| CVE-2025-28407 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endpoint does not properly validate whether the requesting user has permission to modify the specified dictId | high |
| CVE-2025-28406 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter | critical |
| CVE-2025-28405 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method | critical |
| CVE-2025-28403 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method does not properly validate whether the requesting user has administrative privileges before allowing modifications to system configuration settings | high |
| CVE-2025-28402 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter | critical |
| CVE-2025-28401 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the menuId parameter | medium |
| CVE-2025-28400 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the postID parameter in the edit method | medium |
| CVE-2025-3372 | A vulnerability, which was classified as critical, was found in PCMan FTP Server 2.0.7. Affected is an unknown function of the component MKDIR Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-3371 | A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. This issue affects some unknown processing of the component DELETE Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-3248 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. | critical |
| CVE-2025-32014 | estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3. | medium |
| CVE-2025-31476 | tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link. An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to execution of arbitrary JavaScript code, theft of sensitive data through phishing attacks, or modification of the user interface behavior. This vulnerability is fixed in 1.20.1. | medium |
| CVE-2025-31475 | tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potential security risks such as data corruption or unintended code execution. An attacker with high privileges could exploit this vulnerability to modify object prototypes, affecting core JavaScript behavior, cause application crashes or unexpected behavior, or potentially introduce further security vulnerabilities depending on the application's architecture. This vulnerability is fixed in 1.20.1. | medium |
| CVE-2025-31138 | tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values like 100%;height:100%;position:fixed;, potentially covering the entire viewport and facilitating clickjacking attacks. An attacker with high privileges could exploit this vulnerability to overlay malicious UI elements on top of legitimate content, trick users into interacting with hidden elements (clickjacking), or disrupt the intended functionality and accessibility of the website. This vulnerability is fixed in 1.20.1. | medium |
| CVE-2025-30373 | Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless. To mitigate the vulnerability, disable http-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9. | medium |
| CVE-2025-3370 | A vulnerability classified as critical has been found in PHPGurukul Men Salon Management System 1.0. This affects an unknown part of the file /admin/admin-profile.php. The manipulation of the argument contactnumber leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | medium |
| CVE-2025-3369 | A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /novel/friendLink/list. The manipulation of the argument sort leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-30195 | An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to an illegal memory accesses and crash of the Recursor, causing a denial of service. The remedy is: upgrade to the patched 5.2.1 version. We would like to thank Volodymyr Ilyin for bringing this issue to our attention. | high |
| CVE-2025-27686 | Dell Unisphere for PowerMax, version(s) prior to 10.2.0.9 and PowerMax version(s) prior to PowerMax 9.2.4.15, contain an Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection. | low |
| CVE-2025-2251 | A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication. | medium |
| CVE-2025-3360 | A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function. | low |
| CVE-2025-3359 | A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal may jeopardize the environment. | medium |
| CVE-2025-3353 | A vulnerability was found in PHPGurukul Men Salon Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/add-services.php. The manipulation of the argument cost leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-3352 | A vulnerability was found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/edit-scdetails.php. The manipulation of the argument contnum leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-3351 | A vulnerability has been found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/login.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-3350 | A vulnerability, which was classified as critical, was found in PHPGurukul Old Age Home Management System 1.0. Affected is an unknown function of the file /admin/view-enquiry.php. The manipulation of the argument viewid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-0050 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to make valid GPU processing operations, including via WebGL or WebGPU, to access a limited amount outside of buffer bounds.This issue affects Bifrost GPU Userspace Driver: from r0p0 through r49p2, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r19p0 through r49p2, from r50p0 through r53p0; Arm 5th Gen GPU Architecture Userspace Driver: from r41p0 through r49p2, from r50p0 through r53p0. | medium |
| CVE-2025-3349 | A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. This issue affects some unknown processing of the component SYST Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-3348 | A vulnerability classified as critical was found in code-projects Patient Record Management System 1.0. This vulnerability affects unknown code of the file /edit_dpatient.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-21448 | Transient DOS may occur while parsing SSID in action frames. | high |
| CVE-2025-21447 | Memory corruption may occur while processing device IO control call for session control. | high |
| CVE-2025-21443 | Memory corruption while processing message content in eAVB. | high |
| CVE-2025-21442 | Memory corruption while transmitting packet mapping information with invalid header payload size. | high |
| CVE-2025-21441 | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. | high |
| CVE-2025-21440 | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. | high |
| CVE-2025-21439 | Memory corruption may occur while reading board data via IOCTL call when the WLAN driver copies the content to the provided output buffer. | high |
| CVE-2025-21438 | Memory corruption while IOCTL call is invoked from user-space to read board data. | high |
| CVE-2025-21437 | Memory corruption while processing memory map or unmap IOCTL operations simultaneously. | high |
| CVE-2025-21436 | Memory corruption may occur while initiating two IOCTL calls simultaneously to create processes from two different threads. | high |
| CVE-2025-21435 | Transient DOS may occur while parsing extended IE in beacon. | high |
| CVE-2025-21434 | Transient DOS may occur while parsing EHT operation IE or EHT capability IE. | high |
| CVE-2025-21431 | Information disclosure may be there when a guest VM is connected. | medium |
| CVE-2025-21430 | Transient DOS while connecting STA to AP and initiating ADD TS request from AP to establish TSpec session. | high |
| CVE-2025-21429 | Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request. | high |
| CVE-2025-21428 | Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request from the AP to establish a TSpec session. | high |
| CVE-2025-21425 | Memory corruption may occur due top improper access control in HAB process. | high |
| CVE-2025-21423 | Memory corruption occurs when handling client calls to EnableTestMode through an Escape call. | high |
| CVE-2025-21421 | Memory corruption while processing escape code in API. | high |
| CVE-2024-49848 | Memory corruption while processing multiple IOCTL calls from HLOS to DSP. | medium |
| CVE-2024-45557 | Memory corruption can occur when TME processes addresses from TZ and MPSS requests without proper validation. | high |
