Export limit exceeded: 364838 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364838 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-64504 1 Langfuse 1 Langfuse 2025-12-02 5 Medium
Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any authenticated user on the same Langfuse instance could enumerate names and email addresses of users in another organization if they knew the target organization’s ID. Disclosure is limited to names and email addresses of members/invitees. No customer data such as traces, prompts, or evaluations is exposed or accessible. For Langfuse Cloud, the maintainers ran a thorough investigation of access logs of the last 30 days and could not find any evidence that this vulnerability was exploited. For most self-hosting deployments, the attack surface is significantly reduced given an SSO provider is configured and email/password sign-up is disabled. In these cases, only users who authenticate via the Enterprise SSO IdP (e.g. Okta) would be able to exploit this vulnerability to access the member list, i.e. internal users getting access to a list of other internal users. In order to exploit the vulnerability, the actor must have a valid Langfuse user account within the same instance, know the target orgId, and use the request made to the API that powers the frontend membership tables, including their project/user authentication token, while changing the orgId to the target organization. Langfuse Cloud (EU, US, HIPAA) were affected until fix deployment on November 1, 2025. The maintainers reviewed the Langfuse Cloud access logs from the past 30 days and found no evidence that this vulnerability was exploited. Self-Hosted versions which contain patches include v2.95.11 for major version 2 and v3.124.1 for major version 3. There are no known workarounds. Upgrading is required to fully mitigate this issue.
CVE-2025-9799 1 Langfuse 1 Langfuse 2025-12-02 5 Medium
A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited.
CVE-2025-33194 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 5.7 Medium
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of input data. A successful exploit of this vulnerability might lead to information disclosure or denial of service.
CVE-2025-33188 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 8 High
NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. A successful exploit of this vulnerability might lead to information disclosure, data tampering, or denial of service.
CVE-2025-33191 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 5.7 Medium
NVIDIA DGX Spark GB10 contains a vulnerability in OSROOT firmware, where an attacker could cause an invalid memory read. A successful exploit of this vulnerability might lead to denial of service.
CVE-2025-33192 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 5.7 Medium
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an arbitrary memory read. A successful exploit of this vulnerability might lead to denial of service.
CVE-2025-33193 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 5.7 Medium
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper validation of integrity. A successful exploit of this vulnerability might lead to information disclosure.
CVE-2025-59305 1 Langfuse 1 Langfuse 2025-12-02 7.6 High
Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as backgroundMigrations.all, backgroundMigrations.status, and backgroundMigrations.retry.
CVE-2025-62687 4 Linux, Logstare, Microsoft and 1 more 5 Linux, Linux Kernel, Collector and 2 more 2025-12-02 N/A
Cross-site request forgery vulnerability exists in LogStare Collector. If a user views a crafted page while logged, unintended operations may be performed.
CVE-2025-64299 4 Linux, Logstare, Microsoft and 1 more 5 Linux, Linux Kernel, Collector and 2 more 2025-12-02 2.7 Low
LogStare Collector improperly handles the password hash data. An administrative user may obtain the other users' password hashes.
CVE-2025-64695 3 Logstare, Microsoft, Secuavail 3 Collector, Windows, Logstare Collector 2025-12-02 N/A
Uncontrolled search path element issue exists in the installer of LogStare Collector (for Windows). If exploited, arbitrary code may be executed with the privilege of the user invoking the installer.
CVE-2025-33196 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 4.4 Medium
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure.
CVE-2025-33197 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 4.3 Medium
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a NULL pointer dereference. A successful exploit of this vulnerability might lead to denial of service.
CVE-2025-33198 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 3.3 Low
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure.
CVE-2025-33199 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 3.2 Low
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause incorrect control flow behavior. A successful exploit of this vulnerability might lead to data tampering.
CVE-2025-33200 1 Nvidia 3 Dgx, Dgx Os, Dgx Spark 2025-12-02 2.3 Low
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure.
CVE-2025-13315 3 Linux, Lynxtechnology, Microsoft 4 Linux, Linux Kernel, Twonky Server and 1 more 2025-12-02 9.8 Critical
Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.
CVE-2025-54866 2 Microsoft, Wazuh 2 Windows, Wazuh 2025-12-02 5.5 Medium
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in version 4.13.0.
CVE-2025-62608 1 Ml-explore 1 Mlx 2025-12-02 9.1 Critical
MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. Attacker-controlled file causes 13-byte out-of-bounds read, leading to crash or information disclosure. This issue has been patched in version 0.29.4.
CVE-2025-62609 1 Ml-explore 1 Mlx 2025-12-02 7.5 High
MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. Untrusted pointer from external gguflib library is dereferenced without validation, causing application crash. This issue has been patched in version 0.29.4.