Total
29680 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8257 | 3 Google, Lobby Universe, Lobbyuniverse | 3 Android, Lobby App, Lobby | 2025-07-31 | 5.3 Medium |
| A vulnerability classified as problematic was found in Lobby Universe Lobby App up to 2.8.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.maverick.lobby. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-8207 | 3 Canara, Canarabank, Google | 3 Ai1 Mobile Banking App, Ai1, Android | 2025-07-31 | 5.3 Medium |
| A vulnerability was found in Canara ai1 Mobile Banking App 3.6.23 on Android and classified as problematic. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.canarabank.mobility. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8261 | 1 Vaelsys | 1 Vaelsys | 2025-07-31 | 7.3 High |
| A vulnerability was found in Vaelsys 4.1.0 and classified as critical. This issue affects some unknown processing of the file /grid/vgrid_server.php of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8204 | 1 Comodo | 1 Dragon | 2025-07-31 | 3.1 Low |
| A vulnerability classified as problematic was found in Comodo Dragon up to 134.0.6998.179. Affected by this vulnerability is an unknown functionality of the component HSTS Handler. The manipulation leads to security check for standard. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-49138 | 1 Psu | 1 Haxcms-php | 2025-07-30 | 6.5 Medium |
| HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue. | ||||
| CVE-2021-24008 | 1 Fortinet | 5 Fortiddos, Fortiddos-cm, Fortimail and 2 more | 2025-07-24 | 5 Medium |
| An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiDDoS version 5.4.0, version 5.3.2 and below, version 5.2.0, version 5.1.0, version 5.0.0, version 4.7.0, version 4.6.0, version 4.5.0, version 4.4.2 and below, FortiDDoS-CM version 5.3.0, version 5.2.0, version 5.1.0, version 5.0.0, version 4.7.0, FortiVoice version 6.0.6 and below, FortiRecorder version 6.0.3 and below and FortiMail version 6.4.1 and below, version 6.2.4 and below, version 6.0.9 and below may allow a remote, unauthenticated attacker to obtain potentially sensitive software-version information by reading a JavaScript file. | ||||
| CVE-2025-7021 | 1 Openai | 1 Operator | 2025-07-24 | 6.5 Medium |
| Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site. | ||||
| CVE-2021-34782 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 4.3 Medium |
| A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application. | ||||
| CVE-2024-23591 | 1 Lenovo | 2 Thinksystem Sr670 V2, Thinksystem Sr670 V2 Firmware | 2025-07-23 | 2 Low |
| ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023 were left in Manufacturing Mode which could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware integrity, SPS security, and other SPS configuration setting. The server’s NIST SP 800-193-compliant Platform Firmware Resiliency (PFR) security subsystem significantly mitigates this issue. | ||||
| CVE-2024-34517 | 1 Neo4j | 1 Neo4j | 2025-07-23 | 6.5 Medium |
| The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. | ||||
| CVE-2024-52965 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-07-22 | 6.8 Medium |
| A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid. | ||||
| CVE-2025-20965 | 1 Samsung | 1 Bixby | 2025-07-18 | 6.2 Medium |
| Improper handling of insufficient permission in Bixby wakeup prior to version 2.3.74.8 allows local attackers to access sensitive data. | ||||
| CVE-2025-20896 | 1 Samsung | 1 Easysetup | 2025-07-17 | 4 Medium |
| Use of implicit intent for sensitive communication in EasySetup prior to version 11.1.18 allows local attackers to access sensitive information. | ||||
| CVE-2025-20895 | 1 Samsung | 1 Galaxy Store | 2025-07-17 | 3.2 Low |
| Authentication Bypass Using an Alternate Path in Galaxy Store prior to version 4.5.87.6 allows physical attackers to install arbitrary applications to bypass restrictions of Setupwizard. | ||||
| CVE-2024-20870 | 1 Samsung | 1 Galaxy Store | 2025-07-17 | 5.1 Medium |
| Improper verification of intent by broadcast receiver vulnerability in Galaxy Store prior to version 4.5.71.8 allows local attackers to write arbitrary files with the privilege of Galaxy Store. | ||||
| CVE-2025-20950 | 1 Samsung | 1 Notes | 2025-07-17 | 4 Medium |
| Use of implicit intent for sensitive communication in SamsungNotes prior to version 4.4.26.45 allows local attackers to access sensitive information. | ||||
| CVE-2025-20951 | 1 Samsung | 1 Galaxy Store | 2025-07-17 | 5.1 Medium |
| Improper verification of intent by broadcast receiver vulnerability in Galaxy Store prior to version 4.5.90.7 allows local attackers to write arbitrary files with the privilege of Galaxy Store. | ||||
| CVE-2024-49416 | 1 Samsung | 1 Smartthings | 2025-07-17 | 4 Medium |
| Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information. | ||||
| CVE-2024-20850 | 1 Samsung | 1 Samsung Pay | 2025-07-17 | 6.2 Medium |
| Use of Implicit Intent for Sensitive Communication in Samsung Pay prior to version 5.4.99 allows local attackers to access information of Samsung Pay. | ||||
| CVE-2024-20852 | 1 Samsung | 1 Smartthings | 2025-07-17 | 5.9 Medium |
| Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration. | ||||