Monthly Archive: July 2025

MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a...

MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter “layer” is reflected in an error message without html encoding. This leads to XSS and allows an unauthenticated attacker to execute...

Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages. More information : https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0122906

Grandstream Networks GXP1628

An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi. More information : http://grandstream.com

A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter. More information : https://gist.github.com/im4x/10738ee219d69024387737fb14cdba9f

The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL...

langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this...

Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the...

A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which...

An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information...

Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software’s Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and...

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.  Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the...

Improper Neutralization of CRLF Sequences (‘CRLF Injection’) vulnerability in DECE Software Geodi allows HTTP Request Splitting.This issue affects Geodi: before GEODI Setup 9.0.146. More information : https://www.usom.gov.tr/bildirim/tr-25-0182