) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
-
CVE-2025-57665 - Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values dire... read CVE-2025-57665
Published: September 09, 2025; 2:15:36 PM -0400 -
CVE-2025-54349 - In iperf before 3.19.1, iperf_auth.c has an off-by-one error and resultant heap-based buffer overflow.
Published: August 02, 2025; 10:15:35 PM -0400V3.1: 10.0 CRITICAL
-
CVE-2025-34176 - In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. This value is directly used in a file existence check operation. While the contents of the fi... read CVE-2025-34176
Published: September 09, 2025; 5:15:35 PM -0400V3.1: 4.3 MEDIUM
-
CVE-2025-49458 - Buffer overflow in certain Zoom Workplace Clients may allow an authenticated user to conduct a denial of service via network access.
Published: September 09, 2025; 6:15:32 PM -0400 -
CVE-2025-49460 - Uncontrolled resource consumption in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access.
Published: September 09, 2025; 6:15:32 PM -0400V3.1: 7.5 HIGH
-
CVE-2025-37925 - In the Linux kernel, the following vulnerability has been resolved: jfs: reject on-disk inodes of an unsupported type Syzbot has reported the following BUG: kernel BUG at fs/inode.c:668! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU... read CVE-2025-37925
Published: April 18, 2025; 3:15:43 AM -0400V3.1: 5.5 MEDIUM
-
CVE-2025-57642 - A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP shell scripts on the server, leading to remote code execution and unauthorized access to the system. This can result in the compro... read CVE-2025-57642
Published: September 10, 2025; 1:15:33 PM -0400 -
CVE-2025-59375 - libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
Published: September 14, 2025; 11:15:40 PM -0400 -
CVE-2025-53644 - OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG images. Version 4.12.0 fixes the vulnerability.
Published: July 17, 2025; 2:15:27 PM -0400V3.1: 9.8 CRITICAL
-
CVE-2025-10370 - A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. The manipulation of the argument Custom script leads to cross site scripting. The attack is possi... read CVE-2025-10370
Published: September 13, 2025; 1:15:31 PM -0400V3.1: 5.4 MEDIUM
-
CVE-2025-55976 - Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint. Any unauthenticated user on the local network can directly obtain the Wi-Fi network password by querying this endpoint.
Published: September 10, 2025; 2:15:33 PM -0400 -
CVE-2025-45662 - A cross-site scripting (XSS) vulnerability in the component /master/login.php of mpgram-web commit 94baadb allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload.
Published: July 10, 2025; 4:15:26 PM -0400 -
CVE-2025-45156 - Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users.
Published: July 18, 2025; 1:15:29 PM -0400 -
CVE-2025-45157 - Insecure permissions in Splashin iOS v2.0 allow unauthorized attackers to access location data for specific users.
Published: July 18, 2025; 1:15:30 PM -0400 -
CVE-2025-45467 - Unitree Go1 <= Go1_2022_05_11 is vulnerable to Insecure Permissions as the firmware update functionality (via Wi-Fi/Ethernet) implements an insecure verification mechanism that solely relies on MD5 checksums for firmware integrity validation.
Published: July 25, 2025; 11:15:29 AM -0400 -
CVE-2025-45466 - Unitree Go1 <= Go1_2022_05_11 is vulnerale to Incorrect Access Control due to authentication credentials being hardcoded in plaintext.
Published: July 25, 2025; 12:15:33 PM -0400 -
CVE-2025-45150 - Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request.
Published: August 01, 2025; 1:15:51 PM -0400 -
CVE-2024-9950 - A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows unauthenticated user to modify compliance scripts due to insecure temporary directory.
Published: January 02, 2025; 11:15:08 AM -0500V3.1: 7.8 HIGH
-
CVE-2025-46709 - Possible memory leak or kernel exceptions caused by reading kernel heap data after free or NULL pointer dereference kernel exception.
Published: August 08, 2025; 8:15:26 PM -0400 -
CVE-2025-45146 - ModelCache for LLM through v0.2.0 was discovered to contain an deserialization vulnerability via the component /manager/data_manager.py. This vulnerability allows attackers to execute arbitrary code via supplying crafted data.
Published: August 11, 2025; 12:15:30 PM -0400