LiveActive security incident?Get immediate response
CVE archive

August 2025

Browse CVE records published in August 2025, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3352 matching CVEs · Page 1 of 68.

Medium · CVSS 5.3

CVE-2025-51529: Incorrect Access Control in the AJAX endpoint functionality in jonkastonka Cookies and Content Security Pol...

Incorrect Access Control in the AJAX endpoint functionality in jonkastonka Cookies and Content Security Policy plugin through version 2.29 allows remote attackers to cause a denial of service (database server resource exhaustion) via unlimited database write operations to the wp_ajax_nopriv_cacsp_insert_consent_data endpoint.

Published Aug 19, 2025 · Updated Jul 5, 2026

Critical · CVSS 10

CVE-2025-50567: Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which use...

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.

Published Aug 19, 2025 · Updated Jul 5, 2026

Medium · CVSS 6.5

CVE-2025-51060: An issue was discovered in CPUID cpuz.sys 1.0.5.4.

An issue was discovered in CPUID cpuz.sys 1.0.5.4. An attacker can use DeviceIoControl with the unvalidated parameters 0x9C402440 and 0x9C402444 as IoControlCodes to perform RDMSR and WRMSR, respectively. Through this process, the attacker can modify MSR_LSTAR and hook KiSystemCall64. Afterward, using Return-Oriented Programming (ROP), the attacker can manipulate the stack with pre-prepared gadgets, disable the SMAP flag in the CR4 register, and execute a user-mode syscall handler in the kernel context. It has not been confirmed whether this works on 32-bit Windows, but it functions on 64-bit Windows if the core isolation feature is either absent or disabled.

Published Aug 5, 2025 · Updated Jul 5, 2026

Medium · CVSS 6.5

CVE-2025-50864: An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Re...

An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, a malicious origin like "notexample.com", "example.common.net" is whitelisted when the site's CORS policy specifies "example.com." This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.

Published Aug 20, 2025 · Updated Jul 5, 2026

Medium · CVSS 6.1

CVE-2025-56432: A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2.

A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data.

Published Aug 26, 2025 · Updated Jul 5, 2026