LiveActive security incident?Get immediate response
CVE archive

July 2025

Browse CVE records published in July 2025, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3643 matching CVEs · Page 2 of 73.

Low · CVSS 3.7

CVE-2025-51591: A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise...

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.

Published Jul 11, 2025 · Updated Jul 5, 2026

High · CVSS 8.6

CVE-2025-50850: An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security co...

An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.

Published Jul 31, 2025 · Updated Jul 5, 2026

High · CVSS 8

CVE-2025-50849: CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR).

CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers.

Published Jul 31, 2025 · Updated Jul 5, 2026

Medium · CVSS 6.1

CVE-2025-50848: A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code.

A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.

Published Jul 31, 2025 · Updated Jul 5, 2026

High · CVSS 7.8

CVE-2025-50777: The firmware of the AZIOT 2MP Full HD Smart Wi-Fi CCTV Home Security Camera (version V1.00.02) contains an...

The firmware of the AZIOT 2MP Full HD Smart Wi-Fi CCTV Home Security Camera (version V1.00.02) contains an Incorrect Access Control vulnerability that allows local attackers to gain root shell access. Once accessed, the device exposes critical data including Wi-Fi credentials and ONVIF service credentials stored in plaintext, enabling further compromise of the network and connected systems.

Published Jul 30, 2025 · Updated Jul 5, 2026

High · CVSS 8.8

CVE-2025-29534: An authenticated remote code execution vulnerability in PowerStick Wave Dual-Band Wifi Extender V1.0 allows...

An authenticated remote code execution vulnerability in PowerStick Wave Dual-Band Wifi Extender V1.0 allows an attacker with valid credentials to execute arbitrary commands with root privileges. The issue stems from insufficient sanitization of user-supplied input in the /cgi-bin/cgi_vista.cgi executable, which is passed to a system-level function call.

Published Jul 28, 2025 · Updated Jul 5, 2026