Total
306798 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55622 | 1 Reolink | 1 Reolink | 2025-08-23 | 6.5 Medium |
| Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings. | ||||
| CVE-2025-6791 | 1 Centreon | 2 Centreon, Centreon Web | 2025-08-23 | 8.8 High |
| On the monitoring event logs page, it is possible to alter the http request to insert a payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection. This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26. | ||||
| CVE-2025-55637 | 1 Reolink | 1 Smart 2k+ Video Doorbell | 2025-08-23 | 6.5 Medium |
| Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to contain a command injection vulnerability via the setddns_pip_system() function. | ||||
| CVE-2025-55619 | 2 Google, Reolink | 2 Android, Reolink | 2025-08-23 | N/A |
| Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering. | ||||
| CVE-2025-55626 | 1 Reolink | 1 Smart 2k+ Video Doorbell | 2025-08-23 | 5.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session storage. | ||||
| CVE-2025-55624 | 1 Reolink | 1 Reolink | 2025-08-23 | 5.3 Medium |
| An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access internal functions or access non-public components. | ||||
| CVE-2025-55623 | 2 Google, Reolink | 2 Android, Reolink | 2025-08-23 | 5.4 Medium |
| An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge). | ||||
| CVE-2025-26496 | 4 Linux, Microsoft, Salesforce and 1 more | 6 Linux, Windows, Tableau Desktop and 3 more | 2025-08-23 | 9.6 Critical |
| Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server, Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion.This issue affects Tableau Server, Tableau Desktop: before 2025.1.3, before 2024.2.12, before 2023.3.19. | ||||
| CVE-2025-55629 | 1 Reolink | 1 Smart 2k+ Video Doorbell | 2025-08-23 | 6.5 Medium |
| Insecure permissions in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allow attackers to arbitrarily change other users' passwords via manipulation of the userName value. | ||||
| CVE-2025-55621 | 1 Reolink | 1 Reolink | 2025-08-23 | 6.5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. | ||||
| CVE-2025-7841 | 2 Sertifier, Wordpress | 2 Certificates-open-badges Plugin, Wordpress | 2025-08-23 | 4.3 Medium |
| The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's api key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-7827 | 3 Anzia, Woocommerce, Wordpress | 3 Ni Woocommerce Customer Product Report, Woocommerce, Wordpress | 2025-08-23 | 4.3 Medium |
| The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings. | ||||
| CVE-2025-7839 | 2 Pokornydavid, Wordpress | 2 Restore Delete Post Or Page Data Plugin, Wordpress | 2025-08-23 | 4.3 Medium |
| The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-8309 | 1 Manageengine | 3 Assetexplorer, Servicedesk Plus, Supportcenter Plus | 2025-08-23 | 8.1 High |
| There is an improper privilege management vulnerability identified in ManageEngine's Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp. This vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940. | ||||
| CVE-2025-9304 | 2 Oretnom23, Sourcecodester | 2 Online Bank Management System, Online Bank Management System | 2025-08-23 | 7.3 High |
| A weakness has been identified in SourceCodester Online Bank Management System 1.0. Impacted is an unknown function of the file /bank/show.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-48956 | 1 Vllm-project | 1 Vllm | 2025-08-23 | 7.5 High |
| vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.10.1.1, a Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user. This vulnerability is fixed in 0.10.1.1. | ||||
| CVE-2025-55297 | 1 Espressif | 1 Esp-idf | 2025-08-23 | N/A |
| ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9. | ||||
| CVE-2025-50860 | 1 Ehcp | 1 Easy Hosting Control Panel | 2025-08-23 | 6.5 Medium |
| SQL Injection in the listdomains function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to access or manipulate database contents via the arananalan POST parameter. | ||||
| CVE-2025-55371 | 1 Jishenghua | 1 Jsherp | 2025-08-23 | 5.3 Medium |
| Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method. | ||||
| CVE-2025-43756 | 1 Liferay | 2 Dxp, Portal | 2025-08-23 | N/A |
| <!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter. | ||||