Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE VIEW:Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)
ID:844
Vulnerability Mapping:Prohibited
Type:Graph
Status:Obsolete
DetailsContent HistoryObserved CVE ExamplesReports
26008Vulnerabilities found

CVE-2025-0083
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-4||MEDIUM
EPSS-0.00% / 0.17%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:48
Updated-27 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In multiple locations, there is a possible way to access content across user profiles due to URI double encoding. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-Android
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CVE-2025-0080
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.00% / 0.12%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:48
Updated-27 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In multiple locations, there is a possible way to overlay the installation confirmation dialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-Android
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2025-0079
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 0.19%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:48
Updated-27 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In multiple locations, there is a possible way that avdtp and avctp channels could be unencrypted due to a logic error in the code. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-Android
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2025-0078
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-8.8||HIGH
EPSS-0.02% / 3.60%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:48
Updated-27 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In main of main.cpp, there is a possible way to bypass SELinux due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-Android
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2024-49740
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.00% / 0.17%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:48
Updated-27 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In multiple locations, there is a possible crash loop due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-Android
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-35115
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-9.2||CRITICAL
EPSS-0.02% / 3.38%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 22:18
Updated-26 Aug, 2025 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Agiloft insecure download of system packages

Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30.

Action-Not Available
Vendor-Agiloft
Product-Agiloft
CWE ID-CWE-494
Download of Code Without Integrity Check
CVE-2025-55298
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.16% / 37.46%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 17:20
Updated-26 Aug, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick Format String Bug in InterpretImageFilename leads to arbitrary code execution

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-123
Write-what-where Condition
CWE ID-CWE-134
Use of Externally-Controlled Format String
CVE-2025-55212
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-3.7||LOW
EPSS-0.04% / 11.62%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 16:43
Updated-26 Aug, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" leads to crash

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-369
Divide By Zero
CVE-2025-57813
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 9.76%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 16:06
Updated-26 Aug, 2025 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insertion of Sensitive Information into Log File in github.com/traPtitech/traQ

traQ is a messenger application built for Digital Creators Club traP. Prior to version 3.25.0, a vulnerability exists where sensitive information, such as OAuth tokens, are recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information. This vulnerability has been patched in version 3.25.0. If upgrading is not possible, a temporary workaround involves reviewing access permissions for SQL error logs and strictly limiting access to prevent unauthorized users from viewing them.

Action-Not Available
Vendor-traPtitech
Product-traQ
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2025-57810
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.06% / 19.93%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 15:37
Updated-26 Aug, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jsPDF Parsing of Corrupt PNGs Leads to Potential Denial of Service (DoS)

jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service. The vulnerability was fixed in jsPDF 3.0.2.

Action-Not Available
Vendor-parallax
Product-jsPDF
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-8700
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.09%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 12:23
Updated-26 Aug, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege Escalation via get-task-allow entitlement in Invoice Ninja

Invoice Ninja's configuration on macOS, specifically the presence of entitlement "com.apple.security.get-task-allow", allows local attackers with unprivileged access (e.g. via a malicious application) to attach a debugger, read or modify the process memory, inject code in the application's context despite being signed with Hardened Runtime and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission. According to Apple documentation, when a non-root user runs an app with the debugging tool entitlement, the system presents an authorization dialog asking for a system administrator's credentials. Since there is no prompt when the target process has "get-task-allow" entitlement, the presence of this entitlement was decided to be treated as a vulnerability because it removes one step needed to perform an attack. This issue was fixed in version 5.0.175

Action-Not Available
Vendor-Invoice Ninja
Product-Invoice Ninja
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-8597
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.09%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 12:23
Updated-26 Aug, 2025 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege Escalation via get-task-allow entitlement in MacVim.app

MacVim's configuration on macOS, specifically the presence of entitlement "com.apple.security.get-task-allow", allows local attackers with unprivileged access (e.g. via a malicious application) to attach a debugger, read or modify the process memory, inject code in the application's context despite being signed with Hardened Runtime and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission. According to Apple documentation, when a non-root user runs an app with the debugging tool entitlement, the system presents an authorization dialog asking for a system administrator's credentials. Since there is no prompt when the target process has "get-task-allow" entitlement, the presence of this entitlement was decided to be treated as a vulnerability because it removes one step needed to perform an attack. This issue was fixed in build r181.2

Action-Not Available
Vendor-MacVim
Product-MacVim
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-9190
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 0.76%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 12:22
Updated-26 Aug, 2025 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TCC Bypass via misconfigured Node fuses in Cursor

The configuration of Cursor on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Cursor, potentially disguising attacker's malicious intent. This issue was detected in 15.4.1 version of Cursor. Project maintainers decided not to fix this issue, because a scenario including a local attacker falls outside their defined threat model.

Action-Not Available
Vendor-Cursor
Product-Cursor
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-53813
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.07%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 12:22
Updated-26 Aug, 2025 | 13:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TCC Bypass via misconfigured Node fuses in Nozbe

The configuration of Nozbe on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Nozbe TCC (Transparency, Consent, and Control) permissions.  Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 2025.11 of Nozbe.

Action-Not Available
Vendor-Nozbe
Product-Nozbe
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-53811
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.07%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 12:22
Updated-26 Aug, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TCC Bypass via misconfigured Node fuses in Mosh-Pro

The configuration of Mosh-Pro on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Mosh-Pro TCC (Transparency, Consent, and Control) permissions.  Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Mosh-Pro, potentially disguising attacker's malicious intent.  This issue was detected in 1.3.2 version of Mosh-Pro. Since authors did not respond to messages from CNA, patching status is unknown.

Action-Not Available
Vendor-Mosh-Pro
Product-Mosh-Pro
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-9474
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-2||LOW
EPSS-0.01% / 0.73%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 05:02
Updated-26 Aug, 2025 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mihomo Party Socket sysproxy.ts enableSysProxy temp file

A vulnerability was detected in Mihomo Party up to 1.8.1 on macOS. Affected is the function enableSysProxy of the file src/main/sys/sysproxy.ts of the component Socket Handler. The manipulation results in creation of temporary file with insecure permissions. The attack requires a local approach. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used.

Action-Not Available
Vendor-Mihomo
Product-Party
CWE ID-CWE-377
Insecure Temporary File
CWE ID-CWE-378
Creation of Temporary File With Insecure Permissions
CVE-2024-47192
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 6.00%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 00:00
Updated-27 Aug, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mahara 23.04.8 and 24.04.4. The use of a malicious export download URL can allow an attacker to download files that they do not have permission to download.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-494
Download of Code Without Integrity Check
CVE-2025-50974
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 6.49%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 00:00
Updated-27 Aug, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-50753
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.4||HIGH
EPSS-0.01% / 1.15%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 00:00
Updated-27 Aug, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command "deviceinfo show file" is supposed to be used from restricted shell to show files and directories. By providing " /bin/sh" (quotes included) to the argument of this command will drop a root shell.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2025-9424
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.23% / 45.68%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 22:32
Updated-26 Aug, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie WS7204-A branch_import.php os command injection

A vulnerability was identified in Ruijie WS7204-A 2017.06.15. Affected by this vulnerability is an unknown functionality of the file /itbox_pi/branch_import.php?a=branch_list. Such manipulation of the argument province leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-WS7204-A
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-3456
Assigner-Arista Networks, Inc.
ShareView Details
Assigner-Arista Networks, Inc.
CVSS Score-3.8||LOW
EPSS-0.01% / 0.38%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 20:02
Updated-25 Aug, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-c

On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships.

Action-Not Available
Vendor-Arista Networks, Inc.
Product-EOS
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2025-57773
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.04% / 11.12%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 16:42
Updated-25 Aug, 2025 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dataease DB2 Aspectweaver Deserialization Arbitrary File Write Vulnerability

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files. This vulnerability requires commons-collections 4.x and aspectjweaver-1.9.22.jar. The vulnerability has been fixed in version 2.10.12.

Action-Not Available
Vendor-DataEase (FIT2CLOUD Inc.)
Product-dataease
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-7426
Assigner-Switzerland National Cyber Security Centre (NCSC)
ShareView Details
Assigner-Switzerland National Cyber Security Centre (NCSC)
CVSS Score-9.3||CRITICAL
EPSS-0.03% / 6.87%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 08:52
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MINOVA TTA Information Disclosure and Credential Exposure

Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import structures. In environments where this FTP server is part of automated business processes (e.g. EDI or data integration), this could lead to data manipulation, extraction, or abuse.  Debug ports 1602, 1603 and 1636 also expose service architecture information and system activity logs

Action-Not Available
Vendor-MINOVA Information Services GmbH
Product-TTA
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2025-9405
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 13.63%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 03:02
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open5GS gmm-sm.c gmm_state_exception assertion

A security flaw has been discovered in Open5GS up to 2.7.5. The impacted element is the function gmm_state_exception of the file src/amf/gmm-sm.c. The manipulation results in reachable assertion. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The patch is identified as 8e5fed16114f2f5e40bee1b161914b592b2b7b8f. Applying a patch is advised to resolve this issue.

Action-Not Available
Vendor-n/a
Product-Open5GS
CWE ID-CWE-617
Reachable Assertion
CVE-2025-9403
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.40%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 02:02
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jqlang jq JSON jq_test.c run_jq_tests assertion

A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well.

Action-Not Available
Vendor-jqlang
Product-jq
CWE ID-CWE-617
Reachable Assertion
CVE-2025-43960
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-0.11% / 30.20%
||
7 Day CHG~0.00%
Published-25 Aug, 2025 | 00:00
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-9396
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.40%
||
7 Day CHG~0.00%
Published-24 Aug, 2025 | 22:32
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ckolivas lrzip strtol_l.c __GI_____strtol_l_internal null pointer dereference

A security flaw has been discovered in ckolivas lrzip up to 0.651. This impacts the function __GI_____strtol_l_internal of the file strtol_l.c. Performing manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be exploited.

Action-Not Available
Vendor-ckolivas
Product-lrzip
CWE ID-CWE-404
Improper Resource Shutdown or Release
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-9387
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.08% / 76.90%
||
7 Day CHG~0.00%
Published-24 Aug, 2025 | 12:02
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DCN DCME-720 Web Management Backend ip_block.php os command injection

A vulnerability was found in DCN DCME-720 9.1.5.11. This affects an unknown function of the file /usr/local/www/function/audit/newstatistics/ip_block.php of the component Web Management Backend. Performing manipulation of the argument ip results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. Other products might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-DCN
Product-DCME-720
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-9384
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.41%
||
7 Day CHG~0.00%
Published-24 Aug, 2025 | 10:02
Updated-25 Aug, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
appneta tcpreplay parse_args.c tcpedit_post_args null pointer dereference

A vulnerability was detected in appneta tcpreplay up to 4.5.1. Impacted is the function tcpedit_post_args of the file /src/tcpedit/parse_args.c. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 4.5.2-beta2 is recommended to address this issue. Upgrading the affected component is advised. The vendor explains, that he was "[a]ble to reproduce in 6fcbf03 but not in 4.5.2-beta2".

Action-Not Available
Vendor-appneta
Product-tcpreplay
CWE ID-CWE-404
Improper Resource Shutdown or Release
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-9380
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-8.5||HIGH
EPSS-0.01% / 0.81%
||
7 Day CHG~0.00%
Published-24 Aug, 2025 | 07:02
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FNKvision Y215 CCTV Camera Firmware passwd hard-coded credentials

A vulnerability was identified in FNKvision Y215 CCTV Camera 10.194.120.40. Affected by this issue is some unknown functionality of the file /etc/passwd of the component Firmware. Such manipulation leads to hard-coded credentials. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-FNKvision
Product-Y215 CCTV Camera
CWE ID-CWE-259
Use of Hard-coded Password
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2025-4609
Assigner-Chrome
ShareView Details
Assigner-Chrome
CVSS Score-9.6||CRITICAL
EPSS-0.09% / 25.98%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 21:05
Updated-26 Aug, 2025 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Action-Not Available
Vendor-Microsoft CorporationGoogle LLC
Product-chromewindowsChrome
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-57801
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.01% / 0.45%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 19:54
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks

gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark’s native EdDSA and ECDSA circuits lack essential constraints, multiple distinct witnesses can satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from R and S, this enables signature malleability and may allow double spending. This issue has been addressed in version 0.14.0.

Action-Not Available
Vendor-Consensys
Product-gnark
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2025-43759
Assigner-Liferay, Inc.
ShareView Details
Assigner-Liferay, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.05% / 13.70%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 19:07
Updated-26 Aug, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants.

Action-Not Available
Vendor-Liferay Inc.
Product-DXPPortal
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-43762
Assigner-Liferay, Inc.
ShareView Details
Assigner-Liferay, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.22%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 18:43
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the forms, the files are stored in the document_library allowing an attacker to cause a potential DDoS.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-57771
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.09% / 27.21%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 16:35
Updated-22 Aug, 2025 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Roo-Code potential remote code execution via auto-execute command parsing flaw

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attacker access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This vulnerability could allow an attacker to execute arbitrary code. The issue is fixed in version 3.25.5.

Action-Not Available
Vendor-RooCodeInc
Product-Roo-Code
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-33120
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.8||HIGH
EPSS-0.01% / 2.04%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 14:54
Updated-23 Aug, 2025 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM QRadar SIEM privilege escalation

IBM QRadar SIEM 7.5 through 7.5.0 UP13 could allow an authenticated user to escalate their privileges via a misconfigured cronjob due to execution with unnecessary privileges.

Action-Not Available
Vendor-IBM Corporation
Product-QRadar SIEM
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2025-57888
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 8.81%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 11:59
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Jobmonster Theme <= 4.8.0 - Sensitive Data Exposure Vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NooTheme Jobmonster allows Retrieve Embedded Sensitive Data. This issue affects Jobmonster: from n/a through 4.8.0.

Action-Not Available
Vendor-NooTheme
Product-Jobmonster
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-9341
Assigner-91579145-5d7b-4cc5-b925-a0262ff19630
ShareView Details
Assigner-91579145-5d7b-4cc5-b925-a0262ff19630
CVSS Score-5.9||MEDIUM
EPSS-0.02% / 3.14%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 09:09
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Garbage collection can delay for AES CBC Native support, resulting in heap exhaustion

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files org/bouncycastle/crypto/fips/AESNativeCBC.Java. This issue affects Bouncy Castle for Java FIPS: from BC-FJA 2.1.0 through 2.1.0.

Action-Not Available
Vendor-Legion of the Bouncy Castle Inc.
Product-Bouncy Castle for Java FIPS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-43752
Assigner-Liferay, Inc.
ShareView Details
Assigner-Liferay, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.22%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the object entries attachment fields, the files are stored in the document_library allowing an attacker to cause a potential DDoS.

Action-Not Available
Vendor-Liferay Inc.
Product-PortalDXP
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-50691
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 9.66%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-22 Aug, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MCSManager 10.5.3 daemon process runs as a root account by default, and its sensitive data (including tokens and terminal content) is stored in the data directory, readable by all users. Other users on the system can read the daemon's key and use it to log in, leading to privilege escalation.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2025-52094
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.01% / 0.76%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-26 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure Permissions vulnerability in PDQ Smart Deploy V.3.0.2040 allows a local attacker to execute arbtirary code via the \HKLM\SYSTEM\Setup\SmartDeploy component

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-52287
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.05% / 14.31%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OperaMasks SDK ELite Script Engine v0.5.0 was discovered to contain a deserialization vulnerability.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-55631
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.89%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-22 Aug, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to manage users' sessions system wide instead of an account-by-account basis, potentially leading to a Denial of Service (DoS) via resource exhaustion.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-55634
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.82%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-22 Aug, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to cause a Denial of Service (DoS) via initiating a large number of simultaneous ffmpeg-based stream pushes.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-55581
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-0.01% / 0.23%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DCS-825L firmware version 1.08.01 and possibly prior versions contain an insecure implementation in the mydlink-watch-dog.sh script. The script monitors and respawns the `dcp` and `signalc` binaries without validating their integrity, origin, or permissions. An attacker with filesystem access (e.g., via UART or firmware modification) may replace these binaries to achieve persistent arbitrary code execution with root privileges. The issue stems from improper handling of executable trust and absence of integrity checks in the watchdog logic.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-494
Download of Code Without Integrity Check
CVE-2025-55622
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.57%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-28 Aug, 2025 | 13:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings.

Action-Not Available
Vendor-n/aReolink Innovation Limited
Product-reolinkn/a
CWE ID-CWE-491
Public cloneable() Method Without Final ('Object Hijack')
CVE-2022-45134
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 28.07%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 00:00
Updated-26 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. A particularly structured XML file could cause code execution when being processed.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-55231
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.64%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:50
Updated-28 Aug, 2025 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Storage-based Management Service Remote Code Execution Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Storage allows an unauthorized attacker to execute code over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Windows Server 2025Windows Server 2019 (Server Core installation)Windows Server 2016Windows Server 2025 (Server Core installation)Windows Server 2012 R2Windows Server 2022Windows Server 2019Windows Server 2016 (Server Core installation)Windows Server 2012 R2 (Server Core installation)
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2025-55229
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.27%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:50
Updated-28 Aug, 2025 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Certificate Spoofing Vulnerability

Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Windows 11 Version 24H2Windows 10 Version 1507Windows 10 Version 1607Windows 11 version 22H2Windows 11 version 22H3Windows 11 Version 23H2Windows 10 Version 21H2Windows Server 2025Windows Server 2019 (Server Core installation)Windows Server 2016Windows Server 2025 (Server Core installation)Windows Server 2022Windows 10 Version 22H2Windows 10 Version 1809Windows Server 2019Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2016 (Server Core installation)
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2025-3128
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.3||CRITICAL
EPSS-0.19% / 40.57%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:37
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mitsubishi Electric Europe smartRTU OS Command Injection

A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.

Action-Not Available
Vendor-Mitsubishi Electric Europe
Product-smartRTU
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-27721
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.05% / 14.39%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:33
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
INFINITT Healthcare INFINITT PACS Exposure of Sensitive System Information to an Unauthorized Control Sphere

Unauthorized users can access INFINITT PACS System Manager without proper authorization, which could lead to unauthorized access to system resources.

Action-Not Available
Vendor-INFINITT Healthcare
Product-INFINITT PACS System Manager
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 520
  • 521
  • Next