Skip to main content
CVE-2025-5472 MEDIUM POC PATCH This Month

The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.

Denial Of Service Llamaindex Red Hat
NVD GitHub
CVSS 3.0
6.5
EPSS
0.0%
CVE-2025-6210 MEDIUM POC PATCH This Month

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in version 0.5.2.

Path Traversal Llamaindex D-Link Red Hat
NVD GitHub
CVSS 3.0
6.2
EPSS
0.0%
CVE-2025-4779 MEDIUM POC PATCH This Month

lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.

XSS Lunary
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-37656 MEDIUM POC This Month

An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the insufficient URL parameter verification in bbs/logout.php.

PHP Open Redirect Gnuboard
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-37658 MEDIUM POC PATCH This Month

An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the bbs/member_confirm.php.

PHP Open Redirect Gnuboard
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-37657 MEDIUM POC PATCH This Month

An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via thebbs/login.php component.

PHP Open Redirect Gnuboard
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-53526 MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. An XSS Injection vulnerability was identified in novo_memorando.php. After the memo was submitted, the vulnerability was confirmed by accessing listar_memorandos_antigos.php. Upon loading this page, the injected script was executed in the browser. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53525 MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the profile_familiar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_dependente parameter. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53377 MEDIUM POC PATCH This Month

WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_dependente_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_funcionario parameter. This vulnerability is fixed in 3.4.3.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-7114 MEDIUM POC This Month

A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. It has been declared as critical. Affected by this vulnerability is the function POST of the file apps/sim/app/api/files/upload/route.ts of the component Session Handler. The manipulation of the argument Request leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-7147 MEDIUM POC This Month

A vulnerability has been found in CodeAstro Patient Record Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument uname leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7136 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Campcodes Online Recruitment Management System 1.0. Affected is an unknown function of the file /admin/view_vacancy.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7135 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /admin/ajax.php?action=save_vacancy. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7134 MEDIUM POC This Month

A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_application. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7132 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_payroll. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7131 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_employee_attendance. The manipulation of the argument employee_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7130 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /ajax.php?action=delete_payroll. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7129 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /ajax.php?action=delete_employee_attendance_single. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7128 MEDIUM POC This Month

A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /ajax.php?action=calculate_payroll. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7122 MEDIUM POC This Month

A vulnerability was found in Campcodes Complaint Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7120 MEDIUM POC This Month

A vulnerability was found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /users/check_availability.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7119 MEDIUM POC This Month

A vulnerability has been found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /users/index.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-3467 MEDIUM POC PATCH This Month

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.

XSS Mozilla Dify Firefox
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-7107 MEDIUM POC PATCH This Month

A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as b2450530d1ddd0397a11001a72aa0fde401db16a. It is recommended to apply a patch to fix this issue.

Path Traversal Sim
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-3044 MEDIUM POC PATCH This Month

A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in version 0.12.28.

Information Disclosure Llamaindex Red Hat
NVD GitHub
CVSS 3.0
5.3
EPSS
0.0%
CVE-2025-3264 MEDIUM POC PATCH This Month

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\s*try\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

Python Denial Of Service Transformers Hugging Face AI / ML +1
NVD GitHub
CVSS 3.0
5.3
EPSS
0.0%
CVE-2025-3263 MEDIUM POC PATCH This Month

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Denial Of Service Transformers Hugging Face AI / ML Red Hat
NVD GitHub
CVSS 3.0
5.3
EPSS
0.0%
CVE-2025-53167 MEDIUM This Month

CVE-2025-53167 is a security vulnerability (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Information Disclosure Harmonyos
NVD
CVSS 3.1
6.9
EPSS
0.0%
CVE-2025-3705 MEDIUM This Month

A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive.

Command Injection
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-20319 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.<br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information.

Command Injection Splunk
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-1351 MEDIUM This Month

IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function.

Race Condition Privilege Escalation IBM Storage Virtualize
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-53185 MEDIUM This Month

Virtual address reuse issue in the memory management module, which can be exploited by non-privileged users to access released memory Impact: Successful exploitation of this vulnerability may affect service integrity.

Information Disclosure Use After Free Memory Corruption Emui Harmonyos
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-7259 MEDIUM PATCH This Month

An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.

Memory Corruption Denial Of Service Ubuntu Debian MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-6712 MEDIUM PATCH This Month

MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability. This issue affects MongoDB Server v8.0 versions prior to 8.0.10

Denial Of Service Ubuntu Debian MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53375 MEDIUM PATCH This Month

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access (e.g., /etc/passwd, application source, environment variable files containing credentials and secrets). This may lead to full compromise of other services or lateral movement. This vulnerability is fixed in 0.23.7.

Path Traversal Dokploy
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53184 MEDIUM This Month

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.

Heap Overflow Buffer Overflow Denial Of Service Harmonyos
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53183 MEDIUM This Month

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.

Heap Overflow Buffer Overflow Denial Of Service Harmonyos
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53182 MEDIUM This Month

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.

Heap Overflow Buffer Overflow Denial Of Service Harmonyos
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53181 MEDIUM This Month

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.

Heap Overflow Buffer Overflow Denial Of Service Harmonyos
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53180 MEDIUM This Month

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.

Heap Overflow Buffer Overflow Denial Of Service Harmonyos
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53179 MEDIUM This Month

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.

Heap Overflow Buffer Overflow Denial Of Service Harmonyos
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-20321 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

CSRF Splunk Splunk Cloud Platform
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-24508 MEDIUM This Month

CVE-2025-24508 is a security vulnerability (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-20320 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

Denial Of Service Path Traversal Splunk Cloud Platform Splunk
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-7056 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - UrlShortener Extension allows Stored XSS.This issue affects Mediawiki - UrlShortener Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

XSS
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-53488 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - WikiHiero Extension allows Stored XSS.This issue affects Mediawiki - WikiHiero Extension: from 1.43.X before 1.43.2.

XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-6044 MEDIUM PATCH This Month

An Improper Access Control vulnerability in the Stylus Tools component of Google ChromeOS version 16238.64.0 on the garaged stylus devices allows a physical attacker to bypass the lock screen and access user files by removing the stylus while the device is closed and using the screen capture feature.

Google Authentication Bypass Chrome Os Chrome
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-43190 MEDIUM This Month

IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle techniques.

Information Disclosure IBM Engineering Requirements Management Doors Engineering Requirements Management Doors Web Access
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-53186 MEDIUM This Month

Vulnerability that allows third-party call apps to send broadcasts without verification in the audio framework module Impact: Successful exploitation of this vulnerability may affect availability.

Privilege Escalation Harmonyos Emui
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-53168 MEDIUM This Month

CVE-2025-53168 is a security vulnerability (CVSS 5.7) that allows the peer device. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Harmonyos
NVD
CVSS 3.1
5.7
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy