Total
667 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34119 | 2025-07-17 | N/A | ||
| A remote file disclosure vulnerability exists in EasyCafe Server 2.2.14, exploitable by unauthenticated remote attackers via TCP port 831. The server listens for a custom protocol where opcode 0x43 can be used to request arbitrary files by absolute path. If the file exists and is accessible, its content is returned without authentication. This flaw allows attackers to retrieve sensitive files such as system configuration, password files, or application data. | ||||
| CVE-2024-29905 | 1 Diracgrid | 1 Dirac | 2025-07-13 | 8.1 High |
| DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process (e.g., when using `dirac-proxy-init`), it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy. This vulnerability only exists for a short period of time (sub-millsecond) during the generation process. Version 8.0.41 contains a patch for the issue. As a workaround, setting the `X509_USER_PROXY` environment variable to a path that is inside a directory that is only readable to the current user avoids the potential risk. After the file has been written, it can be safely copied to the standard location (`/tmp/x509up_uNNNN`). | ||||
| CVE-2025-21608 | 1 Meshtastic | 1 Firmware | 2025-07-12 | N/A |
| Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-34064 | 2025-07-03 | N/A | ||
| A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation. | ||||
| CVE-2025-46707 | 2025-07-02 | 5.2 Medium | ||
| Software installed and running inside a Guest VM may override Firmware's state and gain access to the GPU. | ||||
| CVE-2025-49574 | 1 Quarkus | 1 Quarkus | 2025-06-27 | 6.4 Medium |
| Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0. | ||||
| CVE-2023-7014 | 1 Amitzy | 1 Molongui Authorship | 2025-06-17 | 5.3 Medium |
| The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable. | ||||
| CVE-2023-7204 | 1 Wp-staging | 1 Wp Staging | 2025-06-11 | 7.5 High |
| The WP STAGING WordPress Backup plugin before 3.2.0 allows access to cache files during the cloning process which provides | ||||
| CVE-2023-36013 | 1 Microsoft | 1 Powershell | 2025-06-10 | 6.5 Medium |
| PowerShell Information Disclosure Vulnerability | ||||
| CVE-2020-16247 | 1 Philips | 1 Clinical Collaboration Platform | 2025-06-04 | 6.8 Medium |
| Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. | ||||
| CVE-2024-22049 | 1 John Nunemaker | 1 Httparty | 2025-06-03 | 5.3 Medium |
| httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written. | ||||
| CVE-2024-21597 | 1 Juniper | 1 Junos | 2025-06-03 | 5.3 Medium |
| An Exposure of Resource to Wrong Sphere vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the intended access restrictions. In an Abstracted Fabric (AF) scenario if routing-instances (RI) are configured, specific valid traffic destined to the device can bypass the configured lo0 firewall filters as it's received in the wrong RI context. This issue affects Juniper Networks Junos OS on MX Series: * All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S3; * 21.4 versions earlier than 21.4R3-S5; * 22.1 versions earlier than 22.1R3; * 22.2 versions earlier than 22.2R3; * 22.3 versions earlier than 22.3R2. | ||||
| CVE-2023-42716 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-05-29 | 7.5 High |
| In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed | ||||
| CVE-2024-51754 | 2025-05-29 | 2.2 Low | ||
| Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2022-23950 | 1 Keylime | 1 Keylime | 2025-05-27 | 7.5 High |
| In Keylime before 6.3.0, Revocation Notifier uses a fixed /tmp path for UNIX domain socket which can allow unprivileged users a method to prohibit keylime operations. | ||||
| CVE-2020-26272 | 1 Electronjs | 1 Electron | 2025-05-27 | 5.4 Medium |
| The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no known workarounds for this issue. | ||||
| CVE-2021-1918 | 1 Qualcomm | 60 Qca6391, Qca6391 Firmware, Qcm6490 and 57 more | 2025-05-22 | 6.5 Medium |
| Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | ||||
| CVE-2023-49345 | 1 Ubuntubudgie | 1 Budgie Extras | 2025-05-21 | 6 Medium |
| Temporary data passed between application components by Budgie Extras Takeabreak applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel. | ||||
| CVE-2024-21626 | 3 Fedoraproject, Linuxfoundation, Redhat | 10 Fedora, Runc, Enterprise Linux and 7 more | 2025-05-15 | 8.6 High |
| runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | ||||
| CVE-2024-20694 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2025-05-14 | 5.5 Medium |
| Windows CoreMessaging Information Disclosure Vulnerability | ||||