Security

CVE ID : CVE-2025-38092

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

ksmbd: use list_first_entry_or_null for opinfo_get_list()

The list_first_entry() macro never returns NULL. If the list is
empty then it returns an invalid pointer. Use list_first_entry_or_null()
to check if the list is empty.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53109

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-52891

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg ), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53006

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like “socketfactory” and “socketfactoryarg”, there are also “sslfactory” and “sslfactoryarg” with similar functionality. The difference lies in that “sslfactory” and related parameters need to be triggered after establishing the connection. Other similar parameters include “sslhostnameverifier”, “sslpasswordcallback”, and “authenticationPluginClassName”. This issue has been patched in 2.10.11.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53108

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item attachments that they do not own. This issue could lead to unauthorized data manipulation or loss of critical inventory data. This issue has been patched in version 0.20.1. There are no workarounds, users must upgrade.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53110

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53492

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation Mediawiki – MintyDocs Extension allows Stored XSS.This issue affects Mediawiki – MintyDocs Extension: 1.39.X, 1.42.X, from 1.43.X before 1.43.2.

Severity: 3.7 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53493

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation Mediawiki – MintyDocs Extension allows Stored XSS.This issue affects Mediawiki – MintyDocs Extension: 1.39.X, 1.42.X, from 1.43.X before 1.43.2.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53494

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation Mediawiki – TwoColConflict Extension allows Stored XSS.This issue affects Mediawiki – TwoColConflict Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-6725

Published : July 2, 2025, 3:15 p.m. | 4 hours, 27 minutes ago

Description : In the PdfViewer component, a Cross-Site Scripting (XSS) vulnerability is possible if a specially-crafted document has already been loaded and the user engages with a tool that requires the DOM to be re-rendered.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-20308

Published : July 2, 2025, 4:15 p.m. | 3 hours, 27 minutes ago

Description : A vulnerability in Cisco Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root.

This vulnerability is due to insufficient restrictions during the execution of specific CLI commands. An attacker could exploit this vulnerability by logging in to the Cisco Spaces Connector CLI as the spacesadmin user and executing a specific command with crafted parameters. A successful exploit could allow the attacker to elevate privileges from the spacesadmin user and execute arbitrary commands on the underlying operating system as root.

Severity: 6.0 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-52886

Published : July 2, 2025, 4:15 p.m. | 3 hours, 27 minutes ago

Description : Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-20310

Published : July 2, 2025, 4:15 p.m. | 3 hours, 27 minutes ago

Description : A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.

This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53359

Published : July 2, 2025, 4:15 p.m. | 3 hours, 27 minutes ago

Description : ethereum is a common ethereum structs for Rust. Prior to ethereum crate v0.18.0, signature malleability (according to EIP-2) was only checked for “legacy” transactions, but not for EIP-2930, EIP-1559 and EIP-7702 transactions. This is a specification deviation. The signature malleability itself is not a security issue and not as high of a risk if the ethereum crate is used on a single-implementation blockchain. This issue has been patched in version v0.18.0. A workaround for this issue involves manually checking transaction malleability outside of the crate, however upgrading is recommended.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-53358

Published : July 2, 2025, 4:15 p.m. | 3 hours, 27 minutes ago

Description : kotaemon is an open-source RAG-based tool for document comprehension. From versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them, enabling attackers to traverse directories (e.g. ../../../../../.env) and exfiltrate sensitive files. This issue has been patched via commit 37cdc28, in version 0.10.7 which has not been made public at time of publication.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-6942

Published : July 2, 2025, 4:15 p.m. | 3 hours, 27 minutes ago

Description : The distributed engine of Secret Server versions 11.7.49 and earlier can be exploited during an initial authorization event that would allow an attacker to impersonate another distributed engine.

Severity: 3.8 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-6943

Published : July 2, 2025, 4:15 p.m. | 3 hours, 27 minutes ago

Description : Secret Server version 11.7 and earlier is vulnerable to a SQL report creation vulnerability that allows an administrator to gain access to restricted tables.

Severity: 3.8 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-20307

Published : July 2, 2025, 5:15 p.m. | 2 hours, 27 minutes ago

Description : A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform could allow an authenticated, remote attacker to to conduct cross-site scripting (XSS) attacks against a user of the interface.

This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Severity: 4.8 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-20309

Published : July 2, 2025, 5:15 p.m. | 2 hours, 27 minutes ago

Description : A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.

This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.

Severity: 10.0 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45814

Published : July 2, 2025, 5:15 p.m. | 2 hours, 27 minutes ago

Description : Missing authentication checks in the query.fcgi endpoint of NS3000 v8.1.1.125110 , v7.2.8.124852 , and v7.x and NS2000 v7.02.08 allows attackers to execute a session hijacking attack.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…