Total
35128 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-4284 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-10 | N/A |
| A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software. | ||||
| CVE-2020-18770 | 2 Gdraheim, Redhat | 2 Zziplib, Enterprise Linux | 2025-07-10 | 5.5 Medium |
| An issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service. | ||||
| CVE-2018-6541 | 3 Canonical, Gdraheim, Redhat | 3 Ubuntu Linux, Zziplib, Enterprise Linux | 2025-07-10 | N/A |
| In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address (when handling disk64_trailer local entries) in __zzip_fetch_disk_trailer (zzip/zip.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. | ||||
| CVE-2018-6542 | 1 Gdraheim | 1 Zziplib | 2025-07-10 | N/A |
| In ZZIPlib 0.13.67, there is a bus error (when handling a disk64_trailer seek value) caused by loading of a misaligned address in the zzip_disk_findfirst function of zzip/mmapped.c. | ||||
| CVE-2018-6484 | 2 Canonical, Gdraheim | 2 Ubuntu Linux, Zziplib | 2025-07-10 | N/A |
| In ZZIPlib 0.13.67, there is a memory alignment error and bus error in the __zzip_fetch_disk_trailer function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. | ||||
| CVE-2018-6540 | 2 Canonical, Gdraheim | 2 Ubuntu Linux, Zziplib | 2025-07-10 | N/A |
| In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address in the zzip_disk_findfirst function of zzip/mmapped.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. | ||||
| CVE-2024-3101 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-09 | 7.2 High |
| In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access. | ||||
| CVE-2024-3569 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-09 | N/A |
| A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware with a specially crafted 'Authorization:' header. This vulnerability leads to uncontrolled resource consumption, causing a DoS condition. | ||||
| CVE-2024-3028 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-09 | N/A |
| mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the application's '.env' file, and even delete files by setting the 'logo_filename' to the path of the target file and invoking the 'remove-logo' API endpoint. This vulnerability is due to the lack of proper sanitization of user-supplied input. | ||||
| CVE-2024-3029 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-09 | 8.0 High |
| In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multi_user_mode'. The vulnerability allows an attacker to remove all existing users and potentially create a new admin user without requiring a password, leading to unauthorized access and control over the application. | ||||
| CVE-2025-49003 | 1 Dataease | 1 Dataease | 2025-07-09 | 9.8 Critical |
| DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available. | ||||
| CVE-2025-0191 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-07-09 | N/A |
| A Denial of Service (DoS) vulnerability exists in the file upload feature of gaizhenbiao/chuanhuchatgpt version 20240914. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users. | ||||
| CVE-2023-3735 | 1 Google | 1 Chrome | 2025-07-09 | 4.3 Medium |
| Inappropriate implementation in Web API Permission Prompts in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2023-36908 | 1 Microsoft | 12 Windows 10, Windows 10 1607, Windows 10 1809 and 9 more | 2025-07-09 | 6.5 Medium |
| Windows Hyper-V Information Disclosure Vulnerability | ||||
| CVE-2023-35380 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2025-07-09 | 7.8 High |
| Windows Kernel Elevation of Privilege Vulnerability | ||||
| CVE-2020-26082 | 1 Cisco | 8 Asyncos, Email Security Appliance C170, Email Security Appliance C190 and 5 more | 2025-07-09 | 5.8 Medium |
| A vulnerability in the zip decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass content filters that are configured on an affected device. The vulnerability is due to improper handling of password-protected zip files. An attacker could exploit this vulnerability by sending a malicious file inside a crafted zip-compressed file to an affected device. A successful exploit could allow the attacker to bypass configured content filters that would normally drop the email. | ||||
| CVE-2025-46717 | 1 Trifectatech | 1 Sudo | 2025-07-09 | 3.3 Low |
| sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability. | ||||
| CVE-2025-46718 | 1 Trifectatech | 1 Sudo | 2025-07-09 | 3.3 Low |
| sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This vulnerability allows users with limited sudo privileges to enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used to more targeted attacks. Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory. Version 0.2.6 fixes the vulnerability. | ||||
| CVE-2020-1192 | 1 Microsoft | 1 Python | 2025-07-08 | 7.8 High |
| A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1171. | ||||
| CVE-2020-1171 | 1 Microsoft | 1 Python | 2025-07-08 | 8.8 High |
| A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads configuration files after opening a project, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1192. | ||||