Total
2171 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30762 | 1 Oracle | 1 Weblogic Server | 2025-07-24 | 7.5 High |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | ||||
| CVE-2023-48426 | 1 Google | 9 Chromecast, Chromecast Firmware, Chromecast Ga00439 and 6 more | 2025-07-24 | 10 Critical |
| u-boot bug that allows for u-boot shell and interrupt over UART | ||||
| CVE-2024-7726 | 1 Kioxia | 6 Cm6, Cm6 Firmware, Pm6 and 3 more | 2025-07-23 | 6.8 Medium |
| There exists an unauthenticated accessible JTAG port on the Kioxia PM6, PM7 and CM6 devices - On the Kioxia CM6, PM6 and PM7 disk drives it was discovered that the 2 main CPU cores of the SoC can be accessed via an open JTAG debug port that is exposed on the drive’s circuit board. Due to the wide cutout of the enclosures, the JTAG port can be accessed without having to open the disk enclosure. Utilizing the JTAG debug port, an attacker with (temporary) physical access can get full access to the firmware and memory on the 2 main CPU cores within the drive including the execution of arbitrary code, the modification of firmware execution flow and data or bypassing the firmware signature verification during boot-up. | ||||
| CVE-2025-7862 | 1 Totolink | 2 T6, T6 Firmware | 2025-07-23 | 7.3 High |
| A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the input 1 leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-20391 | 2 Cisco, Microsoft | 2 Secure Client, Windows | 2025-07-22 | 6.8 Medium |
| A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an affected device to elevate privileges to SYSTEM. This vulnerability is due to a lack of authentication on a specific function. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges on an affected device. | ||||
| CVE-2025-52089 | 1 Totolink | 2 N300rb, N300rb Firmware | 2025-07-19 | 8.8 High |
| A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges. | ||||
| CVE-2025-34104 | 2 Matomo, Piwik | 2 Matomo, Piwik | 2025-07-16 | N/A |
| An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file. | ||||
| CVE-2024-8196 | 2 Microsoft, Mintplexlabs | 2 Windows, Anythingllm Desktop | 2025-07-15 | N/A |
| In mintplex-labs/anything-llm v1.5.11 desktop version for Windows, the application opens server port 3001 on 0.0.0.0 with no authentication by default. This vulnerability allows an attacker to gain full backend access, enabling them to perform actions such as deleting all data from the workspace. | ||||
| CVE-2025-41656 | 1 Nodered | 1 Node-red | 2025-07-14 | 10 Critical |
| An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default. | ||||
| CVE-2025-7115 | 1 Rowboatlabs | 1 Rowboat | 2025-07-13 | 7.3 High |
| A vulnerability was found in rowboatlabs rowboat up to 8096eaf63b5a0732edd8f812bee05b78e214ee97. It has been rated as critical. Affected by this issue is the function PUT of the file apps/rowboat/app/api/uploads/[fileId]/route.ts of the component Session Handler. The manipulation of the argument params leads to missing authentication. The attack may be launched remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. It is expected that this issue will be fixed in the near future. | ||||
| CVE-2024-36457 | 1 Broadcom | 1 Symantec Privileged Access Management | 2025-07-13 | N/A |
| The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint. | ||||
| CVE-2023-25493 | 1 Lenovo | 1 Bios | 2025-07-13 | 6.7 Medium |
| A potential vulnerability was reported in the BIOS update tool driver for some Desktop, Smart Edge, Smart Office, and ThinkStation products that could allow a local user with elevated privileges to execute arbitrary code. | ||||
| CVE-2024-12957 | 1 Asus | 1 Armoury Crate | 2025-07-12 | N/A |
| A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the '01/23/2025 Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information. | ||||
| CVE-2024-39364 | 1 Advantech | 1 Adam-5630 | 2025-07-12 | 6.3 Medium |
| Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands. | ||||
| CVE-2024-23815 | 1 Siemens | 1 Desigo Cc | 2025-07-12 | 7.5 High |
| A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp) | ||||
| CVE-2024-3219 | 1 Python Software Foundation | 1 Cpython | 2025-07-12 | N/A |
| The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included. | ||||
| CVE-2024-52285 | 1 Siemens | 2 Sipass Integrated Ac5102 (acc-g2), Sipass Integrated Acc-ap | 2025-07-12 | 5.3 Medium |
| A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data. | ||||
| CVE-2025-32440 | 1 Netalertx | 1 Netalertx | 2025-07-11 | 10 Critical |
| NetAlertX is a network, presence scanner and alert framework. Prior to version 25.4.14, it is possible to bypass the authentication mechanism of NetAlertX to update settings without authentication. An attacker can trigger sensitive functions within util.php by sending crafted requests to /index.php. This issue has been patched in version 25.4.14. | ||||
| CVE-2025-25268 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-07-11 | 8.8 High |
| An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication. | ||||
| CVE-2025-44039 | 1 Cpplusworld | 2 Cp-xr-de21-s, Cp-xr-de21-s Firmware | 2025-07-11 | 5.1 Medium |
| CP-XR-DE21-S -4G Router Firmware version 1.031.022 was discovered to contain insecure protections for its UART console. This vulnerability allows local attackers to connect to the UART port via a serial connection, read all boot sequence, and revealing internal system details and sensitive information without any authentication. | ||||