Skip to main content
CVE-2025-32023 HIGH POC PATCH THREAT Act Now

Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.

Redis RCE Buffer Overflow Ubuntu Debian +2
NVD GitHub Exploit-DB
CVSS 3.1
7.0
EPSS
10.7%
CVE-2025-7116 HIGH POC This Week

A vulnerability classified as critical has been found in UTT 进取 750W up to 3.2.2-191225. This affects an unknown part of the file /goform/Fast_wireless_conf. The manipulation of the argument ssid leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Buffer Overflow 750w Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-7117 HIGH POC This Week

A vulnerability classified as critical was found in UTT HiPER 840G up to 3.1.1-190328. This vulnerability affects unknown code of the file /goform/websWhiteList. The manipulation of the argument addHostFilter leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Buffer Overflow 840g Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-7118 HIGH POC This Week

A vulnerability, which was classified as critical, has been found in UTT HiPER 840G up to 3.1.1-190328. This issue affects some unknown processing of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Buffer Overflow 840g Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-25177 HIGH POC PATCH This Week

LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).

Null Pointer Dereference Denial Of Service Ubuntu Debian Luajit +2
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-53531 HIGH POC PATCH This Week

WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the fid parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Denial Of Service Wegia
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-53530 HIGH POC PATCH This Week

WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the errorstr parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Denial Of Service Wegia
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-3225 HIGH POC PATCH This Week

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.

Denial Of Service Llamaindex Red Hat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.1%
CVE-2025-3262 HIGH POC PATCH This Week

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

Denial Of Service Transformers Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53539 HIGH POC PATCH This Week

FastAPI Guard is a security library for FastAPI that provides middleware to control IPs, log requests, and detect penetration attempts. fastapi-guard's penetration attempts detection uses regex to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs. This vulnerability is fixed in 3.0.1.

Denial Of Service Fastapi Guard
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-3046 HIGH POC PATCH This Week

A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

Path Traversal Llamaindex Red Hat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.1%
CVE-2025-6209 HIGH POC PATCH This Week

A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

Path Traversal Llamaindex Red Hat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.1%
CVE-2025-3466 HIGH POC PATCH This Week

CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.

RCE Authentication Bypass Dify
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-6804 HIGH Act Now

Marvell QConvergeConsole compressFirmwareDumpFiles Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the compressFirmwareDumpFiles method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24924.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.0
7.5
EPSS
13.3%
CVE-2025-6803 HIGH Act Now

Marvell QConvergeConsole compressDriverFiles Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the compressDriverFiles method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24923.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.0
7.5
EPSS
13.3%
CVE-2025-6800 HIGH Act Now

Marvell QConvergeConsole restoreESwitchConfig Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the restoreESwitchConfig method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24920.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.0
7.5
EPSS
13.3%
CVE-2025-6799 HIGH Act Now

Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadBytes method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24919.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.0
7.5
EPSS
13.3%
CVE-2025-6797 HIGH Act Now

Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadBytes method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24917.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.0
7.5
EPSS
13.3%
CVE-2025-6796 HIGH Act Now

Marvell QConvergeConsole getAppFileBytes Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getAppFileBytes method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24916.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.0
7.5
EPSS
13.3%
CVE-2025-53376 HIGH PATCH This Week

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.

Command Injection Docker Dokploy
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-53373 HIGH PATCH This Week

A security vulnerability in Natours (CVSS 8.9). High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-53540 HIGH PATCH This Week

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulting in remote code execution (RCE). This vulnerability is fixed in 3.2.1.

RCE CSRF
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-3920 HIGH PATCH This Week

A security vulnerability in A vulnerability (CVSS 8.5). High severity vulnerability requiring prompt remediation.

Authentication Bypass
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-36014 HIGH This Week

IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.

RCE Code Injection IBM Integration Bus
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-53536 HIGH PATCH This Week

Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.

RCE PHP Information Disclosure Path Traversal Roo Code
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-5987 HIGH PATCH This Week

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library.

OpenSSL Denial Of Service Libssh
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-6806 HIGH This Week

Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the decryptFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24979.

Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2025-6801 HIGH This Week

Marvell QConvergeConsole saveNICParamsToFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the saveNICParamsToFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24921.

Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2025-6663 HIGH PATCH This Week

GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability.

RCE Buffer Overflow Stack Overflow Gstreamer Red Hat
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-6807 HIGH This Week

Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getDriverTmpPath method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24980.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2025-6795 HIGH This Week

Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadSize method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24914.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2025-6713 HIGH PATCH This Week

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

Authentication Bypass Ubuntu Debian MongoDB
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2023-51232 HIGH PATCH This Week

Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.11 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot ('.').

Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-53169 HIGH This Week

Vulnerability of bypassing the process to start SA and use related functions on distributed cameras Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness.

Authentication Bypass Harmonyos
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-26780 HIGH This Week

An issue was discovered in L2 in Samsung Mobile Processor and Modem Exynos 2400 and Modem 5400. The lack of a length check leads to a Denial of Service via a malformed PDCP packet.

Samsung Denial Of Service Modem 5400 Firmware Exynos 2400 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-48367 HIGH PATCH This Week

Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

Redis Denial Of Service Ubuntu Debian Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-52492 HIGH This Week

A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services.

Information Disclosure Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6386 HIGH PATCH This Week

CVE-2025-6386 is a security vulnerability (CVSS 7.5) that allows attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Python
NVD GitHub
CVSS 3.0
7.5
EPSS
0.1%
CVE-2025-6714 HIGH PATCH This Week

MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9 Required Configuration: This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.

Denial Of Service Ubuntu Debian MongoDB
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-7115 HIGH This Week

A vulnerability was found in rowboatlabs rowboat up to 8096eaf63b5a0732edd8f812bee05b78e214ee97. It has been rated as critical. Affected by this issue is the function PUT of the file apps/rowboat/app/api/uploads/[fileId]/route.ts of the component Session Handler. The manipulation of the argument params leads to missing authentication. The attack may be launched remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. It is expected that this issue will be fixed in the near future.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-53473 HIGH This Week

Server-side request forgery (SSRF) vulnerability exists n multiple versions of Nimesa Backup and Recovery, If this vulnerability is exploited, unintended requests may be sent to internal servers.

SSRF Red Hat
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2025-7145 HIGH This Week

ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host.

Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2024-43334 HIGH PATCH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gavias Halpes allows Reflected XSS.This issue affects Halpes: from n/a before 1.2.5.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy