CVE ID : CVE-2025-51630
Published : July 17, 2025, 2:15 p.m. | 16 minutes ago
Description : TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a buffer overflow via the ePort parameter in the function setIpPortFilterRules.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53909
Published : July 17, 2025, 2:15 p.m. | 16 minutes ago
Description : mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53927
Published : July 17, 2025, 2:15 p.m. | 16 minutes ago
Description : MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53928
Published : July 17, 2025, 2:15 p.m. | 16 minutes ago
Description : MaxKB is an open-source AI assistant for enterprise. Prior to versions 1.10.9-lts and 2.0.0, a Remote Command Execution vulnerability exists in the MCP call. Versions 1.10.9-lts and 2.0.0 fix the issue.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53941
Published : July 17, 2025, 2:15 p.m. | 16 minutes ago
Description : Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53946
Published : July 17, 2025, 2:15 p.m. | 16 minutes ago
Description : WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.5 in the `id_funcionario` parameter of the `/html/saude/profile_paciente.php` endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. Version 3.4.5 fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4302
Published : July 17, 2025, 8:15 a.m. | 2 hours, 9 minutes ago
Description : The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-7712
Published : July 17, 2025, 3:15 a.m. | 1 hour, 59 minutes ago
Description : The Madara – Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wp_manga_delete_zip() function in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-7735
Published : July 17, 2025, 4:15 a.m. | 59 minutes ago
Description : The Hospital Information System developed by UNIMAX has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-9408
Published : July 16, 2025, 12:15 p.m. | 14 hours, 29 minutes ago
Description : In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-53908
Published : July 16, 2025, 8:15 p.m. | 6 hours, 47 minutes ago
Description : RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM and has multiple users, even unprivileged users, such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-6982
Published : July 16, 2025, 8:15 p.m. | 6 hours, 47 minutes ago
Description : Use of Hard-coded Credentials in TP-Link Archer C50 V3(
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-6983
Published : July 16, 2025, 8:15 p.m. | 6 hours, 47 minutes ago
Description : A
Clickjacking vulnerability in TP-Link Archer C1200 web management page allows an attacker to trick users into performing unintended actions via rendered UI layers or frames.This issue affects Archer C1200
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-34118
Published : July 16, 2025, 9:15 p.m. | 5 hours, 47 minutes ago
Description : A path traversal vulnerability exists in Linknat VOS Manager versions prior to 2.1.9.07, including VOS2009 and early VOS3000 builds, that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability is accessible via multiple localized subpaths such as ‘/eng/’, ‘/chs/’, or ‘/cht/’, where the ‘js/lang_en_us.js’ or equivalent files are loaded. By injecting encoded traversal sequences such as ‘%c0%ae%c0%ae’ into the request path, attackers can bypass input validation and disclose sensitive files.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-34117
Published : July 16, 2025, 9:15 p.m. | 5 hours, 47 minutes ago
Description : A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an undocumented backdoor listener on UDP port 53413. Exact version boundaries remain undocumented. An unauthenticated remote attacker can send specially crafted UDP packets to execute arbitrary commands on the affected device. This backdoor uses a hardcoded authentication mechanism and accepts shell commands post-authentication. Some device models include a non-standard implementation of the `echo` command, which may affect exploitability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-34120
Published : July 16, 2025, 9:15 p.m. | 5 hours, 47 minutes ago
Description : An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify arbitrary file paths using a crafted `datasupdateinfo` payload. The files are packaged in a ZIP archive and made available for download without authentication. This vulnerability can be exploited to read arbitrary files on the host system, including sensitive OS and configuration files.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-34119
Published : July 16, 2025, 9:15 p.m. | 5 hours, 47 minutes ago
Description : A remote file disclosure vulnerability exists in EasyCafe Server 2.2.14, exploitable by unauthenticated remote attackers via TCP port 831. The server listens for a custom protocol where opcode 0x43 can be used to request arbitrary files by absolute path. If the file exists and is accessible, its content is returned without authentication. This flaw allows attackers to retrieve sensitive files such as system configuration, password files, or application data.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-34121
Published : July 16, 2025, 9:15 p.m. | 5 hours, 47 minutes ago
Description : An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. NOTE: The bypass for this vulnerability is tracked as CVE-2015-9263.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-34123
Published : July 16, 2025, 9:15 p.m. | 5 hours, 47 minutes ago
Description : A stack-based buffer overflow vulnerability exists in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC configuration file. The issue occurs due to improper handling of user-supplied data in the XML ‘Name’ attribute, leading to an SEH overwrite condition. An attacker can exploit this vulnerability by convincing a user to open a malicious .VSC file, resulting in arbitrary code execution under the context of the user.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-34124
Published : July 16, 2025, 10:15 p.m. | 4 hours, 47 minutes ago
Description : A buffer overflow vulnerability exists in Heroes of Might and Magic III Complete 4.0.0.0, HD Mod 3.808 build 9, and Demo 1.0.0.0 via malicious .h3m map files that exploit object sprite name parsing logic. The vulnerability occurs during in-game map loading when a crafted object name causes a buffer overflow, potentially allowing arbitrary code execution. Exploitation requires the victim to open a malicious map file within the game.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…