Vulnerabilities (CVE)

Total 300253 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-22952 1 Usememos 1 Memos 2025-07-10 N/A 9.8 CRITICAL
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
CVE-2024-57240 1 Apryse 1 Webviewer 2025-07-10 N/A 5.4 MEDIUM
A Cross-Site Scripting (XSS) vulnerability in the Rendering Engine component in Apryse WebViewer v11.1 and earlier allows attackers to execute arbitrary code via a crafted PDF file.
CVE-2024-37479 1 La-studioweb 1 Element Kit For Elementor 2025-07-10 N/A 8.5 HIGH
Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via "LaStudioKit Progress Bar" widget in New Post, specifically in the "progress_type" attribute.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.8.1.
CVE-2024-53450 1 Infiniflow 1 Ragflow 2025-07-10 N/A 7.5 HIGH
RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.
CVE-2024-5926 1 Stitionai 1 Devika 2025-07-10 N/A 9.1 CRITICAL
A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service (DoS). This issue is present in all versions of the application. The vulnerability arises due to insufficient path sanitization for the 'project-name' parameter, enabling attackers to specify paths that traverse the filesystem. By setting 'project-name' to the root directory, an attacker can cause the application to attempt to read the entire filesystem, leading to a DoS condition.
CVE-2024-38993 1 Richardrodger 1 Jsonic 2025-07-10 N/A 9.8 CRITICAL
rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-39853 1 Swiperjs 1 Swiper 2025-07-10 N/A 6.5 MEDIUM
adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-39929 1 Exim 1 Exim 2025-07-10 N/A 5.4 MEDIUM
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
CVE-2025-7417 2025-07-10 9.0 HIGH 8.8 HIGH
A vulnerability has been found in Tenda O3V2 1.0.0.12(3880) and classified as critical. Affected by this vulnerability is the function fromNetToolGet of the file /goform/setPingInfo of the component httpd. The manipulation of the argument ip leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7416 2025-07-10 9.0 HIGH 8.8 HIGH
A vulnerability, which was classified as critical, was found in Tenda O3V2 1.0.0.12(3880). Affected is the function fromSysToolTime of the file /goform/setSysTimeInfo of the component httpd. The manipulation of the argument Time leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-6392 2025-07-10 N/A N/A
Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
CVE-2025-53637 2025-07-10 N/A 4.1 MEDIUM
Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.
CVE-2025-24798 2025-07-10 N/A 4.3 MEDIUM
Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to a degradation of service for nodes within range of a malicious sender, or via MQTT if downlink is enabled. This vulnerability is fixed in 2.6.2.
CVE-2024-36387 2 Apache, Netapp 2 Http Server, Ontap 2025-07-10 N/A 5.4 MEDIUM
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
CVE-2024-6353 1 Standalonetech 1 Terawallet 2025-07-10 N/A 8.8 HIGH
The Wallet for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'search[value]' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-45031 1 Apache 1 Syncope 2025-07-10 N/A 6.1 MEDIUM
When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes this issue.
CVE-2024-23590 1 Apache 1 Kylin 2025-07-10 N/A 9.1 CRITICAL
Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
CVE-2024-50378 1 Apache 1 Airflow 2025-07-10 N/A 4.9 MEDIUM
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.
CVE-2024-6983 1 Mudler 1 Localai 2025-07-10 N/A 8.8 HIGH
mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the attacker gaining full control over the system.
CVE-2024-8771 1 Icegram 1 Email Subscribers \& Newsletters 2025-07-10 N/A 4.3 MEDIUM
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'preview_email_template_design' function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft posts and pages.