Search Results (14127 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-4515 2 Pribai, Zylon 2 Privategpt, Privategpt 2025-07-08 4.3 Medium
A vulnerability, which was classified as problematic, was found in Zylon PrivateGPT up to 0.6.2. This affects an unknown part of the file settings.yaml. The manipulation of the argument allow_origins leads to permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-12766 1 Lollms 1 Lollms Web Ui 2025-07-08 N/A
parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter `{"url":"http://steal.target"}`. Existing security mechanisms such as `forbid_remote_access(lollmsElfServer)`, `lollmsElfServer.config.headless_server_mode`, and `check_access(lollmsElfServer, request.client_id)` do not protect against this vulnerability.
CVE-2024-49048 1 Microsoft 1 Torchgeo 2025-07-08 8.1 High
TorchGeo Remote Code Execution Vulnerability
CVE-2024-49029 1 Microsoft 4 365 Apps, Excel, Office and 1 more 2025-07-08 7.8 High
Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-43450 1 Microsoft 7 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 4 more 2025-07-08 7.5 High
Windows DNS Spoofing Vulnerability
CVE-2025-6551 1 Java-aodeng 1 Hope-boot 2025-07-08 3.5 Low
A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-39002 2 Richardrodger, Rjrodger 2 Jsonic, Jsonic-next 2025-07-07 6.3 Medium
rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function util.clone. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-56518 1 Hazelcast 1 Management Center 2025-07-07 9.8 Critical
Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document (aka a client configuration file), which can be uploaded at the /cluster-connections URI.
CVE-2025-25680 1 Lsc 2 Ptz Dual Band Camera, Ptz Dual Band Camera Firmware 2025-07-07 7.7 High
LSC Smart Connect LSC Indoor PTZ Camera 7.6.32 is contains a RCE vulnerability in the tuya_ipc_direct_connect function of the anyka_ipc process. The vulnerability allows arbitrary code execution through the Wi-Fi configuration process when a specially crafted QR code is presented to the camera.
CVE-2024-35314 1 Mitel 3 Micollab, Mivoice Business Solution Virtual Instance, Mivoice Business Solutions Virtual Instance 2025-07-07 9.8 Critical
A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts.
CVE-2024-35315 1 Mitel 3 Micollab, Mivoice Business, Mivoice Business Solution Virtual Instance 2025-07-07 5.6 Medium
A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an authenticated attacker to conduct a privilege escalation attack due to improper file validation. A successful exploit could allow an attacker to run arbitrary code with elevated privileges.
CVE-2024-48232 1 Mipjz Project 1 Mipjz 2025-07-07 4.9 Medium
An issue was found in mipjz 5.0.5. In the mipPost method of \app\setting\controller\ApiAdminTool.php, the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and output, resulting in a Server-side request forgery (SSRF) vulnerability that can read server files.
CVE-2024-40503 1 Tenda 2 Ax12, Ax12 Firmware 2025-07-07 6.5 Medium
An issue in Tenda AX12 v.16.03.49.18_cn+ allows a remote attacker to cause a denial of service via the Routing functionality and ICMP packet handling.
CVE-2024-40515 2 Tenda, Tendacn 3 Ax2 Pro, Ax2 Pro Firmware, Ax2 Pro 2025-07-07 9.8 Critical
An issue in SHENZHEN TENDA TECHNOLOGY CO.,LTD Tenda AX2pro V16.03.29.48_cn allows a remote attacker to execute arbitrary code via the Routing functionality.
CVE-2024-29030 1 Usememos 1 Memos 2025-07-07 5.8 Medium
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.
CVE-2024-29028 1 Usememos 1 Memos 2025-07-07 5.8 Medium
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1.
CVE-2024-33394 1 Kubevirt 1 Kubevirt 2025-07-07 5.9 Medium
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
CVE-2025-6613 2 Anujk305, Phpgurukul 2 Hospital Management System, Hospital Management System 2025-07-06 3.5 Low
A vulnerability classified as problematic was found in PHPGurukul Hospital Management System 4.0. Affected by this vulnerability is an unknown functionality of the file /doctor/manage-patient.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-3892 1 Progress 1 Telerik Ui For Winforms 2025-07-03 7.2 High
A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system.
CVE-2024-42902 1 Limesurvey 1 Limesurvey 2025-07-03 8.8 High
An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function