LiveActive security incident?Get immediate response
CVE archive

April 2025

Browse CVE records published in April 2025, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3966 matching CVEs · Page 1 of 80.

Critical · CVSS 9.1

CVE-2025-41118: Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

Published Apr 15, 2026 · Updated Jul 10, 2026

High · CVSS 7

CVE-2025-62718: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Published Apr 9, 2026 · Updated Jul 10, 2026

High · CVSS 7.5

CVE-2025-48431: Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

Published Apr 28, 2026 · Updated Jul 9, 2026

Medium · CVSS 5.4

CVE-2025-63743: Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and inclu...

Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via "Name" and "Surname" fields. The JavaScript code is executed whenever "Activity Report" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2.

Published Apr 13, 2026 · Updated Jul 5, 2026

High · CVSS 8.8

CVE-2025-70364: An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbi...

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.

Published Apr 9, 2026 · Updated Jul 5, 2026

High · CVSS 7.5

CVE-2025-69624: Nitro PDF Pro before 14.43 for Windows contains a NULL pointer dereference vulnerability in the JavaScript...

Nitro PDF Pro before 14.43 for Windows contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF. For example, 14.41.1.4 and 14.42.0.34 have been reported as vulnerable.

Published Apr 13, 2026 · Updated Jul 5, 2026

Medium · CVSS 5.3

CVE-2025-60887: An issue was discovered in Cista v0.15 and below.

An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under the cista::raw namespace are prone to reference tampering, where Cista does not perform sufficient checks to safeguard against self-referencing pointers and referencing other data within the payload. The leak occurs if the deserialized values are observable by the attacker.

Published Apr 28, 2026 · Updated Jul 5, 2026

Critical · CVSS 9.8

CVE-2025-61260: A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through m...

A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

Published Apr 14, 2026 · Updated Jul 5, 2026

Medium · CVSS 4.6

CVE-2025-69893: A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Tre...

A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched.

Published Apr 14, 2026 · Updated Jul 5, 2026

High · CVSS 8.4

CVE-2025-69627: Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of t...

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes.

Published Apr 13, 2026 · Updated Jul 5, 2026

Medium · CVSS 5.4

CVE-2025-70365: A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encodin...

A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. NOTE: the Supplier's position is that a fix for this had already been released for the 8.3.1 branch before the CVE Record was published.

Published Apr 9, 2026 · Updated Jul 5, 2026

Critical · CVSS 9.8

CVE-2025-45949: A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3...

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover.

Published Apr 28, 2025 · Updated Jul 5, 2026

Unknown · CVSS Not scored

CVE-2025-23131: dlm: prevent NPD when writing a positive value to event_done

In the Linux kernel, the following vulnerability has been resolved: dlm: prevent NPD when writing a positive value to event_done do_uevent returns the value written to event_done. In case it is a positive value, new_lockspace would undo all the work, and lockspace would not be set. __dlm_new_lockspace, however, would treat that positive value as a success due to commit 8511a2728ab8 ("dlm: fix use count with multiple joins"). Down the line, device_create_lockspace would pass that NULL lockspace to dlm_find_lockspace_local, leading to a NULL pointer dereference. Treating such positive values as successes prevents the problem. Given this has been broken for so long, this is unlikely to break userspace expectations.

Published Apr 16, 2025 · Updated Jul 4, 2026

High · CVSS 7.8

CVE-2025-14576: Possible QML code injection in VectorImage component

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Published Apr 30, 2026 · Updated Jun 30, 2026

Critical · CVSS 9.3

CVE-2025-14813: GOSTCTR implementation unable to process more than 255 blocks correctly

: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. This issue affects BC-JAVA: from 1.59 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Published Apr 15, 2026 · Updated Jun 30, 2026

Medium · CVSS 4.3

CVE-2025-4035: Libsoup: cookie domain validation bypass via uppercase characters in libsoup

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

Published Apr 29, 2025 · Updated Jun 30, 2026

High · CVSS 7.8

CVE-2025-14821: Libssh: libssh: insecure default configuration leads to local man-in-the-middle attacks on windows

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.

Published Apr 7, 2026 · Updated Jun 30, 2026

Medium · CVSS 5.7

CVE-2025-13763: Libopensc: opensc: multiple uses of uninitialized variable

Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs

Published Apr 23, 2026 · Updated Jun 30, 2026

Medium · CVSS 5.3

CVE-2025-32907: Libsoup: denial of service in server when client requests a large amount of overlapping ranges with range header

A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.

Published Apr 14, 2025 · Updated Jun 30, 2026

Medium · CVSS 5.9

CVE-2025-3576: Krb5: kerberos rc4-hmac-md5 checksum vulnerability enabling message spoofing via md5 collisions

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Published Apr 15, 2025 · Updated Jun 30, 2026