Latest CVEs
Updates on the latest vulnerabilities detected.
-
CVE-2025-7125 - iSourcecode Employee Management System SQL Injection
CVE ID :CVE-2025-7125
Published : July 7, 2025, 11:15 a.m. | 1 hour, 9 minutes ago
Description :A vulnerability classified as critical was found in itsourcecode Employee Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/editempeducation.php. The manipulation of the argument coursepg leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-7124 - "Code-projects Online Note Sharing Unrestricted File Upload Vulnerability"
CVE ID :CVE-2025-7124
Published : July 7, 2025, 11:15 a.m. | 1 hour, 9 minutes ago
Description :A vulnerability classified as critical has been found in code-projects Online Note Sharing 1.0. Affected is an unknown function of the file /dashboard/userprofile.php of the component Profile Image Handler. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-7123 - Campcodes Complaint Management System SQL Injection Vulnerability
CVE ID :CVE-2025-7123
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A vulnerability was found in Campcodes Complaint Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/complaint-details.php. The manipulation of the argument cid/uid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-7122 - Campcodes Complaint Management System SQL Injection Vulnerability
CVE ID :CVE-2025-7122
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A vulnerability was found in Campcodes Complaint Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-6386 - Apache Parisneo Timing Attack in Lollms Authentication
CVE ID :CVE-2025-6386
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-6210 - ObsidianReader Hardlink-Based Path Traversal Vulnerability
CVE ID :CVE-2025-6210
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in version 0.5.2.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-5472 - Llama Index JSONReader Stack Overflow Denial of Service Vulnerability
CVE ID :CVE-2025-5472
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-4779 - Lunary Ai Lunary Stored Cross-Site Scripting (XSS)
CVE ID :CVE-2025-4779
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3777 - YouTube URL Validation Bypass in Hugging Face Transformers
CVE ID :CVE-2025-3777
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3705 - FirmwareLoader OS Command Injection
CVE ID :CVE-2025-3705
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3626 - Apache Device OS Command Injection
CVE ID :CVE-2025-3626
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3467 - Dify Firefox XSS Token Stealer
CVE ID :CVE-2025-3467
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3466 - Langgenius Dify Arbitrary Code Execution Vulnerability
CVE ID :CVE-2025-3466
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictions are imposed. This can lead to unauthorized access to secret keys, internal network servers, and lateral movement within dify.ai. The issue is resolved in version 1.1.3.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3264 - Hugging Face Transformers Regular Expression Denial of Service (ReDoS)
CVE ID :CVE-2025-3264
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\s*try\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3263 - Hugging Face Transformers ReDoS Vulnerability
CVE ID :CVE-2025-3263
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3262 - Apache Transformers ReDoS
CVE ID :CVE-2025-3262
Published : July 7, 2025, 10:15 a.m. | 2 hours, 9 minutes ago
Description :A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3225 - LLama Index XML Entity Expansion Denial of Service
CVE ID :CVE-2025-3225
Published : July 7, 2025, 10:15 a.m. | 2 hours, 10 minutes ago
Description :An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3046 - "Obsidian Reader Symbolic Link File Read Vulnerability"
CVE ID :CVE-2025-3046
Published : July 7, 2025, 10:15 a.m. | 2 hours, 10 minutes ago
Description :A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3044 - ArxivReader MD5 Hash Collision Vulnerability
CVE ID :CVE-2025-3044
Published : July 7, 2025, 10:15 a.m. | 2 hours, 10 minutes ago
Description :A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in version 0.12.28.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-43334 - Gavias Halpes Cross-site Scripting (XSS)
CVE ID :CVE-2024-43334
Published : July 7, 2025, 10:15 a.m. | 2 hours, 10 minutes ago
Description :Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gavias Halpes allows Reflected XSS.This issue affects Halpes: from n/a before 1.2.5.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...