LiveActive security incident?Get immediate response
CVE archive

June 2025

Browse CVE records published in June 2025, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3542 matching CVEs · Page 3 of 71.

Medium · CVSS 5.3

CVE-2025-32394: AutoGPT: There is a DoS vulnerability in AITextSummarizerBlock

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32.

Published Jun 26, 2026 · Updated Jun 27, 2026

Critical · CVSS 9.3

CVE-2025-71333: Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

Published Jun 25, 2026 · Updated Jun 27, 2026

High · CVSS 8.6

CVE-2025-71335: Flowise - Session Invalidation Failure After Password Change

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the legitimate user even after the user rotates their credentials, undermining the security purpose of the password change.

Published Jun 25, 2026 · Updated Jun 26, 2026

Critical · CVSS 9.1

CVE-2025-64152: Apache IoTDB: Path Traversal Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.6 and 2.0.7, which fixes the issue.

Published Jun 26, 2026 · Updated Jun 26, 2026

Critical · CVSS 9.1

CVE-2025-55017: Apache IoTDB: Path Traversal Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6. Users are recommended to upgrade to version 1.3.6 and 2.0.6, which fixes the issue.

Published Jun 26, 2026 · Updated Jun 26, 2026

Critical · CVSS 9.6

CVE-2025-11919: Unprotected temporary directories in Wolfram Cloud may result in privilege escalation

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.

Published Jun 26, 2026 · Updated Jun 26, 2026

High · CVSS 8.7

CVE-2025-71328: Flowise - Unverified Password Change via Account Settings

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-password check on the credential change. This can lead to full account takeover, particularly if an attacker can hijack or coerce an authenticated session.

Published Jun 25, 2026 · Updated Jun 26, 2026

High · CVSS 8.1

CVE-2025-71340: picklescan - Remote Code Execution via idlelib.pyshell.ModifiedInterpreter.runcode

picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when the file is loaded via pickle.load(), enabling supply chain attacks on PyTorch models and saved Python objects. This is fixed in version 0.0.30.

Published Jun 25, 2026 · Updated Jun 26, 2026

Critical · CVSS 9.3

CVE-2025-71327: Flowise - Authentication Bypass via Unprotected Registration Endpoint

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

Published Jun 25, 2026 · Updated Jun 26, 2026

Critical · CVSS 10

CVE-2025-71338: Flowise - Arbitrary File Write to Remote Code Execution via document-store API

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

Published Jun 25, 2026 · Updated Jun 26, 2026

Critical · CVSS 9.8

CVE-2025-71334: Flowise - Arbitrary File Access via Missing Chat Flow ID Validation

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value (e.g., '../../../../../tmp') as the chatflow id, an unauthenticated attacker can use the /api/v1/chatflows endpoint (via addBase64FilesToStorage) to write arbitrary files, and the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints (via streamStorageFile) to read arbitrary files. Arbitrary file write may lead to remote code execution.

Published Jun 25, 2026 · Updated Jun 26, 2026

Medium · CVSS 4.9

CVE-2025-64719: Gogs: Denial of Service in repository/wiki file listing web pages

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3.

Published Jun 24, 2026 · Updated Jun 25, 2026

Medium · CVSS 5.5

CVE-2025-60468: GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: B...

GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. ¶¶ In GPAC s MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.

Published Jun 24, 2026 · Updated Jun 25, 2026

High · CVSS 8.5

CVE-2025-71332: Flowise - SQL Injection in importChatflows API via chatflow.id Parameter

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.

Published Jun 24, 2026 · Updated Jun 24, 2026

Medium · CVSS 5.1

CVE-2025-64105: FOSSBilling: IDOR Vulnerability in Support Ticket Creation

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when rel_type=order, an authenticated client can create a support ticket that references another client's order they do not own. The ticketCreateForClient() method accepted rel_id without verifying order ownership for non-upgrade tasks, allowing clients to link a new ticket to another client's order by crafting the request. No cron task automatically processes cancel/upgrade requests from ticket relations; staff action is required. This affects integrity and confidentiality: staff could be misled into acting on the wrong order (e.g., cancellation or upgrade requests). While there is no client-to-client order data exposure, order IDs may appear in ticket context. This issue has been fixed in version 0.8.0.

Published Jun 23, 2026 · Updated Jun 24, 2026

High · CVSS 7.2

CVE-2025-52465: GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file can not already exist and all parent directories must already exist. Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.

Published Jun 18, 2026 · Updated Jun 24, 2026

High · CVSS 8.1

CVE-2025-71344: picklescan - Arbitrary Code Execution via Undetected ensurepip._run_pip Function

picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.

Published Jun 22, 2026 · Updated Jun 23, 2026