Search

Search Results (363962 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-20228 1 Splunk 3 Splunk, Splunk Cloud Platform, Splunk Enterprise 2025-07-21 6.5 Medium
In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).
CVE-2025-20232 1 Splunk 3 Splunk, Splunk Cloud Platform, Splunk Enterprise 2025-07-21 5.7 Medium
In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.103, 9.2.2406.108, 9.2.2403.113, 9.1.2312.208 and 9.1.2308.212, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the “/app/search/search“ endpoint through its “s“ parameter. <br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
CVE-2025-20324 1 Splunk 3 Splunk, Splunk Cloud Platform, Splunk Enterprise 2025-07-21 5.4 Medium
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.
CVE-2024-8017 2 Open-webui, Openwebui 2 Open-webui, Open Webui 2025-07-21 N/A
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin.
CVE-2024-7990 2 Open-webui, Openwebui 2 Open-webui, Open Webui 2025-07-21 N/A
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.
CVE-2024-7959 2 Open-webui, Openwebui 2 Open-webui, Open Webui 2025-07-21 7.7 High
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the output. This vulnerability allows the attacker to access internal services and potentially gain command execution by accessing instance secrets.
CVE-2024-7760 1 Aimstack 1 Aim 2025-07-21 9.6 Critical
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
CVE-2025-21445 1 Qualcomm 55 Qam8255p, Qam8255p Firmware, Qam8295p and 52 more 2025-07-21 7.8 High
Memory corruption while copying the result to the transmission queue which is shared between the virtual machine and the host.
CVE-2025-21426 1 Qualcomm 21 Fastconnect 7800, Fastconnect 7800 Firmware, Snapdragon and 18 more 2025-07-21 6.6 Medium
Memory corruption while processing camera TPG write request.
CVE-2025-27051 2 Microsoft, Qualcomm 21 Windows, Fastconnect 6900, Fastconnect 6900 Firmware and 18 more 2025-07-21 7.8 High
Memory corruption while processing command message in WLAN Host.
CVE-2025-27044 1 Qualcomm 17 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 14 more 2025-07-21 7.8 High
Memory corruption while executing timestamp video decode command with large input values.
CVE-2025-27058 1 Qualcomm 17 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 14 more 2025-07-21 7.8 High
Memory corruption while processing packet data with exceedingly large packet.
CVE-2025-27056 1 Qualcomm 51 Fastconnect 7800, Fastconnect 7800 Firmware, Qmp1000 and 48 more 2025-07-21 7.8 High
Memory corruption during sub-system restart while processing clean-up to free up resources.
CVE-2025-1121 1 Google 1 Chrome Os 2025-07-21 6.8 Medium
Privilege escalation in Installer and Recovery image handling in Google ChromeOS version 15786.48.2 on device allows an attacker with physical access to gain root code execution and potentially unenroll enterprise-managed devices via a specially crafted recovery image.
CVE-2025-50090 1 Oracle 2 Applications Framework, E-business Suite 2025-07-21 5.4 Medium
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
CVE-2025-53924 1 Emlog 1 Emlog 2025-07-21 6.9 Medium
Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the siteurl parameter. It is possible to inject malicious code into siteurl parameter resulting in Stored XSS. When someone clicks on the link the malicious code is executed. As of time of publication, no known patched versions exist.
CVE-2025-7747 1 Tenda 2 Fh451, Fh451 Firmware 2025-07-21 8.8 High
A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. This affects the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. The manipulation of the argument PPW leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7754 2 Code-projects, Fabianros 2 Patient Record Management System, Patient Record Management System 2025-07-21 6.3 Medium
A vulnerability was found in code-projects Patient Record Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /xray_form.php. The manipulation of the argument itr_no leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-38435 1 Unitronics 1 Visilogic 2025-07-21 6.5 Medium
Unitronics Vision PLC – CWE-703: Improper Check or Handling of Exceptional Conditions may allow denial of service
CVE-2023-25914 1 Danfoss 2 Ak-sm 800a, Ak-sm 800a Firmware 2025-07-19 8.8 High
Due to improper restriction, authenticated attackers could retrieve and read system files of the underlying server through the XML interface. The information that can be read can lead to a full system compromise.