Computer Repair Center posts the daily security alert below. Please check whether your servers, web servers, email servers and PCs are affected by the vulnerabilities below and fix them as soon as possible. You may also contact our IT experts at 9145-7188.
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10web--10Web Booster Website speed optimization, Cache & Page Speed optimizer | The 10Web Booster - Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition. | 2025-12-06 | 9.6 | CVE-2025-13377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer |
| Advantech--iView | Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands. | 2025-12-04 | 7.5 | CVE-2025-13373 | https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183 https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json |
| aimeos--ai-cms-grapesjs | The Aimeos GrapesJS CMS extension provides a page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, JavaScript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8. | 2025-12-02 | 7.7 | CVE-2025-66468 | https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042 |
| ajitdas--Flex QR Code Generator | The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-06 | 9.8 | CVE-2025-12673 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d71404e-0db8-485b-a626-5e0df2076c05?source=cve https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L457 https://ryankozak.com/posts/cve-2025-12673/ https://github.com/d0n601/CVE-2025-12673 |
| Akamai--Guardicore Platform Agent | The GC-AGENTS-SERVICE running as part of Akamai's Guardicore Platform Agent for Windows versions prior to v49.20.1, v50.15.0, v51.12.0, v52.2.0 is affected by a local privilege escalation vulnerability. The service will attempt to read an OpenSSL configuration file from a non-existent location that standard Windows users have default write access to. This allows an unprivileged local user to create a crafted "openssl.cnf" file in that location and, by specifying the path to a custom DLL file in a custom OpenSSL engine definition, execute arbitrary commands with the privileges of the Guardicore Agent process. Since Guardicore Agent runs with SYSTEM privileges, this permits an unprivileged user to fully elevate privileges to SYSTEM level in this manner. | 2025-12-03 | 7.8 | CVE-2025-53841 | https://www.tuv.com/landingpage/en/vulnerability-disclosure/ https://techdocs.akamai.com/guardicore-platform-agent/changelog https://community.akamai.com/customers/s/article/Windows-Agent-Vulnerability-Summary-and-Resolution |
| Argus Technology Inc.--BILGER | Insertion of Sensitive Information Into Sent Data vulnerability in Argus Technology Inc. BILGER allows Choosing Message Identifier. This issue affects BILGER: before 2.4.9. | 2025-12-02 | 7.5 | CVE-2025-13295 | https://www.usom.gov.tr/bildirim/tr-25-0423 |
| Array Networks--ArrayOS AG | Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025. | 2025-12-05 | 7.2 | CVE-2025-66644 | https://www.jpcert.or.jp/at/2025/at250024.html https://x.com/ArraySupport/status/1921373397533032590 https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/ |
| auth0--node-jws | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1. | 2025-12-04 | 7.5 | CVE-2025-65945 | https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e |
| Avast--Antivirus | Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation. This issue affects Antivirus: from 25.1.981.6 before 25.3. | 2025-12-01 | 9 | CVE-2025-3500 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast--Antivirus | Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Antivirus: from 8.3.70.94 before 8.3.70.98. | 2025-12-01 | 9 | CVE-2025-8351 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast--Antivirus | Heap-based Buffer Overflow, Out-of-bounds Write vulnerability in Avast Antivirus on MacOS of a crafted Mach-O file may allow Local Execution of Code or Denial of Service of antivirus protection. This issue affects Antivirus: from 15.7 before 3.9.2025. | 2025-12-01 | 8.1 | CVE-2025-10101 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast--Antivirus | NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Antivirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash. This issue affects Antivirus: 16.0.0; Antivirus: 3.0.3. | 2025-12-01 | 7.5 | CVE-2025-7007 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| bacnet-stack--bacnet-stack | BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, the npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable. | 2025-12-05 | 7.5 | CVE-2025-66624 | https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48 |
| brainstormforce--Starter Templates AI-Powered Templates for Elementor & Gutenberg | The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-06 | 8.8 | CVE-2025-13065 | https://www.wordfence.com/threat-intel/vulnerabilities/id/439e4c99-8f34-4e66-9d86-c0cbb8cf6da0?source=cve https://plugins.trac.wordpress.org/changeset/3395498/astra-sites/tags/4.4.42/inc/lib/starter-templates-importer/importer/wxr-importer/st-wxr-importer.php |
| brainstormforce--SureMail SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers | The SureMail - SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save_file() function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. While the plugin attempts to protect this directory with an Apache .htaccess file to disable PHP execution, this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. This makes it possible for unauthenticated attackers to achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code granted they are exploiting a site running on an affected web server configuration. | 2025-12-02 | 8.1 | CVE-2025-13516 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3a20047-a325-4d29-a848-7ffa525d0bad?source=cve https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L231 https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L113 https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/admin/plugin.php#L407 https://cwe.mitre.org/data/definitions/434.html https://plugins.trac.wordpress.org/changeset/3403145/suremails/trunk?contextall=1&old=3389326&old_path=%2Fsuremails%2Ftrunk |
| Chanjet--CRM | A vulnerability was detected in Chanjet CRM up to 20251121. Affected is an unknown function of the file /tools/jxf_dump_table_demo.php. The manipulation of the argument gblOrgID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14189 | VDB-334609 \| Chanjet CRM jxf_dump_table_demo.php sql injection VDB-334609 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699133 \| chanjet CRM V1.0 SQL Injection https://github.com/hacker-routing/cve/issues/2 https://github.com/hacker-routing/cve/issues/2#issue-3646348225 |
| Chanjet--TPlus | A flaw has been found in Chanjet TPlus up to 20251121. Affected by this vulnerability is an unknown functionality of the file /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load. This manipulation of the argument currentAccId causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14190 | VDB-334610 \| Chanjet TPlus sql injection VDB-334610 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699144 \| Chanjet Chanjet T+ V1.0 SQL Injection https://github.com/hacker-routing/Changjetong-T-/issues/1 https://github.com/hacker-routing/Changjetong-T-/issues/1#issue-3646765351 |
| coder--coder | Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4. | 2025-12-03 | 7.8 | CVE-2025-66411 | https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74 https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289 https://github.com/coder/coder/releases/tag/v2.26.5 https://github.com/coder/coder/releases/tag/v2.27.7 https://github.com/coder/coder/releases/tag/v2.28.4 |
| CODESYS--CODESYS Control RTE (SL) | An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition. | 2025-12-01 | 7.5 | CVE-2025-41738 | https://certvde.com/de/advisories/VDE-2025-100 |
| CODESYS--CODESYS Development System | An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context. | 2025-12-01 | 7.8 | CVE-2025-41700 | https://certvde.com/de/advisories/VDE-2025-101 |
| codisto--Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration Powered by Codisto | The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration - Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versions up to, and including, 1.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-04 | 7.2 | CVE-2025-11727 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4e3b796-af9a-4403-8d9a-1b56d7253b45?source=cve https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L2101 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3063 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3248 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L2117 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3249 |
| contentstudio--ContentStudio | The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12181 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b92b0a4-7ebf-43b3-837b-ad710e5e35ff?source=cve https://wordpress.org/plugins/contentstudio/ |
| Dell--CloudBoost Virtual Appliance | Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2025-12-05 | 7 | CVE-2025-46603 | https://www.dell.com/support/kbdoc/en-us/000397417/dsa-2025-387-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities |
| DesignThemes--DesignThemes LMS | The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-12-02 | 9.8 | CVE-2025-13542 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve https://themeforest.net/item/egrad-education-wordpress-theme/42803015 |
| dripadmin--CRM Memberships | The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability. | 2025-12-05 | 9.8 | CVE-2025-13313 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e2837399-c44f-494e-bdc6-f9c6e4e2dc11?source=cve https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/ntzcrm-memberships.php#L42 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L12 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L63 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L795 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-dbquery.php#L287 |
| e4jvikwp--VikRentCar Car Rental Management System | The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-02 | 7.5 | CVE-2025-13724 | https://www.wordfence.com/threat-intel/vulnerabilities/id/724a2da0-e4e7-4868-a1ad-fce69a915981?source=cve https://plugins.trac.wordpress.org/browser/vikrentcar/trunk/admin/views/overv/view.html.php#L195 https://plugins.trac.wordpress.org/browser/vikrentcar/tags/1.4.4/admin/views/overv/view.html.php#L195 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403439%40vikrentcar&new=3403439%40vikrentcar&sfp_email=&sfph_mail= |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2. | 2025-12-01 | 7.1 | CVE-2025-66205 | https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9 https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66295 | https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav's Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66296 | https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66299 | https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low-privilege user account with page editing privilege can read any server files using the "Frontmatter" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store the hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.5 | CVE-2025-66300 | https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions. | 2025-12-05 | 7.7 | CVE-2024-9183 | GitLab Issue #494478 HackerOne Bug Bounty Report #2707421 |
| H3C--Magic B0 | A weakness has been identified in H3C Magic B0 up to 100R002. This impacts the function EditWlanMacList of the file /goform/aspForm. This manipulation of the argument param causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 8.8 | CVE-2025-14015 | VDB-334256 \| H3C Magic B0 aspForm EditWlanMacList buffer overflow VDB-334256 \| CTI Indicators (IOB, IOC, IOA) Submit #694755 \| New H3C Technologies Co., Ltd. Magic Bo Magic B0<=100R002 Buffer Overflow https://github.com/HungryGoogle/log_attack/blob/main/index2/2.md |
| H3C--Magic B1 | A weakness has been identified in H3C Magic B1 up to 100R004. The affected element is the function sub_44de0 of the file /goform/aspForm. This manipulation of the argument param causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 8.8 | CVE-2025-14196 | VDB-334616 \| H3C Magic B1 aspForm sub_44de0 buffer overflow VDB-334616 \| CTI Indicators (IOB, IOC, IOA) Submit #699387 \| H3C Magic B1 ≤100R004 Buffer Overflow https://github.com/lin-3-start/lin-cve/blob/main/H3C%20Magic%20B1/H3C%20Magic%20B1.md https://github.com/lin-3-start/lin-cve/blob/main/H3C%20Magic%20B1/H3C%20Magic%20B1.md#poc |
| hwk-fr--Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | 2025-12-03 | 9.8 | CVE-2025-13486 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve https://plugins.trac.wordpress.org/changeset/3400134/acf-extended |
| IBM--Informix Dynamic Server | IBM Informix Dynamic Server 14.10 could allow a local user on the system to log into the Informix server as administrator without a password. | 2025-12-02 | 8.4 | CVE-2024-45675 | https://www.ibm.com/support/pages/node/7252704 |
| kapilduraphe--mcp-watch | MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL. | 2025-12-01 | 9.8 | CVE-2025-66401 | https://github.com/kapilduraphe/mcp-watch/security/advisories/GHSA-27m7-ffhq-jqrm https://github.com/kapilduraphe/mcp-watch/commit/e7da78c5b4b960f8b66c254059ad9ebc544a91a6 |
| kraftplugins--Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-13066 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers |
| Linksys--RE6500 | A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function AP_get_wireless_clientlist_setClientsName of the file mod_form.so. Performing manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14133 | VDB-334522 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wireless_clientlist_setClientsName stack-based overflow VDB-334522 \| CTI Indicators (IOB, IOC, IOA) Submit #697980 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_62/62.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_62/62.md#poc https://www.linksys.com/ |
| Linksys--RE6500 | A vulnerability was determined in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function RE2000v2Repeater_get_wireless_clientlist_setClientsName of the file mod_form.so. Executing manipulation of the argument clientsname_0 can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14134 | VDB-334523 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow VDB-334523 \| CTI Indicators (IOB, IOC, IOA) Submit #697981 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_63/63.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_63/63.md#poc https://www.linksys.com/ |
| Linksys--RE6500 | A vulnerability was identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function AP_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14135 | VDB-334524 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wired_clientlist_setClientsName stack-based overflow VDB-334524 \| CTI Indicators (IOB, IOC, IOA) Submit #697982 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md#poc https://www.linksys.com/ |
| Linksys--RE6500 | A security flaw has been discovered in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function RE2000v2Repeater_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14136 | VDB-334525 \| Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow VDB-334525 \| CTI Indicators (IOB, IOC, IOA) Submit #697983 \| Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_65/65.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_65/65.md#poc https://www.linksys.com/ |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | 2025-12-03 | 10 | CVE-2025-13390 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/ https://github.com/d0n601/CVE-2025-13390 https://ryankozak.com/posts/cve-2025-13390/ |
| MasaCMS--MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 9.8 | CVE-2024-32641 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6 |
| MasaCMS--MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, Masa CMS is vulnerable to host header poisoning, which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 8.8 | CVE-2024-32642 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8 https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960 |
| MasaCMS--MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 7.5 | CVE-2024-32643 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c |
| MAXHUB--Pivot client application | The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account. | 2025-12-04 | 7.5 | CVE-2025-53704 | https://www.maxhub.com/en/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-02.json |
| Medtronic--CareLink Network | Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 8.1 | CVE-2025-12995 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| Meta--react-server-dom-webpack | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. | 2025-12-03 | 10 | CVE-2025-55182 | https://www.facebook.com/security/advisories/cve-2025-55182 https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection. | 2025-12-02 | 8.3 | CVE-2025-61940 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures. | 2025-12-02 | 8.3 | CVE-2025-62575 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQLServer Express is used are exposed in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data. | 2025-12-02 | 8.4 | CVE-2025-64298 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions' installation directory paths by default have insecure file permissions, which in certain deployment scenarios can enable users on client workstations to modify the program executables and libraries. | 2025-12-02 | 8 | CVE-2025-64642 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database. | 2025-12-02 | 7.3 | CVE-2025-64778 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| moderntribe--Auto Thumbnailer | The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12154 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve https://wordpress.org/plugins/auto-thumbnailer/ |
| moxi159753--Mogu Blog v2 | A security flaw has been discovered in moxi159753 Mogu Blog v2 up to 5.2. Impacted is the function LocalFileServiceImpl.uploadPictureByUrl of the file /file/uploadPicsByUrl. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 7.3 | CVE-2025-13814 | VDB-333823 \| moxi159753 Mogu Blog v2 uploadPicsByUrl LocalFileServiceImpl.uploadPictureByUrl server-side request forgery VDB-333823 \| CTI Indicators (IOB, IOC, IOA) Submit #692105 \| moxi159753 mogu_blog_v2 <=v5.2 Server-Side Request Forgery (SSRF) https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md#proof-of-concept |
| n/a--ABRT daemon | A flaw was found in the ABRT daemon's handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges. | 2025-12-03 | 8.8 | CVE-2025-12744 | https://access.redhat.com/security/cve/CVE-2025-12744 RHBZ#2412467 |
| n/a--Blood Bank Management System | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63526 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63526.md |
| n/a--Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the remail and rpassword fields, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 10 | CVE-2025-63531 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63531.md |
| n/a--Blood Bank Management System 1.0 | An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php. | 2025-12-01 | 9.6 | CVE-2025-63525 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63525.md |
| n/a--Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 9.6 | CVE-2025-63532 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63532.md |
| n/a--Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 9.6 | CVE-2025-63535 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63535.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the hname, hemail, hpassword, hphone, hcity parameters, which are then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63527 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63527.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63528 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63528.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the rname, remail, rpassword, rphone, rcity parameters, which are then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63533 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63533.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the login.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg and error parameters, which are then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63534 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63534.md |
| n/a--MediaCrush | A vulnerability was identified in MediaCrush 1.0.0/1.0.1. The affected element is an unknown function of the file /mediacrush/paths.py of the component Header Handler. Such manipulation of the argument Host leads to improper neutralization of http headers for scripting syntax. The attack can be launched remotely. | 2025-12-01 | 7.3 | CVE-2025-13803 | VDB-333813 \| MediaCrush Header paths.py http headers for scripting syntax VDB-333813 \| CTI Indicators (IOB, IOC, IOA) Submit #691857 \| MediaCrush 1.0 Improper Neutralization of HTTP Headers for Scripting Syntax https://github.com/lakshayyverma/CVE-Discovery/blob/main/mediacrush.md |
| n/a--PgBouncer | Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage. | 2025-12-03 | 7.5 | CVE-2025-12819 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| NI--LabVIEW | There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files. This vulnerability existed in the NI System Web Server 2012 and prior versions. It was fixed in 2013. | 2025-12-04 | 7.5 | CVE-2025-12097 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/relative-path-traversal-vulnerability-in-ni-system-web-server.html |
| nutzam--NutzBoot | A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation of the argument from/to/wei leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-01 | 7.3 | CVE-2025-13806 | VDB-333816 \| nutzam NutzBoot Transaction API EthModule.java improper authorization VDB-333816 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692061 \| NutzBoot project (Nutz community) NutzBoot (Web3j starter + demo module) NutzBoot 2.6.0-SNAPSHOT Improper Access Control (Unauthenticated transaction API) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md#vulnerability-details-and-poc |
| NVIDIA--TAO | NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path. A successful exploit of this vulnerability may lead to escalation of privileges, data tampering, denial of service, information disclosure. | 2025-12-03 | 8.8 | CVE-2025-33208 | https://nvd.nist.gov/vuln/detail/CVE-2025-33208 https://www.cve.org/CVERecord?id=CVE-2025-33208 https://nvidia.custhelp.com/app/answers/detail/a_id/5730 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause an improper check for unusual or exceptional conditions issue by sending extra large payloads. A successful exploit of this vulnerability may lead to denial of service. | 2025-12-03 | 7.5 | CVE-2025-33201 | https://nvd.nist.gov/vuln/detail/CVE-2025-33201 https://www.cve.org/CVERecord?id=CVE-2025-33201 https://nvidia.custhelp.com/app/answers/detail/a_id/5734 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input. A successful exploit of this vulnerability may lead to denial of service. | 2025-12-03 | 7.5 | CVE-2025-33211 | https://nvd.nist.gov/vuln/detail/CVE-2025-33211 https://www.cve.org/CVERecord?id=CVE-2025-33211 https://nvidia.custhelp.com/app/answers/detail/a_id/5734 |
| open-webui--open-webui | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37. | 2025-12-04 | 8.5 | CVE-2025-65958 | https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685 https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774 |
| open-webui--open-webui | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF. This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. This vulnerability is fixed in 0.6.37. | 2025-12-04 | 8.7 | CVE-2025-65959 | https://github.com/open-webui/open-webui/security/advisories/GHSA-8wvc-869r-xfqf https://github.com/open-webui/open-webui/commit/03cc6ce8eb5c055115406e2304fbf7e3338b8dce |
| orionsec--orion-ops | A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/UserController.java of the component User Profile Handler. This manipulation of the argument ID causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 7.3 | CVE-2025-13808 | VDB-333818 \| orionsec orion-ops User Profile UserController.java update improper authorization VDB-333818 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692068 \| orionsec Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Improper Authorization / Horizontal Privilege Escalation https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-privilege-escalation-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-privilege-escalation-1/report.md#proof-of-concept |
| pickplugins--User Verification by PickPlugins | The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login - User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value. | 2025-12-05 | 9.8 | CVE-2025-12374 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php#L141 |
| Plesk--Plesk | WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management." | 2025-12-03 | 7.8 | CVE-2025-66431 | https://docs.plesk.com/release-notes/obsidian/whats-new/ https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074 https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-06 | 8.8 | CVE-2025-12966 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b03bca1-84e3-4220-b39b-69044c42e9f9?source=cve https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery/trunk/admin/import-export.php |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later. | 2025-12-03 | 7.1 | CVE-2025-66293 | https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f https://github.com/pnggroup/libpng/issues/764 https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1 https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a |
| RashminDungrani--online-banking | A vulnerability was found in RashminDungrani online-banking up to 2337ad552ea9d385b4e07b90e6f32d011b7c68a2. This affects an unknown part of the file /site/dist/auth_login.php. Performing manipulation of the argument Username results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14192 | VDB-334612 \| RashminDungrani online-banking auth_login.php sql injection VDB-334612 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699237 \| online-banking web 1 SQL Injection https://github.com/BrillBigbang/hole-gap/blob/main/online-banking-have-sql.docx |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling. | 2025-12-04 | 8.8 | CVE-2025-66287 | RHSA-2025:22789 RHSA-2025:22790 https://access.redhat.com/security/cve/CVE-2025-66287 RHBZ#2418857 https://webkitgtk.org/security/WSA-2025-0009.html |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser. | 2025-12-03 | 7.4 | CVE-2025-13947 | RHSA-2025:22789 RHSA-2025:22790 https://access.redhat.com/security/cve/CVE-2025-13947 RHBZ#2418576 |
| Red Hat--Red Hat JBoss Enterprise Application Platform 8 | A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack. | 2025-12-03 | 7.5 | CVE-2024-3884 | RHSA-2025:22773 RHSA-2025:22775 RHSA-2025:22777 RHSA-2025:3990 RHSA-2025:3992 https://access.redhat.com/security/cve/CVE-2024-3884 RHBZ#2275287 |
| rommapp--romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed, the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS), which, when combined with a CSRF misconfiguration, can lead to full administrative account takeover, creation of a rogue admin account, escalation of the attacker's account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | 7.6 | CVE-2025-65027 | https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx |
| rtowebsites--PostGallery | The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-04 | 8.8 | CVE-2025-13543 | https://www.wordfence.com/threat-intel/vulnerabilities/id/13348eb5-5001-4ec4-bc6a-44795bbed203?source=cve https://plugins.trac.wordpress.org/browser/postgallery/tags/1.12.5/admin/PostGalleryUploader.php |
| Samsung Mobile--MotionPhoto | Improper access control in MPRemoteService of MotionPhoto prior to version 4.1.51 allows local attackers to start privileged service. | 2025-12-02 | 7.3 | CVE-2025-58481 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--MotionPhoto | Improper access control in MPLocalService of MotionPhoto prior to version 4.1.51 allows local attackers to start privileged service. | 2025-12-02 | 7.3 | CVE-2025-58482 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms. | 2025-12-03 | 9.8 | CVE-2025-13342 | https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3?source=cve https://plugins.trac.wordpress.org/changeset/3400432/acf-frontend-form-element |
| sigstore--fulcio | Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3. | 2025-12-04 | 7.5 | CVE-2025-66506 | https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a |
| sigstore--timestamp-authority | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3. | 2025-12-04 | 7.5 | CVE-2025-66564 | https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2024-48882 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2119 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-48882---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-17-43_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2025-23417 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2139 https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-23417---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-16-19_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2025-26858 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2152 https://www.socomec.fr/sites/default/files/2025-10/CVE-2025-26858---Diris-Digiware-Mxx-Dxx-_VULNERABILITIES_2025-10-01-16-38-44_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. This vulnerability is specific to the malicious message sent via Modbus TCP over port 502. | 2025-12-01 | 8.6 | CVE-2025-55221 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. This vulnerability is specific to the malicious message sent via Modbus RTU over TCP on port 503. | 2025-12-01 | 8.6 | CVE-2025-55222 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 7.2 | CVE-2024-49572 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2118 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-49572---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-12-08_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A cross-site request forgery (CSRF) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability. | 2025-12-01 | 7.5 | CVE-2024-53684 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2116 https://www.socomec.fr/sites/default/files/2025-10/CVE-2024-53684---Diris-Digiware-Mxx-Dxx-_VULNERABILITIES_2025-10-01-16-43-14_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 7.2 | CVE-2025-20085 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2138 https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-20085---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-14-39_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus TCP messages to port 502 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54848 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 502 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54849 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54850 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 503 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54851 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--Easy Config System | An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability. | 2025-12-01 | 7.3 | CVE-2024-45370 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2117 https://www.socomec.fr/sites/default/files/2025-11/CVE-2024-45370---ECS-2610---CVSS31_VULNERABILITIES_2025-11-19-09-45-29_English_PLURI_3.pdf |
| Splunk--Splunk Enterprise | In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. | 2025-12-03 | 8 | CVE-2025-20386 | https://advisory.splunk.com/advisories/SVD-2025-1205 |
| Splunk--Splunk Enterprise | In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. | 2025-12-03 | 8 | CVE-2025-20387 | https://advisory.splunk.com/advisories/SVD-2025-1206 |
| Sprecher Automation--SPRECON-E-C | Sprecher Automation's SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 are vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance. | 2025-12-02 | 9.8 | CVE-2025-41742 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf |
| Sprecher Automation--SPRECON-E-C | Sprecher Automation's SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity. | 2025-12-02 | 9.1 | CVE-2025-41744 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf |
| stellarwp--Kadence WooCommerce Email Designer | The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 7.2 | CVE-2025-13387 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e0cf512-f676-4f47-abaa-5198998376b7?source=cve https://plugins.trac.wordpress.org/changeset/3399955/kadence-woocommerce-email-designer |
| strimzi--strimzi-kafka-operator | Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1. | 2025-12-05 | 7.4 | CVE-2025-66623 | https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-xrhh-hx36-485q https://github.com/strimzi/strimzi-kafka-operator/commit/c8a14935e99c91eb0dd865431f46515da9f82ccc |
| stylemix--Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable. | 2025-12-02 | 8.8 | CVE-2025-12529 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4154684d-3f9b-418f-b9d1-a5d22d4d84d3?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L513 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L262 |
| Sunbird--DCIM dcTrack | DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine. | 2025-12-04 | 7.2 | CVE-2025-66238 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json |
| Synology--BeeDrive for desktop | Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | 2025-12-04 | 7.8 | CVE-2025-54158 | Synology-SA-25:08 BeeDrive for desktop |
| Synology--BeeDrive for desktop | Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | 2025-12-04 | 7.5 | CVE-2025-54159 | Synology-SA-25:08 BeeDrive for desktop |
| Synology--BeeDrive for desktop | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | 2025-12-04 | 7.8 | CVE-2025-54160 | Synology-SA-25:08 BeeDrive for desktop |
| Synology--DiskStation Manager (DSM) | Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors. | 2025-12-04 | 9.6 | CVE-2024-45538 | Synology-SA-24:27 DSM |
| Synology--DiskStation Manager (DSM) | Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors. | 2025-12-04 | 7.5 | CVE-2024-45539 | Synology-SA-24:27 DSM |
| Synology--Synology Router Manager (SRM) | A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages. | 2025-12-04 | 7.2 | CVE-2025-29846 | Synology-SA-25:04 SRM |
| Syslifters--sysreptor | SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102. | 2025-12-04 | 7.3 | CVE-2025-66561 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-64vw-v5c4-mgvm |
| ThinkInAIXYZ--deepchat | DeepChat is a smart assistant that uses artificial intelligence. In 0.5.0 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server. | 2025-12-03 | 9.7 | CVE-2025-66222 | https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7 |
| TOZED--ZLT M30S | A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14126 | VDB-334521 \| TOZED ZLT M30S/ZLT M30S PRO Web hard-coded credentials VDB-334521 \| CTI Indicators (IOB, IOC, TTP) Submit #697498 \| ZLT M30S & M30S PRO MTNNGRM30S_1.47, M30SPRO_3.09.06 (Other versions might be vulnerable) Backdoor Credentials https://youtu.be/o8rfjSlpRxY |
| TrippWasTaken--PHP-Guitar-Shop | A weakness has been identified in TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555. This vulnerability affects unknown code of the file /product.php of the component Product Details Page. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 7.3 | CVE-2025-14091 | VDB-334481 \| TrippWasTaken PHP-Guitar-Shop Product Details product.php sql injection VDB-334481 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696514 \| PHP-Guitar-Shop web 1 SQL Injection https://github.com/appaxv/report/blob/main/guitarshopsql.docx |
| trustindex--Widgets for Google Reviews | The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, granted they can add a malicious review to a Google Place that is connected to the vulnerable site. | 2025-12-06 | 7.2 | CVE-2025-12510 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7adf3335-ed13-43f4-a5f3-05e89be44d2d?source=cve https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5932 https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5907 https://plugins.trac.wordpress.org/changeset/3399469/wp-reviews-plugin-for-google/trunk/trustindex-plugin.class.php?old=3398822&old_path=wp-reviews-plugin-for-google%2Ftrunk%2Ftrustindex-plugin.class.php |
| tsaiid--Featured Image via URL | The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12153 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9687a88f-ac5b-4746-a68c-91c358b5fb87?source=cve https://wordpress.org/plugins/featured-image-via-url/ |
| Ubuntu--MAAS | An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment. | 2025-12-03 | 7.7 | CVE-2025-7044 | https://bugs.launchpad.net/maas/+bug/2115714 |
| UGREEN--DH2100+ | A weakness has been identified in UGREEN DH2100+ up to 5.3.0.251125. This affects the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. Executing manipulation of the argument path can lead to buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.2 | CVE-2025-14187 | VDB-334607 \| UGREEN DH2100+ nas_svr create handler_file_backup_create buffer overflow VDB-334607 \| CTI Indicators (IOB, IOC, IOA) Submit #698652 \| UGREEN DH2100+ NAS V4.2.0.601 Buffer Overflow https://www.notion.so/2b16cf4e528a80bbb5fdeff145f110ec |
| UGREEN--DH2100+ | A security vulnerability has been detected in UGREEN DH2100+ up to 5.3.0.251125. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.2 | CVE-2025-14188 | VDB-334608 \| UGREEN DH2100+ nas_svr create handler_file_backup_create command injection VDB-334608 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698833 \| UGREEN DH2100+ NAS V4.2.0.601 Remote Command Execution https://www.notion.so/25e2b76e8e0c80578014fff04a950576 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-11131 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-11132 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-11133 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In dpc modem, there is a possible system crash due to null pointer dereference. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-3012 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61607 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61608 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61609 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61610 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61617 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61618 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2025-12-01 | 7.5 | CVE-2025-61619 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| UTT--进取 512W | A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. Affected by this issue is the function strcpy of the file /goform/formP2PLimitConfig. Such manipulation of the argument except leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 8.8 | CVE-2025-14191 | VDB-334611 \| UTT 进取 512W formP2PLimitConfig strcpy buffer overflow VDB-334611 \| CTI Indicators (IOB, IOC, IOA) Submit #699220 \| UTT艾泰 进取 512W Router <=v3v1.7.7-171114 Buffer Overflow https://github.com/DavCloudz/cve/blob/main/UTT/512W/UTT%20512W%20Buffer%20Overflow%20Vulnerability.md https://github.com/DavCloudz/cve/blob/main/UTT/512W/UTT%20512W%20Buffer%20Overflow%20Vulnerability.md#poc |
| UTT--进取 520W | A flaw has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formArpBindConfig. Executing manipulation of the argument pools can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14141 | VDB-334529 \| UTT 进取 520W formArpBindConfig strcpy buffer overflow VDB-334529 \| CTI Indicators (IOB, IOC, IOA) Submit #698522 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/13.md https://github.com/cymiao1978/cve/blob/main/new/13.md#poc |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947. | 2025-12-02 | 7.8 | CVE-2025-66476 | https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834 https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25 https://github.com/vim/vim/releases/tag/v9.1.1947 |
| vinoth06--User Generator and Importer | The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CSV File" function. This makes it possible for unauthenticated attackers to elevate user privileges by creating arbitrary accounts with administrator privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 8.8 | CVE-2025-12879 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82699a17-ea45-4493-98c4-07f62ca0b1f9?source=cve https://plugins.trac.wordpress.org/browser/user-importer-and-generator/tags/1.2.2/user-generator.php#L145 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend's code on the victim host. This vulnerability is fixed in 0.11.1. | 2025-12-01 | 7.1 | CVE-2025-66448 | https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm https://github.com/vllm-project/vllm/pull/28126 https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86 |
| widgetpack--Rich Shortcodes for Google Reviews | The Rich Shortcodes for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contents of a Google Review in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in version 6.6.2. | 2025-12-06 | 7.2 | CVE-2025-12499 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e2960224-4446-4fc6-8d18-6f9911b4cbad?source=cve https://plugins.trac.wordpress.org/changeset/3411521/widget-google-reviews https://plugins.trac.wordpress.org/changeset/3389203/widget-google-reviews |
| wpchill--Image Gallery Photo Grid & Video Gallery | The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-12-03 | 7.2 | CVE-2025-13645 | https://www.wordfence.com/threat-intel/vulnerabilities/id/080683bb-713f-4aa8-b635-90c96f358bec?source=cve https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1025 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1119 https://plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallery#file5 https://github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7 https://plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallery |
| wpchill--Image Gallery Photo Grid & Video Gallery | The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible. | 2025-12-03 | 7.5 | CVE-2025-13646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59ee0ca2-846d-4ae8-ad19-7c3826861aeb?source=cve https://github.com/WPChill/modula-lite/blob/master/includes/admin/class-modula-gallery-upload.php#L1103 https://plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallery#file5 https://github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7 https://plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallery |
| wphocus--My auctions allegro | The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | 2025-12-05 | 8.1 | CVE-2025-12851 | https://www.wordfence.com/threat-intel/vulnerabilities/id/202a8493-6df0-4a5e-b6bf-099219830e01?source=cve https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition |
| wphocus--My auctions allegro | The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the 'auction_id' parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-05 | 7.5 | CVE-2025-12850 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc4883b8-5783-49ff-ab3b-c568c9923227?source=cve https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition |
| wpkube--Cool Tag Cloud | The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cool_tag_cloud' shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 8.1 | CVE-2025-13614 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eac56190-4f81-464d-9737-ae2e3d4b0d0d?source=cve http://plugins.trac.wordpress.org/browser/cool-tag-cloud/trunk/cool-tag-cloud.php?marks=798-799#L682 |
| xwikisas--xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1. | 2025-12-05 | 8.3 | CVE-2025-65036 | https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0. | 2025-12-05 | 10 | CVE-2025-66570 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xm2j-vfr9-mg9m https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff |
| ZDoom--gzdoom | GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution. | 2025-12-03 | 7.8 | CVE-2025-54065 | https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg |
| ZSPACE--Q2C NAS | A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14106 | VDB-334488 \| ZSPACE Q2C NAS HTTP POST Request close zfilev2_api.CloseSafe command injection VDB-334488 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697141 \| ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a80bab847dcc1fb677590 |
| ZSPACE--Q2C NAS | A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14107 | VDB-334489 \| ZSPACE Q2C NAS HTTP POST Request status zfilev2_api.SafeStatus command injection VDB-334489 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697143 \| ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a8001935bcdd9e77f1ebc |
| ZSPACE--Q2C NAS | A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14108 | VDB-334490 \| ZSPACE Q2C NAS HTTP POST Request open zfilev2_api.OpenSafe command injection VDB-334490 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697144 \| ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a80258f60fa529c48d291 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| adreastrian--WP Social Ninja Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) | The WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page. | 2025-12-02 | 6.1 | CVE-2025-13007 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16c9ed4a-9e9f-4f10-b3fd-7f0db2c86112?source=cve https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Platforms/Reviews/GoogleMyBusiness.php#L308 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Views/public/reviews-templates/elements/review-content.php#L7 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Helper.php#L19 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397264%40wp-social-reviews%2Ftrunk&old=3392979%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3400414%40wp-social-reviews%2Ftrunk&old=3397264%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail= |
| ADSLR--B-QE2W401 | A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Performing manipulation of the argument del_swifimac results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13797 | VDB-333808 \| ADSLR B-QE2W401 send_order.cgi parameterdel_swifimac command injection VDB-333808 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691838 \| Adslr B-QE2W401 250814-r037c Remote code execution https://www.notion.so/2a60c75766a88027a6aec07b378332a8 |
| ADSLR--NBR1005GPEV2 | A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Executing manipulation of the argument mac can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13798 | VDB-333809 \| ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_add command injection VDB-333809 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691841 \| Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a60c75766a8805a8973d2ff6a6bcb26 |
| ADSLR--NBR1005GPEV2 | A vulnerability has been found in ADSLR NBR1005GPEV2 250814-r037c. This vulnerability affects the function ap_macfilter_del of the file /send_order.cgi. The manipulation of the argument mac leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13799 | VDB-333810 \| ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_del command injection VDB-333810 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691842 \| Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a60c75766a8801e8e4bdd3be8072d9d |
| ADSLR--NBR1005GPEV2 | A vulnerability was found in ADSLR NBR1005GPEV2 250814-r037c. This issue affects the function set_mesh_disconnect of the file /send_order.cgi. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13800 | VDB-333811 \| ADSLR NBR1005GPEV2 send_order.cgi set_mesh_disconnect command injection VDB-333811 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691942 \| Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a70c75766a88023aa0ed833ff0239e1 |
| alexkar--ARK Related Posts | The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb53a80-89e5-4d8c-a1ba-c272196a3340?source=cve https://plugins.trac.wordpress.org/browser/ark-relatedpost/trunk/ark-relatedpost.php#L109 https://plugins.trac.wordpress.org/browser/ark-relatedpost/tags/2.19/ark-relatedpost.php#L109 |
| AMTT--Hotel Broadband Operation System | A security flaw has been discovered in AMTT Hotel Broadband Operation System 1.0. This affects an unknown part of the file /manager/card/cardmake_down.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14090 | VDB-334480 \| AMTT Hotel Broadband Operation System cardmake_down.php sql injection VDB-334480 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696460 \| Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection https://github.com/CHENZHUANGLIN/cve/issues/2 |
| anastis--CSSIgniter Shortcodes | The CSSIgniter Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' shortcode attribute in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-03 | 6.4 | CVE-2025-13448 | https://www.wordfence.com/threat-intel/vulnerabilities/id/288419ad-fbb2-4a4a-8a40-89ae024e068d?source=cve https://plugins.trac.wordpress.org/browser/cssigniter-shortcodes/trunk/ci-shortcodes.php#L117 https://plugins.trac.wordpress.org/browser/cssigniter-shortcodes/tags/2.4.1/ci-shortcodes.php#L117 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3408092%40cssigniter-shortcodes&new=3408092%40cssigniter-shortcodes&sfp_email=&sfph_mail= |
| apptainer--apptainer | Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little-used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. AppArmor is enabled by default on Debian-based distributions and SELinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5. | 2025-12-02 | 4.5 | CVE-2025-65105 | https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87 https://github.com/apptainer/apptainer/pull/3226 https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981 https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2 |
| ArcadeAI--arcade-mcp | Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints, including tool enumeration and tool invocation, without credentials. This vulnerability is fixed in 1.5.4. | 2025-12-02 | 6.5 | CVE-2025-66454 | https://github.com/ArcadeAI/arcade-mcp/security/advisories/GHSA-g2jx-37x6-6438 https://github.com/ArcadeAI/arcade-mcp/pull/691 https://github.com/ArcadeAI/arcade-mcp/commit/44660d18ceb220600401303df860a31ca766c817 |
| arnabkumar--Cute News Ticker | The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13656 | https://www.wordfence.com/threat-intel/vulnerabilities/id/92f53507-4475-401b-b57c-f6652a868be9?source=cve https://wordpress.org/plugins/cute-news-ticker/ https://plugins.trac.wordpress.org/browser/cute-news-ticker/trunk/main-function.php#L60 https://plugins.trac.wordpress.org/browser/cute-news-ticker/tags/1.0/main-function.php#L60 |
| ays-pro--Photo Gallery by Ays Responsive Image Gallery | The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-12-02 | 4.3 | CVE-2025-13685 | https://www.wordfence.com/threat-intel/vulnerabilities/id/42a14820-710d-4149-9a8d-aa84479f0980?source=cve https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060 https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/tags/6.4.7/includes/lists/class-gallery-photo-gallery-list-table.php#L1060 https://plugins.trac.wordpress.org/changeset/3404625/gallery-photo-gallery/tags/6.4.9/includes/lists/class-gallery-photo-gallery-list-table.php?old=3402336&old_path=gallery-photo-gallery%2Ftags%2F6.4.8%2Fincludes%2Flists%2Fclass-gallery-photo-gallery-list-table.php |
| beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide. | 2025-12-02 | 4.3 | CVE-2025-11726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b?source=cve https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L53 https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L252 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406987%40beaver-builder-lite-version&new=3406987%40beaver-builder-lite-version&sfp_email=&sfph_mail= |
| beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages. | 2025-12-04 | 4.3 | CVE-2025-12782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/710ed734-ca98-4ab3-82d5-359e683ee062?source=cve https://plugins.trac.wordpress.org/changeset/3406987/beaver-builder-lite-version |
| bigmaster--Payaza | The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses. | 2025-12-05 | 5.3 | CVE-2025-12355 | https://www.wordfence.com/threat-intel/vulnerabilities/id/acc88688-76e0-4477-8b7c-eeff541881ab?source=cve https://wordpress.org/plugins/payaza/ |
| breadbutter--Bread & Butter: Gate content & Improve lead conversion in 60 seconds | The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12189 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb280004-e0ba-44c8-a205-8fec30900d86?source=cve https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Ajax.php#L411 https://github.com/d0n601/CVE-2025-12189 https://ryankozak.com/posts/cve-2025-12189/ |
| cgrymala--List Attachments Shortcode | The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_list' parameter in the [list-attachments] shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-12717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a67b4ec2-b337-478f-aaaa-2ce19c4deb4c?source=cve https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L47 https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L85 |
| CKSource--CKFinder | In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided. | 2025-12-05 | 5 | CVE-2016-20023 | https://download.cksource.com/CKFinder/CKFinder%20for%20ASP.NET/2.5.0.1/ |
| code-projects--Employee Profile Management System | A vulnerability was determined in code-projects Employee Profile Management System 1.0. This vulnerability affects unknown code of the file /view_personnel.php. Executing manipulation of the argument per_id can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-07 | 6.3 | CVE-2025-14193 | VDB-334613 \| code-projects Employee Profile Management System view_personnel.php sql injection VDB-334613 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699245 \| code-projects Employee Profile Management System published November 15, 2025 SQL Injection https://github.com/shenxianyuguitian/employee-management-SQL https://code-projects.org/ |
| code-projects--Employee Profile Management System | A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-07 | 6.3 | CVE-2025-14195 | VDB-334615 \| code-projects Employee Profile Management System add_file_query.php unrestricted upload VDB-334615 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699247 \| code-projects Employee Profile Management System published November 15, 2025 Unrestricted Upload https://github.com/shenxianyuguitian/employee-management-UFU https://code-projects.org/ |
| code-projects--Question Paper Generator | A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. This manipulation of the argument subid causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2025-12-07 | 6.3 | CVE-2025-14203 | VDB-334646 \| code-projects Question Paper Generator selectquestionuser.php sql injection VDB-334646 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700153 \| code-projects Question Paper 1.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL17.md https://code-projects.org/ |
| codeconfig--CodeConfig Accessibility | The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action. | 2025-12-06 | 5.3 | CVE-2025-13358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe324d4d-eb52-4eeb-ad91-072a6e84d9ba?source=cve https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax/Settings.php#L96 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L96 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax.php#L24 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L24 |
| codeconfig--CodeConfig Accessibility | The Accessiy By CodeConfig Accessibility - Easy One-Click Accessibility Toolbar That Truly Matters plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers with subscriber-level access and above to modify the plugin's global accessibility settings. | 2025-12-06 | 4.3 | CVE-2025-13309 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3344e72-1dd6-45ec-b699-d755589a1566?source=cve https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L23 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L19 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Enqueue.php#L135 |
| codejunkie--Clik stats | The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-04 | 6.1 | CVE-2025-13513 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a047313-fdbc-47fa-912a-a624033bbce1?source=cve https://plugins.trac.wordpress.org/browser/clikstats/trunk/ck_admin.php#L47 https://plugins.trac.wordpress.org/browser/clikstats/tags/0.8/ck_admin.php#L47 |
| CODESYS--CODESYS PLCHandler | An unauthenticated remote attacker, who beats a race condition, can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a denial of service. | 2025-12-01 | 5.9 | CVE-2025-41739 | https://certvde.com/de/advisories/VDE-2025-099 |
| contentstudio--ContentStudio | The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/047fd07c-ab07-49bf-8a94-8ae33c92f93e?source=cve https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.3.7/contentstudio-plugin.php#L380 https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.3.7/contentstudio-plugin.php#L383 |
| d3395--CryptX | The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `cryptx` shortcode in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13739 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2f8cb7d7-eb40-403e-85de-c16200ee424d?source=cve https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L149 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L237 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L604 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L1295 |
| danrajkumar--Nouri.sh Newsletter | The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13515 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f0587e-1f84-472c-8fb7-13ddda63e2ec?source=cve https://plugins.trac.wordpress.org/browser/newsletters-from-rss-to-email-newsletters-using-nourish/trunk/templates/options.phtml#L7 https://plugins.trac.wordpress.org/browser/newsletters-from-rss-to-email-newsletters-using-nourish/tags/v1.0.13/templates/options.phtml#L7 |
| Datateam Information Technologies Inc.--Datactive | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Datateam Information Technologies Inc. Datactive allows Stored XSS. This issue affects Datactive: from 2.13.34 before 2.14.0.6. | 2025-12-02 | 4.8 | CVE-2025-13505 | https://www.usom.gov.tr/bildirim/tr-25-0424 |
| dayrui--XunRuiCMS | A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing manipulation results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14004 | VDB-334246 \| dayrui XunRuiCMS Email Setting admind45f74adbd95.php server-side request forgery VDB-334246 \| CTI Indicators (IOB, IOC, IOA) Submit #692907 \| Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Server-Side Request Forgery https://github.com/24-2021/vul/blob/main/xunruicms-email_test-SSRF/xunruicms-email_test-SSRF.md |
| dayrui--XunRuiCMS | A flaw has been found in dayrui XunRuiCMS up to 4.7.1. This vulnerability affects unknown code of the file admin79f2ec220c7e.php?c=api&m=test_site_domain of the component Project Domain Change Test. This manipulation of the argument v causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14008 | VDB-334250 \| dayrui XunRuiCMS Project Domain Change Test admin79f2ec220c7e.php server-side request forgery VDB-334250 \| CTI Indicators (IOB, IOC, IOA) Submit #692915 \| Sichuan Xunrui Cloud Software Development Co., Ltd x <=4.7.1 Server-Side Request Forgery https://github.com/24-2021/vul/blob/main/xunruicms-test_site_domain-SSRF/xunruicms-test_site_domain-SSRF.md |
| delabon--Live Sales Notification for Woocommerce Woomotiv | The Live Sales Notification for Woocommerce - Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13137 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19257e49-addb-4882-af5f-8de0d90a4a86?source=cve https://wordpress.org/plugins/woomotiv/ |
| devsoftbaltic--SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity | The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-02 | 4.3 | CVE-2025-13140 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d96ea1b-1763-4a54-bd67-ac29175e9e01?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/delete_survey.php#L12 https://plugins.trac.wordpress.org/changeset/3403869/surveyjs/trunk/ajax_handlers/delete_survey.php |
| dojodigital--Live CSS Preview | The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting. | 2025-12-05 | 4.3 | CVE-2025-12354 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3ebaadf6-5085-4f2d-a377-34e318351449?source=cve https://wordpress.org/plugins/live-css-preview/ |
| dripadmin--CRM Memberships | The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags and modify CRM configuration that should be restricted to administrators. | 2025-12-05 | 5.3 | CVE-2025-13312 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f61b9de5-5c37-4efb-ad1c-006e9fc05bc2?source=cve https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L828 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L14 |
| duddi--Image Optimizer by wps.sk | The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12190 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d321183a-f0ef-4b5b-855a-da95edb610b9?source=cve https://plugins.trac.wordpress.org/browser/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php https://plugins.svn.wordpress.org/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php |
| Edimax--BR-6478AC V3 | A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14092 | VDB-334482 \| Edimax BR-6478AC V3 formDebugDiagnosticRun sub_416898 os command injection VDB-334482 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696632 \| EDIMAX BR-6478AC V3 1.0.15 Remote command execution https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md |
| Edimax--BR-6478AC V3 | A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14093 | VDB-334483 \| Edimax BR-6478AC V3 formTracerouteDiagnosticRun sub_416990 os command injection VDB-334483 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696633 \| EDIMAX BR-6478AC V3 1.0.15 Remote command execution https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/2.md |
| Edimax--BR-6478AC V3 | A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14094 | VDB-334484 \| Edimax BR-6478AC V3 formSysCmd sub_44CCE4 os command injection VDB-334484 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696668 \| EDIMAX BR-6478AC V3 1.0.15 Remote command execution https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/3.md |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited "Reply Tickets" permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data. | 2025-12-02 | 6.3 | CVE-2025-13534 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3541794b-7c8a-42f8-9688-7f3dbbb08e58?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php#L9 https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.2/includes/class-crm-ajax-functions-two.php#L9 https://plugins.trac.wordpress.org/browser/stm-gallery/trunk/stmgallery_v.0.9.php#L121 |
| emaude--Canadian Nutrition Facts Label | The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-12715 | https://www.wordfence.com/threat-intel/vulnerabilities/id/950e5d04-1436-4886-8d36-fca38bd9414a?source=cve https://plugins.trac.wordpress.org/browser/canadian-nutrition-facts-label/tags/3.0/canadian-nutrition-facts-label.php#L557 |
| envoyproxy--envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives. | 2025-12-03 | 6.5 | CVE-2025-64527 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866 |
| envoyproxy--envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy's mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches. | 2025-12-03 | 5 | CVE-2025-66220 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p |
| error311--FileRise | FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, a stored cross-site scripting (XSS) vulnerability exists in the Filerise application due to improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content. When a malicious SVG containing inline JavaScript or event-based payloads is uploaded, it is later rendered directly in the browser whenever viewed within the application. Because SVGs are XML-based and allow scripting, they execute in the origin context of the application, enabling full stored XSS. This vulnerability is fixed in 2.2.3. | 2025-12-01 | 4.6 | CVE-2025-66403 | https://github.com/error311/FileRise/security/advisories/GHSA-qrcv-vjvf-fr29 https://github.com/error311/FileRise/commit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e |
| everestthemes--Everest Backup WordPress Cloud Backup, Migration, Restore & Cloning Plugin | The Everest Backup - WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress. | 2025-12-03 | 5.3 | CVE-2025-10304 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7d7c619-7dc0-47a5-a203-6df4dfa0158b?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400800%40everest-backup&new=3400800%40everest-backup&sfp_email=&sfph_mail= |
| Facebook--proxygen | Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory. | 2025-12-02 | 5.3 | CVE-2025-55181 | https://www.facebook.com/security/advisories/cve-2025-55181 https://github.com/facebook/proxygen/commit/17689399ef99b7c3d3a8b2b768b1dba1a4b72f8f |
| fit2cloud--Halo | A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 4.3 | CVE-2025-14117 | VDB-334494 \| fit2cloud Halo cross-site request forgery VDB-334494 \| CTI Indicators (IOB, IOC) Submit #697391 \| fit2cloud Halo 2.21.10 Cross-Site Request Forgery https://blksword.flowus.cn/ https://github.com/BlkSword/POC |
| floragunn--Search Guard FLX | In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges. | 2025-12-01 | 4.3 | CVE-2025-13653 | https://search-guard.com/cve-advisory/ https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_1 |
| Flux159--mcp-server-kubernetes | MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8. | 2025-12-03 | 6.4 | CVE-2025-66404 | https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg https://github.com/Flux159/mcp-server-kubernetes/commit/d091107ff92d9ffad1b3c295092f142d6578c48b |
| Fortra--GoAnywhere MFT | An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key. | 2025-12-05 | 4.2 | CVE-2025-8148 | https://www.fortra.com/security/advisories/product-security/fi-2025-013 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2. | 2025-12-01 | 6.8 | CVE-2025-66206 | https://github.com/frappe/frappe/security/advisories/GHSA-v4wg-gqfr-rpjm |
| garidium--g-FFL Cockpit | The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products. | 2025-12-06 | 5.3 | CVE-2025-12720 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3405974d-cf0a-4fef-9693-5d81833f42d6?source=cve https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-update-processor.php#L634 https://github.com/d0n601/CVE-2025-12720 https://ryankozak.com/posts/cve-2025-12720/ |
| garidium--g-FFL Cockpit | The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server. | 2025-12-06 | 5.3 | CVE-2025-12721 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2fd8c981-081c-4671-ad1e-3caf004669dd?source=cve https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-sync-endpoint.php#L1385 https://github.com/d0n601/CVE-2025-12721 https://ryankozak.com/posts/cve-2025-12721/ |
| georgestephanis--Application Passwords | The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the "No, I do not approve of this connection" button, granted they can successfully trick the victim into performing an action such as clicking on a link. | 2025-12-06 | 5.4 | CVE-2025-13308 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61 https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418 https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 6.8 | CVE-2025-66302 | https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 6.2 | CVE-2025-66304 | https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85 https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | 6.5 | CVE-2025-66307 | https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7 https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 4.9 | CVE-2025-66303 | https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997 https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 4.3 | CVE-2025-66306 | https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62 |
| HCL Software--BigFix SaaS Remediate | The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks. | 2025-12-02 | 5.4 | CVE-2025-52622 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127171 |
| helloprint--Plug your WooCommerce into the largest catalog of customized print products from Helloprint | The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID. | 2025-12-06 | 5.3 | CVE-2025-13666 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48 https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48 |
| Himool--ERP | A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14089 | VDB-334479 \| Himool ERP AdminActionViewSet update_account improper authorization VDB-334479 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696049 \| https://gitee.com/himool/erp Himool ERP 2.2 Missing Authentication for Critical Function https://github.com/caigo8/CVE-md/blob/main/BoxwoodERP/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.md |
| huyme--Webcake Landing Page Builder | The Webcake - Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings. | 2025-12-05 | 4.3 | CVE-2025-12165 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3bdeb2a1-ab97-45ff-808e-37e631d5e9cf?source=cve https://wordpress.org/plugins/webcake/ |
| instantsearchplus--Search, Filters & Merchandising for WooCommerce | The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcis_save_email' endpoint in all versions up to, and including, 3.0.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin. | 2025-12-06 | 4.3 | CVE-2025-12091 | https://www.wordfence.com/threat-intel/vulnerabilities/id/daa8f941-6e87-4b94-8526-f73770fe6f82?source=cve https://plugins.trac.wordpress.org/browser/instantsearch-for-woocommerce/tags/3.0.64/public/wcis_plugin.php#L1074 https://plugins.trac.wordpress.org/browser/instantsearch-for-woocommerce/trunk/public/wcis_plugin.php#L1074 |
| jairiidriss--RestaurantWebsite | A vulnerability was determined in jairiidriss RestaurantWebsite up to e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654. Impacted is an unknown function of the component Make a Reservation. This manipulation of the argument selected_date causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 4.3 | CVE-2025-13802 | VDB-333812 \| jairiidriss RestaurantWebsite Make a Reservation cross site scripting VDB-333812 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691839 \| restaurant-website-php-mysql-master web 1 XSS vulnerability https://github.com/dream357/report/blob/main/restaurant-website-report.docx |
| jevgenisultanov--Norby AI | The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc6f6e2-6777-4056-95d0-e3d3e7ad7a22?source=cve https://plugins.trac.wordpress.org/browser/norby-ai/trunk/api/save.php#L23 https://plugins.trac.wordpress.org/browser/norby-ai/tags/1.0.3/api/save.php#L23 |
| jiangxin--CoSign Single Signon | The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0bbeab52-59a9-4d8d-8e3e-ebcbbca9816b?source=cve https://plugins.trac.wordpress.org/browser/cosign-sso/trunk/cosign-sso.php#L423 https://plugins.trac.wordpress.org/browser/cosign-sso/tags/0.3.1/cosign-sso.php#L423 |
| jimmyredline80--SSP Debug | The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths. | 2025-12-05 | 5.3 | CVE-2025-13494 | https://www.wordfence.com/threat-intel/vulnerabilities/id/66f29499-1522-43cd-af78-9b734c66af8c?source=cve https://plugins.trac.wordpress.org/browser/ssp-debugging/trunk/ssp-debug.php#L221 https://plugins.trac.wordpress.org/browser/ssp-debugging/tags/1.0.0/ssp-debug.php#L221 |
| jsnjfz--WebStack-Guns | A vulnerability was determined in jsnjfz WebStack-Guns 1.0. This vulnerability affects unknown code of the file src/main/java/com/jsnjfz/manage/core/common/constant/factory/PageFactory.java. Executing manipulation of the argument sort can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13811 | VDB-333821 \| jsnjfz WebStack-Guns PageFactory.java sql injection VDB-333821 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692084 \| WebStack-Guns Project WebStack-Guns 1.0 SQL Injection https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-SQLInjection-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-SQLInjection-1/report.md#proof-of-concept |
| jsnjfz--WebStack-Guns | A vulnerability was found in jsnjfz WebStack-Guns 1.0. This affects the function renderPicture of the file src/main/java/com/jsnjfz/manage/modular/system/controller/KaptchaController.java. Performing manipulation results in path traversal. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 5.3 | CVE-2025-13810 | VDB-333820 \| jsnjfz WebStack-Guns KaptchaController.java renderPicture path traversal VDB-333820 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692080 \| WebStack-Guns Project (GitHub organization jsnjfz) WebStack-Guns 1.0 (latest master) Path Traversal / Arbitrary File Read (CWE-22) https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-PathTraversal-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-PathTraversal-1/report.md#proof-of-concept |
| kaushikankrani--Hide Categories Or Products On Shop Page | The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12128 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b649266a-6a9a-4d2e-9a82-2335e96bfe0d?source=cve https://wordpress.org/plugins/hide-categories-or-products-on-shop-page/ |
| KDE--KDE Connect information-exchange protocol | In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59. | 2025-12-05 | 4.3 | CVE-2025-32900 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-2.txt |
| KDE--KDE Connect protocol | The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49. | 2025-12-05 | 4.7 | CVE-2025-66270 | https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9 https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080 https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3 https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce https://kde.org/info/security/advisory-20251128-1.txt |
| KDE--KDE Connect verification-code protocol | The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59. | 2025-12-05 | 4.7 | CVE-2025-32898 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-3.txt |
| KDE--KDEConnect | In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP. | 2025-12-05 | 4.3 | CVE-2025-32899 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-1.txt |
| KDE--KDEConnect | In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. | 2025-12-05 | 4.3 | CVE-2025-32901 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-4.txt |
| ketr--JEPaaS | A vulnerability was determined in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is an unknown functionality of the file /je/load. This manipulation of the argument Authorization causes improper authorization. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-05 | 6.3 | CVE-2025-14088 | VDB-334478 \| ketr JEPaaS load improper authorization VDB-334478 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #695316 \| Beijing Kaite Weiye Science and Technology Co.,Ltd. JEPaaS JEPaaSV7.2.8 vertical privilege escalation vulnerability https://github.com/zhangbuneng/The-Jepaas-platform-has-a-vertical-privilege-escalation-vulnerability./issues/1 |
| kevindees--FitVids for WordPress | The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-12124 | https://www.wordfence.com/threat-intel/vulnerabilities/id/063a245d-bd9e-49ac-bdf0-549a25eba9fe?source=cve https://wordpress.org/plugins/fitvids-for-wordpress/ |
| krupenik--RevInsite | The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13863 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c52de26a-d52c-4b2e-8e51-731115d29bd0?source=cve https://plugins.trac.wordpress.org/browser/revinsite/trunk/revinsite.php#L25 https://plugins.trac.wordpress.org/browser/revinsite/tags/1.1.0/revinsite.php#L25 |
| ksakai--Yet Another WebClap for WordPress | The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13857 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca50e5e7-be46-40f1-9782-a72ca8ab7e9a?source=cve https://plugins.trac.wordpress.org/browser/yet-another-webclap-for-wordpress/trunk/yawebclap.php#L28 https://plugins.trac.wordpress.org/browser/yet-another-webclap-for-wordpress/tags/0.2/yawebclap.php#L28 |
| LINE Corporation--Central Dogma | Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft. | 2025-12-04 | 6.1 | CVE-2025-11222 | https://github.com/line/centraldogma/security/advisories/GHSA-4hr2-xf7w-jf76 |
| linkwhspr--Link Whisper Free | The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-11263 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0cbef8-223a-44c0-a07f-28de2670da99?source=cve https://plugins.trac.wordpress.org/changeset/3401477/link-whisper/trunk/core/Wpil/Report.php |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-02 | 4.9 | CVE-2025-13090 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fbf502-2dfb-49e5-94a6-1525aabc08c1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405484%40wpdirectorykit&new=3405484%40wpdirectorykit&sfp_email=&sfph_mail= |
| macrozheng--mall-swarm | A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 5.4 | CVE-2025-14016 | VDB-334257 \| macrozheng mall-swarm delete improper authorization VDB-334257 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #694797 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/17 |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. | 2025-12-01 | 4.3 | CVE-2025-12756 | https://mattermost.com/security-updates |
| Medtronic--CareLink Network | Medtronic CareLink Network allows an unauthenticated remote attacker to initiate a request for security questions to an API endpoint that could be used to determine a valid user account. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 5.3 | CVE-2025-12994 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| Medtronic--CareLink Network | Medtronic CareLink Network allows a local attacker with access to log files on an internal API server to view plaintext passwords from errors logged under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 4.1 | CVE-2025-12996 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| michael_j_reid--Weekly Planner | The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-12186 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1cd2d269-5af2-40ab-b424-505c95c56688?source=cve https://wordpress.org/plugins/weekly-planner/#description |
| michaelcole1991--Extra Post Images | The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13856 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5fbb963-f89d-4037-9456-8587bcf5d620?source=cve https://plugins.trac.wordpress.org/browser/extra-post-images/trunk/epi.php#L92 https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L92 https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L101 |
| Microsoft--Microsoft Edge (Chromium-based) | User interface (UI) misrepresentation of critical information in Microsoft Edge for iOS allows an unauthorized attacker to perform spoofing over a network. | 2025-12-05 | 4.3 | CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability |
| MiR--Robot | Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks. | 2025-12-01 | 6.1 | CVE-2025-13819 | https://mobile-industrial-robots.com/security-advisories/cve-2025-13819-open-redirect https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/ |
| missi--Jabbernotification | The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13622 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8e9a872d-575c-455c-8f26-709878817ae0?source=cve https://wordpress.org/plugins/jabberbenachrichtigung/ https://plugins.trac.wordpress.org/browser/jabberbenachrichtigung/tags/0.99-RC2/jabbernotification.php#L85 https://plugins.trac.wordpress.org/browser/jabberbenachrichtigung/trunk/jabbernotification.php#L85 |
| monkeyboz--Quantic Social Image Hover | The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13360 | https://www.wordfence.com/threat-intel/vulnerabilities/id/43a237fd-5d3a-47fb-bacf-ceb5eeaa8bbb?source=cve https://plugins.trac.wordpress.org/browser/tw-image-hover-share/trunk/tw-image-hover.php#L103 https://plugins.trac.wordpress.org/browser/tw-image-hover-share/tags/1.0.8/tw-image-hover.php#L103 |
| moxi159753--Mogu Blog v2 | A weakness has been identified in moxi159753 Mogu Blog v2 up to 5.2. The affected element is an unknown function of the file /file/pictures. This manipulation of the argument filedatas causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13815 | VDB-333824 \| moxi159753 Mogu Blog v2 pictures unrestricted upload VDB-333824 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692106 \| moxi159753 mogu_blog_v2 <=v5.2 Unrestricted Upload of File with Dangerous Type https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-unrestricted_upload-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-unrestricted_upload-1/report.md#proof-of-concept |
| moxi159753--Mogu Blog v2 | A security vulnerability has been detected in moxi159753 Mogu Blog v2 up to 5.2. The impacted element is the function FileOperation.unzip of the file /networkDisk/unzipFile of the component ZIP File Handler. Such manipulation of the argument fileUrl leads to path traversal. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13816 | VDB-333825 \| moxi159753 Mogu Blog v2 ZIP File unzipFile FileOperation.unzip path traversal VDB-333825 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692107 \| moxi159753 mogu_blog_v2 <=v5.2 Path Traversal / Zip Slip https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-zip_slip-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-zip_slip-1/report.md#proof-of-concept |
| moxi159753--Mogu Blog v2 | A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 5.6 | CVE-2025-13813 | VDB-333822 \| moxi159753 Mogu Blog v2 Storage Management Endpoint storage authorization VDB-333822 \| CTI Indicators (IOB, IOC, IOA) Submit #692104 \| moxi159753 mogu_blog_v2 <=v5.2 Broken Access Control / Missing Authorization https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-broken_access_control-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-broken_access_control-1/report.md#proof-of-concept |
| mrdenny--Time Sheets | The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-10055 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d8b57de-d02c-40c0-abdb-ff490bcf429e?source=cve https://wordpress.org/plugins/time-sheets/ |
| mxchat--MxChat AI Chatbot for WordPress | The MxChat - AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data. | 2025-12-03 | 5.3 | CVE-2025-12585 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cf1a90d-6157-40e7-aed8-4d18bc22432d?source=cve https://plugins.trac.wordpress.org/browser/mxchat-basic/trunk/includes/class-mxchat-integrator.php#L107 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406402%40mxchat-basic&new=3406402%40mxchat-basic&sfp_email=&sfph_mail= |
| n/a--Blood Bank Management System 1.0 | A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim's account. | 2025-12-01 | 6.1 | CVE-2025-63529 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63529.md |
| n/a--JIZHICMS | A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing manipulation of the argument aid/tid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14011 | VDB-334252 \| JIZHICMS Add Display Name Field addcomment.html commentlist sql injection VDB-334252 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #694644 \| Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection Submit #694645 \| Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection (Duplicate) https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-addcomment.html-aid%20parameter-SQL%20injection/jizhicms-addcomment.html-aid%20parameter-SQL%20injection.md |
| n/a--JIZHICMS | A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of the file /index.php/admins/Comment/deleteAll.html of the component Batch Delete Comments. Executing manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14012 | VDB-334253 \| JIZHICMS Batch Delete Comments deleteAll.html delete sql injection VDB-334253 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #694647 \| Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-deleteAll.html-data%20parameter-SQL%20injection/jizhicms%3DV2.5.5-deleteAll.html-data%20parameter-SQL%20injection.md |
| n/a--KerOS prior to 5.12 | Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services that would otherwise be protected. | 2025-12-01 | 5.3 | CVE-2024-32388 | https://www.bdosecurity.de/en-gb/advisories/cve-2024-32388 https://keros.docs.kerlink.com/security/security_advisories_kerOS5 |
| n/a--KerOS prior to version 5.10 | Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device. | 2025-12-01 | 6.8 | CVE-2024-32384 | https://keros.docs.kerlink.com/security/security_advisories_kerOS5 https://www.bdosecurity.de/en-gb/advisories/cve-2024-32384 |
| n/a--nocobase | A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 5.6 | CVE-2025-13877 | VDB-334033 \| nocobase JWT Service jwt-service.ts hard-coded key VDB-334033 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692205 \| https://github.com/nocobase https://github.com/nocobase/nocobase Latest Authorization Bypass https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d |
| natambu--Twitscription | The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13623 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8f6e7756-d8cc-4380-a93e-47d7916a5f7b?source=cve https://wordpress.org/plugins/twitscription/ https://plugins.trac.wordpress.org/browser/twitscription/tags/0.1.1/twitscription.php#L101 https://plugins.trac.wordpress.org/browser/twitscription/trunk/twitscription.php#L101 |
| nedwp--Feedback Modal for Website | The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or JSON format via the 'export_data' parameter. | 2025-12-05 | 5.3 | CVE-2025-13528 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3341c29-a69e-4618-a8a5-11f4141ff88f?source=cve https://plugins.trac.wordpress.org/browser/feedback-modal-for-website/trunk/inc/admin/main.php#L1011 https://plugins.trac.wordpress.org/browser/feedback-modal-for-website/tags/1.0.1/inc/admin/main.php#L1011 |
| Nextcloud--Nextcloud | Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis. | 2025-12-04 | 6.4 | CVE-2025-59788 | https://nextcloud.com https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/ https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24wp-p865-7j4r |
| nextcloud--security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3. | 2025-12-05 | 6.3 | CVE-2025-66551 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w787-vwqp-8wr7 https://github.com/nextcloud/tables/pull/1810 https://github.com/nextcloud/tables/commit/39f24a62fb41fd7a8bda65325f8bbafdc91c731c https://hackerone.com/reports/3137895 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page. | 2025-12-05 | 5.4 | CVE-2025-66512 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qcw2-p26m-9gc5 https://github.com/nextcloud/viewer/pull/3023 https://github.com/nextcloud/viewer/commit/5044a27d61bc40c0f134298d36af91f865335b63 https://hackerone.com/reports/3357808 |
| nextcloud--security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4. | 2025-12-05 | 5.7 | CVE-2025-66550 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv https://github.com/nextcloud/calendar/pull/6971 https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769 https://hackerone.com/reports/3112033 |
| nextcloud--security-advisories | Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2. | 2025-12-05 | 5.4 | CVE-2025-66557 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv https://github.com/nextcloud/deck/pull/7131 https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae https://hackerone.com/reports/3247499 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, the contacts search allowed retrieval of personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts. | 2025-12-05 | 4.5 | CVE-2025-66510 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59 https://github.com/nextcloud/server/pull/55657 https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57 |
| nextcloud--security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely randomly generated. This vulnerability is fixed in 6.0.3. | 2025-12-05 | 4.8 | CVE-2025-66511 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27 https://github.com/nextcloud/calendar/pull/7659 https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb https://hackerone.com/reports/3385434 |
| nextcloud--security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information about which table (numeric ID) is shared with which groups or users, and the respective permissions, was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1. | 2025-12-05 | 4.3 | CVE-2025-66513 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2cwj-qp49-4xfw https://github.com/nextcloud/tables/pull/2148 https://github.com/nextcloud/tables/commit/b92b9560b1e70a02b103a7aeb9e22e2ab5231873 https://hackerone.com/reports/3334165 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. | 2025-12-05 | 4.3 | CVE-2025-66547 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2 https://github.com/nextcloud/server/issues/51247 https://github.com/nextcloud/server/pull/51288 https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3d8a9 https://hackerone.com/reports/3040887 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1. | 2025-12-05 | 4.3 | CVE-2025-66552 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ww9m-f8j4-jj9x https://github.com/nextcloud/server/pull/50992 https://github.com/nextcloud/server/commit/7cc005c43c72bc384848cf8cb851895827c412f6 https://hackerone.com/reports/2890071 |
| nextcloud--security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4. | 2025-12-05 | 4.3 | CVE-2025-66553 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p53h-6294-crjw https://github.com/nextcloud/tables/pull/1891 https://github.com/nextcloud/tables/commit/e975f5bfedb6922f04cdd236cde4e26067fe064e https://hackerone.com/reports/3138721 |
| nutzam--NutzBoot | A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-01 | 4.3 | CVE-2025-13804 | VDB-333814 \| nutzam NutzBoot Ethereum Wallet EthModule.java information disclosure VDB-333814 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692050 \| NutzBoot project NutzBoot NutzBoot 2.6.0-SNAPSHOT Information Disclosure (Wallet password leakage) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-InfoLeak-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-InfoLeak-1/report.md#vulnerability-details-and-poc |
| omnipressteam--Omnipress | The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-12-05 | 6.4 | CVE-2025-12163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/15aabe3b-1b77-4e4e-9710-cf06924dbcbf?source=cve https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/RestApi/Controllers/V1/FileUploadRestController.php#L57 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/uploader/FileUploader.php#L85 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/uploader/FileUploader.php#L106 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/Core/RestControllersBase.php#L81 https://cwe.mitre.org/data/definitions/434.html https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload |
| opsre--go-ldap-admin | A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of hard-coded cryptographic key. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. | 2025-12-03 | 5.6 | CVE-2025-13948 | VDB-334163 \| opsre go-ldap-admin JWT docker-compose.yaml hard-coded key VDB-334163 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692213 \| https://github.com/opsre https://github.com/opsre/go-ldap-admin Latest Authorization Bypass https://gist.github.com/H2u8s/a51ac1fe38d62746d1425b70ff49420c |
| optimizingmatters--Autoptimize | The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-03 | 6.4 | CVE-2025-13401 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed5bdb3-c4cd-4982-bc47-feeff527e284?source=cve https://plugins.trac.wordpress.org/changeset/3401333/autoptimize |
| orionsec--orion-ops | A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineInfoController.java of the component SSH Connection Handler. Such manipulation of the argument host/sshPort/username/password/authType leads to server-side request forgery. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13809 | VDB-333819 \| orionsec orion-ops SSH Connection MachineInfoController.java server-side request forgery VDB-333819 \| CTI Indicators (IOB, IOC, IOA) Submit #692069 \| orionsec (project owner of Orion-ops) Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Server-Side Request Forgery (SSRF) https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-ssrf-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-ssrf-1/report.md#proof-of-concept |
| orionsec--orion-ops | A vulnerability was detected in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected is the function MachineKeyController of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java of the component API. The manipulation results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 4.3 | CVE-2025-13807 | VDB-333817 | orionsec orion-ops API MachineKeyController.java MachineKeyController improper authorization VDB-333817 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692066 | orionsec Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Improper Access Control / Information Disclosure (exposed machin https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md#proof-of-concept |
| ovologics--PDF Catalog for WooCommerce | The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 5.4 | CVE-2025-12191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5f5e33-e066-4a85-9367-4b8c2f948adf?source=cve https://wordpress.org/plugins/pdf-catalog-for-woocommerce/ |
| passionui--Listar Directory Listing & Classifieds WordPress Plugin | The Listar - Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | 2025-12-06 | 4.3 | CVE-2025-12574 | https://www.wordfence.com/threat-intel/vulnerabilities/id/33b98bee-7f33-4d49-96e1-9a1eafc92bb3?source=cve https://wordpress.org/plugins/listar-directory-listing/ |
| passionui--Listar Directory Listing & Classifieds WordPress Plugin | The Listar - Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details. | 2025-12-06 | 4.3 | CVE-2025-12577 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve https://wordpress.org/plugins/listar-directory-listing/ |
| paulepro2019--EPROLO Dropshipping | The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data. | 2025-12-05 | 4.3 | CVE-2025-12133 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a124da63-01a4-44d8-985b-cacef58ea9a3?source=cve https://wordpress.org/plugins/eprolo-dropshipping/ |
| PDF-XChange Co. Ltd--PDF-XChange Editor | An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information. | 2025-12-02 | 6.5 | CVE-2025-58113 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2280 |
| phegman--Trail Manager | The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-13682 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb43502e-dedd-46ff-b8e8-68298779f125?source=cve https://wordpress.org/plugins/trail-manager/ |
| pntrinh--TR Timthumb | The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13899 | https://www.wordfence.com/threat-intel/vulnerabilities/id/675bf571-eb8b-4c72-9852-b3a2b37b9a04?source=cve https://plugins.trac.wordpress.org/browser/tr-timthumb/trunk/inc/front.php#L39 https://plugins.trac.wordpress.org/browser/tr-timthumb/tags/1.0.4/inc/front.php#L39 |
| posimyththemes--Nexter Extension Site Enhancements Toolkit | The Nexter Extension - Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 6.4 | CVE-2025-13731 | https://www.wordfence.com/threat-intel/vulnerabilities/id/809cd97c-22ea-49e7-be46-688fefe50236?source=cve https://plugins.trac.wordpress.org/browser/nexter-extension/trunk/include/class-nexter-load-ext.php#L66 https://plugins.trac.wordpress.org/browser/nexter-extension/trunk/include/class-nexter-load-ext.php#L136 https://plugins.trac.wordpress.org/changeset?old=3402155&old_path=nexter-extension%2Ftags%2F4.4.1%2Finclude%2Fclass-nexter-load-ext.php&new=3403967&new_path=nexter-extension%2Ftags%2F4.4.2%2Finclude%2Fclass-nexter-load-ext.php |
| projectopia--Projectopia WordPress Project Management | The Projectopia - WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | 2025-12-05 | 5.3 | CVE-2025-12876 | https://www.wordfence.com/threat-intel/vulnerabilities/id/940c6a27-05a2-4eca-89ee-b483f88b9524?source=cve https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/general/general_functions.php#L389 |
| ProudMuBai--GoFilm | A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-03 | 6.3 | CVE-2025-13949 | VDB-334164 \| ProudMuBai GoFilm FileController.go SingleUpload unrestricted upload VDB-334164 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692774 \| GoFilm 1.0.1 Unrestricted Upload https://github.com/yzlala1147/cve/issues/1 |
| Rareprob--HD Video Player All Formats App | A security vulnerability has been detected in Rareprob HD Video Player All Formats App 12.1.372 on Android. Impacted is an unknown function of the component com.rocks.music.videoplayer. The manipulation leads to path traversal. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 5.3 | CVE-2025-13876 | VDB-334032 \| Rareprob HD Video Player All Formats App com.rocks.music.videoplayer path traversal VDB-334032 \| CTI Indicators (IOB, IOC, TTP) Submit #692169 \| RAREPROB SOLUTIONS PRIVATE LIMITED HD Video Player All Formats APP(com.rocks.music.videoplayer) V12.1.372 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/blob/main/HD%20Video%20Player%20All%20Formats/HD%20Video%20Player%20All%20Formats%20APP%20Arbitrary%20File%20Overwrite%20Vulnerability.md |
| Rarlab--RAR App | A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal. It is possible to launch the attack remotely. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.20 build 128 is able to mitigate this issue. You should upgrade the affected component. The vendor responded very professionally: "This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (...) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is RAR for Android only issue and WinRAR isn't affected." | 2025-12-05 | 5 | CVE-2025-14111 | VDB-334491 \| Rarlab RAR App com.rarlab.rar path traversal VDB-334491 \| CTI Indicators (IOB, IOC, TTP) Submit #697375 \| Rarlab RAR APP(com.rarlab.rar) <=V7.11.build127 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md |
| realloc--myLCO | The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13626 | https://www.wordfence.com/threat-intel/vulnerabilities/id/132efd40-1c90-4d2a-a87c-504526b7a7d4?source=cve https://wordpress.org/plugins/mylco https://plugins.trac.wordpress.org/browser/mylco/trunk/myLCO.php#L438 https://plugins.trac.wordpress.org/browser/mylco/tags/0.8.1/myLCO.php#L438 |
| realmag777--HUSKY Products Filter Professional for WooCommerce | The HUSKY - Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators. | 2025-12-03 | 4.3 | CVE-2025-13109 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9effc186-c225-4b3b-9b8c-c453505a41de?source=cve https://plugins.trac.wordpress.org/changeset/3400527 |
| Red Hat--Red Hat Ceph Storage 5 | A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access. | 2025-12-04 | 5.5 | CVE-2025-14010 | https://access.redhat.com/security/cve/CVE-2025-14010 RHBZ#2418774 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. | 2025-12-05 | 6.1 | CVE-2025-14104 | https://access.redhat.com/security/cve/CVE-2025-14104 RHBZ#2419369 |
| Red Hat--Red Hat OpenShift Dev Spaces | A container privilege escalation flaw was found in certain CodeReady Workspaces images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2025-12-02 | 5.2 | CVE-2025-57850 | https://access.redhat.com/security/cve/CVE-2025-57850 RHBZ#2391103 |
| roselldk--WebP Express | The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data. | 2025-12-04 | 5.3 | CVE-2025-11379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c28479bf-768a-4ab4-8e74-ad367b9b744f?source=cve https://wordpress.org/plugins/webp-express/ |
| roxnor--ShopEngine Elementor WooCommerce Builder Addon All in One WooCommerce Solution | The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link. | 2025-12-03 | 4.3 | CVE-2025-12358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve https://plugins.trac.wordpress.org/changeset/3401226/shopengine |
| roxnor--Wp Social Login and Register Social Counter | The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests. | 2025-12-05 | 5.3 | CVE-2025-13620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa205d7-61ce-4ab9-b532-fd0b46b0f6a0?source=cve https://plugins.trac.wordpress.org/changeset/3402340/wp-social/tags/3.1.4/inc/admin-rest-api.php |
| saadiqbal--Post SMTP Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App | The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials. | 2025-12-03 | 5.4 | CVE-2025-12887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd9f312-99e1-4dc2-855d-90339c2e24da?source=cve https://plugins.trac.wordpress.org/changeset/3402203 |
| Samsung Mobile--Galaxy Store for Galaxy Watch | Improper export of Android application components in Galaxy Store for Galaxy Watch prior to version 1.0.06.29 allows a local attacker to install an arbitrary application on Galaxy Store. | 2025-12-02 | 5.9 | CVE-2025-58483 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Account | Improper input validation in Samsung Account prior to version 15.5.01.1 allows a local attacker to execute arbitrary script. | 2025-12-02 | 4 | CVE-2025-58486 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Account | Improper authorization in Samsung Account prior to version 15.5.01.1 allows a local attacker to launch an arbitrary activity with Samsung Account privilege. | 2025-12-02 | 4 | CVE-2025-58487 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Cloud Assistant | Incorrect default permissions in Samsung Cloud Assistant prior to version 8.0.03.8 allows a local attacker to access partial data in sandbox. | 2025-12-02 | 4 | CVE-2025-58484 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Internet | Improper input validation in Samsung Internet prior to version 29.0.0.48 allows local attackers to inject arbitrary script. | 2025-12-02 | 5.5 | CVE-2025-58485 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of Android application components in Dynamic Lockscreen prior to SMR Dec-2025 Release 1 allows local attackers to access files with Dynamic Lockscreen's privilege. | 2025-12-02 | 6.2 | CVE-2025-21080 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in decoding metadata in fingerprint trustlet prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-12-02 | 5.7 | CVE-2025-21072 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in libsec-ril.so prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-12-02 | 5.6 | CVE-2025-58475 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds read vulnerability in bootloader prior to SMR Dec-2025 Release 1 allows physical attackers to access out-of-bounds memory. | 2025-12-02 | 4.2 | CVE-2025-58476 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in parsing IFD tag in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58477 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58478 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds read in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58479 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Heap-based buffer overflow in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58480 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--SmartTouchCall | Improper verification of source of a communication channel in SmartTouchCall prior to version 1.0.1.1 allows remote attackers to access sensitive information. User interaction is required for triggering this vulnerability. | 2025-12-02 | 4.5 | CVE-2025-58488 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co.--Onaylarım | Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylarım allows Functionality Misuse. This issue affects Onaylarım: from 25.09.26.01 through 18112025. | 2025-12-01 | 4.3 | CVE-2025-13129 | https://www.usom.gov.tr/bildirim/tr-25-0422 |
| SGAI--Space1 NAS N1211DS | A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14184 | VDB-334604 \| SGAI Space1 NAS N1211DS gsaiagent JSONAPI NGNIX_UPLOAD command injection VDB-334604 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698568 \| SGAI N1211DS NAS v1.0.915 Command Injection Submit #698569 \| SGAI N1211DS NAS v1.0.915 Command Injection (Duplicate) Submit #698570 \| SGAI N1211DS NAS v1.0.915 Command Injection (Duplicate) https://www.notion.so/2b16cf4e528a80858abbf62b721a54b0 https://www.notion.so/2b16cf4e528a80f2ada9dc83651a4013 |
| SGAI--Space1 NAS N1211DS | A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 4.3 | CVE-2025-14183 | VDB-334603 \| SGAI Space1 NAS N1211DS gsaiagent JSONAPI GET_USER_INFO credentials storage VDB-334603 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698566 \| SGAI N1211DS NAS v1.0.915 Improper Authentication Submit #698567 \| SGAI N1211DS NAS v1.0.915 Improper Authentication (Duplicate) https://www.notion.so/2b16cf4e528a8000b30bd543247fa1bd https://www.notion.so/2b16cf4e528a80859264db63f2340d7a |
| siamlottery--Thai Lottery Widget | The Thai Lottery Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `thailottery` shortcode in all versions up to, and including, 2.5. This is due to insufficient input sanitization and output escaping on the user supplied `width` and `height` shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13678 | https://www.wordfence.com/threat-intel/vulnerabilities/id/949eb9d6-0c8f-43f1-8580-998ea78c9549?source=cve https://plugins.trac.wordpress.org/browser/thai-lottery-widget/trunk/thailottery.php#L330 https://plugins.trac.wordpress.org/browser/thai-lottery-widget/tags/2.5/thailottery.php#L330 |
| smackcoders--Export All Posts, Products, Orders, Refunds & Users | The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-02 | 6.5 | CVE-2025-13606 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve https://plugins.trac.wordpress.org/changeset/3405694/ |
| smallstep--certificates | Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0. | 2025-12-03 | 5 | CVE-2025-66406 | https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr |
| Sobey--Media Convergence System | A vulnerability has been found in Sobey Media Convergence System 2.0/2.1. This vulnerability affects unknown code of the file /sobey-mchEditor/watermark/upload. The manipulation of the argument File leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-07 | 6.3 | CVE-2025-14182 | VDB-334602 \| Sobey Media Convergence System upload path traversal VDB-334602 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698561 \| Chengdu Sobey Digital Technology Co., Ltd. Sobey Media Convergence System V2.0-2.1 Uploaded File https://github.com/hacker-routing/cve/issues/1 |
| Socomec--DIRIS Digiware M-70 | A cleartext transmission vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | 2025-12-01 | 5.9 | CVE-2024-48894 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2115 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-48894---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-22-18_English_0.pdf |
| softdiscover--Zigaform Price Calculator & Cost Estimation Form Builder Lite | The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values. | 2025-12-02 | 5.3 | CVE-2025-13696 | https://www.wordfence.com/threat-intel/vulnerabilities/id/47f9a466-2826-4835-b06e-14cf4ceb7567?source=cve https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/trunk/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106 https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/tags/7.6.5/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&new=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&sfp_email=&sfph_mail= https://github.com/Softdiscover/Zigaform-WP-Cost-Estimator-Lite/commit/f129d8dd1fb3ab0535c7eb18d52fc49141ab36c8 |
| sozan45--Ultra Skype Button | The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_id' parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13898 | https://www.wordfence.com/threat-intel/vulnerabilities/id/20b3c88f-a0df-4814-83b6-27440c5ad38e?source=cve https://plugins.trac.wordpress.org/browser/ultra-skype-button/trunk/index.php#L39 https://plugins.trac.wordpress.org/browser/ultra-skype-button/tags/1.0/index.php#L39 https://plugins.trac.wordpress.org/browser/ultra-skype-button/trunk/index.php#L44 https://plugins.trac.wordpress.org/browser/ultra-skype-button/tags/1.0/index.php#L44 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities. | 2025-12-03 | 5.3 | CVE-2025-20384 | https://advisory.splunk.com/advisories/SVD-2025-1203 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert. | 2025-12-03 | 4.3 | CVE-2025-20383 | https://advisory.splunk.com/advisories/SVD-2025-1202 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS). | 2025-12-03 | 4.3 | CVE-2025-20389 | https://advisory.splunk.com/advisories/SVD-2025-1208 |
| Splunk--Splunk MCP Server | In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions. | 2025-12-03 | 5.4 | CVE-2025-20381 | https://advisory.splunk.com/advisories/SVD-2025-1210 |
| Sprecher Automation--SPRECON-E-C | Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes. | 2025-12-02 | 4 | CVE-2025-41743 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf |
| stevejburge--Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors). | 2025-12-03 | 6.5 | CVE-2025-13359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9bebdc0-1625-4dc4-8c92-37f379868cd5?source=cve https://github.com/TaxoPress/TaxoPress/commit/1097a22181aa10ce55cc9cd5fa8495f7494e18ea |
| stevejburge--Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques. | 2025-12-06 | 6.5 | CVE-2025-13922 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f40cc632-c6af-4c8b-a455-76319f7fe151?source=cve https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/inc/class.admin.php#L1406 https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L180 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3408243%40simple-tags%2Ftrunk&old=3388829%40simple-tags%2Ftrunk&sfp_email=&sfph_mail=#file17 |
| stevejburge--Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms. | 2025-12-03 | 4.3 | CVE-2025-13354 | https://www.wordfence.com/threat-intel/vulnerabilities/id/05c1ee52-02c9-440b-9269-14ea8b73be45?source=cve https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0 |
| sumotto--CSV Sumotto | The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6aa8089-1c29-41ef-b2c0-06841751f7a5?source=cve https://plugins.trac.wordpress.org/browser/csv-sumotto/trunk/csv_sumotto_settings.php#L53 |
| Sunbird--DCIM dcTrack | DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host. | 2025-12-04 | 6.7 | CVE-2025-66237 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json |
| switch2mac--WP-SOS-Donate Donation Sidebar Plugin | The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13625 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5123c672-e769-4d44-9912-e159d3e186c1?source=cve https://wordpress.org/plugins/wp-sos-donate/ https://plugins.trac.wordpress.org/browser/wp-sos-donate/trunk/wp-sos-donate_options.php#L45 https://plugins.trac.wordpress.org/browser/wp-sos-donate/tags/0.9.2/wp-sos-donate_options.php#L45 |
| sylabs--singularity | SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5. | 2025-12-02 | 4.5 | CVE-2025-64750 | https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87 https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm https://github.com/sylabs/singularity/pull/3850 https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33 https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0 https://github.com/advisories/GHSA-fh74-hm69-rqjw |
| Synaptics--Synaptics Fingerprint Driver | A carefully crafted DLL, copied to C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation. | 2025-12-01 | 6.6 | CVE-2025-11772 | https://www.synaptics.com/sites/default/files/2025-12/fingerprint-driver-co-installer-security-brief-2025-12-01.pdf |
| Synology--BeeDrive for desktop | Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors. | 2025-12-04 | 5.6 | CVE-2025-8074 | Synology-SA-25:09 BeeDrive for desktop |
| Synology--DiskStation Manager (DSM) | Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors. | 2025-12-04 | 4.3 | CVE-2024-5401 | Synology-SA-24:27 DSM |
| Synology--Synology Mail Server | A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions. | 2025-12-04 | 6.3 | CVE-2025-2848 | Synology-SA-25:05 Mail Server |
| Synology--Synology Router Manager (SRM) | A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files. | 2025-12-04 | 5.4 | CVE-2025-29843 | Synology-SA-25:04 SRM |
| Synology--Synology Router Manager (SRM) | A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information. | 2025-12-04 | 4.3 | CVE-2025-29844 | Synology-SA-25:04 SRM |
| Synology--Synology Router Manager (SRM) | A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files. | 2025-12-04 | 4.3 | CVE-2025-29845 | Synology-SA-25:04 SRM |
| takeads--Takeads | The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options. | 2025-12-05 | 4.3 | CVE-2025-12370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f3619d9-7572-439e-a284-d59ef5de08f3?source=cve https://plugins.trac.wordpress.org/browser/monetize-link/tags/1.0.13/src/MLP_Ajax.php#L8 |
| teamdream--dream gallery | The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13621 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3cdf6ba0-2866-4347-8518-bb1d2e40bab3?source=cve https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L254 https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L257 https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/templates/front.php#L38 https://plugins.trac.wordpress.org/browser/dream-gallery/trunk/dreamgallery.php#L254 |
| techjewel--Fluent Booking The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them. | 2025-12-03 | 4.3 | CVE-2025-13756 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7860dfa8-de76-4ca3-bd80-98550afab56b?source=cve https://plugins.trac.wordpress.org/changeset/3404176/fluent-booking/tags/1.10.0/app/Hooks/Handlers/DataImporter.php |
| techjewel--Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier. | 2025-12-06 | 5.3 | CVE-2025-13748 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2?source=cve https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php |
| Tekrom Technology Inc.--T-Soft E-Commerce | Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery. This issue affects T-Soft E-Commerce: through 28112025. | 2025-12-01 | 5.4 | CVE-2025-13296 | https://www.usom.gov.tr/bildirim/tr-25-0421 |
| themeisle--Visualizer: Tables and Charts Manager for WordPress | The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability. | 2025-12-02 | 6.5 | CVE-2025-12483 | https://www.wordfence.com/threat-intel/vulnerabilities/id/94392c66-6e50-48bb-93cb-9aa9d0229761?source=cve https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Gutenberg/Block.php#L499 https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Source/Query.php#L173 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3405160%40visualizer%2Ftrunk&old=3355840%40visualizer%2Ftrunk&sfp_email=&sfph_mail= |
| torod--Torod The smart shipping and delivery portal for e-shops and retailers | The Torod - The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12373 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1eedab61-e94b-4793-8bf6-cfadd94a5778?source=cve https://plugins.trac.wordpress.org/browser/torod/tags/1.9/inc/torod_Settings.php#L80 |
| TOZED--ZLT M30S | A vulnerability was determined in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. This impacts an unknown function of the file /reqproc/proc_post of the component Web Interface. Executing manipulation of the argument goformId with the input REBOOT_DEVICE can lead to denial of service. The attack can only be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.3 | CVE-2025-14105 | VDB-334487 \| TOZED ZLT M30S/ZLT M30S PRO Web proc_post denial of service VDB-334487 \| CTI Indicators (IOB, IOC, IOA) Submit #696740 \| ZLT M30S & M30S PRO MTNNGRM30S_1.47, M30SPRO_3.09.06 (Other versions might be vulnerable) Denial of Service https://youtu.be/RNgsrnPPxgQ |
| tunilame--CSS3 Buttons | The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13907 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c1f71ffb-f09c-40f6-b65e-af30ce155466?source=cve https://plugins.trac.wordpress.org/browser/css3-buttons/trunk/css3-buttons.php#L59 https://plugins.trac.wordpress.org/browser/css3-buttons/tags/0.1/css3-buttons.php#L59 |
| Tyche Softwares--Arconix Shortcodes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.19. | 2025-12-01 | 6.5 | CVE-2025-13835 | https://vdp.patchstack.com/database/wordpress/plugin/arconix-shortcodes/vulnerability/wordpress-arconix-shortcodes-plugin-2-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TykoDev--cherry-studio-TykoFork | A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-12-07 | 6.3 | CVE-2025-14204 | VDB-334647 \| TykoDev cherry-studio-TykoFork OAuth Server Discovery oauth-authorization-server redirectToAuthorization os command injection VDB-334647 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700182 \| GitHub cherry-studio-TykoFork 0.0.1 OS Command Injection https://lavender-bicycle-a5a.notion.site/TokyoTech-RCE-26153a41781f80b6a370d427a6d307f0 |
| UTT--进取 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/websHostFilter. Performing manipulation of the argument addHostFilter results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 6.5 | CVE-2025-14140 | VDB-334528 \| UTT 进取 520W websHostFilter strcpy buffer overflow VDB-334528 \| CTI Indicators (IOB, IOC, IOA) Submit #698521 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/12.md https://github.com/cymiao1978/cve/blob/main/new/12.md#poc |
| UTT--进取 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Impacted is the function strcpy of the file /goform/formConfigDnsFilterGlobal. Such manipulation of the argument timeRangeName leads to buffer overflow. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 5.7 | CVE-2025-14139 | VDB-334527 \| UTT 进取 520W formConfigDnsFilterGlobal strcpy buffer overflow VDB-334527 \| CTI Indicators (IOB, IOC, IOA) Submit #698520 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/11.md https://github.com/cymiao1978/cve/blob/main/new/11.md#poc |
| Verysync--微力同步 | A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14199 | VDB-334619 \| Verysync 微力同步 Web Administration text.txt unrestricted upload VDB-334619 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699539 \| Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Upload Any File https://github.com/jjjjj-zr/jjjjjzr/issues/10 |
| Verysync--微力同步 | A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 5.3 | CVE-2025-14197 | VDB-334617 \| Verysync 微力同步 Web Administration f96956469e7be39d information disclosure VDB-334617 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699498 \| Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Unauthorized Access Submit #699537 \| Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Arbitrary File Read (Duplicate) https://github.com/jjjjj-zr/jjjjjzr/issues/6 https://github.com/jjjjj-zr/jjjjjzr/issues/8 |
| Verysync--微力同步 | A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation results in information disclosure. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 5.3 | CVE-2025-14198 | VDB-334618 \| Verysync 微力同步 Web Administration download information disclosure VDB-334618 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699533 \| Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Download any file https://github.com/jjjjj-zr/jjjjjzr/issues/7 |
| voidek--Voidek Employee Portal | The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal. | 2025-12-05 | 5.3 | CVE-2025-12093 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d33b83d5-cfc0-48b6-a54e-1ae8ac52aae1?source=cve https://wordpress.org/plugins/voidek-employee-portal/ |
| watchful--Backup, Restore and Migrate your sites with XCloner | The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data. | 2025-12-05 | 4.3 | CVE-2025-11759 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a76a8e36-635a-48a3-8683-c24a0395212e?source=cve https://plugins.trac.wordpress.org/changeset/3398881/xcloner-backup-and-restore |
| wcvendors--WC Vendors WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors | The WC Vendors - WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12130 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984?source=cve https://plugins.trac.wordpress.org/changeset/3408849/wc-vendors/trunk/classes/front/class-wcv-product-controller.php |
| webdevstudios--Custom Post Type UI | The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations. | 2025-12-04 | 4.8 | CVE-2025-12826 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9 |
| webradykal--Easy Jump Links Menus | The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13860 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e88dc0-4798-4da8-87cf-4c398acc622c?source=cve https://plugins.trac.wordpress.org/browser/easy-jump-links-menus/trunk/easy-jump-links-menus.php#L52 https://plugins.trac.wordpress.org/browser/easy-jump-links-menus/tags/1.0.0/easy-jump-links-menus.php#L52 |
| wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings. | 2025-12-06 | 5.4 | CVE-2025-12505 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3ec54ec6-0ff1-4290-85d0-d691a1832627?source=cve https://github.com/weDevsOfficial/wedocs-plugin/blob/develop/includes/API/SettingsApi.php https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L115 https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L179 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3403375%40wedocs%2Ftrunk&old=3382516%40wedocs%2Ftrunk&sfp_email=&sfph_mail= |
| Wireshark Foundation--Wireshark | HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service | 2025-12-03 | 5.5 | CVE-2025-13945 | https://www.wireshark.org/security/wnpa-sec-2025-07.html GitLab Issue #20860 |
| Wireshark Foundation--Wireshark | MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service | 2025-12-03 | 5.5 | CVE-2025-13946 | https://www.wireshark.org/security/wnpa-sec-2025-08.html GitLab Issue #20884 |
| wpblockart--BlockArt Blocks Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'timestamp' attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 6.4 | CVE-2025-13697 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b91364fa-7046-427f-84ee-6a36d49bb80f?source=cve https://plugins.trac.wordpress.org/changeset/3404884/ |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12804 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad993a62-457a-494f-a7c8-256b808d18c0?source=cve https://plugins.trac.wordpress.org/changeset/3391614/booking |
| wpdiscover--Social Feed Gallery Portfolio | The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13896 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2a275deb-a0e3-491a-bed6-9f6112918061?source=cve https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/trunk/includes/public/class-portfolio-shortcode.php#L58 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/tags/1.3/includes/public/class-portfolio-shortcode.php#L58 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/trunk/includes/public/class-portfolio-shortcode.php#L208 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/tags/1.3/includes/public/class-portfolio-shortcode.php#L208 |
| wpeka-club--SurveyFunnel Survey Plugin for WordPress | The SurveyFunnel - Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'surveyfunnel_lite_survey' shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12417 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d13aadf-c144-4919-9bbd-54cb26cf2527?source=cve https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/public/class-surveyfunnel-lite-public.php#L240 https://developer.wordpress.org/apis/security/escaping/ |
| wpeka-club--SurveyFunnel Survey Plugin for WordPress | The SurveyFunnel - Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses. | 2025-12-05 | 5.3 | CVE-2025-13006 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f43f69f0-6995-4789-acf3-8019227effe1?source=cve https://github.com/wpeka/surveyfunnel-lite/blob/master/includes/class-surveyfunnel-lite-rest-api.php https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/includes/class-surveyfunnel-lite-rest-api.php |
| wpforchurch--Sermon Manager | The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41116b52-8f94-4d29-8845-a27bdf817b43?source=cve https://wordpress.org/plugins/sermon-manager-for-wordpress https://plugins.trac.wordpress.org/browser/sermon-manager-for-wordpress/tags/2.30.0/includes/vendor/entry-views.php#L114 |
| wpmanageninja--FluentCart A New Era of eCommerce Faster, Lighter, and Simpler | The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-03 | 4.9 | CVE-2025-13495 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2000b23f-d8a2-4b83-9bf7-b90cb16718f3?source=cve https://plugins.trac.wordpress.org/browser/fluent-cart/trunk/app/Services/Report/RevenueReportService.php#L76 https://plugins.trac.wordpress.org/browser/fluent-cart/tags/1.3.0/app/Services/Report/RevenueReportService.php#L76 https://plugins.trac.wordpress.org/changeset/3408039/fluent-cart/tags/1.3.2/app/Services/Report/ReportHelper.php |
| xbenx--WP Landing Page | The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp_api_update_text' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-06 | 4.3 | CVE-2025-13629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/43d8576b-e6ad-4e0a-b99f-948ba36f53ff?source=cve https://plugins.trac.wordpress.org/browser/wp-landing-page/trunk/includes/wplp-api.php#L14 https://plugins.trac.wordpress.org/browser/wp-landing-page/tags/0.9.3/includes/wplp-api.php#L14 |
| xerrors--Yuxi-Know | A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion). | 2025-12-05 | 4.7 | CVE-2025-14116 | VDB-334492 | xerrors Yuxi-Know embed.py OtherEmbedding.aencode server-side request forgery VDB-334492 | CTI Indicators (IOB, IOC, IOA) Submit #697380 | xerrors Yuxi-Know Yuxi-Know ≤ 0.4.0 Server-Side Request Forgery https://www.notion.so/SSRF-vulnerablity-in-Yuxi-Know-2afea92a3c4180bea524f1a253f8d9a0?source=copy_link https://github.com/xerrors/Yuxi-Know/commit/0ff771dc1933d5a6b78f804115e78a7d8625c3f3 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which get accepted unconditionally by get_client_ip() in docker/main.cc, causing access and error logs (nginx_access_logger / nginx_error_logger) to record spoofed client IPs (log poisoning / audit evasion). This vulnerability is fixed in 0.27.0. | 2025-12-05 | 5.3 | CVE-2025-66577 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-gfpf-r66f-5mh2 https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff |
| Yohann0617--oci-helper | A weakness has been identified in Yohann0617 oci-helper up to 3.2.4. This issue affects the function addCfg of the file src/main/java/com/yohann/ocihelper/service/impl/OciServiceImpl.java of the component OCI Configuration Upload. Executing manipulation of the argument File can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 6.3 | CVE-2025-13875 | VDB-334031 | Yohann0617 oci-helper OCI Configuration Upload OciServiceImpl.java addCfg path traversal VDB-334031 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692125 | yohann( https://github.com/Yohann0617 ) oci-helper <=V3.2.4 Directory/Path Traversal https://github.com/Xzzz111/exps/blob/main/archives/oci-helper-path-traversal-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/oci-helper-path-traversal-1/report.md#proof-of-concept |
| Yonyou--U8 Cloud | A vulnerability was identified in Yonyou U8 Cloud 5.0/5.0sp/5.1/5.1sp. The affected element is an unknown function of the file nc/pubitf/erm/mobile/appservice/AppServletService.class. Such manipulation of the argument usercode leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14185 | VDB-334605 | Yonyou U8 Cloud AppServletService.class sql injection VDB-334605 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698601 | Yonyou Network Technology Co., Ltd. U8 Cloud 5.0,5.0sp,5.1,5.1sp SQL Injection https://github.com/798xuezhiqian-collab/vuln01 |
| youlaitech--youlai-mall | A flaw has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function getById/updateAddress/deleteAddress of the file /mall-ums/app-api/v1/addresses/. Executing manipulation can lead to improper control of dynamically-identified variables. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 6.3 | CVE-2025-14051 | VDB-334367 | youlaitech youlai-mall addresses deleteAddress improper control of dynamically-identified variables VDB-334367 | CTI Indicators (IOB, IOC, IOA) Submit #694827 | youlai-mall latest Improper Control of Resource Identifiers Submit #694836 | youlai-mall latest Improper Control of Resource Identifiers (Duplicate) Submit #694837 | youlai-mall latest Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/18 https://github.com/Hwwg/cve/issues/19 |
| youlaitech--youlai-mall | A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14052 | VDB-334368 | youlaitech youlai-mall members getMemberById access control VDB-334368 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #694854 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/21 |
| youlaitech--youlai-mall | A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14085 | VDB-334476 | youlaitech youlai-mall orders improper control of dynamically-identified variables VDB-334476 | CTI Indicators (IOB, IOC, IOA) Submit #695943 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/23 |
| youlaitech--youlai-mall | A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14086 | VDB-334477 | youlaitech youlai-mall openid access control VDB-334477 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #695945 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/25 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| alokjaiswal--Hotel-Management-services-using-MYSQL-and-php | A vulnerability has been found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected is an unknown function of the file /usersub.php of the component Request Pending Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 3.5 | CVE-2025-14200 | VDB-334620 | alokjaiswal Hotel-Management-services-using-MYSQL-and-php Request Pending usersub.php cross site scripting VDB-334620 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #699993 | Hotel-Management-services-using-MYSQL-and-php web web 1 xxs vnlerability https://github.com/Yh276/h0202/blob/main/Hotel-Management-services-using-MYSQL-and-php%20web%202xxs.docx |
| alokjaiswal--Hotel-Management-services-using-MYSQL-and-php | A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 2.4 | CVE-2025-14201 | VDB-334621 | alokjaiswal Hotel-Management-services-using-MYSQL-and-php dishsub.php cross site scripting VDB-334621 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #699994 | Hotel-Management-services-using-MYSQL-and-php web 1 web 1 XSS vulnerability https://github.com/Yh276/h0202/blob/main/Hotel-Management-services-using-MYSQL-and-php%20web%201%20xxs.docx |
| code-projects--Chamber of Commerce Membership Management System | A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Performing manipulation of the argument Full Name/Address/City/State results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2025-12-07 | 2.4 | CVE-2025-14205 | VDB-334648 | code-projects Chamber of Commerce Membership Management System Your Info membership_profile.php cross site scripting VDB-334648 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #700421 | code-projects Chamber of Commerce Membership Management System In PHP With Source Code V1.0 Improper Neutralization of Alternate XSS Syntax https://www.yuque.com/u42535181/pm5nde/ky49h1xg6si9d3m8#zdDXX https://code-projects.org/ |
| code-projects--Employee Profile Management System | A vulnerability was identified in code-projects Employee Profile Management System 1.0. This issue affects some unknown processing of the file /view_personnel.php. The manipulation of the argument per_address/dr_school/other_school leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-12-07 | 3.5 | CVE-2025-14194 | VDB-334614 | code-projects Employee Profile Management System view_personnel.php cross site scripting VDB-334614 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #699246 | code-projects Employee Profile Management System published November 15, 2025 Cross Site Scripting https://github.com/shenxianyuguitian/employee-management-XSS https://code-projects.org/ |
| dayrui--XunRuiCMS | A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 3.5 | CVE-2025-14006 | VDB-334248 | dayrui XunRuiCMS Add Data Validation admind45f74adbd95.php cross site scripting VDB-334248 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692910 | Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Cross-Site Scripting https://github.com/24-2021/vul/blob/main/xunruicms-Data%20Validation-XSS/xunruicms-Data%20Validation-XSS.md |
| dayrui--XunRuiCMS | A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. Affected by this vulnerability is an unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 of the component Add Display Name Field. Executing manipulation of the argument data[name] can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2.4 | CVE-2025-14005 | VDB-334247 | dayrui XunRuiCMS Add Display Name Field admind45f74adbd95.php cross site scripting VDB-334247 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692909 | Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Cross-Site Scripting https://github.com/24-2021/vul/blob/main/xunruicms-Basic%20Settings-XSS/xunruicms-Basic%20Settings-XSS.md |
| dayrui--XunRuiCMS | A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from remote. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2 | CVE-2025-14007 | VDB-334249 | dayrui XunRuiCMS Domain Name Binding admin79f2ec220c7e.php cross site scripting VDB-334249 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692914 | Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 URL redirection causing remote XSS https://github.com/24-2021/vul/blob/main/xunruicms-site_domain%2Bmobile_demo-URL%20redirection%20causing%20remote%20XSS/xunruicms-site_domain%2Bmobile_demo-URL%20redirection%20causing%20remote%20XSS.md |
| envoyproxy--envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel. | 2025-12-03 | 3.7 | CVE-2025-64763 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh |
| Grandstream--GXP1625 | A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 3.5 | CVE-2025-14186 | VDB-334606 | Grandstream GXP1625 Network Status api.values.post cross site scripting VDB-334606 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698650 | Grandstream GXP1625 1.0.7.4 xss https://drive.google.com/file/d/1rsskCaj4TwiaGG9_VYabjnKMP_zAry7L/view?usp=sharing |
| hedgedoc--hedgedoc | HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4. | 2025-12-05 | 3.7 | CVE-2025-66629 | https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6wm6-3vpq-6qvv https://github.com/hedgedoc/hedgedoc/commit/35f36fccba941ed8029ee222f7d2a5df17b42e2b |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and subscribe to the block from other boards that the user does not have access to. | 2025-12-02 | 3.1 | CVE-2025-13870 | https://mattermost.com/security-updates |
| Medtronic--CareLink Network | Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 2.2 | CVE-2025-12997 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| n/a--JIZHICMS | A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. The manipulation of the argument body leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2.4 | CVE-2025-14013 | VDB-334254 | JIZHICMS Comment addcomment.html cross site scripting VDB-334254 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #694649 | Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 Storage XSS https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-Commentaddcomment.html-bodyparameter-Storage%20XSS/jizhicms%3DV2.5.5-Commentaddcomment.html-bodyparameter-Storage%20XSS.md |
| nextcloud--security-advisories | Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code. | 2025-12-05 | 3.5 | CVE-2025-66514 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5 https://github.com/nextcloud/mail/pull/11740 https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09 https://hackerone.com/reports/3357036 |
| nextcloud--security-advisories | Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2. | 2025-12-05 | 3.5 | CVE-2025-66545 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m https://github.com/nextcloud/groupfolders/issues/4041 https://github.com/nextcloud/groupfolders/pull/4076 https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58 |
| nextcloud--security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1. | 2025-12-05 | 3.3 | CVE-2025-66546 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95 https://github.com/nextcloud/calendar/pull/7537 https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3 https://hackerone.com/reports/3275810 |
| nextcloud--security-advisories | Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into downloading files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1. | 2025-12-05 | 3.3 | CVE-2025-66548 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 https://github.com/nextcloud/deck/pull/6671 https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a https://hackerone.com/reports/2326618 |
| nextcloud--security-advisories | Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5. | 2025-12-05 | 3.5 | CVE-2025-66554 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2 https://github.com/nextcloud/contacts/pull/4619 https://github.com/nextcloud/contacts/commit/d954d098978dde1f121600e8b994e02f293c68b1 https://hackerone.com/reports/3293290 |
| nextcloud--security-advisories | Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2. | 2025-12-05 | 3.5 | CVE-2025-66556 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pr9f-vqgg-m2jh https://github.com/nextcloud/spreed/pull/15532 https://github.com/nextcloud/spreed/commit/bd68e80d1dea98d84c1d621c2c681238cf041725 https://hackerone.com/reports/3247386 |
| nextcloud--security-advisories | Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1. | 2025-12-05 | 3.1 | CVE-2025-66558 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q https://github.com/nextcloud/twofactor_webauthn/pull/881 https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d https://hackerone.com/reports/3360354 |
| nextcloud--security-advisories | The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user's file into the "pending approval" without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0. | 2025-12-05 | 2.7 | CVE-2025-66515 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5 https://github.com/nextcloud/approval/pull/334 https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4 https://hackerone.com/reports/3338748 |
| nextcloud--security-advisories | Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5. | 2025-12-05 | 2.4 | CVE-2025-66549 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hw https://github.com/nextcloud/desktop/pull/8330 https://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6 https://hackerone.com/reports/3159877 |
| nutzam--NutzBoot | A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. | 2025-12-01 | 3.7 | CVE-2025-13805 | VDB-333815 | nutzam NutzBoot LiteRpc-Serializer HttpServletRpcEndpoint.java getInputStream deserialization VDB-333815 | CTI Indicators (IOB, IOC, IOA) Submit #692053 | Nutz Framework NutzBoot 2.6.0-SNAPSHOT Code Execution (Unauthenticated Java Deserialization) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md#vulnerability-details-and-poc |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | 2025-12-03 | 3.5 | CVE-2025-20382 | https://advisory.splunk.com/advisories/SVD-2025-1201 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user. | 2025-12-03 | 2.4 | CVE-2025-20385 | https://advisory.splunk.com/advisories/SVD-2025-1204 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment. | 2025-12-03 | 2.7 | CVE-2025-20388 | https://advisory.splunk.com/advisories/SVD-2025-1207 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn's remote management features. | 2025-12-05 | not yet calculated | CVE-2025-34256 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/defined endpoint. When an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. An attacker can inject malicious script into defined_name, which is then executed in the browser context of users who view the affected task, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34257 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-defined |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/plan endpoint. When an authenticated user adds an area to a map entry, the name parameter is stored and later rendered in the map list without HTML sanitization. An attacker can inject malicious script into the area name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34258 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-plan |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/building endpoint. When an authenticated user creates a map entry, the name parameter is stored and later rendered in the map list UI without HTML sanitzation. An attacker can inject malicious script into the map entry name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34259 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-building |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitation. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34260 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-schedule |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected device group, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34261 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicegroups |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored and later rendered in device listings or detail views without proper HTML sanitization. An attacker can inject malicious script into the device name, which is then executed in the browser context of users who view or interact with the affected device, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34262 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devices-name-agentid |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34263 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-dashboards-menus |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without proper HTML sanitization. An attacker can inject malicious script into the process name, which is then executed in the browser context of users who view or interact with the affected rules, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34264 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-dog-agentid |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitization. An attacker can inject malicious script into one or more of these fields, which is then executed in the browser context of users who view or interact with the affected rule, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34265 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-rulesengine |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected AddIns entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34266 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-addins-menus |
| AI-QL--tuui | TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4. | 2025-12-05 | not yet calculated | CVE-2025-66562 | https://github.com/AI-QL/tuui/security/advisories/GHSA-qjhq-rgmr-6c3g https://github.com/AI-QL/tuui/commit/f673fa5b4d76e8236c7d9506d0727875cfa79cc1 https://github.com/AI-QL/tuui/releases/tag/v1.3.4 |
| airkeyboardapp--AirKeyboard iOS App | AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control. | 2025-12-04 | not yet calculated | CVE-2025-66555 | Exploit Database Entry 52333 AirKeyboard Homepage Apple App Store Link https://www.vulncheck.com/advisories/airkeyboard-ios-app-105-remote-input-injection |
| AMS Development Corp.--GAMS | Vulnerability in the access control system of the GAMS licensing system that allows unlimited valid licenses to be generated, bypassing any usage restrictions. The validator uses an insecure checksum algorithm; knowing this algorithm and the format of the license lines, an attacker can recalculate the checksum and generate a valid license to grant themselves full privileges without credentials or access to the source code, allowing them unrestricted access to GAMS's mathematical models and commercial solvers. | 2025-12-02 | not yet calculated | CVE-2025-41086 | https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-gams-gams-development-corp https://www.gams.com/latest/docs/RN_51.html |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, a Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17. | 2025-12-01 | not yet calculated | CVE-2025-66412 | https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49 https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a |
| anthropic-experimental--sandbox-runtime | Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16. | 2025-12-04 | not yet calculated | CVE-2025-66479 | https://github.com/anthropic-experimental/sandbox-runtime/security/advisories/GHSA-9gqj-5w7c-vx47 https://github.com/anthropic-experimental/sandbox-runtime/commit/bea2930cc1db9c73a1b15acf6dc19c5261aec1f3 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to 1.0.93, due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93. | 2025-12-03 | not yet calculated | CVE-2025-66032 | https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3 |
| Apache Software Foundation--Apache bRPC | Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options) 1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will fail after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit. | 2025-12-01 | not yet calculated | CVE-2025-59789 | https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx |
| Apache Software Foundation--Apache HTTP Server | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-55753 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-58098 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-59775 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-65082 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-66200 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache Struts | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. | 2025-12-01 | not yet calculated | CVE-2025-64775 | https://cwiki.apache.org/confluence/display/WW/S2-068 |
| Apache Software Foundation--Apache Tika core | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. | 2025-12-04 | not yet calculated | CVE-2025-66516 | https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k https://cve.org/CVERecord?id=CVE-2025-54988 |
| Arm Ltd--Valhall GPU Kernel Driver | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to expose sensitive data. This issue affects Valhall GPU Kernel Driver: from r29p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0. | 2025-12-01 | not yet calculated | CVE-2025-2879 | https://developer.arm.com/documentation/110697/latest/ |
| Arm Ltd--Valhall GPU Kernel Driver | Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1. | 2025-12-01 | not yet calculated | CVE-2025-6349 | https://developer.arm.com/documentation/110697/latest/ |
| Arm Ltd--Valhall GPU Kernel Driver | Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1. | 2025-12-01 | not yet calculated | CVE-2025-8045 | https://developer.arm.com/documentation/110697/latest/ |
| Cacti--cacti | Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29. | 2025-12-02 | not yet calculated | CVE-2025-66399 | https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf |
| calcom--cal.com | Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8. | 2025-12-03 | not yet calculated | CVE-2025-66489 | https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98 |
| Canonical--python-apt | NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key. | 2025-12-05 | not yet calculated | CVE-2025-6966 | https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques. | 2025-12-01 | not yet calculated | CVE-2025-66313 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-47q3-c874-mqvp https://github.com/ChurchCRM/CRM/commit/719a6bc73245c40e3c30dae6229daaecd451e59f |
| Cloudflare--gokey | In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact: This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used * a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password. Patches: The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now. System secret rotation guidance: It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below. Systems that do not require the old password/secret for rotation: Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system. Systems that require the old password/secret for rotation: Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to: * temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password * use gokey version 0.2.0 or above to generate the new password * populate the system provided password rotation form. Systems that allow multiple credentials for the same account to be provisioned: Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above * provision the new secret/key/credential in addition to the existing credential on the system * verify that the access or required system operation is still possible with the new secret/key/credential * revoke authorization for the existing/old credential from the system. Credit: This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program. | 2025-12-02 | not yet calculated | CVE-2025-13353 | https://github.com/cloudflare/gokey/security/advisories/GHSA-69jw-4jj8-fcxm |
| CollaboraOnline--online | Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702. | 2025-12-03 | not yet calculated | CVE-2025-66208 | https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf |
| ColorOS--ColorOS | A flaw exists in the verification of application installation sources within ColorOS. Under specific conditions, this issue may cause the risk detection mechanism to fail, which could allow malicious applications to be installed without proper warning. | 2025-12-05 | not yet calculated | CVE-2025-27389 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1996493715665068032 |
| Compass Plustechologies--TranzAxis | TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges. | 2025-12-04 | not yet calculated | CVE-2025-66574 | ExploitDB-52086 Compass Technologies Homepage https://www.vulncheck.com/advisories/tranzaxis-32411026-stored-cross-site-scripting-xss |
| Data Illusion Zumbrunn--NGSurvey | Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes user Session) * Password hashed with bcrypt * User IP * Email * Full Name | 2025-12-01 | not yet calculated | CVE-2025-13829 | https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28 |
| djangoproject--Django | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | 2025-12-02 | not yet calculated | CVE-2025-13372 | Django security archive Django releases announcements Django security releases issued: 5.2.9, 5.1.15, and 4.2.27 |
| djangoproject--Django | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2025-12-02 | not yet calculated | CVE-2025-64460 | Django security archive Django releases announcements Django security releases issued: 5.2.9, 5.1.15, and 4.2.27 |
| docker--mcp-gateway | MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a malicious advertisement can perform browser-based exploitation of MCP servers executing behind the gateway, including manipulating tools or other features exposed by those MCP servers. MCP Gateway is not affected when running in the default stdio mode, which does not listen on network ports. Version 0.28.0 fixes this issue. | 2025-12-03 | not yet calculated | CVE-2025-64443 | https://github.com/docker/mcp-gateway/security/advisories/GHSA-46gc-mwh4-cc5r https://github.com/docker/mcp-gateway/commit/6b076b2479d8d1345c50c112119c62978d46858e |
| Duc--Duc | A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read. | 2025-12-05 | not yet calculated | CVE-2025-13654 | https://github.com/zevv/duc/releases/tag/1.4.6 https://kb.cert.org/vuls/id/441887 https://hackingbydoing.wixsite.com/hackingbydoing/post/stack-buffer-overflow-in-duc |
| Eclipse Foundation--paho.mqtt.golang (Go MQTT v3.1 library) | In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body). | 2025-12-02 | not yet calculated | CVE-2025-10543 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior. | 2025-12-02 | not yet calculated | CVE-2025-66409 | https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96 https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372 https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946 https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902 https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7 |
| ESTsoft--ALZip | Protection Mechanism Failure vulnerability in ESTsoft ALZip on Windows allows SmartScreen bypass. This issue affects ALZip: from 12.01 before 12.29. | 2025-12-03 | not yet calculated | CVE-2025-29864 | https://altools.co.kr/product/ALZIP |
| fastify--fastify-reply-from | fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0. | 2025-12-01 | not yet calculated | CVE-2025-66415 | https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66 |
| FERMAX ELECTRÓNICA S.A.U--MeetMe | Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5. | 2025-12-02 | not yet calculated | CVE-2025-10971 | https://www.fermax.com/security-advisories |
| Flexsense--DiskBoss | Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the 'sc qc' command, allowing them to execute arbitrary system commands. | 2025-12-05 | not yet calculated | CVE-2020-36879 | Exploit Database Entry 49022 DiskBoss Homepage DiskBoss Software Link https://www.vulncheck.com/advisories/flexsense-diskboss-service-unquoted-service-path-vulnerability |
| Flexsense--DiskBoss | Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the 'Reports and Data Directory' field that allows an attacker to execute arbitrary code on the system. | 2025-12-05 | not yet calculated | CVE-2020-36880 | Exploit Database Entry 48689 Reference https://www.vulncheck.com/advisories/flexsense-diskboss-reports-and-data-directory-buffer-overflow |
| Flexsense--DiskBoss | Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the 'Input Directory' component that allows unauthenticated attackers to execute arbitrary code on the system. Attackers can exploit this by pasting a specially crafted directory path into the 'Add Input Directory' field. | 2025-12-05 | not yet calculated | CVE-2020-36881 | Exploit Database Entry 48279 Official Product Homepage Software Link Download GitHub Repository https://www.vulncheck.com/advisories/flexsense-diskboss-add-input-directory-buffer-overflow |
| Flexsense--DiskBoss | Flexsense DiskBoss 7.7.14 allows unauthenticated attackers to upload arbitrary files via /Command/Search Files/Directory field, leading to a denial of service by crashing the application. | 2025-12-05 | not yet calculated | CVE-2020-36882 | Exploit Database Entry 48276 Official Vendor Homepage Software Download Link https://www.vulncheck.com/advisories/flexsense-diskboss-denial-of-service-by-crashing-the-application |
| flipped-aurora--gin-vue-admin | Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder. | 2025-12-01 | not yet calculated | CVE-2025-66410 | https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-jrhg-82w2-vvj7 https://github.com/flipped-aurora/gin-vue-admin/commit/ee8d8d7e04d9c38a35a6969f20e75213e84f57c6 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by calling the APIs directly. This vulnerability is fixed in 2.41.0. | 2025-12-05 | not yet calculated | CVE-2025-66581 | https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m |
| FreePBX--security-reporting | Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | 2025-12-03 | not yet calculated | CVE-2025-62173 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-q3h9-fmpr-vpfw |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66294 | https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66297 | https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6 https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive information may be contained in the configuration details. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66298 | https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with permission only to change basic content on the form is able to change how the form functions by modifying the content of data[_json][header][form]. This is the YAML frontmatter, which includes the process section that dictates what happens after a user submits the form; that section includes some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66301 | https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted, such as a single forward slash (/) or an XSS test string, it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66305 | https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66308 | https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66309 | https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][template] parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66310 | https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66311 | https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[readableName] parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66312 | https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988 https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| Go standard library--crypto/x509 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | 2025-12-03 | not yet calculated | CVE-2025-61727 | https://go.dev/cl/723900 https://go.dev/issue/76442 https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 https://pkg.go.dev/vuln/GO-2025-4175 |
| Go standard library--crypto/x509 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. | 2025-12-02 | not yet calculated | CVE-2025-61729 | https://go.dev/cl/725920 https://go.dev/issue/76445 https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 https://pkg.go.dev/vuln/GO-2025-4155 |
| Google Cloud--Apigee hybrid Javacallout policy | A vulnerability exists in Google Apigee's JavaCallout policy (https://docs.apigee.com/api-platform/reference/policies/java-callout-policy) that allows for remote code execution. It is possible for a user to write a JavaCallout that injects a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: Hybrid_1.11.2+, Hybrid_1.12.4+, Hybrid_1.13.3+, Hybrid_1.14.1+, OPDK_5202+, OPDK_5300+ | 2025-12-05 | not yet calculated | CVE-2025-13426 | https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025 |
| Google Cloud--Apigee-X | A vulnerability in Apigee-X allowed an attacker to gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. Apigee-X was found to be vulnerable. This vulnerability was patched in version 1-16-0-apigee-3. No user action is required for this. | 2025-12-06 | not yet calculated | CVE-2025-13292 | https://docs.cloud.google.com/apigee/docs/release-notes#October_16_2025 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13630 | |
| Google--Chrome | Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143.0.7499.41 allowed a remote attacker to perform privilege escalation via a crafted file. (Chromium security severity: High) | 2025-12-02 | not yet calculated | ||
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 143.0.7499.41 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13632 | |
| Google--Chrome | Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13633 | |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143.0.7499.41 allowed a local attacker to bypass mark of the web via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13634 | |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13635 | |
| Google--Chrome | Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13636 | |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass download protections via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13637 | |
| Google--Chrome | Use after free in Media Stream in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13638 | |
| Google--Chrome | Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13639 | |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 143.0.7499.41 allowed a local attacker to bypass authentication via physical access to the device. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13640 | |
| Google--Chrome | Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13720 | |
| Google--Chrome | Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13721 | |
| Google--Chrome | Side-channel information leakage in Navigation and Loading in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-03 | not yet calculated | CVE-2025-13992 | |
| Horde--Groupware | Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to '/imp/attachment.php' including the parameters 'id' and 'u'. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user. | 2025-12-02 | not yet calculated | CVE-2025-41066 | https://www.incibe.es/en/incibe-cert/notices/aviso/disclosure-sensitive-information-horde-groupware |
| HP Inc--HP Image Assistant | A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages. | 2025-12-03 | not yet calculated | CVE-2025-13492 | https://support.hp.com/us-en/document/ish_13505078-13505143-16/hpsbgn04078 |
| IDI Eikon--Governalia | Reflected Cross-Site Scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'q' parameter in '/search' is sent to them. This vulnerability can be exploited to steal sensitive information such as session cookies or to perform actions on behalf of the victim. | 2025-12-02 | not yet calculated | CVE-2025-40700 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-governalia-idi-eikon https://governalia.es/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger reads of stale data that can lead to kernel exceptions and write use-after-free. The Use After Free common weakness enumeration was chosen as the stale data can include handles to resources in which the reference counts can become unbalanced. This can lead to the premature destruction of a resource while in use. | 2025-12-01 | not yet calculated | CVE-2025-58408 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| IndigoSTAR Software--perl2exe | perl2exe <= V30.10C contains an arbitrary code execution vulnerability that allows local authenticated attackers to execute malicious scripts. Attackers can control the 0th argument of packed executables to execute another executable, allowing them to bypass restrictions and gain unauthorized access. | 2025-12-04 | not yet calculated | CVE-2024-58278 | ExploitDB-51825 IndigoSTAR Software Homepage IndigoSTAR Software Download Page https://www.vulncheck.com/advisories/indigostar-software-perl2exe-v3010c-arbitrary-code-execution |
| Industrial Video & Control--Longwatch | A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges. | 2025-12-02 | not yet calculated | CVE-2025-13658 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01 |
| Iskra--iHUB and iHUB Lite | The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings. | 2025-12-02 | not yet calculated | CVE-2025-13510 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-02 |
| jpylypiw--Easywall | Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a parameter injection flaw. Attackers can inject shell metacharacters to execute arbitrary commands on the server. | 2025-12-04 | not yet calculated | CVE-2024-58275 | ExploitDB-51856 Easywall Homepage Easywall GitHub Repository https://www.vulncheck.com/advisories/easywall-031-authentication-bypass-via-command-injection-in-ports-save-endpoint |
| JumpCloud Inc.--Remote Assist | JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle. | 2025-12-02 | not yet calculated | CVE-2025-34352 | https://jumpcloud.com/platform/remote-assistance https://jumpcloud.com/support/list-of-jumpcloud-agent-release-notes https://www.vulncheck.com/advisories/jumpcloud-remote-assist-arbitrary-file-write-delete-via-insecure-temp-directory |
| jumpserver--jumpserver | JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, the /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5. | 2025-12-01 | not yet calculated | CVE-2025-58044 | https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b |
| Langflow--Langflow | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints - including built-in code-execution functionality - allowing the attacker to execute arbitrary code and achieve full system compromise. | 2025-12-05 | not yet calculated | CVE-2025-34291 | https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform https://github.com/langflow-ai/langflow https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce |
| laradashboard--laradashboard | LaraDashboard is an all-in-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator's reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution. | 2025-12-04 | not yet calculated | CVE-2025-66509 | https://github.com/laradashboard/laradashboard/security/advisories/GHSA-j9mm-c9cj-pc82 https://github.com/laradashboard/laradashboard/commit/cc42f9cdf8e59bce794ee2d812a9709b1e6efa87 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments. | 2025-12-04 | not yet calculated | CVE-2025-40214 | https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3 https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128 https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete. We recently fixed one such situation in TCP due to deferred freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked. | 2025-12-04 | not yet calculated | CVE-2025-40215 | https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don't rely on user vaddr alignment There is no guaranteed alignment for user pointers, however the calculation of an offset of the first page into a folio after coalescing uses some weird bit mask logic, get rid of it. | 2025-12-04 | not yet calculated | CVE-2025-40216 | https://git.kernel.org/stable/c/50998b0ae7d9d552e96d8b7239981cf05f65eff5 https://git.kernel.org/stable/c/f16769241594be59387b56ab525e327f54377e60 https://git.kernel.org/stable/c/3a3c6d61577dbb23c09df3e21f6f9eda1ecd634b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls stricter than we do now. | 2025-12-04 | not yet calculated | CVE-2025-40217 | https://git.kernel.org/stable/c/bf0fbf5e8b0aff8a4a0fb35e32b10083baa83c04 https://git.kernel.org/stable/c/3c17001b21b9f168c957ced9384abe969019b609 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pte_offset_map_lock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN. pte_offset_map_lock() can continuously fail if the target is a pmd migration entry, though. Hence it could cause an infinite page table walk if the migration cannot be done until the page table walk is finished. This indeed caused a soft lockup when CPU hotplugging and DAMON were running in parallel. Avoid the infinite loop by simply not retrying the page table walk. DAMON is promising only a best-effort accuracy, so missing access to such pages is no problem. | 2025-12-04 | not yet calculated | CVE-2025-40218 | https://git.kernel.org/stable/c/677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf https://git.kernel.org/stable/c/ac42320ec873bfe726141069cfdd90ee5bc4e885 https://git.kernel.org/stable/c/0ccd91cf749536d41307a07e60ec14ab0dbf21f5 https://git.kernel.org/stable/c/b93af2cc8e036754c0d9970d9ddc47f43cc94b9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Before disabling SR-IOV via config space accesses to the parent PF, sriov_disable() first removes the PCI devices representing the VFs. Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()") such removal operations are serialized against concurrent remove and rescan using the pci_rescan_remove_lock. No such locking was ever added in sriov_disable() however. In particular when commit 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device removal into sriov_del_vfs() there was still no locking around the pci_iov_remove_virtfn() calls. On s390 the lack of serialization in sriov_disable() may cause double remove and list corruption with the below (amended) trace being observed: PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 0000000000000001 0000000000000000 0000000000000000 0000000180692828 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 #0 [3800313fb20] device_del at c9158ad5c #1 [3800313fb88] pci_remove_bus_device at c915105ba #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 #5 [3800313fca0] __zpci_event_availability at c90fb3dca #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 #7 [3800313fd60] crw_collect_info at c91905822 #8 [3800313fe10] kthread at c90feb390 #9 [3800313fe68] __ret_from_fork at c90f6aa64 #10 [3800313fe98] ret_from_fork at c9194f3f2. This is because in addition to sriov_disable() removing the VFs, the platform also generates hot-unplug events for the VFs. This being the reverse operation to the hotplug events generated by sriov_enable() and handled via pdev->no_vf_scan. And while the event processing takes pci_rescan_remove_lock and checks whether the struct pci_dev still exists, the lack of synchronization makes this checking racy. Other races may also be possible of course though given that this lack of locking persisted so long observable races seem very rare. Even on s390 the list corruption was only observed with certain devices since the platform events are only triggered by config accesses after the removal, so as long as the removal finished synchronously they would not race. Either way the locking is missing so fix this by adding it to the sriov_del_vfs() helper. Just like PCI rescan-remove, locking is also missing in sriov_add_vfs() including for the error case where pci_stop_and_remove_bus_device() is called without the PCI rescan-remove lock being held. Even in the non-error case, adding new PCI devices and buses should be serialized via the PCI rescan-remove lock. Add the necessary locking. | 2025-12-04 | not yet calculated | CVE-2025-40219 | https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01 https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8 https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847 https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command synchronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. | 2025-12-04 | not yet calculated | CVE-2025-40220 | https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948 https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35 https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049 https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: pci: mg4b: fix uninitialized iio scan data Fix potential leak of uninitialized stack data to userspace by ensuring that the `scan` structure is zeroed before use. | 2025-12-04 | not yet calculated | CVE-2025-40221 | https://git.kernel.org/stable/c/b7f82da7f86479cb6479a76ebe213ece7c77398f https://git.kernel.org/stable/c/b792eba44494b4e6ab5006013335f9819f303b8b https://git.kernel.org/stable/c/c0d3f6969bb4d72476cfe7ea9263831f1c283704 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: sh-sci: fix RSCI FIFO overrun handling The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function. For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS. Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes. The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array. Avoid calling sci_getreg() for port types which don't use standard register handling. Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register. sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt. | 2025-12-04 | not yet calculated | CVE-2025-40222 | https://git.kernel.org/stable/c/2ec9bbd09a6cdf5b8c726be34f29630faf585d07 https://git.kernel.org/stable/c/ef8fef45c74b5a0059488fda2df65fa133f7d7d0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below. | 2025-12-04 | not yet calculated | CVE-2025-40223 | https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831 https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809 https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6 https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1 https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc() The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash. Add a NULL pointer check and return -ENOMEM to handle allocation failure properly. | 2025-12-04 | not yet calculated | CVE-2025-40224 | https://git.kernel.org/stable/c/240b82b86a091c1aa49d951d4467425420a081a0 https://git.kernel.org/stable/c/a09a5aa8bf258ddc99a22c30f17fe304b96b5350 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix kernel panic on partial unmap of a GPU VA region This commit addresses a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO. Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on unmap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic. Following dump was seen when partial unmap was exercised. | 2025-12-04 | not yet calculated | CVE-2025-40225 | https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645 https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Account for failed debug initialization When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL. Handle this fault condition in the SCMI debug helpers that maintain metrics counters. | 2025-12-04 | not yet calculated | CVE-2025-40226 | https://git.kernel.org/stable/c/d719ce9f286c439795cd2beee4c91f12b84bc5a0 https://git.kernel.org/stable/c/e088efcd97cb7c7297d166bb52c3b87a29f6a0b1 https://git.kernel.org/stable/c/554c9d5c6c695aedaecfb4365c187102709397b0 https://git.kernel.org/stable/c/2290ab43b9d8eafb8046387f10a8dfa2b030ba46 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: dealloc commit test ctx always The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails. This means memory is leaked for every successful online DAMON parameters commit. Fix the leak by always deallocating it. | 2025-12-04 | not yet calculated | CVE-2025-40227 | https://git.kernel.org/stable/c/ba236520ae53418859f4b7c7de3c71478d3c0b5a https://git.kernel.org/stable/c/139e7a572af0b45f558b5e502121a768dc328ba8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: catch commit test ctx alloc failure Patch series "mm/damon/sysfs: fix commit test damon_ctx [de]allocation". DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds. Fix the two bugs. This patch (of 2): The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check. This could result in an invalid memory access. Fix it by directly returning an error when the allocation failed. | 2025-12-04 | not yet calculated | CVE-2025-40228 | https://git.kernel.org/stable/c/5b3609d9b9650bdea0bfdf643e0ce57e1aed67fc https://git.kernel.org/stable/c/f0c5118ebb0eb7e4fd6f0d2ace3315ca141b317f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed. This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks. | 2025-12-04 | not yet calculated | CVE-2025-40229 | https://git.kernel.org/stable/c/ff8dcf621a4172f4a6d42cbbb25d21659d3ac300 https://git.kernel.org/stable/c/7071537159be845a5c4ed5fb7d3db25aa4bd04a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: prevent poison consumption when splitting THP When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace. The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC. mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134 mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0} mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP. The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages. However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic. See the kernel panic call trace on the two #MCs. First Machine Check occurs // [1] memory_failure() // [2] try_to_split_thp_page() split_huge_page() split_huge_page_to_list_to_order() __folio_split() // [3] remap_page() remove_migration_ptes() remove_migration_pte() try_to_map_unused_to_zeropage() // [4] memchr_inv() // [5] Second Machine Check occurs // [6] Kernel panic [1] Triggered by accessing a hardware-poisoned THP in userspace, which is typically recoverable by terminating the affected process. [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page(). [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page(). [4] Try to map the unused THP to zeropage. [5] Re-access pages in the hw-poisoned THP in the kernel. [6] Triggered in-kernel, leading to a kernel panic. In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page(). As suggested by David Hildenbrand, fix this panic by not accessing the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping. This prevents a second in-kernel #MC that would cause kernel panic in Step[4]. Thanks to Andrew Zaborowski for his initial work on fixing this issue. | 2025-12-04 | not yet calculated | CVE-2025-40230 | https://git.kernel.org/stable/c/6fc0a7c99e973a50018c8b4be34914a1b5c7b383 https://git.kernel.org/stable/c/92acf4b04f255d2f0f6770bb0d0a208d8ffb2b77 https://git.kernel.org/stable/c/841a8bfcbad94bb1ba60f59ce34f75259074ae0d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: fix lock inversion in vsock_assign_transport() Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. The issue was introduced by commit 687aa0c5581b ("vsock: Fix transport_* TOCTOU") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created. Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get(). | 2025-12-04 | not yet calculated | CVE-2025-40231 | https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5 https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162 https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80 https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rv: Fully convert enabled_monitors to use list_head as iterator The callbacks in enabled_monitors_seq_ops are inconsistent. Some treat the iterator as struct rv_monitor *, while others treat the iterator as struct list_head *. This causes a wrong type cast and crashes the system as reported by Nathan. Convert everything to use struct list_head * as iterator. This also makes enabled_monitors consistent with available_monitors. | 2025-12-04 | not yet calculated | CVE-2025-40232 | https://git.kernel.org/stable/c/8948a0338d33c4a7ef1e0c439a3ad1d5fe9355ae https://git.kernel.org/stable/c/103541e6a5854b08a25e4caa61e990af1009a52e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: clear extent cache after moving/defragmenting extents The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range(). This ensures subsequent operations read fresh extent data from disk. | 2025-12-04 | not yet calculated | CVE-2025-40233 | https://git.kernel.org/stable/c/93166bc53c0e3587058327a4121daea34b4fecd5 https://git.kernel.org/stable/c/a7ee72286efba1d407c6f15a0528e43593fb7007 https://git.kernel.org/stable/c/93b1ab422f1966b71561158e1aedce4ec100f357 https://git.kernel.org/stable/c/e92af7737a94a729225d2a5d180eaaa77fe0bbc1 https://git.kernel.org/stable/c/aa6a21409dd6221bb268b56bb410e031c632ff9a https://git.kernel.org/stable/c/bb69928ed578f881e68d26aaf1a8f6e7faab3b44 https://git.kernel.org/stable/c/a21750df2f6169af6e039a3bb4893d6c9564e48d https://git.kernel.org/stable/c/78a63493f8e352296dbc7cb7b3f4973105e8679e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep handlers Devices without the AWCC interface don't initialize `awcc`. Add a check before dereferencing it in sleep handlers. | 2025-12-04 | not yet calculated | CVE-2025-40234 | https://git.kernel.org/stable/c/24c3812c9e817d19e4842d7495561594de1ddcb4 https://git.kernel.org/stable/c/a49c4d48c3b60926e6a8cec217bf95aa65388ecc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots() If fs_info->super_copy or fs_info->super_for_commit allocation failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised. syzkaller reported the following information: ------------[ cut here ]------------ BUG: unable to handle page fault for address: fffffffffffffbb0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...) RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline] RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] RIP: 0010:refcount_read include/linux/refcount.h:170 [inline] RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230 [...] Call Trace: <TASK> btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280 btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029 btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097 vfs_get_tree+0x98/0x320 fs/super.c:1759 do_new_mount+0x357/0x660 fs/namespace.c:3899 path_mount+0x716/0x19c0 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount fs/namespace.c:4427 [inline] __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f032eaffa8d [...] | 2025-12-04 | not yet calculated | CVE-2025-40235 | https://git.kernel.org/stable/c/b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73 https://git.kernel.org/stable/c/0c2b2d4d053e9840e6da6ed581befa20309f281a https://git.kernel.org/stable/c/17679ac6df6c4830ba711835aa8cf961be36cfa1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-net: zero unused hash fields When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to another side. Fix this by zeroing the unused hash fields. | 2025-12-04 | not yet calculated | CVE-2025-40236 | https://git.kernel.org/stable/c/b625d231c66a6041e98817ffc944bf6e4c45b2e3 https://git.kernel.org/stable/c/b2284768c6b32aa224ca7d0ef0741beb434f03aa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/notify: call exportfs_encode_fid with s_umount Calling inotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr. This issue was found by syzkaller. Race Condition Diagram: Thread 1 Thread 2 -------- -------- generic_shutdown_super() shrink_dcache_for_umount sb->s_root = NULL | | vfs_read() | inotify_fdinfo() | * inode get from mark * | show_mark_fhandle(m, inode) | exportfs_encode_fid(inode, ..) | ovl_encode_fh(inode, ..) | ovl_check_encode_origin(inode) | * deref i_sb->s_root * | | v fsnotify_sb_delete(sb) Which then leads to: [ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none) <snip registers, unreliable trace> [ 32.143353] Call Trace: [ 32.143732] ovl_encode_fh+0xd5/0x170 [ 32.144031] exportfs_encode_inode_fh+0x12f/0x300 [ 32.144425] show_mark_fhandle+0xbe/0x1f0 [ 32.145805] inotify_fdinfo+0x226/0x2d0 [ 32.146442] inotify_show_fdinfo+0x1c5/0x350 [ 32.147168] seq_show+0x530/0x6f0 [ 32.147449] seq_read_iter+0x503/0x12a0 [ 32.148419] seq_read+0x31f/0x410 [ 32.150714] vfs_read+0x1f0/0x9e0 [ 32.152297] ksys_read+0x125/0x240 IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path. Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock. This form of fix was suggested by Amir in [1]. [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/ | 2025-12-04 | not yet calculated | CVE-2025-40237 | https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656 https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496 https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030 https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec cleanup over MPV device When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core. So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below. | 2025-12-04 | not yet calculated | CVE-2025-40238 | https://git.kernel.org/stable/c/7e212cebc863c2c7a82f480446cd731721451691 https://git.kernel.org/stable/c/8956686d398eca6d324d2d164f9d2a281175a3a1 https://git.kernel.org/stable/c/664f76be38a18c61151d0ef248c7e2f3afb4f3c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: micrel: always set shared->phydev for LAN8814 Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it. This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel. So, simply always set shared->phydev to avoid the NULL pointer exception. | 2025-12-04 | not yet calculated | CVE-2025-40239 | https://git.kernel.org/stable/c/da1ef8e9eb5d4a12bec32d11636e521e7d529b9e https://git.kernel.org/stable/c/b093b06826b836c2824858669db080c190c04715 https://git.kernel.org/stable/c/399d10934740ae8cdaa4e3245f7c5f6c332da844 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition. | 2025-12-04 | not yet calculated | CVE-2025-40240 | https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9 https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016 https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1 https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix crafted invalid cases for encoded extents Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15: - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent special extents such as sparse extents (!EROFS_MAP_MAPPED), but previously only plen == 0 was handled; - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000, then "cur [0xfffffffffffff000] += bvec.bv_len [0x1000]" in "} while ((cur += bvec.bv_len) < end);" wraps around, causing an out-of-bound access of pcl->compressed_bvecs[] in z_erofs_submit_queue(). EROFS only supports 48-bit physical block addresses (up to 1EiB for 4k blocks), so add a sanity check to enforce this. | 2025-12-04 | not yet calculated | CVE-2025-40241 | https://git.kernel.org/stable/c/00d8fe0b72f4ca0a983abced36aad2160038c421 https://git.kernel.org/stable/c/a429b76114aaca3ef1aff4cd469dcf025431bd11 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix unlikely race in gdlm_put_lock In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet. In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released. | 2025-12-04 | not yet calculated | CVE-2025-40242 | https://git.kernel.org/stable/c/279bde3bbb0ac0bad5c729dfa85983d75a5d7641 https://git.kernel.org/stable/c/64c61b4ac645222fa7b724cef616c1f862a72a40 https://git.kernel.org/stable/c/28c4d9bc0708956c1a736a9e49fee71b65deee81 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() The syzbot reported issue in hfs_find_set_zero_bits(): BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the "garbage", then it can affect the bitmap operations and it triggers the reported issue. This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and "garbage" in the not initialized memory will be the reason of volume corruptions and file system driver bugs. | 2025-12-04 | not yet calculated | CVE-2025-40243 | https://git.kernel.org/stable/c/fc56548fca732f3d3692c83b40db796259a03887 https://git.kernel.org/stable/c/bf1683078fbdd09a7f7f9b74121ebaa03432bd00 https://git.kernel.org/stable/c/2a112cdd66f5a132da5235ca31a320528c86bf33 https://git.kernel.org/stable/c/e148ed5cda8fd96d4620c4622fb02f552a2d166a https://git.kernel.org/stable/c/cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca https://git.kernel.org/stable/c/3b447fd401824e1ccf0b769188edefe866a1e676 https://git.kernel.org/stable/c/502fa92a71f344611101bd04ef1a595b8b6014f5 https://git.kernel.org/stable/c/2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() The syzbot reported issue in __hfsplus_ext_cache_extent(): [ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40244 | https://git.kernel.org/stable/c/c1ec90bed504640a42bb20a5f413be39cd17ad71 https://git.kernel.org/stable/c/b8a72692aa42b7dcd179a96b90bc2763ac74576a https://git.kernel.org/stable/c/c135b8dca65526aa5b8814e9954e0ae317d9c598 https://git.kernel.org/stable/c/d7e313039a8f3a6ee072dc5ff4643234d2d735cf https://git.kernel.org/stable/c/a5bfb13b4f406aef1a450f99d22d3e48df01528c https://git.kernel.org/stable/c/99202d94909d323a30d154ab0261c0a07166daec https://git.kernel.org/stable/c/14c673a2f3ecf650b694a52a88688f1d71849899 https://git.kernel.org/stable/c/4840ceadef4290c56cc422f0fc697655f3cbf070 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nios2: ensure that memblock.current_limit is set when setting pfn limits On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM. This can in turn cause kernel-level paging failures, e.g.: [ 76.900000] Unable to handle kernel paging request at virtual address 20303000 [ 76.900000] ea = c0080890, ra = c000462c, cause = 14 [ 76.900000] Kernel panic - not syncing: Oops [ 76.900000] ---[ end Kernel panic - not syncing: Oops ]--- This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture. | 2025-12-04 | not yet calculated | CVE-2025-40245 | https://git.kernel.org/stable/c/25f09699edd360b534ccae16bc276c3b52c471f3 https://git.kernel.org/stable/c/5c3e38a367822f036227dd52bac82dc4a05157e2 https://git.kernel.org/stable/c/b1ec9faef7e36269ca3ec890972a78effbaeb975 https://git.kernel.org/stable/c/90f5f715550e07cd6a51f80fc3f062d832c8c997 https://git.kernel.org/stable/c/8912814f14e298b83df072fecc1f7ed1b63b1b2c https://git.kernel.org/stable/c/a20b83cf45be2057f3d073506779e52c7fa17f94 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix out of bounds memory read error in symlink repair xfs/286 produced this report on my test fleet: BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110 On further analysis, I realized that the second parameter to min() is not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data buffer. if_bytes can be smaller than the data fork size because: (a) the forkoff code tries to keep the data area as large as possible (b) for symbolic links, if_bytes is the ondisk file size + 1 (c) forkoff is always a multiple of 8. Case in point: for a single-byte symlink target, forkoff will be 8 but the buffer will only be 2 bytes long. In other words, the logic here is wrong and we walk off the end of the incore buffer. Fix that. | 2025-12-04 | not yet calculated | CVE-2025-40246 | https://git.kernel.org/stable/c/7c2d68e091584149fe89bcbaf9b99b3162d46ee7 https://git.kernel.org/stable/c/81a8685cac4bf081c93a7df591644f4f80240bb9 https://git.kernel.org/stable/c/678e1cc2f482e0985a0613ab4a5bf89c497e5acc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix pgtable prealloc error path The following splat was reported: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 Since msm_vma_job_free() is called directly from the ioctl, this looks like an error path cleanup issue. Which I think results from prealloc_cleanup() called without a preceding successful prealloc_allocate() call. So handle that case better. Patchwork: https://patchwork.freedesktop.org/patch/678677/ | 2025-12-04 | not yet calculated | CVE-2025-40247 | https://git.kernel.org/stable/c/b865da18b6cb878f33b5920693d03f23b9c4d1a3 https://git.kernel.org/stable/c/830d68f2cb8ab6fb798bb9555016709a9e012af0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don't linger, can't be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ | 2025-12-04 | not yet calculated | CVE-2025-40248 | https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680 https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559 https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81 https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5 https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: make sure the cdev fd is still active before emitting events With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It's possible that a GPIO change, we want to notify the user-space about, happens AFTER the reference count on the file descriptor associated with the character device went down to zero but BEFORE the .release() callback was called from the workqueue and so BEFORE we unregistered from the notifier. Using the regular get_file() routine in this situation triggers the following warning: struct file::f_count incremented from zero; use-after-free condition present! So use the get_file_active() variant that will return NULL on file descriptors that have been or are being released. | 2025-12-04 | not yet calculated | CVE-2025-40249 | https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1 https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clean up only new IRQ glue on request_irq() failure The mlx5_irq_alloc() function can inadvertently free the entire rmap and end up in a crash[1] when the other threads tries to access this, when request_irq() fails due to exhausted IRQ vectors. This commit modifies the cleanup to remove only the specific IRQ mapping that was just added. This prevents removal of other valid mappings and ensures precise cleanup of the failed IRQ allocation's associated glue object. Note: This error is observed when both fwctl and rds configs are enabled. [1] general protection fault, probably for non-canonical address 0xe277a58fde16f291: 0000 [#1] SMP NOPTI RIP: 0010:free_irq_cpu_rmap+0x23/0x7d ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40250 | https://git.kernel.org/stable/c/69e043bce09c9a77e5f55b9ac7505874a2a1a9f0 https://git.kernel.org/stable/c/6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee https://git.kernel.org/stable/c/4d6b4bea8b80bfa13c903ba547538249e7c5e977 https://git.kernel.org/stable/c/d47515af6cccd7484d8b0870376858c9848a18ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, without actually setting the `devlink_rate->parent` pointer to NULL. This leaves a dangling pointer in the `devlink_rate` struct, which cause refcount error in netdevsim[1] and mlx5[2]. In addition, this is inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, where the parent pointer is correctly cleared. This patch fixes the issue by explicitly setting `devlink_rate->parent` to NULL after notifying the driver, thus fulfilling the function's documented behavior for all rate objects. [1] repro steps: echo 1 > /sys/bus/netdevsim/new_device devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs devlink port function rate add netdevsim/netdevsim1/test_node devlink port function rate set netdevsim/netdevsim1/128 parent test_node echo 1 > /sys/bus/netdevsim/del_device dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 [2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5_ib mlx5_fwctl mlx5_core dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 | 2025-12-04 | not yet calculated | CVE-2025-40251 | https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2 https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8 https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3 https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-04 | not yet calculated | CVE-2025-40252 | https://git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe https://git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0 https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24 https://git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/ctcm: Fix double-kfree The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' frees it again. Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. Bug detected by the clang static analyzer. | 2025-12-04 | not yet calculated | CVE-2025-40253 | https://git.kernel.org/stable/c/06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2 https://git.kernel.org/stable/c/6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a https://git.kernel.org/stable/c/7616e2eee679746d526c7f5befd4eedb995935b5 https://git.kernel.org/stable/c/43096dab8cc60fc39133205fd149a54d3acebea8 https://git.kernel.org/stable/c/3b177b2ded563df16f6d5920671ffcfe5915d472 https://git.kernel.org/stable/c/b9dbfb1b5699f9f1e4991f96741bdf9047147589 https://git.kernel.org/stable/c/7ff76f8dc6b550f8d16487bf3cebc278be720b5c https://git.kernel.org/stable/c/da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: remove never-working support for setting nsh fields The validation of the set(nsh(...)) action is completely wrong. It runs through the nsh_key_put_from_nlattr() function that is the same function that validates NSH keys for the flow match and the push_nsh() action. However, the set(nsh(...)) has a very different memory layout. Nested attributes in there are doubled in size in case of the masked set(). That makes proper validation impossible. There is also confusion in the code between the 'masked' flag, that says that the nested attributes are doubled in size containing both the value and the mask, and the 'is_mask' that says that the value we're parsing is the mask. This is causing kernel crash on trying to write into mask part of the match with SW_FLOW_KEY_PUT() during validation, while validate_nsh() doesn't allocate any memory for it: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] Call Trace: <TASK> validate_nsh+0x60/0x90 [openvswitch] validate_set.constprop.0+0x270/0x3c0 [openvswitch] __ovs_nla_copy_actions+0x477/0x860 [openvswitch] ovs_nla_copy_actions+0x8d/0x100 [openvswitch] ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] genl_family_rcv_msg_doit+0xdb/0x130 genl_family_rcv_msg+0x14b/0x220 genl_rcv_msg+0x47/0xa0 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x280/0x3b0 netlink_sendmsg+0x1f7/0x430 ____sys_sendmsg+0x36b/0x3a0 ___sys_sendmsg+0x87/0xd0 __sys_sendmsg+0x6d/0xd0 do_syscall_64+0x7b/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The third issue with this process is that while trying to convert the non-masked set into masked one, validate_set() copies and doubles the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested attributes. It should be copying each nested attribute and doubling them in size independently. And the process must be properly reversed during the conversion back from masked to a non-masked variant during the flow dump. In the end, the only two outcomes of trying to use this action are either validation failure or a kernel crash. And if somehow someone manages to install a flow with such an action, it will most definitely not do what it is supposed to, since all the keys and the masks are mixed up. Fixing all the issues is a complex task as it requires re-writing most of the validation code. Given that and the fact that this functionality never worked since introduction, let's just remove it altogether. It's better to re-introduce it later with a proper implementation instead of trying to fix it in stable releases. | 2025-12-04 | not yet calculated | CVE-2025-40254 | https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7 https://git.kernel.org/stable/c/3d2e7d3b28469081ccf08301df07cc411a1cc5e9 https://git.kernel.org/stable/c/f95bef5ba0b88d971b02c776f24bd17544930a3a https://git.kernel.org/stable/c/87d2429381ddcf8cbd30c8c36793a4f7916d5f99 https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987 https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475 https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3 https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() The ethtool tsconfig Netlink path can trigger a null pointer dereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_hwtstamp_get() -> generic_hwtstamp_get_lower() -> generic_hwtstamp_ioctl_lower() results in generic_hwtstamp_ioctl_lower() being called with kernel_cfg->ifr as NULL. The generic_hwtstamp_ioctl_lower() function does not expect a NULL ifr and dereferences it, leading to a system crash. Fix this by adding a NULL check for kernel_cfg->ifr in generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL. | 2025-12-04 | not yet calculated | CVE-2025-40255 | https://git.kernel.org/stable/c/8817f816ae41908e9625c0770c4af0dcdcc01238 https://git.kernel.org/stable/c/f796a8dec9beafcc0f6f0d3478ed685a15c5e062 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists. In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel. There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A "proper" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved. At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work). | 2025-12-04 | not yet calculated | CVE-2025-40256 | https://git.kernel.org/stable/c/d6fe5c740c573af10943b8353992e1325cdb2715 https://git.kernel.org/stable/c/10deb69864840ccf96b00ac2ab3a2055c0c04721 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have freed entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object m ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40257 | https://git.kernel.org/stable/c/9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17 https://git.kernel.org/stable/c/e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b https://git.kernel.org/stable/c/385ddc0f008f24d1e7d03be998b3a98a37bd29ff https://git.kernel.org/stable/c/c602cc344b4b8d41515fec3ffa98457ac963ee12 https://git.kernel.org/stable/c/6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7 https://git.kernel.org/stable/c/bbbd75346c8e6490b19c2ba90f38ea66ccf352b2 https://git.kernel.org/stable/c/426358d9be7ce3518966422f87b96f1bad27295f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcp_schedule_work() syzbot reported use-after-free in mptcp_schedule_work() [1] Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker(). [A] if (schedule_work(...)) { [B] sock_hold(sk); return true; } Problem is that mptcp_worker() can run immediately and complete before [B] We need instead : sock_hold(sk); if (schedule_work(...)) return true; sock_put(sk); [1] refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Call Trace: <TASK> __refcount_add include/linux/refcount.h:-1 [inline] __refcount_inc include/linux/refcount.h:366 [inline] refcount_inc include/linux/refcount.h:383 [inline] sock_hold include/net/sock.h:816 [inline] mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 | 2025-12-04 | not yet calculated | CVE-2025-40258 | https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5 https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18 https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309 https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4 https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Do not sleep in atomic context sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. | 2025-12-04 | not yet calculated | CVE-2025-40259 | https://git.kernel.org/stable/c/11eeee00c94d770d4e45364060b5f1526dfe567b https://git.kernel.org/stable/c/db6ac8703ab2b473e1ec845f57f6dd961a388d9f https://git.kernel.org/stable/c/109afbd88ecc46b6cc7551367222387e97999765 https://git.kernel.org/stable/c/3dfd520c3b4ffe69e0630c580717d40447ab842f https://git.kernel.org/stable/c/b343cee5df7e750d9033fba33e96fc4399fa88a5 https://git.kernel.org/stable/c/b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f https://git.kernel.org/stable/c/6983d8375c040bb449d2187f4a57a20de01244fe https://git.kernel.org/stable/c/90449f2d1e1f020835cba5417234636937dd657e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix scx_enable() crash on helper kthread creation failure A crash was observed when the sched_ext selftests runner was terminated with Ctrl+\ while test 15 was running: NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0 LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0 Call Trace: scx_enable.constprop.0+0x32c/0x12b0 (unreliable) bpf_struct_ops_link_create+0x18c/0x22c __sys_bpf+0x23f8/0x3044 sys_bpf+0x2c/0x6c system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec kthread_run_worker() returns an ERR_PTR() on failure rather than NULL, but the current code in scx_alloc_and_add_sched() only checks for a NULL helper. In case of failure on SIGQUIT, the error is not handled in scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an error pointer. Error handling is fixed in scx_alloc_and_add_sched() to propagate PTR_ERR() into ret, so that scx_enable() jumps to the existing error path, avoiding random dereference on failure. | 2025-12-04 | not yet calculated | CVE-2025-40260 | https://git.kernel.org/stable/c/625e173e2a59b6cf6cbfb51c0a6bea47f3861eab https://git.kernel.org/stable/c/7b6216baae751369195fa3c83d434d23bcda406a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() nvme_fc_delete_association() waits for pending I/O to complete before returning, and an error can cause ->ioerr_work to be queued after cancel_work_sync() had been called. Move the call to cancel_work_sync() to be after nvme_fc_delete_association() to ensure ->ioerr_work is not running when the nvme_fc_ctrl object is freed. Otherwise the following can occur: [ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL [ 1135.917705] ------------[ cut here ]------------ [ 1135.922336] kernel BUG at lib/list_debug.c:52! [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 [ 1135.950969] Workqueue: 0x0 (nvme-wq) [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1136.055910] PKRU: 55555554 [ 1136.058623] Call Trace: [ 1136.061074] <TASK> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.071898] ? move_linked_works+0x4a/0xa0 [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.081744] ? __die_body.cold+0x8/0x12 [ 1136.085584] ? die+0x2e/0x50 [ 1136.088469] ? do_trap+0xca/0x110 [ 1136.091789] ? do_error_trap+0x65/0x80 [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.101289] ? exc_invalid_op+0x50/0x70 [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.120806] move_linked_works+0x4a/0xa0 [ 1136.124733] worker_thread+0x216/0x3a0 [ 1136.128485] ? __pfx_worker_thread+0x10/0x10 [ 1136.132758] kthread+0xfa/0x240 [ 1136.135904] ? __pfx_kthread+0x10/0x10 [ 1136.139657] ret_from_fork+0x31/0x50 [ 1136.143236] ? __pfx_kthread+0x10/0x10 [ 1136.146988] ret_from_fork_asm+0x1a/0x30 [ 1136.150915] </TASK> | 2025-12-04 | not yet calculated | CVE-2025-40261 | https://git.kernel.org/stable/c/3d78e8e01251da032a5f7cbc9728e4ab1a5a5464 https://git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200d https://git.kernel.org/stable/c/3d81beae4753db3b3dc5b70dc300d4036e0d9cb8 https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167 https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: imx_sc_key - fix memory corruption on unload This is supposed to be "priv" but we accidentally pass "&priv" which is an address in the stack and so it will lead to memory corruption when the imx_sc_key_action() function is called. Remove the &. | 2025-12-04 | not yet calculated | CVE-2025-40262 | https://git.kernel.org/stable/c/3e96803b169dc948847f0fc2bae729a80914eb7b https://git.kernel.org/stable/c/4ce5218b101205b3425099fe3df88a61b58f9cc2 https://git.kernel.org/stable/c/a155292c3ce722036014da5477ee0e4c87b5e6b3 https://git.kernel.org/stable/c/ca9a08de9b294422376f47ade323d69590dbc6f2 https://git.kernel.org/stable/c/56881294915a6e866d31a46f9bcb5e19167cfbaa https://git.kernel.org/stable/c/6524a15d33951b18ac408ebbcb9c16e14e21c336 https://git.kernel.org/stable/c/d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: cros_ec_keyb - fix an invalid memory access If cros_ec_keyb_register_matrix() isn't called (due to `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() in such a case. Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 ... x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread It's still unknown why the kernel receives such a malformed event; in any case, the kernel shouldn't access `ckdev->idev` and friends if the driver doesn't intend to initialize them. | 2025-12-04 | not yet calculated | CVE-2025-40263 | https://git.kernel.org/stable/c/7bfd959187f2c7584bb43280bbc7b2846e7a5085 https://git.kernel.org/stable/c/8b5ae1521660c16fa830ff17d16e650b4905b71a https://git.kernel.org/stable/c/729d21c82c1b0504ffccb17cc261bf32e024fd0f https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7 https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39 https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: be2net: pass wrb_params in case of OS2BMC be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL pointer when processing a workaround for specific packet, as commit bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6 packet") states. The correct way would be to pass the wrb_params from be_xmit(). | 2025-12-04 | not yet calculated | CVE-2025-40264 | https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405 https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284 https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388 https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89 https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vfat: fix missing sb_min_blocksize() return value checks When emulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, but without format, a kernel panic was triggered during the early boot stage while attempting to mount a vfat filesystem. [95553.682035] EXT4-fs (nvme0n1): unable to set blocksize [95553.684326] EXT4-fs (nvme0n1): unable to set blocksize [95553.686501] EXT4-fs (nvme0n1): unable to set blocksize [95553.696448] ISOFS: unsupported/invalid hardware sector size 8192 [95553.697117] ------------[ cut here ]------------ [95553.697567] kernel BUG at fs/buffer.c:1582! [95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI [95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary) [95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0 [95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc <0f> 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f [95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246 [95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001 [95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000 [95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000 [95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000 [95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000 [95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0 [95553.708439] PKRU: 55555554 [95553.708734] Call Trace: [95553.709015] <TASK> [95553.709266] __getblk_slow+0xd2/0x230 [95553.709641] ? find_get_block_common+0x8b/0x530 [95553.710084] bdev_getblk+0x77/0xa0 [95553.710449] __bread_gfp+0x22/0x140 [95553.710810] fat_fill_super+0x23a/0xfc0 [95553.711216] ? __pfx_setup+0x10/0x10 [95553.711580] ? __pfx_vfat_fill_super+0x10/0x10 [95553.712014] vfat_fill_super+0x15/0x30 [95553.712401] get_tree_bdev_flags+0x141/0x1e0 [95553.712817] get_tree_bdev+0x10/0x20 [95553.713177] vfat_get_tree+0x15/0x20 [95553.713550] vfs_get_tree+0x2a/0x100 [95553.713910] vfs_cmd_create+0x62/0xf0 [95553.714273] __do_sys_fsconfig+0x4e7/0x660 [95553.714669] __x64_sys_fsconfig+0x20/0x40 [95553.715062] x64_sys_call+0x21ee/0x26a0 [95553.715453] do_syscall_64+0x80/0x670 [95553.715816] ? __fs_parse+0x65/0x1e0 [95553.716172] ? fat_parse_param+0x103/0x4b0 [95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0 [95553.717034] ? __do_sys_fsconfig+0x3d9/0x660 [95553.717548] ? __x64_sys_fsconfig+0x20/0x40 [95553.717957] ? x64_sys_call+0x21ee/0x26a0 [95553.718360] ? do_syscall_64+0xb8/0x670 [95553.718734] ? __x64_sys_fsconfig+0x20/0x40 [95553.719141] ? x64_sys_call+0x21ee/0x26a0 [95553.719545] ? do_syscall_64+0xb8/0x670 [95553.719922] ? x64_sys_call+0x1405/0x26a0 [95553.720317] ? do_syscall_64+0xb8/0x670 [95553.720702] ? __x64_sys_close+0x3e/0x90 [95553.721080] ? x64_sys_call+0x1b5e/0x26a0 [95553.721478] ? do_syscall_64+0xb8/0x670 [95553.721841] ? irqentry_exit+0x43/0x50 [95553.722211] ? exc_page_fault+0x90/0x1b0 [95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e [95553.723166] RIP: 0033:0x72ee774f3afe [95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48 [95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af [95553.725892] RAX: ffffffffffffffda RBX: ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40265 | https://git.kernel.org/stable/c/ee767b99b0045be286cceb8265bd4c9831be671e https://git.kernel.org/stable/c/63b5aa01da0f38cdbd97d021477258e511631497 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. | 2025-12-04 | not yet calculated | CVE-2025-40266 | https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041 https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051 https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3 https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: ensure allocated iovec gets cleared for early failure A previous commit reused the recycling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early. Reinstate the previous forced free of the iovec for that situation. | 2025-12-06 | not yet calculated | CVE-2025-40267 | https://git.kernel.org/stable/c/094c6467fe05e0de618c5a7fcff4d3ee20aeaef8 https://git.kernel.org/stable/c/d3c9c213c0b86ac5dd8fe2c53c24db20f1f510bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3_fs_context_parse_param The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438 | 2025-12-06 | not yet calculated | CVE-2025-40268 | https://git.kernel.org/stable/c/868fc62811d3fabcf5685e14f36377a855d5412d https://git.kernel.org/stable/c/48c17341577e25a22feb13d694374b61d974edbc https://git.kernel.org/stable/c/4515743cc7a42e1d67468402a6420c195532a6fa https://git.kernel.org/stable/c/e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0]. | 2025-12-06 | not yet calculated | CVE-2025-40269 | https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7 https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9 https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0 https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6 https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm, swap: fix potential UAF issue for VMA readahead Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device. Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it. So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues. Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry. | 2025-12-06 | not yet calculated | CVE-2025-40270 | https://git.kernel.org/stable/c/a4145be7b56bfa87dce56415c3ad993071462b8a https://git.kernel.org/stable/c/1c2a936edd71e133f2806e68324ec81a4eb07588 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from the subdir rbtree through rb_erase(), but the node is not set to EMPTY, which may result in a UAF access. We should use RB_CLEAR_NODE() to set the erased node to EMPTY; then pde_subdir_next() will return NULL and avoid the UAF access. We found a UAF issue while testing with stress-ng; the getdent and tun test cases need to run at the same time. The steps of the issue are as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and the current pde is tun3; 2) in the [time window], unregister netdevice tun3 and tun2 and erase them from the rbtree: tun3 is erased first, then tun2, and pde(tun2) is released to the slab; 3) the getdent process continues, and pde_subdir_next() returns pde(tun2), which has been released, causing a UAF access. CPU 0 (traverse dir /proc/pid/net/dev_snmp6/): sys_getdents64() -> iterate_dir() -> proc_readdir() -> proc_readdir_de(): pde_get(de); read_unlock(&proc_subdir_lock); [time window]; read_lock(&proc_subdir_lock); next = pde_subdir_next(de); pde_put(de); de = next; //UAF. CPU 1 (unregister_netdevice(tun->dev) //tun3 tun2): snmp6_unregister_dev() -> proc_remove() -> remove_proc_subtree(): write_lock(&proc_subdir_lock); rb_erase(&root->subdir_node, &parent->subdir); write_unlock(&proc_subdir_lock). rbtree of dev_snmp6: pde(tun3) has left child NULL and right child pde(tun2). | 2025-12-06 | not yet calculated | CVE-2025-40271 | https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491 https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50 https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369 https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774 https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046 https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8 https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110 https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed. | 2025-12-06 | not yet calculated | CVE-2025-40272 | https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785 https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367 https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649 https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047 https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4_free_ol_stateid() Typically copynotify stateid is freed either when parent's stateid is being closed/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period. However, consider the case where the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot: the new client instance, while doing CREATE_SESSION, would force-expire the previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning, which is triggered: WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd] This patch, instead, frees the associated copynotify stateid here. If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later. | 2025-12-06 | not yet calculated | CVE-2025-40273 | https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4 https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088 https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66 https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7 https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero. If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN. Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM. Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated--- | 2025-12-06 | not yet calculated | CVE-2025-40274 | https://git.kernel.org/stable/c/a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b https://git.kernel.org/stable/c/393893693a523e053f84d69320d090b93503f79f https://git.kernel.org/stable/c/ae431059e75d36170a5ae6b44cc4d06d43613215 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor. This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference. This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor. | 2025-12-06 | not yet calculated | CVE-2025-40275 | https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063 https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0 https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted. | 2025-12-06 | not yet calculated | CVE-2025-40276 | https://git.kernel.org/stable/c/7a12f9c96d06b145562f76ffb20369b4692f0911 https://git.kernel.org/stable/c/576c930e5e7dcb937648490611a83f1bf0171048 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access. | 2025-12-06 | not yet calculated | CVE-2025-40277 | https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53 https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by syzbot. [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied. This change silences the KMSAN report and prevents potential information leaks from the kernel memory. This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak. | 2025-12-06 | not yet calculated | CVE-2025-40278 | https://git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea https://git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b https://git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1 https://git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde https://git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e https://git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df https://git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e https://git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied. | 2025-12-06 | not yet calculated | CVE-2025-40279 | https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7 https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70 https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343 https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). ---truncated--- | 2025-12-06 | not yet calculated | CVE-2025-40280 | https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88 https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901 https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19 https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77 https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373 https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto syzbot reported a possible shift-out-of-bounds [1] Blamed commit added rto_alpha_max and rto_beta_max set to 1000. It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta. In order to prevent user regression, perform the test at run time. Also add READ_ONCE() annotations as sysctl values can change under us. [1] UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:233 [inline] __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline] | 2025-12-06 | not yet calculated | CVE-2025-40281 | https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4 https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187 https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675 https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8 https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW Add missing skb_reset_mac_header() for uncompressed ipv6 RX path. For the compressed one, it is done in lowpan_header_decompress(). Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------ | 2025-12-06 | not yet calculated | CVE-2025-40282 | https://git.kernel.org/stable/c/ea46a1d217bc82e01cf3d0424e50ebfe251e34bf https://git.kernel.org/stable/c/973e0271754c77db3e1b6b69adf2de85a79a4c8b https://git.kernel.org/stable/c/d566e9a2bfc848941b091ffd5f4e12c4e889d818 https://git.kernel.org/stable/c/4ebb90c3c309e6375dc3e841af92e2a039843e62 https://git.kernel.org/stable/c/c24ac6cfe4f9a47180a65592c47e7a310d2f9d93 https://git.kernel.org/stable/c/11cd7e068381666f842ad41d1cc58eecd0c75237 https://git.kernel.org/stable/c/70d84e7c3a44b81020a3c3d650a64c63593405bd https://git.kernel.org/stable/c/3b78f50918276ab28fb22eac9aa49401ac436a3b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF. Fix by moving the accesses to btusb data to before the data is free'd. | 2025-12-06 | not yet calculated | CVE-2025-40283 | https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8 https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198 https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8 https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------ | 2025-12-06 | not yet calculated | CVE-2025-40284 | https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76 https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible refcount leak in smb2_sess_setup() The reference count of ksmbd_session will leak when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put(). | 2025-12-06 | not yet calculated | CVE-2025-40285 | https://git.kernel.org/stable/c/6fc935f798d44a8eb8a5e6659198399fbf57b981 https://git.kernel.org/stable/c/e671f9bb97805771380c98de944e2ceab6949188 https://git.kernel.org/stable/c/dcc51dfe6ff26b52cac106865a172ac982d78401 https://git.kernel.org/stable/c/d37b2c81c83d6c0d5ca582f4fe73c672983f9e0d https://git.kernel.org/stable/c/379510a815cb2e64eb0a379cb62295d6ade65df0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible memory leak in smb2_read() Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree(). | 2025-12-06 | not yet calculated | CVE-2025-40286 | https://git.kernel.org/stable/c/0797c6cf3b857cc229ab2bc69552938dcd738d78 https://git.kernel.org/stable/c/63d8706a2c09a0c29b8b0e8a44bc7a1339685de9 https://git.kernel.org/stable/c/f1305587731886da37a214cda812ade246c653b0 https://git.kernel.org/stable/c/bfda5422a16651d0bf864ec468b1c216e1b10d91 https://git.kernel.org/stable/c/6fced056d2cc8d01b326e6fcfabaacb9850b71a4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix improper check of dentry.stream.valid_size We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls - SYS_openat, SYS_ftruncate, and SYS_pwrite64 - can cause the kernel to hang. Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue. This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability. | 2025-12-06 | not yet calculated | CVE-2025-40287 | https://git.kernel.org/stable/c/6c627bcc1896ba62ec793d0c00da74f3c93ce3ad https://git.kernel.org/stable/c/204b1b02ee018ba52ad2ece21fe3a8643d66a1b2 https://git.kernel.org/stable/c/82ebecdc74ff555daf70b811d854b1f32a296bea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs, since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS. 1. **amdgpu_cs.c**: Extend the existing bandwidth control check in `amdgpu_cs_get_threshold_for_moves()` to include a check for `ttm_resource_manager_used()`. If the manager is not used (uninitialized `bdev`), return 0 for migration thresholds immediately, skipping VRAM-specific logic that would trigger the NULL dereference. 2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info reporting to use a conditional: if the manager is used, return the real VRAM usage; otherwise, return 0. This avoids accessing `man->bdev` when it is NULL. 3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function) data write path. Use `ttm_resource_manager_used()` to check validity: if the manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set `fb_usage` to 0 (APUs have no discrete framebuffer to report). This approach is more robust than APU-specific checks because it works for all scenarios where the VRAM manager is uninitialized (not just APUs), aligns with TTM's design by using its native helper function, and preserves correct behavior for discrete GPUs (which have fully initialized `man->bdev` and pass the `ttm_resource_manager_used()` check). v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian) | 2025-12-06 | not yet calculated | CVE-2025-40288 | https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash. | 2025-12-06 | not yet calculated | CVE-2025-40289 | https://git.kernel.org/stable/c/39a1c8c860e32d775f29917939e87b6a7c08ebb1 https://git.kernel.org/stable/c/a67a9f99ce1306898d7129a199d42876bc06a0f0 https://git.kernel.org/stable/c/33cc891b56b93cad1a83263eaf2e417436f70c82 |
| loadedcommerce--Loaded Commerce | Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter. | 2025-12-04 | not yet calculated | CVE-2025-66572 | ExploitDB-52084 Loaded Commerce Homepage https://www.vulncheck.com/advisories/loaded-commerce-66-client-side-template-injectioncsti |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document containing JS code in a script element. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66458 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-58h2-652v-gq87 https://github.com/Lookyloo/lookyloo/commit/b6ee2fee0afff0b35f37dd891bbce9d53ed8a290 |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, an XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains an HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66459 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wg https://github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1 https://github.com/Lookyloo/lookyloo/commit/8c3ab96de44c1ce15646d734aa06faf884329116 https://github.com/Lookyloo/lookyloo/commit/95cdc00fe37fd89790fa89bb3ee3fefa2da38442 |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66460 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-r93r-7jfr-99c3 https://github.com/Lookyloo/lookyloo/commit/63b39311f6b251a671895d97174345faf1b18e6e |
| Mautic--Mautic | Summary: Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. Impact: If the media folder is not restricted from running files, this can lead to remote code execution. | 2025-12-02 | not yet calculated | CVE-2025-13827 | https://github.com/mautic/mautic/security/advisories/GHSA-5xw2-57jx-pgjp |
| Mautic--Mautic | Summary: A non-privileged user can install and remove arbitrary packages via composer on a composer-based installation, even if the flag in the update settings that enables composer-based updates is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges. | 2025-12-02 | not yet calculated | CVE-2025-13828 | https://github.com/mautic/mautic/security/advisories/GHSA-3fq7-c5m8-g86x |
| mayurik--dawa-pharma | dawa-pharma-1.0 allows unauthenticated attackers to execute SQL queries on the server, allowing them to access sensitive information and potentially gain administrative access. | 2025-12-04 | not yet calculated | CVE-2023-53734 | ExploitDB-51818 Mayuri K Pharmacy Billing Software GitHub Repository for CVE-nu11secur1ty nu11secur1ty Home Page https://www.vulncheck.com/advisories/dawa-pharma-10-sql-injection-via-email-parameter |
| mborgerding/kissfft--mborgerding/kissfft | KissFFT versions prior to the fix commit 1b083165 contain an integer overflow in kiss_fft_alloc() in kiss_fft.c on platforms where size_t is 32-bit. The nfft parameter is not validated before being used in a size calculation (sizeof(kiss_fft_cpx) * (nfft - 1)), which can wrap to a small value when nfft is large. As a result, malloc() allocates an undersized buffer and the subsequent twiddle-factor initialization loop writes nfft elements, causing a heap buffer overflow. This vulnerability only affects 32-bit architectures. | 2025-12-01 | not yet calculated | CVE-2025-34297 | https://github.com/mborgerding/kissfft/commit/1b08316582049c3716154caefc0deab8758506e3 https://github.com/mborgerding/kissfft/issues/120 https://www.vulncheck.com/advisories/kissfft-integer-overflow-heap-buffer-overflow |
| MediaTek, Inc.--MT2718, MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6897, MT6899, MT6980D, MT6983, MT6985, MT6989, MT6990, MT6991, MT8113, MT8115, MT8139, MT8163, MT8168, MT8169, MT8183, MT8186, MT8188, MT8512, MT8516, MT8518, MT8519, MT8532, MT8676, MT8678, MT8695, MT8696, MT8698 | In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833. | 2025-12-02 | not yet calculated | CVE-2025-20765 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4820. | 2025-12-02 | not yet calculated | CVE-2025-20766 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4807. | 2025-12-02 | not yet calculated | CVE-2025-20767 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4804. | 2025-12-02 | not yet calculated | CVE-2025-20769 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4803. | 2025-12-02 | not yet calculated | CVE-2025-20770 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible escalation of privilege due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4802. | 2025-12-02 | not yet calculated | CVE-2025-20771 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4801. | 2025-12-02 | not yet calculated | CVE-2025-20772 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4797. | 2025-12-02 | not yet calculated | CVE-2025-20773 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4796. | 2025-12-02 | not yet calculated | CVE-2025-20774 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an incorrect bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689251; Issue ID: MSV-4840. | 2025-12-02 | not yet calculated | CVE-2025-20754 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673755; Issue ID: MSV-4647. | 2025-12-02 | not yet calculated | CVE-2025-20758 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8676, MT8791T | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01270690; Issue ID: MSV-4301. | 2025-12-02 | not yet calculated | CVE-2025-20752 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8673, MT8675, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 | In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673760; Issue ID: MSV-4650. | 2025-12-02 | not yet calculated | CVE-2025-20759 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689252; Issue ID: MSV-4841. | 2025-12-02 | not yet calculated | CVE-2025-20753 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673749; Issue ID: MSV-4643. | 2025-12-02 | not yet calculated | CVE-2025-20756 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661199; Issue ID: MSV-4296. | 2025-12-02 | not yet calculated | CVE-2025-20750 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661195; Issue ID: MSV-4297. | 2025-12-02 | not yet calculated | CVE-2025-20751 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible application crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00628396; Issue ID: MSV-4775. | 2025-12-02 | not yet calculated | CVE-2025-20755 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673751; Issue ID: MSV-4644. | 2025-12-02 | not yet calculated | CVE-2025-20757 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01677581; Issue ID: MSV-4701. | 2025-12-02 | not yet calculated | CVE-2025-20790 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661189; Issue ID: MSV-4298. | 2025-12-02 | not yet calculated | CVE-2025-20791 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8791T | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01717526; Issue ID: MSV-5591. | 2025-12-02 | not yet calculated | CVE-2025-20792 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991 | In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4805. | 2025-12-02 | not yet calculated | CVE-2025-20768 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795. | 2025-12-02 | not yet calculated | CVE-2025-20775 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184297; Issue ID: MSV-4759. | 2025-12-02 | not yet calculated | CVE-2025-20776 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4752. | 2025-12-02 | not yet calculated | CVE-2025-20777 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793, MT8796, MT8873, MT8893 | In smi, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10259774; Issue ID: MSV-5029. | 2025-12-02 | not yet calculated | CVE-2025-20764 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6781, MT6833, MT6853, MT6877, MT6893, MT8196 | In GPU pdma, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS10117741; Issue ID: MSV-4538. | 2025-12-02 | not yet calculated | CVE-2025-20789 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793, MT8796, MT8873, MT8893 | In mmdvfs, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267218; Issue ID: MSV-5032. | 2025-12-02 | not yet calculated | CVE-2025-20763 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6991, MT8196 | In GPU pdma, there is a possible memory corruption due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS10117735; Issue ID: MSV-4539. | 2025-12-02 | not yet calculated | CVE-2025-20788 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| mersive--Solstice Pod API Session Key Extraction via API Endpoint | Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication. | 2025-12-04 | not yet calculated | CVE-2025-66573 | ExploitDB-52104 Mersive Homepage Solstice Documentation https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint |
| modelcontextprotocol--python-sdk | The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, the Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.23.0. | 2025-12-02 | not yet calculated | CVE-2025-66416 | https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99 |
| modelcontextprotocol--typescript-sdk | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.24.0. | 2025-12-02 | not yet calculated | CVE-2025-66414 | https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w https://github.com/modelcontextprotocol/typescript-sdk/commit/09623e2aa5044f9e9da62c73d820a8250b9d97ed |
| monkeytypegame--monkeytype | Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags). | 2025-12-04 | not yet calculated | CVE-2025-66563 | https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27 https://github.com/monkeytypegame/monkeytype/commit/d6d062a77132ba7d6ba3b482d46ae329d3b8d695 |
| mozilla--rhino | Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1. | 2025-12-03 | not yet calculated | CVE-2025-66453 | https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x |
| n/a--Aquarius HelperTool (1.0.003) privileged XPC service on macOS | The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell. | 2025-12-03 | not yet calculated | CVE-2025-65842 | https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/ |
| n/a--Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 | Abacre Restaurant Point of Sale (POS) versions up to 15.0.0.1656 are vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory during an activation attempt. | 2025-12-03 | not yet calculated | CVE-2025-65320 | https://github.com/Smarttfoxx/CVE-2025-- https://packetstorm.news/files/id/212149 |
| n/a--Akamai Ghost on Akamai CDN edge servers before 2025-11-17 | Akamai Ghost on Akamai CDN edge servers before 2025-11-17 has a chunked request body processing error that can result in HTTP request smuggling. When Akamai Ghost receives an invalid chunked body that includes a chunk size different from the actual size of the following chunk data, under certain circumstances, Akamai Ghost erroneously forwards the invalid request and subsequent superfluous bytes to the origin server. An attacker could hide a smuggled request in these superfluous bytes. Whether this is exploitable depends on the origin server's behavior and how it processes the invalid request it receives from Akamai Ghost. | 2025-12-04 | not yet calculated | CVE-2025-66373 | https://en.wikipedia.org/wiki/HTTP_request_smuggling https://www.akamai.com/blog/security/cve-2025-66373-http-request-smuggling-chunked-body-size |
| n/a--alexusmai laravel-file-manager 3.3.1 | alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation. | 2025-12-03 | not yet calculated | CVE-2025-65345 | https://github.com/alexusmai/laravel-file-manager https://github.com/tlekrean/CVE-2025-65345 |
| n/a--alexusmai laravel-file-manager 3.3.1 | alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths. | 2025-12-04 | not yet calculated | CVE-2025-65346 | https://github.com/alexusmai/laravel-file-manager https://github.com/Theethat-Thamwasin/CVE-2025-65346 |
| n/a--Alinto Sogo 5.12.3 | Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter. | 2025-12-04 | not yet calculated | CVE-2025-63499 | https://github.com/poblaguev-tot/CVE-2025-63499 https://email.example.com/SOGo/so/victim@example.com/Mail/view?theme=%27%3CScRiPt%20%3Ealert%289998%29%3C%2FScRiPt%3E |
| n/a--ALL-RUT22GW v3.3.8 | ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. | 2025-12-04 | not yet calculated | CVE-2025-29268 | http://all-rut22gw.com http://allnet.com https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22 |
| n/a--ALL-RUT22GW v3.3.8 | ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint. | 2025-12-04 | not yet calculated | CVE-2025-29269 | http://all-rut22gw.com http://allnet.com https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22 |
| n/a--ApiPayController.java of platform v1.0.0 | Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors. | 2025-12-04 | not yet calculated | CVE-2025-57210 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/4411663241fa3bbba628d3044dc50451 |
| n/a--ApiPayController.java of platform v1.0.0 | Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | 2025-12-04 | not yet calculated | CVE-2025-57212 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/85730f2317cfac2796fe5e23da3ae399 |
| n/a--Aquarius Desktop 3.0.069 | Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the ~/Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius recursively enumerates logs using a JUCE directory iterator configured to follow symlinks, and later writes file data without validating whether the target is a symbolic link. A local attacker can exploit this behavior by planting symlinks to arbitrary filesystem locations, resulting in unauthorized disclosure or modification of arbitrary files. When chained with the associated HelperTool privilege escalation issue, root-owned files may also be exposed. | 2025-12-03 | not yet calculated | CVE-2025-65843 | https://almightysec.com/insecure-file-handling-via-symlink/ |
| n/a--Aquarius Desktop 3.0.069 for macOS | Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or logging in through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | 2025-12-03 | not yet calculated | CVE-2025-65841 | http://acustica.com http://aquarius.com https://almightysec.com/account-takeover-via-weak-encryption/ |
| n/a--Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18 | Authentication Bypass via Hardcoded Credentials: GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication. | 2025-12-05 | not yet calculated | CVE-2025-65730 | https://github.com/pommee/goaway/releases/tag/v0.62.16 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L15 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L110 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L69 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/auth.go#L48 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L88 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L40 https://github.com/pommee/goaway/commit/5769f8782b7453ca1c22a201b224b5ce48532f64#diff-4ddfd6cf1311ddfd45734bb1dc53bc208df69584ba92ac4f38866bd558434678L15-L40 https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57198 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57198 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57199 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57199 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57200 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57200 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57201 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57201 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field. | 2025-12-03 | not yet calculated | CVE-2025-57202 | http://avtech.com http://dmg1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57202 |
| n/a--Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 | An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device. | 2025-12-04 | not yet calculated | CVE-2025-63896 | http://jxl.com https://github.com/thorat-shubham/JXL_Infotainment_CVE/blob/main/README.md |
| n/a--Calibre-Web v0.6.25 | A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed. | 2025-12-02 | not yet calculated | CVE-2025-65858 | https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md |
| n/a--CiviCRM before v6.7 | A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed. | 2025-12-02 | not yet calculated | CVE-2025-65187 | https://civicrm.com/ https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65187.pdf |
| n/a--code-projects Online Medicine Guide 1.0 | code-projects Online Medicine Guide 1.0 is vulnerable to SQL Injection in /login.php via the upass parameter. | 2025-12-02 | not yet calculated | CVE-2025-60736 | https://github.com/WinDyAlphA/CVE-2025-60736 |
| n/a--ComposioHQ v.0.7.20 | Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the _download_file_or_dir function. | 2025-12-04 | not yet calculated | CVE-2025-56427 | https://github.com/ComposioHQ/composio/blob/master/python/composio/server/api.py#L278 https://github.com/TOAST-Research/pocs/blob/main/composio/composio_1.md |
| n/a--D-Link R15 (AX1500) 1.20.01 | A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd. | 2025-12-02 | not yet calculated | CVE-2025-60854 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10473 |
| n/a--dcat-admin v2.2.3-beta and before | dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php. | 2025-12-02 | not yet calculated | CVE-2025-65656 | https://github.com/jqhph/dcat-admin https://github.com/lznlol/operation-log/blob/main/CVE-2025-65656.md |
| n/a--DeepSeek V3.2 | DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content. | 2025-12-02 | not yet calculated | CVE-2025-63872 | https://medium.com/@vinitkundu14/cve-2025-63872-svg-based-xss-in-deepseek-chat-v3-2-db4ebc1f1f28 |
| n/a--E-POINT CMS eagle.gsam-1169.1 | The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets. | 2025-12-04 | not yet calculated | CVE-2025-65806 | https://www.e-point.pl/produkty/e-point-cms https://github.com/Bidon47/CVE-2025-65806/blob/main/CVE-2025-65806.md |
| n/a--Edoc-doctor-appointment-system v1.0.1 | Edoc-doctor-appointment-system v1.0.1 was discovered to contain an SQL injection vulnerability via the 'docid' parameter at /admin/appointment.php. | 2025-12-02 | not yet calculated | CVE-2025-65358 | https://github.com/HashenUdara/edoc-doctor-appointment-system https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-65358 |
| n/a--EduplusCampus 3.0.1 | An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students' personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint. | 2025-12-04 | not yet calculated | CVE-2025-61148 | https://drive.google.com/file/d/1BRZRurbl7TY6KU4uaelAUn7L9Cn6XfjC/view?usp=sharing https://medium.com/@Charon19d/how-i-hacked-all-universities-in-my-city-d6b8e320455c https://github.com/sharma19d/CVE-2025-61148 |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing the tamper label and opening the chassis without leaving evidence, and accessing the JTAG connector. This is called F02. | 2025-12-02 | not yet calculated | CVE-2025-59693 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to persistently modify firmware and influence the (insecurely configured) appliance boot process. To exploit this, the attacker must modify the firmware via JTAG or perform an upgrade to the chassis management board firmware. This is called F03. | 2025-12-02 | not yet calculated | CVE-2025-59694 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a user with OS root access to alter firmware on the Chassis Management Board (without Authentication). This is called F04. | 2025-12-02 | not yet calculated | CVE-2025-59695 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to modify or erase tamper events via the Chassis management board. | 2025-12-02 | not yet calculated | CVE-2025-59696 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by editing the Legacy GRUB bootloader configuration to start a root shell upon boot of the host OS. This is called F06. | 2025-12-02 | not yet calculated | CVE-2025-59697 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, might allow a physically proximate attacker to gain access to the EOL legacy bootloader. | 2025-12-02 | not yet calculated | CVE-2025-59698 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by booting from a USB device with a valid root filesystem. This occurs because of insecure default settings in the Legacy GRUB Bootloader. | 2025-12-02 | not yet calculated | CVE-2025-59699 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection). | 2025-12-02 | not yet calculated | CVE-2025-59700 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted). | 2025-12-02 | not yet calculated | CVE-2025-59701 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. | 2025-12-02 | not yet calculated | CVE-2025-59702 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence. To exploit this, the attacker needs to remove the tamper label and all fixing screws from the device without damaging it. This is called an F14 attack. | 2025-12-02 | not yet calculated | CVE-2025-59703 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access to the BIOS menu because it has no password. | 2025-12-02 | not yet calculated | CVE-2025-59704 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to Escalate Privileges by enabling the USB interface through chassis probe insertion during system boot, aka "Unauthorized Reactivation of the USB interface" or F01. | 2025-12-02 | not yet calculated | CVE-2025-59705 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--ERPNext v15.83.2 and Frappe Framework v15.86.0 | In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance. | 2025-12-03 | not yet calculated | CVE-2025-65267 | https://github.com/frappe/frappe https://github.com/frappe/erpnext https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267 |
| n/a--EverShop 2.0.1 | EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space. | 2025-12-02 | not yet calculated | CVE-2025-65844 | https://github.com/evershopcommerce/evershop/issues/819 |
| n/a--Eximbills Enterprise 4.1.5 (Built on 2020-10-30) | Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side and rendered to other users, enabling arbitrary JavaScript execution in their browsers. | 2025-12-01 | not yet calculated | CVE-2025-64030 | https://chinasystems.com/whatwedo/ee https://0xy37.medium.com/stored-xss-in-chinasystems-eximbills-enterprise-v4-1-5-f8f5a79c4f0b |
| n/a--eyoucms v1.7.1 | XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request. | 2025-12-03 | not yet calculated | CVE-2025-65868 | https://github.com/weng-xianhu/eyoucms/issues/66 |
| n/a--Fanvil x210 V2 2.12.20 | An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands. | 2025-12-05 | not yet calculated | CVE-2025-64052 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64052.md |
| n/a--Fanvil x210 V2 2.12.20 | A Buffer overflow vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. | 2025-12-05 | not yet calculated | CVE-2025-64053 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64053.md |
| n/a--Fanvil x210 V2 2.12.20 | A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. | 2025-12-05 | not yet calculated | CVE-2025-64054 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64054.md |
| n/a--Fanvil x210 V2 2.12.20 | An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass. | 2025-12-03 | not yet calculated | CVE-2025-64055 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md |
| n/a--Fanvil x210 V2 2.12.20 | File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem. | 2025-12-05 | not yet calculated | CVE-2025-64056 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64056.md |
| n/a--Fanvil x210 V2 2.12.20 | Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store files in arbitrary locations and potentially modify the system configuration or other unspecified impacts. | 2025-12-05 | not yet calculated | CVE-2025-64057 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64057.md |
| n/a--FeehiCMS 2.1.1 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). | 2025-12-01 | not yet calculated | CVE-2025-63520 | https://github.com/liufee/cms/issues/74 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63520.md |
| n/a--FeehiCMS 2.1.1 | Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function | 2025-12-01 | not yet calculated | CVE-2025-63522 | https://github.com/liufee/cms/issues/76 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63522.md |
| n/a--FeehiCMS 2.1.1 | FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes. | 2025-12-01 | not yet calculated | CVE-2025-63523 | https://github.com/liufee/cms/issues/77 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md |
| n/a--FeehiCMS version 2.1.1 | FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE). | 2025-12-02 | not yet calculated | CVE-2025-65657 | https://github.com/liufee/cms/issues/78 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-65657.md |
| n/a--Genexis Platinum P4410 router (Firmware P4410-V2-1.41) | A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2-1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs out, the session token remains valid. An attacker on the local network can reuse this stale token to send crafted requests via the router's diagnostic endpoint, resulting in command execution as root. | 2025-12-04 | not yet calculated | CVE-2025-65883 | https://0xw41th.medium.com/my-first-cve-cve-2025-65883-remote-code-execution-in-a-genexis-router-0c35749a99bd |
| n/a--github.com/sirupsen/logrus when using Entry.Writer() | A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged. | 2025-12-04 | not yet calculated | CVE-2025-65637 | https://github.com/mjuanxd/logrus-dos-poc https://github.com/sirupsen/logrus/issues/1370 https://github.com/sirupsen/logrus/pull/1376 https://github.com/sirupsen/logrus/releases/tag/v1.8.3 https://github.com/sirupsen/logrus/releases/tag/v1.9.1 https://github.com/sirupsen/logrus/releases/tag/v1.9.3 https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391 https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md |
| n/a--Grav CMS 1.7.49 | Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface. | 2025-12-02 | not yet calculated | CVE-2025-65186 | https://github.com/getgrav/grav https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf |
| n/a--HCL Technologies Limited HCLTech DRAGON before v.7.6.0 | Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives | 2025-12-03 | not yet calculated | CVE-2025-63401 | http://hcltech.com http://hcl.com https://excalibur-hcl.my.salesforce.com/sfc/p/#U0000000YO14/a/Pf000003dyQn/x0oUOgfHG6F0wUhpmSMcmXMuwO2GYuSf_duzWPRebao |
| n/a--HCL Technologies Limited HCLTech DRAGON before v.7.6.0 | An issue in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via APIs that do not enforce limits on the number or size of requests. | 2025-12-03 | not yet calculated | CVE-2025-63402 | http://hcltech.com http://hcl.com https://excalibur-hcl.my.salesforce.com/sfc/p/#U0000000YO14/a/Pf000003dyVd/ckzaFpdm68dwd1nWqgtLfXHp3Pim_YwLUI4WcRB__Ng |
| n/a--InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS | A local privilege escalation vulnerability exists in the InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS. The service accepts unauthenticated XPC connections and executes input via system(), which may allow a local user to execute arbitrary commands with root privileges. | 2025-12-03 | not yet calculated | CVE-2025-55076 | https://almightysec.com/plugin-alliance-helpertool-xpc-service-local-privilege-escalation/ |
| n/a--Kalmia CMS version 0.2.0 | Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in its authentication mechanism. The application returns different error messages for invalid users (user_not_found) versus valid users with incorrect passwords (invalid_password). This observable response discrepancy allows unauthenticated attackers to enumerate valid usernames on the system. | 2025-12-04 | not yet calculated | CVE-2025-65899 | https://github.com/DifuseHQ/Kalmia https://github.com/Noxurge/CVE-2025-65899/blob/main/README.md |
| n/a--Kalmia CMS version 0.2.0 | Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users. | 2025-12-04 | not yet calculated | CVE-2025-65900 | https://github.com/DifuseHQ/Kalmia https://github.com/Noxurge/CVE-2025-65900/blob/main/README.md |
| n/a--KerOS prior 5.12 | The service wmp-agent of KerOS prior 5.12 does not properly validate so-called 'magic URLs' allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall. | 2025-12-01 | not yet calculated | CVE-2024-39148 | https://keros.docs.kerlink.com/security/security_advisories_kerOS5 https://www.bdosecurity.de/en-gb/advisories/cve-2024-39148 |
| n/a--LightFTP v2.0 | A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-01 | not yet calculated | CVE-2025-65403 | https://shimo.im/docs/9030JMJpv4IM4Nkw https://github.com/hfiref0x/LightFTP |
| n/a--Live555 Streaming Media v2018.09.02 | A buffer overflow in the getSideInfo2() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via a crafted MP3 stream. | 2025-12-01 | not yet calculated | CVE-2025-65404 | https://shimo.im/docs/16q8xMxpPlH8Z2q7 https://github.com/rgaufman/live555 |
| n/a--Live555 Streaming Media v2018.09.02 | A use-after-free in the ADTSAudioFileSource::samplingFrequency() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS/AAC file. | 2025-12-01 | not yet calculated | CVE-2025-65405 | https://github.com/rgaufman/live555 https://shimo.im/docs/25q5XMXpOwSr8w3D |
| n/a--Live555 Streaming Media v2018.09.02 | A heap overflow in the MatroskaFile::createRTPSinkForTrackNumber() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MKV file. | 2025-12-01 | not yet calculated | CVE-2025-65406 | https://github.com/rgaufman/live555 https://shimo.im/docs/1lq7rMrp8lI1vW3e |
| n/a--Live555 Streaming Media v2018.09.02 | A use-after-free in the MPEG1or2Demux::newElementaryStream() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG Program stream. | 2025-12-01 | not yet calculated | CVE-2025-65407 | https://github.com/rgaufman/live555 https://shimo.im/docs/VMAPLVLpzZcZvoAg |
| n/a--Live555 Streaming Media v2018.09.02 | A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file. | 2025-12-01 | not yet calculated | CVE-2025-65408 | https://github.com/rgaufman/live555 https://shimo.im/docs/VMAPLVLp57SJ92Ag |
| n/a--long2ice asyncmy thru 0.2.10 | SQL injection vulnerability in long2ice asyncmy thru 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys. | 2025-12-02 | not yet calculated | CVE-2025-65896 | https://github.com/long2ice/asyncmy https://github.com/long2ice/asyncmy/issues/134 |
| n/a--Lvzhou CMS | Lvzhou CMS before commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 (2025-09-22) is vulnerable to SQL injection via the 'title' parameter in com.wanli.lvzhoucms.service.ContentService#findPage. The parameter is concatenated directly into a dynamic SQL query without sanitization or prepared statements, enabling attackers to read sensitive data from the database. | 2025-12-02 | not yet calculated | CVE-2025-65877 | https://github.com/W000i/vuln/issues/1 |
| n/a--mJobtime v15.7.2 | mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly. | 2025-12-01 | not yet calculated | CVE-2025-51682 | http://mjobtime.com https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ |
| n/a--mJobtime v15.7.2 | A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint. | 2025-12-01 | not yet calculated | CVE-2025-51683 | http://mjobtime.com https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ |
| n/a--open-webui v0.6.33 | open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. | 2025-12-04 | not yet calculated | CVE-2025-63681 | https://github.com/open-webui/open-webui/blob/46ae3f4f5d7d4d706041bdae4ad2d802e568712b/backend/open_webui/main.py#L1652 https://github.com/TOAST-Research/pocs/blob/main/openwebui/arbitirary_task_stop/report.md |
| n/a--orderService.queryObject of platform v1.0.0 | Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | 2025-12-04 | not yet calculated | CVE-2025-57213 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/620e4e0cc0f23c903736971e6375f00e |
| n/a--Pepper language | A heap buffer overflow exists in compiler.c and compiler.h in Pepper language 0.1.1 commit 961a5d9988c5986d563310275adad3fd181b2bb7. Malicious execution of a pepper source file (.pr) could lead to arbitrary code execution or Denial of Service. | 2025-12-03 | not yet calculated | CVE-2025-50360 | https://github.com/dannyvankooten/pepper-lang https://github.com/Ch1keen/CVE-2025-50360 |
| n/a--PHPGurukul Billing System 1.0 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accept unvalidated user input, which is then concatenated directly into a backend SQL query. | 2025-12-02 | not yet calculated | CVE-2025-65379 | https://phpgurukul.com/billing-system-using-php-and-mysql/ https://github.com/dewcode91/security-research/blob/main/CVE-2025-65379.md |
| n/a--PHPGurukul Billing System 1.0 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL query. | 2025-12-02 | not yet calculated | CVE-2025-65380 | https://phpgurukul.com/billing-system-using-php-and-mysql https://github.com/dewcode91/security-research/blob/main/CVE-2025-65380.md |
| n/a--Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS | A local privilege escalation vulnerability exists in the Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS. Due to the absence of a hardened runtime and a __RESTRICT segment, a local user may exploit the DYLD_INSERT_LIBRARIES environment variable to inject a dynamic library, potentially resulting in code execution with elevated privileges. | 2025-12-03 | not yet calculated | CVE-2025-62686 | https://almightysec.com/plugin-alliance-installationhelper-dylib-injection/ |
| n/a--PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController. | 2025-12-01 | not yet calculated | CVE-2025-65836 | https://github.com/sanluan/PublicCMS https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/SSRF_1.md https://github.com/sanluan/PublicCMS/issues/99 |
| n/a--PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method. | 2025-12-01 | not yet calculated | CVE-2025-65838 | https://github.com/sanluan/PublicCMS https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/RCE_1.md https://github.com/sanluan/PublicCMS/issues/101 |
| n/a--PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController. | 2025-12-01 | not yet calculated | CVE-2025-65840 | https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/CSRF_1.md https://github.com/sanluan/PublicCMS/issues/102 |
| n/a--Samsung Mobile Processor Exynos 1280 and 2200 | An issue was discovered in Camera in Samsung Mobile Processor Exynos 1280 and 2200. Unnecessary registration of a hardware IP address in the Camera device driver can lead to a NULL pointer dereference, resulting in a denial of service. | 2025-12-03 | not yet calculated | CVE-2025-54326 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54326/ |
| n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. The function used to decode the SOR transparent container lacks bounds checking, which can cause a fatal error. | 2025-12-03 | not yet calculated | CVE-2025-53965 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-53965/ |
| n/a--Seafile Community Edition prior to version 13.0.12 | A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the link triggers script execution in the victim's browser. This issue has been fixed in Seafile Community Edition 13.0.12. | 2025-12-04 | not yet calculated | CVE-2025-65516 | https://manual.seafile.com/latest/changelog/server-changelog/ https://gist.github.com/x0root/e5597622fede55b320d29a248dce01e6 |
| n/a--Shirt Pocket SuperDuper! V.3.10 | An issue in Shirt Pocket SuperDuper! V.3.10 and before allows a local attacker to execute arbitrary code via the software update mechanism | 2025-12-01 | not yet calculated | CVE-2025-61228 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a--Shirt Pocket SuperDuper! V.3.10 | An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allows a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | 2025-12-01 | not yet calculated | CVE-2025-61229 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a--Shirt Pocket SuperDuper! v3.10 | Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. | 2025-12-01 | not yet calculated | CVE-2025-57489 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a--SmallBASIC with SDL Before v12_28 | A buffer overflow was found in SmallBASIC community SmallBASIC with SDL before v12_28, and commit sha:298a1d495355959db36451e90a0ac74bcc5593fe in the function main.cpp, which can lead to potential information leakage and crash. | 2025-12-03 | not yet calculated | CVE-2025-50361 | https://github.com/smallbasic/SmallBASIC https://github.com/Ch1keen/CVE-2025-50361 |
| n/a--Snipe-IT before 8.3.4 | Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. | 2025-12-01 | not yet calculated | CVE-2025-65621 | http://snipeitapp.com https://github.com/firef0x00/vulnerability-research/tree/main/CVE-2025-65621 |
| n/a--Snipe-IT before 8.3.4 | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. | 2025-12-01 | not yet calculated | CVE-2025-65622 | http://snipeitapp.com https://github.com/firef0x00/vulnerability-research/tree/main/CVE-2025-65622 |
| n/a--SoftSea EPUB File Reader 1.0.0.0 | SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive contents. | 2025-12-01 | not yet calculated | CVE-2025-63365 | http://epub.com https://jeroscope.com/advisories/2025/jero-2025-001/ |
| n/a--Sourcecodester Student Grades Management System v1.0 | Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field. | 2025-12-02 | not yet calculated | CVE-2025-64070 | https://www.linkedin.com/in/vabna-lina-24ab17186/ https://github.com/vabnamoni/CVE-Researches/blob/main/CVE-2025-64070 |
| n/a--Sourcecodester Web-based Pharmacy Product Management System v1.0 | Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field. | 2025-12-02 | not yet calculated | CVE-2025-65215 | https://www.linkedin.com/in/vabna-lina-24ab17186/ https://github.com/vabnamoni/CVE-Researches/blob/main/CVE-2025-65215 |
| n/a--Sourcecodester Zoo Management System v1.0 | Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php. | 2025-12-02 | not yet calculated | CVE-2025-65881 | https://gist.github.com/MMAKINGDOM/17b85a6e077f08134ee96850f162ed8f https://github.com/MMAKINGDOM/CVE-2025-65881/ |
| n/a--Technitium through v13.2.2 | An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack. | 2025-12-01 | not yet calculated | CVE-2024-56089 | https://technitium.com/dns/ https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-134 |
| n/a--Tempus Ex hello-video-codec v0.1.0 | Improper input validation in the BitstreamWriter::write_bits() function of Tempus Ex hello-video-codec v0.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-01 | not yet calculated | CVE-2025-63095 | https://gist.github.com/thesmartshadow/b092e2493821491b981a069847a33064 https://github.com/tempus-ex/hello-video-codec https://github.com/tempus-ex/hello-video-codec/tree/3e9551c699311ea12ad7f2fce9562fbc990d524c https://github.com/tempus-ex/hello-video-codec/blob/3e9551c699311ea12ad7f2fce9562fbc990d524c/src/bitstream.rs |
| n/a--Terminalfour 8 through 8.4.1.1 | In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it. | 2025-12-02 | not yet calculated | CVE-2025-58386 | https://terminalfour.com https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/ |
| n/a--Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices | An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-04 | not yet calculated | CVE-2025-53963 | https://tools.thermofisher.cn/content/sfs/brochures/One_Touch_2_Spec_Sheet.pdf https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices | An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-04 | not yet calculated | CVE-2025-54304 | https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf https://www.thermofisher.com/order/catalog/product/4474779 https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1 | The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges. | 2025-12-04 | not yet calculated | CVE-2025-54303 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user with local access to the server may bypass authentication. | 2025-12-04 | not yet calculated | CVE-2025-54305 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server's network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that write user-controlled data directly to environment variables without proper sanitization. After updating environment variables, the scripts execute a source command on /etc/environment; if an attacker injects malicious data into environment variables, this command can enable arbitrary command execution. The vulnerability begins with the /admin/network endpoint, which passes user-supplied form data as arguments to subprocess.Popen calls. The user-supplied input is then used to update environment variables in TSsetnoproxy and TSsetproxy, and finally source $environment is executed. | 2025-12-04 | not yet calculated | CVE-2025-54306 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function handles these file uploads and constructs the destination file path by using either the name parameter or the uploaded filename, neither of which is properly sanitized. The file extension is extracted by splitting the filename, and a format string is used to construct the final file path, leaving the destination path vulnerable to path traversal. An authenticated attacker with network connectivity can write arbitrary files to the server, enabling remote code execution after overwriting an executable file. An example is the pdflatex executable, which is executed through subprocess.Popen in the write_report_pdf function after requests to a /report/latex/(\d+).pdf endpoint. | 2025-12-04 | not yet calculated | CVE-2025-54307 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Todoist v8896 | Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment. | 2025-12-01 | not yet calculated | CVE-2025-63317 | https://github.com/sefabasnak/Todoistv8896 |
| n/a--Warehouse Management System v1.2 | The warehouse management system version 1.2 contains an arbitrary file read vulnerability. The endpoint `/file/showImageByPath` does not sanitize user-controlled path parameters. An attacker could exploit directory traversal to read arbitrary files on the server's file system. This could lead to the leakage of sensitive system information. | 2025-12-05 | not yet calculated | CVE-2025-65878 | https://github.com/W000i/vuln/issues/2 |
| n/a--Warehouse Management System v1.2 | Warehouse Management System 1.2 contains an authenticated arbitrary file deletion vulnerability. The /goods/deleteGoods endpoint accepts a user-controlled goodsimg parameter, which is directly concatenated with the server's UPLOAD_PATH and passed to File.delete() without validation. A remote authenticated attacker can delete arbitrary files on the server by supplying directory traversal payloads. | 2025-12-05 | not yet calculated | CVE-2025-65879 | https://github.com/W000i/vuln/issues/3 |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext. | 2025-12-04 | not yet calculated | CVE-2025-63361 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-1/ |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication. | 2025-12-04 | not yet calculated | CVE-2025-63362 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-2/ |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to execute de-authentication attacks, allowing crafted deauthentication and disassociation frames to be broadcast without authentication or encryption. | 2025-12-04 | not yet calculated | CVE-2025-63363 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-3/ |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to transmit Administrator credentials in plaintext. | 2025-12-04 | not yet calculated | CVE-2025-63364 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-4/ |
| n/a--yzcheng90 X-SpringBoot 6.0 | This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control (RBAC) through dual dependency on frontend menu systems and backend permission tables, without enforcing atomic synchronization between these components. The critical flaw manifests when frontend menu updates (such as privilege revocation) fail to propagate to the backend permission table in real-time, creating a dangerous desynchronization. While users lose access to restricted functions through the web interface (as UI elements properly disappear), the stale permission records still validate unauthorized API requests when accessed directly through tools like Postman. Attackers exploiting this inconsistency can perform privileged operations including but not limited to: creating high-permission user accounts, accessing sensitive data beyond their clearance level, and executing admin-level commands. | 2025-12-04 | not yet calculated | CVE-2025-55948 | https://github.com/yzcheng90/X-SpringBoot https://github.com/liuchengjie01/vuln_db/blob/master/x-springboot3x-vul/x-springboot3x-vul.md |
| n/a--zdh_web thru 5.6.17 | zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution. | 2025-12-05 | not yet calculated | CVE-2025-65897 | https://github.com/zhaoyachao/zdh_web https://github.com/zhaoyachao/zdh_web/pull/39 https://github.com/zhaoyachao/zdh_web/commit/b2423378a8bf83f159f19ce4e14eac71c939793a https://github.com/zhaoyachao/zdh_web/issues/40 |
| Nagvis--Nagvis version before 1.9.48 | User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames. | 2025-12-03 | not yet calculated | CVE-2025-39665 | https://github.com/NagVis/nagvis/pull/411/commits/4acabcf9d5b2d26f390e760f59def8e163908d66 https://www.nagvis.org/downloads/changelog/1.9.48 |
| nopSolutions--nopCommerce | nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability. | 2025-12-01 | not yet calculated | CVE-2025-11699 | https://seclists.org/fulldisclosure/2025/Aug/14 https://github.com/nopSolutions/nopCommerce/issues/7044 https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT |
| Obi08/Enrollment System--Obi08/Enrollment System | Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can use UNION-based injection to extract sensitive information from the users table including usernames and passwords. | 2025-12-04 | not yet calculated | CVE-2024-58276 | ExploitDB-51845 Official Product Homepage https://www.vulncheck.com/advisories/obi08-enrollment-system-10-loginphp-sql-injection |
| ObjectPlanet--Opinio | Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows an attacker to upload files on behalf of the connected users and then access such files without authentication. | 2025-12-02 | not yet calculated | CVE-2025-13871 | https://www.objectplanet.com/opinio/changelog.html |
| ObjectPlanet--Opinio | Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination. | 2025-12-02 | not yet calculated | CVE-2025-13872 | https://www.objectplanet.com/opinio/changelog.html |
| ObjectPlanet--Opinio | Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey. | 2025-12-02 | not yet calculated | CVE-2025-13873 | https://www.objectplanet.com/opinio/changelog.html |
| OpenSolution--QuickCMS | A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-12-02 | not yet calculated | CVE-2025-12465 | https://cert.pl/posts/2025/12/CVE-2025-12465/ |
| OpenVPN--OpenVPN | Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses. | 2025-12-01 | not yet calculated | CVE-2025-12106 | https://community.openvpn.net/Security%20Announcements/CVE-2025-12106 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html |
| OpenVPN--OpenVPN | Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection, resulting in a denial of service for the originating client. | 2025-12-03 | not yet calculated | CVE-2025-13086 | https://community.openvpn.net/Security%20Announcements/CVE-2025-13086 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html |
| OpenVPN--OpenVPN | Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | 2025-12-03 | not yet calculated | CVE-2025-13751 | https://community.openvpn.net/Security%20Announcements/CVE-2025-13751 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html |
| Perforce--BlazeMeter | A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI. | 2025-12-03 | not yet calculated | CVE-2025-13472 | https://portal.perforce.com/s/cve/a91Qi000002bFgTIAU/missing-authorization-in-blazemeter-jenkins-plugin |
| Ping Identity--One-Time Passcode Integration Kit for PingFederate | The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication. | 2025-12-04 | not yet calculated | CVE-2025-27935 | https://support.pingidentity.com/s/article/SECADV051-PingFederate-OTP-Integration-Kit-authentication-bypass https://www.pingidentity.com/en/resources/downloads/pingfederate.html |
| Portkey-AI--gateway | Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0. | 2025-12-01 | not yet calculated | CVE-2025-66405 | https://github.com/Portkey-AI/gateway/security/advisories/GHSA-hhh5-2cvx-vmfp https://github.com/Portkey-AI/gateway/pull/1372 https://github.com/Portkey-AI/gateway/commit/b5a7825ba5f4e6918deb32d9969899ce2229a885 |
| Pure Storage--PX Enterprise | A vulnerability exists in PX Enterprise whereby sensitive information may be logged under specific conditions. | 2025-12-04 | not yet calculated | CVE-2025-9127 | https://support.purestorage.com/category/m_pure_storage_product_security |
| Python Software Foundation--CPython | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | 2025-12-03 | not yet calculated | CVE-2025-12084 | https://github.com/python/cpython/pull/142146 https://github.com/python/cpython/issues/142145 https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4 https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0 https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964 |
| Python Software Foundation--CPython | When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. | 2025-12-01 | not yet calculated | CVE-2025-13836 | https://github.com/python/cpython/issues/119451 https://github.com/python/cpython/pull/119454 https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155 https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5 https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/ https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15 |
| Python Software Foundation--CPython | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues. | 2025-12-01 | not yet calculated | CVE-2025-13837 | https://github.com/python/cpython/pull/119343 https://github.com/python/cpython/issues/119342 https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/ |
| R Radio Network--Radio Network FM Transmitter | R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access. | 2025-12-04 | not yet calculated | CVE-2024-58277 | ExploitDB-51855 Security Advisory for ZSL-2023-5802 https://www.vulncheck.com/advisories/r-radio-network-fm-transmitter-107-system-settings-disclosure |
| Remotecontrolio--Remote Keyboard Desktop | Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution. | 2025-12-04 | not yet calculated | CVE-2025-66576 | ExploitDB-52299 Vendor Homepage Software Link https://www.vulncheck.com/advisories/remote-keyboard-desktop-101-remote-code-execution-rce |
| ReQuest Serious Play LLC--ReQuest Serious Play Media Player | ReQuest Serious Play Media Player 3.0 contains an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in and script is not properly verified before being used to read web log files. Attackers can exploit this to disclose contents of files from local resources. | 2025-12-05 | not yet calculated | CVE-2020-36878 | Exploit Database Entry 48949 Zero Science Advisory ZSL-2020-5599 https://www.vulncheck.com/advisories/request-serious-play-f-media-player-directory-traversal-file-disclosure |
| ReQuest Serious Play LLC--ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allows unauthenticated attackers to disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device. Attackers can access sensitive information by visiting the message_log page. | 2025-12-05 | not yet calculated | CVE-2020-36876 | Exploit Database Entry 48950 Software Link Advisory URL https://www.vulncheck.com/advisories/request-serious-play-f-media-server-debug-log-disclosure |
| ReQuest Serious Play LLC--ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server. | 2025-12-05 | not yet calculated | CVE-2020-36877 | Exploit Database Entry 48952 Vendor Security Advisory for ZSL-2020-5602 Official Product Homepage https://www.vulncheck.com/advisories/request-serious-play-f-media-server-unauthenticated-rce |
| Revive--Revive Adserver | HackerOne community member Kassem S. (kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyph-based impersonation has been independently reported by other HackerOne users, such as itz_hari_ and khoof. | 2025-12-02 | not yet calculated | CVE-2025-55129 | https://hackerone.com/reports/3434156 |
| rommapp--romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. There is no ownership verification, and no check of whether the collection is public or private, before collection data is returned. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | not yet calculated | CVE-2025-65096 | https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c |
| rommapp--romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | not yet calculated | CVE-2025-65097 | https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g |
| Sanoma--Clickedu | Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2025-12-01 | not yet calculated | CVE-2025-41070 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sanomas-clickedu |
| Seafile--Seafile | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with the PUT parameter 'name' in '/api/v2.1/user/'. | 2025-12-04 | not yet calculated | CVE-2025-41079 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-seafile |
| Seafile--Seafile | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with the POST parameter 'p' in '/api/v2.1/repos/{repo_id}/file/'. | 2025-12-04 | not yet calculated | CVE-2025-41080 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-seafile |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 v0.9.2. This vulnerability allows an attacker to remotely exploit memory corruption through the 'read_packet()' function of the TACACSPLUS implementation. | 2025-12-02 | not yet calculated | CVE-2025-11778 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'SetLan' function is invoked when a new configuration is applied. This new configuration function is activated by a management web request, which can be invoked by a user when making changes to the 'index.cgi' web application. The parameters are not being sanitised, which could lead to command injection. | 2025-12-02 | not yet calculated | CVE-2025-11779 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'showMeterReport()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the "meter" parameter. | 2025-12-02 | not yet calculated | CVE-2025-11780 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges. | 2025-12-02 | not yet calculated | CVE-2025-11781 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'ShowDownload()' function uses "sprintf()" to format a string that includes the user-controlled input of 'GetParameter(meter)' in the fixed-size buffer 'acStack_4c' (64 bytes) without checking the length. An attacker can provide an excessively long value for the 'meter' parameter that exceeds the 64-byte buffer size. | 2025-12-02 | not yet calculated | CVE-2025-11782 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The vulnerability is found in the 'AddEvent()' function when copying the user-controlled username input to a fixed-size buffer (48 bytes) without boundary checking. This can lead to memory corruption, resulting in possible remote code execution. | 2025-12-02 | not yet calculated | CVE-2025-11783 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterDatabase()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter. | 2025-12-02 | not yet calculated | CVE-2025-11784 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter. | 2025-12-02 | not yet calculated | CVE-2025-11785 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application. | 2025-12-02 | not yet calculated | CVE-2025-11786 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()', 'CheckPing()' and 'TraceRoute()' functions. | 2025-12-02 | not yet calculated | CVE-2025-11787 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowSupervisorParameters()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter. | 2025-12-02 | not yet calculated | CVE-2025-11788 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'DownloadFile' function converts a parameter to an integer using 'atoi()' and then uses it as an index in the 'FilesDownload' array with '(&FilesDownload)[iVar2]'. If the parameter is too large, it will access memory beyond the limits. | 2025-12-02 | not yet calculated | CVE-2025-11789 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| silabs.com--Gecko SDK | When a WF200/WGM160P device is configured to operate as an Access Point, it may be vulnerable to a denial of service triggered by a malformed packet. The device may recover automatically or require a hard reset. | 2025-12-04 | not yet calculated | CVE-2025-12986 | https://community.silabs.com/068Vm00000akaGr |
| silabs.com--Simplicity Studio V6 | The web interface of the Silicon Labs Simplicity Device Manager is exposed publicly and can be used to extract the NTLMv2 hash which an attacker could use to crack the user's domain password. | 2025-12-04 | not yet calculated | CVE-2025-10285 | https://community.silabs.com/a45Vm0000003UcfIAE |
| SOLIDserver--SOLIDserver IPAM | Directory traversal vulnerability in SOLIDserver IPAM v8.2.3. This vulnerability allows an authenticated user with administrator privileges to list directories other than those to which they have authorized access using the 'directory' parameter in '/mod/ajax.php?action=sections/list/list'. For example, setting the 'directory' parameter to '/' displays files outside the 'LOCAL:///' folder. | 2025-12-02 | not yet calculated | CVE-2025-13879 | https://www.incibe.es/en/incibe-cert/notices/aviso/directory-traversal-vulnerability-efficientips-solidserver-ipam https://efficientip.com/resources/solidserver-ipam-solutions-3/ |
| SolisCloud--Monitoring Platform (Cloud API & Device Control API) | The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request. | 2025-12-04 | not yet calculated | CVE-2025-13932 | url |
| Sonatype--Nexus Repository | Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context. | 2025-12-04 | not yet calculated | CVE-2025-13488 | https://help.sonatype.com/en/sonatype-nexus-repository-3-87-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/46896142768019 |
| Sony Corporation--INZONE Hub | The installer of INZONE Hub 1.0.10.3 to 1.0.17.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer. | 2025-12-01 | not yet calculated | CVE-2025-64772 | https://www.sony.com/electronics/support/others-software/inzone-hub https://jvn.jp/en/jp/JVN28247549/ |
| syntax-tree--mdast-util-to-hast | mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1. | 2025-12-01 | not yet calculated | CVE-2025-66400 | https://github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7 |
| taikoxyz--taiko-mono | Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer. | 2025-12-04 | not yet calculated | CVE-2025-66559 | https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8 |
| TCMAN--GIM | Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser' in '/WS/PDAWebService.asmx'. | 2025-12-02 | not yet calculated | CVE-2025-41012 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN--GIM | SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'. | 2025-12-02 | not yet calculated | CVE-2025-41013 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN--GIM | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'. | 2025-12-02 | not yet calculated | CVE-2025-41014 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN--GIM | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'. | 2025-12-02 | not yet calculated | CVE-2025-41015 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| The Qt Company--Qt | Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive. This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0. | 2025-12-03 | not yet calculated | CVE-2025-12385 | https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239 https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766 |
| TOTOLINK--N300RT | TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter. | 2025-12-03 | not yet calculated | CVE-2025-34319 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/154/ids/36.html https://totolink.tw/support_view/N300RT https://www.vulncheck.com/advisories/totolink-n300rt-boa-formwsc-rce |
| Unknown--db-access | The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated user, such as a subscriber, to perform SQLi attacks. | 2025-12-02 | not yet calculated | CVE-2025-13000 | https://wpscan.com/vulnerability/aec53f87-6500-4c8a-925a-146be61bbabf/ |
| Unknown--donation | The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high-privilege users, such as admins, to perform SQL injection attacks. | 2025-12-02 | not yet calculated | CVE-2025-13001 | https://wpscan.com/vulnerability/4e7a8154-46bf-44c9-ad9a-273e99ae2104/ |
| Unknown--Timetable and Event Schedule by MotoPress ver. < 2.4.16 | The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure to users with a role as low as Contributor. | 2025-12-03 | not yet calculated | CVE-2025-12954 | https://wpscan.com/vulnerability/f15dd1ca-aa40-4d3b-9625-e3ace744374d/ |
| Unknown--UNA CMS ver 9.0.0 | UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code. | 2025-12-04 | not yet calculated | CVE-2025-66571 | ExploitDB-52139 UNA CMS Homepage UNA CMS GitHub Repository Karma Security Advisory https://www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injection |
| Unknown--Upload.am plugin ver. < 1.0.1 | The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributors to view site options. | 2025-12-02 | not yet calculated | CVE-2025-12630 | https://wpscan.com/vulnerability/531537f1-5547-4b0f-9e11-3f8a0b2589f5/ |
| urllib3--urllib3 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0. | 2025-12-05 | not yet calculated | CVE-2025-66418 | https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53 https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8 |
| urllib3--urllib3 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data). | 2025-12-05 | not yet calculated | CVE-2025-66471 | https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37 https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7 |
| VeePN--VeeVPN | VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. Attackers can exploit this by providing a malicious service name, allowing them to inject commands and run as LocalSystem. | 2025-12-04 | not yet calculated | CVE-2025-66575 | ExploitDB-52088 VeePN Homepage VeePN GitHub Repository https://www.vulncheck.com/advisories/veevpn-161-unquoted-service-path-remote-code-execution |
| WatchGuard--Fireware OS | A memory corruption vulnerability in WatchGuard Fireware OS may allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition in the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4 and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-11838 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00018 |
| WatchGuard--Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12026 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00017 |
| WatchGuard--Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via specially crafted IPSec configuration CLI commands. This vulnerability affects Fireware OS 11.0 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12195 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00019 |
| WatchGuard--Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via a specially crafted CLI command. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12196 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00020 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13936 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00021 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13937 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00022 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13938 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00023 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Gateway Wireless Controller module) allows Stored XSS. This issue affects Fireware OS 11.7.2 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13939 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00024 |
| WatchGuard--Fireware OS | An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure. The on-demand system integrity check in the Fireware Web UI will correctly show a failed system integrity check message in the event of a failure. This issue affects Fireware OS: from 12.8.1 through 12.11.4, from 2025.1 through 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13940 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00026 |
| WatchGuard--Fireware OS | An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured. This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-1545 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00025 |
| WatchGuard--Fireware OS | A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands.This issue affects Fireware OS: from 12.0 through 12.5.12+701324, from 12.6 through 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-1547 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00013 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the IPS module. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Firebox: from 12.0 through 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-6946 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00011 |
| WatchGuard--Mobile VPN with SSL Client | The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM on the Windows machine where the VPN Client is installed. This issue affects the Mobile VPN with SSL Client 12.0 up to and including 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-1910 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00008 |
| WEBIGniter--WEBIGniter | WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to execute malicious JavaScript code, enabling potential XSS attacks. | 2025-12-04 | not yet calculated | CVE-2023-53735 | ExploitDB-51900 Official WEBIGniter Homepage WEBIGniter Demo Page https://www.vulncheck.com/advisories/webigniter-28723-cross-site-scripting-xss-in-user-creation-process |
| xwiki--xwiki-platform | XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0. | 2025-12-01 | not yet calculated | CVE-2025-55749 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9 https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10 https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10 https://jira.xwiki.org/browse/XWIKI-23438 |
| yawkat--lz4-java | yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1. | 2025-12-05 | not yet calculated | CVE-2025-66566 | https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840 |
| Zabbix--Zabbix | An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss. | 2025-12-01 | not yet calculated | CVE-2025-27232 | https://support.zabbix.com/browse/ZBX-27282 |
| Zabbix--Zabbix | Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory. | 2025-12-01 | not yet calculated | CVE-2025-49642 | https://support.zabbix.com/browse/ZBX-27283 |
| Zabbix--Zabbix | An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service. | 2025-12-01 | not yet calculated | CVE-2025-49643 | https://support.zabbix.com/browse/ZBX-27284 |

Vulnerability Summary for the Week of November 24, 2025
Posted on Monday December 01, 2025

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 0x4m4--HexStrike AI | By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server's normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025). | 2025-11-30 | 9.1 | CVE-2025-35028 | https://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 |
| AMD--AMD uProf | Improper return value within AMD uProf can allow a local attacker to bypass KSLR, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 7.1 | CVE-2025-48510 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD--Xilinx Run Time (XRT) | Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 8 | CVE-2025-52538 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD--Xilinx Run Time (XRT) | Inadequate lock protection within Xilinx Run Time may allow a local attacker to trigger a Use-After-Free condition, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 7.3 | CVE-2025-0003 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD--Xilinx Run Time (XRT) | Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service. | 2025-11-24 | 7.3 | CVE-2025-0005 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD--Xilinx Run Time (XRT) | A buffer overflow with Xilinx Run Time Environment may allow a local attacker to read or corrupt data from the advanced extensible interface (AXI), potentially resulting in loss of confidentiality, integrity, and/or availability. | 2025-11-24 | 7.3 | CVE-2025-52539 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| ASR--Lapwing_Linux | Out-of-bounds Read vulnerability in ASR1903, ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C. This issue affects Lapwing_Linux: before 2025/11/26. | 2025-11-26 | 7.4 | CVE-2025-13735 | https://www.asrmicro.com/en/goods/psirt?cid=41 |
| blubrry--PowerPress Podcasting plugin by Blubrry | The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-27 | 8.8 | CVE-2025-13536 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d420ee49-e7b3-43d8-a263-8a93abd1133c?source=cve https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3068 https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3012 https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L2368 https://plugins.trac.wordpress.org/changeset/3402635/ |
| Chanjet--CRM | A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13788 | VDB-333792 \| Chanjet CRM upgradeattribute.php sql injection VDB-333792 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690084 \| Chanjet CRM V1.0 SQL Injection https://github.com/Bellingham-max/CVE/issues/1 |
| code-projects--COVID Tracking System | A vulnerability was detected in code-projects COVID Tracking System 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument code results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2025-11-24 | 7.3 | CVE-2025-13585 | VDB-333349 \| code-projects COVID Tracking System login.php sql injection VDB-333349 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699840 \| code-projects COVID Tracking System V1.0 SQL Injection https://github.com/beamyou/CVE/issues/4 https://code-projects.org/ |
| code-projects--Jonnys Liquor | A security flaw has been discovered in code-projects Jonnys Liquor 1.0. Affected by this issue is some unknown functionality of the file /detail.php of the component GET Parameter Handler. Performing manipulation of the argument Product results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-11-24 | 7.3 | CVE-2025-13582 | VDB-333346 \| code-projects Jonnys Liquor GET Parameter detail.php sql injection VDB-333346 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699554 \| code-projects Jonnys Liquor 1.0 /detail.php SQL injection https://github.com/rassec2/dbcve/issues/5 https://code-projects.org/ |
| code-projects--Library System | A vulnerability has been found in code-projects Library System 1.0. This affects an unknown function of the file /index.php of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-11-24 | 7.3 | CVE-2025-13578 | VDB-333342 \| code-projects Library System Login index.php sql injection VDB-333342 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699536 \| code-projects Library System 1.0 index.php SQL Injection https://github.com/rassec2/dbcve/issues/4 https://code-projects.org/ |
| code-projects--Question Paper Generator | A weakness has been identified in code-projects Question Paper Generator 1.0. This affects an unknown part of the file /signupscript.php of the component POST Parameter Handler. Executing manipulation of the argument Fname can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-24 | 7.3 | CVE-2025-13583 | VDB-333347 \| code-projects Question Paper Generator POST Parameter signupscript.php sql injection VDB-333347 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699591 \| code-projects question paper 1.0 /signupscript.php SQL Injection https://github.com/rassec2/dbcve/issues/6 https://code-projects.org/ |
| cursor--cursor | Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution. | 2025-11-26 | 9.8 | CVE-2025-62354 | https://hiddenlayer.com/sai_security_advisor/2025-11-cursor/ |
| Dassault Systèmes--DELMIA Service Process Engineer | A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in DELMIA Service Process Engineer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | 2025-11-24 | 8.7 | CVE-2025-10555 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10555 |
| Dassault Systèmes--ENOVIA Product Manager | A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in ENOVIA Product Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | 2025-11-24 | 8.7 | CVE-2025-10554 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10554 |
| DirectoryThemes--Tiger | The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-11-27 | 9.8 | CVE-2025-13675 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995 |
| DirectoryThemes--Tiger | The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user->set_role() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | 2025-11-27 | 8.8 | CVE-2025-13680 | https://www.wordfence.com/threat-intel/vulnerabilities/id/645f60ad-c8e5-47ec-94f1-960de4ef7838?source=cve https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995 |
| Eaton--Eaton Galileo Software | Improper input sanitization in the file archives upload functionality of Eaton Galileo software allows traversing paths which could lead into an attacker with local access to execute unauthorized code or commands. This security issue has been fixed in the latest version of Galileo which is available on the Eaton download center. | 2025-11-27 | 7.3 | CVE-2025-59890 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1024.pdf |
| Elated Themes--FindAll Listing | The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin. | 2025-11-27 | 9.8 | CVE-2025-13538 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve https://themeforest.net/item/findall-business-directory-theme/24415962 |
| Elated Themes--FindAll Membership | The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and the 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email. | 2025-11-27 | 9.8 | CVE-2025-13539 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a856a96a-68d2-462d-b523-840668980807?source=cve https://themeforest.net/item/findall-business-directory-theme/24415962 |
| factionsecurity--faction | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction's extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1. | 2025-11-26 | 9.7 | CVE-2025-66022 | https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3 |
| fugue-project--fugue | Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326. | 2025-11-25 | 8.8 | CVE-2025-62703 | https://github.com/fugue-project/fugue/security/advisories/GHSA-xv5p-fjw5-vrj6 https://github.com/fugue-project/fugue/commit/6f25326779fd1f528198098d6287c5a863176fc0 |
| geoserver--geoserver | GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0. | 2025-11-25 | 8.2 | CVE-2025-58360 | https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 https://osgeo-org.atlassian.net/browse/GEOS-11682 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads. | 2025-11-26 | 7.5 | CVE-2025-12571 | GitLab Issue #579168 HackerOne Bug Bounty Report #3362239 |
| GL-Inet--GL-AXT1800 | A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | 2025-11-24 | 8.3 | CVE-2025-44018 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2230 |
| HCL Software--iNotes | HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | 2025-11-25 | 8.1 | CVE-2025-0248 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127032 |
| Huawei--HarmonyOS | Permission control vulnerability in the memory management module. Impact: Successful exploitation of this vulnerability may affect confidentiality. | 2025-11-28 | 9.3 | CVE-2025-64314 | https://consumer.huawei.com/cn/support/bulletinlaptops/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 8.4 | CVE-2025-58302 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 8.4 | CVE-2025-58303 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the distributed component. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 8 | CVE-2025-58310 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Vulnerability of improper criterion security check in the call module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. | 2025-11-28 | 7.3 | CVE-2025-58308 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | DoS vulnerability in the video-related system service module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 7.3 | CVE-2025-58316 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Janitza--UMG 96-PA | An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service. | 2025-11-24 | 7.5 | CVE-2025-41729 | https://certvde.com/de/advisories/VDE-2025-094 |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could cause under certain circumstances that a user's active session would not properly time out due to inactivity. This issue has been patched in version 9.1.0. | 2025-11-29 | 7.1 | CVE-2025-53896 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-23h2-3jj8-58hm |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0. | 2025-11-29 | 7.2 | CVE-2025-53899 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5 |
| Logpoint--SIEM | An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability. | 2025-11-27 | 8.5 | CVE-2025-66359 | https://servicedesk.logpoint.com/hc/en-us/articles/29158899698333-XSS-Vulnerability-due-to-insufficient-input-validation |
| Mattermost--Mattermost | Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. | 2025-11-27 | 9.9 | CVE-2025-12419 | https://mattermost.com/security-updates |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). | 2025-11-27 | 9.9 | CVE-2025-12421 | https://mattermost.com/security-updates |
| mescuwa--entropy-derby | Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f. | 2025-11-25 | 8.7 | CVE-2025-65951 | https://github.com/mescuwa/entropy-derby/security/advisories/GHSA-pm54-f847-w4mh https://github.com/mescuwa/entropy-derby/commit/2d38d2f16bbb3b4240698148f80d8c5202725c77 |
| Microsoft--Azure App Gateway | Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network. | 2025-11-26 | 9.4 | CVE-2025-64656 | Azure Application Gateway Elevation of Privilege Vulnerability |
| Microsoft--Azure App Gateway | Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network. | 2025-11-26 | 9.8 | CVE-2025-64657 | Azure Application Gateway Elevation of Privilege Vulnerability |
| milmor--Telegram Bot & Channel | The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-25 | 7.2 | CVE-2025-13068 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe4774ee-16f2-478f-92e3-8a7da7b30336?source=cve https://plugins.trac.wordpress.org/browser/telegram-bot/tags/4.1/columns.php#L45 |
| MISP--MISP | app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. | 2025-11-28 | 8.2 | CVE-2025-66384 | https://github.com/misp/misp/commit/6867f0d3157a1959154bdad9ddac009dec6a19f5 https://github.com/MISP/MISP/compare/v2.5.23...v2.5.24 |
| n/a--Qualitor | A security flaw has been discovered in Qualitor 8.20/8.24. Affected by this vulnerability is the function eval of the file /html/st/stdeslocamento/request/getResumo.php. Performing manipulation of the argument passageiros results in code injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13792 | VDB-333796 \| Qualitor getResumo.php eval code injection VDB-333796 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691251 \| Qualitor Qualitor Web 8.20/8.24 Code Injection https://www.youtube.com/watch?v=hU8YbFc6KpI |
| n/a--validator | Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service. | 2025-11-27 | 7.5 | CVE-2025-12758 | https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476 https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e https://github.com/validatorjs/validator.js/pull/2616 |
| Nozomi Networks--Guardian | A Stored Cross-Site Scripting vulnerability was discovered in the Dashboards functionality due to improper validation of an input parameter. An authenticated low-privilege user can craft a malicious dashboard containing a JavaScript payload and share it with victim users, or a victim can be socially engineered to import a malicious dashboard template. When the victim views or imports the dashboard, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | 2025-11-25 | 7.9 | CVE-2025-40890 | https://security.nozominetworks.com/NN-2025:11-01 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. A successful exploit of this vulnerability might lead to code execution, information disclosure, data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 9.3 | CVE-2025-33187 | https://nvd.nist.gov/vuln/detail/CVE-2025-33187 https://www.cve.org/CVERecord?id=CVE-2025-33187 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. A successful exploit of this vulnerability might lead to information disclosure, data tampering, or denial of service. | 2025-11-25 | 8 | CVE-2025-33188 | https://nvd.nist.gov/vuln/detail/CVE-2025-33188 https://www.cve.org/CVERecord?id=CVE-2025-33188 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, information disclosure, or escalation of privileges. | 2025-11-25 | 7.8 | CVE-2025-33189 | https://nvd.nist.gov/vuln/detail/CVE-2025-33189 https://www.cve.org/CVERecord?id=CVE-2025-33189 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--NeMo Agent ToolKit | NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. A successful exploit of this vulnerability may lead to information disclosure and denial of service. | 2025-11-25 | 7.6 | CVE-2025-33203 | https://nvd.nist.gov/vuln/detail/CVE-2025-33203 https://www.cve.org/CVERecord?id=CVE-2025-33203 https://nvidia.custhelp.com/app/answers/detail/a_id/5726 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP and LLM components, where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-25 | 7.8 | CVE-2025-33204 | https://nvd.nist.gov/vuln/detail/CVE-2025-33204 https://www.cve.org/CVERecord?id=CVE-2025-33204 https://nvidia.custhelp.com/app/answers/detail/a_id/5729 |
| NVIDIA--NeMo Framework | NVIDIA NeMo framework contains a vulnerability in a predefined variable, where an attacker could cause inclusion of functionality from an untrusted control sphere by use of a predefined variable. A successful exploit of this vulnerability may lead to code execution. | 2025-11-25 | 7.3 | CVE-2025-33205 | https://nvd.nist.gov/vuln/detail/CVE-2025-33205 https://www.cve.org/CVERecord?id=CVE-2025-33205 https://nvidia.custhelp.com/app/answers/detail/a_id/5729 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size should be increased (packet-alert-max in suricata.yaml) if verdict is enabled. | 2025-11-26 | 7.5 | CVE-2025-64330 | https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437 https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow can occur on large HTTP file transfers if the user has increased the HTTP response body limit and enabled the logging of printable http bodies. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves using default HTTP response body limits and/or disabling http-body-printable logging; body logging is disabled by default. | 2025-11-26 | 7.5 | CVE-2025-64331 | https://github.com/OISF/suricata/security/advisories/GHSA-v32w-j79x-pfj2 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow that causes Suricata to crash can occur if SWF decompression is enabled. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling SWF decompression (swf-decompression in suricata.yaml), it is disabled by default; set decompress-depth to lower than half your stack size if swf-decompression must be enabled. | 2025-11-26 | 7.5 | CVE-2025-64332 | https://github.com/OISF/suricata/security/advisories/GHSA-p32q-7wcp-gv92 https://github.com/OISF/suricata/commit/ad446c9006a77490af51c468aae0ce934f4d2117 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a large HTTP content type, when logged, can cause a stack overflow crashing Suricata. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves limiting stream.reassembly.depth to less than half the stack size. Increasing the process stack size makes it less likely the bug will trigger. | 2025-11-26 | 7.5 | CVE-2025-64333 | https://github.com/OISF/suricata/security/advisories/GHSA-537h-xxmx-v87m |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, compressed HTTP data can lead to unbounded memory growth during decompression. This issue has been patched in version 8.0.2. A workaround involves disabling LZMA decompression or limiting response-body-limit size. | 2025-11-26 | 7.5 | CVE-2025-64334 | https://github.com/OISF/suricata/security/advisories/GHSA-r5jf-v2gx-gx8w https://github.com/OISF/suricata/commit/00f04daa3a44928dfdd0003cb9735469272c94a1 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data. | 2025-11-26 | 7.5 | CVE-2025-64335 | https://github.com/OISF/suricata/security/advisories/GHSA-v299-h7p3-q4f2 https://github.com/OISF/suricata/commit/c935f08cd988600fd0a4f828a585b181dd5de012 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size. | 2025-11-26 | 7.5 | CVE-2025-64344 | https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx https://github.com/OISF/suricata/commit/e13fe6a90dba210a478148c4084f6f5db17c5b5a |
| open-circle--valibot | Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0. | 2025-11-26 | 7.5 | CVE-2025-66020 | https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9 https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc |
| Opto 22--groov View Server | The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators. | 2025-11-26 | 7.6 | CVE-2025-13084 | https://www.opto22.com/support/resources-tools/knowledgebase/kb91325 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-04.json |
| ov3rkll--ProjectList | The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-25 | 7.2 | CVE-2025-13376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/781c3b84-df80-470e-8bcb-3305a8bbb64a?source=cve https://plugins.trac.wordpress.org/browser/projectlist/trunk/pages/pl-add.php#L27 https://plugins.trac.wordpress.org/browser/projectlist/tags/0.3.0/pages/pl-add.php#L27 |
| phpface--StreamTube Core | The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' are enabled in theme options. | 2025-11-30 | 9.8 | CVE-2025-13615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51. | 2025-11-24 | 7.1 | CVE-2025-64720 | https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww https://github.com/pnggroup/libpng/issues/686 https://github.com/pnggroup/libpng/pull/751 https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51. | 2025-11-24 | 7.1 | CVE-2025-65018 | https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g https://github.com/pnggroup/libpng/issues/755 https://github.com/pnggroup/libpng/pull/757 https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea |
| Qode Interactive--Tiare Membership | The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare_membership_init_rest_api_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-11-27 | 9.8 | CVE-2025-13540 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve https://themeforest.net/item/tiare-wedding-vendor-directory-theme/26589165?s_rank=1 |
| QuantumNous--new-api | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet. This issue has been patched in version 0.9.6. | 2025-11-24 | 8.5 | CVE-2025-62155 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4 |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls. | 2025-11-24 | 8.2 | CVE-2025-13609 | https://access.redhat.com/security/cve/CVE-2025-13609 RHBZ#2416761 |
| Red Hat--Red Hat Enterprise Linux 6 | A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server. | 2025-11-25 | 7.5 | CVE-2025-13502 | https://access.redhat.com/security/cve/CVE-2025-13502 RHBZ#2416300 |
| Redhat--Redhat | A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string. | 2025-11-26 | 7.7 | CVE-2025-13601 | https://access.redhat.com/security/cve/CVE-2025-13601 RHBZ#2416741 https://gitlab.gnome.org/GNOME/glib/-/issues/3827 https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914 |
| ricardoboss--PubNet | PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3. | 2025-11-29 | 9.4 | CVE-2025-65112 | https://github.com/ricardoboss/PubNet/security/advisories/GHSA-pg82-fqrg-q6j5 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the 'site_id' parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-24 | 7.5 | CVE-2025-7402 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5548b97d-14f0-4f50-b213-a19c02c240be?source=cve https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 |
| Sneeit--Sneeit Framework | The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts. | 2025-11-25 | 9.8 | CVE-2025-6389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes |
| sonalsinha21--SKT PayPal for WooCommerce | The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them. | 2025-11-27 | 7.5 | CVE-2025-7820 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a67b1b3-eb39-4e9a-ba44-ea637fc3bba1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403118%40skt-paypal-for-woocommerce&new=3403118%40skt-paypal-for-woocommerce&sfp_email=&sfph_mail= |
| soportecibeles--AI Feeds | The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible. | 2025-11-25 | 9.8 | CVE-2025-13597 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5007dd0-a62c-4ad8-8f8b-eb3f4387c370?source=cve https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/actualizador_git.php#L1 https://plugins.trac.wordpress.org/changeset/3402321/ai-feeds https://github.com/d0n601/CVE-2025-13597 https://ryankozak.com/posts/cve-2025-13597 |
| soportecibeles--CIBELES AI | The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible. | 2025-11-25 | 9.8 | CVE-2025-13595 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e89a1c-7606-4391-a389-fa18d0967046?source=cve https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L1 https://plugins.trac.wordpress.org/changeset/3402311/cibeles-ai https://github.com/d0n601/CVE-2025-13595 https://ryankozak.com/posts/cve-2025-13595/ |
| taosir--WTCMS | A vulnerability was identified in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Affected by this issue is the function delete of the file application/Admin/Controller/SlideController.class.php of the component SlideController. The manipulation of the argument ids leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13782 | VDB-333786 \| taosir WTCMS SlideController SlideController.class.php delete sql injection VDB-333786 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688837 \| wtcms cms 1.0 SQL Injection https://www.yuque.com/shangu-vvuup/ydpg69/amhlbdhkw0pgt44g?singleDoc |
| taosir--WTCMS | A vulnerability was detected in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Impacted is the function fetch of the file /index.php. Performing manipulation of the argument content results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13786 | VDB-333790 \| taosir WTCMS index.php fetch code injection VDB-333790 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689523 \| wtcms cms 1.0 RCE https://github.com/TiKi-r/CVE-Report/blob/main/WtcmsRCE.md https://github.com/TiKi-r/CVE-Report/blob/main/WtcmsRCE.md#3-proof-of-concept-poc |
| Tryton--trytond | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 7.1 | CVE-2025-66423 | https://discuss.tryton.org/t/security-release-for-issue-14364/8952 https://foss.heptapod.net/tryton/tryton/-/issues/14364 |
| Uniong--WebITR | WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability. | 2025-11-28 | 7.5 | CVE-2025-13768 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| unitecms--Unlimited Elements for Elementor (Premium) | The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled. | 2025-11-27 | 7.2 | CVE-2025-13692 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c?source=cve https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L598 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1952 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1960 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_filters_process.class.php#L3279 https://plugins.trac.wordpress.org/changeset/3403331/ https://unlimited-elements.com/change-log/ |
| venusweb--EduKart Pro | The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-11-25 | 9.8 | CVE-2025-13559 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve https://themeforest.net/item/edit-edukart-online-courses-education-lms-theme/52094805 |
| Zenitel--TCIV-3+ | An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands. | 2025-11-26 | 10 | CVE-2025-64126 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely. | 2025-11-26 | 10 | CVE-2025-64127 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands. | 2025-11-26 | 10 | CVE-2025-64128 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser. | 2025-11-26 | 9.8 | CVE-2025-64130 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device. | 2025-11-26 | 7.6 | CVE-2025-64129 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| zephyrproject-rtos--Zephyr | An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service. | 2025-11-26 | 7.6 | CVE-2025-9557 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r3j3-c5v7-2ppf |
| zephyrproject-rtos--Zephyr | There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size. | 2025-11-26 | 7.6 | CVE-2025-9558 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8wvr-688x-68vr |
| ZTE--ElasticNet UME R32 | Improper Privilege Management vulnerability in ZTE ElasticNet UME R32 on Linux allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ElasticNet UME R32: ElasticNet_UME_R32_V16.23.20.04. | 2025-11-27 | 7.5 | CVE-2025-66314 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2180460616364429350 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ABB--Terra AC wallbox | Stack-based Buffer Overflow vulnerability in ABB Terra AC wallbox. This issue affects Terra AC wallbox: through 1.8.33. | 2025-11-28 | 6.1 | CVE-2025-12143 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A8107&LanguageCode=en&DocumentPartId=&Action=Launch |
| AMD--AMD uProf | Improper input validation within AMD uProf can allow a local attacker to write out of bounds, potentially resulting in a crash or denial of service. | 2025-11-24 | 5.5 | CVE-2025-29933 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD--AMD uProf | Improper input validation within AMD uProf can allow a local attacker to write to an arbitrary physical address, potentially resulting in a crash or denial of service. | 2025-11-24 | 5.5 | CVE-2025-48511 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD--Xilinx Run Time (XRT) | Insufficient validation within Xilinx Run Time framework could allow a local attacker to escalate privileges from user space to kernel space, potentially compromising confidentiality, integrity, and/or availability. | 2025-11-24 | 5.7 | CVE-2025-0007 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| Anjaliavv51--Retro | Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting (XSS) in the input handling component. This issue has been patched in version 2.4.7. | 2025-11-29 | 6.1 | CVE-2025-66036 | https://github.com/Anjaliavv51/Retro/security/advisories/GHSA-gvv6-p6h6-2vj2 |
| appglut--Locker Content | The Locker Content plugin for WordPress is vulnerable to Sensitive Information Exposure in version 1.0.0 via the 'lockerco_submit_post' AJAX endpoint. This makes it possible for unauthenticated attackers to extract content from posts that has been protected by the plugin. | 2025-11-25 | 5.3 | CVE-2025-12525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/927f94b0-2a5d-4d17-a05b-7940d7976158?source=cve https://wordpress.org/plugins/locker-content/ |
| assafp--Poll, Survey & Quiz Maker Plugin by Opinion Stage | The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-27 | 4.3 | CVE-2025-13143 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c16048a-6b05-48ef-92c3-6e3a42909adb?source=cve https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L195 https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L196 |
| autochat--Autochat Automatic Conversation | The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID. | 2025-11-25 | 5.3 | CVE-2025-12043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve https://wordpress.org/plugins/auyautochat-for-wp/ |
| ays-pro--AI ChatBot with ChatGPT and Content Generator by AYS | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-11-27 | 6.5 | CVE-2025-13378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/293ad145-dc93-4d7a-83ba-78f8c730ed6d?source=cve https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3483 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/admin/class-chatgpt-assistant-admin.php#L3483 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/includes/class-chatgpt-assistant.php#L222 https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650&old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php |
| ays-pro--AI ChatBot with ChatGPT and Content Generator by AYS | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files. | 2025-11-27 | 5.3 | CVE-2025-13381 | https://www.wordfence.com/threat-intel/vulnerabilities/id/be3411ec-0e34-4b0b-a04c-98ac94396989?source=cve https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3585 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/includes/class-chatgpt-assistant.php#L222 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3268 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3597 https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650&old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php |
| bestweblayout--Job Board by BestWebSoft | The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results. | 2025-11-25 | 6.1 | CVE-2025-13383 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1eb1622f-19fb-472e-871b-9a456f80f390?source=cve https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2354 https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2355 https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L1680 |
| buywptemplates--Ace Post Type Builder | The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies. | 2025-11-25 | 5.3 | CVE-2025-13405 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400 https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400 |
| bylancer--Bookme Free Online Appointment Booking and Scheduling Plugin | The Bookme - Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the `filter[status]` parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-25 | 4.9 | CVE-2025-13385 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c17222-5de5-4ecd-a7c6-beabe7624c5b?source=cve https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/tags/4.2/app/admin/Bookings.php#L123 https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/trunk/app/admin/Bookings.php#L123 |
| bytecodealliance--wasm-micro-runtime | WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, an out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode that triggers preserve_local_for_block, the function traverses arrays using stack_cell_num as the upper bound, causing out-of-bounds access to frame_offset_bottom since it wasn't expanded to match the increased stack_cell_num. This issue has been patched in version 2.4.4. | 2025-11-25 | 5.1 | CVE-2025-64713 | https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-gvx3-gg3x-rjcx https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4 |
| bytecodealliance--wasm-micro-runtime | WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, WAMR is susceptible to a segmentation fault in v128.store instruction. This issue has been patched in version 2.4.4. | 2025-11-25 | 4.7 | CVE-2025-64704 | https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-2f2p-wf5w-82qr https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4 |
| caido--caido | Caido is a web security auditing toolkit. Prior to version 0.53.0, the Markdown renderer used in Caido's Findings page improperly handled user-supplied Markdown, allowing attacker-controlled links to be rendered without confirmation. When a user opened a finding generated through the scanner, or other plugins, clicking these injected links could redirect the Caido application to an attacker-controlled domain, enabling phishing style attacks. This issue has been patched in version 0.53.0. | 2025-11-26 | 4.3 | CVE-2025-66025 | https://github.com/caido/caido/security/advisories/GHSA-cf52-h5mw-gmc2 |
| cilium--cilium | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue. | 2025-11-29 | 4 | CVE-2025-64715 | https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm https://github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97 https://github.com/cilium/cilium/releases/tag/v1.16.17 https://github.com/cilium/cilium/releases/tag/v1.17.10 https://github.com/cilium/cilium/releases/tag/v1.18.4 |
| code-projects--Blog Site | A security vulnerability has been detected in code-projects Blog Site 1.0. Impacted is the function category_exists of the file /resources/functions/blog.php of the component Category Handler. Such manipulation of the argument name/field leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected. | 2025-11-24 | 6.3 | CVE-2025-13575 | VDB-333339 \| code-projects Blog Site Category blog.php category_exists sql injection VDB-333339 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698769 \| https://code-projects.org/ blog site in php with source code 1.0 SQL Injection Submit #698771 \| https://code-projects.org/ blog site in php with source code 1.0 SQL Injection (Duplicate) https://github.com/Yohane-Mashiro/cve/blob/main/SQL%20injection1.md https://github.com/Yohane-Mashiro/cve/blob/main/SQL%20injection2.md https://code-projects.org/ |
| code-projects--Blog Site | A vulnerability was detected in code-projects Blog Site 1.0. The affected element is an unknown function of the file /admin.php. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. Multiple endpoints are affected. | 2025-11-24 | 6.3 | CVE-2025-13576 | VDB-333340 \| code-projects Blog Site admin.php improper authorization VDB-333340 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698772 \| https://code-projects.org/ Blog Site In PHP With Source Code 1.0 Unauthorized https://github.com/Yohane-Mashiro/cve/blob/main/Unauthorized.md https://code-projects.org/ |
| code-projects--Library System | A vulnerability was found in code-projects Library System 1.0. This impacts an unknown function of the file /return.php. The manipulation of the argument ID results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-11-24 | 6.3 | CVE-2025-13579 | VDB-333343 \| code-projects Library System return.php sql injection VDB-333343 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699515 \| code-projects Library System 1.0 SQL Injection https://github.com/rassec2/dbcve/issues/2 https://code-projects.org/ |
| code-projects--Library System | A vulnerability was determined in code-projects Library System 1.0. Affected is an unknown function of the file /mail.php. This manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-24 | 6.3 | CVE-2025-13580 | VDB-333344 \| code-projects Library System mail.php sql injection VDB-333344 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699534 \| code-projects Library System 1.0 mail.php SQL Injection https://github.com/rassec2/dbcve/issues/3 https://code-projects.org/ |
| code-projects--Online Bidding System | A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-11-24 | 4.7 | CVE-2025-13574 | VDB-333338 \| code-projects Online Bidding System addcategory.php categoryadd unrestricted upload VDB-333338 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698717 \| https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload Submit #698718 \| https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload (Duplicate) https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md https://code-projects.org/ |
| contao--contao | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method. | 2025-11-25 | 6.6 | CVE-2025-65960 | https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r https://contao.org/en/security-advisories/remote-code-execution-in-template-closures |
| deco-cx--apps | A security vulnerability has been detected in deco-cx apps up to 0.120.1. Affected by this vulnerability is the function AnalyticsScript of the file website/loaders/analyticsScript.ts of the component Parameter Handler. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.120.2 addresses this issue. It is suggested to upgrade the affected component. | 2025-11-30 | 6.3 | CVE-2025-13796 | VDB-333807 \| deco-cx apps Parameter analyticsScript.ts AnalyticsScript server-side request forgery VDB-333807 \| CTI Indicators (IOB, IOC, IOA) Submit #691837 \| Deco deco-apps 0.114.12 - 0.120.1 Server-Side Request Forgery https://github.com/deco-cx/apps/pull/1360 https://github.com/deco-cx/apps/releases/tag/0.120.2 |
| docjojo--atec Duplicate Page & Post | The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure. | 2025-11-25 | 5.3 | CVE-2025-13404 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a793b24f-979e-4209-93f7-cff8d3867a7d?source=cve https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.20/includes/atec-wpdpp-hooks.php#L27 https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.21/includes/atec-wpdpp-hooks.php#L27 |
| emrevona--WP Fastest Cache | The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate several database fix actions. This only affects sites with premium activated. | 2025-11-27 | 4.3 | CVE-2025-10476 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c24cf4de-1392-43a8-85a5-8c66c00c44d7?source=cve https://research.cleantalk.org/cve-2025-10476 https://plugins.trac.wordpress.org/changeset?old_path=/wp-fastest-cache/tags/1.4.0&new_path=/wp-fastest-cache/tags/1.4.1&sfp_email=&sfph_mail= |
| era404--StaffList | The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-27 | 4.4 | CVE-2025-12185 | https://www.wordfence.com/threat-intel/vulnerabilities/id/45b9f761-1634-4f70-8c25-956d369cb6d8?source=cve https://wordpress.org/plugins/stafflist/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402164%40stafflist&new=3402164%40stafflist&sfp_email=&sfph_mail= |
| evolurise--Conditionnal Maintenance Mode for WordPress | The Conditional Maintenance Mode for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation when toggling the maintenance mode status. This makes it possible for unauthenticated attackers to enable or disable the site's maintenance mode via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-25 | 4.3 | CVE-2025-12586 | https://www.wordfence.com/threat-intel/vulnerabilities/id/535f1d8a-8266-4f90-82fa-9c32181bf277?source=cve https://plugins.trac.wordpress.org/browser/maintenance-mode-based-on-user-roles/tags/1.0.0/Maintenance_mode.php#L178 |
| favethemes--Houzez | The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-11-26 | 6.1 | CVE-2025-9163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e177f3-fb24-4dd5-80d5-19b113d5f527?source=cve https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog |
| favethemes--Houzez | The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-11-26 | 6.3 | CVE-2025-9191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b1c450d9-42d8-40f5-84fc-1bc0c8cfcf9b?source=cve https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog |
| fonttools--fonttools | fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2. | 2025-11-29 | 6.3 | CVE-2025-66034 | https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32 |
| galdub--Folders Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | The Folders - Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'wcp_change_post_folder' function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to move arbitrary folder contents to arbitrary folders. | 2025-11-27 | 4.3 | CVE-2025-12971 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3845071-8419-4bb2-b22d-f9ae22fb7d6a?source=cve https://research.cleantalk.org/cve-2025-12971/ https://plugins.trac.wordpress.org/browser/folders/trunk/includes/folders.class.php#L3291 https://plugins.trac.wordpress.org/changeset/3402986/ |
| geoserver--geoserver | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0. | 2025-11-25 | 6.1 | CVE-2025-21621 | https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72 https://github.com/geoserver/geoserver/pull/7406 https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d https://osgeo-org.atlassian.net/browse/GEOS-11297 |
| getformwork--formwork | Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker-controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. | 2025-11-25 | 6.5 | CVE-2025-65956 | https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj https://github.com/getformwork/formwork/pull/791 https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests. | 2025-11-26 | 6.5 | CVE-2025-12653 | GitLab Issue #579372 HackerOne Bug Bounty Report #3370245 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing. | 2025-11-26 | 6.5 | CVE-2025-7449 | GitLab Issue #554938 HackerOne Bug Bounty Report #3215054 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. | 2025-11-26 | 4.3 | CVE-2025-6195 | GitLab Issue #549937 HackerOne Bug Bounty Report #3155693 |
| gungorbudak--Shouty | The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12712 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28252c89-a2db-441a-93e6-f051f3649fea?source=cve https://plugins.trac.wordpress.org/browser/shouty/tags/0.2.1/shouty.php#L138 https://plugins.trac.wordpress.org/browser/shouty/tags/0.2.1/shouty.php#L139 |
| gwendydd--Chamber Dashboard Business Directory | The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details. | 2025-11-25 | 5.3 | CVE-2025-13414 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1896885a-a104-464a-bb57-2c3c73ff9415?source=cve https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/trunk/options.php#L850 https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/tags/3.3.11/options.php#L850 |
| Huawei--HarmonyOS | Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 6.2 | CVE-2025-58294 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Identity authentication bypass vulnerability in the Gallery app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 6.2 | CVE-2025-58305 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 6.4 | CVE-2025-58307 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the startup recovery module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 6.8 | CVE-2025-58309 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Vulnerability of accessing invalid memory in the component driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 6.6 | CVE-2025-58314 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | UAF vulnerability in the USB driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 5.8 | CVE-2025-58311 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the App Lock module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 5.1 | CVE-2025-58312 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the Wi-Fi module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 5.5 | CVE-2025-58315 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 5.1 | CVE-2025-64311 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 5.3 | CVE-2025-64313 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 4.9 | CVE-2025-58304 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 4.9 | CVE-2025-64312 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Configuration defect vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect app data confidentiality and integrity. | 2025-11-28 | 4.4 | CVE-2025-64315 | https://consumer.huawei.com/cn/support/bulletinlaptops/2025/11/ |
| humhub--cfiles | Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2. | 2025-11-25 | 5.4 | CVE-2025-65963 | https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4 https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09 |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2025-11-24 | 5.9 | CVE-2025-36150 | https://www.ibm.com/support/pages/node/7252019 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user. | 2025-11-24 | 5.3 | CVE-2025-36112 | https://www.ibm.com/support/pages/node/7252197 |
| Iteras--Peppol-py | Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. | 2025-11-28 | 5 | CVE-2025-66371 | https://github.com/iterasdev/peppol-py/pull/16 https://github.com/iterasdev/peppol-py/releases/tag/1.1.1 |
| itsourcecode--Student Information System | A vulnerability was identified in itsourcecode Student Information System 1.0. Affected by this vulnerability is an unknown functionality of the file /schedule_edit1.php. Such manipulation of the argument schedule_id leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-11-24 | 6.3 | CVE-2025-13581 | VDB-333345 \| itsourcecode Student Information System schedule_edit1.php sql injection VDB-333345 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699516 \| itsourcecode Student Information System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/14 https://itsourcecode.com/ |
| karthiksg--Inline frame Iframe | The Inline frame - Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-25 | 6.4 | CVE-2025-12645 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76 |
| KDE--Krita | In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative. | 2025-11-26 | 6.7 | CVE-2025-59820 | https://invent.kde.org/graphics/krita/ https://kde.org/info/security/advisory-20250929-1.txt https://invent.kde.org/graphics/krita/-/commit/6d3651ac4df88efb68e013d21061de9846e83fe8 |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, this vulnerability could allow an external attacker to gain access to log information from the system by tricking an administrator into browsing a specifically crafted fake page of Kiteworks MFT. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.8 | CVE-2025-53897 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cxwc-7899-3h4m |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions in Kiteworks MFT on managing Connections could lead to unexpected escalation of privileges for authorized users. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.5 | CVE-2025-53900 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-gjq3-8v6p-2h6h |
| kiteworks--security-advisories | Kiteworks is a private data network (PDN). Prior to version 9.1.0, improper input validation when managing roles of a shared folder could lead to unexpected elevation of another user's permissions on the share. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.3 | CVE-2025-53939 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-hpf5-6376-2565 |
| kivitendo--kivitendo | Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem. | 2025-11-28 | 5 | CVE-2025-66370 | https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9 https://blog.kivitendo.de/?p=1415 |
| liquidthemes--AI Engine for WordPress: ChatGPT, GPT Content Generator | The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint and the use of file_get_contents() with user-controlled URLs without protocol restrictions in the insert_image() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-11-25 | 6.5 | CVE-2025-13380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae0abace-9bf6-4ef9-a9b8-7efffbf25628?source=cve https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L83 https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L315 https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L423 https://github.com/d0n601/CVE-2025-13380 https://ryankozak.com/posts/cve-2025-13380/ |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-27 | 6.1 | CVE-2025-13525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/01cd3631-93fb-4016-baa4-8ea11b21acec?source=cve https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L38 https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L39 https://wordpress.org/plugins/wpdirectorykit/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401078%40wpdirectorykit&new=3401078%40wpdirectorykit&sfp_email=&sfph_mail= |
| lKinderBueno--Streamity Xtream IPTV Player | A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component. | 2025-11-24 | 6.3 | CVE-2025-13588 | VDB-333352: lKinderBueno Streamity Xtream IPTV Player proxy.php server-side request forgery; VDB-333352: CTI Indicators (IOB, IOC, IOA); Submit #687573: lKinderBueno Streamity Xtream IPTV Web player 2.8 Server-Side Request Forgery; https://github.com/lakshayyverma/CVE-Discovery/blob/main/Streamity.md https://github.com/lKinderBueno/Streamity-Xtream-IPTV-Web-player/commit/c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92 https://github.com/lKinderBueno/Streamity-Xtream-IPTV-Web-player/releases/tag/v2.8.1 |
| lyrathemes--Social Images Widget | The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options_update' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-25 | 5.3 | CVE-2025-13386 | https://www.wordfence.com/threat-intel/vulnerabilities/id/95ab7473-e368-47ad-a8a0-0efbdafce562?source=cve https://plugins.trac.wordpress.org/browser/social-images-widget/tags/2.1/class-social-images-widget-settings.php#L44 https://plugins.trac.wordpress.org/browser/social-images-widget/trunk/class-social-images-widget-settings.php#L44 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 - #164, an authorization bypass vulnerability in the AJAX flagging system allows any unauthenticated user to flag any content (users, videos, photos, collections) on the platform. This can lead to mass flagging attacks, content disruption, and moderation system abuse. This issue has been patched in version 5.5.2 - #164. | 2025-11-29 | 6.5 | CVE-2025-65113 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-9f8v-vph8-pq6q https://github.com/MacWarrior/clipbucket-v5/commit/a83b807e592f85d98f1f156bd3cbb1ffcc230233 |
| mahabubs--YouTube Subscribe | The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-25 | 4.4 | CVE-2025-12025 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9996cdc7-4d97-4b27-b697-09bbdbcd865d?source=cve https://wordpress.org/plugins/easy-youtube-subscribe/ https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L242 https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L246 |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint | 2025-11-27 | 4.3 | CVE-2025-12559 | https://mattermost.com/security-updates |
| MISP--MISP | app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. | 2025-11-28 | 4.1 | CVE-2025-66386 | https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce https://github.com/MISP/MISP/compare/v2.5.26...v2.5.27 |
| Mitsubishi Electric Corporation--GX Works2 | Cleartext Storage of Sensitive Information Vulnerability in GX Works2 all versions allows an attacker to disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information. | 2025-11-27 | 5.5 | CVE-2025-3784 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-016_en.pdf https://jvn.jp/vu/JVNVU95288056/ |
| MongoDB Inc.--MongoDB Server | Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1. | 2025-11-25 | 6.5 | CVE-2025-13507 | https://jira.mongodb.org/browse/SERVER-108565 |
| MongoDB Inc.--MongoDB Server | MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2 | 2025-11-25 | 6.5 | CVE-2025-13644 | https://jira.mongodb.org/browse/SERVER-101180 |
| MongoDB Inc.--MongoDB Server | Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2 | 2025-11-25 | 4.2 | CVE-2025-12893 | https://jira.mongodb.org/browse/SERVER-105783 |
| n/a--Scada-LTS | A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Such manipulation leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 6.3 | CVE-2025-13791 | VDB-333795: Scada-LTS Project Import ZIPProjectManager.java Common.getHomeDir path traversal; VDB-333795: CTI Indicators (IOB, IOC, TTP, IOA); Submit #690873: SCADA-LTS Project Scada-LTS <= commit 1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d Path traversal / Zip Slip leading to arbitrary file write; https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md#proof-of-concept |
| n/a--Scada-LTS | A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13790 | VDB-333794: Scada-LTS cross-site request forgery; VDB-333794: CTI Indicators (IOB, IOC); Submit #690871: SCADA-LTS Project Scada-LTS <=1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d Cross-Site Request Forgery (CSRF); https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-CSRF-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-CSRF-1/report.md#proof-of-concept |
| n/a--ZenTao | A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 21.7.6 mitigates this issue. It is suggested to upgrade the affected component. | 2025-11-30 | 6.3 | CVE-2025-13789 | VDB-333793: ZenTao model.php makeRequest server-side request forgery; VDB-333793: CTI Indicators (IOB, IOC, IOA); Submit #690728: Zentao PMS <=21.7.6-85642 SSRF; https://github.com/ez-lbz/ez-lbz.github.io/issues/2 https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issuecomment-3540247346 https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issue-3598317459 https://www.zentao.net/extension-viewext-6.html |
| n/a--ZenTao | A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component. | 2025-11-30 | 5.4 | CVE-2025-13787 | VDB-333791: ZenTao File control.php delete privileges management; VDB-333791: CTI Indicators (IOB, IOC, TTP, IOA); Submit #689892: Zentao PMS <=21.7.6-85642 Privilege Escalation; https://github.com/ez-lbz/ez-lbz.github.io/issues/1 https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868 https://www.zentao.net/extension-buyext-1601-download.html |
| nextendweb--Nextend Social Login and Register | The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-28 | 4.3 | CVE-2025-13737 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6b747e-d267-4fd3-a4fd-022aa657c796?source=cve https://plugins.trac.wordpress.org/browser/nextend-facebook-connect/tags/3.1.21/includes/provider.php#L772 https://plugins.trac.wordpress.org/changeset/3404174/nextend-facebook-connect/trunk/includes/provider.php |
| nmedia--Admin and Customer Messages After Order for WooCommerce: OrderConvo | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID. | 2025-11-25 | 5.3 | CVE-2025-13389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142 |
| nmedia--Admin and Customer Messages After Order for WooCommerce: OrderConvo | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters. | 2025-11-25 | 4.3 | CVE-2025-13452 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1dd87c-cc28-43b3-8378-4583dc6de195?source=cve https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L56 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L56 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L113 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L113 |
| nmedia--Frontend File Manager Plugin | The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter. | 2025-11-25 | 4.3 | CVE-2025-13382 | https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d5feb-2ae9-44b8-90b5-9fc67226855a?source=cve https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L20 https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L52 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 6.7 | CVE-2025-33190 | https://nvd.nist.gov/vuln/detail/CVE-2025-33190 https://www.cve.org/CVERecord?id=CVE-2025-33190 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in OSROOT firmware, where an attacker could cause an invalid memory read. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 5.7 | CVE-2025-33191 | https://nvd.nist.gov/vuln/detail/CVE-2025-33191 https://www.cve.org/CVERecord?id=CVE-2025-33191 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an arbitrary memory read. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 5.7 | CVE-2025-33192 | https://nvd.nist.gov/vuln/detail/CVE-2025-33192 https://www.cve.org/CVERecord?id=CVE-2025-33192 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper validation of integrity. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 5.7 | CVE-2025-33193 | https://nvd.nist.gov/vuln/detail/CVE-2025-33193 https://www.cve.org/CVERecord?id=CVE-2025-33193 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of input data. A successful exploit of this vulnerability might lead to information disclosure or denial of service. | 2025-11-25 | 5.7 | CVE-2025-33194 | https://nvd.nist.gov/vuln/detail/CVE-2025-33194 https://www.cve.org/CVERecord?id=CVE-2025-33194 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause unexpected memory buffer operations. A successful exploit of this vulnerability might lead to data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 4.4 | CVE-2025-33195 | https://nvd.nist.gov/vuln/detail/CVE-2025-33195 https://www.cve.org/CVERecord?id=CVE-2025-33195 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 4.4 | CVE-2025-33196 | https://nvd.nist.gov/vuln/detail/CVE-2025-33196 https://www.cve.org/CVERecord?id=CVE-2025-33196 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a NULL pointer dereference. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 4.3 | CVE-2025-33197 | https://nvd.nist.gov/vuln/detail/CVE-2025-33197 https://www.cve.org/CVERecord?id=CVE-2025-33197 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| Open-Xchange GmbH--OX App Suite | Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known. | 2025-11-27 | 6.1 | CVE-2025-59025 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH--OX App Suite | Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-30186 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH--OX App Suite | Malicious content in office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-30190 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH--OX App Suite | Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-59026 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| OpenPrinting--cups | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the CUPS web UI to change the config and insert a malicious line. The cupsd process, which runs as root, will then parse the new config and cause an out-of-bound write. This issue has been patched in version 2.4.15. | 2025-11-29 | 6 | CVE-2025-61915 | https://github.com/OpenPrinting/cups/security/advisories/GHSA-hxm8-vfpq-jrfc https://github.com/OpenPrinting/cups/commit/db8d560262c22a21ee1e55dfd62fa98d9359bcb0 https://github.com/OpenPrinting/cups/releases/tag/v2.4.15 |
| OpenPrinting--cups | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue has been patched in version 2.4.15. | 2025-11-29 | 5.1 | CVE-2025-58436 | https://github.com/OpenPrinting/cups/security/advisories/GHSA-8wpw-vfgm-qrrr https://github.com/OpenPrinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4 https://github.com/OpenPrinting/cups/releases/tag/v2.4.15 |
| oscaruh--Google Drive upload and download link | The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter of the 'atachfilegoogle' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12666 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14ee4247-4cfe-440b-add2-d5d840b1f114?source=cve https://plugins.trac.wordpress.org/browser/google-drive-upload-and-download-link/tags/1.0/pickergoogledirve.php#L27 https://wordpress.org/plugins/google-drive-upload-and-download-link/ |
| ov3rkll--ProjectList | The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-25 | 4.9 | CVE-2025-13370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e424d27b-f719-4fbf-b4eb-83b42130666c?source=cve https://it.wordpress.org/plugins/projectlist/ https://plugins.trac.wordpress.org/browser/projectlist/trunk/pages/pl-add.php#L61 https://plugins.trac.wordpress.org/browser/projectlist/tags/0.3.0/pages/pl-add.php#L61 |
| Oxide--Omicron | In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date. | 2025-11-30 | 5 | CVE-2025-66432 | https://docs.oxide.computer/security/advisories/20251117-1 https://oxide.computer/ https://github.com/oxidecomputer/omicron/compare/01bb875...ec069f0 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51. | 2025-11-24 | 6.1 | CVE-2025-64505 | https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42 https://github.com/pnggroup/libpng/pull/748 https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51. | 2025-11-24 | 6.1 | CVE-2025-64506 | https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6 https://github.com/pnggroup/libpng/pull/749 https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821 |
| pr-gateway--Blog2Social: Social Media Auto Post & Scheduler | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash. | 2025-11-25 | 5.4 | CVE-2025-13558 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61b590f5-7854-42f7-b5e2-e6feaaf03a73?source=cve https://plugins.trac.wordpress.org/browser/blog2social/tags/8.7.0/includes/Ajax/Post.php#L1858 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php?rev=3401934#L1867 |
| presstigers--Simple Folio | The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'portfolio_name' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12151 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c7b9827-59a7-4a8f-88d5-0b27c3ea2925?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401878%40simple-folio&new=3401878%40simple-folio&sfp_email=&sfph_mail= |
| qodeinteractive--QODE Wishlist for WooCommerce | The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists. | 2025-11-27 | 5.3 | CVE-2025-13157 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b15d1992-ecf9-4253-b832-056b34f42b48?source=cve https://plugins.trac.wordpress.org/browser/qode-wishlist-for-woocommerce/trunk/inc/wishlist/shortcodes/wishlist-table/helper-ajax.php#L95 https://plugins.trac.wordpress.org/changeset/3402469/ |
| quadlayers--Perfect Brands for WooCommerce | The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-24 | 6.5 | CVE-2025-10144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4618bfd-77d9-4396-b041-d7ba0f6ec75a?source=cve https://plugins.trac.wordpress.org/browser/perfect-woocommerce-brands/tags/3.6.0/lib/class-woocommerce.php#L112 |
| quadlayers--Search Exclude | The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the Base::get_rest_permission() method in all versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings, such as adding arbitrary posts to the search exclusion list. | 2025-11-25 | 4.3 | CVE-2025-10646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f62d05-84fb-4cd6-9e5f-0dcfa305ce68?source=cve https://plugins.trac.wordpress.org/changeset/3379004/search-exclude |
| realin--wp-twitpic | The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12670 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb36fd27-bcea-481c-a7aa-815dc684ed8b?source=cve https://wordpress.org/plugins/wp-twitpic/ https://plugins.trac.wordpress.org/browser/wp-twitpic/tags/1.0/wp-twitpic.php#L42 |
| Red Hat--Red Hat build of Keycloak 26.2 | A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. | 2025-11-25 | 5.5 | CVE-2025-13467 | RHSA-2025:22088 RHSA-2025:22089 RHSA-2025:22090 RHSA-2025:22091 https://access.redhat.com/security/cve/CVE-2025-13467 RHBZ#2416038 |
| Red Hat--Red Hat OpenStack Platform 13 (Queens) | The mistral-dashboard plugin for OpenStack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of the content of arbitrary local files. | 2025-11-26 | 6.5 | CVE-2021-4472 | https://access.redhat.com/security/cve/CVE-2021-4472 https://bugs.launchpad.net/horizon/+bug/1931558 RHBZ#2417321 https://review.opendev.org/c/openstack/mistral-dashboard/+/800952 https://review.opendev.org/c/openstack/python-mistralclient/+/800950 |
| redaxo--redaxo | REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. | 2025-11-26 | 6.1 | CVE-2025-66026 | https://github.com/redaxo/redaxo/security/advisories/GHSA-x6vr-q3vf-vqgq https://github.com/redaxo/redaxo/commit/58929062312cf03e344ab04067a365e6b6ee66aa |
| rnags--Reuters Direct | The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings. | 2025-11-27 | 5.3 | CVE-2025-12579 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4360f293-201c-40c1-9603-931d72cc79bc?source=cve https://wordpress.org/plugins/reuters-direct/ |
| rnags--Reuters Direct | The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-27 | 4.3 | CVE-2025-12578 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e98a899-1578-45bf-ba1d-92703e38abd9?source=cve https://wordpress.org/plugins/reuters-direct/ |
| shapedplugin--Quick View for WooCommerce | The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to. | 2025-11-27 | 5.3 | CVE-2025-12584 | https://www.wordfence.com/threat-intel/vulnerabilities/id/809472d5-1698-42da-b414-1dda40983a6e?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402213%40woo-quickview&new=3402213%40woo-quickview&sfp_email=&sfph_mail= |
| sigalitam--Just Highlight | The Just Highlight plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Highlight Color' setting in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page. | 2025-11-25 | 4.4 | CVE-2025-13311 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d21187bc-5bd0-49b9-9ef2-6654263cd93c?source=cve https://plugins.trac.wordpress.org/browser/just-highlight/trunk/just-highlight.php#L169 https://plugins.trac.wordpress.org/browser/just-highlight/tags/1.0.3/just-highlight.php#L169 |
| SourceCodester--Online Student Clearance System | A flaw has been found in SourceCodester Online Student Clearance System 1.0. Impacted is an unknown function of the file /Admin/changepassword.php. This manipulation of the argument txtconfirm_password causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-11-24 | 4.7 | CVE-2025-13586 | VDB-333350 \| SourceCodester Online Student Clearance System changepassword.php sql injection VDB-333350 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700130 \| SourceCodester Online Student Clearance System 1.0 SQL Injection https://github.com/CaseyW33/CVE/issues/2 https://www.sourcecodester.com/ |
| sscovil--SortTable Post | The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction. | 2025-11-27 | 6.4 | CVE-2025-12649 | https://www.wordfence.com/threat-intel/vulnerabilities/id/80c700fa-619f-4ffe-a09a-bcdae2f71a7d?source=cve https://plugins.trac.wordpress.org/browser/sorttable-post/tags/4.2/sorttablepost.php#L100 |
| sunarc--Refund Request for WooCommerce | The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected. | 2025-11-25 | 4.3 | CVE-2025-12634 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve https://wordpress.org/plugins/refund-request-for-woocommerce/ |
| taosir--WTCMS | A security flaw has been discovered in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. This affects the function check/uncheck/delete of the file application/Comment/Controller/CommentadminController.class.php of the component CommentadminController. The manipulation of the argument ids results in SQL injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 6.3 | CVE-2025-13783 | VDB-333787 \| taosir WTCMS CommentadminController CommentadminController.class.php delete sql injection VDB-333787 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688838 \| wtcms cms 1.0 SQL Injection Submit #688839 \| wtcms cms 1.0 SQL Injection (Duplicate) https://www.yuque.com/shangu-vvuup/ydpg69/dd5zpygt7w5w4d19?singleDoc |
| themehunk--Wishlist for WooCommerce | The Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.9 via several functions in class-th-wishlist-frontend.php due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to modify other users' wishlists. | 2025-11-25 | 6.5 | CVE-2025-12040 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d7c8f79-4dfd-4d6f-b533-dc7a5998dfc1?source=cve https://wordpress.org/plugins/th-wishlist/ |
| themesupport--Hide Category by User Role for WooCommerce | The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache_flush(). This makes it possible for unauthenticated attackers to flush the site's object cache via forged requests, potentially degrading site performance. | 2025-11-27 | 5.3 | CVE-2025-13441 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b05b0f6d-ffa4-40f4-b969-1153192c52d6?source=cve https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/trunk/admin/admin-ui-setup.php#L165 https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/tags/2.3.1/admin/admin-ui-setup.php#L165 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402760%40hide-category-by-user-role-for-woocommerce&new=3402760%40hide-category-by-user-role-for-woocommerce&sfp_email=&sfph_mail= |
| trustindex--Customer Reviews Collector for WooCommerce | The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-27 | 6.1 | CVE-2025-12123 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6091e396-8cd8-4c56-89cb-7699adb3d798?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389840%40customer-reviews-collector-for-woocommerce&new=3389840%40customer-reviews-collector-for-woocommerce&sfp_email=&sfph_mail= |
| Tryton--sao | Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67. | 2025-11-30 | 5.4 | CVE-2025-66420 | https://discuss.tryton.org/t/security-release-for-issue-14290/8895 https://foss.heptapod.net/tryton/tryton/-/issues/14290 |
| Tryton--sao | Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | 2025-11-30 | 5.4 | CVE-2025-66421 | https://discuss.tryton.org/t/security-release-for-issue-14363/8951 https://foss.heptapod.net/tryton/tryton/-/issues/14363 |
| Tryton--trytond | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 6.5 | CVE-2025-66424 | https://discuss.tryton.org/t/security-release-for-issue-14366/8953 https://foss.heptapod.net/tryton/tryton/-/issues/14366 |
| Tryton--trytond | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 4.3 | CVE-2025-66422 | https://discuss.tryton.org/t/security-release-for-issue-14354/8950 https://foss.heptapod.net/tryton/tryton/-/issues/14354 |
| Uniong--WebITR | WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-28 | 6.5 | CVE-2025-13769 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| Uniong--WebITR | WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-28 | 6.5 | CVE-2025-13770 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| Uniong--WebITR | WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-11-28 | 6.5 | CVE-2025-13771 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| vithanhlam--Zweb Social Mobile - Ứng Dụng Nút Gọi Mobile | The Zweb Social Mobile - Ứng Dụng Nút Gọi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vithanhlam_zsocial_save_messager', 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact' parameters in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-25 | 4.4 | CVE-2025-12032 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26d12c52-d08f-4a6c-ba59-0e26dfb33ae5?source=cve https://wordpress.org/plugins/zweb-social-mobile/ |
| webgarh--Peer Publish | The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-25 | 4.3 | CVE-2025-12587 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fffa6c31-8da0-48d7-b603-64f50950787b?source=cve https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/newwebsite.php#L17 https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/websites.php#L20 |
| winston-dsouza--Ecommerce-Website | A weakness has been identified in winston-dsouza Ecommerce-Website up to 87734c043269baac0b4cfe9664784462138b1b2e. Affected by this issue is some unknown functionality of the file /includes/header_menu.php of the component GET Parameter Handler. Executing manipulation of the argument Error can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13793 | VDB-333797 \| winston-dsouza Ecommerce-Website GET Parameter header_menu.php cross site scripting VDB-333797 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691622 \| ecommerce-website-master web 1 XSS vulnerability https://github.com/dream357/report/blob/main/ecommerce-website.docx |
| Wireshark Foundation--Wireshark | BPv7 dissector crash in Wireshark 4.6.0 allows denial of service | 2025-11-26 | 5.5 | CVE-2025-13674 | https://www.wireshark.org/security/wnpa-sec-2025-05.html GitLab Issue #20770 |
| wisc--HTCondor | HTCondor Access Point before 25.3.1 allows an authenticated user to impersonate other users on the local machine by submitting a batch job. This is fixed in 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3. | 2025-11-30 | 4.2 | CVE-2025-66433 | https://htcondor.org/security/vulnerabilities/HTCONDOR-2025-0002.html |
| wpoets--Soundslides | The Soundslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the soundslides shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12713 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd7e9d1-a580-4b32-9365-7ce17cdc37cd?source=cve https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L101 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L102 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L117 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L143 |
| yungifez--Skuul School Management System | A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13785 | VDB-333789 \| yungifez Skuul School Management System Image profile information disclosure VDB-333789 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689026 \| yungifez Skuul v2.6.5 Exposure of Sensitive Information Through Metadata https://gist.github.com/thezeekhan/02f5255506080849fc732eea07008634 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| codingWithElias--School Management System | A weakness has been identified in codingWithElias School Management System up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. Affected is an unknown function of the file /student-view.php of the component Edit Student Info Page. This manipulation of the argument First Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 2.4 | CVE-2025-13795 | VDB-333806 \| codingWithElias School Management System Edit Student Info student-view.php cross site scripting VDB-333806 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691836 \| school-management-system-php web 1 XSS vulnerability https://github.com/Al1ce258/MY-CVE-REPORTS/blob/main/school-management-system.md |
| contao--contao | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patching them manually. | 2025-11-25 | 3.3 | CVE-2025-65961 | https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc https://contao.org/en/security-advisories/cross-site-scripting-in-templates |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions. | 2025-11-26 | 2 | CVE-2025-13611 | GitLab Issue #545947 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. | 2025-11-25 | 3.7 | CVE-2025-36134 | https://www.ibm.com/support/pages/node/7252210 |
| KDE--Skanpage | In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use of QIODevice::ReadWrite instead of QIODevice::WriteOnly. | 2025-11-26 | 3.2 | CVE-2025-55174 | https://github.com/KDE/skanpage/tags https://invent.kde.org/utilities/skanpage/-/commit/de3ad2941054a26920e022dc7c4a3dc16c065b5a https://kde.org/info/security/advisory-20250811-1.txt |
| libexpat project--libexpat | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | 2025-11-28 | 2.9 | CVE-2025-66382 | https://github.com/libexpat/libexpat/issues/1076 |
| MongoDB Inc.--MongoDB Server | A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14. | 2025-11-25 | 3.1 | CVE-2025-13643 | https://jira.mongodb.org/browse/SERVER-103582 |
| motogadget--mo.lock Ignition Lock | A vulnerability was determined in motogadget mo.lock Ignition Lock up to 20251125. Affected by this vulnerability is an unknown functionality of the component NFC Handler. Executing manipulation can lead to use of hard-coded cryptographic key. The physical device can be targeted for the attack. A high complexity level is associated with this attack. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-29 | 2 | CVE-2025-6666 | VDB-333785 \| motogadget mo.lock Ignition Lock NFC hard-coded key VDB-333785 \| CTI Indicators (IOB, IOC, TTP) Submit #701162 \| motogadget mo.lock NFC CWE-290, CWE-327, CWE-1394 https://office.dngr.us/s/iZHrwtf2xRPoeJj/download |
| mustangproject--Mustang | Mustang before 2.16.3 allows exfiltrating files via XXE attacks. | 2025-11-28 | 2.8 | CVE-2025-66372 | https://github.com/ZUGFeRD/mustangproject/issues/685 https://github.com/ZUGFeRD/mustangproject/pull/725 https://github.com/ZUGFeRD/mustangproject/releases/tag/core-2.16.3 |
| n/a--Eigenfocus | A security vulnerability has been detected in Eigenfocus up to 1.4.0. This vulnerability affects unknown code of the component Description Handler. The manipulation of the argument entry.description/time_entry.description leads to cross site scripting. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.4.1 resolves this issue. The identifier of the patch is 7dec94c9d1f3e513e0ee38ba68caaba628e08582. Upgrading the affected component is advised. | 2025-11-24 | 3.5 | CVE-2025-13584 | VDB-333348 \| Eigenfocus Description cross site scripting VDB-333348 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699689 \| Eigenfocus Eigenfocus Free Edition 1.4.0 Cross Site Scripting https://github.com/Stolichnayer/eigenfocus-stored-xss https://github.com/Eigenfocus/eigenfocus/pull/358 https://github.com/Eigenfocus/eigenfocus/commit/7dec94c9d1f3e513e0ee38ba68caaba628e08582 https://github.com/Eigenfocus/eigenfocus/releases/tag/v1.4.1-free |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 3.3 | CVE-2025-33198 | https://nvd.nist.gov/vuln/detail/CVE-2025-33198 https://www.cve.org/CVERecord?id=CVE-2025-33198 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause incorrect control flow behavior. A successful exploit of this vulnerability might lead to data tampering. | 2025-11-25 | 3.2 | CVE-2025-33199 | https://nvd.nist.gov/vuln/detail/CVE-2025-33199 https://www.cve.org/CVERecord?id=CVE-2025-33199 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 2.3 | CVE-2025-33200 | https://nvd.nist.gov/vuln/detail/CVE-2025-33200 https://www.cve.org/CVERecord?id=CVE-2025-33200 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| PHPGurukul--Hostel Management System | A flaw has been found in PHPGurukul Hostel Management System 2.1. The impacted element is an unknown function of the file /register-complaint.php. Executing manipulation of the argument cdetails can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-11-24 | 3.5 | CVE-2025-13577 | VDB-333341 \| PHPGurukul Hostel Management System register-complaint.php cross site scripting VDB-333341 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698995 \| PHPGurukul Hostel Management System 2.1 Stored Cross Site Scripting https://phpgurukul.com/ |
| Splunk--Splunk Add-on for Palo Alto Networks | In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new "Data Security Accounts". The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information. | 2025-11-26 | 2.7 | CVE-2025-20373 | https://advisory.splunk.com/advisories/SVD-2025-1105 |
| spotipy-dev--spotipy | Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2. | 2025-11-26 | 3.6 | CVE-2025-66040 | https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767 |
| VictoriaMetrics--VictoriaMetrics | VictoriaMetrics is a scalable solution for monitoring and managing time series data. In versions from 1.0.0 to before 1.110.23, from 1.111.0 to before 1.122.8, and from 1.123.0 to before 1.129.1, affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. This issue has been patched in versions 1.110.23, 1.122.8, and 1.129.1. | 2025-11-25 | 2.7 | CVE-2025-65942 | https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5 https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1 |
| yungifez--Skuul School Management System | A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross site scripting. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 2.4 | CVE-2025-13784 | VDB-333788 \| yungifez Skuul School Management System SVG File edit cross site scripting VDB-333788 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689012 \| yungifez Skuul v2.6.5 Open Redirect https://gist.github.com/thezeekhan/7fc54fd44bc5f318be0350b367b2d8ff |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ACE SECURITY--WIP-90113 HD Camera | ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36874 | https://packetstorm.news/files/id/156497/ https://cxsecurity.com/issue/WLB-2020020137 https://acesecurity.jp/support/top/wip_series/wip-90113 https://www.vulncheck.com/advisories/ace-security-wip90113-unauthenticated-config-disclosure |
| anchore--grype | Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options. | 2025-11-25 | not yet calculated | CVE-2025-65965 | https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646 https://github.com/anchore/grype/pull/3068 https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1 |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs. | 2025-11-26 | not yet calculated | CVE-2025-66035 | https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37 https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e https://github.com/angular/angular/releases/tag/19.2.16 https://github.com/angular/angular/releases/tag/20.3.14 https://github.com/angular/angular/releases/tag/21.0.1 |
| Apache Software Foundation--Apache CloudStack | In Apache CloudStack, an Improper Control of Generation of Code ('Code Injection') vulnerability is found in the following APIs, which are accessible only to admins: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage. This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk. | 2025-11-27 | not yet calculated | CVE-2025-59302 | https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788 |
| Apache Software Foundation--Apache CloudStack | In Apache CloudStack, a gap in access control checks affected the following APIs: createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, and listVolumesUsageHistory. While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue. | 2025-11-27 | not yet calculated | CVE-2025-59454 | https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc |
| Apache Software Foundation--Apache Druid | Apache Druid's Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`. This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue by making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set. | 2025-11-26 | not yet calculated | CVE-2025-59390 | https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8 |
| Apache Software Foundation--Apache Hive | SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public. | 2025-11-26 | not yet calculated | CVE-2025-62728 | https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g |
| Apache Software Foundation--Apache Kvrocks | Improper Privilege Management vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. | 2025-11-28 | not yet calculated | CVE-2025-59790 | https://lists.apache.org/thread/dlbz5hmm4ts3npzqnvhofxmqg9w9zt0o |
| Apache Software Foundation--Apache Kvrocks | Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. | 2025-11-28 | not yet calculated | CVE-2025-59792 | https://lists.apache.org/thread/h2pcvr5p9otc7dnj2dt2nr4b3omghddw |
| Apache Software Foundation--Apache SkyWalking | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking. This issue affects Apache SkyWalking: <= 10.2.0. Users are recommended to upgrade to version 10.3.0, which fixes the issue. | 2025-11-27 | not yet calculated | CVE-2025-54057 | https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr |
| Apache Software Foundation--Apache Syncope | Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker who has obtained access to the internal database content to reconstruct the original cleartext password values. This does not affect encrypted plain attributes, whose values are also stored using AES encryption. Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue. | 2025-11-24 | not yet calculated | CVE-2025-65998 | https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts |
| Ashlar-Vellum--Cobalt | An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. | 2025-11-25 | not yet calculated | CVE-2025-65084 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 |
| Ashlar-Vellum--Cobalt | A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. | 2025-11-25 | not yet calculated | CVE-2025-65085 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 |
| Astak--CM-818T3 2.4GHz Wireless Security Surveillance Camera | Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36873 | https://packetstorm.news/files/id/156532/ https://www.vulncheck.com/advisories/astak-cm818t3-unauthenticated-config-disclosure |
| ASUS--MyASUS | A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more information, please refer to section Security Update for MyASUS in the ASUS Security Advisory. | 2025-11-25 | not yet calculated | CVE-2025-59373 | https://www.asus.com/content/security-advisory/ |
| ASUS--Router | A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-12003 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A stack buffer overflow vulnerability has been identified in certain router models. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59365 | https://www.asus.com/security-advisory/ |
| ASUS--Router | An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially allowing execution of specific functions without proper authorization. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59366 | https://www.asus.com/content/security-advisory/ |
| ASUS--Router | An integer underflow vulnerability has been identified in AiCloud. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59368 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A SQL injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary SQL queries, leading to unauthorized data access. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59369 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A command injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary commands, leading to the device executing unintended instructions. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59370 | https://www.asus.com/security-advisory/ |
| ASUS--Router | An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59371 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A path traversal vulnerability has been identified in certain router models. A remote, authenticated attacker could exploit this vulnerability to write files outside the intended directory, potentially affecting device integrity. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59372 | https://www.asus.com/security-advisory/ |
| async_mqtt--Redboltz | Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 allows local users to cause a denial of service via triggering SSL initialization failure that results in incorrect destruction order between io_context and endpoint objects. | 2025-11-24 | not yet calculated | CVE-2025-65503 | https://github.com/redboltz/async_mqtt/issues/436 https://github.com/redboltz/async_mqtt/pull/437 |
| ATISoluciones--CIGES | A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise. | 2025-11-24 | not yet calculated | CVE-2025-13596 | https://www.atisoluciones.com/incidentes-cve |
| Automated Logic--WebCTRL | The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server. | 2025-11-27 | not yet calculated | CVE-2024-5539 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic--WebCTRL | The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels, allowing a malicious actor to compromise the client browser. | 2025-11-27 | not yet calculated | CVE-2024-5540 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic--WebCtrl | A weakness in Automated Logic and Carrier i-Vu Gen5 router on driver version drv_gen5_106-01-2380, allows malformed packets to be sent through BACnet MS/TP network causing the devices to enter a fault state. This fault state requires a manual power cycle to return the device to network visibility. | 2025-11-27 | not yet calculated | CVE-2025-0657 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic--Zone Controllers | A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed. | 2025-11-27 | not yet calculated | CVE-2025-0658 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| BACnet Interoperability Test Services, Inc.--BACnet Test Server | BACnet Test Server versions up to and including 1.01 contain a remote denial of service vulnerability in its BACnet/IP BVLC packet handling. The server fails to properly validate the BVLC Length field in incoming UDP BVLC frames on the default BACnet port (47808/udp). A remote unauthenticated attacker can send a malformed BVLC Length value to trigger an access violation and crash the application, resulting in a denial of service. | 2025-11-26 | not yet calculated | CVE-2020-36872 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php https://www.exploit-db.com/exploits/48860 https://packetstormsecurity.com/files/159504 https://cxsecurity.com/issue/WLB-2020100045 https://www.bac-test.com/ https://www.vulncheck.com/advisories/bacnet-test-server-malformed-bvlc-length-dos |
| Beijing Star-Net Ruijie Network Technology Co., Ltd.--NBR Series Routers | Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC. | 2025-11-24 | not yet calculated | CVE-2023-7330 | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml https://cn-sec.com/archives/1995366.html https://www.cnblogs.com/Domren/articles/19093295 https://rfk0z.github.io/posts/Ruijie-NBR-router-fileupload-php-arbitrary-file-upload-vulnerability/ https://www.vulncheck.com/advisories/ruijie-networks-nbr-routers-unauthenticated-arbitrary-file-upload-via-fileuploadphp |
| Bjango--iStats | iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection. This issue affects iStats: 7.10.4. | 2025-11-24 | not yet calculated | CVE-2025-11921 | https://fluidattacks.com/advisories/muse https://bjango.com/mac/istatmenus/ https://cdn.istatmenus.app/files/istatmenus7/versions/iStatMenus7.10.6.zip |
| body-parser--body-parser | body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1. | 2025-11-24 | not yet calculated | CVE-2025-13466 | https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 |
| cerebrate-project--Cerebrate | UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request. | 2025-11-28 | not yet calculated | CVE-2025-66385 | https://github.com/cerebrate-project/cerebrate/compare/v1.29...v1.30 https://github.com/cerebrate-project/cerebrate/commit/c9bfa90abc85d4a20a9cc2f282959b72bef829bb https://vulnerability.circl.lu/api/vulnerability/gcve-1-2025-0017 |
| classroomio--classroomio | An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. | 2025-11-26 | not yet calculated | CVE-2025-65669 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65669 |
| classroomio--classroomio | An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access. | 2025-11-26 | not yet calculated | CVE-2025-65670 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65670 |
| classroomio--classroomio | Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings. | 2025-11-26 | not yet calculated | CVE-2025-65672 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65672 |
| classroomio--classroomio | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures. | 2025-11-26 | not yet calculated | CVE-2025-65675 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65675 |
| classroomio--classroomio | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. | 2025-11-26 | not yet calculated | CVE-2025-65676 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65676 |
| CyberArk--CyberArk Secure Web Sessions Extension | Improper Input Validation vulnerability in CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to start new SWS sessions. This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305. | 2025-11-27 | not yet calculated | CVE-2025-13762 | https://chromewebstore.google.com/detail/cyberark-secure-web-sessi/ohfinlfcbaehgokpmkjcmkgdcbgamgln?hl=en https://microsoftedge.microsoft.com/addons/detail/cyberark-secure-web-sessi/gmfjibhpaliafbemoifjjdkmgaknhohb?hl=en-US |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible to the LibreChat server (such as cloud metadata services, through which impersonation of the server might be possible). This issue has been patched in version 0.8.1-rc2. | 2025-11-29 | not yet calculated | CVE-2025-66201 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-7m2q-fjwr-5x8v |
| Davantis--DFUSION | Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to "/alarms/<ALARM_ID>/<MEDIA>", where the "MEDIA" parameter can take the value of "snapshot" or "video.mp4". These media files contain images recorded by security cameras in response to triggered alerts. | 2025-11-24 | not yet calculated | CVE-2025-41016 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dfusion-davantis |
| Davantis--DFUSION | Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing "/cameras/<CAMERA_ID>/perspective". | 2025-11-24 | not yet calculated | CVE-2025-41017 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dfusion-davantis |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php. | 2025-11-26 | not yet calculated | CVE-2025-66250 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. The deletehidden parameter allows path traversal deletion of arbitrary .tgz files. | 2025-11-26 | not yet calculated | CVE-2025-66251 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. An infinite loop when unlink() fails in status_contents.php causes DoS. Because the unlink operation is performed in a while loop, if an immutable file is specified, or a file that the process has no permission to delete, the deletion is attempted repeatedly in a loop. | 2025-11-26 | not yet calculated | CVE-2025-66252 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. User input passed directly to exec() allows remote code execution via start_upgrade.php. The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root). | 2025-11-26 | not yet calculated | CVE-2025-66253 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. The deleteupgrade parameter allows unauthenticated deletion of arbitrary files. The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files. | 2025-11-26 | not yet calculated | CVE-2025-66254 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. Missing signature validation allows uploading malicious firmware packages. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution. | 2025-11-26 | not yet calculated | CVE-2025-66255 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. Unrestricted file upload in patch_contents.php allows uploading malicious files. The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files. | 2025-11-26 | not yet calculated | CVE-2025-66256 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. The deletepatch parameter allows unauthenticated deletion of arbitrary files. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks. | 2025-11-26 | not yet calculated | CVE-2025-66257 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file. | 2025-11-26 | not yet calculated | CVE-2025-66258 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. In main_ok.php, user-supplied data/hour/time is passed directly into the date shell command. | 2025-11-26 | not yet calculated | CVE-2025-66259 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows SQL injection via sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance. | 2025-11-26 | not yet calculated | CVE-2025-66260 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. The URL-decoded name parameter passed to exec() allows remote code execution. The `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user. | 2025-11-26 | not yet calculated | CVE-2025-66261 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. Tar extraction with -C / allows arbitrary file overwrite via a crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise. | 2025-11-26 | not yet calculated | CVE-2025-66262 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user. | 2025-11-26 | not yet calculated | CVE-2025-66263 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| Desktop Alert--desktopalert.net | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes. | 2025-11-24 | not yet calculated | CVE-2025-54338 | https://desktopalert.net/cve-2025-54338/ |
| Desktop Alert--desktopalert.net | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are Hard-coded configuration values. | 2025-11-24 | not yet calculated | CVE-2025-54341 | https://desktopalert.net/cve-2025-54341/ |
| Desktop Alert--desktopalert.net | A Directory Traversal vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to write arbitrary files under certain conditions. | 2025-11-24 | not yet calculated | CVE-2025-54347 | https://desktopalert.net/cve-2025-54347/ |
| Desktop Alert--desktopalert.net | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure. | 2025-11-24 | not yet calculated | CVE-2025-54563 | https://desktopalert.net/cve-2025-54563/ |
| Devolutions--Server | Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows. This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0. | 2025-11-28 | not yet calculated | CVE-2025-13683 | https://devolutions.net/security/advisories/DEVO-2025-0017/ |
| Devolutions--Server | SQL Injection vulnerability in last usage logs in Devolutions Server. This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8. | 2025-11-27 | not yet calculated | CVE-2025-13757 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Devolutions--Server | Exposure of credentials in unintended requests in Devolutions Server. This issue affects Server: through 2025.2.20, through 2025.3.8. | 2025-11-27 | not yet calculated | CVE-2025-13758 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Devolutions--Server | Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9. | 2025-11-27 | not yet calculated | CVE-2025-13765 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Digital Bazaar--node-forge | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions. | 2025-11-25 | not yet calculated | CVE-2025-12816 | https://www.npmjs.com/package/node-forge https://github.com/digitalbazaar/forge/pull/1124 https://github.com/digitalbazaar/forge CERT/CC Vulnerability Notice Github Security Advisory |
| digitalbazaar--forge | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2. | 2025-11-26 | not yet calculated | CVE-2025-66030 | https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb |
| digitalbazaar--forge | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2. | 2025-11-26 | not yet calculated | CVE-2025-66031 | https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27 https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451 |
| Dongyoung Media Tech Co., Ltd.--DM-AP240T/W Wireless Access Point | Dongyoung Media DM-AP240T/W wireless access points contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/sys_system_config management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network. | 2025-11-26 | not yet calculated | CVE-2019-25226 | https://packetstorm.news/files/id/154719/ https://cxsecurity.com/issue/WLB-2019100012 http://dongyoung.com/ https://www.vulncheck.com/advisories/dongyoung-media-dm-ap240tw-unauthenticated-config-disclosure |
| Drupal--Drupal | Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module. | 2025-11-26 | not yet calculated | CVE-2025-12848 | https://www.drupal.org/node/3105204 |
| ESCAM--QD-900 WIFI HD Camera | ESCAM QD-900 WIFI HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint allows remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup can include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that may facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36871 | https://packetstorm.news/files/id/156492/ https://www.exploit-db.com/exploits/48107 https://www.vulncheck.com/advisories/escam-qd900-unauthenticated-config-disclosure |
| FAST FAC1200R--sezangel | FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter password. | 2025-11-26 | not yet calculated | CVE-2025-50399 | https://github.com/sezangel/IOT-vul/tree/main/FAST/FAC1200R/1 |
| FAST FAC1200R--sezangel | FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter string fac_password. | 2025-11-26 | not yet calculated | CVE-2025-50402 | https://github.com/sezangel/IOT-vul/tree/main/FAST/FAC1200R/2 |
| FluentBit--Fluent Bit | Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs. | 2025-11-24 | not yet calculated | CVE-2025-12969 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit--Fluent Bit | The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution. | 2025-11-24 | not yet calculated | CVE-2025-12970 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit--Fluent Bit | Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory. | 2025-11-24 | not yet calculated | CVE-2025-12972 | https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ |
| FluentBit--Fluent Bit | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing. | 2025-11-24 | not yet calculated | CVE-2025-12977 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit--Fluent Bit | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation. | 2025-11-24 | not yet calculated | CVE-2025-12978 | https://fluentbit.io/announcements/v4.1.0/ |
| Frappe--Frappe CRM | Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1. | 2025-11-26 | not yet calculated | CVE-2025-11461 | https://fluidattacks.com/advisories/oz https://github.com/frappe/crm https://github.com/frappe/crm/pull/1339 |
| Free5gc v4.0.0--OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API. | 2025-11-24 | not yet calculated | CVE-2025-60632 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/705 |
| Free5gc v4.0.0--OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. | 2025-11-24 | not yet calculated | CVE-2025-60633 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/702 https://github.com/free5gc/free5gc/issues/700 https://github.com/free5gc/free5gc/issues/701 https://github.com/free5gc/free5gc/issues/703 |
| Free5gc v4.0.0--OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API. | 2025-11-24 | not yet calculated | CVE-2025-60638 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/704 |
| Fuji Television Network, Inc.--"FOD" App for Android | "FOD" App uses hard-coded cryptographic keys, which may allow a local unauthenticated attacker to retrieve the cryptographic keys. | 2025-11-25 | not yet calculated | CVE-2025-64304 | https://help.fod.fujitv.co.jp/hc/ja/articles/48337068747033 https://jvn.jp/en/jp/JVN63368617/ |
| getsentry--sentry-javascript | Sentry-Javascript is an official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within the application. This issue has been patched in version 10.27.0. | 2025-11-25 | not yet calculated | CVE-2025-65944 | https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp https://github.com/getsentry/sentry-javascript/pull/17475 https://github.com/getsentry/sentry-javascript/commit/a820fa2891fdcf985b834a5b557edf351ec54539 https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0 |
| Google Cloud--Looker | An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : 24.18.201+, 25.0.79+, 25.6.66+, 25.12.7+, 25.16.0+, 25.18.0+, 25.20.0+ | 2025-11-24 | not yet calculated | CVE-2025-12739 | https://cloud.google.com/support/bulletins#gcp-2025-068 |
| Google Cloud--Looker | A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : 25.0.93+, 25.6.84+, 25.12.42+, 25.14.50+, 25.16.44+ | 2025-11-24 | not yet calculated | CVE-2025-12740 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| Google Cloud--Looker | A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : 24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, 25.14+ | 2025-11-24 | not yet calculated | CVE-2025-12741 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| Google Cloud--Looker | A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : 24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, 25.14+ | 2025-11-25 | not yet calculated | CVE-2025-12742 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| GroceryMart--GroceryMart | An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords. | 2025-11-26 | not yet calculated | CVE-2025-65278 | https://gist.github.com/whoisrushi/7e8d15c85221e3f708b7b480e04ab6ca |
| HCL Technologies--HLC | Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51733 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies--HLC | Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51734 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies--HLC | CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51735 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies--HLC | File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51736 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| iiDk-the-actual--Console | Console is a network used to control Gorilla Tag mods' users and other users on the network. Prior to version 2.8.0, a path traversal vulnerability exists where complicated combinations of backslashes and periods can be used to escape the Gorilla Tag path and write to unwanted directories. This issue has been patched in version 2.8.0. | 2025-11-25 | not yet calculated | CVE-2025-65952 | https://github.com/iiDk-the-actual/Console/security/advisories/GHSA-c3f7-xh45-2xc7 https://github.com/iiDk-the-actual/Console/commit/4bcb1cf23ef78f8e6899dd6fe3afa3b24902e458 https://github.com/iiDk-the-actual/Console/commit/e1005b8754594ad463ae58f8a99decda548b1826 |
| ilevia EVE X1--iSee857 | Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component. | 2025-11-25 | not yet calculated | CVE-2025-60739 | https://github.com/iSee857/ilevia-EVE-X1-Server-CSRF |
| immonit.com--Monnit | An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts. | 2025-11-26 | not yet calculated | CVE-2025-50433 | http://imonnitcom.com http://monnit.com https://youtu.be/-BqcdwHgMMA https://github.com/0xMandor/imonnit-ato-advisory/blob/main/CVE-2025-50433.md |
| Intercom, Inc.--Security Point (Windows) of MaLion | Incorrect default permissions issue exists in Security Point (Windows) of MaLion prior to Ver.5.3.4. If this vulnerability is exploited, an arbitrary file could be placed in the specific folder by a user who can log in to the system where the product's Windows client is installed. If the file is a specially crafted DLL file, arbitrary code could be executed with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-59485 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercom, Inc.--Security Point (Windows) of MaLion | Security Point (Windows) of MaLion and MaLionCloud contains a stack-based buffer overflow vulnerability in processing HTTP headers. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-62691 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercom, Inc.--Security Point (Windows) of MaLion | Security Point (Windows) of MaLion and MaLionCloud contains a heap-based buffer overflow vulnerability in processing Content-Length. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-64693 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercore-Productions--Core-Bot | Core Bot is an open source Discord bot made for maple hospital servers. Prior to commit dffe050, the API keys (SUPABASE_API_KEY, TOKEN) are loaded using environment variables, but there are cases in code (error handling, summaries, webhooks) where configuration summaries may inadvertently leak sensitive data (e.g., by failing to redact data in summary embeds or logs). This issue has been patched via commit dffe050. | 2025-11-25 | not yet calculated | CVE-2025-65957 | https://github.com/Intercore-Productions/Core-Bot/security/advisories/GHSA-42j6-x28v-38r8 https://github.com/Intercore-Productions/Core-Bot/commit/dffe050d565a580edfcd0242efa45da88ab31260 |
| JAVA-Oracle | Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. | 2025-11-28 | not yet calculated | CVE-2025-12183 | https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183 https://github.com/yawkat/lz4-java/releases/tag/v1.8.1 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads. | 2025-11-25 | not yet calculated | CVE-2025-51742 | https://gitee.com/jishenghua/JSH_ERP https://blog.hackpax.top/jsh-erp/ https://gitee.com/jishenghua https://gist.github.com/Paxsizy/a40334ffa7f05c42bf0348833f830108 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51743 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp2/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51744 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp3/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51745 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp4/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51746 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp5/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jvde-github--AIS-catcher | AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, a heap buffer overflow vulnerability has been identified in the AIS::Message class of AIS-catcher. This vulnerability allows an attacker to write approximately 1KB of arbitrary data into a 128-byte buffer. This issue has been patched in version 0.64. | 2025-11-29 | not yet calculated | CVE-2025-66216 | https://github.com/jvde-github/AIS-catcher/security/advisories/GHSA-v53x-f5hh-g2g6 https://github.com/jvde-github/AIS-catcher/commit/3de0ef785fc3c96265a71b37df7b0a82cb279312 |
| jvde-github--AIS-catcher | AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, an integer underflow vulnerability exists in the MQTT parsing logic of AIS-catcher. This vulnerability allows an attacker to trigger a massive Heap Buffer Overflow by sending a malformed MQTT packet with a manipulated Topic Length field. This leads to an immediate Denial of Service (DoS) and, when used as a library, severe Memory Corruption that can be leveraged for Remote Code Execution (RCE). This issue has been patched in version 0.64. | 2025-11-29 | not yet calculated | CVE-2025-66217 | https://github.com/jvde-github/AIS-catcher/security/advisories/GHSA-93mj-c8q3-69rg https://github.com/jvde-github/AIS-catcher/commit/e0f7242eee659909adc11a4c561c3f7011bdefe7 |
| keras-team--keras-team/keras | Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory. This can lead to arbitrary file writes outside the cache directory, enabling potential system compromise or malicious code execution. The vulnerability affects Keras installations that process tar archives with get_file() and does not affect versions where this extraction method is secured with the appropriate filter parameter. | 2025-11-28 | not yet calculated | CVE-2025-12638 | https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4 |
| kotaemon 0.11.0--Cinnamon | An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction, successfully uploading a ZIP bomb could still cause the server to consume excessive resources during decompression. Moreover, if no further files are uploaded afterward, the extracted data could occupy disk space and potentially render the system unavailable. Anyone with permission to upload files can carry out this attack. | 2025-11-24 | not yet calculated | CVE-2025-63914 | https://github.com/Cinnamon/kotaemon https://github.com/WxDou/CVE-2025-63914 |
| krpano--krpano | Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled. | 2025-11-29 | not yet calculated | CVE-2025-65892 | https://krpano.com/docu/releasenotes/?version=1.23.3 https://krpano.com/forum/wbb/index.php?thread/20554-krpano-1-23-3d-gaussian-splatting-support/&postID=96997#post96997 |
| LFDT-Lockness--cggmp21 | CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. Prior to version 0.6.3, there is a missing check in the ZK proof that enables an attack in which a single malicious signer can reconstruct the full private key. This issue has been patched in version 0.6.3; for full mitigation it is recommended to upgrade to cggmp24 version 0.7.0-alpha.2, as it contains more security checks. | 2025-11-25 | not yet calculated | CVE-2025-66016 | https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-m95p-425x-x889 https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained |
| LFDT-Lockness--cggmp21 | CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. In versions 0.6.3 and prior of cggmp21 and version 0.7.0-alpha.1 of cggmp24, presignatures can be used in a way that significantly reduces security. The cggmp24 version 0.7.0-alpha.2 release contains API changes that make it impossible to use presignatures in contexts in which they reduce security. | 2025-11-25 | not yet calculated | CVE-2025-66017 | https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-8frv-q972-9rq5 https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained |
| libcoap--OISM | NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65493 | https://github.com/obgm/libcoap/issues/1743 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65494 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter. | 2025-11-24 | not yet calculated | CVE-2025-65495 | https://github.com/obgm/libcoap/issues/1744 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65496 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65497 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65498 | https://github.com/obgm/libcoap/issues/1746 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1. | 2025-11-24 | not yet calculated | CVE-2025-65499 | https://github.com/obgm/libcoap/issues/1747 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65500 | https://github.com/obgm/libcoap/issues/1746 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL. | 2025-11-24 | not yet calculated | CVE-2025-65501 | https://github.com/obgm/libcoap/issues/1748 https://github.com/obgm/libcoap/pull/1750 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem. If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in "struct svc_fh" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service. Normal NFS usage will not provide a pseudo-root filehandle to a v3 client. This bug can only be triggered by the client synthesising an incorrect filehandle. To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected. | 2025-11-24 | not yet calculated | CVE-2025-40212 | https://git.kernel.org/stable/c/b6bc86ce3944b10b9fc181fc00c1a520a20ed965 https://git.kernel.org/stable/c/c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2 https://git.kernel.org/stable/c/8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error. | 2025-11-24 | not yet calculated | CVE-2025-40213 | https://git.kernel.org/stable/c/5c19daa93d9af29f1f46251b47e1ea66bcc8d679 https://git.kernel.org/stable/c/1c9aca1787e8395a2c59fef20e914467958969c5 https://git.kernel.org/stable/c/e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 |
| Logpoint--SIEM | An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service (Redis) information to li-admin users. This can lead to privilege escalation. | 2025-11-27 | not yet calculated | CVE-2025-66360 | https://servicedesk.logpoint.com/hc/en-us/articles/29160917867549-Redis-communication-exposed-for-internal-communication |
| Logpoint--SIEM | An issue was discovered in Logpoint before 7.7.0. Sensitive information is exposed in System Processes for an extended period during high CPU load. | 2025-11-27 | not yet calculated | CVE-2025-66361 | https://servicedesk.logpoint.com/hc/en-us/articles/29160993806749-Process-Data-Exposure-Under-High-Load |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users' personal information. This issue has been patched in version 4.5.6. | 2025-11-29 | not yet calculated | CVE-2025-66027 | https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg https://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963 https://github.com/lukevella/rallly/releases/tag/v4.5.6 |
| Lumi Security Camera--Blurams | An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. | 2025-11-24 | not yet calculated | CVE-2025-63674 | http://blurams.com http://a31c.com https://vindivlabs.com/research/lumi_part_2/ |
| lunary-ai--lunary-ai/lunary | lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35. | 2025-11-25 | not yet calculated | CVE-2025-9803 | https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6 https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91 |
| Magewell Pro Convert--Magewell | A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | 2025-11-24 | not yet calculated | CVE-2025-63952 | https://www.magewell.com https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-63952 |
| Magewell Pro Convert--Magewell | A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | 2025-11-24 | not yet calculated | CVE-2025-63953 | https://www.magewell.com https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-63953 |
| MegaTec Taiwan--ClientMate | The CMService.exe service runs with SYSTEM privileges and contains an unquoted service path. This allows a local attacker with write privileges to the filesystem to insert a malicious executable in the path, leading to privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-66264 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan--ClientMate | CMService.exe creates the C:\\usr directory and subdirectories with insecure permissions, granting write access to all authenticated users. This allows attackers to replace configuration files (such as snmp.conf) or hijack DLLs to escalate privileges. | 2025-11-26 | not yet calculated | CVE-2025-66265 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan--UPSilon2000V6.0 | The RupsMon.exe service executable in UPSilon 2000 has insecure permissions, allowing the 'Everyone' group Full Control. A local attacker can replace the executable with a malicious binary to execute code with SYSTEM privileges, or simply change the config path of the service to a command; starting and stopping the service then immediately achieves code execution and privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-66266 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan--UPSilon2000V6.0 | The RupsMon and USBMate services in UPSilon 2000 run with SYSTEM privileges and contain unquoted service paths. This allows a local attacker to perform path interception and escalate privileges if they have write permissions to the directories preceding the one in which the real service executables live. | 2025-11-26 | not yet calculated | CVE-2025-66269 | https://www.megatec.com.tw/software-download/ |
| Millensys Vision Tools Workspace--MILLENSYS | MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | 2025-11-24 | not yet calculated | CVE-2025-63958 | https://www.millensys.com/ https://ozex.gitlab.io/tricks_hacks/2025-11-19-cve-2025-63958/index.html |
| Mongoose--Cesanta | Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL. | 2025-11-24 | not yet calculated | CVE-2025-65502 | https://github.com/cesanta/mongoose/issues/3306 https://github.com/cesanta/mongoose/pull/3307 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.22.5, a Heap-Use-After-Free (UAF) vulnerability exists in the TCP transport component of NanoMQ, which relies on the underlying NanoNNG library (specifically in src/sp/transport/mqtt/broker_tcp.c). The vulnerability is due to improper resource management and premature cleanup of message and pipe structures under specific malformed MQTTV5 retain message traffic conditions. This issue has been patched in version 0.22.5. | 2025-11-25 | not yet calculated | CVE-2025-65953 | https://github.com/nanomq/nanomq/security/advisories/GHSA-r95p-wjm8-2qxr |
| NCP Secure Enterprise--NCP | NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability. | 2025-11-26 | not yet calculated | CVE-2025-26155 | https://pentest.axians.de/viewer.html?file=cve-2025-26155/CVE-axians-eng.pdf https://www.ncp-e.com/ |
| Netskope--Netskope Client | Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. If this gap is successfully exploited, a local, authenticated user with Administrator privileges can improperly load the driver as a generic kernel service. This triggers the flaw, causing a system crash (Blue-Screen-of-Death) and resulting in a Denial of Service (DoS) for the affected machine. | 2025-11-28 | not yet calculated | CVE-2025-11156 | https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-005 |
| OneUptime--oneuptime | OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0. | 2025-11-26 | not yet calculated | CVE-2025-65966 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-m449-vh5f-574g |
| OneUptime--oneuptime | OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567. | 2025-11-26 | not yet calculated | CVE-2025-66028 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-675q-66gf-gqg8 https://github.com/OneUptime/oneuptime/commit/3e72b2a9a4f50f98cf1f6cf13fa3e405715bb370 |
| Online Shopping Portal--PHPGurukul | Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure via the oid parameter. | 2025-11-25 | not yet calculated | CVE-2025-65647 | https://phpgurukul.com/ https://github.com/SachuuZ/CVE/tree/main/CVE-2025-65647 |
| Open-Source HashTech--HashTech Project | An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-65276 | https://gist.github.com/whoisrushi/c3bfcd1adf96d80952edbd03d0310836 |
| OpenAtlas v.8.12.0--Austrian Academy of Sciences | An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages. | 2025-11-24 | not yet calculated | CVE-2025-56423 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-user-enumeration/ |
| OpenAtlas--Austrian Archaeological Institute | Incorrect access control in Austrian Archaeological Institute OpenAtlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /display_logo endpoint. | 2025-11-24 | not yet calculated | CVE-2025-60914 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-unautorisierter-zugriff-display_logo/ |
| OpenAtlas--Austrian Archaeological Institute | An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute OpenAtlas before v8.12.0 allows attackers to execute a path traversal via a crafted request. | 2025-11-24 | not yet calculated | CVE-2025-60915 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-lfi-konfigurationsdatei-exfiltration/ |
| OpenAtlas--Austrian Archaeological Institute | A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute OpenAtlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the charge parameter. | 2025-11-24 | not yet calculated | CVE-2025-60916 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-reflected-dom-based-xss-charge/ |
| OpenAtlas--Austrian Archaeological Institute | A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute OpenAtlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the color parameter. | 2025-11-24 | not yet calculated | CVE-2025-60917 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-xss-in-farb-feldern-ort/ |
| openbao--openbao | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when: an operator in the root namespace has access to identity/groups endpoints and an operator does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4. | 2025-11-25 | not yet calculated | CVE-2025-64761 | https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436 https://github.com/openbao/openbao/pull/2143 https://github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5 |
| openobserve--openobserve | OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued links remain valid simultaneously. This results in broken access control where a removed or demoted user can regain access or escalate privileges. This issue has been patched in version 0.16.0. | 2025-11-29 | not yet calculated | CVE-2025-66223 | https://github.com/openobserve/openobserve/security/advisories/GHSA-c856-2xpx-gw75 |
| OpenSearch--OpenSearch | A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions below 3.2.0. | 2025-11-25 | not yet calculated | CVE-2025-9624 | https://fluidattacks.com/advisories/chick https://opensearch.org/blog/explore-opensearch-3-3/ |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system's sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possible for the application to write files on the server as part of the mail-handling routine, and in deployments where those files end up in web-accessible locations, the behavior can be leveraged to achieve execution of attacker-controlled content. The issue stems entirely from constructing OS-level command strings using unsanitized input within the mail-sending logic. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66224 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-2w7w-h5wv-xr55 |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66225 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263 |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66289 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-99qp-xh4q-pr9x |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application's recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no permission to view the Recruitment module, can directly access candidate attachment URLs. When an authenticated request is made to the attachment endpoint, the system validates the session but does not confirm that the requesting user has the necessary recruitment permissions. As a result, any authenticated user can download CVs and other uploaded documents for arbitrary candidates by issuing direct requests to the attachment endpoint, leading to unauthorized exposure of sensitive applicant data. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66290 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-qf8r-c54j-jw88 |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has permission to access the associated interview record. Because the server does not perform any recruitment-level authorization checks, an ESS-level user with no access to recruitment workflows can directly request interview attachment URLs and receive the corresponding files. This exposes confidential interview documents (including candidate CVs, evaluations, and supporting files) to unauthorized users. The issue arises from relying on predictable object identifiers and session presence rather than validating the user's association with the relevant recruitment process. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66291 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-v32g-r8xx-4g6g https://github.com/orangehrm/orangehrm/commit/647133d0fdda989a4836845a6531277078a84607 |
| Otsuka Information Technology--FMS | FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing attacks. | 2025-11-24 | not yet calculated | CVE-2025-13589 | https://www.twcert.org.tw/tw/cp-132-10520-03f29-1.html https://www.twcert.org.tw/en/cp-139-10521-abdc1-2.html |
| Overhang.io--Overhang.io | An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. | 2025-11-26 | not yet calculated | CVE-2025-65681 | https://github.com/overhangio/tutor https://docs.tutor.edly.io https://github.com/Rivek619/CVE-2025-65681 |
| OWASP--java-html-sanitizer | OWASP Java HTML Sanitizer is a configurable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which are not mentioned in the HTML policy. At time of publication no known patch is available. | 2025-11-26 | not yet calculated | CVE-2025-66021 | https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2 |
| pallets--werkzeug | Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4. | 2025-11-29 | not yet calculated | CVE-2025-66221 | https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2 https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13 https://github.com/pallets/werkzeug/releases/tag/3.1.4 |
| pretix--pretix | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing. | 2025-11-27 | not yet calculated | CVE-2025-13742 | https://pretix.eu/about/en/blog/20251126-release-2025-9-1/ |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes. | 2025-11-25 | not yet calculated | CVE-2025-64061 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64061.md |
| Primakon Pi Portal--Primakon | The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., otheruser@user.com), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level. | 2025-11-25 | not yet calculated | CVE-2025-64062 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64062.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: unauthorized account modification, modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint; confidential data access, accessing and downloading sensitive organizational documents via a direct request to the document retrieval API; and privilege escalation. This vulnerability can lead to complete compromise of data integrity and confidentiality, and to privilege escalation by manipulating core system functions. | 2025-11-25 | not yet calculated | CVE-2025-64063 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64063.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls, any low-level user can use this API to change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside the body of the request and escalate privileges. | 2025-11-25 | not yet calculated | CVE-2025-64064 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64064.md |
| Primakon Pi Portal--Primakon | The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to an access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitrary user, including application Administrators. This is due to a Broken Function Level Authorization failure (the function doesn't check the caller's privilege) compounded by an Insecure Design that permits a session switch without requiring the target user's password or an administrative token and needs only the user's email. | 2025-11-25 | not yet calculated | CVE-2025-64065 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64065.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of the application. This specific request can also be used to enumerate already registered user accounts, aiding in social engineering or further targeted attacks. | 2025-11-25 | not yet calculated | CVE-2025-64066 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64066.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information. | 2025-11-25 | not yet calculated | CVE-2025-64067 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This issue has been patched in version 6.4.0. | 2025-11-25 | not yet calculated | CVE-2025-66019 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-m449-cwjh-6pw7 https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b2 https://github.com/py-pdf/pypdf/releases/tag/6.4.0 |
| RapidCMS--OpenRapid | OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. | 2025-11-24 | not yet calculated | CVE-2025-64047 | http://rapidcms.com https://gist.github.com/b1uel0n3/b105ad05dbcd3fe148a26e8180dddda7 |
| ray-project--ray | Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool are exposed to a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the User-Agent header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0. | 2025-11-26 | not yet calculated | CVE-2025-62593 | https://github.com/ray-project/ray/security/advisories/GHSA-q279-jhrf-cc6v https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09 |
| REDAXO CMS--REDAXO | A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding a slice that uses the compromised module. | 2025-11-25 | not yet calculated | CVE-2025-64049 | https://github.com/redaxo/redaxo https://drive.google.com/drive/folders/1SpwL548ZBRYU_uL8W7Riv7VHshr2UN0R?usp=sharing https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-64049.md |
| REDAXO CMS--REDAXO | A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template. | 2025-11-25 | not yet calculated | CVE-2025-64050 | https://github.com/redaxo/redaxo https://drive.google.com/drive/folders/1Via4r4wn5zCcBllWmHpxYweCPgcbN0bz?usp=sharing https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-64050.md |
| RSA--RSA | In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable. | 2025-11-24 | not yet calculated | CVE-2024-47856 | https://community.rsa.com/s/product-download/a9G4u000000mCOYEAU/rsa-authentication-agent-747-for-microsoft-windows https://community.rsa.com/s/article/RSA-2024-13-RSA-Authentication-Agent-for-Microsoft-Windows-Security-Update |
| Ruckus Unleashed--Ruckus Networks | A reflected cross-site scripting (XSS) vulnerability exists in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp. | 2025-11-25 | not yet calculated | CVE-2025-63735 | https://www.ruckusnetworks.com/products/network-control-and-management/controller-less/ https://github.com/huthx/CVE-2025-63735-Ruckus-Unleashed-Reflected-XSS |
| Ruoyi--Ruoyi | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd method of SysUserController.java. | 2025-11-26 | not yet calculated | CVE-2025-46174 | https://gitee.com/y_project/RuoYi/issues/IC1JZR https://gitee.com/y_project/RuoYi/commit/ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef https://gist.github.com/Han-tj/29543ce0dae8cbb3bcbedca3390844a9 |
| Ruoyi--Ruoyi | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java. | 2025-11-26 | not yet calculated | CVE-2025-46175 | https://gitee.com/y_project/RuoYi/issues/IC1FS0 https://gitee.com/y_project/RuoYi/commit/f935b2782f4237cdbcc13bdce76703e82c42f4fe https://gist.github.com/Han-tj/74d2ed84ede1909da55090fed410d288 |
| Ruoyi--Ruoyi | An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user. | 2025-11-26 | not yet calculated | CVE-2025-56396 | https://gitee.com/y_project/RuoYi/issues/ICJ865 https://gist.github.com/Han-tj/22cfd18fa9f116bb886e8e56782f6865 |
| SDMC--NE6037 | Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports. | 2025-11-27 | not yet calculated | CVE-2025-8890 | https://cert.pl/en/posts/2025/11/CVE-2025-8890 |
| shama--willitmerge | willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of an insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag or under user control in the target repository. At time of publication, no known fix is public. | 2025-11-29 | not yet calculated | CVE-2025-66219 | https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197 |
| Shenzhen TVT Digital Technology Co., Ltd.--NVMS-9000 | Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC. | 2025-11-24 | not yet calculated | CVE-2018-25126 | https://web.archive.org/web/20180614014914/http://en.tvt.net.cn:80/news/227.html https://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt https://qkl.seebug.org/vuldb/ssvid-97217 https://blogs.juniper.net/en-us/threat-research/iot-botnet-exploiting-tvt-shenzhen-dvrs-still-lingers https://www.vulncheck.com/advisories/tvt-nvms9000-hardcoded-api-credentials-and-command-injection |
| Shenzhen TVT Digital Technology Co., Ltd.--NVMS-9000 | Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated remote attacker can invoke privileged administrative query commands without valid credentials. Successful exploitation discloses sensitive information including administrator usernames and passwords in cleartext, network and service configuration, and other device details via commands such as queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg. | 2025-11-24 | not yet calculated | CVE-2024-14007 | https://ssd-disclosure.com/ssd-advisory-nvms9000-information-disclosure/ https://www.greynoise.io/blog/surge-exploitation-attempts-tvt-dvrs https://undercodetesting.com/eleven11-botnet-mirai-variant-targeting-nvms-9000-devices/ https://www.vulncheck.com/advisories/tvt-nvms9000-unauthenticated-admin-queries-and-information-disclosure |
| SIGB PMB--SIGB | SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters. | 2025-11-25 | not yet calculated | CVE-2025-61167 | http://pmb.com http://sigb.com https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 https://gist.github.com/ZanyMonk/ed12e265f777152c33aeb806a644850e |
| SIGB PMB--SIGB | An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. | 2025-11-25 | not yet calculated | CVE-2025-61168 | http://pmb.com http://sigb.com https://gist.github.com/ZanyMonk/446f6875a2ceb3decef5ff1176428f9e https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 |
| Simple SA--Wirtualna Uczelnia | The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated attacker to perform arbitrary code execution. This issue was fixed in version wu#2016.1.5513#0#20251014_113353. | 2025-11-27 | not yet calculated | CVE-2025-12140 | https://cert.pl/posts/2025/11/CVE-2025-12140/ |
| SiRcom--SMART Alert (SiSA) | SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application. | 2025-11-25 | not yet calculated | CVE-2025-13483 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06 |
| SOGo--alinto | alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. | 2025-11-24 | not yet calculated | CVE-2025-63498 | https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c https://github.com/xryptoh/CVE-2025-63498 https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.4 |
| Sony Corporation--SNC-CX600W | Cross-site request forgery vulnerability exists in SNC-CX600W versions prior to Ver.2.8.0. If a user accesses a specially crafted webpage while logged in, unintended operations may be performed. | 2025-11-25 | not yet calculated | CVE-2025-62497 | https://www.sony.com/electronics/support/ip-cameras-fixed/snc-cx600w https://jvn.jp/en/jp/JVN75140384/ |
| Sony Corporation--SNC-CX600W | Cross-site scripting vulnerability exists in SNC-CX600W all versions. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the product. | 2025-11-25 | not yet calculated | CVE-2025-64730 | https://www.sony.com/electronics/support/ip-cameras-fixed/snc-cx600w https://jvn.jp/en/jp/JVN75140384/ |
| SwitchBot--Smart Video Doorbell | Smart Video Doorbell firmware versions prior to 2.01.078 contain an active debug code vulnerability that allows an attacker to connect via Telnet and gain access to the device. | 2025-11-26 | not yet calculated | CVE-2025-64983 | https://www.switch-bot.com/products/switchbot-video-doorbell?srsltid=AfmBOooGEZArqUag9p59qB8ti2fDP0vCOzxX33NGlpJ8yDlZnzC3vJ_f https://jvn.jp/en/jp/JVN67185535 |
| SY-GPON-1110-WDONT--Syrotech | An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to extract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format from the etc folder of the firmware. | 2025-11-25 | not yet calculated | CVE-2025-63729 | https://github.com/Yashodhanvivek/CVE-2025-63729-Syrotech-SY-GPON-1110-/blob/main/Syrotech_SY-GPON-1110-WDONT_Security_Assessment.pdf |
| Synergetic Data Systems, Inc.--UnForm Server | UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature's 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement. | 2025-11-25 | not yet calculated | CVE-2025-34350 | https://unform.com/download/uf101_readme.txt https://www.vulncheck.com/advisories/unform-server-doc-flow-unauthenticated-file-read |
| System USSD Gateway--OpenCode | OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function. | 2025-11-26 | not yet calculated | CVE-2025-65235 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65235-ussd-gw-sql-injection-subusers |
| System USSD Gateway--OpenCode | OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint. | 2025-11-26 | not yet calculated | CVE-2025-65236 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65236-ussd-gateway-sql-injection-sessions |
| System USSD Gateway--OpenCode | A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload. | 2025-11-26 | not yet calculated | CVE-2025-65237 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65237-ussd-gateway-reflected-cross-site-scripting |
| System USSD Gateway--OpenCode | Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information. | 2025-11-26 | not yet calculated | CVE-2025-65238 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65238-ussd-gateway-broken-access-control-sessions |
| System USSD Gateway--OpenCode | Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs. | 2025-11-26 | not yet calculated | CVE-2025-65239 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65239-ussd-gateway-broken-access-control-logs |
| Taclia--Taclia's web application | A stored Cross-Site Scripting (XSS) vulnerability exists in the Taclia web application, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as profile images, which are then stored on the server and executed in the context of any user who accesses the compromised resource. | 2025-11-24 | not yet calculated | CVE-2025-41087 | https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-stored-taclias-web-application |
| Tellion, Inc.--HN-2204AP Router | Tellion HN-2204AP routers contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/system_config_file management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials, wireless keys, and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network. | 2025-11-26 | not yet calculated | CVE-2019-25227 | https://packetstorm.news/files/id/154752/ https://web.archive.org/web/20190525010559/https://www.tellion.com/ https://www.vulncheck.com/advisories/tellion-hn2204ap-unauthenticated-config-disclosure |
| TEW-657BRM--TRENDnet | TRENDnet TEW-657BRM 1.00.1 has an authenticated remote OS command injection vulnerability in the setup.cgi binary, exploitable via the HTTP parameters "command", "todo", and "next_file," which allows an attacker to execute arbitrary commands with root privileges. | 2025-11-26 | not yet calculated | CVE-2025-65202 | https://github.com/WhereisRain/TEW-657BRM |
| The Ray Team--Anyscale Ray | Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access. | 2025-11-27 | not yet calculated | CVE-2025-34351 | https://docs.ray.io/en/latest/ray-security/token-auth.html https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-w8vc-465m-jjw6 https://www.vulncheck.com/advisories/anyscale-ray-token-authentication-disabled-by-default-insecure-configuration |
| thingsboard--thingsboard | ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. | 2025-11-27 | not yet calculated | CVE-2025-3261 | https://advisory.checkmarx.net/advisory/CVE-2025-3261/ https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03 |
| TIMLEGGE--XML::Sig | XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures. | 2025-11-26 | not yet calculated | CVE-2025-40934 | https://github.com/perl-net-saml2/perl-XML-Sig/issues/63 https://github.com/perl-net-saml2/perl-XML-Sig/pull/64 |
| Tinyproxy--Tinyproxy | Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. | 2025-11-26 | not yet calculated | CVE-2025-63938 | https://github.com/tinyproxy/tinyproxy/issues/586 https://github.com/tinyproxy/tinyproxy/commit/3c0fde94981b025271ffa1788ae425257841bf5a https://github.com/rayinaw/my-hub/blob/main/CVE-2025-63938/DISCLOSURE.md |
| Tuya Smart--Tuya | Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | 2025-11-24 | not yet calculated | CVE-2025-56400 | http://tuya.com https://src.tuya.com/announcement/30 |
| Ubuntu--edk2 | The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733. | 2025-11-26 | not yet calculated | CVE-2025-2486 | https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797 |
| Unknown--Backup Migration | The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication. | 2025-11-24 | not yet calculated | CVE-2025-12394 | https://wpscan.com/vulnerability/e61293d0-2e1b-4dac-96c5-97fa17e38b16/ |
| Unknown--Broken Link Manager | The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2025-11-24 | not yet calculated | CVE-2025-12629 | https://wpscan.com/vulnerability/528e9775-3a2d-4e52-92f7-f123ad787e7d/ |
| Unknown--Guest posting / Frontend Posting / Front Editor | The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue | 2025-11-24 | not yet calculated | CVE-2025-12569 | https://wpscan.com/vulnerability/37586572-33f9-4365-bfce-7db277a8df72/ |
| Unknown--TAX SERVICE Electronic HDM | The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements. | 2025-11-26 | not yet calculated | CVE-2025-12061 | https://wpscan.com/vulnerability/1015dd69-faa5-4008-8884-f497ff980ed3/ |
| Unknown--WordPress eCommerce Plugin | The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2025-11-24 | not yet calculated | CVE-2024-14015 | https://wpscan.com/vulnerability/1a70927a-e345-4e2f-98da-1235f4482cc0/ |
| Unknown--WP 2FA | The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them | 2025-11-24 | not yet calculated | CVE-2025-12628 | https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/ |
| Veal98 echo--ECHO | An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint potentially causing a denial of service to the server or the downstream users. | 2025-11-25 | not yet calculated | CVE-2025-51741 | http://echo.com https://github.com/Veal98/Echo https://gist.github.com/Paxsizy/9d92e8746778cf0926705d89b4f3618c |
| xmall--xmall | Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts. | 2025-11-29 | not yet calculated | CVE-2025-65540 | https://github.com/Exrick/xmall/issues/101 |
| Xtool AnyScan--Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution. | 2025-11-24 | not yet calculated | CVE-2025-63432 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63432 |
| Xtool AnyScan--Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. | 2025-11-24 | not yet calculated | CVE-2025-63433 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63433 |
| Xtool AnyScan--Xtooltech | The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution. | 2025-11-24 | not yet calculated | CVE-2025-63434 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63434 |
| Xtool AnyScan--Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages. | 2025-11-24 | not yet calculated | CVE-2025-63435 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63435 |
| YCCMS 3.4--YCCMS | YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. The vulnerability exists in the add() and getPost() functions within the ArticleAction.class.php file due to improper neutralization of user input in the article title field. | 2025-11-24 | not yet calculated | CVE-2025-64048 | http://yccms.com https://gist.github.com/b1uel0n3/8354650e683ffb0812bfe72b702b482d |
| youlai-boot v2.21--youlai | Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | 2025-11-26 | not yet calculated | CVE-2025-55469 | https://gitee.com/youlaiorg/youlai-boot/issues/ICFCOK https://gitee.com/youlaiorg/youlai-boot https://gist.github.com/old6ma/d6e19c9efbe28431f4c27c063cc9cbb8 |
| youlai-boot v2.21--youlai | Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | 2025-11-26 | not yet calculated | CVE-2025-55471 | https://gitee.com/youlaiorg/youlai-boot https://gitee.com/youlaiorg/youlai-boot/issues/ICFBW8 https://gist.github.com/old6ma/08d83e5aa7d47e7ff18b23337ccd1f1d |
| ZIRA Group WBRM 7.0--Zira Group | ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName. | 2025-11-24 | not yet calculated | CVE-2025-56401 | http://wbrm.com https://mstreet97.github.io/security/cve/sqli/2025/07/25/Zira-WBRM-SQL-Injection-CVE-2025-56401.html |

Vulnerability Summary for the Week of November 17, 2025
Posted on Monday November 24, 2025

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ABB--ABB Ability Edgenius | Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius. This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1. | 2025-11-20 | 9.6 | CVE-2025-10571 | https://search.abb.com/library/Download.aspx?DocumentID=7PAA022088&LanguageCode=en&DocumentPartId=&Action=Launch |
| AMD--AMD StoreMI | A DLL hijacking vulnerability in AMD StoreMI™ could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | 2025-11-23 | 7.3 | CVE-2024-21922 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4010.html |
| AMD--AMD StoreMI | Incorrect default permissions in AMD StoreMI™ could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. | 2025-11-23 | 7.3 | CVE-2024-21923 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4010.html |
| appsbd--Vitepos Point of Sale (POS) for WooCommerce | The Vitepos - Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible. | 2025-11-21 | 8.8 | CVE-2025-13156 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bd478bb7-f0d7-4a29-8236-96ad69b5ae67?source=cve https://plugins.trac.wordpress.org/changeset/3398044   |
| Broadcom--BCM5820X | A privilege escalation vulnerability exists in the ControlVault WBDI Driver WBIO_USH_ADD_RECORD functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to privilege escalation. An attacker can issue an api call to trigger this vulnerability. | 2025-11-17 | 8.7 | CVE-2025-31361 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2174   |
| Broadcom--BCM5820X | A hard-coded password vulnerability exists in the ControlVault WBDI Driver functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to execution of a privileged operation. An attacker can issue an API call to trigger this vulnerability. | 2025-11-17 | 8.7 | CVE-2025-31649 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2173 |
| Broadcom--BCM5820X | A buffer overflow vulnerability exists in the CvManager_SBI functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to arbitrary code execution. An attacker can issue an API call to trigger this vulnerability. | 2025-11-17 | 8.8 | CVE-2025-32089 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2188 |
| Broadcom--BCM5820X | A buffer overflow vulnerability exists in the CvManager functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. | 2025-11-17 | 8.8 | CVE-2025-36553 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2189   |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 2 (`WBIO_USH_GET_IDENTITY`) with an improper `ReceiveBuferSize` value. | 2025-11-17 | 7.3 | CVE-2025-36460 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175   |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 0 (`WBIO_USH_GET_TEMPLATE`) and with an invalid `ReceiveBuferSize` and/or an invalid `SendBufferSize`. | 2025-11-17 | 7.3 | CVE-2025-36461 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175 |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 3 (`WBIO_USH_CREATE_CHALLENGE`) with an invalid `ReceiveBuferSize`. | 2025-11-17 | 7.3 | CVE-2025-36462 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175   |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 4 (`WBIO_USH_ADD_RECORD`) and with an invalid `SendBufferSize`. | 2025-11-17 | 7.3 | CVE-2025-36463 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175   |
| bww--URL Image Importer | The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header to validate file uploads in the 'uimptr_import_image_from_url()' function which writes the file to the server before performing proper validation. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible via the uploaded PHP file. | 2025-11-21 | 8.8 | CVE-2025-12138 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1da18430-1bd0-4f63-9e22-5d26de2be410?source=cve https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L198 https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1319 https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1353 https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1358 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395852%40url-image-importer&new=3395852%40url-image-importer&sfp_email=&sfph_mail=#file9   |
| Campcodes--Online Polling System | A flaw has been found in Campcodes Online Polling System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/checklogin.php. Executing manipulation of the argument myusername can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-11-23 | 7.3 | CVE-2025-13556 | VDB-333323 \| Campcodes Online Polling System checklogin.php sql injection VDB-333323 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696614 \| Campcodes Online Polling System V1.0 SQL Injection https://github.com/ProgramShowMaker/CVE/issues/2 https://www.campcodes.com/ |
| Campcodes--Online Polling System | A vulnerability has been found in Campcodes Online Polling System 1.0. Affected by this issue is some unknown functionality of the file /registeracc.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-11-23 | 7.3 | CVE-2025-13557 | VDB-333324 \| Campcodes Online Polling System registeracc.php sql injection VDB-333324 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696615 \| Campcodes Online Polling System V1.0 SQL Injection https://github.com/ProgramShowMaker/CVE/issues/3 https://www.campcodes.com/ |
| Campcodes--Retro Basketball Shoes Online Store | A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected is an unknown function of the file /admin/receipt.php. Such manipulation of the argument tid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-11-19 | 7.3 | CVE-2025-13410 | VDB-332937 \| Campcodes Retro Basketball Shoes Online Store receipt.php sql injection VDB-332937 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #693696 \| campcodes Retro Basketball Shoes Online Store V1.0 SQL injection https://github.com/laosijivul/cve/issues/3 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A vulnerability was determined in Campcodes School Fees Payment Management System 1.0. This impacts an unknown function of the file /ajax.php?action=login. This manipulation of the argument Username causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 7.3 | CVE-2025-13271 | VDB-332606 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332606 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690044 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/18 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. Affected is an unknown function of the file /manage_course.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-11-17 | 7.3 | CVE-2025-13272 | VDB-332607 \| Campcodes School Fees Payment Management System manage_course.php sql injection VDB-332607 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690046 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/19 https://www.campcodes.com/ |
| Campcodes--School File Management System | A vulnerability was detected in Campcodes School File Management System 1.0. Affected is an unknown function of the file /index.php of the component Login. Performing manipulation of the argument stud_no results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-11-23 | 7.3 | CVE-2025-13555 | VDB-333322 \| Campcodes School File Management System Login index.php sql injection VDB-333322 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696516 \| Campcodes School File Management System V1.0 SQL Injection https://github.com/arpcyber070/CVE/issues/4 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A vulnerability was found in Campcodes Supplier Management System 1.0. This affects an unknown part of the file /manufacturer/confirm_order.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-11-17 | 7.3 | CVE-2025-13291 | VDB-332632 \| Campcodes Supplier Management System confirm_order.php sql injection VDB-332632 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691620 \| Campcodes Campcodes Supplier Management System V1.0 SQL Injection https://github.com/Fex212/CVE/issues/1 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A security vulnerability has been detected in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /index.php of the component Login. Such manipulation of the argument txtUsername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-11-23 | 7.3 | CVE-2025-13554 | VDB-333321 \| Campcodes Supplier Management System Login index.php sql injection VDB-333321 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696515 \| Campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber060/CVE/issues/3 https://www.campcodes.com/ |
| Chunghwa Telecom--TenderDocTransfer | TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | 2025-11-17 | 8.1 | CVE-2025-13282 | https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html |
| Chunghwa Telecom--TenderDocTransfer | TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes. | 2025-11-17 | 7.1 | CVE-2025-13283 | https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html |
| code-projects--Nero Social Networking Site | A flaw has been found in code-projects Nero Social Networking Site 1.0. This issue affects some unknown processing of the file /friendsphoto.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-11-17 | 7.3 | CVE-2025-13277 | VDB-332612 \| code-projects Nero Social Networking Site friendsphoto.php sql injection VDB-332612 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690140 \| code-projects Nero Social Networking Site 1.0 SQL Injection https://github.com/daojian1/Nero-Social-Networking-Site-V1.0_004 https://code-projects.org/ |
| code-projects--Online Shop Project | A vulnerability was found in code-projects Online Shop Project 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument Password results in sql injection. The attack may be performed remotely. The exploit has been made public and could be used. | 2025-11-20 | 7.3 | CVE-2025-13449 | VDB-333019 \| code-projects Online Shop Project login.php sql injection VDB-333019 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #694653 \| SourceCodester Online Shop Project V1.0 SQL Injection https://github.com/xiaojuzirr/cve/issues/3 https://code-projects.org/ |
| code-projects--Simple Pizza Ordering System | A security flaw has been discovered in code-projects Simple Pizza Ordering System 1.0. Affected is an unknown function of the file /listorder.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-11-18 | 7.3 | CVE-2025-13323 | VDB-332662 \| code-projects Simple Pizza Ordering System listorder.php sql injection VDB-332662 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691844 \| code-projects Simple Pizza Ordering System 1.0 SQL Injection https://github.com/daojian1/Simple-Pizza-Ordering-System_V1.0_003 https://code-projects.org/ |
| CodeAstro--Simple Inventory System | A vulnerability was determined in CodeAstro Simple Inventory System 1.0. The impacted element is an unknown function of the file /index.php of the component Login. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 7.3 | CVE-2025-13280 | VDB-332615 \| CodeAstro Simple Inventory System Login index.php sql injection VDB-332615 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691380 \| codeastro Simple Inventory System V1.0 SQL Injection https://github.com/umu123456/cvesimpleInventorysystem/issues/1 https://codeastro.com/ |
| codehub666--94list | A security flaw has been discovered in codehub666 94list up to 5831c8240e99a72b7d3508c79ef46ae4b96befe8. The impacted element is the function Login of the file /function.php. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. | 2025-11-19 | 7.3 | CVE-2025-13395 | VDB-332923 \| codehub666 94list function.php login sql injection VDB-332923 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692095 \| github 94list (Current release) SQL Injection https://github.com/codehub666/94list/issues/63 https://github.com/codehub666/94list/issues/63#issue-3607918945 |
| codepeople--CP Contact Form with PayPal | The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email). | 2025-11-22 | 7.5 | CVE-2025-13384 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6639c3d8-8f26-4ee5-8c4b-2efcf34668a2?source=cve https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L541 https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L877 https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L925 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399104%40cp-contact-form-with-paypal&new=3399104%40cp-contact-form-with-paypal&sfp_email=&sfph_mail=   |
| codesnippetspro--Code Snippets | The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable that is subsequently passed to require_once. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains, granted they can trick an administrator into enabling the "Enable file-based execution" setting and creating at least one active Content snippet. | 2025-11-19 | 8 | CVE-2025-13035 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c7247c-2fc3-46ff-858e-2242b7211476?source=cve https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L295 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L296 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397635%40code-snippets%2Ftrunk&old=3395415%40code-snippets%2Ftrunk&sfp_email=&sfph_mail=#file23 |
| D-Link--DIR-822K | A flaw has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This affects an unknown part of the file /boafrm/formDdns. This manipulation of the argument submit-url causes memory corruption. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-11-23 | 8.8 | CVE-2025-13547 | VDB-333314 \| D-Link DIR-822K/DWR-M920 formDdns memory corruption VDB-333314 \| CTI Indicators (IOB, IOC, IOA) Submit #693758 \| D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695428 \| D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/30 https://github.com/QIU-DIE/CVE/issues/42 https://www.dlink.com/ |
| D-Link--DIR-822K | A vulnerability has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This vulnerability affects unknown code of the file /boafrm/formFirewallAdv. Such manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-23 | 8.8 | CVE-2025-13548 | VDB-333315 \| D-Link DIR-822K/DWR-M920 formFirewallAdv buffer overflow VDB-333315 \| CTI Indicators (IOB, IOC, IOA) Submit #693767 \| D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695433 \| D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/31 https://github.com/QIU-DIE/CVE/issues/43 https://www.dlink.com/ |
| D-Link--DIR-822K | A vulnerability was found in D-Link DIR-822K 1.00. This issue affects the function sub_455524 of the file /boafrm/formNtp. Performing manipulation of the argument submit-url results in buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-11-23 | 8.8 | CVE-2025-13549 | VDB-333316 \| D-Link DIR-822K formNtp sub_455524 buffer overflow VDB-333316 \| CTI Indicators (IOB, IOC, IOA) Submit #693776 \| D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow https://github.com/QIU-DIE/CVE/issues/32 https://www.dlink.com/ |
| D-Link--DIR-822K | A vulnerability was determined in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Impacted is an unknown function of the file /boafrm/formVpnConfigSetup. Executing manipulation of the argument submit-url can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-23 | 8.8 | CVE-2025-13550 | VDB-333317 \| D-Link DIR-822K/DWR-M920 formVpnConfigSetup buffer overflow VDB-333317 \| CTI Indicators (IOB, IOC, IOA) Submit #693777 \| D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695437 \| D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/33 https://github.com/QIU-DIE/CVE/issues/47 https://www.dlink.com/ |
| D-Link--DIR-822K | A vulnerability was identified in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. The affected element is an unknown function of the file /boafrm/formWanConfigSetup. The manipulation of the argument submit-url leads to buffer overflow. The attack can be carried out remotely. The exploit is publicly available and might be used. | 2025-11-23 | 8.8 | CVE-2025-13551 | VDB-333318 \| D-Link DIR-822K/DWR-M920 formWanConfigSetup buffer overflow VDB-333318 \| CTI Indicators (IOB, IOC, IOA) Submit #693785 \| D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695436 \| D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/35 https://github.com/QIU-DIE/CVE/issues/46 https://www.dlink.com/ |
| D-Link--DIR-822K | A security flaw has been discovered in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. The impacted element is an unknown function of the file /boafrm/formWlEncrypt. The manipulation of the argument submit-url results in buffer overflow. The attack may be performed remotely. The exploit has been released to the public and may be exploited. | 2025-11-23 | 8.8 | CVE-2025-13552 | VDB-333319 \| D-Link DIR-822K/DWR-M920 formWlEncrypt buffer overflow VDB-333319 \| CTI Indicators (IOB, IOC, IOA) Submit #693803 \| D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695434 \| D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/36 https://github.com/QIU-DIE/CVE/issues/44 https://www.dlink.com/ |
| D-Link--DIR-852 | A vulnerability was identified in D-Link DIR-852 1.00. This issue affects some unknown processing of the file /gena.cgi. Such manipulation of the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-23 | 7.3 | CVE-2025-13562 | VDB-333327 \| D-Link DIR-852 gena.cgi command injection VDB-333327 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697063 \| D-Link DIR-852 1.00 Command Injection https://github.com/YZS17/CVE/blob/main/DLink/DLink-DIR852/RCE2.md https://www.dlink.com/ |
| D-Link--DWR-M920 | A security flaw has been discovered in D-Link DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M 1.01.07/1.1.47. This vulnerability affects unknown code of the file /boafrm/formPingDiagnosticRun. Performing manipulation of the argument host results in buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-11-17 | 8.8 | CVE-2025-13304 | VDB-332644 \| D-Link DWR-M920/DWR-M921/DWR-M960/DWR-M961/DIR-825M formPingDiagnosticRun buffer overflow VDB-332644 \| CTI Indicators (IOB, IOC, IOA) Submit #691808 \| D-Link DWR-M960 V1.01.07 Buffer Overflow Submit #691810 \| D-Link DWR-M961 V1.1.47 Buffer Overflow (Duplicate) Submit #691812 \| D-Link DWR-M921 V1.1.50 Buffer Overflow (Duplicate) Submit #691817 \| D-Link DWR-M920 V1.1.5 Buffer Overflow (Duplicate) Submit #691821 \| D-Link DIR-825m V1.1.12 Buffer Overflow (Duplicate) https://github.com/LX-LX88/cve/issues/11 https://www.dlink.com/ |
| D-Link--DWR-M920 | A weakness has been identified in D-Link DWR-M920, DWR-M921, DWR-M960, DIR-822K and DIR-825M 1.01.07. This issue affects some unknown processing of the file /boafrm/formTracerouteDiagnosticRun. Executing manipulation of the argument host can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 8.8 | CVE-2025-13305 | VDB-332645 \| D-Link DWR-M920/DWR-M921/DWR-M960/DIR-822K/DIR-825M formTracerouteDiagnosticRun buffer overflow VDB-332645 \| CTI Indicators (IOB, IOC, IOA) Submit #691809 \| D-Link DWR-M960 V1.01.07 Buffer Overflow Submit #691816 \| D-Link DWR-M920 V1.1.5 Buffer Overflow (Duplicate) Submit #693784 \| D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow (Duplicate) Submit #693806 \| D-Link DWR-M921 V1.1.50 Buffer Overflow (Duplicate) Submit #695424 \| D-Link DIR-825m v1.1.12 Buffer Overflow (Duplicate) https://github.com/LX-LX88/cve/issues/12 https://www.dlink.com/ |
| D-Link--DWR-M920 | A weakness has been identified in D-Link DWR-M920 1.1.50. This affects the function sub_41C7FC of the file /boafrm/formPinManageSetup. This manipulation of the argument submit-url causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-23 | 8.8 | CVE-2025-13553 | VDB-333320 \| D-Link DWR-M920 formPinManageSetup sub_41C7FC buffer overflow VDB-333320 \| CTI Indicators (IOB, IOC, IOA) Submit #695435 \| D-Link DWR-M920 v1.1.50 Buffer Overflow https://github.com/QIU-DIE/CVE/issues/45 https://www.dlink.com/ |
| dajiaji--hpke-js | hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5. | 2025-11-21 | 9.1 | CVE-2025-64767 | https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4 https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34   |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. This issue has been patched in version 2.9.5. | 2025-11-19 | 8.8 | CVE-2025-65103 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j   |
| Digiwin--EasyFlow GP | EasyFlow GP developed by Digiwin has a Denial of service vulnerability, allowing unauthenticated remote attackers to send specific requests that result in denial of web service. | 2025-11-17 | 7.5 | CVE-2025-13165 | https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html   |
| Eksagate Electronic Engineering and Computer Industry Trade Inc.--Webpack Management System | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Webpack Management System allows SQL Injection. This issue affects Webpack Management System: through 20251119. | 2025-11-19 | 9.8 | CVE-2025-10437 | https://www.usom.gov.tr/bildirim/tr-25-0401 |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-21 | 9.8 | CVE-2025-11456 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a6f362c1-fe64-4be1-9713-14c0561a59ce?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-three.php?rev=3332203 https://wordpress.org/plugins/elex-helpdesk-customer-support-ticket-system/ https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-three.php   |
| esm-dev--esm.sh | esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136. | 2025-11-19 | 8.2 | CVE-2025-65025 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 |
| flothemesplugins--Flo Forms Easy Drag & Drop Form Builder | The Flo Forms - Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint (`flo_form_submit`) without proper file content validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when an administrator views the uploaded file in the WordPress admin interface, leading to potential full site compromise. | 2025-11-21 | 7.1 | CVE-2025-13159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8c529017-2fb9-4665-97a6-3ec062908299?source=cve https://plugins.trac.wordpress.org/browser/flo-forms/trunk/includes/class-flo-forms.php#L301 https://plugins.trac.wordpress.org/browser/flo-forms/trunk/public/class-flo-forms-public.php#L502 https://plugins.trac.wordpress.org/browser/flo-forms/trunk/admin/class-flo-forms-admin.php#L821   |
| Fortinet--FortiClientWindows | A Heap-based Buffer Overflow vulnerability [CWE-122] in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.8 may allow an authenticated local IPSec user to execute arbitrary code or commands via "fortips_74.sys". The attacker would need to bypass the Windows heap integrity protections. | 2025-11-18 | 7.1 | CVE-2025-46373 | https://fortiguard.fortinet.com/psirt/FG-IR-25-125 |
| Fortinet--FortiClientWindows | An Exposed IOCTL with Insufficient Access Control vulnerability [CWE-782] in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.9 may allow an authenticated local user to execute unauthorized code via fortips driver. Success of the attack would require bypassing the Windows memory protections such as Heap integrity and HSP. In addition, it requires a valid and running VPN IPSec connection. | 2025-11-18 | 7.1 | CVE-2025-47761 | https://fortiguard.fortinet.com/psirt/FG-IR-25-112   |
| Fortinet--FortiVoice | An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests. | 2025-11-18 | 7.7 | CVE-2025-58692 | https://fortiguard.fortinet.com/psirt/FG-IR-25-666   |
| freeprojectscodes--Sports Club Management System | A vulnerability was detected in freeprojectscodes Sports Club Management System 1.0. The affected element is an unknown function of the file /dashboard/admin/change_s_pwd.php. Performing manipulation of the argument login_id results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-11-19 | 7.3 | CVE-2025-13422 | VDB-332944 \| freeprojectscodes Sports Club Management System change_s_pwd.php sql injection VDB-332944 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696004 \| freeprojectscodes Sports Club Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/10 |
| g33kyrash--Online-Banking-System | A vulnerability was detected in g33kyrash Online-Banking-System up to 12dbfa690e5af649fb72d2e5d3674e88d6743455. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument Username results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. | 2025-11-17 | 7.3 | CVE-2025-13276 | VDB-332611 \| g33kyrash Online-Banking-System index.php sql injection VDB-332611 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690087 \| Report_Online-Banking-System web 1.0 SQL Injection https://github.com/Nianalb/Report_Online-Banking-System/blob/main/SQL.docx |
| genetechproducts--Pie Forms Drag & Drop Form Builder | The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory in which the file is placed (which is a somewhat predictable hash). In addition to that, the file name is generated using a secure hash method, limiting the exploitability of this vulnerability. | 2025-11-18 | 8.1 | CVE-2025-12528 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4941a0ce-67f1-430d-bbad-3c97a4ed449e?source=cve https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L331 https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L475 https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L18   |
| Grafana--Grafana Enterprise | SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow internal user IDs to be overridden and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: (1) the `enableSCIM` feature flag is set to true; (2) the `user_sync_enabled` config option in the `[auth.scim]` block is set to true. | 2025-11-21 | 10 | CVE-2025-41115 | https://grafana.com/security/security-advisories/CVE-2025-41115 |
| Gravity Forms--Gravity Forms | The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar file as PHP via file handler mapping or similar. | 2025-11-18 | 8.1 | CVE-2025-12974 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b6395439-da45-4b64-8e30-b106dffd46c1?source=cve https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/upload.php#L97 https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/common/common.php#L4178 https://docs.gravityforms.com/gravityforms-change-log/   |
| HAProxy Technologies--HAProxy Community Edition | Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. | 2025-11-19 | 7.5 | CVE-2025-11230 | https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability   |
| HashiCorp--Tooling | Vault's Terraform Provider incorrectly set the deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0. | 2025-11-21 | 7.4 | CVE-2025-13357 | https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822 |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking 100 Series Cellular Bridge | A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker to crash the system, preventing it from rebooting without manual intervention and disrupting network operations. | 2025-11-18 | 7.5 | CVE-2025-37161 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04970en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system. | 2025-11-18 | 7.8 | CVE-2025-37155 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Management Software (Airwave) | A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system. | 2025-11-18 | 7.2 | CVE-2025-37163 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US   |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3. | 2025-11-19 | 8.1 | CVE-2025-64759 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53 https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059   |
| husainali52--WP AUDIO GALLERY | The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating user-supplied file paths in the `audio_upload` parameter before passing them to `unlink()`. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when critical files like wp-config.php are deleted. | 2025-11-21 | 8.1 | CVE-2025-13322 | https://www.wordfence.com/threat-intel/vulnerabilities/id/101675ae-88cf-42fc-b9ea-5dd37cdf7464?source=cve https://plugins.trac.wordpress.org/browser/wp-audio-gallery/tags/2.0/wp-audio-gallery.php#L150 https://plugins.trac.wordpress.org/browser/wp-audio-gallery/tags/2.0/wp-audio-gallery.php#L513 https://plugins.trac.wordpress.org/browser/wp-audio-gallery/tags/2.0/wp-audio-gallery.php#L607   |
| IBM--IBM Planning Analytics Local | IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system. | 2025-11-17 | 8 | CVE-2025-36357 | https://www.ibm.com/support/pages/node/7251265   |
| IBM--Storage Virtualize | IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request. | 2025-11-17 | 7.5 | CVE-2025-36118 | https://www.ibm.com/support/pages/node/7250954   |
| IBM--webMethods Integration | IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graph data. | 2025-11-20 | 8.8 | CVE-2025-36072 | https://www.ibm.com/support/pages/node/7252090 |
| ideastocode--Enable SVG, WebP, and ICO Upload | The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.2. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-18 | 8.8 | CVE-2025-13069 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5716c4e1-a6d3-42e8-b90c-d16f204c8503?source=cve https://wordpress.org/plugins/enable-svg-webp-ico-upload/   |
| ikhodal--Category and Product Woocommerce Tabs | The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server. | 2025-11-18 | 8.8 | CVE-2025-13088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c3938bbb-dc3d-4550-a05d-0cde970e38f8?source=cve https://plugins.trac.wordpress.org/browser/category-and-product-woocommerce-tabs/tags/1.0/include/wccategorytab.php#L108   |
| iqonicdesign--WPBookit | The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 7.2 | CVE-2025-12135 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7d7b2c79-c4f7-4611-a22a-685d4421a4ab?source=cve https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes-handler.php#L15 https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes.php#L118 https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-setting-controller.php#L16 https://github.com/d0n601/CVE-2025-12135 https://ryankozak.com/posts/cve-2025-12135/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398463%40wpbookit&new=3398463%40wpbookit&sfp_email=&sfph_mail=   |
| isaacs--node-glob | Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0. | 2025-11-17 | 7.5 | CVE-2025-64756 | https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146   |
| itsourcecode--Human Resource Management System | A weakness has been identified in itsourcecode Human Resource Management System 1.0. This issue affects some unknown processing of the file /src/store/EventStore.php. This manipulation of the argument eventSubject causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-19 | 7.3 | CVE-2025-13420 | VDB-332942 \| itsourcecode Human Resource Management System EventStore.php sql injection VDB-332942 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #695952 \| itsourcecode Human Resource Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/8 https://itsourcecode.com/ |
| itsourcecode--Human Resource Management System | A security vulnerability has been detected in itsourcecode Human Resource Management System 1.0. Impacted is an unknown function of the file /src/store/NoticeStore.php. Such manipulation of the argument noticeDesc leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-19 | 7.3 | CVE-2025-13421 | VDB-332943 \| itsourcecode Human Resource Management System NoticeStore.php sql injection VDB-332943 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #695953 \| itsourcecode Human Resource Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/9 https://itsourcecode.com/ |
| itsourcecode--Inventory Management System | A security vulnerability has been detected in itsourcecode Inventory Management System 1.0. The affected element is an unknown function of the file /admin/user/index.php?view=edit. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 7.3 | CVE-2025-13257 | VDB-332592 \| itsourcecode Inventory Management System index.php sql injection VDB-332592 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687863 \| itsourcecode Inventory Management System V1.0 SQL Injection https://github.com/iamzzzzz/iam/issues/3 https://itsourcecode.com/ |
| itsourcecode--Online File Management System | A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-11-21 | 7.3 | CVE-2025-13485 | VDB-333085 \| itsourcecode Online File Management System ajax.php sql injection VDB-333085 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696405 \| Itsourcecode Itsourcecode Online File Management System V1.0 SQL Injection https://github.com/jaisurya-me/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--Online Voting System | A vulnerability was identified in itsourcecode Online Voting System 1.0. The affected element is an unknown function of the file /login.php. Such manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-11-17 | 7.3 | CVE-2025-13285 | VDB-332625 \| itsourcecode Online Voting System login.php sql injection VDB-332625 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690884 \| itsourcecode Online Voting System V1.0 SQL Injection Submit #690887 \| itsourcecode Online Voting System V1.0 SQL Injection (Duplicate) https://github.com/WANGshuyan2025/cve/issues/6 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A security vulnerability has been detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. The impacted element is an unknown function of the file /course/controller.php. Such manipulation leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 7.3 | CVE-2025-13297 | VDB-332637 \| itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection VDB-332637 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691786 \| itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/3 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A vulnerability was detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. This affects an unknown function of the file /enrollment/controller.php. Performing manipulation results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-11-17 | 7.3 | CVE-2025-13298 | VDB-332638 \| itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection VDB-332638 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691787 \| itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/4 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A flaw has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. This impacts an unknown function of the file /user/controller.php. Executing manipulation can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. | 2025-11-17 | 7.3 | CVE-2025-13299 | VDB-332639 \| itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection VDB-332639 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691789 \| itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/5 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A vulnerability has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. Affected is an unknown function of the file /settings/controller.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 7.3 | CVE-2025-13300 | VDB-332640 \| itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection VDB-332640 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691790 \| itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/6 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A vulnerability was found in itsourcecode Web-Based Internet Laboratory Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /subject/controller.php. The manipulation results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-11-17 | 7.3 | CVE-2025-13301 | VDB-332641 \| itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection VDB-332641 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691793 \| itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/7 https://itsourcecode.com/ |
| jackdewey--Community Events | The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'dayofyear' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-19 | 7.5 | CVE-2025-12646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/579b6eb0-dbb7-4586-aecc-f295889a2b2b?source=cve https://plugins.trac.wordpress.org/changeset/3396731/community-events/trunk/community-events.php   |
| jemoreto--Multiple Roles per User | The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles. | 2025-11-18 | 7.2 | CVE-2025-11620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30741601-50b9-4799-a340-11f6ffa59553?source=cve https://plugins.trac.wordpress.org/browser/multiple-roles-per-user/trunk/multiple-roles-per-user.php#L54 https://plugins.trac.wordpress.org/browser/multiple-roles-per-user/trunk/multiple-roles-per-user.php#L121   |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-21 | 7.5 | CVE-2025-13138 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0cad8c48-5c96-484c-acda-b33d8d8d10d3?source=cve https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.3/application/controllers/Wdk_frontendajax.php#L546 https://wordpress.org/plugins/wpdirectorykit/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=   |
| lsfusion--platform | A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Executing manipulation of the argument sid can lead to path traversal. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 7.3 | CVE-2025-13262 | VDB-332597 \| lsfusion platform UploadFileRequestHandler.java UploadFileRequestHandler path traversal VDB-332597 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689414 \| lsFusion 6.1 Arbitrary File Upload https://github.com/lsfusion/platform/issues/1544 https://github.com/lsfusion/platform/issues/1544#issue-3589610731 |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users' polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4. | 2025-11-19 | 9.1 | CVE-2025-65021 | https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8 https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4. | 2025-11-19 | 8.1 | CVE-2025-65029 | https://github.com/lukevella/rallly/security/advisories/GHSA-f8jc-6746-ww95 https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4. | 2025-11-19 | 8.1 | CVE-2025-65033 | https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3 https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4. | 2025-11-19 | 8.1 | CVE-2025-65034 | https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4. | 2025-11-19 | 7.1 | CVE-2025-65030 | https://github.com/lukevella/rallly/security/advisories/GHSA-4j32-25f9-qgfm https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| METZ CONNECT--Energy-Controlling EWIO2-M | The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials. | 2025-11-18 | 9.8 | CVE-2025-41733 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. | 2025-11-18 | 9.8 | CVE-2025-41734 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution. | 2025-11-18 | 8.8 | CVE-2025-41735 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution. | 2025-11-18 | 8.8 | CVE-2025-41736 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules. | 2025-11-18 | 7.5 | CVE-2025-41737 | https://certvde.com/de/advisories/VDE-2025-097   |
| Microsoft--Azure Bastion Developer | Azure Bastion Elevation of Privilege Vulnerability | 2025-11-20 | 10 | CVE-2025-49752 | Azure Bastion Elevation of Privilege Vulnerability   |
| Microsoft--Azure Monitor Control Service | Azure Monitor Elevation of Privilege Vulnerability | 2025-11-20 | 8.6 | CVE-2025-62207 | Azure Monitor Elevation of Privilege Vulnerability   |
| Microsoft--Dynamics OmniChannel SDK Storage Containers | Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network. | 2025-11-20 | 8.8 | CVE-2025-64655 | Dynamics OmniChannel SDK Storage Containers Elevation of Privilege Vulnerability   |
| Microsoft--Microsoft 365 Defender Portal | Microsoft Defender Portal Spoofing Vulnerability | 2025-11-20 | 8.3 | CVE-2025-62459 | Microsoft Defender Portal Spoofing Vulnerability   |
| Microsoft--Microsoft SharePoint Online | Microsoft SharePoint Online Elevation of Privilege Vulnerability | 2025-11-20 | 9.8 | CVE-2025-59245 | Microsoft SharePoint Online Elevation of Privilege Vulnerability   |
| Mitsubishi Electric Corporation--MILCO.S Setting Application | Uncontrolled Search Path Element Vulnerability in Setting and Operation Application for Lighting Control System MILCO.S Setting Application all versions, MILCO.S Setting Application (IR) all versions, MILCO.S Easy Setting Application (IR) all versions, and MILCO.S Easy Switch Application (IR) all versions allows a local attacker to execute malicious code by having the installer load a malicious DLL. However, if the signer name "Mitsubishi Electric Lighting" appears on the "Digital Signatures" tab of the properties for "MILCO.S Lighting Control.exe", the application is a fixed one. This vulnerability applies only when the installer is run, not after installation. If a user downloads directly from Mitsubishi Electric website and installs the affected product, there is no risk of malicious code being introduced. | 2025-11-18 | 7 | CVE-2025-10089 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-015_en.pdf https://jvn.jp/vu/JVNVU97181602/ |
| Muse Group--MuseHub | A security flaw has been discovered in Muse Group MuseHub 2.1.0.1567. The affected element is an unknown function of the file C:\Program Files\WindowsApps\Muse.MuseHub_2.1.0.1567_x64__rb9pth70m6nz6\Muse.Updater.exe of the component Windows Service. The manipulation results in unquoted search path. The attack is only possible with local access. A high complexity level is associated with this attack. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 7 | CVE-2025-13433 | VDB-332977 \| Muse Group MuseHub Windows Service Muse.Updater.exe unquoted search path VDB-332977 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687547 \| Muse Group MuseHub 2.1.0.1567 Unquoted Search Path https://github.com/lakshayyverma/CVE-Discovery/blob/main/Musehub.md |
| n/a--cbor2 through version 5.7.0 | Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2's C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1. | 2025-11-18 | 7.5 | CVE-2025-64076 | https://github.com/agronholm/cbor2/issues/264 https://github.com/agronholm/cbor2/pull/265 https://github.com/agronholm/cbor2/commit/851473490281f82d82560b2368284ef33cf6e8f9   |
| Narkom Communication and Software Technologies Trade Ltd. Co.--Pyxis Signage | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Stored XSS. This issue affects Pyxis Signage: through 31012025. | 2025-11-20 | 7.2 | CVE-2025-0643 | https://www.usom.gov.tr/bildirim/tr-25-0404 |
| Narkom Communication and Software Technologies Trade Ltd. Co.--Pyxis Signage | Unrestricted Upload of File with Dangerous Type vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Pyxis Signage: through 31012025. | 2025-11-20 | 7.2 | CVE-2025-0645 | https://www.usom.gov.tr/bildirim/tr-25-0404 |
| nazsabuz--WP Dropzone | The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-18 | 8.8 | CVE-2025-12775 | https://www.wordfence.com/threat-intel/vulnerabilities/id/afd7aeb7-2c6f-4b23-b8b1-52fb010e5aac?source=cve https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L88 https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L127 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395966%40wp-dropzone&new=3395966%40wp-dropzone&sfp_email=&sfph_mail=   |
| Nettec AS--Digi On-Prem Manager | An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack. | 2025-11-17 | 8.8 | CVE-2025-13319 | https://dom.nettec.no/security-advisories/DOM-25-001/   |
| nmedia--Simple User Registration | The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 7.2 | CVE-2025-12160 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9bb5e60d-f7c9-4b47-ba6f-0f2d1d060263?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396064%40wp-registration&new=3396064%40wp-registration&sfp_email=&sfph_mail=   |
| nootheme--Realty Portal | The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | 2025-11-21 | 8.8 | CVE-2025-11985 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e8263908-95b3-4b72-a9de-a982618eba2c?source=cve https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L189 https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L198 https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/functions/enqueue.php#L224 https://cwe.mitre.org/data/definitions/862.html https://developer.wordpress.org/reference/functions/current_user_can/   |
| NVIDIA--NVIDIA Isaac-GR00T N1.5 | NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-18 | 7.8 | CVE-2025-33183 | https://nvd.nist.gov/vuln/detail/CVE-2025-33183 https://www.cve.org/CVERecord?id=CVE-2025-33183 https://nvidia.custhelp.com/app/answers/detail/a_id/5725   |
| NVIDIA--NVIDIA Isaac-GR00T N1.5 | NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-18 | 7.8 | CVE-2025-33184 | https://nvd.nist.gov/vuln/detail/CVE-2025-33184 https://www.cve.org/CVERecord?id=CVE-2025-33184 https://nvidia.custhelp.com/app/answers/detail/a_id/5725   |
| oc3dots--S2B AI Assistant ChatBot, ChatGPT, OpenAI, Content & Image Generator | The S2B AI Assistant - ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-21 | 7.2 | CVE-2025-12973 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac9d2b64-aff6-418a-bfe7-ec91b177ad6b?source=cve https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399267%40s2b-ai-assistant&new=3399267%40s2b-ai-assistant&sfp_email=&sfph_mail= https://github.com/d0n601/CVE-2025-12973 https://ryankozak.com/posts/cve-2025-12973/   |
| OpenStack--Keystone | OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. | 2025-11-17 | 7.5 | CVE-2025-65073 | https://www.openwall.com/lists/oss-security/2025/11/04/2   |
| Piwigo--Piwigo | Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0. | 2025-11-18 | 8.1 | CVE-2025-62406 | https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6 https://github.com/Piwigo/Piwigo/commit/9d2565465efc3570963ff431b45cad21610f6692   |
| portabilis--i-educar | i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda request parameter, which is directly concatenated into multiple SQL queries without proper sanitization. This issue has been patched in commit b473f92. | 2025-11-19 | 7.2 | CVE-2025-65022 | https://github.com/portabilis/i-educar/security/advisories/GHSA-4hrj-5gwx-r4w4 https://github.com/portabilis/i-educar/commit/b473f92b5326f45d7bce2de93a5381bed7ca8ac7   |
| portabilis--i-educar | i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_funcionario_vinculo GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit a00dfa3. | 2025-11-19 | 7.2 | CVE-2025-65023 | https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc https://github.com/portabilis/i-educar/commit/a00dfa3f129bc84e27873aa01cbd3f82e5b6c6c8   |
| portabilis--i-educar | i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a. | 2025-11-19 | 7.2 | CVE-2025-65024 | https://github.com/portabilis/i-educar/security/advisories/GHSA-6c8p-xqcv-rghx https://github.com/portabilis/i-educar/commit/3e9763a561b328edaed21a7dc2e0dba0bbbc6e22   |
| premmerce--Premmerce Wholesale Pricing for WooCommerce | The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level access and above, to manipulate SQL queries that can be used to extract sensitive information from the database and modify price type display names in the database via the admin-post.php "premmerce_update_price_type" action, causing cosmetic corruption of the admin interface. The 'price_type' parameter of the "premmerce_delete_price_type" is also vulnerable. | 2025-11-18 | 7.1 | CVE-2025-12411 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e27e0-bbb0-498a-b425-9e9d60dfed0f?source=cve https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wholesale-pricing/tags/1.1.10/src/Models/Model.php#L171 https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wholesale-pricing/tags/1.1.10/src/Admin/Admin.php#L83   |
| projectworlds--Advanced Library Management System | A vulnerability was identified in projectworlds Advanced Library Management System 1.0. This affects an unknown part of the file /delete_admin.php. The manipulation of the argument admin_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-11-23 | 7.3 | CVE-2025-13572 | VDB-333336 \| projectworlds Advanced Library Management System delete_admin.php sql injection VDB-333336 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698645 \| projectworlds Advanced Library Management System V1.0 SQL Injection https://github.com/GYSakura/tmp/blob/main/report.md |
| rajeshsingh520--Live sales notification for WooCommerce | The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details. | 2025-11-18 | 7.5 | CVE-2025-12955 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1cebcf16-ae7f-45c4-8e1d-80ede4c32106?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394241%40live-sales-notifications-for-woocommerce&old=3389540%40live-sales-notifications-for-woocommerce&sfp_email=&sfph_mail=   |
| Ribose--RNP | In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects only public key encryption (PKESK packets).  Passphrase-based encryption (SKESK packets) is not affected. Root cause: Vulnerable session key buffer used in PKESK packet generation. The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization logic inside `encrypted_build_skesk()` only randomized the key for the SKESK path and omitted it for the PKESK path. | 2025-11-21 | 7.5 | CVE-2025-13470 | Introducing commit Ubuntu package Arch Linux AUR package Bugzilla report (may become public) https://bugzilla.redhat.com/show_bug.cgi?id=2415863 https://access.redhat.com/security/cve/cve-2025-13402 https://open.ribose.com/advisories/ra-2025-11-20/ https://github.com/rnpgp/rnp/releases/tag/v0.18.1   |
| RooCodeInc--Roo-Code | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, due to an error in validation, it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7. | 2025-11-21 | 8.1 | CVE-2025-65946 | https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-hwm7-w97p-4h8p https://github.com/RooCodeInc/Roo-Code/pull/7667 https://github.com/RooCodeInc/Roo-Code/commit/b50104cc5987ce64f5154309d967ae8c74cfd1f3 |
| SEIKO EPSON CORPORATION--EPSON WebConfig for SEIKO EPSON Projector Products | EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack. | 2025-11-21 | 9.8 | CVE-2025-64310 | https://www.epson.jp/support/misc_t/251120_oshirase.htm https://jvn.jp/en/vu/JVNVU95021911/   |
| Siemens--PS/IGES Parasolid Translator Component | A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V29.0.258). The affected applications contain an out of bounds read vulnerability while parsing specially crafted IGS files. This could allow an attacker to crash the application or execute code in the context of the current process. (ZDI-CAN-26755) | 2025-11-17 | 7.8 | CVE-2025-40936 | https://cert-portal.siemens.com/productcert/html/ssa-241605.html |
| simonhaenisch--md-to-pdf | md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5. | 2025-11-21 | 10 | CVE-2025-65108 | https://github.com/simonhaenisch/md-to-pdf/security/advisories/GHSA-547r-qmjm-8hvw https://github.com/simonhaenisch/md-to-pdf/commit/46bdcf2051c8d1758b391c1353185a179a47a4d9   |
| smackcoders--WP Import Ultimate CSV XML Importer for WordPress | The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 2025-11-19 | 7.2 | CVE-2025-13145 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/SingleImportExport.php#L116 https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php   |
| SMCI--MBD-X13SEDW-F | There is a vulnerability in the Supermicro BMC web function at Supermicro MBD-X13SEDW-F. After logging into the BMC Web server, an attacker can use a specially crafted payload to trigger the Stack buffer overflow vulnerability. | 2025-11-18 | 7.2 | CVE-2025-8076 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| SMCI--X13SEDW-F | There is a vulnerability in the Supermicro BMC web function at Supermicro MBD-X13SEDW-F. After logging into the BMC Web server, an attacker can use a specially crafted payload to trigger the Stack buffer overflow vulnerability. | 2025-11-18 | 7.2 | CVE-2025-8727 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| smub--Giveaways and Contests by RafflePress Get More Website Traffic, Email Subscribers, and Social Followers | The Giveaways and Contests by RafflePress - Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 7.2 | CVE-2025-12484 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cda6aad-36e1-45c7-af46-a7b90bb2d339?source=cve https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L539 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L543 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L547 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L551 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L555 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L559 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L563 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/entry.php#L110 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3398188%40rafflepress&old=3346436%40rafflepress&sfp_email=&sfph_mail=   |
| SolarWinds--Serv-U | A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | 2025-11-18 | 9.1 | CVE-2025-40547 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40547 https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm   |
| SolarWinds--Serv-U | A missing validation process exists in Serv-U which, when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | 2025-11-18 | 9.1 | CVE-2025-40548 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548 https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm |
| SolarWinds--Serv-U | A Path Restriction Bypass vulnerability exists in Serv-U that, when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this is scored as medium due to differences in how paths and home directories are handled. | 2025-11-18 | 9.1 | CVE-2025-40549 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549 https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm |
| SourceCodester--Company Website CMS | A vulnerability was found in SourceCodester Company Website CMS 1.0. This affects an unknown part of the file /admin/reset-password.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-11-23 | 7.3 | CVE-2025-13560 | VDB-333325 \| SourceCodester Company Website CMS reset-password.php sql injection VDB-333325 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696637 \| sourcecodester Company Website CMS V1.0 SQL InjectionSQL https://github.com/miwangdemaoxianzhe/CVE/issues/1 https://www.sourcecodester.com/ |
| SourceCodester--Company Website CMS | A vulnerability was determined in SourceCodester Company Website CMS 1.0. This vulnerability affects unknown code of the file /admin/index.php. This manipulation of the argument Username causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-11-23 | 7.3 | CVE-2025-13561 | VDB-333326 \| SourceCodester Company Website CMS index.php sql injection VDB-333326 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696684 \| sourcecodester Company Website CMS V1.0 SQL InjectionSQL https://github.com/miwangdemaoxianzhe/CVE/issues/2 https://www.sourcecodester.com/ |
| SourceCodester--Online Shop Project | A vulnerability was identified in SourceCodester Online Shop Project 1.0. The affected element is an unknown function of the file /action.php. Such manipulation of the argument Search leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-11-20 | 7.3 | CVE-2025-13451 | VDB-333021 \| SourceCodester Online Shop Project action.php sql injection VDB-333021 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #694674 \| SourceCodester Online Shop Project V1.0 SQL Injection https://github.com/xiaojuzirr/cve/issues/4 https://www.sourcecodester.com/ |
| SourceCodester--Train Station Ticketing System | A weakness has been identified in SourceCodester Train Station Ticketing System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=login. This manipulation of the argument Username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-18 | 7.3 | CVE-2025-13344 | VDB-332762 \| SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332762 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691940 \| SourceCodester Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/14 https://www.sourcecodester.com/ |
| stellarwp--GiveWP Donation Plugin and Fundraising Platform | The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability. | 2025-11-19 | 7.2 | CVE-2025-13206 | https://www.wordfence.com/threat-intel/vulnerabilities/id/95823720-e1dc-46c1-887b-ffd877b2fbe5?source=cve https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/templates/shortcode-donor-wall.php#L59 https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/process-donation.php#L1230 https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/class-give-donor.php#L1135 https://plugins.trac.wordpress.org/changeset/3398128/   |
| Tenda--AC20 | A vulnerability was detected in Tenda AC20 up to 16.03.08.12. The impacted element is an unknown function of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. | 2025-11-17 | 8.8 | CVE-2025-13258 | VDB-332593 \| Tenda AC20 WifiExtraSet buffer overflow VDB-332593 \| CTI Indicators (IOB, IOC, IOA) Submit #688716 \| Tenda AC20 Router Affected firmware version: <= V16.03.08.12 Buffer Overflow https://github.com/DavCloudz/cve/blob/main/Tenda/Tengda%20AC20%20Router%20WifiExtraSet%20Buffer%20Overflow%20Vulnerability.md https://github.com/DavCloudz/cve/blob/main/Tenda/Tengda%20AC20%20Router%20WifiExtraSet%20Buffer%20Overflow%20Vulnerability.md#poc https://www.tenda.com.cn/ |
| Tenda--AC21 | A flaw has been found in Tenda AC21 16.03.08.16. This affects an unknown part of the file /goform/SetIpMacBind. Executing manipulation of the argument list can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. | 2025-11-20 | 8.8 | CVE-2025-13445 | VDB-333017 \| Tenda AC21 SetIpMacBind stack-based overflow VDB-333017 \| CTI Indicators (IOB, IOC, IOA) Submit #694066 \| Tenda AC21 V16.03.08.16 Buffer Overflow https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN7.md https://www.tenda.com.cn/ |
| Tenda--AC21 | A vulnerability has been found in Tenda AC21 16.03.08.16. This vulnerability affects unknown code of the file /goform/SetSysTimeCfg. The manipulation of the argument timeZone/time leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-11-20 | 8.8 | CVE-2025-13446 | VDB-333018 \| Tenda AC21 SetSysTimeCfg stack-based overflow VDB-333018 \| CTI Indicators (IOB, IOC, IOA) Submit #694425 \| Tenda AC21 V16.03.08.16 Buffer Overflow Submit #694430 \| Tenda AC21 V16.03.08.16 Buffer Overflow (Duplicate) https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN8.md https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN9.md https://www.tenda.com.cn/ |
| Tenda--CH22 | A security vulnerability has been detected in Tenda CH22 1.0.0.1. This impacts the function fromPptpUserSetting of the file /goform/PPTPUserSetting. The manipulation of the argument delno leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 8.8 | CVE-2025-13288 | VDB-332628 \| Tenda CH22 PPTPUserSetting fromPptpUserSetting buffer overflow VDB-332628 \| CTI Indicators (IOB, IOC, IOA) Submit #691594 \| Tenda Technology Co., Ltd. Tenda V1.0.0.1 Buffer Overflow https://github.com/yyyy1g/CVE/issues/1 https://www.tenda.com.cn/ |
| Tenda--CH22 | A vulnerability was detected in Tenda CH22 1.0.0.1. Affected is the function formWrlExtraGet of the file /goform/WrlExtraGet. Performing manipulation of the argument chkHz results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-11-19 | 8.8 | CVE-2025-13400 | VDB-332926 \| Tenda CH22 WrlExtraGet formWrlExtraGet buffer overflow VDB-332926 \| CTI Indicators (IOB, IOC, IOA) Submit #692145 \| Tenda CH22 V1.0.0.1 Buffer Overflow https://github.com/f000x0/cve/issues/14 https://www.tenda.com.cn/ |
| The Browser Company of New York--Dia | This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar.) | 2025-11-21 | 7.4 | CVE-2025-13132 | https://www.diabrowser.com/security/bulletins#CVE-2025-13132   |
| ThinPLUS--ThinPLUS | ThinPLUS developed by ThinPLUS has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-11-17 | 9.8 | CVE-2025-13284 | https://www.twcert.org.tw/tw/cp-132-10512-e196b-1.html https://www.twcert.org.tw/en/cp-139-10513-0d82b-2.html   |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14. | 2025-11-17 | 7.2 | CVE-2025-62519 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-fxm2-cmwj-qvx4 https://github.com/thorsten/phpMyFAQ/compare/4.0.13...4.0.14   |
| UTT--进取 750W | A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 7.3 | CVE-2025-13442 | VDB-333015 \| UTT 进取 750W formPdbUpConfig system command injection VDB-333015 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688782 \| UTT (AiTai) Jinqi 750W <=v5v3.2.2-191225 Buffer Overflow https://github.com/alc9700jmo/CVE/issues/20 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability that could lead to a crash (denial-of-service) and potentially remote code execution (RCE) exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1. | 2025-11-21 | 8.8 | CVE-2025-62164 | https://github.com/vllm-project/vllm/security/advisories/GHSA-mrw7-hf4f-83pf https://github.com/vllm-project/vllm/pull/27204 https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b |
| walterpinem--OneClick Chat to Order | The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL. | 2025-11-22 | 7.5 | CVE-2025-13526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/547a0c73-044e-49ba-9bec-4f80b41b8ea2?source=cve https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/trunk/includes/buttons/wa-order-thank-you.php#L126 https://plugins.trac.wordpress.org/changeset/3391625/   |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading to NTLM relay attacks that would result in privilege escalation and remote code execution. This issue has been patched in version 4.13.0. | 2025-11-21 | 7.7 | CVE-2025-30201 | https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x https://github.com/wazuh/wazuh/pull/30060 https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a |
| Wireshark Foundation--Wireshark | Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service | 2025-11-21 | 7.8 | CVE-2025-13499 | https://www.wireshark.org/security/wnpa-sec-2025-06.html GitLab Issue #20823   |
| withastro--astro | Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8. | 2025-11-19 | 7.1 | CVE-2025-64764 | https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723 https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91   |
| wpwham--Checkout Files Upload for WooCommerce | The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page. | 2025-11-18 | 7.2 | CVE-2025-4212 | https://www.wordfence.com/threat-intel/vulnerabilities/id/09d9785a-db71-4735-b86b-7fa10cf36a0b?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/checkout-files-upload-woocommerce/tags/2.2.1&new_path=/checkout-files-upload-woocommerce/tags/2.2.2   |
| WSO2--WSO2 API Manager | A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected. | 2025-11-18 | 9.8 | CVE-2025-9312 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4494/   |
| WSO2--WSO2 Open Banking AM | A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments. | 2025-11-18 | 8.8 | CVE-2025-6670 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4117/   |
| zozothemes--Zegen Core | The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-21 | 8.8 | CVE-2025-11087 | https://www.wordfence.com/threat-intel/vulnerabilities/id/145deebd-1e15-4f8a-878c-9424c2cd9601?source=cve https://themeforest.net/item/zegen-church-wordpress-theme/25116823   |
| Zyxel--DX3300-T0 firmware | A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute operating system (OS) commands on an affected device. | 2025-11-18 | 8.8 | CVE-2025-8693 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025   |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 1000projects--Design & Development of Student Database Management System | A vulnerability was detected in 1000projects Design & Development of Student Database Management System 1.0. Affected is an unknown function of the file /TeacherLogin/Academics/SubjectDetails.php. The manipulation of the argument SubCode results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13289 | VDB-332629 \| 1000projects Design & Development of Student Database Management System SubjectDetails.php sql injection VDB-332629 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691612 \| 1000projects Design & Development of Student Database Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/2   |
| _luigi--The Permalinks Cascade | The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings. | 2025-11-18 | 4.3 | CVE-2025-12372 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c08d420d-d521-4215-9ef7-b5d1c44a19d3?source=cve https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/admin/admin-controller.class.php#L109 https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/includes/core.class.php#L36   |
| admintwentytwenty--UiPress lite \| Effortless custom dashboards, admin themes and pages | The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks. | 2025-11-21 | 6.5 | CVE-2025-10938 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d8aa06eb-774a-4cd9-bd35-2d6409475696?source=cve https://wordpress.org/plugins/uipress-lite/   |
| admintwentytwenty--UiPress lite \| Effortless custom dashboards, admin themes and pages | The UiPress lite \| Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_ui_template' function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to save templates that contain custom JavaScript. | 2025-11-21 | 6.4 | CVE-2025-11003 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a01ccc-c98e-4fcc-8eaf-721ec46584fc?source=cve https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.08/admin/core/uiBuilder.php#L613 https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.08/admin/classes/PostTypes/UiTemplates.php#L416   |
| admintwentytwenty--UiPress lite \| Effortless custom dashboards, admin themes and pages | The UiPress lite \| Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings. Other AJAX actions are also affected. | 2025-11-21 | 4.3 | CVE-2025-11815 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8f8d7397-0201-4194-8604-057f905ef10b?source=cve https://plugins.trac.wordpress.org/browser/uipress-lite/trunk/admin/core/ajax-functions.php#L396 https://plugins.trac.wordpress.org/changeset/3398753/   |
| aioseo--Broken Link Checker by AIOSEO Easily Fix/Monitor Internal and External links | The Broken Link Checker by AIOSEO - Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint. | 2025-11-18 | 5.4 | CVE-2025-11734 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo   |
| alekv--Pixel Manager for WooCommerce Track Conversions and Analytics, Google Ads, TikTok and more | The Pixel Manager for WooCommerce - Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to. | 2025-11-18 | 5.3 | CVE-2025-12545 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9babb946-4033-4e66-8f59-b73185ffcd49?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L343 https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L1235   |
| amans2k--FunnelKit Funnel Builder for WooCommerce Checkout | The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied `default` attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-12878 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f54053e-30ff-449b-b696-92d503011a4d?source=cve https://wordpress.org/plugins/funnel-builder https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L30 https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L96 https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L101 https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L116 https://plugins.trac.wordpress.org/changeset/3397106/funnel-builder/tags/3.13.1.3/merge-tags/class-bwf-contact-tags.php   |
| AMD--AMD EPYC 9004 Series Processors | A bug within some AMD CPUs could allow a local admin-privileged attacker to run a SEV-SNP guest using stale TLB entries, potentially resulting in loss of data integrity. | 2025-11-21 | 5.3 | CVE-2025-29934 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3029.html   |
| AMD--AMD uProf | Improper input validation within AMD uprof can allow a local attacker to overwrite MSR registers, potentially resulting in crash or denial of service. | 2025-11-21 | 5.5 | CVE-2025-48502 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html   |
| antiochinteractive--Shortcode for Google Street View | The Shortcode for Google Street View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'streetview' shortcode in all versions up to, and including, 0.5.7. This is due to insufficient input sanitization and output escaping on the 'id' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8a5b5ce-9975-449b-bdd1-d139f1360297?source=cve https://plugins.trac.wordpress.org/browser/wp-google-street-view-shortcode/tags/0.5.7/gsv-shortcode.php#L108   |
| arkadiykilesso--Download Panel (Biggiko Team) | The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations. | 2025-11-18 | 4.3 | CVE-2025-12961 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1a1df7e-1a57-45b3-a4b3-cb3218782ad9?source=cve https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L50 https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L51   |
| artibot--ArtiBot Free Chat Bot for WebSites | The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12078 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efe48adb-af9f-45dc-b693-ae56dce1bfe2?source=cve https://wordpress.org/plugins/artibot/   |
| ashraf-kabir--travel-agency | A weakness has been identified in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected is an unknown function of the file /customer_register.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-23 | 6.3 | CVE-2025-13544 | VDB-333311 \| ashraf-kabir travel-agency customer_register.php unrestricted upload VDB-333311 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690975 \| travel-agency web 1 File Upload Vulnerability https://github.com/www223-ai/CVE/blob/main/travel-File%20Upload.docx   |
| ashraf-kabir--travel-agency | A vulnerability was detected in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected by this issue is some unknown functionality of the file /results.php of the component Search. The manipulation of the argument user_query results in SQL injection. The attack can be launched remotely. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. | 2025-11-23 | 6.3 | CVE-2025-13546 | VDB-333313 \| ashraf-kabir travel-agency Search results.php sql injection VDB-333313 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691466 \| travel-agency web 1 SQL Injection vulnerability https://github.com/www223-ai/CVE/blob/main/travel-sql2.docx   |
| ashraf-kabir--travel-agency | A security vulnerability has been detected in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected by this vulnerability is an unknown functionality of the file /admin_area/index.php. The manipulation of the argument edit_pack leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-23 | 4.7 | CVE-2025-13545 | VDB-333312 \| ashraf-kabir travel-agency index.php sql injection VDB-333312 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690978 \| travel-agency web 1 SQL Injection Vulnerability https://github.com/www223-ai/CVE/blob/main/travel-sql.docx   |
| awensley--Project Honey Pot Spam Trap | The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12406 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e774476d-3696-4489-b028-16c25f8db1ca?source=cve https://plugins.trac.wordpress.org/browser/project-honey-pot-spam-trap/tags/1.0.1/project_honey_pot.php#L244 https://plugins.trac.wordpress.org/browser/project-honey-pot-spam-trap/tags/1.0.1/project_honey_pot.php#L248 https://plugins.trac.wordpress.org/browser/project-honey-pot-spam-trap/tags/1.0.1/project_honey_pot.php#L293   |
| AWS--Wickr | Improper resource release in the call termination process in AWS Wickr before version 6.62.13 on Windows, macOS and Linux may allow a call participant to continue receiving audio input from another user after they close their call window. This issue occurs under certain conditions, which require the affected user to take a particular action within the application. To mitigate this issue, users should upgrade AWS Wickr, Wickr Gov and Wickr Enterprise desktop version to version 6.62.13. | 2025-11-21 | 5.7 | CVE-2025-13524 | https://aws.amazon.com/security/security-bulletins/AWS-2025-029/ https://docs.aws.amazon.com/wickr/latest/enterpriseadminguide/clients-release-notes-6.62.html   |
| ays-pro--Quiz Maker | The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question. | 2025-11-19 | 5.3 | CVE-2025-12426 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc524e3e-9b7c-47ae-ab44-c327b287b81a?source=cve https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L8490 https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/includes/class-quiz-maker.php#L393 https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L179   |
| bandido--Checkbox | The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_ajax_nopriv_checkbox_clean_log' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticated attackers to clear log files. | 2025-11-21 | 5.3 | CVE-2025-12170 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16735e63-d652-4b0e-b454-2bd13368d8a7?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392710%40checkbox&new=3392710%40checkbox&sfp_email=&sfph_mail=   |
| bartboy011--Bulma Shortcodes | The Bulma Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' shortcode attribute in the bulma-notification shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11802 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e119d542-7cac-47e4-ae13-5382911f1f5e?source=cve https://plugins.trac.wordpress.org/browser/bulma-shortcodes/tags/1.0/inc/components.php#L36   |
| bdeleasa--WP Company Info | The WP Company Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'social-networks' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11826 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6743a762-6d40-4ed9-95f2-f1b405683f26?source=cve https://plugins.trac.wordpress.org/browser/wp-company-info/tags/1.9.0/classes/class-wp-company-info-social-links.php#L244   |
| bdthemes--Element Pack Addons for Elementor | The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 5.4 | CVE-2025-13196 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0da6a080-260f-4b19-a32c-453d2781389a?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3396544%40bdthemes-element-pack-lite&old=3395028%40bdthemes-element-pack-lite&sfp_email=&sfph_mail=   |
| beycanpress--Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO | The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to manipulate presales counters. | 2025-11-21 | 5.3 | CVE-2025-11771 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5c5793f-4d98-4ec1-a9b6-6e7c3f8b6099?source=cve https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L275   |
| beycanpress--Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO | The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the WordPress option `tokenico_deployed_contracts`, poisoning the smart contract addresses displayed. | 2025-11-21 | 4.3 | CVE-2025-11773 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e02597b1-eea6-4fdd-baeb-527201d1c61f?source=cve https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L108   |
| bhargavbhandari90--Meta Display Block | The Meta Display Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meta Display Block in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-12088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68251e79-d064-4be4-a218-92a03e27b59d?source=cve https://wordpress.org/plugins/meta-display-block/   |
| billybigpotatoes--BrightTALK WordPress Shortcode | The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e3b5433-e17b-4ece-9e5c-ef4d818068dc?source=cve https://plugins.trac.wordpress.org/browser/brighttalk-wp-shortcode/tags/2.4.0/brighttalk-wp-shortcode.php#L130   |
| Black Duck--Black Duck SCA | Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role with the Global User Read access permission enabled access to certain Project Administrator functionalities which should have been inaccessible. Exploitation does not grant full system control, but it may enable unauthorized changes to project configurations or access to system sensitive information. | 2025-11-21 | 5.4 | CVE-2025-0504 | https://community.blackduck.com/s/article/Black-Duck-Product-Security-Advisory-CVE-2025-0504   |
| BlackBerry--BlackBerry AtHoc (OnPrem) | An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warning System (IWS). | 2025-11-19 | 5 | CVE-2025-12766 | https://support.blackberry.com/pkb/s/article/140929   |
| bplugins--Icon List Block Add Icon-Based Lists with Custom Styles | The Icon List Block - Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response. | 2025-11-18 | 6.4 | CVE-2025-12376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168   |
| brainstormforce--SureForms Contact Form, Custom Form Builder, Calculator & More | The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce' action. While the plugin legitimately needs to support unauthenticated form submissions, it incorrectly uses generic REST nonces instead of form-specific nonces. This makes it possible for unauthenticated attackers to bypass CSRF protection on REST API endpoints that rely solely on nonce verification without additional authentication checks, allowing them to trigger unauthorized actions such as the plugin's own post-submission hooks and potentially other plugins' REST endpoints. | 2025-11-19 | 5.3 | CVE-2025-12535 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b083cf9d-bcfe-4234-a816-2d216da28b57?source=cve https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/background-process.php#L74 https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/admin-ajax.php#L45 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391762%40sureforms%2Ftrunk&old=3382423%40sureforms%2Ftrunk&sfp_email=&sfph_mail=   |
| Campcodes--Retro Basketball Shoes Online Store | A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Performing manipulation of the argument product_image results in unrestricted upload. The attack can be carried out remotely. The exploit has been made public and could be used. | 2025-11-19 | 4.7 | CVE-2025-13411 | VDB-332938 \| Campcodes Retro Basketball Shoes Online Store admin_football.php unrestricted upload VDB-332938 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #693697 \| campcodes Retro Basketball Shoes Online Store V1.0 Unrestricted Upload https://github.com/laosijivul/cve/issues/2 https://www.campcodes.com/   |
| Campcodes--Retro Basketball Shoes Online Store | A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_product.php. Executing manipulation of the argument product_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | 2025-11-19 | 4.7 | CVE-2025-13423 | VDB-332945 \| Campcodes Retro Basketball Shoes Online Store admin_product.php unrestricted upload VDB-332945 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696051 \| Campcodes Retro Basketball Shoes Online Store v1.0 Unrestricted Upload https://github.com/Abxery/cveee/issues/6 https://www.campcodes.com/   |
| Campcodes--School Fees Payment Management System | A vulnerability has been found in Campcodes School Fees Payment Management System 1.0. The impacted element is an unknown function of the file /ajax.php?action=save_payment. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13269 | VDB-332604 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332604 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690034 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/17 https://www.campcodes.com/   |
| Campcodes--School Fees Payment Management System | A vulnerability was found in Campcodes School Fees Payment Management System 1.0. This affects an unknown function of the file /ajax.php?action=save_course. The manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-11-17 | 6.3 | CVE-2025-13270 | VDB-332605 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332605 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690039 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/16 https://www.campcodes.com/   |
| Campcodes--School Fees Payment Management System | A security flaw has been discovered in Campcodes School Fees Payment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_payment. Performing manipulation of the argument ID results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13273 | VDB-332608 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332608 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690048 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/20 https://www.campcodes.com/   |
| Campcodes--School Fees Payment Management System | A weakness has been identified in Campcodes School Fees Payment Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_fees. Executing manipulation of the argument ID can lead to SQL injection. The attack may be performed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 6.3 | CVE-2025-13274 | VDB-332609 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332609 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690886 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/21 https://www.campcodes.com/   |
| Campcodes--Supplier Management System | A flaw has been found in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /manufacturer/edit_unit.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-11-17 | 6.3 | CVE-2025-13259 | VDB-332594 | Campcodes Supplier Management System edit_unit.php sql injection VDB-332594 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #688780 | campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber060/CVE/issues/1 https://www.campcodes.com/   |
| Campcodes--Supplier Management System | A vulnerability has been found in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /manufacturer/edit_product.php. Such manipulation of the argument cmbProductUnit leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13260 | VDB-332595 | Campcodes Supplier Management System edit_product.php sql injection VDB-332595 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #689268 | campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber070/CVE/issues/1 https://www.campcodes.com/   |
| Campcodes--Supplier Management System | A vulnerability has been found in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_product.php. The manipulation of the argument txtProductName leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-11-20 | 4.7 | CVE-2025-13424 | VDB-332946 | Campcodes Supplier Management System add_product.php sql injection VDB-332946 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #696053 | campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber070/CVE/issues/3 https://www.campcodes.com/   |
| code-projects--Courier Management System | A vulnerability was determined in code-projects Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /search-edit.php. This manipulation of the argument Consignment causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 6.3 | CVE-2025-13303 | VDB-332642 | code-projects Courier Management System search-edit.php sql injection VDB-332642 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691792 | code-projects Courier Management System V1.0 SQL Injection https://github.com/labi1106/cve/issues/2 https://code-projects.org/   |
| code-projects--Courier Management System | A weakness has been identified in code-projects Courier Management System 1.0. This affects an unknown function of the file /add-office.php. This manipulation of the argument OfficeName causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-19 | 6.3 | CVE-2025-13396 | VDB-332924 | code-projects Courier Management System add-office.php sql injection VDB-332924 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692127 | code-projects Courier Management System V1.0 SQL Injection https://github.com/beamyou/CVE/issues/1 https://code-projects.org/   |
| code-projects--Courier Management System | A vulnerability was identified in code-projects Courier Management System 1.0. This affects an unknown part of the file /add-new-officer.php. Such manipulation of the argument ManagerName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-11-17 | 4.7 | CVE-2025-13302 | VDB-332643 | code-projects Courier Management System add-new-officer.php sql injection VDB-332643 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691791 | code-projects Courier Management System V1.0 SQL Injection https://github.com/labi1106/cve/issues/1 https://code-projects.org/   |
| code-projects--Nero Social Networking Site | A vulnerability was found in code-projects Nero Social Networking Site 1.0. The affected element is an unknown function of the file /profilefriends.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-11-17 | 6.3 | CVE-2025-13279 | VDB-332614 | code-projects Nero Social Networking Site profilefriends.php sql injection VDB-332614 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #690963 | code-projects Nero Social Networking Site 1.0 SQL Injection https://github.com/daojian1/Nero-Social-Networking-Site-V1.0_005 https://github.com/daojian1/Nero-Social-Networking-Site-V1.0_005/blob/main/report.md https://code-projects.org/   |
| code-projects--Simple Food Ordering System | A vulnerability has been found in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /saveorder.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13290 | VDB-332631 | code-projects Simple Food Ordering System saveorder.php sql injection VDB-332631 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691619 | code-projects Simple Food Ordering System 1.0 Unrestricted Upload https://github.com/liaoliao-hla/cve/issues/1 https://code-projects.org/   |
| code-projects--Simple Food Ordering System | A vulnerability was determined in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /listorder.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-23 | 6.3 | CVE-2025-13571 | VDB-333335 | code-projects Simple Food Ordering System listorder.php sql injection VDB-333335 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698495 | Code-Projects Simple Food Ordering System 1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr/issues/1 https://code-projects.org/   |
| codepeople--Appointment Booking Calendar | The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations. | 2025-11-22 | 5.3 | CVE-2025-13317 | https://www.wordfence.com/threat-intel/vulnerabilities/id/638217c4-7a37-49e4-8660-5510ace692ec?source=cve https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L14 https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L363 https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L476 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399113%40appointment-booking-calendar&new=3399113%40appointment-booking-calendar&sfp_email=&sfph_mail=   |
| codepeople--Booking Calendar Contact Form | The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter. | 2025-11-22 | 5.3 | CVE-2025-13318 | https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409 https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399906%40booking-calendar-contact-form&new=3399906%40booking-calendar-contact-form&sfp_email=&sfph_mail=   |
| codeyatri--Gutenify Visual Site Builder Blocks & Site Templates. | The Gutenify - Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-8605 | https://www.wordfence.com/threat-intel/vulnerabilities/id/853b86ca-0231-4b1c-b1d2-b8c23dbdc3c5?source=cve https://wordpress.org/plugins/gutenify/#developers   |
| coffeebite--Padlet Shortcode | The Padlet Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'key' parameter in the 'wallwisher' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12660 | https://www.wordfence.com/threat-intel/vulnerabilities/id/09989141-43ba-446c-8230-0485add7a1e2?source=cve https://wordpress.org/plugins/wallwisher-shortcode/ https://plugins.trac.wordpress.org/browser/wallwisher-shortcode/tags/1.3/wallwisher.php#L22   |
| cozmoslabs--User Profile Builder Beautiful User Registration Forms, User Profiles & User Role Editor | The User Profile Builder - Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppb-embed shortcode in all versions up to, and including, 3.14.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-13054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3830ae19-cafc-40db-afde-2424cae23031?source=cve https://plugins.trac.wordpress.org/changeset/3397155/profile-builder   |
| cyberlord92--WP Login and Register using JWT | The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on sites that do not have an API key configured and subsequently use that to access restricted endpoints. | 2025-11-19 | 4.3 | CVE-2025-12822 | https://www.wordfence.com/threat-intel/vulnerabilities/id/966523a4-3d4b-444b-b9d0-63c72527a99f?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397900%40login-register-using-jwt&new=3397900%40login-register-using-jwt&sfp_email=&sfph_mail= |
| D-Link--DWR-M920 | A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 6.3 | CVE-2025-13306 | VDB-332646 \| D-Link DWR-M920/DWR-M921/DIR-822K/DIR-825M formDebugDiagnosticRun system command injection VDB-332646 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691813 \| D-Link DWR-M920 V1.1.5 Command Injection Submit #693805 \| D-Link DIR-822k TK_1.00_20250513164613 Command Injection (Duplicate) Submit #693807 \| D-Link DWR-M921 V1.1.50 Command Injection (Duplicate) Submit #695426 \| D-Link DIR-825m v1.1.12 Command Injection (Duplicate) https://github.com/LX-LX88/cve/issues/15 https://www.dlink.com/ |
| darto--Islamic Phrases | The Islamic Phrases plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'phrases' shortcode attribute in all versions up to, and including, 2.12.2015. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11768 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e9bcc72-e434-4f6f-9e90-eec8cad31035?source=cve https://plugins.trac.wordpress.org/browser/islamic-phrases/tags/2.12.2015/islamic-phrases.php#L89   |
| davidangel--AudioTube | The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11801 | https://www.wordfence.com/threat-intel/vulnerabilities/id/258a2d5d-a176-4b89-bc4c-089d072982dd?source=cve https://plugins.trac.wordpress.org/browser/audiotube/tags/0.0.3/index.php#L64   |
| denishua--Top Friends | The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 4.3 | CVE-2025-12827 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8165196d-0117-473f-8ccf-57ffd3e08e16?source=cve https://plugins.trac.wordpress.org/browser/top-friends/tags/0.3/top-friends.php#L155   |
| DependencyTrack--frontend | @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators) can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6. | 2025-11-17 | 4.8 | CVE-2025-64758 | https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5 https://github.com/DependencyTrack/frontend/pull/1378 https://github.com/DependencyTrack/frontend/pull/986 https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be |
| developdaly--Stock Tools | The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11765 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1d852dba-39ea-4cc9-9fcf-7f2ac3e1b5d0?source=cve https://plugins.trac.wordpress.org/browser/stock-tools/tags/1.1/stock-tools.php#L67   |
| devitemsllc--HT Mega Absolute Addons For Elementor | The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag names. This is due to the lack of a tag name whitelist allowing dangerous tags like 'script', 'iframe', and 'object' to be injected even though tag_escape() is used for sanitization. While some blocks use esc_html() for content, this can be bypassed using JavaScript encoding techniques (unquoted strings, backticks, String.fromCharCode()). This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-13141 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8bf04325-e313-4a68-89a0-b560bdef5a14?source=cve https://plugins.trac.wordpress.org/changeset/3398480/   |
| devsmip--BigBuy Dropshipping Connector for WooCommerce | The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to retrieve the output of phpinfo(). | 2025-11-21 | 5.3 | CVE-2025-12039 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3d5a5-4673-41e7-9868-99699852f330?source=cve https://plugins.trac.wordpress.org/browser/bigbuy-wc-dropshipping-connector/tags/2.0.5/src/Controller/ApiController.php#L225 https://plugins.trac.wordpress.org/browser/bigbuy-wc-dropshipping-connector/tags/2.0.5/src/Controller/ApiController.php#L260   |
| dfactory--Responsive Lightbox & Gallery | The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the 'get_image_size_by_url' function. This is due to insufficient validation of user-supplied URLs when determining image dimensions for gallery items. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. | 2025-11-19 | 5.4 | CVE-2025-12359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f4c0bd6-f289-4a52-ac11-345076c32d84?source=cve https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-frontend.php#L1531 https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-fast-image.php#L25 https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/functions.php#L108 https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-galleries.php#L3648 https://research.cleantalk.org/cve-2025-12359 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397940%40responsive-lightbox%2Ftrunk&old=3358021%40responsive-lightbox%2Ftrunk&sfp_email=&sfph_mail=   |
| Digiwin--EasyFlow GP | EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend. | 2025-11-17 | 4.9 | CVE-2025-13163 | https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html   |
| Digiwin--EasyFlow GP | EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend. | 2025-11-17 | 4.9 | CVE-2025-13164 | https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html   |
| Dreampie--Resty | A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Such manipulation of the argument filename leads to path traversal. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 5.6 | CVE-2025-13435 | VDB-332979 \| Dreampie Resty HttpClient HttpClient.java request path traversal VDB-332979 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687603 \| Dreampie Resty Framework - HttpClient Module 1.3.1.SNAPSHOT Path Traversal / Directory Traversal (CWE-22) https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md |
| Dromara--dataCompare | A flaw has been found in Dromara dataCompare up to 1.0.1. The affected element is the function DbConfig of the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java of the component JDBC URL Handler. Executing manipulation can lead to injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-11-17 | 6.3 | CVE-2025-13268 | VDB-332603 \| Dromara dataCompare JDBC URL DbconfigServiceImpl.java DbConfig injection VDB-332603 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689460 \| dromara dataCompare 1.0.1 Improper Input Validation https://github.com/dromara/dataCompare/issues/13 |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role. | 2025-11-21 | 5.3 | CVE-2025-10054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07c92f79-94ac-4153-9ab2-9608601508b0?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php#L77 https://plugins.trac.wordpress.org/changeset/3399391/   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets. | 2025-11-21 | 4.3 | CVE-2025-10039 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ffc0af-9c3d-4f8e-ae0b-e51c0c67dfe1?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php#L259 https://plugins.trac.wordpress.org/changeset/3391342/   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets. | 2025-11-21 | 4.3 | CVE-2025-12022 | https://www.wordfence.com/threat-intel/vulnerabilities/id/982b23c5-2414-48f7-a2f5-96fef54f8d69?source=cve https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-archive-ajax-functions.php   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets. | 2025-11-21 | 4.3 | CVE-2025-12023 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4599b145-cb89-48d4-8581-e1ee7a7bd323?source=cve https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash. | 2025-11-21 | 4.3 | CVE-2025-12085 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89696d1c-8e6e-402a-9d7a-03fe0f364a72?source=cve https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option. | 2025-11-21 | 4.3 | CVE-2025-12169 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae2ac493-e6df-4083-8601-65635ad342b2?source=cve https://plugins.trac.wordpress.org/changeset/3391816   |
| elextensions--WSChat WordPress Live Chat | The WSChat - WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings. | 2025-11-19 | 4.3 | CVE-2025-12751 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0be6658d-aec8-404c-a994-bde10a3cdbac?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395773%40wschat-live-chat&new=3395773%40wschat-live-chat&sfp_email=&sfph_mail=   |
| esm-dev--esm.sh | esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136. | 2025-11-19 | 6.1 | CVE-2025-65026 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp https://github.com/esm-dev/esm.sh/commit/87d2f6497574bf4448641a5527a3ac2beba5fd6c |
| etruel--WP Delete Post Copies | The WP Delete Post Copies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-21 | 4.4 | CVE-2025-12066 | https://www.wordfence.com/threat-intel/vulnerabilities/id/92ab1f56-5ca6-48e8-b380-ac2e302d63d2?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394571%40etruel-del-post-copies&new=3394571%40etruel-del-post-copies&sfp_email=&sfph_mail=   |
| everviz--everviz Charts, Maps and Tables Interactive and responsive | The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a `<div id=...>` from the `type` and `hash` attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-11868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3b265d9-dddd-4cf7-8d1a-980fdd17777d?source=cve https://plugins.trac.wordpress.org/browser/everviz/tags/1.0/highcharts-editor.php#L136   |
| f1logic--WP Twitter Auto Publish | The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12079 | https://www.wordfence.com/threat-intel/vulnerabilities/id/562456ac-a113-4b3d-bc5d-6dedde635d5e?source=cve https://wordpress.org/plugins/twitter-auto-publish/   |
| Facebook--WhatsApp Business for iOS | Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user's device. We have not seen evidence of exploitation in the wild. | 2025-11-18 | 5.4 | CVE-2025-55179 | https://www.facebook.com/security/advisories/cve-2025-55179 https://www.whatsapp.com/security/advisories/2025/   |
| farvehandleren--Custom Post Type | The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-21 | 4.3 | CVE-2025-13142 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48fefbd5-d872-4f47-8696-d73fbc9133ed?source=cve https://plugins.trac.wordpress.org/browser/custom-post-type/tags/1.0/cupta-dmin.php#L29   |
| fastmover--Shortcodes Bootstrap | The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the [notification] shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11764 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9363db7-4535-427d-a6ae-2580f215b965?source=cve https://plugins.trac.wordpress.org/browser/shortcodes-bootstrap/trunk/inc/dws_alert.php#L16   |
| Fortinet--FortiADC | An Out-of-bounds Write vulnerability [CWE-787] in FortiADC 8.0.0, 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to execute arbitrary code via specially crafted HTTP requests. | 2025-11-18 | 6.3 | CVE-2025-48839 | https://fortiguard.fortinet.com/psirt/FG-IR-25-225   |
| Fortinet--FortiADC | An improper neutralization of script-related HTML tags in a web page (basic XSS) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow an attacker to execute unauthorized code or commands via a crafted URL. | 2025-11-19 | 4.2 | CVE-2025-58412 | https://fortiguard.fortinet.com/psirt/FG-IR-25-736   |
| Fortinet--FortiClientWindows | An active debug code vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.10, FortiClientWindows 7.0 all versions may allow a local attacker to run the application step by step and retrieve the saved VPN user password | 2025-11-18 | 4.9 | CVE-2025-54660 | https://fortiguard.fortinet.com/psirt/FG-IR-25-844   |
| Fortinet--FortiExtender | A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands. | 2025-11-18 | 6.3 | CVE-2025-46776 | https://fortiguard.fortinet.com/psirt/FG-IR-25-251   |
| Fortinet--FortiExtender | A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands. | 2025-11-18 | 5.2 | CVE-2025-46775 | https://fortiguard.fortinet.com/psirt/FG-IR-25-259   |
| Fortinet--FortiOS | A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows attacker to execute unauthorized code or commands via specially crafted packets | 2025-11-18 | 6.9 | CVE-2025-53843 | https://fortiguard.fortinet.com/psirt/FG-IR-25-358   |
| Fortinet--FortiSandbox | An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file. | 2025-11-18 | 5 | CVE-2025-46215 | https://fortiguard.fortinet.com/psirt/FG-IR-24-501   |
| Fortinet--FortiSASE | A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiSASE 25.3.b allows attacker to execute unauthorized code or commands via specially crafted packets | 2025-11-18 | 6.9 | CVE-2025-58413 | https://fortiguard.fortinet.com/psirt/FG-IR-25-632   |
| Fortinet--FortiWeb | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. | 2025-11-18 | 6.7 | CVE-2025-58034 | https://fortiguard.fortinet.com/psirt/FG-IR-25-513   |
| Fortinet--FortiWeb | A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with shell access to the device to connect to redis service and access its data | 2025-11-18 | 4.8 | CVE-2025-59669 | https://fortiguard.fortinet.com/psirt/FG-IR-25-843   |
| fpcorso--Tips Shortcode | The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11767 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34c13495-23c3-4b07-9bfb-678723daa43f?source=cve https://plugins.trac.wordpress.org/browser/tips-shortcode/tags/0.2.1/tips_shortcode.php#L33   |
| Gallagher--HBUS Devices | Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior. | 2025-11-18 | 5.7 | CVE-2025-52457 | https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-52457   |
| Gallagher--High Sec End of Line Module | Incorrect Usage of Seeds in Pseudo-Random Number Generator (CWE-335) vulnerability in the High Sec ELM may allow a sophisticated attacker with physical access to compromise internal device communications. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior. | 2025-11-18 | 5.7 | CVE-2025-52578 | https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-52578   |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API. | 2025-11-21 | 5 | CVE-2025-9825 | https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/ GitLab Issue #567301 HackerOne Bug Bounty Report #3319800   |
| gn_themes--WP Shortcodes Plugin Shortcodes Ultimate | The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers | 2025-11-23 | 6.4 | CVE-2025-12800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb7db4-bef7-4799-9b65-ebe77976e21c?source=cve https://plugins.trac.wordpress.org/changeset/3397946/   |
| goauthentik--authentik | authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, invitations were considered valid regardless of whether they had expired, so authentik relied on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large number of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, binding it to the invitation stage on the invitation flow, and denying access if the invitation is not valid. | 2025-11-19 | 5.8 | CVE-2025-64708 | https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830   |
| goauthentik--authentik | authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied, and federation with other providers still takes assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks whether the service account is still valid and denies access if not. | 2025-11-19 | 4.8 | CVE-2025-64521 | https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c   |
| HashiCorp--Terraform Enterprise | Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3. | 2025-11-21 | 4.3 | CVE-2025-13432 | https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-enterprise-state-versions-can-be-created-by-users-without-sufficient-write-access/76821   |
| HCL Software--Glovius Cloud | A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint. | 2025-11-20 | 6.8 | CVE-2025-62346 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0126459   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system. | 2025-11-18 | 6.7 | CVE-2025-37157 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking 100 Series Cellular Bridge | A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | 2025-11-18 | 6.5 | CVE-2025-37162 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04970en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional. | 2025-11-18 | 6.8 | CVE-2025-37156 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system. | 2025-11-18 | 6.7 | CVE-2025-37158 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data. | 2025-11-18 | 5.8 | CVE-2025-37159 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data. | 2025-11-18 | 5.3 | CVE-2025-37160 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| humanityco--Cookie Notice & Compliance for GDPR / CCPA | The Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cookies_accepted shortcode in all versions up to, and including, 2.5.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-22 | 6.4 | CVE-2025-11186 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19700658-1bef-4e85-a995-d86fff508cdf?source=cve https://plugins.trac.wordpress.org/browser/cookie-notice/tags/2.5.7/cookie-notice.php#L1060 https://plugins.trac.wordpress.org/browser/cookie-notice/tags/2.5.7/cookie-notice.php#L1181   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-11-20 | 6.1 | CVE-2025-36153 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output. | 2025-11-20 | 6.2 | CVE-2025-36159 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying. | 2025-11-20 | 5.1 | CVE-2025-36158 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system. | 2025-11-20 | 5.3 | CVE-2025-36160 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | 2025-11-20 | 5.9 | CVE-2025-36161 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--i | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are affected by an information disclosure vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view. | 2025-11-19 | 6.5 | CVE-2025-36371 | https://www.ibm.com/support/pages/node/7251699   |
| IBM--IBM Concert Software | IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. | 2025-11-21 | 6.3 | CVE-2025-36149 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--IBM Planning Analytics Local | IBM Planning Analytics Local 2.1.0 through 2.1.14 stores sensitive information in source code that could be used in further attacks against the system. | 2025-11-17 | 4.3 | CVE-2025-36299 | https://www.ibm.com/support/pages/node/7251265   |
| iCam365--P201 | The affected product allows unauthenticated access to Real Time Streaming Protocol (RTSP) services, which may allow an attacker unauthorized access to camera configuration information. | 2025-11-20 | 6.8 | CVE-2025-62674 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-02.json https://icam365.net/en/aboutUs/   |
| iCam365--P201 | The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information. | 2025-11-20 | 6.8 | CVE-2025-64770 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-02 https://icam365.net/en/aboutUs/ https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-02.json   |
| icegram--Email Subscribers & Newsletters Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce | The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects. | 2025-11-19 | 5.3 | CVE-2025-12349 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54 https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394838%40email-subscribers%2Ftrunk&old=3393565%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=   |
| ideastocode--Enable SVG, WebP, and ICO Upload | The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-11-18 | 6.4 | CVE-2025-12457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f267a5-012d-4b9a-a59d-9eccb04c557a?source=cve https://plugins.trac.wordpress.org/browser/enable-svg-webp-ico-upload/tags/1.1.2/includes/class-svg.php#L21   |
| integrationshotelrunner--HotelRunner Booking Widget | The HotelRunner Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hotelrunner' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-13135 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df2854c4-5d57-4c39-a28f-41dab36a086e?source=cve https://wordpress.org/plugins/hotelrunner/#developers   |
| interledger--Coil Web Monetization | The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the maybe_restrict_content function. This makes it possible for unauthenticated attackers to trigger CSS selector detection functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 4.3 | CVE-2025-9625 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4aa4cb93-7af3-4427-a17f-160b27fcebb8?source=cve https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/functions.php#L48 https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/gating/functions.php#L202 https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/gating/functions.php#L195   |
| Iqbolshoh--php-business-website | A security vulnerability has been detected in Iqbolshoh php-business-website up to 10677743a8dfc281f85291a27cf63a0bce043c24. This affects an unknown part of the file /admin/about.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | 2025-11-17 | 4.7 | CVE-2025-13275 | VDB-332610 \| Iqbolshoh php-business-website about.php unrestricted upload VDB-332610 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690049 \| php-business-website web 1 Unrestricted Upload https://github.com/mhszed/Report/blob/main/php-business-website%20upload.docx   |
| itsourcecode--COVID Tracking System | A vulnerability was detected in itsourcecode COVID Tracking System 1.0. This affects an unknown function of the file /admin/?page=establishment. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-11-23 | 6.3 | CVE-2025-13567 | VDB-333331 \| itsourcecode COVID Tracking System page sql injection VDB-333331 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698116 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/Abxery/cveee/issues/9 https://itsourcecode.com/   |
| itsourcecode--COVID Tracking System | A flaw has been found in itsourcecode COVID Tracking System 1.0. This impacts an unknown function of the file /admin/?page=people. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-11-23 | 6.3 | CVE-2025-13568 | VDB-333332 \| itsourcecode COVID Tracking System page sql injection VDB-333332 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698117 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/Abxery/cveee/issues/10 https://itsourcecode.com/   |
| itsourcecode--COVID Tracking System | A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/?page=city. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-23 | 6.3 | CVE-2025-13569 | VDB-333333 \| itsourcecode COVID Tracking System page sql injection VDB-333333 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698655 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/58 https://itsourcecode.com/   |
| itsourcecode--COVID Tracking System | A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=state. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-11-23 | 6.3 | CVE-2025-13570 | VDB-333334 \| itsourcecode COVID Tracking System page sql injection VDB-333334 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698656 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/59 https://itsourcecode.com/   |
| itsourcecode--Online Voting System | A security flaw has been discovered in itsourcecode Online Voting System 1.0. The impacted element is an unknown function of the file /ajax.php?action=save_user. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13286 | VDB-332626 \| itsourcecode Online Voting System ajax.php sql injection VDB-332626 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690888 \| itsourcecode Online Voting System V1.0 SQL Injection https://github.com/WANGshuyan2025/cve/issues/8 https://itsourcecode.com/   |
| itsourcecode--Online Voting System | A weakness has been identified in itsourcecode Online Voting System 1.0. This affects an unknown function of the file /index.php?page=categories. Executing manipulation of the argument id/category can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 6.3 | CVE-2025-13287 | VDB-332627 \| itsourcecode Online Voting System index.php sql injection VDB-332627 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690889 \| itsourcecode Online Voting System V1.0 SQL Injection Submit #690891 \| itsourcecode Online Voting System V1.0 SQL Injection (Duplicate) https://github.com/WANGshuyan2025/cve/issues/9 https://itsourcecode.com/   |
| itsourcecode--Student Information System | A vulnerability was determined in itsourcecode Student Information System 1.0. The affected element is an unknown function of the file /enrollment_edit1.php. Executing manipulation of the argument en_id can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2025-11-18 | 6.3 | CVE-2025-13325 | VDB-332669 \| itsourcecode Student Information System enrollment_edit1.php sql injection VDB-332669 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691929 \| itsourcecode Student Information System V1.0 SQL Injection https://github.com/chenxiyue-2006/CVE/issues/1 https://itsourcecode.com/   |
| itvn9online--EchBay Admin Security | The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-21 | 6.1 | CVE-2025-11885 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e7bd966-9a98-4192-83d9-e1682ec00a02?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398386%40echbay-admin-security&new=3398386%40echbay-admin-security&sfp_email=&sfph_mail=   |
| jameschz--Hush Framework | A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER['HOST'] causes improper neutralization of http headers for scripting syntax. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 5.3 | CVE-2025-13434 | VDB-332978 \| jameschz Hush Framework HTTP Host Header Util.php http headers for scripting syntax VDB-332978 \| CTI Indicators (IOB, IOC, IOA) Submit #687568 \| jameschz Hush 2.0 Improper Neutralization of HTTP Headers for Scripting Syntax https://github.com/lakshayyverma/CVE-Discovery/blob/main/hush.md   |
| jcollings--Import WP Export and Import CSV and XML files to WordPress | The Import WP - Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp. | 2025-11-21 | 5.3 | CVE-2025-12894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28ca9590-dc0b-40c9-9de6-1480094ea8be?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394624%40jc-importer&new=3394624%40jc-importer&sfp_email=&sfph_mail=   |
| johnjamesjacoby--Post Type Switcher | The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact. | 2025-11-18 | 5.4 | CVE-2025-12524 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d875514c-c7d3-4236-842b-6e772048448d?source=cve https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-type-switcher.php#L469 https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-type-switcher.php#L486 https://cwe.mitre.org/data/definitions/639.html https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391983%40post-type-switcher%2Ftrunk&old=3331072%40post-type-switcher%2Ftrunk&sfp_email=&sfph_mail=   |
| Kaspersky--Kaspersky Endpoint Security | Kaspersky has fixed a security issue in Kaspersky Endpoint Security for Linux (any version with anti-virus databases prior to 18.11.2025), Kaspersky Industrial CyberSecurity for Linux Nodes (any version with anti-virus databases prior to 18.11.2025), and Kaspersky Endpoint Security for Mac (12.0.0.325, 12.1.0.553, and 12.2.0.694 with anti-virus databases prior to 18.11.2025) that could have allowed a reflected XSS attack to be carried out by an attacker using phishing techniques. | 2025-11-20 | 6.1 | CVE-2025-64984 | Advisory issued on November 18, 2025   |
| kurudrive--VK All in One Expansion Unit | The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-11265 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9e5a6158-03d4-4ac7-8a4b-666cedabb433?source=cve https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/class-vk-call-to-action.php#L198 https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/block/index.php#L259 https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/block/index.php#L271 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394731%40vk-all-in-one-expansion-unit%2Ftrunk&old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk&sfp_email=&sfph_mail=#file2 |
| kurudrive--VK All in One Expansion Unit | The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-11267 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8996a0f0-8a49-4310-917b-62172c12afdb?source=cve https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/admin/class-veu-metabox.php#L178 https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/css-customize/css-customize-single.php#L32 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393317%40vk-all-in-one-expansion-unit%2Ftrunk&old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk&sfp_email=&sfph_mail=   |
| kwmanagement--Pet-Manager Petfinder | The Pet-Manager - Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-12710 | https://www.wordfence.com/threat-intel/vulnerabilities/id/35b0d959-2adb-4de4-b51b-1bfead49bc7d?source=cve https://plugins.trac.wordpress.org/browser/tier-management-petfinder/tags/3.6.1/kwm-petfinder.php#L133 https://plugins.trac.wordpress.org/browser/tier-management-petfinder/tags/3.6.1/kwm-petfinder.php#L163 https://plugins.trac.wordpress.org/browser/tier-management-petfinder/tags/3.6.1/kwm-petfinder.php#L164 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396792%40tier-management-petfinder&new=3396792%40tier-management-petfinder&sfp_email=&sfph_mail=   |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK. | 2025-11-21 | 6.5 | CVE-2025-65107 | https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w   |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim's browser. This issue has been patched in version 25.11.0. | 2025-11-18 | 6.2 | CVE-2025-65013 | https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x   |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0. | 2025-11-18 | 5.5 | CVE-2025-65093 | https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9   |
| lightgalleryteam--LightGallery WP | Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-20 | 6.4 | CVE-2025-5092 | https://www.wordfence.com/threat-intel/vulnerabilities/id/acaa3142-2bbc-43d3-8ecc-05e8edb931ec?source=cve https://github.com/sachinchoolur/lightGallery https://plugins.trac.wordpress.org/changeset/3311382/ https://plugins.trac.wordpress.org/changeset/3356089/ https://plugins.trac.wordpress.org/changeset/3372141/ https://plugins.trac.wordpress.org/changeset/3343557/   |
| lsfusion--platform | A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes path traversal. It is possible to initiate the attack remotely. | 2025-11-17 | 6.3 | CVE-2025-13265 | VDB-332600 \| lsfusion platform ZipUtils.java unpackFile path traversal VDB-332600 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689427 \| lsFusion 6.1 Arbitrary File Overwrite and Deletion https://github.com/lsfusion/platform/issues/1545 |
| lsfusion--platform | A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Performing manipulation of the argument Version results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-11-17 | 5.3 | CVE-2025-13261 | VDB-332596 \| lsfusion platform DownloadFileRequestHandler.java DownloadFileRequestHandler path traversal VDB-332596 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689412 \| lsFusion 6.1 Unauthorized Arbitrary File Read https://github.com/lsfusion/platform/issues/1543 https://github.com/lsfusion/platform/issues/1543#issue-3576922131 |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65020 | https://github.com/lukevella/rallly/security/advisories/GHSA-44w7-pf32-gv5m https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants' votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65028 | https://github.com/lukevella/rallly/security/advisories/GHSA-pchc-v5hg-f5gp https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65031 | https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpm https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user's name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65032 | https://github.com/lukevella/rallly/security/advisories/GHSA-q9m7-chfx-43xw https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| macrozheng--mall | A vulnerability was detected in macrozheng mall up to 1.0.3. Affected by this issue is the function delete of the file /member/readHistory/delete. Performing manipulation of the argument ids results in improper access controls. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-11-20 | 5.4 | CVE-2025-13443 | VDB-333016 \| macrozheng mall delete access control VDB-333016 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690892 \| mall <=1.0.3 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/15 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker's domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim's password and take over the account. This issue has been patched in version 5.5.2#162. | 2025-11-20 | 6.8 | CVE-2025-62709 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xhhf-mpqr-2cq5 https://github.com/MacWarrior/clipbucket-v5/commit/1a93532e665217b5d329808ca78e37e59e9f8a9d   |
| Microsoft--Visual Studio Code | Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network. | 2025-11-20 | 5.7 | CVE-2025-64660 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability   |
| MongoDB--C Driver | A mongoc_bulk_operation_t may read invalid memory if large options are passed. | 2025-11-18 | 6.8 | CVE-2025-12119 | https://github.com/mongodb/mongo-php-driver/releases/tag/1.21.2 https://github.com/mongodb/mongo-c-driver/releases/tag/1.30.6 https://github.com/mongodb/mongo-c-driver/releases/tag/2.1.2   |
| n/a--libvirt | A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability. | 2025-11-17 | 5.5 | CVE-2025-13193 | https://access.redhat.com/security/cve/CVE-2025-13193 |
| nalam-1--Magical Products Display Elementor WooCommerce Widgets \| Product Sliders, Grids & AJAX Search | The Magical Products Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters in the MPD Pricing Table widget in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12964 | https://www.wordfence.com/threat-intel/vulnerabilities/id/758e23b9-c3d5-4f1c-9659-66483d6f0578?source=cve https://plugins.trac.wordpress.org/browser/magical-products-display/tags/1.1.29/includes/widgets/pricing-table.php#L2149 https://plugins.trac.wordpress.org/browser/magical-products-display/tags/1.1.29/includes/widgets/pricing-table.php#L2167 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394768%40magical-products-display&new=3394768%40magical-products-display&sfp_email=&sfph_mail= |
| nikolayyordanov--Like-it | The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12404 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ad1d9f5-c224-4d28-8d73-439b3c5ca24f?source=cve https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L130 https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L131 https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/tpl/config.php#L37   |
| ninjateam--WP Duplicate Page | The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information. | 2025-11-18 | 4.3 | CVE-2025-12481 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61105f6a-1bd7-415d-9481-a1c2c310f778?source=cve https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Page/Settings.php#L92 https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Classes/ButtonDuplicate.php#L137 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394773%40wp-duplicate-page%2Ftrunk&old=3386144%40wp-duplicate-page%2Ftrunk&sfp_email=&sfph_mail=   |
| NixOS--nixpkgs | NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an existing revision ID could use this secret to obtain a document. In practice, an arbitrary revision ID should be hard to obtain. The primary impact is likely the access to known documents from users with expired access. This issue was resolved in NixOS unstable version 25.11 and version 25.05. | 2025-11-17 | 5.3 | CVE-2025-64766 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-58m4-5wg3-5g5v https://github.com/NixOS/nixpkgs/pull/462100 https://github.com/NixOS/nixpkgs/pull/462204 https://github.com/NixOS/nixpkgs/commit/8e74d05e3de4ee5ad320cd585a7e0f12a4730869 https://github.com/NixOS/nixpkgs/commit/cec38dec00df26a901eb8b424d53bbb3bcc72eec   |
| open-formulieren--open-forms | Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3. | 2025-11-18 | 4.3 | CVE-2025-64515 | https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#327-2025-11-18 https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#333-2025-11-18 |
| Opto22--GRV-EPIC-PR1 | A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root. | 2025-11-20 | 6.2 | CVE-2025-13087 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03 https://www.opto22.com/support/resources-tools/knowledgebase/kb91326 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json   |
| OSC--ondemand | Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability. | 2025-11-20 | 4.3 | CVE-2025-62724 | https://github.com/OSC/ondemand/security/advisories/GHSA-vjpg-34px-gjrw   |
| pluginsGLPI--databaseinventory | pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. In versions prior to 1.0.3, any authenticated user could send requests to agents. This issue has been patched in version 1.0.3. | 2025-11-18 | 4.3 | CVE-2025-53360 | https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-5j5j-xr62-jr58 https://github.com/pluginsGLPI/databaseinventory/commit/0a376a0c6f4142e11ea518faefe95c01b176fd87 https://github.com/pluginsGLPI/databaseinventory/commit/7dcad1efb6ee84e9cffb3b446cdb47dc0be1091e https://github.com/pluginsGLPI/databaseinventory/commit/e9d4474acdab4141a6f4798cdd406b0d04480269   |
| powerblogservice--AuthorSure | The AuthorSure plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the 'authorsure' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-21 | 6.1 | CVE-2025-13134 | https://www.wordfence.com/threat-intel/vulnerabilities/id/81070529-b269-44b0-8f21-b08add63a099?source=cve https://drive.google.com/file/d/1ZVmQSyjgRxNVGef7Zkzdws8kLraxOt59/view?pli=1   |
| Progress--MOVEit Transfer | Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4. | 2025-11-19 | 5.3 | CVE-2025-13147 | https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Fixed-Issues-in-2024.1.8.html https://docs.progress.com/bundle/moveit-transfer-release-notes-2025/page/Fixed-Issues-in-2025.0.4.html https://docs.progress.com/bundle/moveit-transfer-release-notes-2025_1/page/Fixed-Issues-in-2025.1.html |
| projectworlds--Advanced Library Management System | A vulnerability was identified in projectworlds Advanced Library Management System 1.0. This vulnerability affects unknown code of the file /add_member.php. Such manipulation of the argument roll_number leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2025-11-17 | 6.3 | CVE-2025-13254 | VDB-332589 \| projectworlds Advanced Library Management System add_member.php sql injection VDB-332589 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687854 \| projectworlds Advanced Library Management System 1.0 SQL Injection https://github.com/Wyg2002yx/cve/blob/main/002/report.md |
| projectworlds--Advanced Library Management System | A security flaw has been discovered in projectworlds Advanced Library Management System 1.0. This issue affects some unknown processing of the file /book_search.php. Performing manipulation of the argument book_pub/book_title results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13255 | VDB-332590 \| projectworlds Advanced Library Management System book_search.php sql injection VDB-332590 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687855 \| projectworlds Advanced Library Management System 1.0 SQL Injection Submit #687857 \| projectworlds Advanced Library Management System 1.0 SQL Injection (Duplicate) https://github.com/Wyg2002yx/cve/blob/main/003/report.md https://github.com/Wyg2002yx/cve/blob/main/004/report.md |
| projectworlds--Advanced Library Management System | A weakness has been identified in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /borrow.php. Executing manipulation of the argument roll_number can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 6.3 | CVE-2025-13256 | VDB-332591 \| projectworlds Advanced Library Management System borrow.php sql injection VDB-332591 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687856 \| projectworlds Advanced Library Management System 1.0 SQL Injection https://github.com/Wyg2002yx/cve/blob/main/005/report.md |
| projectworlds--Advanced Library Management System | A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /borrowed_book_search.php. Such manipulation of the argument datefrom/dateto leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13278 | VDB-332613 \| projectworlds Advanced Library Management System borrowed_book_search.php sql injection VDB-332613 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690797 \| projectworlds Advanced Library Management System 1.0 SQL Injection https://github.com/CH0ico/CVE_choco_1/blob/master/report.md |
| projectworlds--can pass malicious payloads | A security flaw has been discovered in projectworlds can pass malicious payloads up to 1.0. This vulnerability affects unknown code of the file /add_book.php. The manipulation of the argument image results in unrestricted upload. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-11-23 | 6.3 | CVE-2025-13573 | VDB-333337 \| projectworlds can pass malicious payloads add_book.php unrestricted upload VDB-333337 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698646 \| projectworlds Advanced Library Management System V1.0 Unrestricted Upload https://github.com/GYSakura/tmp75/blob/main/report.md |
| publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint. | 2025-11-21 | 4.3 | CVE-2025-13149 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f   |
| qzzr--Pollcaster Shortcode Plugin | The Pollcaster Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'pollcaster' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12661 | https://www.wordfence.com/threat-intel/vulnerabilities/id/120ba9e5-9594-4a4f-b475-ef3fcf5f4565?source=cve https://wordpress.org/plugins/pollcaster-shortcode/ https://plugins.trac.wordpress.org/browser/pollcaster-shortcode/tags/1.0/pollcaster.php#L33   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. | 2025-11-18 | 4.9 | CVE-2025-54770 | https://access.redhat.com/security/cve/CVE-2025-54770 RHBZ#2413813 |
| Red Hat--Red Hat Enterprise Linux 10 | A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded. | 2025-11-18 | 4.9 | CVE-2025-54771 | https://access.redhat.com/security/cve/CVE-2025-54771 RHBZ#2413823   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited. | 2025-11-18 | 4.8 | CVE-2025-61661 | https://access.redhat.com/security/cve/CVE-2025-61661 RHBZ#2413827   |
| Red Hat--Red Hat Enterprise Linux 10 | A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded. | 2025-11-18 | 4.9 | CVE-2025-61662 | https://access.redhat.com/security/cve/CVE-2025-61662 RHBZ#2414683   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded. | 2025-11-18 | 4.9 | CVE-2025-61663 | https://access.redhat.com/security/cve/CVE-2025-61663 RHBZ#2414684   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity. | 2025-11-18 | 4.9 | CVE-2025-61664 | https://access.redhat.com/security/cve/CVE-2025-61664 RHBZ#2414685   |
| rometheme--RTMKit | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-8609 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a4601d9e-02bb-4b27-b16e-7cfc0fc19919?source=cve https://plugins.trac.wordpress.org/browser/rometheme-for-elementor/trunk/widgets/rkit_widgets/rkit_image_accordion.php#L1032 https://plugins.trac.wordpress.org/changeset/3369481/rometheme-for-elementor/trunk/widgets/rkit_widgets/rkit_image_accordion.php   |
| rsync--rsync | A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue. | 2025-11-18 | 4.3 | CVE-2025-10158 | https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f https://attackerkb.com/assessments/fbacb2a6-d1cd-4011-bb3a-f06b1c8306b1   |
| Rumpus--FTP Server | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 2025-11-17 | 6.8 | CVE-2025-55055 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-11-17 | 4.8 | CVE-2025-55056 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | Multiple CWE-352 Cross-Site Request Forgery (CSRF) | 2025-11-17 | 4.5 | CVE-2025-55057 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | CWE-20 Improper Input Validation | 2025-11-17 | 4.5 | CVE-2025-55058 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-11-17 | 4.8 | CVE-2025-55059 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| rustaurius--Affiliate AI Lite | The Affiliate AI Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'asin' shortcode attribute in the affiai_img shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11799 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b05f4ef4-aa64-4cf4-a278-604df8407d12?source=cve https://plugins.trac.wordpress.org/browser/affiliate-ai-lite/tags/1.0.1/includes/afx-img.php#L53 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399153%40affiliate-ai-lite&new=3399153%40affiliate-ai-lite   |
| rustybadrobot--Display Pages Shortcode | The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11763 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df4ada5f-6008-40b9-ad83-c6af82e64e9f?source=cve https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L513 https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L517   |
| saadiqbal--New User Approve | The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured. | 2025-11-19 | 5.3 | CVE-2025-12770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f1cf77a-64b4-405b-adcb-ef16d9e82ab2?source=cve https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.0.9/includes/zapier/includes/rest-api.php#L104 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.0.9/includes/zapier/includes/rest-api.php#L40 https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/zapier/includes/rest-api.php#L104   |
| sayontan--Photonic Gallery & Lightbox for Flickr, SmugMug & Others | The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2025-11-18 | 6.4 | CVE-2025-12691 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f21f4a4-4b50-4396-8d94-26d68c0eb3a3?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3392284%40photonic&old=3336902%40photonic&sfp_email=&sfph_mail=   |
| Saysis Computer Systems Trade Ltd. Co.--StarCities | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities allows Reflected XSS. This issue affects StarCities: before 1.1.61. | 2025-11-19 | 5.4 | CVE-2025-11963 | https://www.usom.gov.tr/bildirim/tr-25-0403   |
| scottpaterson--Subscriptions & Memberships for PayPal | The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create fake payment entries that have not actually occurred. | 2025-11-22 | 5.3 | CVE-2025-12752 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8f706b78-2d67-442c-b7a0-7d7a0fd24b2d?source=cve https://plugins.trac.wordpress.org/browser/subscriptions-memberships-for-paypal/trunk/includes/public_ipn.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397608%40subscriptions-memberships-for-paypal&new=3397608%40subscriptions-memberships-for-paypal&sfp_email=&sfph_mail=   |
| seventhqueen--Restrictions for BuddyPress | The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking. | 2025-11-18 | 5.3 | CVE-2025-12391 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve https://wordpress.org/plugins/bp-restrict/   |
| Shopside Software Technologies Inc.--Shopside | Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025. | 2025-11-19 | 4.7 | CVE-2025-0421 | https://www.usom.gov.tr/bildirim/tr-25-0402   |
| Siemens--Mendix RichText | A vulnerability has been identified in Mendix RichText (All versions >= V4.0.0 < V4.6.1). Affected widget does not properly neutralize the input. This could allow an attacker to execute cross-site scripting attacks. | 2025-11-17 | 5.7 | CVE-2025-40834 | https://cert-portal.siemens.com/productcert/html/ssa-190588.html   |
| SMCI--MBD-X13SEDW-F | Stack-based buffer overflow in the SMASH-CLP shell. An authenticated attacker with SSH access to the BMC can exploit a stack buffer overflow via a crafted SMASH command, overwrite the return address and registers, and achieve arbitrary code execution on the BMC firmware operating system. | 2025-11-18 | 5.4 | CVE-2025-7623 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| SMCI--MBD-X13SEDW-F | A stack buffer overflow vulnerability exists in the Supermicro BMC Shared library. An authenticated attacker with access to the BMC can exploit the stack buffer overflow via a crafted header and achieve arbitrary code execution on the BMC's firmware operating system. | 2025-11-18 | 5.5 | CVE-2025-8404 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| softaculous--SiteSEO SEO Simplified | The SiteSEO - SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, who have been granted access to at least one SiteSEO setting capability, to reset the plugin's settings. | 2025-11-19 | 5.3 | CVE-2025-12814 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a376cafb-656c-4fe1-b5c1-c7e38dc5040e?source=cve https://plugins.trac.wordpress.org/browser/siteseo/tags/1.3.2/main/ajax.php#L90 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397272%40siteseo&new=3397272%40siteseo&sfp_email=&sfph_mail=   |
| softaculous--SiteSEO SEO Simplified | The SiteSEO - SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This makes it possible for authenticated attackers with the siteseo_manage capability (e.g., Author-level users who have been granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order they cannot edit, via the custom field variable resolution feature granted they have been given access to SiteSEO by an administrator and legacy storage is enabled. In affected WooCommerce installations, this exposes sensitive customer billing information including names, email addresses, phone numbers, physical addresses, and payment methods. | 2025-11-19 | 4.3 | CVE-2025-13085 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4d740ba8-4877-4b27-a1cb-26095f851ea6?source=cve https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/ajax.php#L542 https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/titlesmetas.php#L494 https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/admin.php#L106 https://plugins.trac.wordpress.org/changeset/3397272/siteseo/trunk?contextall=1&old=3387094&old_path=%2Fsiteseo%2Ftrunk   |
| SolarWinds--SolarWinds Observability Self-Hosted | SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. | 2025-11-18 | 5.4 | CVE-2025-26391 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26391 https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2025-4-1_release_notes.htm   |
| SolarWinds--SolarWinds Observability Self-Hosted | SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required. | 2025-11-18 | 4.8 | CVE-2025-40545 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40545 https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2025-4-1_release_notes.htm   |
| SourceCodester--Alumni Management System | A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete Handler. Executing manipulation of the argument ID can lead to missing authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-20 | 5.4 | CVE-2025-13468 | VDB-333041 \| SourceCodester Alumni Management System Delete admin_class.php delete_event authorization VDB-333041 \| CTI Indicators (IOB, IOC, IOA) Submit #694826 \| SourceCodester Alumni Management System 1.0 Missing Authorization https://hackmd.io/@mlgzackfly/SourceCodester https://www.sourcecodester.com/   |
| SourceCodester--Dental Clinic Appointment Reservation System | A vulnerability was detected in SourceCodester Dental Clinic Appointment Reservation System 1.0. Impacted is an unknown function of the file /success.php. Performing manipulation of the argument username/password results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13267 | VDB-332602 \| SourceCodester Dental Clinic Appointment Reservation System success.php sql injection VDB-332602 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689450 \| Dental Clinic Appointment Reservation System 1.0 SQL Injection https://github.com/0xffaaa/cve/blob/main/Dental_Clinic_Appointment_Reservation_System_Time-Based_SQL_Injection2.md https://www.sourcecodester.com/   |
| SourceCodester--Inventory Management System | A weakness has been identified in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the file /model/user/resetPassword.php. Executing manipulation can lead to weak password recovery. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. | 2025-11-23 | 5.3 | CVE-2025-13565 | VDB-333329 \| SourceCodester Inventory Management System resetPassword.php password recovery VDB-333329 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697984 \| SourceCodester Inventory Management System 1.0 Business Logic Errors https://www.notion.so/Unauthenticated-Password-Reset-Vulnerability-in-SourceCodester-Inventory-Management-System-2b023917db8c8001b5ecf4c50a54dfbd?source=copy_link https://www.sourcecodester.com/   |
| SourceCodester--Online Magazine Management System | A vulnerability was identified in SourceCodester Online Magazine Management System 1.0. Affected by this issue is some unknown functionality of the file /categories.php. The manipulation of the argument c leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-11-17 | 6.3 | CVE-2025-13263 | VDB-332598 \| SourceCodester Online Magazine Management System categories.php sql injection VDB-332598 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689416 \| Online Magazine Management System 1.0 SQL Injection https://github.com/0xffaaa/cve/blob/main/Online%20Magazine%20Management%20System%20SQL%20blind%20injection(SQLI).md https://www.sourcecodester.com/   |
| SourceCodester--Online Magazine Management System | A security flaw has been discovered in SourceCodester Online Magazine Management System 1.0. This affects an unknown part of the file /view_magazine.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13264 | VDB-332599 \| SourceCodester Online Magazine Management System view_magazine.php sql injection VDB-332599 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689424 \| Online Magazine Management System 1.0 SQL Injection https://github.com/0xffaaa/cve/blob/main/Online%20Magazine%20Management%20System%20SQL%20blind%20injection2(SQLI)%20.md https://www.sourcecodester.com/   |
| SourceCodester--Pre-School Management System | A security flaw has been discovered in SourceCodester Pre-School Management System 1.0. Impacted is the function removefile of the file app/controllers/FilehelperController.php. Performing manipulation of the argument filepath results in denial of service. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-11-23 | 5.4 | CVE-2025-13564 | VDB-333328 \| SourceCodester Pre-School Management System FilehelperController.php removefile denial of service VDB-333328 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697083 \| Pre-School Management System 1.0 delete file https://github.com/0xffaaa/cve/blob/main/Pre_School_Management_System_Arbitrary_File_Deletion_Vulnerabilit.md https://www.sourcecodester.com/   |
| SourceCodester--Train Station Ticketing System | A security vulnerability has been detected in SourceCodester Train Station Ticketing System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_ticket. Such manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-18 | 6.3 | CVE-2025-13345 | VDB-332763 \| SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332763 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691943 \| SonarSource Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/15 https://www.sourcecodester.com/   |
| SourceCodester--Train Station Ticketing System | A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. This affects an unknown part of the file /ajax.php?action=save_station. Performing manipulation of the argument id/station results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-11-18 | 6.3 | CVE-2025-13346 | VDB-332764 \| SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332764 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691944 \| SourceCodester Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/16 https://www.sourcecodester.com/   |
| SourceCodester--Train Station Ticketing System | A flaw has been found in SourceCodester Train Station Ticketing System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=save_user. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-11-18 | 6.3 | CVE-2025-13347 | VDB-332765 \| SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332765 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691945 \| SourceCodester Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/17 https://www.sourcecodester.com/   |
| sscovil--CSV to SortTable | The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-12823 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53c59793-27db-44fa-92c8-2184d6914d8f?source=cve https://wordpress.com/plugins/csv-to-sorttable   |
| sundayfanz--wModes Catalog Mode, Product Pricing, Enquiry Forms & Promotions \| for WooCommerce | The wModes - Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX endpoint. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information including user emails, usernames, roles, capabilities, and WooCommerce data such as products and payment methods. | 2025-11-18 | 4.3 | CVE-2025-12639 | https://www.wordfence.com/threat-intel/vulnerabilities/id/979001c4-45dd-4168-8749-c8eebe237b60?source=cve https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L12 https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L29 https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L165 https://plugins.trac.wordpress.org/changeset/3392651/catalog-mode-pricing-enquiry-forms-promotions/trunk?contextall=1&old=3390779&old_path=%2Fcatalog-mode-pricing-enquiry-forms-promotions%2Ftrunk#file11   |
| surbma--Surbma \| MiniCRM Shortcode | The Surbma \| MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7509053-fc70-420a-b998-b7158732c147?source=cve https://plugins.trac.wordpress.org/browser/surbma-minicrm-shortcode/tags/2.0/surbma-minicrm-shortcode.php#L34   |
| tainacan--Tainacan | The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-21 | 6.1 | CVE-2025-12746 | https://www.wordfence.com/threat-intel/vulnerabilities/id/014dd0ee-0bd0-477c-a0fa-bde8ce5a099c?source=cve https://github.com/tainacan/tainacan/blob/2491612ee9d5b14baa70862ba2308ee925de0938/src/classes/theme-helper/template-tags.php#L1652 https://plugins.trac.wordpress.org/changeset/3395909/tainacan/trunk/classes/theme-helper/template-tags.php   |
| tainacan--Tainacan | The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract potentially sensitive information from files that have been marked as private. | 2025-11-21 | 5.3 | CVE-2025-12747 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c64869f0-a4dd-4135-8ed8-a6ff82a48e1f?source=cve https://github.com/tainacan/tainacan/blob/2491612ee9d5b14baa70862ba2308ee925de0938/src/classes/class-tainacan-private-files.php https://github.com/tainacan/tainacan/compare/1.0.0...1.0.1   |
| Tanium--TanOS | Tanium addressed an arbitrary file deletion vulnerability in TanOS. | 2025-11-19 | 5.6 | CVE-2025-13225 | TAN-2025-036   |
| techjewel--FluentCRM Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution | The FluentCRM - Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fluentcrm_content' shortcode in all versions up to, and including, 2.9.84 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12935 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7129e5cb-ce70-477a-a8f1-3acf152dfc21?source=cve https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/actions.php#L172 https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/Handlers/PrefFormHandler.php#L175 https://plugins.trac.wordpress.org/changeset/3399640/   |
| techlabpro1--Classified Listing AI-Powered Classified ads & Business Directory Plugin | The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. | 2025-11-17 | 5.4 | CVE-2025-7711 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9b10db9-0c7c-4f13-9d98-6d407446cfb8?source=cve https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.0.2/app/Controllers/Hooks/FilterHooks.php#L367   |
| themeatelier--IDonate Blood Donation, Request And Donor Management System | The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts. | 2025-11-22 | 5.3 | CVE-2025-12877 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96bd997f-63d5-47a7-b433-486c1113b44b?source=cve https://plugins.trac.wordpress.org/changeset/3398056/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php https://plugins.trac.wordpress.org/changeset/3400306/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php   |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs. | 2025-11-21 | 5.3 | CVE-2025-11368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c9856db-3779-4649-9a48-1c7b6d019816?source=cve https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L41 https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L23 https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0&sfp_email=&sfph_mail=   |
| tigroumeow--AI Engine | The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the rest_helpers_create_images function. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieving. | 2025-11-18 | 6.8 | CVE-2025-8084 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3b497bc0-bf47-43c7-9d5f-8e130dd0bab2?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/rest.php#L742 https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/services/image.php#L89   |
| timeslotplugins--Booking Plugin for WordPress Appointments Time Slot | The Booking Plugin for WordPress Appointments - Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution. | 2025-11-19 | 5.3 | CVE-2025-12842 | https://www.wordfence.com/threat-intel/vulnerabilities/id/087b6943-5da8-44fe-8614-832768444178?source=cve https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L21 https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L23 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397527%40timeslot&new=3397527%40timeslot&sfp_email=&sfph_mail=   |
| trainingbusinesspros--Groundhogg CRM, Newsletters, and Marketing Automation | The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-21 | 4.9 | CVE-2025-12750 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3d231e1-a63e-4b41-a6b7-91e6dfc33600?source=cve https://github.com/groundhoggwp/groundhogg/blob/master/includes/functions.php#L5705 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394550%40groundhogg&new=3394550%40groundhogg&sfp_email=&sfph_mail=#file14   |
| tripleatechnology--Cryptocurrency Payment Gateway for WooCommerce | The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking. | 2025-11-18 | 5.3 | CVE-2025-12392 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96d48392-fb64-4e5e-be9c-21df0bf75de6?source=cve https://wordpress.org/plugins/triplea-cryptocurrency-payment-gateway-for-woocommerce/   |
| userelements--Ultimate Member Widgets for Elementor WordPress User Directory | The Ultimate Member Widgets for Elementor - WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses. | 2025-11-20 | 5.3 | CVE-2025-12778 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a917a24b-09cc-48e9-844a-e1ed573a708f?source=cve https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementor   |
| valentinpellegrin--ACF Flexible Layouts Manager | The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages. | 2025-11-18 | 6.5 | CVE-2025-12937 | https://www.wordfence.com/threat-intel/vulnerabilities/id/915cce97-8305-4249-b2d3-c4da2f59a95a?source=cve https://plugins.trac.wordpress.org/browser/acf-flexible-layouts-manager/trunk/includes/ajax/ajax-paste.php#L4   |
| vaniivan--Simple User Import Export | The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration | 2025-11-18 | 6.6 | CVE-2025-13133 | https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve https://it.wordpress.org/plugins/a3-user-importer/   |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1. | 2025-11-21 | 6.5 | CVE-2025-62426 | https://github.com/vllm-project/vllm/security/advisories/GHSA-69j4-grxj-j64p https://github.com/vllm-project/vllm/pull/27205 https://github.com/vllm-project/vllm/commit/3ada34f9cb4d1af763fdfa3b481862a93eb6bd2b https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/chat_utils.py#L1602-L1610 https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/openai/serving_engine.py#L809-L814   |
| westerndeal--GSheetConnector For Ninja Forms | The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config ' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve information about the system. | 2025-11-22 | 4.3 | CVE-2025-13136 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5770cb94-8603-44d9-8cda-925175851b51?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399046%40gsheetconnector-ninja-forms&new=3399046%40gsheetconnector-ninja-forms&sfp_email=&sfph_mail=   |
| willbontrager--Local Syndication | The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks. | 2025-11-18 | 6.4 | CVE-2025-12962 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7774cdfd-622a-4608-9efd-273923a0d0aa?source=cve https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L64 https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L41   |
| winkm89--WP Admin Microblog | The WP Admin Microblog plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'wp-admin-microblog' page. This makes it possible for unauthenticated attackers to send messages on behalf of an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 4.3 | CVE-2025-12173 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c26a76d-a104-4ea6-be9f-9e8dfc3b5cd5?source=cve https://wordpress.org/plugins/wp-admin-microblog/   |
| withastro--astro | Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9. | 2025-11-19 | 5.4 | CVE-2025-65019 | https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533   |
| wpengine--WP Migrate Lite WordPress Migration Made Easy | The WP Migrate Lite - WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services. | 2025-11-18 | 5.8 | CVE-2025-11427 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b098711-ed01-4a71-b0df-30ff4fffa930?source=cve https://plugins.trac.wordpress.org/browser/wp-migrate-db/tags/2.7.5/class/Common/MigrationPersistence/Persistence.php#L50 https://plugins.trac.wordpress.org/browser/wp-migrate-db/tags/2.7.5/class/Common/Migration/Flush.php#L69   |
| wpfanyi--WPSite Shortcode | The WPSite Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the wpsite_y shortcode and the 'before' attribute in the wpsite_postauthor shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping in error messages. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d9712c2-1698-4c67-a700-a4598cb25a95?source=cve https://plugins.trac.wordpress.org/browser/wpsite-shortcode/tags/1.2/shortcodes/wpsite-date.php#L19 https://plugins.trac.wordpress.org/browser/wpsite-shortcode/tags/1.2/shortcodes/wpsite-date.php#L35 https://plugins.trac.wordpress.org/browser/wpsite-shortcode/tags/1.2/shortcodes/wpsite-date.php#L51   |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item['field_id'] in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-6251 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ead108c4-ac09-42ea-95c5-e95dc514f1cb?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/form-builder/widgets/wpr-form-builder.php#L4023   |
| wpswings--Return Refund and Exchange For WooCommerce | The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other users' order messages. | 2025-11-21 | 5.4 | CVE-2025-12881 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail=   |
| wpswings--Return Refund and Exchange For WooCommerce | The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' refund requests. | 2025-11-21 | 4.3 | CVE-2025-12086 | https://www.wordfence.com/threat-intel/vulnerabilities/id/126e2b92-322e-440c-a924-1b604330f164?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail=   |
| wpwax--Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings | The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'directorist_prepare_listings_export_file' and 'directorist_type_slug_change' AJAX actions in all versions up to, and including, 8.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export listing details and change the directorist slug. | 2025-11-19 | 6.5 | CVE-2025-12174 | https://www.wordfence.com/threat-intel/vulnerabilities/id/796c0ded-3a23-4dd6-968a-a8e60bd8ea0e?source=cve https://plugins.trac.wordpress.org/changeset/3394856/directorist/tags/8.5.3/includes/classes/class-ajax-handler.php   |
| wwwlike--vlife | A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java of the component VLifeApi. Such manipulation of the argument fileName leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 5.3 | CVE-2025-13266 | VDB-332601 \| wwwlike vlife VLifeApi SysFileApi.java create path traversal VDB-332601 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689436 \| vlife 2.0.1 Arbitrary File Read https://github.com/wwwlike/vlife/issues/3   |
| xwikisas--application-admintools | XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible. This issue has been patched in version 1.1. A workaround involves setting the view rights for the AdminTools space to be only available for the XWikiAdminGroup. | 2025-11-18 | 5.3 | CVE-2025-54990 | https://github.com/xwikisas/application-admintools/security/advisories/GHSA-v7r8-8p5c-h4xw   |
| xwikisas--xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched in version 1.27.0. | 2025-11-19 | 6.8 | CVE-2025-65089 | https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-8c52-x9w7-vc95   |
| yithemes--YITH WooCommerce Wishlist | The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale. | 2025-11-19 | 5.3 | CVE-2025-12427 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7?source=cve https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L97 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L38 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L265 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0   |
| yithemes--YITH WooCommerce Wishlist | The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check. | 2025-11-19 | 5.3 | CVE-2025-12777 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0088a97c-5a06-4500-a923-242499596aca?source=cve https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L96 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-frontend.php#L740 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L222 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0   |
| zhengdon-- | The 简数采集器 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.6.3 via the __kds_flag functionality that imports featured images. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-11-21 | 4.9 | CVE-2025-11973 | https://www.wordfence.com/threat-intel/vulnerabilities/id/66dc2ca2-c61c-4c73-aa2a-0017299cbca5?source=cve https://wordpress.org/plugins/keydatas/   |
| Zyxel--DX3301-T0 firmware | An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other networking services remain unaffected. | 2025-11-18 | 5.3 | CVE-2025-6599 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025   |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Campcodes--Complete Online Beauty Parlor Management System | A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-11-20 | 2.4 | CVE-2025-13484 | VDB-333084 \| Campcodes Complete Online Beauty Parlor Management System customer-list.php cross site scripting VDB-333084 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696054 \| Campcodes Complete Online Beauty Parlor Management System V1.0 Cross Site Scripting https://github.com/Abxery/cveee/issues/8 https://www.campcodes.com/   |
| Campcodes--Retro Basketball Shoes Online Store | A vulnerability was determined in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_running.php. Executing manipulation of the argument product_name can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2025-11-19 | 2.4 | CVE-2025-13412 | VDB-332939 \| Campcodes Retro Basketball Shoes Online Store admin_running.php cross site scripting VDB-332939 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #693698 \| campcodes Retro Basketball Shoes Online Store V1.0 cross site scripting https://github.com/laosijivul/cve/issues/1 https://www.campcodes.com/   |
| Canva--Canva | The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva. | 2025-11-18 | 3.2 | CVE-2025-12792 | https://trust.canva.com/?tcuUid=1e77a34b-f586-450b-b30d-b6e17d15b443   |
| Fortinet--FortiADC | An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiADC 7.4.0, FortiADC 7.2 all versions, FortiADC 7.1 all versions, FortiADC 7.0 all versions, FortiADC 6.2 all versions may allow an admin with read-only permission to get the external resources password via the logs of the product | 2025-11-18 | 3.9 | CVE-2025-54971 | https://fortiguard.fortinet.com/psirt/FG-IR-25-686   |
| Fortinet--FortiMail | An improper neutralization of crlf sequences ('crlf injection') in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link | 2025-11-18 | 3.9 | CVE-2025-54972 | https://fortiguard.fortinet.com/psirt/FG-IR-25-634   |
| Fortinet--FortiPAM | A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in Fortinet FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands. | 2025-11-18 | 3.8 | CVE-2025-61713 | https://fortiguard.fortinet.com/psirt/FG-IR-25-789   |
| Fortinet--FortiProxy | An Improper Privilege Management vulnerability [CWE-269] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions may allow an authenticated administrator to bypass the trusted host policy via crafted CLI command. | 2025-11-18 | 1.8 | CVE-2025-54821 | https://fortiguard.fortinet.com/psirt/FG-IR-25-545   |
| Gallagher--T21 Reader | Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)),  all versions of 9.00 and prior. | 2025-11-18 | 2.4 | CVE-2025-64734 | https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-64734   |
| HCL Software--Connections | HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data. | 2025-11-18 | 3.5 | CVE-2025-52639 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124241   |
| icret--EasyImages | A vulnerability was identified in icret EasyImages up to 2.8.6. This affects an unknown part of the file /app/upload.php of the component SVG Image Handler. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. | 2025-11-19 | 3.5 | CVE-2025-13415 | VDB-332940 \| icret EasyImages SVG Image upload.php cross site scripting VDB-332940 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #693732 \| GitHub EasyImages2.0 <=V2.8.6 Improper Neutralization of Alternate XSS Syntax https://github.com/icret/EasyImages2.0/issues/260   |
| jarun--nnn | A security vulnerability has been detected in jarun nnn up to 5.1. The impacted element is the function show_content_in_floating_window/run_cmd_as_plugin of the file nnn/src/nnn.c. The manipulation leads to double free. An attack has to be approached locally. The identifier of the patch is 2f07ccdf21e705377862e5f9dfa31e1694979ac7. It is suggested to install a patch to address this issue. | 2025-11-23 | 3.3 | CVE-2025-13566 | VDB-333330 \| jarun nnn nnn.c run_cmd_as_plugin double free VDB-333330 \| CTI Indicators (IOB, IOC, IOA) Submit #698113 \| nnn v5.1 Double Free https://github.com/jarun/nnn/issues/2091#issue-3635886658 https://github.com/jarun/nnn/issues/2091#issuecomment-3547591759 https://github.com/jarun/nnn/commit/2f07ccdf21e705377862e5f9dfa31e1694979ac7   |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0. | 2025-11-18 | 3.7 | CVE-2025-65014 | https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g   |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects | 2025-11-18 | 3 | CVE-2025-55074 | https://mattermost.com/security-updates   |
| Medical Informatics Engineering--Enterprise Health | Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14. | 2025-11-20 | 3.5 | CVE-2025-35029 | url url   |
| n/a--mrubyc | A security vulnerability has been detected in mrubyc up to 3.4. This impacts the function mrbc_raw_realloc of the file src/alloc.c. Such manipulation of the argument ptr leads to null pointer dereference. An attack has to be approached locally. The name of the patch is 009111904807b8567262036bf45297c3da8f1c87. It is advisable to implement a patch to correct this issue. | 2025-11-19 | 3.3 | CVE-2025-13397 | VDB-332925 \| mrubyc alloc.c mrbc_raw_realloc null pointer dereference VDB-332925 \| CTI Indicators (IOB, IOC, IOA) Submit #692130 \| mrubyc 3.4 NULL Pointer Dereference https://github.com/mrubyc/mrubyc/issues/244 https://github.com/mrubyc/mrubyc/issues/244#issuecomment-3400382026 https://github.com/mrubyc/mrubyc/commit/009111904807b8567262036bf45297c3da8f1c87   |
| OpenPrinting--cups-filters | cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. In versions 2.0.1 and prior, a heap-buffer-overflow vulnerability in the rastertopclx filter causes the program to crash with a segmentation fault when processing maliciously crafted input data. This issue can be exploited to trigger memory corruption, potentially leading to arbitrary code execution. This issue has been patched via commit 956283c. | 2025-11-20 | 3.3 | CVE-2025-64524 | https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq44-2q5p-x3hv https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06   |
| Public Knowledge Project--omp | A security vulnerability has been detected in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The manipulation of the argument manualInstructions leads to cross site scripting. The attack can be initiated remotely. You should upgrade the affected component. | 2025-11-20 | 2.4 | CVE-2025-13469 | VDB-333042 \| Public Knowledge Project omp/ojs Payment Instructions Setting paymentForm.tpl cross site scripting VDB-333042 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #695020 \| Public Knowledge Project Open Journal System 3.5.0-1 Cross Site Scripting https://github.com/pkp/pkp-lib/issues/12022 https://github.com/pkp/pkp-lib/issues/12022#event-20904087480 https://github.com/pkp/pkp-lib/issues/12022#event-20904112770   |
| SourceCodester--Interview Management System | A security flaw has been discovered in SourceCodester Interview Management System 1.0. Affected is an unknown function of the file /editQuestion.php. The manipulation of the argument Question results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-11-18 | 3.5 | CVE-2025-13343 | VDB-332761 \| SourceCodester Interview Management System editQuestion.php cross site scripting VDB-332761 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691936 \| SourceCodester Interview Management System V1.0 Improper Neutralization of Alternate XSS Syntax https://github.com/puppytgyh/-CVE/issues/11 https://www.sourcecodester.com/   |
| SourceCodester--Online Shop Project | A vulnerability was determined in SourceCodester Online Shop Project 1.0. Impacted is an unknown function of the file /shop/register.php. This manipulation of the argument f_name causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-20 | 3.5 | CVE-2025-13450 | VDB-333020 \| SourceCodester Online Shop Project register.php cross site scripting VDB-333020 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #694780 \| SourceCodester Online Shop Project V1.0 Cross Site Scripting https://github.com/xiaojuzirr/cve/issues/5 https://www.sourcecodester.com/   |
| SourceCodester--Student Grades Management System | A vulnerability has been found in SourceCodester Student Grades Management System 1.0. This issue affects some unknown processing of the file /grades.php of the component Add New Grade Page. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-11-18 | 3.5 | CVE-2025-13349 | VDB-332766 \| SourceCodester Student Grades Management System Add New Grade grades.php cross site scripting VDB-332766 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692065 \| SourceCodester Student Grades Management System 1.0 Cross Site Scripting https://medium.com/@ankitkaushal43731/title-student-grades-management-system-stored-xss-authenticated-in-grades-php-remarks-field-d9625243df06 https://www.sourcecodester.com/   |
| Tinexta Infocert--GoSign Desktop | GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from the proxy server to Internet servers succeed even for untrusted or invalid server certificates. In this scenario (which is outside of the product's design objectives), integrity protection could be bypassed. In typical cases of a proxy server for outbound HTTPS traffic from an enterprise, those connections would not succeed. (Admittedly, the usual expectation is that a client application is configured to trust an enterprise CA and does not set SSL_VERIFY_NONE.) Also, it is of course unsafe to place ~/.gosign in the home directory of an untrusted user and then have other users execute downloaded files. | 2025-11-17 | 3.2 | CVE-2025-65083 | https://www.firma.infocert.it/prodotti/gosign https://securityaffairs.com/184672/hacking/multiple-vulnerabilities-in-gosign-desktop-lead-to-remote-code-execution.html   |
| withastro--astro | Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3. | 2025-11-19 | 3.5 | CVE-2025-64757 | https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7   |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 7-Zip--7-Zip | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753. | 2025-11-19 | not yet calculated | CVE-2025-11001 | ZDI-25-949   |
| AMD--AMD Ryzen 9000HX Series Processors | Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values. | 2025-11-21 | not yet calculated | CVE-2025-62626 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-7055.html   |
| AMD--Kria SOM | The security state of the calling processor into Arm® Trusted Firmware (TF-A) is not used and could potentially allow non-secure processors access to secure memories, access to crypto operations, and the ability to turn on and off subsystems within the SOC. | 2025-11-23 | not yet calculated | CVE-2025-48507 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8017.html   |
| AMD--Versal Adaptive SoC Devices | The Secure Flag passed to Versal™ Adaptive SoC's Arm® Trusted Firmware for Cortex®-A processors (TF-A) for Arm's Power State Coordination Interface (PSCI) commands was incorrectly set to secure instead of using the processor's actual security state. This would allow the PSCI requests to appear as if they were from processors in the secure state instead of the non-secure state. | 2025-11-23 | not yet calculated | CVE-2025-54515 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8020.html   |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31. | 2025-11-21 | not yet calculated | CVE-2025-64755 | https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q   |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39. | 2025-11-19 | not yet calculated | CVE-2025-65099 | https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv   |
| Apache Software Foundation--Apache Causeway | Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.  This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue. | 2025-11-19 | not yet calculated | CVE-2025-64408 | https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b   |
| Apple--iPadOS | The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to override managed Wi-Fi profiles. | 2025-11-21 | not yet calculated | CVE-2025-31216 | https://support.apple.com/en-us/122405 https://support.apple.com/en-us/122404   |
| Apple--macOS | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.5, macOS Sonoma 14.7.3. An app may be able to access sensitive user data. | 2025-11-21 | not yet calculated | CVE-2025-31248 | https://support.apple.com/en-us/122069 https://support.apple.com/en-us/122716 https://support.apple.com/en-us/122070   |
| Apple--macOS | A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window. | 2025-11-21 | not yet calculated | CVE-2025-31266 | https://support.apple.com/en-us/122716 https://support.apple.com/en-us/122719   |
| Apple--macOS | An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, macOS Sequoia 15.5, watchOS 11.5. An attacker in physical proximity may be able to cause an out-of-bounds read in kernel memory. | 2025-11-21 | not yet calculated | CVE-2025-43374 | https://support.apple.com/en-us/122069 https://support.apple.com/en-us/122716 https://support.apple.com/en-us/122405 https://support.apple.com/en-us/122404 https://support.apple.com/en-us/122721 https://support.apple.com/en-us/122722 https://support.apple.com/en-us/122070   |
| ASUSTOR--ABP and AES | When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in unauthorized code execution with elevated privileges. This issue affects ABP and AES: from ABP 2.0 through 2.0.7.9050, from AES 1.0 through 1.0.6.8290. | 2025-11-19 | not yet calculated | CVE-2025-13051 | https://www.asustor.com/security/security_advisory_detail?id=48   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\\SYSTEM on Windows deployments. A remote, unauthenticated attacker can write arbitrary files into the product's web-accessible directory structure and subsequently execute them. | 2025-11-19 | not yet calculated | CVE-2025-34328 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-upload-rce-via-ajaxscript   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\\SYSTEM. | 2025-11-19 | not yet calculated | CVE-2025-34329 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-backup-upload-rce-via-ajaxbackupuploadfile   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file and writes it into the C:\\F2MAdmin\\tmp directory using a filename derived from application constants, without any authentication, authorization, or file-type validation. A remote, unauthenticated attacker can upload or overwrite prompt- or music-on-hold-related files in this directory, potentially leading to tampering with IVR audio content or preparing files for use in further attacks. | 2025-11-19 | not yet calculated | CVE-2025-34330 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-prompt-file-upload-via-ajaxpromptuploadfile   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request files stored on the appliance based solely on attacker-supplied path and filename parameters. While limited to specific file extensions permitted by the application logic, sensitive backup archives can be retrieved, exposing internal databases and credential hashes. Successful exploitation may lead to disclosure of administrative password hashes and other sensitive configuration data. | 2025-11-19 | not yet calculated | CVE-2025-34331 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-read-via-download   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\\Services. When certain service actions are requested through ajaxPost.php, these scripts are invoked by PHP using system() under the NT AUTHORITY\\SYSTEM account. The batch files in this directory are writable by any authenticated local user due to overly permissive ACLs, allowing them to replace script contents with arbitrary commands. On the next service start/stop operation, the modified script is executed as SYSTEM, enabling elevation of local privileges. | 2025-11-19 | not yet calculated | CVE-2025-34332 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-insecure-service-control-scripts-lpe   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 configure the web document root at C:\\F2MAdmin\\F2E with overly permissive file system permissions. Authenticated local users have modify rights on this directory, while the associated web server process runs as NT AUTHORITY\\SYSTEM. As a result, any local user can create or alter server-side scripts within the webroot and then trigger them via HTTP requests, causing arbitrary code to execute with SYSTEM privileges. | 2025-11-19 | not yet calculated | CVE-2025-34333 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-world-writable-webroot-lpe   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by AudioCodes_files/TestFax.php. When a fax "send" test is requested, the application builds a faxsender command line using attacker-supplied parameters and passes it to GlobalUtils::RunBatchFile without proper validation or shell-argument sanitization. The resulting batch file is written into a temporary run directory and then executed via a backend service that runs as NT AUTHORITY\\SYSTEM. An authenticated attacker with access to the fax test interface can craft parameter values that inject additional shell commands into the generated batch file, leading to arbitrary command execution with SYSTEM privileges. In addition, because the generated batch files reside in a location with overly permissive file system permissions, a local low-privilege user on the server can modify pending batch files to achieve the same elevation. | 2025-11-19 | not yet calculated | CVE-2025-34334 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-authenticated-command-injection-via-testfax-and-lpe   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by AudioCodes_files/ActivateLicense.php. When a license file is uploaded, the application derives a new filename by combining a generated base name with the attacker-controlled extension portion of the original upload name, then constructs a command line for fax_server_lic_cmdline.exe that includes this path. The extension value is incorporated into the command string without input validation, escaping, or proper argument quotation before being passed to exec(). An authenticated user with access to the license upload interface can supply a specially crafted filename whose extension injects additional shell metacharacters, causing arbitrary commands to be executed as NT AUTHORITY\\SYSTEM. | 2025-11-19 | not yet calculated | CVE-2025-34335 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-authenticated-command-injection-via-activatelicense   |
| authlib--joserfc | joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured - or entirely absent - production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2. | 2025-11-18 | not yet calculated | CVE-2025-65015 | https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4 https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7 https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b https://github.com/authlib/joserfc/releases/tag/1.3.5 https://github.com/authlib/joserfc/releases/tag/1.4.2   |
| authzed--spicedb | SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema defines a permission in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission), then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1. | 2025-11-21 | not yet calculated | CVE-2025-65111 | https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2   |
| Automated Logic--WebCtrl | Open Redirect in URL parameter in Automated Logic WebCTRL and Carrier i-Vu versions 6.0, 6.5, 7.0, 8.0, 8.5, 9.0 may allow attackers to exploit user sessions. | 2025-11-19 | not yet calculated | CVE-2024-8527 | https://www.corporate.carrier.com/product-security/advisories-resources/   |
| Automated Logic--WebCtrl | Reflected XSS using a specific URL in Automated Logic WebCTRL and Carrier i-VU can allow delivery of malicious payload due to a specific GET parameter not being sanitized. | 2025-11-19 | not yet calculated | CVE-2024-8528 | https://www.corporate.carrier.com/product-security/advisories-resources/   |
| BASIS International Ltd.--BASIS BBj | BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to cause the server to read arbitrary system files accessible to the account running the service. Retrieved configuration artifacts may contain account credentials used for BBj Enterprise Manager; possession of these credentials enables administrative access and use of legitimate management functionality that can result in execution of system commands under the service account. Depending on the operating system and the privileges of the BBj service account, this issue may also allow access to other sensitive files on the host, including operating system or application data, potentially exposing additional confidential information. | 2025-11-20 | not yet calculated | CVE-2025-34320 | https://myemail.constantcontact.com/BASIS-International-Ltd--releases-BBj---the-Barista--Application-Framework--and-AddonSoftware--by-Barista-version-25-00.html?soid=1103463119019&aid=WbfWkReLRVE https://www.vulncheck.com/advisories/basis-bbj-unauthenticated-arbitrary-file-read-rce   |
| BEIMS--Contractor Web | A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive database contents via unsanitized parameter input. This vulnerability occurs due to improper input validation on /BEIMSWeb/contractor.asp endpoint and successful exploitation requires a contractor.asp endpoint open to the internet. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity and potentially the availability of the database.  Version 5.7.139  has been confirmed as vulnerable. Other versions have not been confirmed by the vendor and users should assume that all versions of BEIMS Contractor Web may be impacted until further guidance is provided by the vendor. | 2025-11-17 | not yet calculated | CVE-2025-10460 | https://help.fmiworks.com/knowledge/beims-web https://help.fmiworks.com/knowledge/contractor-web-operational-requirements   |
| boldthemes--Bold Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows DOM-Based XSS. This issue affects Bold Page Builder: from n/a through <= 5.5.2. | 2025-11-21 | not yet calculated | CVE-2025-66057 | https://vdp.patchstack.com/database/Wordpress/Plugin/bold-page-builder/vulnerability/wordpress-bold-page-builder-plugin-5-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| bPlugins--Tiktok Feed | Missing Authorization vulnerability in bPlugins Tiktok Feed b-tiktok-feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through <= 1.0.22. | 2025-11-21 | not yet calculated | CVE-2025-66110 | https://vdp.patchstack.com/database/Wordpress/Plugin/b-tiktok-feed/vulnerability/wordpress-tiktok-feed-plugin-1-0-22-broken-access-control-vulnerability?_s_id=cve   |
| bqworks--Accordion Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bqworks Accordion Slider accordion-slider allows Stored XSS. This issue affects Accordion Slider: from n/a through <= 1.9.13. | 2025-11-21 | not yet calculated | CVE-2025-66092 | https://vdp.patchstack.com/database/Wordpress/Plugin/accordion-slider/vulnerability/wordpress-accordion-slider-plugin-1-9-13-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| Camille V--Travelers' Map | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Camille V Travelers' Map travelers-map allows Stored XSS. This issue affects Travelers' Map: from n/a through <= 2.3.2. | 2025-11-21 | not yet calculated | CVE-2025-66098 | https://vdp.patchstack.com/database/Wordpress/Plugin/travelers-map/vulnerability/wordpress-travelers-map-plugin-2-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| Checkmk GmbH--Checkmk | Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information. | 2025-11-18 | not yet calculated | CVE-2025-58121 | https://checkmk.com/werk/18983   |
| Checkmk GmbH--Checkmk | Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure. | 2025-11-18 | not yet calculated | CVE-2025-58122 | https://checkmk.com/werk/18982   |
| Checkmk GmbH--Checkmk | In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data. | 2025-11-18 | not yet calculated | CVE-2025-64996 | https://checkmk.com/werk/18570   |
| Cozmoslabs--WP Webhooks | Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection. This issue affects WP Webhooks: from n/a through <= 3.3.8. | 2025-11-21 | not yet calculated | CVE-2025-66073 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-webhooks/vulnerability/wordpress-wp-webhooks-plugin-3-3-8-php-object-injection-vulnerability?_s_id=cve   |
| Cozy Vision--SMS Alert Order Notifications | Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.8. | 2025-11-21 | not yet calculated | CVE-2025-66086 | https://vdp.patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-8-8-broken-access-control-vulnerability?_s_id=cve   |
| Craig Hewitt--Seriously Simple Podcasting | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Retrieve Embedded Sensitive Data. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | 2025-11-21 | not yet calculated | CVE-2025-66059 | https://vdp.patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-13-0-sensitive-data-exposure-vulnerability?_s_id=cve   |
| Craig Hewitt--Seriously Simple Podcasting | Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | 2025-11-21 | not yet calculated | CVE-2025-66060 | https://vdp.patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-13-0-broken-access-control-vulnerability-2?_s_id=cve   |
| Craig Hewitt--Seriously Simple Podcasting | Cross-Site Request Forgery (CSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Cross Site Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | 2025-11-21 | not yet calculated | CVE-2025-66061 | https://vdp.patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-13-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve   |
| dataease--dataease | Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17. | 2025-11-20 | not yet calculated | CVE-2025-64428 | https://github.com/dataease/dataease/security/advisories/GHSA-88ph-3236-2m2h https://github.com/dataease/dataease/commit/b7e585c1cc3fc2b73cb289b8680b4b3914be3d53 https://github.com/dataease/dataease/releases/tag/v2.10.17   |
| Design--Stylish Cost Calculator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5. | 2025-11-21 | not yet calculated | CVE-2025-66091 | https://vdp.patchstack.com/database/Wordpress/Plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| Drupal--Drupal core | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13080 | https://www.drupal.org/sa-core-2025-005   |
| Drupal--Drupal core | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13081 | https://www.drupal.org/sa-core-2025-006   |
| Drupal--Drupal core | User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13082 | https://www.drupal.org/sa-core-2025-007   |
| Drupal--Drupal core | Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13083 | https://www.drupal.org/sa-core-2025-008   |
| Drupal--Email TFA | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6. | 2025-11-18 | not yet calculated | CVE-2025-12760 | https://www.drupal.org/sa-contrib-2025-115   |
| Drupal--Simple multi step form | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS). This issue affects Simple multi step form: from 0.0.0 before 2.0.0. | 2025-11-18 | not yet calculated | CVE-2025-12761 | https://www.drupal.org/sa-contrib-2025-116   |
| Eclipse Foundation--Jersey | In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause critical SSL configurations, such as mutual authentication, custom key/trust stores, and other security settings, to be ignored. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC). | 2025-11-18 | not yet calculated | CVE-2025-12383 | https://gitlab.eclipse.org/security/cve-assignment/-/issues/74   |
| eGovFramework/egovframe-common-components--eGovFramework/egovframe-common-components | eGovFramework/egovframe-common-components versions up to and including 4.3.1 contain an unauthenticated file upload vulnerability via the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requests without authentication, pass the uploaded content to a shared upload helper, and store the file on the server under a framework-controlled path. The framework then returns a download URL that can be used to retrieve the uploaded content, including an attacker-controlled Content-Type within the limits of the image upload functionality. While a filename extension whitelist is enforced, the attacker fully controls the file contents. The response MIME type used is also attacker-controlled when the file is served up to version < 4.1.2. Since version 4.1.2, it is possible to download any image uploaded with any whitelisted content type. But any file uploaded other than an image will be served with the `application/octet-stream` content type (the content type is no longer controlled by the attacker since version 4.1.2). This enables an unauthenticated attacker to use any affected application as a persistent file hosting service for arbitrary content under the application's origin. KISA/KrCERT has identified this unpatched vulnerability as "KVE-2023-5280." | 2025-11-19 | not yet calculated | CVE-2025-34336 | https://www.egovframe.go.kr/eng/sub.do?menuNo=2 https://github.com/eGovFramework/egovframe-common-components https://pierrekim.github.io/blog/2025-11-20-egovframe-2-vulnerabilities.html https://pierrekim.github.io/advisories/2025-egovframe.txt https://www.vulncheck.com/advisories/egovframework-unauthenticated-file-upload-via-web-editor-image-upload-endpoints   |
| eGovFramework/egovframe-common-components--eGovFramework/egovframe-common-components | eGovFramework/egovframe-common-components versions up to and including 4.3.1 includes Web Editor image upload and related file delivery functionality that uses symmetric encryption to protect URL parameters, but exposes an encryption oracle that allows attackers to generate valid ciphertext for chosen values. The image upload endpoints /utl/wed/insertImage.do and /utl/wed/insertImageCk.do encrypt server-side paths, filenames, and MIME types and embed them directly into a download URL that is returned to the client. Because these same encrypted parameters are trusted by other endpoints, such as /utl/web/imageSrc.do and /cmm/fms/getImage.do, an unauthenticated attacker can abuse the upload functionality to obtain encrypted representations of attacker-chosen identifiers and then replay those ciphertext values to file-serving APIs. This design failure allows an attacker to bypass access controls that rely solely on the secrecy of encrypted parameters and retrieve arbitrary stored files that are otherwise expected to require an existing session or specific authorization context. KISA/KrCERT has identified this unpatched vulnerability as "KVE-2023-5281." | 2025-11-19 | not yet calculated | CVE-2025-34337 | https://www.egovframe.go.kr/eng/sub.do?menuNo=2 https://github.com/eGovFramework/egovframe-common-components https://pierrekim.github.io/blog/2025-11-20-egovframe-2-vulnerabilities.html https://pierrekim.github.io/advisories/2025-egovframe.txt https://www.vulncheck.com/advisories/egovframework-unauthenticated-encryption-oracle-via-web-editor-image-upload-endpoints   |
| EmbySupport--Emby.Security | Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the admin dashboard without sanitization. This issue has been patched in version 4.8.1.0 and Beta version 4.9.0.0-beta. | 2025-11-18 | not yet calculated | CVE-2025-64325 | https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-2gwc-988r-2r7x   |
| EnvoThemes--Envo Extra | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo Extra envo-extra allows Stored XSS. This issue affects Envo Extra: from n/a through <= 1.9.11. | 2025-11-21 | not yet calculated | CVE-2025-66066 | https://vdp.patchstack.com/database/Wordpress/Plugin/envo-extra/vulnerability/wordpress-envo-extra-plugin-1-9-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5. | 2025-11-17 | not yet calculated | CVE-2025-64342 | https://github.com/espressif/esp-idf/security/advisories/GHSA-8mg7-9qpg-p92v https://github.com/espressif/esp-idf/commit/309f031dd6b04de30c926a256508c65b0df95dfa https://github.com/espressif/esp-idf/commit/3b95b50703cd3301a370cffaa1cc299b1941fe2a https://github.com/espressif/esp-idf/commit/75967b578563ea7876dc215251cbb6d64bc9d768 https://github.com/espressif/esp-idf/commit/8ec541023684d33b498fa21c5b4724bce748aa7b https://github.com/espressif/esp-idf/commit/bf66761962579f73aea682d1154b9c99b9d3d7dc https://github.com/espressif/esp-idf/commit/e3d70429566ece1ef593d36aa4ebd320e0c95925 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At time of publication versions 5.5.2, 5.4.4, and 5.3.5 have not been released but are fixed respectively in commits 4b8f585, c79cb4d, and 34e2726. | 2025-11-21 | not yet calculated | CVE-2025-65092 | https://github.com/espressif/esp-idf/security/advisories/GHSA-vcw6-jc3p-4gj8 https://github.com/espressif/esp-idf/commit/34e2726254201988e6e2752b2db4b70d73964d4c https://github.com/espressif/esp-idf/commit/4b8f5859dbe05d15372558f8a950b49f6ee44e42 https://github.com/espressif/esp-idf/commit/c38a6691b9845ac6ee0d0f6713783114770cdc17 https://github.com/espressif/esp-idf/commit/c79cb4de468854937a0cbf82629fd65d04bffb27 |
| Essential Plugin--Featured Post Creative | Missing Authorization vulnerability in Essential Plugin Featured Post Creative featured-post-creative allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Post Creative: from n/a through <= 1.5.5. | 2025-11-21 | not yet calculated | CVE-2025-66106 | https://vdp.patchstack.com/database/Wordpress/Plugin/featured-post-creative/vulnerability/wordpress-featured-post-creative-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve |
| Frank Goossens--WP YouTube Lyte | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Frank Goossens WP YouTube Lyte wp-youtube-lyte allows Phishing. This issue affects WP YouTube Lyte: from n/a through <= 1.7.28. | 2025-11-21 | not yet calculated | CVE-2025-66062 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-youtube-lyte/vulnerability/wordpress-wp-youtube-lyte-plugin-1-7-28-open-redirection-vulnerability?_s_id=cve |
| FunnelKit--Funnel Builder by FunnelKit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows DOM-Based XSS. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.13.1.2. | 2025-11-21 | not yet calculated | CVE-2025-66067 | https://vdp.patchstack.com/database/Wordpress/Plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-13-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| getkirby--kirby | Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the "Changes" dialog. If another authenticated user subsequently opened the dialog in their Panel, the malicious code would be executed. This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames. The attack requires user interaction by another Panel user and cannot be automated. This issue has been patched in version 5.1.4. | 2025-11-18 | not yet calculated | CVE-2025-65012 | https://github.com/getkirby/kirby/security/advisories/GHSA-84hf-8gh5-575j https://github.com/getkirby/kirby/releases/tag/5.1.4   |
| golang.org/x/crypto--golang.org/x/crypto/ssh | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | 2025-11-19 | not yet calculated | CVE-2025-58181 | https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA https://go.dev/cl/721961 https://go.dev/issue/76363 https://pkg.go.dev/vuln/GO-2025-4134   |
| golang.org/x/crypto--golang.org/x/crypto/ssh/agent | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | 2025-11-19 | not yet calculated | CVE-2025-47914 | https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA https://go.dev/cl/721960 https://go.dev/issue/76364 https://pkg.go.dev/vuln/GO-2025-4135   |
| Google Cloud--Looker | An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.193+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+ * 25.12.0+ | 2025-11-20 | not yet calculated | CVE-2025-12414 | https://cloud.google.com/support/bulletins#GCP-2025-067 |
| Google Cloud--Looker | An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.103+ * 24.18.195+ * 25.0.72+ * 25.6.60+ * 25.8.42+ * 25.10.22+ | 2025-11-19 | not yet calculated | CVE-2025-12472 | https://cloud.google.com/support/bulletins#gcp-2025-052   |
| Google Cloud--Looker | The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect against this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.106 * 24.18.198+ * 25.0.75 * 25.6.63+ * 25.8.45+ * 25.10.33+ * 25.12.1+ * 25.14+ | 2025-11-19 | not yet calculated | CVE-2025-12743 | https://cloud.google.com/support/bulletins#gcp-2025-052 https://www.tenable.com/security/research/tra-2025-43   |
| Google--Android | In bta_hf_client_cb_init of bta_hf_client_main.cc, there is a possible remote code execution due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-11-18 | not yet calculated | CVE-2025-48593 | https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c69c78d7c4f623201f35831d32e6c401156e76cc https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5ed63461b44198c80d5aff7e1af1df812f782abb https://source.android.com/security/bulletin/2025-11-01   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13223 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13224 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13226 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13227 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13228 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13229 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13230 |   |
| Google--OSV-SCALIBR | A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR. | 2025-11-20 | not yet calculated | CVE-2025-13425 | https://github.com/google/osv-scalibr/commit/e67c4e198ca099cb7c16957a80f6c5331d90a672   |
| Google--zx | When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory. | 2025-11-20 | not yet calculated | CVE-2025-13437 | https://github.com/google/zx/issues/1348   |
| hupe13--Extensions for Leaflet Map | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS. This issue affects Extensions for Leaflet Map: from n/a through <= 4.8. | 2025-11-21 | not yet calculated | CVE-2025-66093 | https://vdp.patchstack.com/database/Wordpress/Plugin/extensions-leaflet-map/vulnerability/wordpress-extensions-for-leaflet-map-plugin-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Icegram--Email Subscribers & Newsletters | Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection. This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10. | 2025-11-21 | not yet calculated | CVE-2025-66055 | https://vdp.patchstack.com/database/Wordpress/Plugin/email-subscribers/vulnerability/wordpress-email-subscribers-newsletters-plugin-5-9-10-php-object-injection-vulnerability?_s_id=cve |
| Igor Jerosimić--I Order Terms | Cross-Site Request Forgery (CSRF) vulnerability in Igor Jerosimić I Order Terms i-order-terms allows Cross Site Request Forgery. This issue affects I Order Terms: from n/a through <= 1.5.0. | 2025-11-21 | not yet calculated | CVE-2025-66097 | https://vdp.patchstack.com/database/Wordpress/Plugin/i-order-terms/vulnerability/wordpress-i-order-terms-plugin-1-5-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ilbers--isar | Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue has been patched via commit 738bcbb. | 2025-11-19 | not yet calculated | CVE-2025-65100 | https://github.com/ilbers/isar/security/advisories/GHSA-3r9w-6cp6-7hm4 https://github.com/ilbers/isar/commit/3383fd808a4ced93e41e012660dfe364a3384434 https://github.com/ilbers/isar/commit/738bcbb716c7eb7b34cbb2293cae4f264b3925fe   |
| Imagination Technologies--Graphics DDK | Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine. | 2025-11-17 | not yet calculated | CVE-2025-58407 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/   |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource. | 2025-11-17 | not yet calculated | CVE-2025-58410 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/   |
| Imtiaz Rayhan--Table Block by Tableberg | Missing Authorization vulnerability in Imtiaz Rayhan Table Block by Tableberg tableberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Table Block by Tableberg: from n/a through <= 0.6.9. | 2025-11-21 | not yet calculated | CVE-2025-66096 | https://vdp.patchstack.com/database/Wordpress/Plugin/tableberg/vulnerability/wordpress-table-block-by-tableberg-plugin-0-6-9-broken-access-control-vulnerability?_s_id=cve |
| Informática del Este--WinPlus | Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application. | 2025-11-18 | not yet calculated | CVE-2025-41346 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este |
| Informática del Este--WinPlus | Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'. | 2025-11-18 | not yet calculated | CVE-2025-41347 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este |
| Informática del Este--WinPlus | SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker to recover, create, update and delete databases by sending a POST request using the parameters 'val1' and 'cont' in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'. | 2025-11-18 | not yet calculated | CVE-2025-41348 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este |
| Informática del Este--WinPlus | Stored Cross-site Scripting (XSS) vulnerability in WinPlus v24.11.27 by Informática del Este, caused by a lack of proper validation of user input, which can be exploited by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesolpla_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | 2025-11-18 | not yet calculated | CVE-2025-41349 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este |
| Informática del Este--WinPlus | Stored Cross-site Scripting (XSS) vulnerability in WinPlus v24.11.27 by Informática del Este, caused by a lack of proper validation of user input, which can be exploited by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | 2025-11-18 | not yet calculated | CVE-2025-41350 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este |
| Iqonic Design--KiviCare | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.13. | 2025-11-21 | not yet calculated | CVE-2025-66095 | https://vdp.patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-13-sql-injection-vulnerability?_s_id=cve |
| JCD--Windu CMS | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. The implemented CSRF protection mechanism can be bypassed by using the CSRF token of another user. It is worth noting that registration is open and anyone can create an account. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59110 | https://windu.org/ https://cert.pl/posts/2025/11/CVE-2025-59110 |
| JCD--Windu CMS | Windu CMS is vulnerable to Broken Access Control in user editing functionality. A malicious attacker can send a GET request which allows privileged users to delete Super Admins, which is not possible with the GUI. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59111 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110 |
| JCD--Windu CMS | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. A malicious attacker can craft a special website which, when visited by the victim, will automatically send a POST request that deletes a given user. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59112 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110 |
| JCD--Windu CMS | Windu CMS implements weak client-side brute-force protection by using the parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59113 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110 |
| JCD--Windu CMS | Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. A malicious attacker can craft a special website which, when visited by the victim, will automatically send a malicious file to the server. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59114 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110 |
| JCD--Windu CMS | Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. A malicious attacker can inject arbitrary HTML and JS into the website, which will be rendered/executed when the logs page is visited by an admin. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59115 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110 |
| JCD--Windu CMS | Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59116 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110 |
| JCD--Windu CMS | Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59117 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110 |
| Jeff Starr--Head Meta Data | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Head Meta Data head-meta-data allows Stored XSS. This issue affects Head Meta Data: from n/a through <= 20250327. | 2025-11-21 | not yet calculated | CVE-2025-66081 | https://vdp.patchstack.com/database/Wordpress/Plugin/head-meta-data/vulnerability/wordpress-head-meta-data-plugin-20250327-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jegstudio--Gutenverse | Missing Authorization vulnerability in Jegstudio Gutenverse gutenverse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse: from n/a through <= 3.2.1. | 2025-11-21 | not yet calculated | CVE-2025-66065 | https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse/vulnerability/wordpress-gutenverse-plugin-3-2-1-broken-access-control-vulnerability?_s_id=cve |
| Jegstudio--Gutenverse Form | Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Form: from n/a through <= 2.2.0. | 2025-11-21 | not yet calculated | CVE-2025-66079 | https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse-form/vulnerability/wordpress-gutenverse-form-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve |
| jgwhite33--WP Google Review Slider | Missing Authorization vulnerability in jgwhite33 WP Google Review Slider wp-google-places-review-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Google Review Slider: from n/a through <= 17.4. | 2025-11-21 | not yet calculated | CVE-2025-66063 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-google-places-review-slider/vulnerability/wordpress-wp-google-review-slider-plugin-17-4-broken-access-control-vulnerability?_s_id=cve |
| jzeuzs--thread-amount | thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached. In Apple platforms, the thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer. This issue has been patched in version 0.2.2. | 2025-11-21 | not yet calculated | CVE-2025-65947 | https://github.com/jzeuzs/thread-amount/security/advisories/GHSA-jf9p-2fv9-2jp2 https://github.com/jzeuzs/thread-amount/pull/29 https://github.com/jzeuzs/thread-amount/commit/28860d4a38286609cb884c13b5b7941edc2390e5   |
| KDDI CORPORATION--'デジラアプリ' App for iOS | Improper certificate validation vulnerability exists in 'デジラアプリ' App for iOS prior to ver.80.10.00. If this vulnerability is exploited, a man-in-the-middle attack may allow an attacker to eavesdrop on and/or tamper with an encrypted communication. | 2025-11-17 | not yet calculated | CVE-2025-60022 | https://jvn.jp/en/jp/JVN54005037/ |
| Kriesi--Enfold | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows Stored XSS. This issue affects Enfold: from n/a through <= 7.1.2. | 2025-11-21 | not yet calculated | CVE-2025-66053 | https://vdp.patchstack.com/database/Wordpress/Theme/enfold/vulnerability/wordpress-enfold-theme-7-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kubevirt--kubevirt | KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue. | 2025-11-18 | not yet calculated | CVE-2025-64324 | https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh https://github.com/kubevirt/kubevirt/pull/15037 https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764 https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69   |
| langchain-ai--langchain | LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7. | 2025-11-21 | not yet calculated | CVE-2025-65106 | https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00   |
| LimeSurvey--LimeSurvey | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to cause a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability. | 2025-11-20 | not yet calculated | CVE-2025-41074 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0 |
| LimeSurvey--LimeSurvey | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to cause a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability. | 2025-11-20 | not yet calculated | CVE-2025-41075 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0 |
| LimeSurvey--LimeSurvey | In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker. | 2025-11-20 | not yet calculated | CVE-2025-41076 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0   |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup. The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached. In btrfs_ioctl_qgroup_assign(), the code pattern is: prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL); ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc); prealloc = NULL; // Always set to NULL regardless of return value ... kfree(prealloc); // This becomes kfree(NULL), does nothing When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory. Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths. | 2025-11-21 | not yet calculated | CVE-2025-40209 | https://git.kernel.org/stable/c/3412d0e973e8f8381747d69033eda809a57a2581 https://git.kernel.org/stable/c/a4d9ebe23bcb79d9d057e3c995db73b7b3aae414 https://git.kernel.org/stable/c/f260c6aff0b8af236084012d14f9f1bf792ea883   |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"). Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in: [ 51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0 when NFSD attempts to allocate the COMPOUND op array. Let's restore the operation-per-COMPOUND limit, but increased to 200 for now. | 2025-11-21 | not yet calculated | CVE-2025-40210 | https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b https://git.kernel.org/stable/c/3e7f011c255582d7c914133785bbba1990441713   |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed. [ rjw: Changelog edit ] | 2025-11-21 | not yet calculated | CVE-2025-40211 | https://git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149 https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659 https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11   |
| Lite XL--Lite XL | Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process. | 2025-11-20 | not yet calculated | CVE-2025-12120 | https://github.com/lite-xl/lite-xl/pull/2164 https://kb.cert.org/vuls/id/579478   |
| Lite XL--Lite XL | Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the "open in system" command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process. | 2025-11-20 | not yet calculated | CVE-2025-12121 | https://github.com/lite-xl/lite-xl/pull/2163 https://kb.cert.org/vuls/id/579478   |
| LogStare Inc.--Installer of LogStare Collector (for Windows) | Uncontrolled search path element issue exists in the installer of LogStare Collector (for Windows). If exploited, arbitrary code may be executed with the privilege of the user invoking the installer. | 2025-11-21 | not yet calculated | CVE-2025-64695 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the administrative privilege. | 2025-11-21 | not yet calculated | CVE-2025-58097 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | LogStare Collector contains a stored cross-site scripting vulnerability in UserManagement. If crafted user information is stored, an arbitrary script may be executed on the web browser of the user who logs in to the product's management page. | 2025-11-21 | not yet calculated | CVE-2025-61949 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | LogStare Collector contains an incorrect authorization vulnerability in UserRegistration. If exploited, a non-administrative user may create a new user account by sending a crafted HTTP request. | 2025-11-21 | not yet calculated | CVE-2025-62189 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | Cross-site request forgery vulnerability exists in LogStare Collector. If a user views a crafted page while logged in, unintended operations may be performed. | 2025-11-21 | not yet calculated | CVE-2025-62687 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | LogStare Collector improperly handles the password hash data. An administrative user may obtain the other users' password hashes. | 2025-11-21 | not yet calculated | CVE-2025-64299 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on the index and tree pages. This issue has been patched in version 1.35.1. | 2025-11-19 | not yet calculated | CVE-2025-65095 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-m9g6-23c8-vrxf https://github.com/Lookyloo/lookyloo/commit/ac2f73dbfcad88b815b18c42cca77a1c645f1726 https://github.com/Lookyloo/lookyloo/blob/main/website/web/default_csp.py https://vulnerability.circl.lu/vuln/gcve-1-2025-0018   |
| Lynxtechnology--Twonky Server | Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password. | 2025-11-19 | not yet calculated | CVE-2025-13315 | https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/   |
| Lynxtechnology--Twonky Server | Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server. | 2025-11-19 | not yet calculated | CVE-2025-13316 | https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/   |
| M-Files Corporation--M-Files Server | Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash. | 2025-11-17 | not yet calculated | CVE-2025-11681 | https://product.m-files.com/security-advisories/cve-2025-11681/   |
| magepeopleteam--WpEvently | Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpEvently: from n/a through <= 5.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66082 | https://vdp.patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-4-broken-access-control-vulnerability?_s_id=cve   |
| magepeopleteam--WpEvently | Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpEvently: from n/a through <= 5.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66083 | https://vdp.patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-4-broken-access-control-vulnerability-2?_s_id=cve   |
| MatrixAddons--Easy Invoice | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion. This issue affects Easy Invoice: from n/a through <= 2.1.4. | 2025-11-21 | not yet calculated | CVE-2025-66115 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-1-4-local-file-inclusion-vulnerability?_s_id=cve   |
| Merlot Digital (by TNC)--TNC Toolbox: Web Performance | Missing Authorization vulnerability in Merlot Digital (by TNC) TNC Toolbox: Web Performance tnc-toolbox allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TNC Toolbox: Web Performance: from n/a through <= 2.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66108 | https://vdp.patchstack.com/database/Wordpress/Plugin/tnc-toolbox/vulnerability/wordpress-tnc-toolbox-web-performance-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve   |
| mindersec--minder | Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84. | 2025-11-21 | not yet calculated | CVE-2025-65109 | https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47 https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8   |
| ml-explore--mlx | MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. An attacker-controlled file causes a 13-byte out-of-bounds read, leading to a crash or information disclosure. This issue has been patched in version 0.29.4. | 2025-11-21 | not yet calculated | CVE-2025-62608 | https://github.com/ml-explore/mlx/security/advisories/GHSA-w6vg-jg77-2qg6 https://github.com/ml-explore/mlx/pull/1 https://github.com/ml-explore/mlx/pull/2   |
| ml-explore--mlx | MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. An untrusted pointer from the external gguflib library is dereferenced without validation, causing an application crash. This issue has been patched in version 0.29.4. | 2025-11-21 | not yet calculated | CVE-2025-62609 | https://github.com/ml-explore/mlx/security/advisories/GHSA-j842-xgm4-wf88   |
| n/a--Ascertia SigningHub through 8.6.8 | In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests. | 2025-11-18 | not yet calculated | CVE-2025-54320 | https://www.ascertia.com/company/vulnerability-disclosure-policy/ https://github.com/saykino/CVE-2025-54320   |
| n/a--Ascertia SigningHub through 8.6.8 | In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests. | 2025-11-18 | not yet calculated | CVE-2025-54321 | https://www.ascertia.com/company/vulnerability-disclosure-policy/ https://github.com/saykino/CVE-2025-54321   |
| n/a--Awesome Miner thru 11.2.4 | A vulnerability was discovered in Awesome Miner thru 11.2.4 that allows arbitrary read and write to kernel memory and MSRs (such as LSTAR) as an unprivileged user. This is due to the implementation of an insecure version of WinRing0 (1.2.0.5, renamed to IntelliBreeze.Maintenance.Service.sys) that lacks a properly secured DACL, allowing unprivileged users to interact with the driver and, as a result, the kernel. This can result in local privilege escalation, information disclosure, denial of service, and other unspecified impacts. | 2025-11-18 | not yet calculated | CVE-2025-63602 | https://www.awesomeminer.com/download https://dreadsec.co/p/cve-2025-63602-hijacking-system-calls-with-a-popular-crypto-miner.html   |
| n/a--Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) | The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | 2025-11-19 | not yet calculated | CVE-2025-63221 | https://www.axeltechnology.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control   |
| n/a--Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) | The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | 2025-11-19 | not yet calculated | CVE-2025-63223 | https://www.axeltechnology.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63223_Axel%20Technology%20StreamerMAX%20MK%20II%20-%20Broken%20Access%20Control   |
| n/a--Axel Technology WOLF1MS and WOLF2MS devices | The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | 2025-11-19 | not yet calculated | CVE-2025-63218 | https://www.axeltechnology.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63218_Axel%20Technology%20WOLF1MS%20and%20WOLF2MS%20-%20Broken%20Access%20Control   |
| n/a--Backdrop CMS 1.32.1 | Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection. | 2025-11-18 | not yet calculated | CVE-2025-63828 | https://github.com/mertdurum06/BackdropCms-1.32.1/ https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt   |
| n/a--bridgetech | An issue was discovered in bridgetech probes VB220 IP Network Probe, VB120 Embedded IP + RF Probe, VB330 High-Capacity Probe, VB440 ST 2110 Production Analytics Probe, and NOMAD, firmware versions 6.5.0-9, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint. | 2025-11-19 | not yet calculated | CVE-2025-63205 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63205_bridgetech%20probes%20Information%20Disclosure   |
| n/a--bridgetech VB288 | An issue was discovered in bridgetech VB288 Objective QoE Content Extractor, firmware version 5.6.0-8, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint. | 2025-11-19 | not yet calculated | CVE-2025-63208 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63208_bridgetech%20VB288%20Information%20Disclosure   |
| n/a--bridgetech VBC Server & Element Manager | Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint. | 2025-11-19 | not yet calculated | CVE-2025-63211 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63211_bridgetech%20VBC%20Server%20and%20Element%20Manager%20Stored%20%20xss   |
| n/a--bridgetech VBC Server & Element Manager | An issue was discovered in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-10 and 6.5.0-9, allowing unauthorized attackers to delete and create arbitrary accounts. | 2025-11-19 | not yet calculated | CVE-2025-63214 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63214_bridgetech%20VBC%20Server%20and%20Element%20Manager%20Broken%20Access%20Control   |
| n/a--Campcodes Online Hospital Management System 1.0  | Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection in /admin/index.php via the parameter username. | 2025-11-19 | not yet calculated | CVE-2025-63719 | https://github.com/Pei4AN/CVE/issues/6   |
| n/a--Clerk-js 5.88.0 | An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage. | 2025-11-20 | not yet calculated | CVE-2025-63700 | https://clerk.com https://github.com/itsnishat08/CVE-2025-63700   |
| n/a--couch-auth 0.21.2 | Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking. | 2025-11-20 | not yet calculated | CVE-2025-60794 | https://www.npmjs.com/package/@perfood/couch-auth https://github.com/perfood/couch-auth https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60794.md   |
| n/a--D-Link Router DIR-868L | D-Link Router DIR-868L A1 FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. The HNAP service provided by cgibin does not filter the HTTP SOAPAction header field. An unauthenticated remote attacker can execute shell commands. | 2025-11-19 | not yet calculated | CVE-2025-63932 | https://www.dlink.com/en/security-bulletin/ https://github.com/WhereisRain/DIR-868/tree/main https://github.com/WhereisRain/DIR-868   |
| n/a--Dasan Switch DS2924 | An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted cookies in the web browser. | 2025-11-19 | not yet calculated | CVE-2025-63206 | http://dasansmc.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63206_Dasan%20Switch%20DS2924%20Authentication%20Bypass   |
| n/a--DzzOffice 2.3.x | The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up. | 2025-11-18 | not yet calculated | CVE-2025-63693 | https://github.com/Yohane-Mashiro/dzzoffice_xss https://github.com/zyx0814/dzzoffice/issues/363   |
| n/a--DzzOffice v2.3.7 | DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. | 2025-11-18 | not yet calculated | CVE-2025-63694 | https://github.com/zyx0814/dzzoffice/issues/364 https://github.com/Yohane-Mashiro/dzzoffice_sql   |
| n/a--DzzOffice v2.3.7 | DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. | 2025-11-18 | not yet calculated | CVE-2025-63695 | https://github.com/zyx0814/dzzoffice/issues/365 https://github.com/Yohane-Mashiro/dzzoffice_upload   |
| n/a--E-commerce Project v1.0 | A reflected cross-site scripting (XSS) vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into the id parameter. | 2025-11-19 | not yet calculated | CVE-2025-63879 | https://www.linkedin.com/in/rumana-khatun-208aa731b/ https://github.com/rumanaemu/CVE-Research/blob/main/CVE-2025-63879.md   |
| n/a--ELCA Star Transmitter | The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin credentials and system settings via an unprotected /setup.xml endpoint. The admin password is stored in plaintext under the <p05> XML tag, potentially leading to remote compromise of the transmitter system. | 2025-11-19 | not yet calculated | CVE-2025-63209 | https://www.elcaradio.com https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63209_ELCA%20Star%20Transmitter%20Remote%20Control%20-%20Information%20Disclosure   |
| n/a--electic-shop v1.0 | A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). The site's client-side JavaScript reads attacker-controlled input (for example, values derived from the URL or page fragment) and inserts it into the DOM via unsafe sinks (innerHTML/insertAdjacentHTML/document.write) without proper sanitization or context-aware encoding. An attacker can craft a malicious URL that, when opened by a victim, causes arbitrary JavaScript to execute in the victim's browser under the electic-shop origin. | 2025-11-18 | not yet calculated | CVE-2025-63883 | https://github.com/minhajultaivin/security-advisories/blob/main/CVE-2025-63883.md   |
| n/a--eProsima Fast-DDS v3.3 | eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t::fraction() function. | 2025-11-18 | not yet calculated | CVE-2025-63829 | https://github.com/eProsima/Fast-DDS/blob/master/src/cpp/fastdds/core/Time_t.cpp#L67 https://gist.github.com/lkloliver/b00377bec754d4aa1dc731be210d5889   |
| n/a--Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) | The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation. | 2025-11-18 | not yet calculated | CVE-2025-63225 | http://eurolab-srl.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63225_Eurolab_ELTS100_UBX_Broken_Access_Control   |
| n/a--FileCodeBox v2.2 | A path traversal vulnerability in FileCodeBox v2.2 and earlier allows arbitrary file writes when the application is configured to use local filesystem storage. The SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to the /share/file/ upload endpoint, which does not require any authorization. | 2025-11-19 | not yet calculated | CVE-2025-51661 | https://github.com/vastsa/FileCodeBox https://github.com/vastsa/FileCodeBox/issues/349   |
| n/a--FileCodeBox version 2.2 and earlier | A stored cross-site scripting (XSS) vulnerability exists in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The XSS payload is automatically executed in the browsers of any users who try to access the infected codebox by clicking the link or entering the share code. | 2025-11-19 | not yet calculated | CVE-2025-51662 | https://github.com/vastsa/FileCodeBox https://github.com/vastsa/FileCodeBox/issues/351   |
| n/a--FileCodeBox version 2.2 and earlier | A vulnerability in the IPRateLimit implementation of FileCodeBox up to 2.2 allows remote attackers to bypass IP-based rate limit protection and failed attempt restrictions by faking the X-Real-IP and X-Forwarded-For HTTP headers. This can enable attackers to perform DoS attacks or brute force share codes. | 2025-11-19 | not yet calculated | CVE-2025-51663 | https://github.com/vastsa/FileCodeBox https://github.com/vastsa/FileCodeBox/issues/350   |
| n/a--Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1-r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) | Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1-r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025. | 2025-11-17 | not yet calculated | CVE-2025-63292 | https://gist.github.com/7h30th3r0n3/1a0fadb19f1528e3d3f6bad9f680c3b0#file-cve-2025-63292-frebox-imsi-md https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/   |
| n/a--GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000 | GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out. | 2025-11-19 | not yet calculated | CVE-2025-63212 | https://www.gatesair.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63212%20_GatesAir%20Flexiva-LX%20Series%20_%20Session%20Hijacking   |
| n/a--Github Restaurant Website Restoran v1.0 | Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page. | 2025-11-19 | not yet calculated | CVE-2025-63878 | https://www.linkedin.com/in/rumana-khatun-208aa731b/ https://github.com/rumanaemu/CVE-Research/blob/main/CVE-2025-63878.md   |
| n/a--H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07, UAP700-WPT330-E2265, UAP672-WPT330-R2262, UAP662E-WPT330-R2262P03, WAP611-WPT330-R1348-OASIS, WAP662-WPT330-R2262, WAP662H-WPT330-R2262, USG300V2-WPT330-R2129, MSG300-WPT330-R1350, and MSG326-WPT330-R2129) | A remote command execution (RCE) vulnerability was discovered in all H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07, UAP700-WPT330-E2265, UAP672-WPT330-R2262, UAP662E-WPT330-R2262P03, WAP611-WPT330-R1348-OASIS, WAP662-WPT330-R2262, WAP662H-WPT330-R2262, USG300V2-WPT330-R2129, MSG300-WPT330-R1350, and MSG326-WPT330-R2129). Attackers are able to exploit this vulnerability via injecting crafted commands into the sessionid parameter. | 2025-11-18 | not yet calculated | CVE-2025-63258 | http://h3c.com https://zhiliao.h3c.com/Theme/details/232571   |
| n/a--Ilevia EVE X1 Server Firmware | Cross-site scripting vulnerability in Ilevia EVE X1 Server Firmware Version <= 4.7.18.0.eden: Logic Version <= 6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /index.php component. | 2025-11-20 | not yet calculated | CVE-2025-60737 | https://github.com/iSee857/ilevia-EVE-X1-Server-CSRF   |
| n/a--Ilevia EVE X1 Server Firmware | An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 and before, allows a remote attacker to execute arbitrary code via the ping.php component, which does not perform secure filtering on IP parameters. | 2025-11-20 | not yet calculated | CVE-2025-60738 | https://github.com/iSee857/ilevia-EVE-X1-Server   |
| n/a--Institute-of-Current-Students v1.0 | Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. The `myds` GET parameter is not adequately sanitized before being used in SQL queries. | 2025-11-20 | not yet calculated | CVE-2025-52410 | https://github.com/mathurvishal/Institute-of-Current-Students---PHP-Project/issues/2   |
| n/a--Itel DAB Encoder (IDEnc build 25aec8d) | The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | 2025-11-19 | not yet calculated | CVE-2025-63224 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63224_Itel%20DAB%20Encoder%20Authentication%20Bypass   |
| n/a--Itel DAB Gateway (IDGat build c041640a) | The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | 2025-11-18 | not yet calculated | CVE-2025-63216 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63216_Itel%20DAB%20Gateway%20Authentication%20Bypass   |
| n/a--Itel DAB Gateway (IDGat build c041640a) | The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | 2025-11-18 | not yet calculated | CVE-2025-63217 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63217%20_%20Itel%20DAB%20MUX%20Authentication%20Bypass   |
| n/a--ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) | The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity. | 2025-11-19 | not yet calculated | CVE-2025-63219 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63219_ITEL%20ISO%20FM%20SFN%20Adapter%20-%20Session%20Hijacking   |
| n/a--Kashipara Ecommerce Website 1.0 | Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the recover_email parameter in user_password_recover.php. | 2025-11-17 | not yet calculated | CVE-2024-44651 | https://www.kashipara.com/project/php/322/ecommerce-website-in-php-with-source-code-download https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44651.md   |
| n/a--Kashipara Ecommerce Website 1.0 | Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email, username, user_firstname, user_lastname, and user_address parameters in user_register.php. | 2025-11-17 | not yet calculated | CVE-2024-44652 | https://www.kashipara.com/project/php/322/ecommerce-website-in-php-with-source-code-download https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44652.md   |
| n/a--Kashipara Ecommerce Website 1.0 | Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email parameter in user_login.php. | 2025-11-17 | not yet calculated | CVE-2024-44653 | https://www.kashipara.com/project/php/322/ecommerce-website-in-php-with-source-code-download https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44653.md   |
| n/a--kashipara School Management System 1.0 | kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php. | 2025-11-17 | not yet calculated | CVE-2024-46334 | https://www.kashipara.com/project/php/73/school-management-system-download-project-source-code-in-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-46334.md   |
| n/a--kashipara School Management System 1.0 | kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php. | 2025-11-17 | not yet calculated | CVE-2024-46336 | https://www.kashipara.com/project/php/73/school-management-system-download-project-source-code-in-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-46336.md   |
| n/a--kishan0725 Hospital Management System | kishan0725 Hospital Management System has a Cross-Site Scripting (XSS) vulnerability in appsearch.php via the email parameter. | 2025-11-18 | not yet calculated | CVE-2025-63514 | https://github.com/kishan0725/Hospital-Management-System/issues/54 https://github.com/NicatAliyevh/Zero-Days/blob/main/Hospital_Management_System_Stored_XSS.md   |
| n/a--kishan0725 Hospital Management System v4 | kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in the appointment cancellation functionality. | 2025-11-18 | not yet calculated | CVE-2025-63513 | https://github.com/kishan0725/Hospital-Management-System/issues/55 https://github.com/NicatAliyevh/Zero-Days/blob/main/Hospital_Management_System_IDOR.md   |
| n/a--kishan0725 Hospital Management System/ v4 | kishan0725 Hospital Management System/ v4 is vulnerable to SQL Injection in admin-panel1.php, specifically in the deleting doctor logic. The application fails to properly sanitize or parameterize user-supplied input from the demail parameter before incorporating it directly into a dynamic SQL query. | 2025-11-18 | not yet calculated | CVE-2025-63512 | https://github.com/NicatAliyevh/Zero-Days/blob/main/Hospital_Management_System_SQL2.md   |
| n/a--Kotaemon 0.11.0 | Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF. | 2025-11-18 | not yet calculated | CVE-2025-56526 | https://github.com/Cinnamon/kotaemon/commit/37cdc28 https://github.com/Cinnamon/kotaemon https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363 https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73   |
| n/a--Kotaemon 0.11.0 | Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage. | 2025-11-18 | not yet calculated | CVE-2025-56527 | https://github.com/Cinnamon/kotaemon/commit/37cdc28 https://github.com/Cinnamon/kotaemon https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363?pvs=74 https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73   |
| n/a--Local Agent DVR versions thru 6.6.1.0 | Local Agent DVR versions thru 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side request forgery (SSRF), or execute OS commands. | 2025-11-18 | not yet calculated | CVE-2025-63408 | https://www.ericholub.com/blog/agent-dvr-rce/ https://ispysoftware.github.io/Agent_API/   |
| n/a--MCP Data Science Server | A command injection vulnerability exists in MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration) 0.1.6, in the safe_eval() function (src/mcp_server_ds/server.py:108). The function uses Python's exec() to execute user-supplied scripts but fails to restrict the `__builtins__` dictionary in the globals parameter. When `__builtins__` is not explicitly defined, Python automatically provides access to all built-in functions including `__import__`, exec, eval, and open. This allows an attacker to execute arbitrary Python code with full system privileges, leading to complete system compromise. The vulnerability can be exploited by submitting a malicious script to the run_script tool, requiring no authentication or special privileges. | 2025-11-18 | not yet calculated | CVE-2025-63603 | https://github.com/reading-plus-ai/mcp-server-data-exploration/issues/12   |
| n/a--mihomo v1.19.11 | Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file. | 2025-11-18 | not yet calculated | CVE-2025-56499 | https://github.com/MetaCubeX/mihomo/tree/v1.19.11 https://github.com/Cherrling/CVE-2025-56499   |
| n/a--Milos Paripovic OneCommander 3.102.0.0 | Milos Paripovic OneCommander 3.102.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. | 2025-11-19 | not yet calculated | CVE-2025-63371 | https://www.onecommander.com/ https://jeroscope.com/advisories/2025/jero-2025-007/   |
| n/a--Modular Max Serve before 25.6 | Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used, allowing attackers to execute arbitrary code. | 2025-11-18 | not yet calculated | CVE-2025-60455 | https://github.com/modular/modular/issues/4795 https://github.com/modular/modular/blame/main/max/serve/kvcache_agent/kvcache_agent.py#L220 https://github.com/modular/modular/commit/10620059fb5c47fb0c30e5d21a8ff3b8d622fba4 https://github.com/modular/modular/commit/ee9c4ab02345dd30bed8b79771b6909ff1b930a1 https://github.com/modular/modular/commit/b20e749fa892dbe772e890a268002f732164d9f5 https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem   |
| n/a--Mozart FM Transmitter version WEBMOZZI-00287 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary files (e.g., PHP webshells), which are stored in the /patch/ directory. This allows the attacker to execute arbitrary commands on the server, potentially leading to full system compromise. | 2025-11-18 | not yet calculated | CVE-2025-63227 | https://www.dbbroadcast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63227_Mozart_FM_Transmitter_authenticated_File_Upload   |
| n/a--Mozart FM Transmitter version WEBMOZZI-00287 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise. | 2025-11-18 | not yet calculated | CVE-2025-63228 | https://www.dbbroadcast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63228_Mozart_FM_Transmitter_Unauthenticated_File_Upload   |
| n/a--Mozart FM Transmitter version WEBMOZZI-00287 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker can execute arbitrary code in the victim's browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions. | 2025-11-18 | not yet calculated | CVE-2025-63229 | https://www.dbbroadcast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63229_Mozart_FM_Transmitter_xss   |
| n/a--MyScreenTools v2.2.1.0 | MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. The application fails to properly sanitize user-supplied file paths before passing them to cmd.exe, allowing attackers to execute arbitrary system commands with the privileges of the user running the application. The vulnerability exists in the CMD() function within GIFSicleTool\Form_gif_sicle_tool.cs, which constructs shell commands by concatenating unsanitized user input (file paths) and executes them via cmd.exe. | 2025-11-17 | not yet calculated | CVE-2025-63916 | https://github.com/luotengyuan/MyScreenTools/blob/master/GIFSicleTool/Form_gif_sicle_tool.cs https://github.com/luotengyuan/MyScreenTools/tree/master https://github.com/cydtseng/Vulnerability-Research/blob/main/myscreentools/OSCommandInjection-GifCompression.md   |
| n/a--FS[.]com | FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch, 8 x Gigabit RJ45, with 2 x 1Gb SFP, Fanless. All versions before 2.2.0D Build 135103 were discovered to transmit cookies for their web based administrative application containing usernames and passwords. These were transmitted in cleartext using simple base64 encoding during every POST request made to the server. | 2025-11-20 | not yet calculated | CVE-2025-25613 | http://fs.com http://s3150-8t2f.com https://github.com/SwiftSecur/S3150-8T2F-FS.com-Research/wiki   |
| n/a--openml.org | The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted as "%d %H:%M:%S" without incorporating any user-specific data or cryptographic randomness. This predictability allows remote attackers to brute-force valid tokens within a small time window, enabling unauthorized account confirmation, password resets, and email change approvals, potentially leading to account takeover. | 2025-11-18 | not yet calculated | CVE-2025-55796 | https://github.com/openml https://github.com/openml/openml.org https://github.com/openml/openml.org/security/advisories/GHSA-xfjh-gf9p-8qr6   |
| n/a--n/a | A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Python built-in functions (`__import__`, getattr, hasattr) in the execution namespace and the direct use of exec() to execute user-supplied code. An attacker can craft malicious queries to execute arbitrary Python code, leading to AWS credential theft (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), file system access, environment variable disclosure, and potential system compromise. The vulnerability allows attackers to bypass intended security controls and gain unauthorized access to sensitive AWS resources and credentials stored in the server's environment. | 2025-11-18 | not yet calculated | CVE-2025-63604 | https://github.com/baryhuang/mcp-server-aws-resources-python/issues/8   |
| n/a--Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 | The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted responses from the /celoxservice endpoint. By injecting a forged response body during the loginWithUserName flow, the attacker can gain Superuser or Operator access without providing valid credentials. | 2025-11-19 | not yet calculated | CVE-2025-63210 | https://www.newtec.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63210_Newtec%20Celox%20UHD%20Authentication%20Bypass%20_%20Privilege%20Escalation   |
| n/a--Open Source Point of Sale 3.4.1 | The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts. | 2025-11-18 | not yet calculated | CVE-2025-63800 | https://github.com/opensourcepos/opensourcepos https://opensourcepos.org/ https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-63800   |
| n/a--OpenRapid RapidCMS 1.3.1 | OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php. | 2025-11-17 | not yet calculated | CVE-2025-64046 | http://rapidcms.com https://gist.github.com/b1uel0n3/c8467f156f523fcf16dc572a34693126   |
| n/a--PDFPatcher thru 1.1.3.4663 | PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks. | 2025-11-17 | not yet calculated | CVE-2025-63917 | https://www.cnblogs.com/pdfpatcher https://github.com/wmjordan/PDFPatcher https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/XXE-Importers.md   |
| n/a--PDFPatcher | PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks that let attackers upload arbitrary files to arbitrary locations. | 2025-11-17 | not yet calculated | CVE-2025-63918 | https://www.cnblogs.com/pdfpatcher https://github.com/wmjordan/PDFPatcher https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/DirectoryTraversal-ImageExport.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the email and mobileno parameters in reset-password.php. | 2025-11-17 | not yet calculated | CVE-2024-44654 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44654.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php. | 2025-11-17 | not yet calculated | CVE-2024-44655 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44655.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the fromdate and todate parameters in between-date-userreport.php. | 2025-11-17 | not yet calculated | CVE-2024-44657 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44657.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php. | 2025-11-17 | not yet calculated | CVE-2024-44658 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44658.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php. | 2025-11-17 | not yet calculated | CVE-2024-46335 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-46335.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php. | 2025-11-17 | not yet calculated | CVE-2024-44659 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44659.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the fullname, emailid, and contactno parameters in login.php. | 2025-11-17 | not yet calculated | CVE-2024-44660 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44660.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to Cross Site Scripting (XSS) via the quantity parameter in my-cart.php. | 2025-11-17 | not yet calculated | CVE-2024-44661 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44661.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the username parameter in the admin page. | 2025-11-17 | not yet calculated | CVE-2024-44662 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44662.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the product parameter in search-result.php. | 2025-11-17 | not yet calculated | CVE-2024-44663 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44663.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the name, summary, review, quality, price, and value parameters in product-details.php. | 2025-11-17 | not yet calculated | CVE-2024-44664 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44664.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the oldpass parameter in change-password.php. | 2025-11-17 | not yet calculated | CVE-2024-44641 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44641.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the frm_id and aremark parameters in manage-tickets.php. | 2025-11-17 | not yet calculated | CVE-2024-44644 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44644.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to Cross Site Scripting (XSS) via the aremark parameter in manage-tickets.php. | 2025-11-17 | not yet calculated | CVE-2024-44647 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44647.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the id and adminremark parameters in quote-details.php. | 2025-11-17 | not yet calculated | CVE-2024-44648 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44648.md   |
| n/a--PHPGurukul Student Record System v3.2 | A Cross-Site Request Forgery (CSRF) vulnerability in the manage-students.php component of PHPGurukul Student Record System v3.2 allows an attacker to trick an authenticated administrator into submitting a forged request. This leads to the unauthorized deletion of user accounts, causing a Denial of Service (DoS). | 2025-11-18 | not yet calculated | CVE-2025-63955 | https://phpgurukul.com/student-record-system-php/ https://github.com/Wayne-arul/CVE-Disclosures/tree/main/CVE-2025-63955   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions. | 2025-11-20 | not yet calculated | CVE-2025-60796 | https://github.com/phppgadmin/phppgadmin/blob/master/sequences.php#L316 https://github.com/phppgadmin/phppgadmin/blob/master/indexes.php#L29 https://github.com/phppgadmin/phppgadmin/blob/master/admin.php#L35 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60796.md   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation. | 2025-11-20 | not yet calculated | CVE-2025-60797 | https://github.com/phppgadmin/phppgadmin/blob/master/dataexport.php#L118 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise. | 2025-11-20 | not yet calculated | CVE-2025-60798 | https://github.com/phppgadmin/phppgadmin/blob/master/display.php#L396 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60798.md   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data. | 2025-11-20 | not yet calculated | CVE-2025-60799 | https://github.com/phppgadmin/phppgadmin/blob/master/sql.php#L68-L76 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60799.md   |
| n/a--Pixeon WebLaudos 25.1 (01) | A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01), via the sle_sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be executed in the victim's browser within the security context of the vulnerable application. This issue could allow attackers to steal session cookies, disclose sensitive information, perform unauthorized actions on behalf of the user, or conduct phishing attacks. | 2025-11-19 | not yet calculated | CVE-2025-63243 | https://www.pixeon.com/ https://medium.com/@wagneralves_87750/cve-2025-63243-reflected-cross-site-scripting-in-loginalterarsenha-asp-via-sle-slogin-parameter-53808fbbeeee   |
| n/a--pnetlab 5.3.11 | pnetlab 5.3.11 is vulnerable to Command Injection via the qemu_options parameter. | 2025-11-18 | not yet calculated | CVE-2025-63749 | https://github.com/XunMInt/cve/blob/main/Pnetlab-20251013.md   |
| n/a--QaTraq 6.9.2 | QaTraq 6.9.2 allows authenticated users to upload arbitrary files via the "Add Attachment" feature in the "Test Script" module. The application fails to restrict file types, enabling the upload of executable PHP files. Once uploaded, the file can be accessed through the "View Attachment" option, which executes the PHP payload on the server. | 2025-11-17 | not yet calculated | CVE-2025-63748 | http://qatraq.com https://bitsbyamg.com/blog/post/2025/10/19/qatraq-692-default-creds-and-file-upload-rce   |
| n/a--QaTraq 6.9.2 | QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access. | 2025-11-17 | not yet calculated | CVE-2025-63747 | http://qatraq.com https://bitsbyamg.com/blog/post/2025/10/19/qatraq-692-default-creds-and-file-upload-rce   |
| n/a--Qlik Sense Enterprise v14.212.13 | Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory. | 2025-11-20 | not yet calculated | CVE-2025-61138 | https://gist.github.com/Israel0x00/8a81ec98162e9ca8e4a3a6c8b4ef4762   |
| n/a--Quark Cloud Drive v3.23.2 | Quark Cloud Drive v3.23.2 has a DLL Hijacking vulnerability. This vulnerability stems from the insecure loading of system libraries. Specifically, the application does not validate the path or signature of [regsvr32.exe] it loads. An attacker can place a crafted malicious DLL in the application's startup directory, which will be loaded and executed when the user launches the program. | 2025-11-20 | not yet calculated | CVE-2025-63685 | https://github.com/QIU-DIE/CVE/issues/5   |
| n/a--QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) | The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted GET request with a malicious parameter to inject arbitrary commands. These commands are executed with root privileges, allowing attackers to gain full control over the device. This poses a significant security risk to any device running this software. | 2025-11-19 | not yet calculated | CVE-2025-63213 | https://qvidium.tv/ https://undercodetesting.com/zero-day-vulnerabilities-discovered-in-qvidium-opera11-remote-code-execution-rce-exploit/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63213_QVidium%20Opera11%20RCE   |
| n/a--R.V.R Elettronica TEX | The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. An attacker can send an unauthenticated POST request to change the Admin, Operator, and User passwords, resulting in complete system compromise. | 2025-11-19 | not yet calculated | CVE-2025-63207 | https://www.rvr.it/en/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63207_RVR%20Elettronica%20TEX%20Broken%20Access%20Control   |
| n/a--Requarks Wiki.js 2.5.307 | Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism. | 2025-11-18 | not yet calculated | CVE-2025-56643 | https://github.com/0xBS0D27/CVE-2025-56643   |
| n/a--RichFilemanager v2.7.6 | An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file. | 2025-11-18 | not yet calculated | CVE-2025-63994 | https://github.com/psolom/RichFilemanager/issues/412   |
| n/a--Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) | The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities. | 2025-11-18 | not yet calculated | CVE-2025-63226 | https://www.sencore.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63226_Sencore_SMP100_Session_Hijacking   |
| n/a--Snipe-IT v8.3.4 | Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. | 2025-11-20 | not yet calculated | CVE-2025-64027 | https://github.com/grokability/snipe-it https://github.com/cybercrewinc/CVE-2025-64027/   |
| n/a--Sound4 FIRST | The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | 2025-11-19 | not yet calculated | CVE-2025-63220 | https://www.sound4helpdesk.com/ https://www.sound4helpdesk.com/first-downloads/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63220_Sound4%20FIRST%20RCE   |
| n/a--Sound4 IMPACT | The Sound4 IMPACT web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | 2025-11-18 | not yet calculated | CVE-2025-63215 | https://www.sound4helpdesk.com/ https://www.sound4helpdesk.com/impact-downloads/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63215%20_%20Sound4%20IMPACT%20%20RCE   |
| n/a--SourceCodester AI Font Matcher (nid=18425, 2025-10-10) | Cross-Site Scripting (XSS) vulnerability exists in SourceCodester AI Font Matcher (nid=18425, 2025-10-10) that allows remote attackers to execute arbitrary JavaScript in victims' browsers. The vulnerability occurs in the webfonts API handling mechanism where font family names are not properly sanitized. An attacker can intercept fetch requests to the webfonts endpoint and inject malicious JavaScript payloads through font family names, resulting in session cookie theft, account hijacking, and unauthorized actions performed on behalf of authenticated users. The vulnerability can be exploited by injecting a fetch hook that returns controlled font data containing malicious scripts. | 2025-11-17 | not yet calculated | CVE-2025-63708 | https://www.sourcecodester.com/javascript/18425/ai-font-matcher-using-html-css-and-javascript-source-code.html https://github.com/DylanDavis1/CVE-2025-64708   |
| n/a--SourceCodester Student Grades Management System 1.0 | A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. This manipulation of the argument name/description causes stored cross site scripting. | 2025-11-18 | not yet calculated | CVE-2025-63892 | http://student.com http://sourcecodester.com https://github.com/minhajultaivin/security-advisories/blob/main/CVE-2025-63892.md   |
| n/a--SWISH prolog thru 2.2.0 | A stored cross-site scripting (XSS) vulnerability in SWISH prolog through 2.2.0 allows attackers to execute arbitrary code via a crafted web IDE notebook. | 2025-11-20 | not yet calculated | CVE-2025-63848 | https://github.com/SWI-Prolog https://github.com/coderMohammed1/CVE-2025-63848 |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow in: /goform/SetVirtualServerCfg via the list parameter. | 2025-11-20 | not yet calculated | CVE-2025-65220 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN1.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the list parameter of /goform/setPptpUserList. | 2025-11-20 | not yet calculated | CVE-2025-65221 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN2.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the rebootTime parameter of /goform/SetSysAutoRebbotCfg. | 2025-11-20 | not yet calculated | CVE-2025-65222 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN3.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the urls parameter of /goform/saveParentControlInfo. | 2025-11-20 | not yet calculated | CVE-2025-65223 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN4.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the deviceId parameter in /goform/saveParentControlInfo. | 2025-11-20 | not yet calculated | CVE-2025-65226 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN5.md   |
| n/a--ThinkPHP 5.0.24 | The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability. | 2025-11-20 | not yet calculated | CVE-2025-63888 | https://www.yuque.com/lcc316/df0kgm/mglhbxltgbmzfh2s https://gist.github.com/Master-0-0/0bf54cbb335b586b42b0db0db804e7aa   |
| n/a--ThinkPHP 5.0.24 | The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value. | 2025-11-20 | not yet calculated | CVE-2025-63889 | https://www.yuque.com/lcc316/df0kgm/xqkrw5rfz5vqxo9t https://gist.github.com/Master-0-0/dd63209602f04267f1a27a75a064df26   |
| n/a--weijiang1994 university-bbs | An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods. | 2025-11-20 | not yet calculated | CVE-2025-63807 | https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd   |
| Nagios--Log Server | Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability via the experimental 'Natural Language Queries' feature. Configuration values for this feature are read from the application settings and incorporated into a system command without adequate validation or restriction of special characters. An authenticated user with access to global configuration can abuse these settings to execute arbitrary operating system commands with the privileges of the web server account, leading to compromise of the Log Server host. | 2025-11-17 | not yet calculated | CVE-2025-34322 | https://www.nagios.com/products/security/#log-server https://www.nagios.com/changelog/nagios-log-server/nagios-log-server-2026r1-0-1/ https://www.vulncheck.com/advisories/nagios-log-server-authenticated-command-injection-via-natural-language-queries   |
| Nagios--Log Server | Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to unsafe interaction between sudo rules and file system permissions. The web server account is granted passwordless sudo access to certain maintenance scripts while also being a member of a group that has write access to the directory containing those scripts. A local attacker running as the web server user can replace one of the permitted scripts with a malicious program and then execute it via sudo, resulting in arbitrary code execution with root privileges. | 2025-11-17 | not yet calculated | CVE-2025-34323 | https://www.nagios.com/products/security/#log-server https://www.nagios.com/changelog/nagios-log-server/nagios-log-server-2026r1-0-1/ https://www.vulncheck.com/advisories/nagios-log-server-local-privilege-escalation-via-writable-scripts-and-sudo-rules   |
| NEC Corporation--RakurakuMusen Start EX | DLL Loading vulnerability in NEC Corporation RakurakuMusen Start EX, all versions, allows an attacker to manipulate the PC environment to cause unintended operations on the user's device. | 2025-11-19 | not yet calculated | CVE-2025-12852 | https://jpn.nec.com/security-info/secinfo/nv25-007_en.html |
| Nelio Software--Nelio Popups | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nelio Software Nelio Popups nelio-popups allows Stored XSS. This issue affects Nelio Popups: from n/a through <= 1.3.0. | 2025-11-21 | not yet calculated | CVE-2025-66111 | https://vdp.patchstack.com/database/Wordpress/Plugin/nelio-popups/vulnerability/wordpress-nelio-popups-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| octolize--Cart Weight for WooCommerce | Missing Authorization vulnerability in octolize Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11. | 2025-11-21 | not yet calculated | CVE-2025-66109 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-cart-weight/vulnerability/wordpress-cart-weight-for-woocommerce-plugin-1-9-11-broken-access-control-vulnerability?_s_id=cve |
| openfga--openfga | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1. | 2025-11-21 | not yet calculated | CVE-2025-64751 | https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc https://github.com/openfga/openfga/releases/tag/v1.11.1   |
| OpenText--uCMDB | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText uCMDB allows Stored XSS. The vulnerability could allow an attacker who has high-level access to uCMDB to create or update data with malicious scripts. This issue affects uCMDB: 24.4. | 2025-11-19 | not yet calculated | CVE-2025-11884 | https://portal.microfocus.com/s/article/KM000043674?language=en_US |
| OSC--ondemand | Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, Open OnDemand packages create world writable locations in the GEM_PATH. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability. | 2025-11-20 | not yet calculated | CVE-2025-64185 | https://github.com/OSC/ondemand/security/advisories/GHSA-r2cg-hg78-gq9p   |
| pjsip--pjproject | PJSIP is a free and open source multimedia communication library. Prior to version 2.16, Opus PLC may zero-fill the input frame as long as the decoder ptime, while the input frame length, which is based on stream ptime, may be less than that. This issue affects PJSIP users who use the Opus audio codec in receiving direction. The vulnerability can lead to unexpected application termination due to a memory overwrite. This issue has been patched in version 2.16. | 2025-11-21 | not yet calculated | CVE-2025-65102 | https://github.com/pjsip/pjproject/security/advisories/GHSA-w5vr-39x7-h8g5 https://github.com/pjsip/pjproject/commit/6e9bd2e7d25bba26f852771b40693f45da14fa8f   |
| Progress--DataDirect Connect for JDBC for Amazon Redshift | Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver supports an undocumented syntax construct for the option value that if discovered can be used by an attacker. If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker can use the undocumented syntax to cause the driver to load an arbitrary class on the class path and execute a constructor on that class. This issue affects: DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541; DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833; DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628; DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279; DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344; DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063; DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964; DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525; DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410; DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727; DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851; DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198; DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957; DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587; DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669; DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364; DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776; DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458; DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316; DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309; DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856; DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189; DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125; DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired; DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858; DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162; DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856; DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430; DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023; DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339; DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430; DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183; DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022 | 2025-11-19 | not yet calculated | CVE-2025-10702 | https://community.progress.com/s/article/Progress-DataDirect-Critical-Security-Product-Alert-Bulletin-November-2025 |
| Progress--DataDirect Connect for JDBC for Amazon Redshift | Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to. If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause java script to be written to a log file. If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served. The attacker could fetch the resource from the server causing the java script to be executed. This issue affects: DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541; DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833; DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628; DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279; DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344; DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063; DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964; DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525; DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410; DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727; DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851; DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198; DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957; DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587; DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669; DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364; DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776; DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458; DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316; DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309; DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856; DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189; DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125; DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired; DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858; DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162; DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856; DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430; DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023; DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339; DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430; DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183; DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022 | 2025-11-19 | not yet calculated | CVE-2025-10703 | https://community.progress.com/s/article/Progress-DataDirect-Critical-Security-Product-Alert-Bulletin-November-2025 |
| Property Hive--PropertyHive | Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PropertyHive: from n/a through <= 2.1.12. | 2025-11-21 | not yet calculated | CVE-2025-66087 | https://vdp.patchstack.com/database/Wordpress/Plugin/propertyhive/vulnerability/wordpress-propertyhive-plugin-2-1-12-broken-access-control-vulnerability?_s_id=cve |
| Revive--Revive Adserver | Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows a logged-in attacker to change other users' email addresses and potentially take over their accounts using the forgot password functionality. | 2025-11-20 | not yet calculated | CVE-2025-48986 | https://hackerone.com/reports/3398283 |
| Revive--Revive Adserver | Improper Neutralization of Input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes a potential reflected XSS attack. | 2025-11-20 | not yet calculated | CVE-2025-48987 | https://hackerone.com/reports/3399191   |
| Revive--Revive Adserver | Improper neutralisation of format characters in the settings of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an administrator user to disable the admin user console due to a fatal PHP error. | 2025-11-20 | not yet calculated | CVE-2025-52666 | https://hackerone.com/reports/3399218   |
| Revive--Revive Adserver | Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in manager user. | 2025-11-20 | not yet calculated | CVE-2025-52667 | https://hackerone.com/reports/3399809   |
| Revive--Revive Adserver | Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential information disclosure and session hijacking via a stored XSS attack. | 2025-11-20 | not yet calculated | CVE-2025-52668 | https://hackerone.com/reports/3400506   |
| Revive--Revive Adserver | Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to have access to the contact name and email address of other users on the system. | 2025-11-20 | not yet calculated | CVE-2025-52669 | https://hackerone.com/reports/3401464   |
| Revive--Revive Adserver | Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows users on the system to delete banners owned by other accounts. | 2025-11-20 | not yet calculated | CVE-2025-52670 | https://hackerone.com/reports/3401612 |
| Revive--Revive Adserver | Debug information disclosure in the SQL error message in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows non-admin users to acquire information about the software, PHP and database versions currently in use. | 2025-11-20 | not yet calculated | CVE-2025-52671 | https://hackerone.com/reports/3403450 |
| Revive--Revive Adserver | Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users. | 2025-11-20 | not yet calculated | CVE-2025-55123 | https://hackerone.com/reports/3404968   |
| Revive--Revive Adserver | Improper neutralisation of input in Revive Adserver 6.0.0+ causes a reflected XSS attack in the banner-zone.php script. | 2025-11-20 | not yet calculated | CVE-2025-55124 | https://hackerone.com/reports/3403727   |
| Revive--Revive Adserver | HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS | 2025-11-20 | not yet calculated | CVE-2025-55126 | https://hackerone.com/reports/3411750   |
| Revive--Revive Adserver | HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion. | 2025-11-20 | not yet calculated | CVE-2025-55127 | https://hackerone.com/reports/3413764   |
| Revive--Revive Adserver | HackerOne community member Dao Hoang Anh (yoyomiski) has reported an uncontrolled resource consumption vulnerability in the "userlog-index.php". An attacker with access to the admin interface could request an arbitrarily large number of items per page, potentially leading to a denial of service | 2025-11-20 | not yet calculated | CVE-2025-55128 | https://hackerone.com/reports/3413890   |
| Sabuj Kundu--CBX Bookmark & Favorite | Missing Authorization vulnerability in Sabuj Kundu CBX Bookmark & Favorite cbxwpbookmark allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CBX Bookmark & Favorite: from n/a through <= 2.0.1. | 2025-11-21 | not yet calculated | CVE-2025-66101 | https://vdp.patchstack.com/database/Wordpress/Plugin/cbxwpbookmark/vulnerability/wordpress-cbx-bookmark-favorite-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve |
| Scott Paterson--Subscriptions & Memberships for PayPal | Missing Authorization vulnerability in Scott Paterson Subscriptions & Memberships for PayPal subscriptions-memberships-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscriptions & Memberships for PayPal: from n/a through <= 1.1.7. | 2025-11-21 | not yet calculated | CVE-2025-66107 | https://vdp.patchstack.com/database/Wordpress/Plugin/subscriptions-memberships-for-paypal/vulnerability/wordpress-subscriptions-memberships-for-paypal-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| Shahjahan Jewel--FluentCommunity | Missing Authorization vulnerability in Shahjahan Jewel FluentCommunity fluent-community allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentCommunity: from n/a through <= 2.0.0. | 2025-11-21 | not yet calculated | CVE-2025-66084 | https://vdp.patchstack.com/database/Wordpress/Plugin/fluent-community/vulnerability/wordpress-fluentcommunity-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| Shelly--Pro 3EM | Out-of-bounds Read in Shelly Pro 3EM (before v1.4.4) allows Overread Buffers. | 2025-11-19 | not yet calculated | CVE-2025-12056 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-12056 https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-03   |
| Shelly--Pro 4PM | Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network. | 2025-11-19 | not yet calculated | CVE-2025-11243 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-11243 https://www.nozominetworks.com/blog/shelly-pro-4pm-vulnerabilities https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-02   |
| silabs.com--RS9116W | A Bluetooth device using the RS9116-WiseConnect SDK experiences a Denial of Service if it receives malformed L2CAP packets; only a hard reset will bring the device back to normal operation. | 2025-11-17 | not yet calculated | CVE-2025-4321 | https://community.silabs.com/068Vm00000YV9DL |
| sonalsinha21--SKT Skill Bar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows DOM-Based XSS. This issue affects SKT Skill Bar: from n/a through <= 2.5. | 2025-11-21 | not yet calculated | CVE-2025-66090 | https://vdp.patchstack.com/database/Wordpress/Plugin/skt-skill-bar/vulnerability/wordpress-skt-skill-bar-plugin-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SonicWall--Email Security | A Download of Code Without Integrity Check vulnerability exists in the SonicWall Email Security appliance, which loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution. | 2025-11-20 | not yet calculated | CVE-2025-40604 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018 |
| SonicWall--Email Security | A Path Traversal vulnerability in the Email Security appliance allows an attacker to manipulate file system paths by injecting crafted directory-traversal sequences (such as ../) and potentially access files and directories outside the intended restricted path. | 2025-11-20 | not yet calculated | CVE-2025-40605 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018 |
| SonicWall--SonicOS | A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash. | 2025-11-20 | not yet calculated | CVE-2025-40601 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Broken Access Control in the /status endpoint. Due to a lack of permission checks in the Project Status functionality, an authenticated attacker is able to add, edit and delete any status. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62293 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to a weak mechanism for generating recovery tokens, a malicious attacker is able to brute-force all possible values and take over any account in a reasonable amount of time. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62294 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in the /groupe_form endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when opening the editor. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62295 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in the /taches endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when opening the editor. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62296 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in the /projets endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when opening the edited page. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62297 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in the /status endpoint. A malicious attacker with an account can inject arbitrary HTML and JS into the website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62729 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Privilege Escalation in the user management tab. Users with the user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user, including themselves. This allows a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both the Bulk Update functionality and regular editing of a user's rights and privileges. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62730 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in the /feries endpoint. A malicious attacker with access to the public holidays feature is able to inject arbitrary HTML and JS into the website, which will be rendered/executed when opening multiple pages. By default, only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62731 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/ |
| Stiofan--UsersWP | Missing Authorization vulnerability in Stiofan UsersWP userswp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UsersWP: from n/a through <= 1.2.47. | 2025-11-21 | not yet calculated | CVE-2025-66072 | https://vdp.patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-47-broken-access-control-vulnerability?_s_id=cve |
| SUSE--openSUSE Tumbleweed | An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1. | 2025-11-20 | not yet calculated | CVE-2025-62875 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62875 https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html   |
| Syed Balkhi--Giveaways and Contests by RafflePress | Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Giveaways and Contests by RafflePress rafflepress allows Cross Site Request Forgery. This issue affects Giveaways and Contests by RafflePress: from n/a through <= 1.12.20. | 2025-11-21 | not yet calculated | CVE-2025-66064 | https://vdp.patchstack.com/database/Wordpress/Plugin/rafflepress/vulnerability/wordpress-giveaways-and-contests-by-rafflepress-plugin-1-12-20-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| theme funda--Show Variations as Single Products Woocommerce | Missing Authorization vulnerability in theme funda Show Variations as Single Products Woocommerce woo-show-single-variations-shop-category allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Show Variations as Single Products Woocommerce: from n/a through <= 2.0. | 2025-11-21 | not yet calculated | CVE-2025-66114 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-show-single-variations-shop-category/vulnerability/wordpress-show-variations-as-single-products-woocommerce-plugin-2-0-broken-access-control-vulnerability?_s_id=cve |
| ThemeAtelier--Better Chat Support for Messenger | Missing Authorization vulnerability in ThemeAtelier Better Chat Support for Messenger better-chat-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Chat Support for Messenger: from n/a through <= 1.2.18. | 2025-11-21 | not yet calculated | CVE-2025-66113 | https://vdp.patchstack.com/database/Wordpress/Plugin/better-chat-support/vulnerability/wordpress-better-chat-support-for-messenger-plugin-1-2-18-broken-access-control-vulnerability?_s_id=cve |
| ThemeAtelier--Chat Help | Missing Authorization vulnerability in ThemeAtelier Chat Help chat-help allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chat Help: from n/a through <= 3.1.3. | 2025-11-21 | not yet calculated | CVE-2025-66099 | https://vdp.patchstack.com/database/Wordpress/Plugin/chat-help/vulnerability/wordpress-chat-help-plugin-3-1-3-broken-access-control-vulnerability?_s_id=cve |
| Themeisle--PPOM for WooCommerce | Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PPOM for WooCommerce: from n/a through <= 33.0.16. | 2025-11-21 | not yet calculated | CVE-2025-66069 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-product-addon/vulnerability/wordpress-ppom-for-woocommerce-plugin-33-0-16-broken-access-control-vulnerability?_s_id=cve |
| Times Software--E-Payroll | Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feasible, although so far creating a working exploit has been prevented probably by backend filtering mechanisms. Additionally, command injection attempts cause the application to return extensive error messages disclosing some information about the internal infrastructure.  Patching status is unknown because the vendor has not replied to messages sent by the CNA. | 2025-11-18 | not yet calculated | CVE-2025-9977 | https://cert.pl/en/posts/2025/11/CVE-2025-9977 https://www.timesoftsg.com.sg/payroll-software/   |
| Tinexta InfoCert S.p.A.--GoSign Desktop | GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate validation can be disabled when a proxy is configured, allowing an attacker who can intercept network traffic to supply a malicious update manifest and corresponding package with a matching hash. This can cause the client to download and install a tampered update, resulting in arbitrary code execution with the privileges of the GoSign Desktop user on Windows and macOS, or with elevated privileges on some Linux deployments. A local attacker who can modify proxy settings may also abuse this behavior to escalate privileges by forcing installation of a crafted update. | 2025-11-18 | not yet calculated | CVE-2025-34324 | https://www.ush.it/2025/11/14/multiple-vulnerabilities-gosign-desktop-remote-code-execution/ https://infocert.digital/consumer/gosign-suite/ https://www.vulncheck.com/advisories/gosign-desktop-insecure-update-mechanism-rce https://www.ush.it/2025/11/14/vulnerabilita-multiple-gosign-desktop-esecuzione-remota-codice-arbitrario/   |
| TP-Link System Inc.--TL-WR940N V6 | Improper input validation vulnerability in TP-Link System Inc. TL-WR940N V6 (UPnP modules), which allows unauthenticated adjacent attackers to perform DoS attack. This issue affects TL-WR940N V6 <= Build 220801. | 2025-11-20 | not yet calculated | CVE-2025-11676 | https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware https://www.tp-link.com/en/support/faq/4755/   |
| tychesoftwares--Arconix Shortcodes | Missing Authorization vulnerability in tychesoftwares Arconix Shortcodes arconix-shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arconix Shortcodes: from n/a through <= 2.1.18. | 2025-11-21 | not yet calculated | CVE-2025-66085 | https://vdp.patchstack.com/database/Wordpress/Plugin/arconix-shortcodes/vulnerability/wordpress-arconix-shortcodes-plugin-2-1-18-broken-access-control-vulnerability?_s_id=cve |
| tychesoftwares--Custom Order Numbers for WooCommerce | Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Order Numbers for WooCommerce: from n/a through <= 1.11.0. | 2025-11-21 | not yet calculated | CVE-2025-66071 | https://vdp.patchstack.com/database/Wordpress/Plugin/custom-order-numbers-for-woocommerce/vulnerability/wordpress-custom-order-numbers-for-woocommerce-plugin-1-11-0-broken-access-control-vulnerability?_s_id=cve |
| Uncanny Owl--Uncanny Automator | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Uncanny Owl Uncanny Automator uncanny-automator allows Retrieve Embedded Sensitive Data. This issue affects Uncanny Automator: from n/a through < 6.10.0. | 2025-11-21 | not yet calculated | CVE-2025-66056 | https://vdp.patchstack.com/database/Wordpress/Plugin/uncanny-automator/vulnerability/wordpress-uncanny-automator-plugin-6-10-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| Unknown--attention-bar | The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high-privilege users such as administrators to perform SQL injection attacks. | 2025-11-20 | not yet calculated | CVE-2025-12502 | https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/ |
| Unknown--Mstoreapp Mobile App | The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users' identity when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address. | 2025-11-21 | not yet calculated | CVE-2025-11127 | https://wpscan.com/vulnerability/6432bd1a-6e44-4a3f-890b-df2bd877d626/ |
| Unknown--W3 Total Cache | The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post. | 2025-11-17 | not yet calculated | CVE-2025-9501 | https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/   |
| Unknown--WavePlayer | The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action and does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary files to the server, which can lead to RCE. | 2025-11-19 | not yet calculated | CVE-2025-12057 | https://wpscan.com/vulnerability/110db433-01ec-47ea-b74f-c3faa1757a3c/ |
| upKeeper Solutions--upKeeper Manager | Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials. This issue affects upKeeper Manager: from 5.2.0 before 5.2.12. | 2025-11-19 | not yet calculated | CVE-2025-11446 | https://support.upkeeper.se/hc/en-us/articles/23693858370076-CVE-2025-11446-Insertion-of-Sensitive-Information-into-Log-File |
| Vivotek--Affected device model numbers are FD7131-VVTK, FD7141-VVTK, IP7131-VVTK, IP7133-VVTK, IP7134-VVTK, IP7135-VVTK, IP7137-VVTK, IP7138-VVTK, IP7142-VVTK, IP7151-VVTK, IP7152-VVTK, IP7153-VVTK, IP7154-VVTK, IP7330-VVTK, IP8131-VVTK, IP8131W-VVTK, PT7135-VVTK, PT7137-TCON, PT7137-VVTK, PZ7131-VVTK, PZ71X1-VVTK, PZ71X2-VVTK, SD73X3-VVTK, TC5330-VVTK, TC5332-TCVV, TC5333-TCVV, TC5633-TCVV, TC5633-VVTK, VS7100-VVTK | Legacy Vivotek Device firmware uses default credentials for the root and user login accounts. | 2025-11-19 | not yet calculated | CVE-2025-12592 | https://www.akamai.com/blog/security-research/rce-zero-day-in-legacy-vivotek-firmware http://www.vapidlabs.com/advisory.php?v=219 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1. | 2025-11-21 | not yet calculated | CVE-2025-62372 | https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw https://github.com/vllm-project/vllm/pull/27204 https://github.com/vllm-project/vllm/pull/6613 https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b   |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in version 4.13.0. | 2025-11-21 | not yet calculated | CVE-2025-54866 | https://github.com/wazuh/wazuh/security/advisories/GHSA-mvfx-ph7m-qm37 https://github.com/wazuh/wazuh/pull/31187 https://github.com/wazuh/wazuh/commit/606f19e688944ebe5d28d72eb81ac36f8fffb143 https://github.com/wazuh/wazuh/releases/tag/v4.13.0   |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 3.7.0 to before 4.12.0, fim_alert() implementation does not check whether oldsum->md5 is NULL or not before dereferencing it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. This issue has been patched in version 4.12.0. | 2025-11-21 | not yet calculated | CVE-2025-64169 | https://github.com/wazuh/wazuh/security/advisories/GHSA-hc35-h924-8596   |
| wazuh--wazuh-dashboard-plugins | Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API - Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0. | 2025-11-21 | not yet calculated | CVE-2025-64483 | https://github.com/wazuh/wazuh-dashboard-plugins/security/advisories/GHSA-gwf3-8gm3-qrmj   |
| WBCE--WBCE_CMS | WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4. | 2025-11-19 | not yet calculated | CVE-2025-65094 | https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44 https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e   |
| WebToffee--Accessibility Toolkit by WebYes | Missing Authorization vulnerability in WebToffee Accessibility Toolkit by WebYes accessibility-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Toolkit by WebYes: from n/a through <= 2.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66112 | https://vdp.patchstack.com/database/Wordpress/Plugin/accessibility-plus/vulnerability/wordpress-accessibility-toolkit-by-webyes-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| WebToffee--Product Feed for WooCommerce | Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.1. | 2025-11-21 | not yet calculated | CVE-2025-66089 | https://vdp.patchstack.com/database/Wordpress/Plugin/webtoffee-product-feed/vulnerability/wordpress-product-feed-for-woocommerce-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve |
| withastro--astro | Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application's middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8. | 2025-11-19 | not yet calculated | CVE-2025-64765 | https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794 https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce   |
| wolfSSL--wolfSSL | Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. | 2025-11-21 | not yet calculated | CVE-2025-11933 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9132 |
| wolfSSL--wolfSSL | Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application. | 2025-11-21 | not yet calculated | CVE-2025-11931 | https://github.com/wolfSSL/wolfssl/pull/9223   |
| wolfSSL--wolfSSL | The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder. | 2025-11-21 | not yet calculated | CVE-2025-11932 | https://github.com/wolfSSL/wolfssl/pull/9223 |
| wolfSSL--wolfSSL | Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256. | 2025-11-21 | not yet calculated | CVE-2025-11934 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9113   |
| wolfSSL--wolfSSL | With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the client's side unexpectedly did not have PFS reduces the security of the connection. | 2025-11-21 | not yet calculated | CVE-2025-11935 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9112 |
| wolfSSL--wolfSSL | Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing. | 2025-11-21 | not yet calculated | CVE-2025-11936 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9117   |
| wolfSSL--wolfSSL | Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. | 2025-11-21 | not yet calculated | CVE-2025-12888 | https://github.com/wolfSSL/wolfssl/pull/9275 |
| wolfSSL--wolfSSL | With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. | 2025-11-21 | not yet calculated | CVE-2025-12889 | https://github.com/wolfSSL/wolfssl/pull/9395   |
| workos--authkit-nextjs | The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication. | 2025-11-21 | not yet calculated | CVE-2025-64762 | https://github.com/workos/authkit-nextjs/security/advisories/GHSA-p8pf-44ff-93gf https://github.com/workos/authkit-nextjs/commit/94cf438124993abb0e7c19dac64c3cb5724a15ea https://github.com/workos/authkit-nextjs/releases/tag/v2.11.1   |
| WP Legal Pages--WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3. | 2025-11-21 | not yet calculated | CVE-2025-66075 | https://vdp.patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability?_s_id=cve |
| wpWax--Legal Pages | Missing Authorization vulnerability in wpWax Legal Pages legal-pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Legal Pages: from n/a through <= 1.4.6. | 2025-11-21 | not yet calculated | CVE-2025-66077 | https://vdp.patchstack.com/database/Wordpress/Plugin/legal-pages/vulnerability/wordpress-legal-pages-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve |

Vulnerability Summary for the Week of November 10, 2025
Posted on Monday November 17, 2025

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| leopardhost--TNC Toolbox: Web Performance | The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment. | 2025-11-11 | 10 | CVE-2025-12539 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve https://github.com/The-Network-Crew/TNC-Toolbox-for-WordPress/commit/31bb3040b22c84e2d6dfd3210fe0ad045ff4ddf6 |
| IBM--AIX | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. This addresses additional attack vectors for a vulnerability that was previously addressed in CVE-2024-56346. | 2025-11-13 | 10 | CVE-2025-36250 | https://www.ibm.com/support/pages/node/7251173 |
| SAP_SE--SQL Anywhere Monitor (Non-Gui) | SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution. This could cause high impact on confidentiality, integrity and availability of the system. | 2025-11-11 | 10 | CVE-2025-42890 | https://me.sap.com/notes/3666261 https://url.sap/sapsecuritypatchday |
| General Industrial Controls--Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to remotely reset the device. | 2025-11-14 | 10 | CVE-2025-58083 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| kddiwebcommunications--WP for CPI | The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-11 | 9.8 | CVE-2025-11170 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve https://wordpress.org/plugins/cpi-wp-migration/ |
| easycommerce--EasyCommerce AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin | The EasyCommerce - AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.5.0. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site. | 2025-11-11 | 9.8 | CVE-2025-11457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7ebe84ba-abc1-410c-b315-118746ff235a?source=cve https://wordpress.org/plugins/easycommerce/ |
| TrioFox--TrioFox | Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. | 2025-11-10 | 9.1 | CVE-2025-12480 | https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md https://www.triofox.com/ https://access.triofox.com/releases_history/ https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480 |
| pgadmin.org--pgAdmin 4 | pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. | 2025-11-13 | 9.1 | CVE-2025-12762 | https://github.com/pgadmin-org/pgadmin4/issues/9320 |
| strix-bubol5--Holiday class post calendar | The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. | 2025-11-11 | 9.8 | CVE-2025-12813 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve https://plugins.trac.wordpress.org/browser/holiday-class-post-calendar/trunk/holiday_class_post_calendar.php#L1234 |
| Hundred Plus--EIP Plus | EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password. | 2025-11-10 | 9.8 | CVE-2025-12866 | https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html |
| CyberTutor--New Site Server | New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on the website. | 2025-11-10 | 9.8 | CVE-2025-12868 | https://www.twcert.org.tw/tw/cp-132-10493-bf807-1.html https://www.twcert.org.tw/en/cp-139-10492-84a10-2.html |
| aEnrich--a+HRD | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges. | 2025-11-12 | 9.8 | CVE-2025-12870 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| aEnrich--a+HRD | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges. | 2025-11-12 | 9.8 | CVE-2025-12871 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| Avast--(Free/Premium/Ultimate) Antivirus | Double fetch in sandbox kernel driver in Avast/AVG Antivirus <25.3 on Windows allows a local attacker to escalate privileges via pool overflow. | 2025-11-11 | 9.9 | CVE-2025-13032 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| D-Link--DIR-816L | A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta. Affected by this vulnerability is the function authenticationcgi_main of the file /authentication.cgi. Performing manipulation of the argument Password results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-14 | 9.8 | CVE-2025-13188 | VDB-332476 \| D-Link DIR-816L authentication.cgi authenticationcgi_main stack-based overflow VDB-332476 \| CTI Indicators (IOB, IOC, IOA) Submit #685538 \| D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(authentication.cgi).pdf https://www.dlink.com/ |
| IBM--AIX | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 stores NIM private keys used in NIM environments in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques. | 2025-11-13 | 9 | CVE-2025-36096 | https://www.ibm.com/support/pages/node/7251173 |
| IBM--AIX | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. This addresses additional attack vectors for a vulnerability that was previously addressed in CVE-2024-56347. | 2025-11-13 | 9.6 | CVE-2025-36251 | https://www.ibm.com/support/pages/node/7251173 |
| SAP_SE--SAP Solution Manager | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system. | 2025-11-11 | 9.9 | CVE-2025-42887 | https://me.sap.com/notes/3668705 https://url.sap/sapsecuritypatchday |
| Dell--Data Lakehouse | Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. This vulnerability is considered Critical, as it may result in unauthorized access with elevated privileges, compromising system integrity and customer data. Dell recommends customers upgrade to the latest version at the earliest opportunity. | 2025-11-12 | 9.1 | CVE-2025-46608 | https://www.dell.com/support/kbdoc/en-us/000390529/dsa-2025-375-security-update-for-dell-data-lakehouse-multiple-vulnerabilities |
| Microsoft--Microsoft Office LTSC for Mac 2021 | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. | 2025-11-11 | 9.8 | CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability |
| Fortinet--FortiWeb | A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. | 2025-11-14 | 9.1 | CVE-2025-64446 | https://fortiguard.fortinet.com/psirt/FG-IR-25-910 |
| charmbracelet--soft-serve | Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability. | 2025-11-10 | 9.1 | CVE-2025-64522 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-vwq2-jx9q-9h9f https://github.com/charmbracelet/soft-serve/commit/bb73b9a0eea0d902da4811420535842a4f9aae3b https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.1 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432, misconfiguration in the Junie could lead to exposure of the global Junie token. | 2025-11-10 | 9.6 | CVE-2025-64689 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| baptisteArno--typebot.io | Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue. | 2025-11-13 | 9.6 | CVE-2025-64709 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr |
| Zohocorp--ManageEngine Analytics Plus | Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration. | 2025-11-11 | 9.8 | CVE-2025-8324 | https://www.manageengine.com/analytics-plus/CVE-2025-8324.html |
| Siemens--Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to run arbitrary commands via the user interface. This user interface can be used via the network and allows the execution of commands as administrative application user. | 2025-11-11 | 8.8 | CVE-2024-32011 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Axis Communications AB--AXIS Optimizer | AXIS Optimizer was vulnerable to an unquoted search path vulnerability, which could potentially lead to privilege escalation within Microsoft Windows operating system. This vulnerability can only be exploited if the attacker has access to the local Windows machine and sufficient access rights (administrator) to write data into the installation path of AXIS Optimizer. | 2025-11-11 | 8.4 | CVE-2025-10714 | https://www.axis.com/dam/public/a2/c7/8c/cve-2025-10714pdf-en-US-504221.pdf |
| mvirik--Mementor Core | The Mementor Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.5. This is due to the plugin not properly handling the user switch back function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges by accessing an administrator account through the switch back functionality. | 2025-11-11 | 8.8 | CVE-2025-11168 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2460e7c4-76dc-4bc3-bc06-b52df64f5353?source=cve http://plugins.trac.wordpress.org/browser/mementor-core/trunk/inc/functions.php#L1033 https://wordpress.org/plugins/mementor-core/ |
| astrasecuritysuite--Astra Security Suite Firewall & Malware Scan | The Astra Security Suite - Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-11 | 8.1 | CVE-2025-11521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve https://wordpress.org/plugins/getastra/ |
| chrisbadgett--LifterLMS WP LMS for eLearning, Online Courses, & Quizzes | The LifterLMS - WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user's identity prior to allowing them to modify their own role via the REST API. The permission check in the update_item_permissions_check() function returns true when a user updates their own account without verifying the role changes. This makes it possible for authenticated attackers, with student-level access and above, to escalate their privileges to administrator by updating their own roles array via a crafted REST API request. Another endpoint intended for instructors also provides an attack vector. Affected version ranges are 3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, 9.1.0. | 2025-11-13 | 8.8 | CVE-2025-11923 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc13d13c-6b79-4bf1-8e77-c8cb836dc0c5?source=cve https://plugins.trac.wordpress.org/browser/lifterlms/trunk/libraries/lifterlms-rest/includes/server/class-llms-rest-students-controller.php#L386 https://plugins.trac.wordpress.org/browser/lifterlms/trunk/libraries/lifterlms-rest/includes/abstracts/class-llms-rest-users-controller.php#L721 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393703%40lifterlms%2Ftrunk&old=3388956%40lifterlms%2Ftrunk&sfp_email=&sfph_mail= |
| Premierturk Information Technologies Inc.--Excavation Management Information System | Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse. This issue affects Excavation Management Information System: before v.10.2025.01. | 2025-11-11 | 8.1 | CVE-2025-11959 | https://www.usom.gov.tr/bildirim/tr-25-0388 |
| n/a--cloudinary | Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response. | 2025-11-10 | 8.6 | CVE-2025-12613 | https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740 https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050 https://github.com/cloudinary/cloudinary_npm/pull/709 |
| koopersmith--Elastic Theme Editor | The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-11 | 8.8 | CVE-2025-12637 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e158a13d-5452-492a-875e-53791e1ff840?source=cve https://plugins.trac.wordpress.org/browser/elastic-theme-editor/trunk/editor/class-elastic-editor.php |
| wpallimport--Import any XML, CSV or Excel File to WordPress | The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution. | 2025-11-13 | 8.8 | CVE-2025-12733 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8475dd90-b47a-42b4-8e4e-44e8512e4fca?source=cve https://plugins.trac.wordpress.org/browser/wp-all-import/tags/3.9.6/helpers/functions.php#L79 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393968%40wp-all-import&new=3393968%40wp-all-import&sfp_email=&sfph_mail= |
| creativethemeshq--Blocksy Companion | The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-11 | 8.8 | CVE-2025-12846 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8615422-5db7-495d-9956-7d6f658f42bf?source=cve https://plugins.trac.wordpress.org/changeset/3391933/blocksy-companion/trunk/framework/features/svg.php |
| e-Excellence--U-Office Force | U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-11-10 | 8.8 | CVE-2025-12864 | https://www.twcert.org.tw/tw/cp-132-10488-2df22-1.html https://www.twcert.org.tw/en/cp-139-10489-a5a6d-2.html |
| e-Excellence--U-Office Force | U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-11-10 | 8.8 | CVE-2025-12865 | https://www.twcert.org.tw/tw/cp-132-10488-2df22-1.html https://www.twcert.org.tw/en/cp-139-10489-a5a6d-2.html |
| AWS--JDBC Wrapper | An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We recommend customers upgrade to the following versions: AWS JDBC Wrapper to v2.6.5, AWS Go Wrapper to 2025-10-17, AWS NodeJS Wrapper to v2.0.1, AWS Python Wrapper to v1.4.0 and AWS PGSQL ODBC driver to v1.0.1 | 2025-11-10 | 8 | CVE-2025-12967 | https://aws.amazon.com/security/security-bulletins/AWS-2025-028/ https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/2.6.5 https://github.com/aws/aws-advanced-go-wrapper/releases/tag/release-2025-10-17 https://github.com/aws/aws-advanced-python-wrapper/releases/tag/1.4.0 https://github.com/aws/aws-pgsql-odbc/releases/tag/1.0.1 https://github.com/aws/aws-advanced-nodejs-wrapper/releases/tag/2.0.1 https://github.com/aws/aws-advanced-python-wrapper/security/advisories/GHSA-4jvf-wx3f-2x8q https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-7xw4-g7mm-r4hh https://github.com/aws/aws-pgsql-odbc/security/advisories/GHSA-q327-fgm8-7mxf https://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-7wq2-32h4-9hc9 https://github.com/aws/aws-advanced-nodejs-wrapper/security/advisories/GHSA-8wj8-cfxr-9374 |
| D-Link--DIR-816L | A vulnerability has been found in D-Link DIR-816L 2_06_b09_beta. This affects the function genacgi_main of the file gena.cgi. The manipulation of the argument SERVER_ID/HTTP_SID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-15 | 8.8 | CVE-2025-13189 | VDB-332478 \| D-Link DIR-816L gena.cgi genacgi_main stack-based overflow VDB-332478 \| CTI Indicators (IOB, IOC, IOA) Submit #685540 \| D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(gena.cgi).pdf https://www.dlink.com/ |
| D-Link--DIR-816L | A vulnerability was found in D-Link DIR-816L 2_06_b09_beta. This vulnerability affects the function scandir_main of the file /portal/__ajax_exporer.sgi. The manipulation of the argument en results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-15 | 8.8 | CVE-2025-13190 | VDB-332479 \| D-Link DIR-816L __ajax_exporer.sgi scandir_main stack-based overflow VDB-332479 \| CTI Indicators (IOB, IOC, IOA) Submit #685541 \| D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(scandir.sgi).pdf https://www.dlink.com/ |
| D-Link--DIR-816L | A vulnerability was determined in D-Link DIR-816L 2_06_b09_beta. This issue affects the function soapcgi_main of the file /soap.cgi. This manipulation causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-15 | 8.8 | CVE-2025-13191 | VDB-332480 \| D-Link DIR-816L soap.cgi soapcgi_main stack-based overflow VDB-332480 \| CTI Indicators (IOB, IOC, IOA) Submit #685543 \| D-Link DIR-816L DIR816L_REVB_FW_2_06_b09_beta Stack-based Buffer Overflow https://github.com/scanleale/IOT_sec/blob/main/DIR-816L%20stack%20overflow(soap.cgi).pdf https://www.dlink.com/ |
| Cisco--Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to perform unauthorized modifications to the system, including creating new user accounts or elevating their own privileges on an affected system. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer. | 2025-11-13 | 8.8 | CVE-2025-20341 | cisco-sa-catc-priv-esc-VS8EeCuX |
| n/a--Intel(R) CIP software | Improper input validation for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via network access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.8 | CVE-2025-24299 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) CIP software | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.8 | CVE-2025-24838 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| Red Hat--Cluster Observability Operator 1.3.0 | A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues. | 2025-11-12 | 8.8 | CVE-2025-2843 | RHSA-2025:21146 https://access.redhat.com/security/cve/CVE-2025-2843 RHBZ#2355222 |
| n/a--Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 8.2 | CVE-2025-30255 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| Microsoft--Nuance PowerScribe 360 version 4.0.5 | Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. | 2025-11-11 | 8.1 | CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability |
| n/a--Intel(R) Arc(TM) B-series GPUs | Incorrect default permissions in some firmware for the Intel(R) Arc(TM) B-series GPUs within Ring 1: Device Drivers may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.2 | CVE-2025-32091 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01356.html |
| n/a--Intel QuickAssist Technology | Improper input validation for some Intel QuickAssist Technology before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 8.8 | CVE-2025-33000 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| NVIDIA--AuthN component of NVIDIA AIStore | NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering. | 2025-11-11 | 8.8 | CVE-2025-33186 | https://nvd.nist.gov/vuln/detail/CVE-2025-33186 https://www.cve.org/CVERecord?id=CVE-2025-33186 https://nvidia.custhelp.com/app/answers/detail/a_id/5724 |
| n/a--Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 8.2 | CVE-2025-35971 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| IBM--AIX | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request to write arbitrary files on the system. | 2025-11-13 | 8.2 | CVE-2025-36236 | https://www.ibm.com/support/pages/node/7251173 |
| Dell--SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | 2025-11-12 | 8.8 | CVE-2025-46427 | https://www.dell.com/support/kbdoc/en-us/000391062/dsa-2025-407-security-update-for-dell-networking-os10-vulnerabilities |
| Dell--SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution. | 2025-11-12 | 8.8 | CVE-2025-46428 | https://www.dell.com/support/kbdoc/en-us/000391062/dsa-2025-407-security-update-for-dell-networking-os10-vulnerabilities |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | 2025-11-10 | 8.8 | CVE-2025-47773 | https://github.com/Combodo/iTop/security/advisories/GHSA-9qmf-5457-9xp3 |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack. | 2025-11-10 | 8.8 | CVE-2025-47932 | https://github.com/Combodo/iTop/security/advisories/GHSA-rmxq-fx69-7wg5 |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0. | 2025-11-10 | 8.5 | CVE-2025-48055 | https://github.com/Combodo/iTop/security/advisories/GHSA-684h-f39j-5gq8 |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | 2025-11-10 | 8.8 | CVE-2025-48065 | https://github.com/Combodo/iTop/security/advisories/GHSA-292c-hgcf-2g22 |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature. | 2025-11-10 | 8.7 | CVE-2025-49145 | https://github.com/Combodo/iTop/security/advisories/GHSA-55q8-mfxr-pq4j |
| General Industrial Controls--Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may allow an attacker to execute a brute-force attack resulting in unauthorized access and login. | 2025-11-14 | 8.2 | CVE-2025-55034 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| Red Hat--Red Hat Enterprise Linux 10 | If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected. | 2025-11-12 | 8.6 | CVE-2025-59088 | RHSA-2025:21138 RHSA-2025:21139 RHSA-2025:21140 RHSA-2025:21141 RHSA-2025:21142 RHSA-2025:21448 https://access.redhat.com/security/cve/CVE-2025-59088 RHBZ#2393955 https://github.com/latchset/kdcproxy/pull/68 |
| Microsoft--Microsoft SQL Server 2017 (GDR) | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | 2025-11-11 | 8.8 | CVE-2025-59499 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| vega--vega | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window` and if they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). Patches are available in the following Vega applications. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties. | 2025-11-13 | 8.1 | CVE-2025-59840 | https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-11-11 | 8 | CVE-2025-60715 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2025-11-11 | 8 | CVE-2025-62204 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft--Dynamics 365 Field Service (online) | Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | 2025-11-11 | 8.7 | CVE-2025-62210 | Dynamics 365 Field Service (online) Spoofing Vulnerability |
| Microsoft--Dynamics 365 Field Service (online) | Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | 2025-11-11 | 8.7 | CVE-2025-62211 | Dynamics 365 Field Service (online) Spoofing Vulnerability |
| Microsoft--Windows Subsystem for Linux GUI | Heap-based buffer overflow in Windows Subsystem for Linux GUI allows an unauthorized attacker to execute code over a network. | 2025-11-11 | 8.8 | CVE-2025-62220 | Windows Subsystem for Linux GUI Remote Code Execution Vulnerability |
| Microsoft--Microsoft Visual Studio Code CoPilot Chat Extension | Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network. | 2025-11-11 | 8.8 | CVE-2025-62222 | Agentic AI and Visual Studio Code Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-11-11 | 8 | CVE-2025-62452 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Zoom Communications Inc.--Zoom Workplace | Inefficient regular expression complexity in certain Zoom Workplace Clients before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access. | 2025-11-13 | 8.1 | CVE-2025-62484 | https://www.zoom.com/en/trust/security-bulletin/zsb-25048 |
| evervault--evervault-go | Evervault is a payment security solution. A vulnerability was identified in the `evervault-go` SDK's attestation verification logic in versions of `evervault-go` prior to 1.3.2 that may allow incomplete documents to pass validation. This may cause the client to trust an enclave operator that does not meet expected integrity guarantees. The exploitability of this issue is limited in Evervault-hosted environments as an attacker would require the pre-requisite ability to serve requests from specific evervault domain names, following from our ACME challenge based TLS certificate acquisition pipeline. The vulnerability primarily affects applications which only check PCR8. Though the efficacy is also reduced for applications that check all PCR values, the impact is largely remediated by checking PCR 0, 1 and 2. The identified issue has been addressed in version 1.3.2 by validating attestation documents before storing in the cache, and replacing the naive equality checks with a new SatisfiedBy check. Those who use `evervault-go` to attest Enclaves that are hosted outside of Evervault environments and cannot upgrade have two possible workarounds available. Modify the application logic to fail verification if PCR8 is not explicitly present and non-empty and/or add custom pre-validation to reject documents that omit any required PCRs. | 2025-11-12 | 8.7 | CVE-2025-64186 | https://github.com/evervault/evervault-go/security/advisories/GHSA-88h9-77c7-p6w4 https://github.com/evervault/evervault-go/pull/48 https://github.com/evervault/evervault-go/commit/7c824d289bba11ec0bea46a338023f5b128bbb28 |
| Brightpick AI--Brightpick Mission Control / Internal Logic Control | Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthenticated URL can be discovered through basic network scanning techniques. | 2025-11-14 | 8.6 | CVE-2025-64309 | https://brightpick.ai/contact-us/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json |
| JetBrains--ReSharper | In JetBrains ReSharper before 2025.2.4, missing signature verification in DPA Collector allows local privilege escalation. | 2025-11-10 | 8.4 | CVE-2025-64456 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| oauth2-proxy--oauth2-proxy | OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications) are affected. Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy's filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rationale that requires keeping a similar looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way. | 2025-11-10 | 8.5 | CVE-2025-64484 | https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-vjrc-mh2v-45x6 https://datatracker.ietf.org/doc/html/rfc2616#section-4.2 https://datatracker.ietf.org/doc/html/rfc822#section-3.2 https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html https://www.uptimia.com/questions/why-are-http-headers-with-underscores-dropped-by-nginx |
| pdfminer--pdfminer.six | Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue. | 2025-11-10 | 8.6 | CVE-2025-64512 | https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086 https://github.com/pdfminer/pdfminer.six/releases/tag/20251107 |
| torrentpier--torrentpier | TorrentPier is an open source BitTorrent Public/Private tracker engine, written in PHP. In versions up to and including 2.8.8, an authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can exploit this vulnerability by supplying a malicious `topic_id` (`t`) parameter. This allows an authenticated moderator to execute arbitrary SQL queries, leading to the potential disclosure, modification, or deletion of any data in the database. Although it requires moderator privileges, it is still severe. A malicious or compromised moderator account can leverage this vulnerability to read, modify, or delete data. A patch is available at commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80. | 2025-11-10 | 8.8 | CVE-2025-64519 | https://github.com/torrentpier/torrentpier/security/advisories/GHSA-4rwr-8c3m-55f6 https://github.com/torrentpier/torrentpier/commit/6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432, missing TLS certificate validation enabled data disclosure. | 2025-11-10 | 8.1 | CVE-2025-64685 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Zoom Communications Inc.--Zoom Workplace for Android | Improper authorization handling in Zoom Workplace for Android before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access. | 2025-11-13 | 8.1 | CVE-2025-64741 | https://www.zoom.com/en/trust/security-bulletin/zsb-25043 |
| Fujitsu--fbiosdrv.sys | Fujitsu fbiosdrv.sys before 2.5.0.0 allows an attacker to potentially affect system confidentiality, integrity, and availability. | 2025-11-12 | 8.2 | CVE-2025-65001 | https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-FCCL-2025-072319-Security-Notice.pdf https://hexaplex.ai |
| Optimus Software--Brokerage Automation | Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information. This issue affects Brokerage Automation: before 1.1.71. | 2025-11-14 | 8.1 | CVE-2025-8855 | https://www.usom.gov.tr/bildirim/tr-25-0396 |
| Zohocorp--ManageEngine Applications Manager | Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection due to improper configuration in the execute program action feature. | 2025-11-11 | 8.8 | CVE-2025-9223 | https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9223.html |
| AVEVA--Edge | The vulnerability, if exploited, could allow a miscreant with read access to Edge Project files or Edge Offline Cache files to reverse engineer Edge users' app-native or Active Directory passwords through computational brute-forcing of weak hashes. | 2025-11-14 | 8.4 | CVE-2025-9317 | https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2025-006.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-03.json |
| zephyrproject-rtos--Zephyr | System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes. | 2025-11-11 | 8.2 | CVE-2025-9408 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3r6j-5mp3-75wr |
| Siemens--Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to an exposed debug interface on the localhost. This allows any local user to gain code execution as administrative application user. | 2025-11-11 | 7.8 | CVE-2024-32008 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Siemens--Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to wrongly set permissions to a binary which allows any local attacker to gain administrative privileges. | 2025-11-11 | 7.8 | CVE-2024-32009 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Siemens--Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to extraction of database credentials via a world-readable credential file. This allows an attacker to connect to the database as privileged application user and to run system commands via the database. | 2025-11-11 | 7.8 | CVE-2024-32010 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| ceph--ceph | Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument `x-amz-copy-source` to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no known patched versions exist. | 2025-11-12 | 7.5 | CVE-2024-47866 | https://github.com/ceph/ceph/security/advisories/GHSA-mgrm-g92q-f8h8 |
| Turkguven Software Technologies Inc.--Perfektive | Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass, Functionality Bypass. This issue affects Perfektive: before Version: 12574 Build: 2701. | 2025-11-11 | 7.3 | CVE-2025-10161 | https://www.usom.gov.tr/bildirim/tr-25-0387 |
| Lenovo--App Store | A potential vulnerability was reported in the Lenovo PC Manager, Lenovo App Store, Lenovo Browser, and Lenovo Legion Zone client applications that, under certain conditions, could allow an attacker on the same logical network to execute arbitrary code. | 2025-11-12 | 7.5 | CVE-2025-10495 | https://iknow.lenovo.com.cn/detail/434328 |
| Ivanti--Endpoint Manager | Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allow a local authenticated attacker to write arbitrary files anywhere on disk. | 2025-11-11 | 7.1 | CVE-2025-10918 | https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US |
| miunosoft--Auto Amazon Links Amazon Associates Affiliate Plugin | The Auto Amazon Links - Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' REST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-11-11 | 7.5 | CVE-2025-11451 | https://www.wordfence.com/threat-intel/vulnerabilities/id/568254a4-400d-45ea-8a96-1669b0694d70?source=cve https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/output/_abstract/AmazonAutoLinks_UnitOutput_Base.php https://plugins.trac.wordpress.org/browser/amazon-auto-links/trunk/include/core/component/unit/_common/option/template/AmazonAutoLinks_UnitOutput__TemplatePath.php |
| Autodesk--3ds Max | A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-11-12 | 7.8 | CVE-2025-11795 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0023 |
| Autodesk--3ds Max | A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-11-12 | 7.8 | CVE-2025-11797 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0023 |
| DivvyDrive Information Technologies Inc.--Digital Corporate Warehouse | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DivvyDrive Information Technologies Inc. Digital Corporate Warehouse allows Stored XSS. This issue affects Digital Corporate Warehouse: before v.4.8.2.22. | 2025-11-12 | 7.3 | CVE-2025-11962 | https://www.usom.gov.tr/bildirim/tr-25-0393 |
| yudiz--Easy Email Subscription | The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-12 | 7.2 | CVE-2025-11994 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5bb14c1-8713-4aa1-b50a-53bed07a5f80?source=cve https://plugins.svn.wordpress.org/email-subscription-with-secure-captcha/tags/1.3/subscriber-form.php https://plugins.svn.wordpress.org/email-subscription-with-secure-captcha/tags/1.3/simple-email-subscription.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388578%40email-subscription-with-secure-captcha&new=3388578%40email-subscription-with-secure-captcha&sfp_email=&sfph_mail= |
| Lenovo--Scanner Pro | An arbitrary file upload vulnerability was reported in the Lenovo Scanner Pro client during an internal security assessment that could allow remote code execution or unauthorized control of the affected system. | 2025-11-12 | 7.5 | CVE-2025-12048 | https://iknow.lenovo.com.cn/detail/434326 |
| ameliabooking--Booking for Appointments and Events Calendar Amelia | The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-16 | 7.5 | CVE-2025-12482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cacf2e32-12cf-41a9-a57f-1135c165494c?source=cve https://plugins.trac.wordpress.org/changeset/3390245/ameliabooking/tags/1.2.36/src/Infrastructure/Repository/Booking/Event/EventRepository.php |
| stellarwp--Booking Calendar \| Appointment Booking \| Bookit | The Booking Calendar \| Appointment Booking \| Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments. | 2025-11-12 | 7.5 | CVE-2025-12633 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2263d356-b2ed-4e16-98ee-b01d4274d1d9?source=cve https://plugins.trac.wordpress.org/changeset/3393159/bookit/tags/2.5.1/src/Bookit/Gateways/StripeConnect/REST/Return_Endpoint.php?old=3121677&old_path=bookit%2Ftags%2F2.5.0%2Fsrc%2FBookit%2FGateways%2FStripeConnect%2FREST%2FReturn_Endpoint.php |
| pgadmin.org--pgAdmin 4 | pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data, resulting in a denial of service (DoS). | 2025-11-13 | 7.5 | CVE-2025-12764 | https://github.com/pgadmin-org/pgadmin4/issues/9325 |
| pgadmin.org--pgAdmin 4 | pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification. | 2025-11-13 | 7.5 | CVE-2025-12765 | https://github.com/pgadmin-org/pgadmin4/issues/9324 |
| tigroumeow--AI Engine | The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the 'rest_simpleTranscribeAudio' and 'rest_simpleVisionQuery' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-11-13 | 7.1 | CVE-2025-12844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c39c1b72-e3e0-44fb-8fb8-602cb0aa61e3?source=cve https://github.com/jordymeow/ai-engine/blob/main/classes/modules/files.php#L237 https://github.com/jordymeow/ai-engine/blob/main/classes/api.php#L799 https://github.com/jordymeow/ai-engine/blob/main/classes/services/image.php#L43 https://github.com/jordymeow/ai-engine/blob/main/classes/engines/chatml.php#L960-L967 https://plugins.trac.wordpress.org/changeset/3392052/ |
| Hundred Plus--EIP Plus | EIP Plus developed by Hundred Plus has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-11-10 | 7.2 | CVE-2025-12867 | https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html |
| mrclayton--Payment Plugins Braintree For WooCommerce | The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions. | 2025-11-12 | 7.5 | CVE-2025-12903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89cd5429-39a0-441f-ba69-dea111eae5ed?source=cve https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L23 https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L35 https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L41 https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392259%40woo-payment-gateway&new=3392259%40woo-payment-gateway&sfp_email=&sfph_mail= |
| otacke--SNORDIAN's H5PxAPIkatchu | The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-14 | 7.2 | CVE-2025-12904 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90552d5a-6103-48c7-ad44-52ee8ecac114?source=cve https://plugins.trac.wordpress.org/changeset/3392176/h5pxapikatchu |
| rymcu--forest | A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2025-11-10 | 7.3 | CVE-2025-12925 | VDB-331645 \| rymcu forest UserDicController.java deleteDic authorization VDB-331645 \| CTI Indicators (IOB, IOC, IOA) Submit #681080 \| RYMCU forest V1.0 Missing Authentication https://github.com/rymcu/forest/issues/199 |
| code-projects--Online Job Search Engine | A vulnerability was detected in code-projects Online Job Search Engine 1.0. This affects an unknown function of the file /login.php. Performing manipulation of the argument username/phone results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-11-10 | 7.3 | CVE-2025-12928 | VDB-331648 \| code-projects Online Job Search Engine login.php sql injection VDB-331648 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #681740 \| code-projects Online Job Search Engine 1.0 SQL Injection https://github.com/lakshayyverma/CVE-Discovery/blob/main/Online%20Job%20Search%20Engine.md https://github.com/lakshayyverma/CVE-Discovery/blob/main/Online%20Job%20Search%20Engine.md#proof-of-concept-poc https://code-projects.org/ |
| SourceCodester--Survey Application System | A flaw has been found in SourceCodester Survey Application System 1.0. This impacts the function save_user/update_user of the file /LoginRegistration.php. Executing manipulation of the argument fullname can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. Other parameters might be affected as well. | 2025-11-10 | 7.3 | CVE-2025-12929 | VDB-331649 \| SourceCodester Survey Application System LoginRegistration.php update_user sql injection VDB-331649 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #681746 \| sourcecodester Survey Application System 1.0 SQL Injection https://github.com/lakshayyverma/CVE-Discovery/blob/main/Survey%20Application%20System.md https://www.sourcecodester.com/ |
| projectworlds--Online Admission System | A vulnerability was identified in projectworlds Online Admission System 1.0. Affected by this vulnerability is an unknown functionality of the file /process_login.php. The manipulation of the argument keywords leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-11-10 | 7.3 | CVE-2025-12938 | VDB-331662 \| projectworlds Online Admission System process_login.php sql injection VDB-331662 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682313 \| Projectworlds Online Attendance System V1.0 SQL Injection https://github.com/juzidddd/CVE/issues/1 |
| Red Hat--Red Hat Advanced Cluster Management for Kubernetes 2 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls. | 2025-11-14 | 7.5 | CVE-2025-13033 | https://access.redhat.com/security/cve/CVE-2025-13033 RHBZ#2402179 https://github.com/nodemailer/nodemailer https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626 https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87 |
| ViewLead Technology--Bacteriology Laboratory Reporting System | Bacteriology Laboratory Reporting System developed by ViewLead Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-12 | 7.5 | CVE-2025-13046 | https://www.twcert.org.tw/tw/cp-132-10498-61fa4-1.html https://www.twcert.org.tw/en/cp-139-10499-15678-2.html |
| ViewLead Technology--Bacteriology Laboratory Reporting System | Bacteriology Laboratory Reporting System developed by ViewLead Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-12 | 7.5 | CVE-2025-13047 | https://www.twcert.org.tw/tw/cp-132-10498-61fa4-1.html https://www.twcert.org.tw/en/cp-139-10499-15678-2.html |
| SourceCodester--Survey Application System | A security vulnerability has been detected in SourceCodester Survey Application System 1.0. This affects an unknown function of the file /view_survey.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-12 | 7.3 | CVE-2025-13060 | VDB-332187 \| SourceCodester Survey Application System view_survey.php sql injection VDB-332187 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682565 \| sourcecodester Survey Application System 1.0 SQL Injection https://github.com/lakshayyverma/CVE-Discovery/blob/main/Survey%20Application%20System%202%20.md https://www.sourcecodester.com/ |
| DinukaNavaratna--Dee Store | A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Multiple endpoints are affected. | 2025-11-12 | 7.3 | CVE-2025-13063 | VDB-332189 \| DinukaNavaratna Dee Store authorization VDB-332189 \| CTI Indicators (IOB, IOC) Submit #682708 \| DinukaNavaratna Dee_Store-Simple_Online_Shopping_Website 1.0 Missing Authorization https://github.com/DinukaNavaratna/Dee_Store-Simple_Online_Shopping_Website/issues/1 |
| cameasy--Liketea | A security vulnerability has been detected in cameasy Liketea 1.0.0. Impacted is the function list of the file laravel/app/Http/Controllers/Front/StoreController.php of the component API Endpoint. Such manipulation of the argument lng/lat leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2025-11-13 | 7.3 | CVE-2025-13121 | VDB-332349 \| cameasy Liketea API Endpoint StoreController.php list sql injection VDB-332349 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683659 \| liketea 1.0.0 SQL Injection https://github.com/ictrun/liketea-sql-injection/blob/main/README.md https://github.com/ictrun/liketea-sql-injection/blob/main/README.md#proof-of-concept |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was detected in SourceCodester Patients Waiting Area Queue Management System 1.0. The affected element is the function getPatientAppointment of the file /php/api_patient_checkin.php. Performing manipulation of the argument appointmentID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-11-13 | 7.3 | CVE-2025-13122 | VDB-332350 \| SourceCodester Patients Waiting Area Queue Management System api_patient_checkin.php getPatientAppointment sql injection VDB-332350 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683789 \| SourceCodester User-Management-PHP-MYSQL web v1 SQL Injection https://www.sourcecodester.com/ |
| n/a--Radarr | A vulnerability has been found in Radarr 5.28.0.10274. The affected element is an unknown function of the file C:\ProgramData\Radarr\bin\Radarr.Console.exe of the component Service. Such manipulation leads to incorrect default permissions. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 7.8 | CVE-2025-13130 | VDB-332361 \| Radarr Service Radarr.Console.exe default permission VDB-332361 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683876 \| Radarr 5.28.0.10274 Incorrect Default Permissions https://github.com/lakshayyverma/CVE-Discovery/blob/main/Radarr.md |
| n/a--Sonarr | A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\ProgramData\Sonarr\bin\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with local access. The vendor confirms this vulnerability but classifies it as a "low severity issue due to the default service user being used as it would either require someone to intentionally change the service to a highly privileged account or an attacker would need an admin level account". It is planned to fix this issue in the next major release v5. | 2025-11-13 | 7.8 | CVE-2025-13131 | VDB-332362 \| Sonarr Service Sonarr.Console.exe default permission VDB-332362 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683894 \| Sonarr 4.0.15.2940 Incorrect Default Permissions https://github.com/lakshayyverma/CVE-Discovery/blob/main/Sonarr.md |
| IQ Service International--IQ-Support | IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-11-14 | 7.5 | CVE-2025-13161 | https://www.twcert.org.tw/en/cp-139-10502-11c6d-2.html https://www.twcert.org.tw/tw/cp-132-10501-a25a6-1.html |
| code-projects--Simple Online Hotel Reservation System | A security vulnerability has been detected in code-projects Simple Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /add_query_reserve.php. Such manipulation of the argument room_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-14 | 7.3 | CVE-2025-13169 | VDB-332457 | code-projects Simple Online Hotel Reservation System add_query_reserve.php sql injection VDB-332457 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #684616 | code-projects Simple Online Hotel Reservation System 1.0 SQL Injection https://github.com/hanshi-798/CVE/blob/main/tmp72/report.md https://code-projects.org/ |
| code-projects--Simple Online Hotel Reservation System | A vulnerability was detected in code-projects Simple Online Hotel Reservation System 1.0. This issue affects some unknown processing of the file /admin/edit_account.php. Performing manipulation of the argument admin_id results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-11-14 | 7.3 | CVE-2025-13170 | VDB-332458 | code-projects Simple Online Hotel Reservation System edit_account.php sql injection VDB-332458 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #684617 | Code-projects SIMPLE ONLINE HOTEL RESERVATION SYSTEM 1.0 SQL Injection https://github.com/pfdlyy/CVE/issues/1 https://code-projects.org/ |
| code-projects--Simple Cafe Ordering System | A vulnerability was identified in code-projects Simple Cafe Ordering System 1.0. Affected by this issue is some unknown functionality of the file /login.php. Such manipulation of the argument Username leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2025-11-15 | 7.3 | CVE-2025-13201 | VDB-332499 | code-projects Simple Cafe Ordering System login.php sql injection VDB-332499 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #685619 | code-projects Simple Cafe Ordering System published October 30, 2025 SQL Injection https://github.com/shenxianyuguitian/cafeorder_vuln_SQL/blob/main/README.md https://code-projects.org/ |
| code-projects--Simple Cafe Ordering System | A weakness has been identified in code-projects Simple Cafe Ordering System 1.0. This vulnerability affects unknown code of the file /addmem.php. Executing manipulation of the argument studentnum can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-15 | 7.3 | CVE-2025-13203 | VDB-332501 | code-projects Simple Cafe Ordering System addmem.php sql injection VDB-332501 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #686708 | Code-Projects Simple Cafe Ordering System V1.0 SQL Injection https://github.com/JasonCyberYu/SimpleCafe/issues/1 https://code-projects.org/ |
| itsourcecode--Inventory Management System | A vulnerability has been found in itsourcecode Inventory Management System 1.0. The affected element is an unknown function of the file /index.php?q=single-item. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2025-11-16 | 7.3 | CVE-2025-13233 | VDB-332559 \| itsourcecode Inventory Management System index.php sql injection VDB-332559 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686683 \| itsourcecode Inventory Management System V1.0 sql https://github.com/3169417664/cve/issues/2 https://itsourcecode.com/ |
| itsourcecode--Inventory Management System | A vulnerability was determined in itsourcecode Inventory Management System 1.0. This affects an unknown function of the file /admin/login.php. Executing manipulation of the argument user_email can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-16 | 7.3 | CVE-2025-13235 | VDB-332561 \| itsourcecode Inventory Management System login.php sql injection VDB-332561 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686701 \| itsourcecode Inventory Management System v1.0 SQL Injection https://github.com/52914/cve/issues/1 https://itsourcecode.com/ |
| itsourcecode--Inventory Management System | A security flaw has been discovered in itsourcecode Inventory Management System 1.0. Affected is an unknown function of the file /LogSignModal.PHP. The manipulation of the argument U_USERNAME results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-11-16 | 7.3 | CVE-2025-13237 | VDB-332563 \| itsourcecode Inventory Management System LogSignModal.PHP sql injection VDB-332563 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686734 \| itsourcecode Inventory Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/57 https://itsourcecode.com/ |
| code-projects--Student Information System | A vulnerability was detected in code-projects Student Information System 2.0. This affects an unknown part of the file /searchquery.php. Performing manipulation of the argument s results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-11-16 | 7.3 | CVE-2025-13240 | VDB-332566 \| code-projects Student Information System searchquery.php sql injection VDB-332566 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687522 \| code-projects Student Information System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL12.md https://code-projects.org/ |
| code-projects--Student Information System | A flaw has been found in code-projects Student Information System 2.0. This vulnerability affects unknown code of the file /index.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-11-16 | 7.3 | CVE-2025-13241 | VDB-332567 \| code-projects Student Information System index.php sql injection VDB-332567 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687526 \| code-projects Student Information System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL13.md https://code-projects.org/ |
| code-projects--Student Information System | A vulnerability has been found in code-projects Student Information System 2.0. This issue affects some unknown processing of the file /register.php. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-11-16 | 7.3 | CVE-2025-13242 | VDB-332568 \| code-projects Student Information System register.php sql injection VDB-332568 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687527 \| code-projects Student Information System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL14.md https://code-projects.org/ |
| PHPGurukul--Tourism Management System | A security flaw has been discovered in PHPGurukul Tourism Management System 1.0. The affected element is an unknown function of the file /admin/user-bookings.php. The manipulation of the argument uid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-11-16 | 7.3 | CVE-2025-13247 | VDB-332581 \| PHPGurukul Tourism Management System user-bookings.php sql injection VDB-332581 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687578 \| PHPGurukul Tourism Management System in PHP with Source code V1.0 SQL Injection https://github.com/L-Bitter/CVE/issues/3 https://phpgurukul.com/ |
| SourceCodester--Patients Waiting Area Queue Management System | A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is an unknown function of the file /php/api_patient_schedule.php. This manipulation of the argument appointmentID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-16 | 7.3 | CVE-2025-13248 | VDB-332582 \| SourceCodester Patients Waiting Area Queue Management System api_patient_schedule.php sql injection VDB-332582 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687580 \| SourceCodester Patients Waiting Area Queue Management System 1.0 SQL Injection https://github.com/2H-K/mycve/issues/2 https://www.sourcecodester.com/ |
| shsuishang--ShopSuite ModulithShop | A vulnerability was found in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Affected by this issue is some unknown functionality of the component RSA/OAuth2/Database. The manipulation results in hard-coded credentials. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. | 2025-11-16 | 7.3 | CVE-2025-13252 | VDB-332587 \| shsuishang ShopSuite ModulithShop RSA/OAuth2/Database hard-coded credentials VDB-332587 \| CTI Indicators (IOB, IOC, TTP) Submit #687685 \| shsuishang modulithshop v1.0.0 Hardcoded Secrets and Credentials https://github.com/shsuishang/modulithshop/issues/2 https://github.com/shsuishang/modulithshop/issues/2#issue-3580272472 |
| n/a--Intel(R) Processor Identification Utility | Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 7.8 | CVE-2025-20010 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-11 | 7.8 | CVE-2025-23357 | https://nvd.nist.gov/vuln/detail/CVE-2025-23357 https://www.cve.org/CVERecord?id=CVE-2025-23357 https://nvidia.custhelp.com/app/answers/detail/a_id/5712 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in a script, where malicious input created by an attacker may cause improper control of code generation. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-11 | 7.8 | CVE-2025-23361 | https://nvd.nist.gov/vuln/detail/CVE-2025-23361 https://www.cve.org/CVERecord?id=CVE-2025-23361 https://nvidia.custhelp.com/app/answers/detail/a_id/5718 |
| n/a--Intel(R) QAT Windows software | Out-of-bounds write for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 7.8 | CVE-2025-27713 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a--Intel UEFI reference platforms | Active debug code for some Intel UEFI reference platforms within Ring 0: Kernel may allow a denial of service and escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable data alteration. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (high) and availability (high) impacts. | 2025-11-11 | 7.9 | CVE-2025-30185 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01378.html |
| n/a--Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 7.4 | CVE-2025-33029 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the bert services component where malicious data created by an attacker may cause a code injection. A successful exploit of this vulnerability may lead to Code execution, Escalation of privileges, Information disclosure, and Data tampering. | 2025-11-11 | 7.8 | CVE-2025-33178 | https://nvd.nist.gov/vuln/detail/CVE-2025-33178 https://www.cve.org/CVERecord?id=CVE-2025-33178 https://nvidia.custhelp.com/app/answers/detail/a_id/5718 |
| n/a--Intel(R) PROSet/Wireless WiFi Software for Windows | Insufficient control flow management for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 7.4 | CVE-2025-35963 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| n/a--Intel(R) PROSet/Wireless WiFi Software for Windows | Out-of-bounds read for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2025-11-11 | 7.4 | CVE-2025-35967 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| Siemens--Solid Edge SE2025 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 11). Affected applications do not properly validate client certificates to connect to License Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks. | 2025-11-11 | 7.5 | CVE-2025-40744 | https://cert-portal.siemens.com/productcert/html/ssa-522291.html |
| Siemens--Altair Grid Engine | A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). Affected products do not properly validate environment variables when loading shared libraries, allowing path hijacking through malicious library substitution. This could allow a local attacker to execute arbitrary code with superuser privileges by manipulating the environment variable and placing a malicious library in the controlled path. | 2025-11-11 | 7.8 | CVE-2025-40763 | https://cert-portal.siemens.com/productcert/html/ssa-514895.html |
| Siemens--LOGO! 12/24RCE | A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not properly validate the structure of TCP packets in several methods. This could allow an attacker to cause buffer overflows, get control over the instruction counter and run custom code. | 2025-11-11 | 7.2 | CVE-2025-40815 | https://cert-portal.siemens.com/productcert/html/ssa-267056.html |
| Siemens--LOGO! 12/24RCE | A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not conduct certain validations when interacting with them. This could allow an unauthenticated remote attacker to manipulate the device's IP address, which means the device would not be reachable. | 2025-11-11 | 7.6 | CVE-2025-40816 | https://cert-portal.siemens.com/productcert/html/ssa-267056.html |
| Siemens--Siemens Software Center | A vulnerability has been identified in Siemens Software Center (All versions < V3.5), Solid Edge SE2025 (All versions < V225.0 Update 10). The affected application is vulnerable to DLL hijacking. This could allow an attacker to execute arbitrary code via placing a crafted DLL file on the system. | 2025-11-11 | 7.8 | CVE-2025-40827 | https://cert-portal.siemens.com/productcert/html/ssa-365596.html |
| Jumo--variTRON300 | A vulnerability was identified in the password generation algorithm when accessing the debug-interface. An unauthenticated local attacker with knowledge of the password generation timeframe might be able to brute force the password in a timely manner and thus gain root access to the device if the debug interface is still enabled. | 2025-11-10 | 7.4 | CVE-2025-41731 | https://jumo.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-086.json |
| SAP_SE--SAP CommonCryptoLib | SAP CommonCryptoLib does not perform necessary boundary checks during pre-authentication parsing of manipulated ASN.1 data over the network. This may result in memory corruption followed by an application crash, hence leading to a high impact on availability. There is no impact on confidentiality or integrity. | 2025-11-11 | 7.5 | CVE-2025-42940 | https://me.sap.com/notes/3633049 https://url.sap/sapsecuritypatchday |
| Dell--Alienware Command Center | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain a Detection of Error Condition Without Action vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary Code Execution. | 2025-11-13 | 7.8 | CVE-2025-46367 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Dell--Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation. | 2025-11-13 | 7.8 | CVE-2025-46369 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Dell--Display and Peripheral Manager | Dell Display and Peripheral Manager, versions prior to 2.1.2.12, contains an Execution with Unnecessary Privileges vulnerability in the Installer. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2025-11-10 | 7.3 | CVE-2025-46430 | https://www.dell.com/support/kbdoc/en-us/000384546/dsa-2025-411 |
| Microsoft--Azure Monitor | Heap-based buffer overflow in Azure Monitor Agent allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.3 | CVE-2025-59504 | Azure Monitor Agent Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59505 | Windows Smart Card Reader Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59506 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59507 | Windows Speech Runtime Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59508 | Windows Speech Recognition Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows WLAN Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59511 | Windows WLAN Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59512 | Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper privilege management in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-59514 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-59515 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability |
| General Industrial Controls--Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information. | 2025-11-14 | 7.5 | CVE-2025-59780 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| Microsoft--Windows 10 Version 1809 | Untrusted pointer dereference in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60703 | Windows Remote Desktop Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network. | 2025-11-11 | 7.5 | CVE-2025-60704 | Windows Kerberos Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60705 | Windows Client-Side Caching Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Multimedia Class Scheduler Service (MMCSS) allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60707 | Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Out-of-bounds read in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60709 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60710 | Host Process for Windows Tasks Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2019 | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60713 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows OLE allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-60714 | Windows OLE Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-60717 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 24H2 | Untrusted search path in Windows Administrator Protection allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60718 | Windows Administrator Protection Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Untrusted pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-60719 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Windows TDX.sys allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60720 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Privilege context switching error in Windows Administrator Protection allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7.8 | CVE-2025-60721 | Windows Administrator Protection Elevation of Privilege Vulnerability |
| Microsoft--Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | 2025-11-11 | 7.1 | CVE-2025-60726 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft--Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-60727 | Microsoft Excel Remote Code Execution Vulnerability |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61814 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61815 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe--InCopy | InCopy versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61816 | https://helpx.adobe.com/security/products/incopy/apsb25-107.html |
| Adobe--InCopy | InCopy versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61817 | https://helpx.adobe.com/security/products/incopy/apsb25-107.html |
| Adobe--InCopy | InCopy versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61818 | https://helpx.adobe.com/security/products/incopy/apsb25-107.html |
| Adobe--Photoshop Desktop | Photoshop Desktop versions 26.8.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61819 | https://helpx.adobe.com/security/products/photoshop/apsb25-108.html |
| Adobe--Illustrator | Illustrator versions 28.7.10, 29.8.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61820 | https://helpx.adobe.com/security/products/illustrator/apsb25-109.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61824 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe--Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61826 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe--Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61827 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe--Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61828 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe--Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61829 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe--Adobe Pass | Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK. | 2025-11-11 | 7.1 | CVE-2025-61830 | https://helpx.adobe.com/security/products/pass/apsb25-112.html |
| Adobe--Illustrator | Illustrator versions 28.7.10, 29.8.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61831 | https://helpx.adobe.com/security/products/illustrator/apsb25-109.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61832 | https://helpx.adobe.com/security/products/indesign/apsb25-106.html |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.5 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61833 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61834 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61835 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| Adobe--Illustrator on iPad | Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61836 | https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-111.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61837 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61838 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-61839 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Microsoft--Microsoft Office 2016 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62200 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62201 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | 2025-11-11 | 7.1 | CVE-2025-62202 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft--Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62203 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62205 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62213 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-11-11 | 7.8 | CVE-2025-62216 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62217 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62218 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Double free in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 7 | CVE-2025-62219 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability |
| General Industrial Controls--Lynx+ Gateway | General Industrial Controls Lynx+ Gateway is vulnerable to a cleartext transmission vulnerability that could allow an attacker to observe network traffic to obtain sensitive information, including plaintext credentials. | 2025-11-14 | 7.5 | CVE-2025-62765 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-08.json |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead. | 2025-11-10 | 7.1 | CVE-2025-64167 | https://github.com/Combodo/iTop/security/advisories/GHSA-pr7w-2cr9-5h38 |
| Golemiq--0 Day Analytics | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Golemiq 0 Day Analytics allows SQL Injection. This issue affects 0 Day Analytics: from n/a through 4.0.0. | 2025-11-12 | 7.6 | CVE-2025-64293 | https://vdp.patchstack.com/database/wordpress/plugin/0-day-analytics/vulnerability/wordpress-0-day-analytics-plugin-4-0-0-sql-injection-vulnerability?_s_id=cve |
| Brightpick AI--Brightpick Mission Control / Internal Logic Control | The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle. | 2025-11-14 | 7.5 | CVE-2025-64308 | https://brightpick.ai/contact-us/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json |
| symfony--symfony | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`. | 2025-11-12 | 7.3 | CVE-2025-64500 | https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass |
| etaminstudio--prosemirror_to_html | ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1. | 2025-11-10 | 7.6 | CVE-2025-64501 | https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 |
| bugsink--bugsink | Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of Service. This can be done if the `DSN` is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink version `2.0.5`. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-rrx3-2x4g-mq2h/CVE-2025-64509. | 2025-11-10 | 7.5 | CVE-2025-64508 | https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v https://github.com/google/brotli/issues/1327 https://github.com/google/brotli/issues/1375 https://github.com/bugsink/bugsink/pull/266 https://github.com/google/brotli/pull/1234 https://github.com/bugsink/bugsink/commit/3f65544aab3ad5303d97009136640de97b0676a5 https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627 https://github.com/google/brotli/releases/tag/v1.2.0 |
| bugsink--bugsink | Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink 2.0.6. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-fc2v-vcwj-269v/CVE-2025-64508. | 2025-11-10 | 7.5 | CVE-2025-64509 | https://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can access internal network services such as databases through Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue. | 2025-11-13 | 7.4 | CVE-2025-64511 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-9287-g7px-9rp4 |
| CycloneDX--cyclonedx-core-java | The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format. | 2025-11-10 | 7.5 | CVE-2025-64518 | https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r https://github.com/CycloneDX/cyclonedx-core-java/pull/737 https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9 https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314 https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory |
| apollographql--federation | Apollo Federation is an architecture for declaratively composing APIs into a unified graph. A vulnerability in versions of Apollo Federation's composition logic prior to 2.9.5, 2.10.4, 2.11.5, and 2.12.1 allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline fragments, for example. A fix to versions 2.9.5, 2.10.4, 2.11.5, and 2.12.1 of composition logic in Federation now disallows interface types and fields from containing user-defined access control directives. Some workarounds are available. Users who run Apollo Rover with an unpatched composition version, or who use the Apollo Studio build pipeline with Federation version 2.8 or below, should manually copy the access control requirements on interface types/fields to each implementing object type/field where appropriate. Do not remove those access control requirements from the interface types/fields, as unpatched Apollo Composition will not automatically generate them in the supergraph schema. Customers not using Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy` directives) or not specifying access control requirements on interface types/fields are not affected and do not need to take action. | 2025-11-13 | 7.5 | CVE-2025-64530 | https://github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 7.8 | CVE-2025-64531 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432, missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget. | 2025-11-10 | 7.4 | CVE-2025-64688 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Zoom Communications Inc.--Zoom Workplace VDI Client | Improper verification of cryptographic signature in the installer for Zoom Workplace VDI Client for Windows may allow an authenticated user to conduct an escalation of privilege via local access. | 2025-11-13 | 7.5 | CVE-2025-64740 | https://www.zoom.com/en/trust/security-bulletin/ZSB-25042 |
| Fujitsu / Fsas Technologies--iRMC | Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters. | 2025-11-12 | 7.5 | CVE-2025-65002 | https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-ISS-2025-082610-Security-Notice.pdf |
| Zohocorp--ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to stored XSS in the Mails Deleted or Moved report. | 2025-11-11 | 7.3 | CVE-2025-7429 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7429.html |
| Zohocorp--ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to stored XSS in the Folder Message Count and Size report. | 2025-11-11 | 7.3 | CVE-2025-7430 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7430.html |
| Zohocorp--ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to stored XSS in the Public Folders report. | 2025-11-11 | 7.3 | CVE-2025-7632 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7632.html |
| Zohocorp--ManageEngine Exchange Reporter Plus | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to stored XSS in the Custom report. | 2025-11-11 | 7.3 | CVE-2025-7633 | https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7633.html |
| Lenovo--App Store | An improper permissions vulnerability was reported in Lenovo App Store that could allow a local authenticated user to execute code with elevated privileges during installation of an application. | 2025-11-12 | 7.3 | CVE-2025-8485 | https://iknow.lenovo.com.cn/detail/434329 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Dell--SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Control of Generation of Code ('Code Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to code execution. | 2025-11-12 | 6.7 | CVE-2024-48829 | https://www.dell.com/support/kbdoc/en-us/000391062/dsa-2025-407-security-update-for-dell-networking-os10-vulnerabilities |
| kayapati--Angel Fashion Model Agency WordPress CMS Theme | The Angel - Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires that the user has access to the edit profile form with the media upload option. | 2025-11-13 | 6.4 | CVE-2025-10295 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab747c34-219d-40c8-a73d-5b0dffba003b?source=cve https://themeforest.net/item/angel-fashion-model-agency-wordpress-cms-theme/4251413 |
| mheob--Include Fussball.de Widgets | The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11129 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a3df32-aa07-4cc0-97ba-bb4ab64ba6b9?source=cve https://plugins.trac.wordpress.org/browser/include-fussball-de-widgets/trunk/Frontend/Fubade.php#L231 https://plugins.trac.wordpress.org/browser/include-fussball-de-widgets/trunk/Frontend/Fubade.php#L232 |
| giuse--Specific Content For Mobile Customize the mobile version without redirections | The Specific Content For Mobile - Customize the mobile version without redirections plugin for WordPress is vulnerable to SQL Injection via the eos_scfm_duplicate_post_as_draft() function in all versions up to, and including, 0.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-12 | 6.5 | CVE-2025-11454 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed99dfd-6ca6-41e7-a844-d53eec7068c1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387807%40specific-content-for-mobile&new=3387807%40specific-content-for-mobile&sfp_email=&sfph_mail= |
| Red Hat--Red Hat build of Keycloak 26.4 | A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine. | 2025-11-13 | 6.8 | CVE-2025-11538 | RHSA-2025:21370 RHSA-2025:21371 https://access.redhat.com/security/cve/CVE-2025-11538 RHBZ#2402622 |
| aumsrini--WordPress Content Flipper | The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-13 | 6.4 | CVE-2025-11769 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d591a6-4bbe-435b-aef6-ed176c42dca2?source=cve https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L144 https://plugins.trac.wordpress.org/browser/wp-flipper/tags/0.1/wp-flipper.php#L258 |
| doytch--Skip to Timestamp | The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skipto' shortcode in all versions up to, and including, 1.4.4. This is due to insufficient input sanitization and output escaping on the 'time' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11805 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48e62d66-d058-419c-93cf-0cb890177751?source=cve https://wordpress.org/plugins/skip-to-timestamp/ https://plugins.trac.wordpress.org/browser/skip-to-timestamp/tags/1.4.4/skiptotimestamp.php#L74 |
| elvismdev--Woocommerce Products By Custom Tax | The Woocommerce - Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woo_products_custom_tax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11821 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbc26607-a588-4059-9a37-afede7c9e3f6?source=cve https://wordpress.org/plugins/woocommerce-products-by-custom-tax/ https://plugins.trac.wordpress.org/browser/woocommerce-products-by-custom-tax/tags/2.2/public/class-woocommerce-products-by-custom-tax-public.php#L90 |
| virtus-designs--WP Bootstrap Tabs | The WP Bootstrap Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bootstrap_tab' shortcode in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11822 | https://www.wordfence.com/threat-intel/vulnerabilities/id/173305ee-9c89-4192-8ccf-227947b142d1?source=cve https://wordpress.org/plugins/wp-bootstrap-tabs/ https://plugins.trac.wordpress.org/browser/wp-bootstrap-tabs/tags/1.0.4/wp-bootstrap-tabs.php#L120 |
| pubudu-malalasekara--Magazine Companion | The Magazine Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headerHtmlTag' attribute in the bnm-blocks/featured-posts-1 block in all versions up to, and including, 1.2.3. This is due to insufficient input sanitization and output escaping when using user-supplied values as HTML tag names. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11828 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8fa2e98b-5054-46fd-b22e-eac59b581a3c?source=cve https://wordpress.org/plugins/bnm-blocks https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.2.3/src/blocks/posts/featured-posts-1/view.php#L34 |
| five9--Five9 Live Chat | The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'toolbar' attribute of the [five9-chat] shortcode in all versions up to, and including, 1.1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11829 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28548108-a004-4aeb-a0ad-269a73a71331?source=cve https://plugins.trac.wordpress.org/browser/five9/tags/1.1.2/includes/class-widget.php#L151 |
| eventbee--Eventbee Ticketing Widget | The Eventbee Ticketing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eventbeeticketwidget' shortcode in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input and output of several parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11856 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7c439193-cc7d-4e40-8585-87cb2c40fe9b?source=cve https://plugins.trac.wordpress.org/browser/eventbee-ticketing-widget/tags/1.0/ticket-widget.php#L23 |
| coenjacobs--Paypal Donation Shortcode | The Paypal Donation Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in all versions up to, and including, 0.1. This is due to the plugin not properly sanitizing user input and output of the 'title' and 'text' parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11859 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b66ab7c4-7963-424f-afec-0e52b987c6b3?source=cve https://plugins.trac.wordpress.org/browser/paypal-donation-shortcode/tags/0.1/paypal-donation-shortcode.php#L23 |
| caselock--Twitter Feed | The Twitter Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ottwitter_feed' shortcode in all versions up to, and including, 1.3.1. This is due to the plugin not properly sanitizing user input and output of the 'width' and 'height' parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11860 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ce182e57-a9d4-4c4b-b124-e6626ccdd712?source=cve https://plugins.trac.wordpress.org/browser/ot-twitter-feed/trunk/ottwitterfeed-shortcode.php#L27 |
| mindstien--My Geo Posts Free | The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mygeo_city' shortcode in all versions up to, and including, 1.2. This is due to the plugin not properly sanitizing user input or escaping output of the 'default' shortcode attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11863 | https://www.wordfence.com/threat-intel/vulnerabilities/id/374a26dd-dd62-4583-8aff-90e5ae6b7468?source=cve https://plugins.trac.wordpress.org/browser/my-geo-posts-free/tags/1.2/inc/shortcodes.php#L22 |
| simonpedge--Precise Columns | The Precise Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wrap_id` shortcode attribute in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input or escaping output when inserting the wrapper ID into the generated HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11869 | https://www.wordfence.com/threat-intel/vulnerabilities/id/909afec0-7ff5-430d-814d-d75fcfcd6232?source=cve https://plugins.trac.wordpress.org/browser/precise-columns/tags/1.0/precise-columns.php#L522 |
| eflyjason--WP BBCode | The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11873 | https://www.wordfence.com/threat-intel/vulnerabilities/id/23623d4c-5859-48f8-b28d-3e3f15bade7d?source=cve https://plugins.trac.wordpress.org/browser/wp-bbcode/tags/1.8.1/wp-bbcode.php#L162 |
| ethoseo--Simple Donate | The Simple Donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's simpledonate shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-11882 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d661c24e-48f3-4b97-aa34-e46bd3907546?source=cve https://plugins.trac.wordpress.org/browser/simple-donate/tags/1.0/index.php#L237 |
| Aryom Software High Technology Systems Inc.--KVKNET | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aryom Software High Technology Systems Inc. KVKNET allows Reflected XSS. This issue affects KVKNET: before 2.1.8. | 2025-11-11 | 6.1 | CVE-2025-11960 | https://www.usom.gov.tr/bildirim/tr-25-0386 |
| wpkube--Authors List | The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via an arbitrary method call from the Authors_List_Shortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to call methods such as get_meta to extract sensitive user data including password hashes, email addresses, usernames, and activation keys via specially crafted shortcode attributes. | 2025-11-11 | 6.5 | CVE-2025-12010 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5189c1c0-2d4c-47f5-b8d9-3192a670e586?source=cve https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.6.1/includes/class-authors-list-shortcode.php#L868 https://plugins.trac.wordpress.org/browser/authors-list/tags/2.0.6.1/includes/class-authors-list-shortcode.php#L852 |
| hectavex--WP-OAuth | The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'error_description' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-11 | 6.1 | CVE-2025-12021 | https://www.wordfence.com/threat-intel/vulnerabilities/id/72702870-8a1a-446b-8f9f-bd435e9257f2?source=cve https://plugins.trac.wordpress.org/browser/wp-oauth/tags/0.4.1/login-google.php#L42 https://plugins.trac.wordpress.org/browser/wp-oauth/tags/0.4.1/wp-oauth.php#L430 https://plugins.trac.wordpress.org/browser/wp-oauth/tags/0.4.1/wp-oauth.php#L545 |
| supsysticcom--Data Tables Generator by Supsystic | The Data Tables Generator by Supsystic plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cleanCache() function in all versions up to, and including, 1.10.45. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-11-13 | 6.5 | CVE-2025-12089 | https://www.wordfence.com/threat-intel/vulnerabilities/id/15e671e5-a9a6-4439-93cc-8d46fe0cde16?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394112%40data-tables-generator-by-supsystic&new=3394112%40data-tables-generator-by-supsystic&sfp_email=&sfph_mail= |
| baronen--WP-Walla | The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-11 | 6.1 | CVE-2025-12589 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5ed9f7a1-54ef-4f88-b89c-756b8b646254?source=cve https://plugins.trac.wordpress.org/browser/wp-walla/tags/0.5.3.5/wpwalla_admin.php#L2 https://plugins.trac.wordpress.org/browser/wp-walla/tags/0.5.3.5/wpwalla_admin.php#L83 https://developer.wordpress.org/plugins/security/nonces/ https://developer.wordpress.org/reference/functions/esc_attr/ |
| andreaferracani--YSlider | The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses an injected page. | 2025-11-11 | 6.1 | CVE-2025-12590 | https://www.wordfence.com/threat-intel/vulnerabilities/id/79f03bfe-dd7e-47e7-9e6f-4539d26cc101?source=cve https://plugins.trac.wordpress.org/browser/yslider/tags/1.1/content-config.php#L2 https://plugins.trac.wordpress.org/browser/yslider/tags/1.1/content-config.php#L48 |
| wpcox--Nonaki Drag and Drop Email Template builder and Newsletter plugin for WordPress | The Nonaki - Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nonaki' shortcode in all versions up to, and including, 1.0.11. This is due to insufficient input sanitization and output escaping on user supplied custom field values that are retrieved and rendered by the shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12644 | https://www.wordfence.com/threat-intel/vulnerabilities/id/467261ba-f41f-4e94-8941-e5b3d8392fdb?source=cve https://plugins.trac.wordpress.org/browser/nonaki-email-template-customizer/tags/1.0.11/includes/shortcode.php#L21 https://plugins.trac.wordpress.org/browser/nonaki-email-template-customizer/tags/1.0.11/includes/helper.php#L108 |
| eggemplo--Live Photos on WordPress | The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12651 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fba3090f-2cc2-4e40-8080-ae83ba321a67?source=cve https://plugins.trac.wordpress.org/browser/live-photos/tags/0.1/core/class-livephotos-shortcodes.php#L42 |
| oscaruribe--Ungapped Widgets | The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/25d0921b-39b1-4abb-9197-952fc55f80e6?source=cve https://plugins.trac.wordpress.org/browser/ungapped-widgets/tags/1/ungapped-widgets-plugin.php#L38 |
| mmdeveloper--Preload Current Images | The Preload Current Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'complete' parameter in the 'preload_progress_bar' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12658 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b9909373-48d7-425b-a20b-bb8bf2a80e9b?source=cve https://wordpress.org/plugins/preload-current-images/ https://plugins.trac.wordpress.org/browser/preload-current-images/tags/1.3/preload-current-images.php#L31 |
| andrico--Coon Google Maps | The Coon Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'map' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12662 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0d0eaa0-ad8f-418c-bb61-eb209ba0249b?source=cve https://wordpress.org/plugins/coon-google-maps/ https://plugins.trac.wordpress.org/browser/coon-google-maps/tags/1.0/coon-google-maps.php#L71 |
| jahed--Jeba Cute forkit | The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jeba_forkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12663 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d4aa9303-953f-4bc3-8069-8e9a967461a9?source=cve https://wordpress.org/plugins/jeba-cute-forkit/ https://plugins.trac.wordpress.org/browser/jeba-cute-forkit/tags/1.0/jeba-forkit-index.php#L58 |
| paul1999--GitHub Gist Shortcode Plugin | The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'gist' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12667 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc6468bf-37b6-4dd7-b2e5-e880e3cc3c32?source=cve https://wordpress.org/plugins/github-gist-shortcode/ https://plugins.trac.wordpress.org/browser/github-gist-shortcode/tags/0.2/github-gist-shortcode-plugin.php#L33 |
| sitedin--WP Count Down Timer | The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_countdown_timer' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12668 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bcbcad73-ce2a-4eb2-9b7f-91d47a93e16d?source=cve https://wordpress.org/plugins/wp-count-down-timer/ https://plugins.trac.wordpress.org/browser/wp-count-down-timer/tags/1.0.1/wp-count-down-timer.php#L69 |
| mrx3k1--WP-Iconics | The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_iconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12671 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90ec6c64-f2c6-483e-9d8b-25e65ccb4a90?source=cve https://wordpress.org/plugins/wp-iconics/ https://plugins.trac.wordpress.org/browser/wp-iconics/tags/0.0.4/wp-iconics.php#L47 |
| nuvuscripts--Flickr Show | The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'div_height' parameter of the 'flickrshow' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12672 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b792892-25dc-4df0-883d-afd0b47292e0?source=cve https://wordpress.org/plugins/wp-flickrshow/ https://plugins.trac.wordpress.org/browser/wp-flickrshow/tags/1.5/flickrshow.php#L230 |
| pritenhshah--Share to Google Classroom | The Share to Google Classroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the share_to_google shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12711 | https://www.wordfence.com/threat-intel/vulnerabilities/id/87cc821c-21d5-49b7-9b72-030ca016efd8?source=cve https://plugins.trac.wordpress.org/browser/share-to-google-classroom/tags/1.0/share_to_google_classroom.php#L59 |
| sagortouch--Chart Expert | The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8ed413a9-bf1d-4564-b740-4c92ec2c2249?source=cve https://plugins.trac.wordpress.org/browser/chart-expert/tags/1.0/inc/shortcode.php#L1 https://plugins.trac.wordpress.org/browser/chart-expert/tags/1.0/inc/shortcode.php#L95 |
| rampantlogic--Geopost | The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 6.4 | CVE-2025-12754 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4c38ca9a-895b-4d59-94c9-c7d5ba3b1b7d?source=cve https://plugins.trac.wordpress.org/browser/geopost/tags/1.2/geopost.php#L15 https://plugins.trac.wordpress.org/browser/geopost/tags/1.2/geopost.php#L20 |
| pgadmin.org--pgAdmin 4 | pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input. | 2025-11-13 | 6.8 | CVE-2025-12763 | https://github.com/pgadmin-org/pgadmin4/issues/9323 |
| OpenClinica--Community Edition | A vulnerability was found in OpenClinica Community Edition up to 3.12.2/3.13. This affects an unknown part of the file /ImportCRFData?action=confirm of the component CRF Data Import. Performing manipulation of the argument xml_file results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-10 | 6.3 | CVE-2025-12922 | VDB-331642 \| OpenClinica Community Edition CRF Data Import ImportCRFData path traversal VDB-331642 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #680873 \| OpenClinica OpenClinica Community Edition 3.13, Changeset 74f4df3481b6 (2017-02-28) and 3.12.2, Changeset 347dcfca3d17 (2016-11-21) Unrestricted Upload https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-rce.md https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-rce.md#raw-requests-abridged |
| SourceCodester--Farm Management System | A weakness has been identified in SourceCodester Farm Management System 1.0. The affected element is an unknown function of the file /review.php. This manipulation of the argument pid causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-11-10 | 6.3 | CVE-2025-12926 | VDB-331646 \| SourceCodester Farm Management System review.php sql injection VDB-331646 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #681506 \| SourceCodester Farm Management System v1.0 SQL injection https://github.com/R178/cve/issues/1 https://www.sourcecodester.com/ |
| SourceCodester--Food Ordering System | A vulnerability has been found in SourceCodester Food Ordering System 1.0. Affected is an unknown function of the file /view-ticket.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-11-10 | 6.3 | CVE-2025-12930 | VDB-331650 \| SourceCodester Food Ordering System view-ticket.php sql injection VDB-331650 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682185 \| SOURCECODESTER Food Ordering System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/1 https://www.sourcecodester.com/ |
| SourceCodester--Food Ordering System | A vulnerability was found in SourceCodester Food Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /routers/edit-orders.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-11-10 | 6.3 | CVE-2025-12931 | VDB-331651 \| SourceCodester Food Ordering System edit-orders.php sql injection VDB-331651 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682234 \| SourceCodester Food Ordering System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/5 https://www.sourcecodester.com/ |
| SourceCodester--Baby Care System | A vulnerability was identified in SourceCodester Baby Care System 1.0. This affects an unknown part of the file /updatewelcome.php?id=siteoptions&action=welcome. Such manipulation of the argument roleid leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-11-10 | 6.3 | CVE-2025-12933 | VDB-331653 \| SourceCodester Baby Care System updatewelcome.php sql injection VDB-331653 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682276 \| SourceCodester Baby Care System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/8 https://www.sourcecodester.com/ |
| SourceCodester--Interview Management System | A security flaw has been discovered in SourceCodester Interview Management System up to 1.0. Affected by this issue is some unknown functionality of the file /addCandidate.php. The manipulation of the argument candName results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-11-10 | 6.3 | CVE-2025-12939 | VDB-331663 \| SourceCodester Interview Management System addCandidate.php sql injection VDB-331663 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682314 \| SourceCodester Interview Management System V1.0 Information Disclosure + Input Validation https://github.com/puppytgyh/-CVE/issues/10 https://www.sourcecodester.com/ |
| Campcodes--School Fees Payment Management System | A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_student. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-11-12 | 6.3 | CVE-2025-13057 | VDB-332184 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332184 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682367 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/QingqingOK/CVE/issues/1 https://www.campcodes.com/ |
| SourceCodester--Alumni Management System | A weakness has been identified in SourceCodester Alumni Management System 1.0. The impacted element is an unknown function of the file /manage_career.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-11-12 | 6.3 | CVE-2025-13059 | VDB-332186 \| SourceCodester Alumni Management System manage_career.php sql injection VDB-332186 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682548 \| Sourcecodester Alumni Management System 1.0 SQL Injection https://github.com/CaseyW33/CVE/issues/1 https://www.sourcecodester.com/ |
| itsourcecode--Online Voting System | A vulnerability was detected in itsourcecode Online Voting System 1.0. This impacts an unknown function of the file /index.php?page=manage_voting. Performing manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-11-12 | 6.3 | CVE-2025-13061 | VDB-332188 \| itsourcecode Online Voting System index.php unrestricted upload VDB-332188 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #682587 \| itsourcecode Online Voting System V1.0 Arbitrary File Upload Vulnerability https://github.com/yihaofuweng/cve/issues/55 https://itsourcecode.com/ |
| macrozheng--mall-swarm | A vulnerability was identified in macrozheng mall-swarm up to 1.0.3. This affects the function updateAttr of the file /cart/update/attr. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 6.3 | CVE-2025-13114 | VDB-332319 \| macrozheng mall-swarm attr updateAttr improper authorization VDB-332319 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683221 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/5 |
| macrozheng--mall-swarm | A vulnerability was detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this issue is the function paySuccess of the file /order/paySuccess. The manipulation of the argument orderID results in improper authorization. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 6.3 | CVE-2025-13118 | VDB-332323 \| macrozheng mall-swarm/mall paySuccess improper authorization VDB-332323 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683345 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers Submit #686531 \| mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/9 https://github.com/Hwwg/cve/issues/14 |
| AMTT--Hotel Broadband Operation System | A flaw has been found in AMTT Hotel Broadband Operation System 1.0. The impacted element is an unknown function of the file /user/portal/get_firstdate.php. Executing manipulation of the argument uid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 6.3 | CVE-2025-13123 | VDB-332351 \| AMTT Hotel Broadband Operation System get_firstdate.php sql injection VDB-332351 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683824 \| Anmei Century (Beijing) Technology Co., Ltd. Anmei Digital Hotel Broadband Operation System v1.0 SQL Injection https://github.com/R178/cve/issues/2 |
| ury-erp--ury | A weakness has been identified in ury-erp ury up to 0.2.0. This affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. This manipulation of the argument search_term causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. Upgrading to version 0.2.1 is able to mitigate this issue. Patch name: 063384e0dddfd191847cd2d6524c342cc380b058. It is suggested to upgrade the affected component. The vendor replied and reacted very professionally. | 2025-11-14 | 6.3 | CVE-2025-13168 | VDB-332456 \| ury-erp ury pos_extend.py overrided_past_order_list sql injection VDB-332456 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683984 \| ury-erp ury 0.2.0 SQL Injection https://github.com/ictrun/ury-vulns/blob/main/README.md https://github.com/ictrun/ury-vulns/blob/main/README.md#verification-steps https://github.com/ury-erp/ury/commit/063384e0dddfd191847cd2d6524c342cc380b058 https://github.com/ury-erp/ury/releases/tag/v0.2.1 |
| n/a--ZZCMS | A vulnerability was identified in ZZCMS 2023. This impacts an unknown function of the file /admin/wangkan_list.php. Such manipulation of the argument keyword leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-11-14 | 6.3 | CVE-2025-13171 | VDB-332463 \| ZZCMS wangkan_list.php sql injection VDB-332463 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684765 \| zzcms 2023 SQL Injection https://github.com/En0t5/vul/blob/main/zzcms/zzcms-sql-inject2.md https://github.com/En0t5/vul/blob/main/zzcms/zzcms-sql-inject2.md#poc |
| CodeAstro--Gym Management System | A security flaw has been discovered in CodeAstro Gym Management System 1.0. Affected is an unknown function of the file /admin/view-member-report.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-11-14 | 6.3 | CVE-2025-13172 | VDB-332464 \| CodeAstro Gym Management System view-member-report.php sql injection VDB-332464 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684785 \| codeastro Gym Management System V1.0 SQL Injection https://github.com/Bixintiao/cve/issues/1 https://codeastro.com/ |
| rachelos--WeRSS we-mp-rss | A weakness has been identified in rachelos WeRSS we-mp-rss up to 1.4.7. Affected by this vulnerability is the function do_job of the file /rachelos/we-mp-rss/blob/main/jobs/mps.py of the component Webhook Module. Executing manipulation of the argument web_hook_url can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-11-14 | 6.3 | CVE-2025-13174 | VDB-332465 \| rachelos WeRSS we-mp-rss Webhook mps.py do_job server-side request forgery VDB-332465 \| CTI Indicators (IOB, IOC, IOA) Submit #684803 \| rachelos WeRSS WeRSS<=1.4.7 Server-Side Request Forgery https://www.notion.so/SSRF-vulnerability-in-WeRSS-WebHook-module-29bea92a3c4180a192b5caa9078bfb18 |
| FantasticLBP--Hotels Server | A security flaw has been discovered in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. The impacted element is an unknown function of the file controller/api/hotelList.php. The manipulation of the argument subjectId/cityName results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-15 | 6.3 | CVE-2025-13208 | VDB-332527 \| FantasticLBP Hotels Server hotelList.php sql injection VDB-332527 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685620 \| FantasticLBP Hotels_Server V1.0(Current release) SQL Injection Submit #685622 \| FantasticLBP Hotels_Server V1.0(Current release) SQL Injection (Duplicate) https://github.com/naixiao/CVE/issues/1 https://github.com/naixiao/CVE/issues/2 |
| bestfeng--oa_git_free | A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-11-15 | 6.3 | CVE-2025-13209 | VDB-332528 \| bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference VDB-332528 \| CTI Indicators (IOB, IOC, IOA) Submit #685626 \| https://gitee.com/bestfeng/oa_git_free oa_git_free 8.0 XML external entity injection https://github.com/bkglfpp/CVE-md/blob/main/%E4%BA%91%E7%BD%91%E5%8D%8F%E5%90%8C%E5%8A%9E%E5%85%AC%E7%B3%BB%E7%BB%9F/XXE.md |
| itsourcecode--Inventory Management System | A vulnerability was found in itsourcecode Inventory Management System 1.0. The impacted element is an unknown function of the file /index.php?q=product. Performing manipulation of the argument PROID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2025-11-16 | 6.3 | CVE-2025-13234 | VDB-332560 \| itsourcecode Inventory Management System index.php sql injection VDB-332560 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686698 \| itsourcecode Inventory Management System v1.0 SQL Injection https://github.com/pip-in-head/lulucat-VD/issues/1 https://itsourcecode.com/ |
| itsourcecode--Inventory Management System | A vulnerability was identified in itsourcecode Inventory Management System 1.0. This impacts an unknown function of the file /admin/products/index.php?view=edit. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-11-16 | 6.3 | CVE-2025-13236 | VDB-332562 \| itsourcecode Inventory Management System index.php sql injection VDB-332562 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686702 \| itsourcecode Inventory Management System v1.0 SQL Injection https://github.com/3169417664/cve/issues/3 https://itsourcecode.com/ |
| Bdtask--Flight Booking Software | A weakness has been identified in Bdtask Flight Booking Software 4. Affected by this vulnerability is an unknown functionality of the file /agent/profile/edit of the component Edit Profile Page. This manipulation causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-16 | 6.3 | CVE-2025-13238 | VDB-332564 \| Bdtask Flight Booking Software Edit Profile edit unrestricted upload VDB-332564 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #686895 \| Bdtask Bdtask Flight Booking Software B2B Portal v4 Unrestricted File Upload https://github.com/4m3rr0r/PoCVulDb/issues/6 |
| code-projects--Student Information System | A vulnerability was found in code-projects Student Information System 2.0. Impacted is an unknown function of the file /editprofile.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-11-16 | 6.3 | CVE-2025-13243 | VDB-332569 \| code-projects Student Information System editprofile.php sql injection VDB-332569 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687528 \| code-projects Student Information System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL15.md https://code-projects.org/ |
| shsuishang--ShopSuite ModulithShop | A vulnerability was identified in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Impacted is the function JwtAuthenticationFilter of the file src/main/java/com/suisung/shopsuite/common/security/JwtAuthenticationFilter.java. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | 2025-11-16 | 6.3 | CVE-2025-13246 | VDB-332580 \| shsuishang ShopSuite ModulithShop JwtAuthenticationFilter.java JwtAuthenticationFilter path traversal VDB-332580 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687532 \| shsuishang modulithshop 1.0.0 Privilege Escalation https://github.com/shsuishang/modulithshop/issues/1 |
| Jiusi--OA | A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-16 | 6.3 | CVE-2025-13249 | VDB-332583 \| Jiusi OA OfficeServer unrestricted upload VDB-332583 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687599 \| http://www.jiusi.net/ jiusiOA n/a Arbitrary file upload vulnerability https://github.com/rooboot501/my-project/blob/main/jiousi.md |
| WeiYe-Jing--datax-web | A vulnerability was detected in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-11-16 | 6.3 | CVE-2025-13250 | VDB-332584 \| WeiYe-Jing datax-web Job triggerJob access control VDB-332584 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687604 \| WeiYe-Jing DataX-Web <= 2.1.2 Broken Access Control / Horizontal Privilege Escalation https://github.com/Xzzz111/exps/blob/main/archives/datax-web-broken-access-control-1/report.md |
| WeiYe-Jing--datax-web | A flaw has been found in WeiYe-Jing datax-web up to 2.1.2. Affected is an unknown function. Executing manipulation can lead to SQL injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-11-16 | 6.3 | CVE-2025-13251 | VDB-332585 \| WeiYe-Jing datax-web sql injection VDB-332585 \| CTI Indicators (IOB, IOC, TTP) Submit #687606 \| WeiYe-Jing DataX-Web <= 2.1.2 SQL Injection https://github.com/Xzzz111/exps/blob/main/archives/datax-web-sql-injection-1/report.md |
| projectworlds--Advanced Library Management System | A vulnerability was determined in projectworlds Advanced Library Management System 1.0. This affects an unknown part of the file /add_librarian.php. This manipulation of the argument Username causes SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-16 | 6.3 | CVE-2025-13253 | VDB-332588 \| projectworlds Advanced Library Management System add_librarian.php sql injection VDB-332588 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687853 \| projectworlds Advanced Library Management System 1.0 SQL Injection Submit #688779 \| projectworlds Advanced Library Management System 1.0 SQL Injection (Duplicate) https://github.com/Wyg2002yx/cve/blob/main/001/report.md |
| n/a--Intel(R) CIP software | Uncontrolled search path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-20050 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Display Virtualization for Windows OS software | Uncontrolled search path for some Display Virtualization for Windows OS software before version 1797 within Ring 2: Device Drivers may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-20065 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01303.html |
| Cisco--Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. This vulnerability is due to insufficient validation of user-supplied input in REST API request parameters. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to inject arbitrary commands that would then be executed in a restricted container with root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer. | 2025-11-13 | 6.3 | CVE-2025-20349 | cisco-sa-dnac-ci-ZWLQVSwT |
| Cisco--Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in the web-based management interface of Cisco Catalyst Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | 2025-11-13 | 6.1 | CVE-2025-20353 | cisco-sa-dnac-xss-weXtVZ59 |
| n/a--Intel(R) CIP software | External control of file name or path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-20614 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--SigTest | Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-22391 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01327.html |
| n/a--Intel(R) Rapid Storage Technology Application | Insecure inherited permissions for some Intel(R) Rapid Storage Technology Application before version 20.0.1021 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24327 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01362.html |
| n/a--Intel(R) Killer(TM) Performance Suite software | Uncontrolled search path for some Intel(R) Killer(TM) Performance Suite software before version killer 4.0 40.25.509.1465 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24491 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01377.html |
| n/a--Intel(R) QAT Windows software | Buffer overflow for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-24519 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a--Intel(R) CIP software | Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via adjacent access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-24834 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) System Support Utility | Uncontrolled search path for the Intel(R) System Support Utility before version 4.1.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24842 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01360.html |
| n/a--Intel(R) CIP software | Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.3 | CVE-2025-24848 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) CIP software | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-24863 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) Server Configuration Utility software and Intel(R) Server Firmware Update Utility software | Improper link resolution before file access ('link following') for some Intel(R) Server Configuration Utility software and Intel(R) Server Firmware Update Utility software before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-24918 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01400.html |
| n/a--Intel(R) One Boot Flash Update (Intel(R) OFU) software | Uncontrolled search path for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-25059 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01331.html |
| n/a--Intel(R) NPU Drivers | Protection mechanism failure for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-26402 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01304.html |
| n/a--Intel(R) Processor Identification Utility | Incorrect default permissions for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-27246 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html |
| n/a--Intel(R) QAT Windows software | Untrusted pointer dereference for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow an information disclosure. System software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-27710 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a--Intel(R) One Boot Flash Update (Intel(R) OFU) software | Incorrect default permissions for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-27711 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01331.html |
| n/a--Intel(R) Distribution for Python software installers | Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-30182 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01382.html |
| n/a--Intel Driver and Support Assistant | Uncontrolled search path for some Intel Driver and Support Assistant before version 25.2 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-30506 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01361.html |
| n/a--Intel(R) PresentMon | Incorrect default permissions for some Intel(R) PresentMon before version 2.3.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-30518 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01392.html |
| Zoom Communications Inc.--Zoom Workplace VDI Plugin macOS Universal installer | Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via network access. | 2025-11-13 | 6.6 | CVE-2025-30662 | https://www.zoom.com/en/trust/security-bulletin/zsb-25045 |
| n/a--Intel Ethernet Adapter Complete Driver Pack software | Time-of-check time-of-use race condition for some Intel Ethernet Adapter Complete Driver Pack software before version 1.5.1.0 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.1 | CVE-2025-31146 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01376.html |
| n/a--System Event Log Viewer Utility software | Uncontrolled search path for some System Event Log Viewer Utility software for all versions within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31645 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01380.html |
| n/a--Intel(R) Graphics Software | Uncontrolled search path for some Intel(R) Graphics Software before version 25.22.1502.2 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31647 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01356.html |
| n/a--Instrumentation and Tracing Technology API (ITT API) software | Uncontrolled search path for the Instrumentation and Tracing Technology API (ITT API) software before version 3.25.4 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31931 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01337.html |
| n/a--Intel(R) Thread Director Visualizer software | Incorrect default permissions for some Intel(R) Thread Director Visualizer software before version 1.1.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-31940 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01375.html |
| n/a--Intel(R) Processor Identification Utility | Uncontrolled search path for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-32001 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01334.html |
| n/a--Intel oneAPI DPC++/C++ Compiler software | Uncontrolled search path for some FPGA Support Package for the Intel oneAPI DPC++/C++ Compiler software before version 2025.0.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-32038 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01364.html |
| n/a--Intel QuickAssist Technology software | Untrusted pointer dereference for some Intel QuickAssist Technology software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.5 | CVE-2025-32446 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a--PRI Driver software | Unquoted search path for some PRI Driver software before version 03.03.1002 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-32449 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01394.html |
| n/a--Intel(R) QAT Windows software | Buffer overflow for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.6 | CVE-2025-32732 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| IBM--QRadar Security Information and Event Management | IBM QRadar SIEM 7.5 through 7.5.0 UP14 stores user credentials in configuration files in source control which can be read by an authenticated user. | 2025-11-12 | 6.5 | CVE-2025-33119 | https://www.ibm.com/support/pages/node/7250932 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where an attacker could cause a stack overflow by sending extra-large payloads. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-11 | 6.5 | CVE-2025-33202 | https://nvd.nist.gov/vuln/detail/CVE-2025-33202 https://www.cve.org/CVERecord?id=CVE-2025-33202 https://nvidia.custhelp.com/app/answers/detail/a_id/5723 |
| n/a--Slim Bootloader | Protection mechanism failure in the UEFI firmware for the Slim Bootloader within firmware may allow an escalation of privilege. Startup code and smm adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.4 | CVE-2025-35968 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01395.html |
| n/a--Intel MPI Library | Uncontrolled search path for the Intel MPI Library before version 2021.16 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 6.7 | CVE-2025-35972 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01386.html |
| Siemens--LOGO! 12/24RCE | A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not conduct certain validations when interacting with them. This could allow an unauthenticated remote attacker to change time of the device, which means the device could behave differently. | 2025-11-11 | 6.5 | CVE-2025-40817 | https://cert-portal.siemens.com/productcert/html/ssa-267056.html |
| SAP_SE--SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider. This could further lead to disclosure or modification of information about the server. There is no impact on availability. | 2025-11-11 | 6.5 | CVE-2025-42884 | https://me.sap.com/notes/3660969 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business Connector | Due to a Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim accesses this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access or modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected. | 2025-11-11 | 6.1 | CVE-2025-42886 | https://me.sap.com/notes/3665907 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business Connector | Due to an OS Command Injection vulnerability in SAP Business Connector, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability. | 2025-11-11 | 6.8 | CVE-2025-42892 | https://me.sap.com/notes/3665900 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business Connector | Due to an Open Redirect vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site displayed within an embedded frame. Successful exploitation could allow the attacker to steal sensitive information and perform unauthorized actions, impacting the confidentiality and integrity of web client data. There is no impact to system availability resulting from this vulnerability. | 2025-11-11 | 6.1 | CVE-2025-42893 | https://me.sap.com/notes/3662000 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business Connector | Due to a Path Traversal vulnerability in SAP Business Connector, an attacker authenticated as an administrator with adjacent access could read, write, overwrite, and delete arbitrary files on the host system. Successful exploitation could enable the attacker to execute arbitrary operating system commands on the server, resulting in a complete compromise of the confidentiality, integrity, and availability of the affected system. | 2025-11-11 | 6.8 | CVE-2025-42894 | https://me.sap.com/notes/3666038 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP HANA JDBC Client | Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application. | 2025-11-11 | 6.9 | CVE-2025-42895 | https://me.sap.com/notes/3643385 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4HANA landscape (SAP E-Recruiting BSP) | SAP S/4HANA landscape SAP E-Recruiting BSP allows an unauthenticated attacker to craft malicious links that, when clicked, could redirect the victim to a page controlled by the attacker. This has low impact on confidentiality and integrity of the application with no impact on availability. | 2025-11-11 | 6.1 | CVE-2025-42924 | https://me.sap.com/notes/3642398 https://url.sap/sapsecuritypatchday |
| Qualys Inc--Qualys Agent | The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges. | 2025-11-10 | 6.3 | CVE-2025-43079 | https://www.qualys.com/security-advisories/cve-2025-43079 |
| Dell--Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering. | 2025-11-13 | 6.6 | CVE-2025-46362 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Dell--Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 2025-11-13 | 6.6 | CVE-2025-46368 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| Axis Communications AB--AXIS OS | An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-4645 | https://www.axis.com/dam/public/69/47/ff/cve-2025-4645pdf-en-US-504211.pdf |
| Microsoft--Microsoft Configuration Manager | Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally. | 2025-11-11 | 6.7 | CVE-2025-47179 | Configuration Manager Elevation of Privilege Vulnerability |
| Axis Communications AB--AXIS OS | A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP application. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.6 | CVE-2025-5452 | https://www.axis.com/dam/public/39/ba/8b/cve-2025-5452pdf-en-US-504212.pdf |
| Axis Communications AB--AXIS OS | An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.4 | CVE-2025-5454 | https://www.axis.com/dam/public/48/ab/82/cve-2025-5454pdf-en-US-504213.pdf |
| Mattermost--Mattermost | Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events | 2025-11-14 | 6.5 | CVE-2025-55070 | https://mattermost.com/security-updates |
| Axis Communications AB--AXIS OS | The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.8 | CVE-2025-5718 | https://www.axis.com/dam/public/3c/a4/6a/cve-2025-5718pdf-en-US-504214.pdf |
| Mattermost--Mattermost | Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-URL responses | 2025-11-13 | 6.1 | CVE-2025-59480 | https://mattermost.com/security-updates |
| Microsoft--Windows 10 Version 1809 | Untrusted pointer dereference in Storvsp.sys Driver allows an authorized attacker to deny service locally. | 2025-11-11 | 6.5 | CVE-2025-60708 | Storvsp.sys Driver Denial of Service Vulnerability |
| Microsoft--OneDrive for Android | Improper limitation of a pathname to a restricted directory ('path traversal') in OneDrive for Android allows an authorized attacker to elevate privileges over a network. | 2025-11-11 | 6.5 | CVE-2025-60722 | Microsoft OneDrive for Android Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to deny service over a network. | 2025-11-11 | 6.3 | CVE-2025-60723 | DirectX Graphics Kernel Denial of Service Vulnerability |
| Microsoft--Microsoft Dynamics 365 (on-premises) version 9.1 | Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network. | 2025-11-11 | 6.5 | CVE-2025-62206 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
| Microsoft--Microsoft Visual Studio 2022 version 17.14 | Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code locally. | 2025-11-11 | 6.7 | CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability |
| Microsoft--Microsoft Visual Studio Code CoPilot Chat Extension | Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code CoPilot Chat Extension allows an authorized attacker to bypass a security feature locally. | 2025-11-11 | 6.8 | CVE-2025-62449 | Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability |
| Axis Communications AB--AXIS OS | ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-6298 | https://www.axis.com/dam/public/ef/91/c3/cve-2025-6298pdf-en-US-504215.pdf |
| Brightpick AI--Brightpick Mission Control / Internal Logic Control | The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes. | 2025-11-14 | 6.5 | CVE-2025-64307 | https://brightpick.ai/contact-us/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json |
| withastro--astro | Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilize on-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch. | 2025-11-13 | 6.5 | CVE-2025-64525 | https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767 https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4 https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121 https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97 |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information through Python code in the tool module, even though the process runs in a sandbox. Version 2.3.1 fixes the issue. | 2025-11-13 | 6.3 | CVE-2025-64703 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-qwvm-x4xh-g2qq |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue. | 2025-11-13 | 6.5 | CVE-2025-64748 | https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204 |
| gristlabs--grist-core | grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials. | 2025-11-13 | 6.8 | CVE-2025-64752 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3 https://github.com/gristlabs/grist-core/releases/tag/v1.7.7 |
| Axis Communications AB--AXIS OS | A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it. | 2025-11-11 | 6 | CVE-2025-6571 | https://www.axis.com/dam/public/1f/f8/f0/cve-2025-6571pdf-en-US-504216.pdf |
| Axis Communications AB--AXIS OS | An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-6779 | https://www.axis.com/dam/public/92/9a/13/cve-2025-6779pdf-en-US-504217.pdf |
| Axis Communications AB--AXIS OS | An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-11-11 | 6.7 | CVE-2025-8108 | https://www.axis.com/dam/public/38/20/aa/cve-2025-8108pdf-en-US-504218.pdf |
| AVEVA--Application Server | The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that when executed by a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected. | 2025-11-14 | 6.9 | CVE-2025-8386 | https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin-AVEVA-2025-005.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-02.json |
| restpack--Save as PDF Button | The Save as PDF Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's restpackpdfbutton shortcode in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-13 | 6.4 | CVE-2025-8397 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c648fca-c36f-41a0-9d29-3f669f3669d9?source=cve https://plugins.svn.wordpress.org/save-as-pdf/trunk/save-as-pdf.php https://wordpress.org/plugins/save-as-pdf/#developers |
| Lenovo--Dock Manager | An improper default permission vulnerability was reported in Lenovo Dock Manager that, under certain conditions during installation, could allow an authenticated local user to redirect log files with elevated privileges. | 2025-11-12 | 6.6 | CVE-2025-8421 | https://support.lenovo.com/us/en/product_security/LEN-198729 |
| wedevs--Project Management & Task Manager with Kanban Board & Gantt Chart WP Project Manager | The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More - WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the 'completed_at_operator' parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-15 | 6.5 | CVE-2025-8994 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74984cc6-06b1-4c3a-a3e6-9e104c71e9c5?source=cve https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.24/src/Task/Helper/Task.php#L1484 https://plugins.trac.wordpress.org/changeset/3386164/ |
| Axis Communications AB--AXIS OS | The VAPIX Edge storage API allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux Root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account. | 2025-11-11 | 6.4 | CVE-2025-9055 | https://www.axis.com/dam/public/23/a3/00/cve-2025-9055pdf-en-US-504219.pdf |
| Zohocorp--ManageEngine OpManager | Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor. | 2025-11-11 | 6.5 | CVE-2025-9227 | https://www.manageengine.com/itom/advisory/cve-2025-9227.html |
| mintty--mintty | Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. It is triggered by simply printing them out on bash. An attacker can specify an arbitrary network path, negotiate an NTLM hash out of the victim's machine to an attacker-controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue. | 2025-11-12 | 5.3 | CVE-2024-45301 | https://github.com/mintty/mintty/security/advisories/GHSA-jf4m-m6rv-p6c5 |
| benmoody--WP Headless CMS Framework | The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed. This makes it possible for unauthenticated attackers to access content they should not have access to. | 2025-11-13 | 5.3 | CVE-2025-11260 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6a99806-cb8f-4c12-86ed-2cdbb45ba873?source=cve https://wordpress.org/plugins/wp-rest-headless/ |
| softivus--Wisly | The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists. | 2025-11-11 | 5.3 | CVE-2025-11532 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve https://wordpress.org/plugins/wisly/ |
| mitegvg--Slippy Slider Responsive Touch Navigation Slider | The Slippy Slider - Responsive Touch Navigation Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slippy-slider' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-11 | 5.4 | CVE-2025-11874 | https://www.wordfence.com/threat-intel/vulnerabilities/id/21b6748a-43fb-4326-ac1f-d3ae2a6700f2?source=cve https://plugins.trac.wordpress.org/browser/slippy-slider-responsive-touch-navigation-slider/tags/2.0/slippy-slider.php#L46 |
| shelfplanner--Shelf Planner | The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.0 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | 2025-11-11 | 5.3 | CVE-2025-11891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/17f17cae-f444-4fa1-9090-ec6ea267ef2e?source=cve https://wordpress.org/plugins/shelf-planner/ |
| shelfplanner--Shelf Planner | The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to modify several of the plugin's settings like the ServerKey and LicenseKey. | 2025-11-11 | 5.3 | CVE-2025-11894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/107031b3-5071-490a-a8f7-060212b1724c?source=cve https://wordpress.org/plugins/shelf-planner/ |
| odude--Crypto Tool | The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table. | 2025-11-11 | 5.3 | CVE-2025-11986 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f062ef94-e558-478e-bbfd-06616aeb566b?source=cve https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L65 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L95 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto-user.php#L95 |
| odude--Crypto Tool | The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts. | 2025-11-11 | 5.3 | CVE-2025-11988 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3281d6eb-9f14-43d4-a4d4-532993039e53?source=cve https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9 https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L137 |
| toastwebsites--Find Unused Images | The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments. | 2025-11-11 | 5.3 | CVE-2025-11996 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa1964e-97e9-4166-89d5-788b336790b6?source=cve https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L44 https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L53 https://wordpress.org/plugins/find-unused-images/ |
| ngothoai--Document Pro Elementor Documentation & Knowledge Base | The Document Pro Elementor - Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service. | 2025-11-11 | 5.3 | CVE-2025-11997 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5ac7455a-0c89-4f5b-84eb-b7cc87bce8d4?source=cve https://plugins.trac.wordpress.org/browser/document-pro-elementor/tags/1.0.9/inc/Base/DPET_Enqueue.php#L85 https://plugins.trac.wordpress.org/browser/document-pro-elementor/tags/1.0.9/inc/Base/DPET_Enqueue.php#L71 |
| krishaweb--Add Multiple Marker | The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to update the map API and reset maps. | 2025-11-11 | 5.3 | CVE-2025-11999 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4f1467d-1f66-4e99-af44-9329cfe1efac?source=cve https://plugins.trac.wordpress.org/browser/add-multiple-marker/tags/1.2/functions.php https://tinyurl.com/2bcmmpxb |
| Lenovo--Scanner Pro | A vulnerability was reported in the Lenovo Scanner pro application during an internal security assessment that, under certain circumstances, could allow an attacker on the same logical network to disclose sensitive user files from the application. | 2025-11-12 | 5.3 | CVE-2025-12047 | https://iknow.lenovo.com.cn/detail/434327 |
| ryanmoyer--The Total Book Project | The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them. | 2025-11-11 | 5.4 | CVE-2025-12126 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve https://wordpress.org/plugins/the-total-book-project/ |
| smub--Gallery Plugin for WordPress Envira Photo Gallery | The Gallery Plugin for WordPress - Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0. | 2025-11-13 | 5.3 | CVE-2025-12377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/69a0d985-cc85-45ba-889d-1ed30d06f9ce?source=cve https://drive.google.com/file/d/1AgsJeff1x4pQAFVGmoSwwU75iiH4-H_p/view?usp=sharing https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/admin/ajax.php https://research.cleantalk.org/cve-2025-12377/ https://plugins.trac.wordpress.org/changeset/3387243/envira-gallery-lite/trunk/includes/admin/ajax.php?old=3133202&old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fadmin%2Fajax.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394455%40envira-gallery-lite&old=3387243%40envira-gallery-lite&sfp_email=&sfph_mail= |
| brainstormforce--SureForms Contact Form, Custom Form Builder, Calculator & More | The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows unauthenticated access to the metadata. This makes it possible for unauthenticated attackers to extract sensitive data including email notification configurations, which frequently contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that can be abused to inject malicious data into downstream systems. | 2025-11-13 | 5.3 | CVE-2025-12536 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9e8e239a-0ddf-479e-b94b-7844ff6e9e81?source=cve https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/post-types.php#L892 https://plugins.trac.wordpress.org/changeset/3391762/sureforms/trunk/inc/post-types.php |
| loveless--RandomQuotr | The RandomQuotr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 5.5 | CVE-2025-12632 | https://www.wordfence.com/threat-intel/vulnerabilities/id/42308a6e-cb04-42dc-90b0-9b40c264ad53?source=cve https://it.wordpress.org/plugins/randomquotr/ |
| ronalfy--Comment Edit Core Simple Comment Editing | The Comment Edit Core - Simple Comment Editing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.0 via the 'ajax_get_comment' function. This makes it possible for unauthenticated attackers to extract sensitive data including user IDs, IP addresses, and email addresses. | 2025-11-13 | 5.3 | CVE-2025-12681 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4f954b02-b636-438b-a4b1-9b74df153c47?source=cve https://plugins.trac.wordpress.org/browser/simple-comment-editing/trunk/includes/Ajax.php#L230 https://plugins.trac.wordpress.org/changeset/3392054/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition. | 2025-11-11 | 5.5 | CVE-2025-12748 | https://access.redhat.com/security/cve/CVE-2025-12748 RHBZ#2413801 |
| themefic--Hydra Booking Appointment Scheduling & Booking Calendar | The Hydra Booking - Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint. | 2025-11-11 | 5.3 | CVE-2025-12787 | https://www.wordfence.com/threat-intel/vulnerabilities/id/490dd84f-7c03-43c7-b4e1-167fa2b15c03?source=cve https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php |
| themefic--Hydra Booking Appointment Scheduling & Booking Calendar | The Hydra Booking - Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthenticated payment bypass due to missing payment verification in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring. | 2025-11-11 | 5.3 | CVE-2025-12788 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b49ce4a2-52ad-4824-86fc-5edd2e33802d?source=cve https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php |
| n/a--PostgreSQL | Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. | 2025-11-13 | 5.9 | CVE-2025-12818 | https://www.postgresql.org/support/security/CVE-2025-12818/ |
| contest-gallery--Contest Gallery Upload, Vote & Sell with PayPal and Stripe | The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files. | 2025-11-15 | 5.3 | CVE-2025-12849 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e000c4ad-43ec-4ad0-89f9-74e9e6d8b917?source=cve https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L42 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L47 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L64 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L15 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L173 https://wordpress.org/plugins/contest-gallery/#developers |
| aEnrich--a+HRD | The a+HRD and a+HCM developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to upload files containing malicious JavaScript code, which will execute on the client side when a user is tricked into visiting a specific URL. | 2025-11-12 | 5.4 | CVE-2025-12872 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| jobayer534--Progress Bar Blocks for Gutenberg | The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-11-11 | 5.4 | CVE-2025-12880 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3bc48d4d-eeee-47f7-be5e-0d6a43473aa0?source=cve https://wordpress.org/plugins/progressmatify-blocks/ |
| ays-pro--Survey Maker | The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions. | 2025-11-13 | 5.3 | CVE-2025-12891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/835353e7-871d-4daf-9ed4-86321daf2366?source=cve https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php |
| ays-pro--Survey Maker | The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to update the ays_survey_maker_upgrade_plugin option. | 2025-11-13 | 5.3 | CVE-2025-12892 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6abc7605-2daa-44a9-8f2f-cbaacbea9348?source=cve https://plugins.trac.wordpress.org/changeset/3394078/survey-maker/tags/5.1.9.5/admin/class-survey-maker-admin.php?old=3389474&old_path=survey-maker%2Ftags%2F5.1.9.4%2Fadmin%2Fclass-survey-maker-admin.php |
| uscnanbu--Welcart e-Commerce | The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (e.g., PayPal API secret), as well as business contact details, mail templates, and other operational settings tied to the store. | 2025-11-13 | 5.3 | CVE-2025-12979 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26255cd9-2361-4d17-8d1b-9bdadcc69043?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394001%40usc-e-shop&new=3394001%40usc-e-shop&sfp_email=&sfph_mail= |
| macrozheng--mall-swarm | A weakness has been identified in macrozheng mall-swarm and mall up to 1.0.3. Affected is the function cancelUserOrder of the file /order/cancelUserOrder. Manipulation of the argument orderId can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 5.4 | CVE-2025-13116 | VDB-332321 \| macrozheng mall-swarm/mall cancelUserOrder improper authorization VDB-332321 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683339 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers Submit #686530 \| mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/8 https://github.com/Hwwg/cve/issues/13 |
| macrozheng--mall-swarm | A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this vulnerability is the function cancelOrder of the file /order/cancelOrder. The manipulation of the argument orderId leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 5.4 | CVE-2025-13117 | VDB-332322 \| macrozheng mall-swarm/mall cancelOrder improper authorization VDB-332322 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #683340 \| mall-swarm <=1.0.3 Improper Control of Resource Identifiers Submit #686529 \| mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/7 https://github.com/Hwwg/cve/issues/12 |
| n/a--mruby | A vulnerability has been found in mruby up to 3.4.0. This vulnerability affects the function sort_cmp of the file src/array.c. Such manipulation leads to use after free. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc. It is advisable to implement a patch to correct this issue. | 2025-11-13 | 5.3 | CVE-2025-13120 | VDB-332325 \| mruby array.c sort_cmp use after free VDB-332325 \| CTI Indicators (IOB, IOC, IOA) Submit #683435 \| mruby 3.4.0 Use After Free https://github.com/mruby/mruby/issues/6649 https://github.com/makesoftwaresafe/mruby/pull/263 https://github.com/mruby/mruby/issues/6649#issue-3534393003 https://github.com/mruby/mruby/commit/eb398971bfb43c38db3e04528b68ac9a7ce509bc |
| IQ Service International--IQ-Support | IQ-Support developed by IQ Service International has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network. | 2025-11-14 | 5.3 | CVE-2025-13160 | https://www.twcert.org.tw/en/cp-139-10502-11c6d-2.html https://www.twcert.org.tw/tw/cp-132-10501-a25a6-1.html |
| Intelbras--ICIP | A security vulnerability has been detected in Intelbras ICIP 2.0.20. Affected is an unknown function of the file /xml/sistema/acessodeusuario.xml. Manipulation of the argument NomeUsuario/SenhaAcess leads to unprotected storage of credentials. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-14 | 5.3 | CVE-2025-13187 | VDB-332475 \| Intelbras ICIP acessodeusuario.xml credentials storage VDB-332475 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685522 \| Intelbras ICIP 2.0.20 Unprotected Storage of Credentials https://www.notion.so/eldruin/Intelbras-ICIP-Plaintext-Admin-Credentials-Disclosure-29b27474cccb80ff943ff2776d03d7cd |
| code-projects--Email Logging Interface | A vulnerability was found in code-projects Email Logging Interface 2.0. Affected is an unknown function of the file signup.cpp. The manipulation of the argument Username results in path traversal: '../filedir'. The attack is only possible with local access. The exploit has been made public and could be used. | 2025-11-15 | 5.3 | CVE-2025-13199 | VDB-332497 \| code-projects Email Logging Interface signup.cpp path traversal VDB-332497 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685549 \| code-projects Email Logging Interface 2.0 Path Traversal: '../filedir' https://github.com/asd1238525/cve/blob/main/Dir1c.md https://github.com/asd1238525/cve/blob/main/Dir1c.md#poc https://code-projects.org/ |
| SourceCodester--Farm Management System | A vulnerability was determined in SourceCodester Farm Management System 1.0. Affected by this vulnerability is an unknown functionality. This manipulation causes exposure of information through directory listing. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-15 | 5.3 | CVE-2025-13200 | VDB-332498 \| SourceCodester Farm Management System exposure of information through directory listing VDB-332498 \| CTI Indicators (IOB, IOC, TTP) Submit #685615 \| SourceCodester Farm Management System v1.0 Directory traversal https://github.com/Shaker-Chen/cve/issues/1 https://www.sourcecodester.com/ |
| Intelbras--UnniTI | A weakness has been identified in Intelbras UnniTI 24.07.11. The affected element is an unknown function of the file /xml/sistema/usuarios.xml. Manipulation of the argument Usuario/Senha can lead to unprotected storage of credentials. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-15 | 5.3 | CVE-2025-13221 | VDB-332537 \| Intelbras UnniTI usuarios.xml credentials storage VDB-332537 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685825 \| Intelbras UnniTI 24.07.11 Unprotected Storage of Credentials https://www.notion.so/eldruin/Intelbras-UnniTI-Plaintext-Admin-Credentials-Disclosure-29c27474cccb8008b2d7ea60affdf86e?source=copy_link |
| n/a--Intel(R) PROSet/Wireless WiFi Software for Windows | Improper input validation for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Authorized adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (low) impacts. | 2025-11-11 | 5.6 | CVE-2025-24512 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html |
| Omnissa--Omnissa Workspace ONE UEM | Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks. | 2025-11-12 | 5.3 | CVE-2025-25236 | https://static.omnissa.com/sites/default/files/OMSA-2025-0005.pdf https://www.omnissa.com/omnissa-security-response/ |
| n/a--Intel(R) NPU Drivers | Improper control of dynamically-managed code resources for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.9 | CVE-2025-26405 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01304.html |
| n/a--Intel(R) QAT Windows software | Null pointer dereference for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.5 | CVE-2025-26694 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a--Gaudi software | Uncontrolled resource consumption for some Gaudi software before version 1.21.0 within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.5 | CVE-2025-27249 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01374.html |
| n/a--Intel(R) Neural Compressor software | Improper neutralization for some Intel(R) Neural Compressor software before version v3.4 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.7 | CVE-2025-27712 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01365.html |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T750/T765/T760/T770/T820/S8000/T8300/T9300 | In the TEE ECDSA algorithm, there is a possible memory consistency issue. This could lead to incorrect signature results being generated with low probability. | 2025-11-11 | 5.1 | CVE-2025-31719 | https://www.unisoc.com/en/support/announcement/1987692028719517698 |
| n/a--Intel(R) QAT Windows software | Out-of-bounds read for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 5.6 | CVE-2025-31937 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| IBM--Cognos Analytics Certified Containers | IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages. | 2025-11-10 | 5.3 | CVE-2025-33150 | https://www.ibm.com/support/pages/node/7250395 |
| NVIDIA--AuthN component of NVIDIA AIStore | NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. A successful exploit of this vulnerability may lead to information disclosure. | 2025-11-11 | 5.3 | CVE-2025-33185 | https://nvd.nist.gov/vuln/detail/CVE-2025-33185 https://www.cve.org/CVERecord?id=CVE-2025-33185 https://nvidia.custhelp.com/app/answers/detail/a_id/5724 |
| IBM--OpenPages | IBM OpenPages 9.0 and 9.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | 2025-11-12 | 5.4 | CVE-2025-36223 | https://www.ibm.com/support/pages/node/7250239 |
| Siemens--Altair Grid Engine | A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). Affected products do not properly handle error messages and disclose sensitive password hash information when processing user authentication requests. This could allow a local attacker to extract password hashes for privileged accounts, which can then be subjected to offline brute-force attacks. | 2025-11-11 | 5.5 | CVE-2025-40760 | https://cert-portal.siemens.com/productcert/html/ssa-514895.html |
| SAP_SE--SAP HANA 2.0 (hdbrss) | Due to missing authentication, SAP HANA 2.0 (hdbrss) allows an unauthenticated attacker to call a remote-enabled function that will enable them to view information. As a result, it has a low impact on the confidentiality but no impact on the integrity and availability of the system. | 2025-11-11 | 5.8 | CVE-2025-42885 | https://me.sap.com/notes/3639264 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP GUI for Windows | SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime. This vulnerability has a high impact on confidentiality, with no impact on integrity and availability. | 2025-11-11 | 5.5 | CVE-2025-42888 | https://me.sap.com/notes/3651097 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Starter Solution (PL SAFT) | SAP Starter Solution allows an authenticated attacker to execute crafted database queries, thereby exposing the back-end database. As a result, this vulnerability has a low impact on the application's confidentiality and integrity but no impact on its availability. | 2025-11-11 | 5.4 | CVE-2025-42889 | https://me.sap.com/notes/2886616 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business One (SLD) | Due to an information disclosure vulnerability in an anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the integrity and availability. | 2025-11-11 | 5.3 | CVE-2025-42897 | https://me.sap.com/notes/3652901 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Application Server Java | Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this vulnerability by inserting arbitrary path components in the request, allowing unauthorized access to sensitive application metadata. This results in a partial compromise of the confidentiality of the information without affecting the integrity or availability of the application server. | 2025-11-11 | 5.3 | CVE-2025-42919 | https://me.sap.com/notes/3643603 https://url.sap/sapsecuritypatchday |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.10.1.3 and versions 9.11.0.0 through 9.12.0.0, contains a use of a broken or risky cryptographic algorithm vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 2025-11-10 | 5.9 | CVE-2025-43723 | https://www.dell.com/support/kbdoc/en-us/000390206/dsa-2025-381-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Zscaler--Zscaler Client Connector | A health check port on Zscaler Client Connector on Windows, versions 4.6 < 4.6.0.216 and 4.7 < 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls. | 2025-11-12 | 5.2 | CVE-2025-54983 | https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2025 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL. | 2025-11-14 | 5.4 | CVE-2025-55073 | https://mattermost.com/security-updates |
| Red Hat--Red Hat Enterprise Linux 10 | If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients. | 2025-11-12 | 5.9 | CVE-2025-59089 | RHSA-2025:21138 RHSA-2025:21139 RHSA-2025:21140 RHSA-2025:21141 RHSA-2025:21142 RHSA-2025:21448 https://access.redhat.com/security/cve/CVE-2025-59089 RHBZ#2393958 https://github.com/latchset/kdcproxy/pull/68 |
| Microsoft--Microsoft Office LTSC 2021 | Exposure of sensitive information to an unauthorized actor in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-59240 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-59509 | Windows Speech Recognition Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally. | 2025-11-11 | 5.5 | CVE-2025-59510 | Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-59513 | Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows Hyper-V allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-60706 | Windows Hyper-V Information Disclosure Vulnerability |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled. | 2025-11-15 | 5.3 | CVE-2025-6171 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #549730 HackerOne Bug Bounty Report #3183740 |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61840 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive memory information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61841 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by a Use After Free vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61842 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61843 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61844 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Adobe--Format Plugins | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-11-11 | 5.5 | CVE-2025-61845 | https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html |
| Microsoft--Windows 10 Version 1809 | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-62208 | Windows License Manager Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | 2025-11-11 | 5.5 | CVE-2025-62209 | Windows License Manager Information Disclosure Vulnerability |
| Microsoft--Visual Studio Code | Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. | 2025-11-11 | 5 | CVE-2025-62453 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability |
| Zoom Communications Inc.--Zoom Clients | Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access. | 2025-11-13 | 5.3 | CVE-2025-62483 | https://www.zoom.com/en/trust/security-bulletin/zsb-25047 |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any authenticated user on the same Langfuse instance could enumerate names and email addresses of users in another organization if they knew the target organization's ID. Disclosure is limited to names and email addresses of members/invitees. No customer data such as traces, prompts, or evaluations is exposed or accessible. For Langfuse Cloud, the maintainers ran a thorough investigation of access logs of the last 30 days and could not find any evidence that this vulnerability was exploited. For most self-hosting deployments, the attack surface is significantly reduced given an SSO provider is configured and email/password sign-up is disabled. In these cases, only users who authenticate via the Enterprise SSO IdP (e.g. Okta) would be able to exploit this vulnerability to access the member list, i.e. internal users getting access to a list of other internal users. In order to exploit the vulnerability, the actor must have a valid Langfuse user account within the same instance, know the target orgId, and use the request made to the API that powers the frontend membership tables, including their project/user authentication token, while changing the orgId to the target organization. Langfuse Cloud (EU, US, HIPAA) were affected until fix deployment on November 1, 2025. The maintainers reviewed the Langfuse Cloud access logs from the past 30 days and found no evidence that this vulnerability was exploited. Self-Hosted versions which contain patches include v2.95.11 for major version 2 and v3.124.1 for major version 3. There are no known workarounds. Upgrading is required to fully mitigate this issue. | 2025-11-10 | 5 | CVE-2025-64504 | https://github.com/langfuse/langfuse/security/advisories/GHSA-94hf-6gqq-pj69 https://github.com/langfuse/langfuse/commit/67990ebfdcf0f0c32a6710efa7ddbda073812ab4 https://github.com/langfuse/langfuse/commit/6c2529049a4c962928c435984c81a547a497e3e5 https://github.com/langfuse/langfuse/releases/tag/v2.70.0 https://github.com/langfuse/langfuse/releases/tag/v2.95.11 https://github.com/langfuse/langfuse/releases/tag/v3.124.1 |
| JetBrains--Hub | In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API | 2025-11-10 | 5.3 | CVE-2025-64683 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432 improper access control allowed modification of MCP tool logic | 2025-11-10 | 5.4 | CVE-2025-64687 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432 insecure Junie configuration could lead to data exposure and unauthorized changes | 2025-11-10 | 5.4 | CVE-2025-64690 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| baptisteArno--typebot.io | Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue. | 2025-11-13 | 5 | CVE-2025-64706 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp |
| PrivateBin--PrivateBin | PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, an unauthenticated Local File Inclusion exists in the template-switching feature. If `templateselection` is enabled in the configuration, the server trusts the `template` cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file elsewhere, gain remote code execution. The constructed path of the template file is checked for existence, then included. For PrivateBin project files this does not leak any secrets due to data files being created with PHP code that prevents execution, but if a configuration file without that line got created or the visitor figures out the relative path to a PHP script that directly performs an action without appropriate privilege checking, those might execute or leak information. The issue has been patched in version 2.0.3. As a workaround, set `templateselection = false` (which is the default) in `cfg/conf.php` or remove it entirely | 2025-11-13 | 5.8 | CVE-2025-64714 | https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-g2j9-g8r5-rg82 https://github.com/PrivateBin/PrivateBin/commit/4434dbf73ac53217fda0f90d8cf9b6110f8acc4f |
| nodeca--js-yaml | js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default). | 2025-11-13 | 5.3 | CVE-2025-64718 | https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879 |
| Zoom Communications Inc.--Zoom Workplace for macOS | External control of file name or path in Zoom Workplace for macOS before version 6.5.10 may allow an authenticated user to conduct a disclosure of information via local access. | 2025-11-13 | 5 | CVE-2025-64738 | https://www.zoom.com/en/trust/security-bulletin/zsb-25040 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue. | 2025-11-13 | 5.5 | CVE-2025-64747 | https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e |
| gristlabs--grist-core | grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint. | 2025-11-13 | 5.3 | CVE-2025-64753 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685 https://github.com/gristlabs/grist-core/releases/tag/v1.7.7 |
| SMCI--SYS-111C-NR | Supermicro BMC Insyde SMASH shell program has a stack-based overflow vulnerability | 2025-11-13 | 5.4 | CVE-2025-7704 | https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2025 |
| Siemens--Spectrum Power 4 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to alteration of the local database which contains the application credentials. This allows an attacker to gain administrative application privileges. | 2025-11-11 | 4.7 | CVE-2024-32014 | https://cert-portal.siemens.com/productcert/html/ssa-339694.html |
| Avast--Free Antivirus | Collision in MiniFilter driver in Avast Software Avast Free Antivirus before 25.9 on Windows allows a local attacker with administrative privileges to disable real-time protection and self-defense mechanisms. | 2025-11-11 | 4.4 | CVE-2025-10905 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Mattermost--Mattermost | Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint | 2025-11-14 | 4.3 | CVE-2025-11776 | https://mattermost.com/security-updates |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint | 2025-11-14 | 4.9 | CVE-2025-11794 | https://mattermost.com/security-updates |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user. | 2025-11-15 | 4.3 | CVE-2025-11865 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #561399 |
| codethislab--CTL Arcade Lite | The CTL Arcade Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'ctl_arcade_lite_page_manage_games' page. This makes it possible for unauthenticated attackers to deactivate and activate arbitrary plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-11 | 4.3 | CVE-2025-11886 | https://www.wordfence.com/threat-intel/vulnerabilities/id/44bca8c2-1591-484c-ac40-8c968d5d1cad?source=cve https://wordpress.org/plugins/ctl-arcade-lite/ |
| jdsofttech--School Management System WPSchoolPress | The School Management System - WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'SCodes' parameter in all versions up to, and including, 2.2.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-14 | 4.9 | CVE-2025-11981 | https://www.wordfence.com/threat-intel/vulnerabilities/id/04bc4a20-0136-4fb4-9489-07140b2b86aa?source=cve https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.9/lib/wpsp-ajaxworks.php#L1872 https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.9/lib/wpsp-ajaxworks.php#L1844 https://plugins.trac.wordpress.org/changeset/3389346#file62 |
| sanderkah--Convert WebP & AVIF \| Quicq \| Best image optimizer and compression plugin \| Improve your Google Pagespeed | The Convert WebP & AVIF \| Quicq \| Best image optimizer and compression plugin \| Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto | 2025-11-13 | 4.3 | CVE-2025-12015 | https://www.wordfence.com/threat-intel/vulnerabilities/id/09f01dcc-685b-485b-8572-cdf73d0157dc?source=cve https://wordpress.org/plugins/quicq/ |
| sourcefound--MembershipWorks Membership, Events & Directory | The MembershipWorks - Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-12 | 4.4 | CVE-2025-12018 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cd412d8-6d14-4803-aae6-087e02f9d75f?source=cve https://wordpress.org/plugins/memberfindme/ https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/memberfindme/stored-xss.md https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L103 https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L437 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393026%40memberfindme&new=3393026%40memberfindme&sfp_email=&sfph_mail= |
| mervinpraison--Featured Image | The Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image metadata in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.4 | CVE-2025-12019 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fa16605a-12bd-48a8-b9a9-db53bf3c2c39?source=cve https://wordpress.org/plugins/featured-image/ https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/featured-image/stored-xss.md https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L26 https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L35 https://plugins.trac.wordpress.org/browser/featured-image/tags/2.1/featured-image.php#L65 |
| kanwei_doublethedonation--Double the Donation A workplace giving tool | The Double the Donation - A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.9 | CVE-2025-12020 | https://www.wordfence.com/threat-intel/vulnerabilities/id/63ba2d29-26dc-4c5f-9d9d-9a13e25c44b9?source=cve https://wordpress.org/plugins/double-the-donation/ https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L59 https://plugins.trac.wordpress.org/browser/double-the-donation/tags/2.0.0/doublethedonation.php#L79 |
| acowebs--Wishlist and Save for later for Woocommerce | The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists. | 2025-11-12 | 4.3 | CVE-2025-12087 | https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/ |
| webtoffee--Alt Text Generator AI Auto Generate & Bulk Update Alt Texts For Images | The Alt Text Generator AI - Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site. | 2025-11-12 | 4.3 | CVE-2025-12113 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5309e891-ced1-496f-8ee5-c089a91a7666?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390619%40alt-text-generator&new=3390619%40alt-text-generator&sfp_email=&sfph_mail= |
| larsactionhero--WP Custom Admin Login Page Logo | The WP Custom Admin Login Page Logo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.8.4. This is due to missing or incorrect nonce validation on the wpclpl_save functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-11 | 4.3 | CVE-2025-12132 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6164b272-aa12-4ee3-a73a-64882ff5a899?source=cve https://wordpress.org/plugins/wp-custom-login-page-logo/ |
| qodeinteractive--Qi Blocks | The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images. | 2025-11-15 | 4.3 | CVE-2025-12182 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41b0b12f-ff52-4913-aa54-3fbaf0839959?source=cve https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/media/class-qi-blocks-media.php#L138 https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/media/class-qi-blocks-media.php |
| softaculous--Page Builder: Pagelayer Drag and Drop website builder | The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators. | 2025-11-13 | 4.3 | CVE-2025-12366 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2216d82c-29ae-4355-8118-6ebc49726c12?source=cve https://plugins.trac.wordpress.org/browser/pagelayer/tags/2.0.4/main/replace-media.php#L31 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394407%40pagelayer%2Ftrunk&old=3384061%40pagelayer%2Ftrunk&sfp_email=&sfph_mail= |
| wpchill--Image Gallery Photo Grid & Video Gallery | The Image Gallery - Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server. | 2025-11-15 | 4.3 | CVE-2025-12494 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca423309-d8bd-46a4-9e88-9534d9c60b4a?source=cve https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L554 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L567 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L589 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L597 https://research.cleantalk.org/cve-2025-12494/ https://plugins.trac.wordpress.org/changeset/3391790/modula-best-grid-gallery/trunk?contextall=1&old=3390878&old_path=%2Fmodula-best-grid-gallery%2Ftrunk |
| michielve--Private Google Calendars | The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings. | 2025-11-11 | 4.3 | CVE-2025-12526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/900294ef-dedb-49d3-b544-eae64399ea03?source=cve https://wordpress.org/plugins/private-google-calendars/ |
| iworks--Fleet Manager | The Fleet Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.4 | CVE-2025-12538 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e72644c-138d-4733-bcca-a8305273d1a0?source=cve https://it.wordpress.org/plugins/fleet/ |
| behzadrohizadeh--USB Qr Code Scanner For Woocommerce | The USB Qr Code Scanner For Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-11 | 4.3 | CVE-2025-12588 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e02d105-0f1e-479e-a537-7a7fdbbd7804?source=cve https://plugins.trac.wordpress.org/browser/usb-qr-code-scanner-for-woocommerce/tags/1.0.0/usb-qrcode-scanner-for-woocommerce.php#L410 https://plugins.trac.wordpress.org/browser/usb-qr-code-scanner-for-woocommerce/tags/1.0.0/usb-qrcode-scanner-for-woocommerce.php#L149 |
| ays-pro--Poll Maker Versus Polls, Anonymous Polls, Image Polls | The Poll Maker - Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the 'filterbyauthor' parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-13 | 4.9 | CVE-2025-12620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/56e0efba-4913-4772-8a5b-5cb5c84b5d48?source=cve https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2033 https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2053 |
| spokanetony--Squirrels Auto Inventory | The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-11 | 4.4 | CVE-2025-12631 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f93ee42-c21d-47cf-b140-65809da75653?source=cve https://wordpress.org/plugins/squirrels-auto-inventory/ |
| lovelightplugins--Ninja Countdown \| Fastest Countdown Builder | The Ninja Countdown \| Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns. | 2025-11-11 | 4.3 | CVE-2025-12665 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0b6433-5651-4a9d-8356-5d02d51830f4?source=cve https://wordpress.org/plugins/ninja-countdown/ |
| smackcoders--WP Import Ultimate CSV XML Importer for WordPress | The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface. | 2025-11-12 | 4.3 | CVE-2025-12732 | https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42 https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72 https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php |
| paoltaia--GeoDirectory WP Business Directory Plugin and Classified Listings Directory | The GeoDirectory - WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places. | 2025-11-12 | 4.3 | CVE-2025-12833 | https://www.wordfence.com/threat-intel/vulnerabilities/id/408f0c2a-ef3c-4592-8722-d56afce92e24?source=cve https://wordpress.org/plugins/geodirectory/ https://github.com/AyeCode/geodirectory/commit/db655b04be32a160c0abf73217faf0a50585aa92 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393024%40geodirectory&new=3393024%40geodirectory&sfp_email=&sfph_mail= |
| smub--All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs. | 2025-11-15 | 4.3 | CVE-2025-12847 | https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192 https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542 https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192 https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393820%40all-in-one-seo-pack&old=3384131%40all-in-one-seo-pack&sfp_email=&sfph_mail=#file1387 |
| aEnrich--a+HRD | The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript codes that are executed in users' browsers upon page load. | 2025-11-12 | 4.8 | CVE-2025-12869 | https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html |
| asgaros--Asgaros Forum | The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | 2025-11-12 | 4.3 | CVE-2025-12901 | https://www.wordfence.com/threat-intel/vulnerabilities/id/75625e6e-f75b-4e11-acd8-7388efb12b29?source=cve https://plugins.trac.wordpress.org/browser/asgaros-forum/tags/3.2.1/includes/forum-notifications.php#L606 https://plugins.trac.wordpress.org/browser/asgaros-forum/tags/3.2.1/includes/forum-notifications.php#L605 https://github.com/Asgaros/asgaros-forum/commit/92305fb8ba4ec0a6c65256915d0a32e5553b74f3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392004%40asgaros-forum&new=3392004%40asgaros-forum&sfp_email=&sfph_mail= |
| rymcu--forest | A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads to missing authorization. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2025-11-10 | 4.3 | CVE-2025-12924 | VDB-331644 | rymcu forest BankController.java GlobalResult authorization VDB-331644 | CTI Indicators (IOB, IOC, IOA) Submit #681079 | RYMCU forest V1.0 Missing Authentication https://github.com/rymcu/forest/issues/198 |
| n/a--DedeBIZ | A security vulnerability has been detected in DedeBIZ up to 6.3.2. The impacted element is an unknown function of the file /admin/archives_add.php. Such manipulation of the argument flags[] leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-10 | 4.7 | CVE-2025-12927 | VDB-331647 | DedeBIZ archives_add.php sql injection VDB-331647 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #681507 | DedeBIZ CMS v6.3.2 archives_add.php SQL Injection https://github.com/ZZCTD/zz_test/issues/4 |
| SourceCodester--Baby Care System | A vulnerability was determined in SourceCodester Baby Care System 1.0. Affected by this issue is some unknown functionality of the file /admin.php?id=inbox. This manipulation of the argument msgid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-10 | 4.7 | CVE-2025-12932 | VDB-331652 | SourceCodester Baby Care System admin.php sql injection VDB-331652 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #682272 | SourceCodester Baby Care System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/7 https://www.sourcecodester.com/ |
| techlabpro1--Classified Listing AI-Powered Classified ads & Business Directory Plugin | The Classified Listing - AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" function in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber level access and above, to add, update, or delete listing types. | 2025-11-11 | 4.3 | CVE-2025-12953 | https://www.wordfence.com/threat-intel/vulnerabilities/id/811f147e-5829-4f7e-91d8-9dba780950d5?source=cve https://plugins.trac.wordpress.org/changeset/3389342/classified-listing/trunk/app/Controllers/Ajax/AjaxListingType.php |
| code-projects--Responsive Hotel Site | A vulnerability was detected in code-projects Responsive Hotel Site 1.0. Impacted is an unknown function of the file /admin/usersettingdel.php. Performing manipulation of the argument eid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-11-12 | 4.7 | CVE-2025-13075 | VDB-332206 | code-projects Responsive Hotel Site usersettingdel.php sql injection VDB-332206 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #682856 | code-projects Responsive Hotel Site 1.0 SQL Injection https://github.com/zhizi1234/cve/blob/main/tmp69/tmp69/report.md https://code-projects.org/ |
| code-projects--Responsive Hotel Site | A flaw has been found in code-projects Responsive Hotel Site 1.0. The affected element is an unknown function of the file /admin/usersetting.php. Executing manipulation of the argument usname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-11-12 | 4.7 | CVE-2025-13076 | VDB-332207 | code-projects Responsive Hotel Site usersetting.php sql injection VDB-332207 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #682867 | code-projects Responsive Hotel Site 1.0 SQL Injection https://github.com/zhizi1234/cve/blob/main/tmp70/report.md https://code-projects.org/ |
| macrozheng--mall-swarm | A security flaw has been discovered in macrozheng mall-swarm and mall up to 1.0.3. This impacts the function detail of the file /order/detail/ of the component Order Details Handler. Performing manipulation of the argument orderId results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-13 | 4.3 | CVE-2025-13115 | VDB-332320 | macrozheng mall-swarm/mall Order Details detail improper authorization VDB-332320 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #683222 | mall-swarm <=1.0.3 Improper Control of Resource Identifiers Submit #686528 | mall <=1.0.3 Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/6 https://github.com/Hwwg/cve/issues/11 |
| Fabian Ros--Simple E-Banking System | A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-11-13 | 4.3 | CVE-2025-13119 | VDB-332324 | Fabian Ros/SourceCodester Simple E-Banking System cross-site request forgery VDB-332324 | CTI Indicators (IOB, IOC) Submit #683335 | Fabian Ros Simple E-Banking System In PHP With Source Code October 11, 2025 Cross-Site Request Forgery https://github.com/i4G5d/CRITICAL-SECURITY-VULNERABILITY-REPORT-CSRF-Forced-Withdrawal |
| Bdtask--SalesERP | A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 4.3 | CVE-2025-13177 | VDB-332467 | Bdtask/CodeCanyon SalesERP cross-site request forgery VDB-332467 | CTI Indicators (IOB, IOC) Submit #684819 | Bdtask Sales ERP Software Latest version as of 2025-10-16 Cross-Site Request Forgery (CSRF) https://github.com/4m3rr0r/PoCVulDb/issues/1 |
| Bdtask--Wholesale Inventory Control and Inventory Management System | A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. This issue affects some unknown processing. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 4.3 | CVE-2025-13179 | VDB-332469 | Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System cross-site request forgery VDB-332469 | CTI Indicators (IOB, IOC) Submit #684823 | Bdtask Wholesale Management System Latest version as of 2025-10-16 Cross-Site Request Forgery (CSRF) https://github.com/4m3rr0r/PoCVulDb/issues/3 |
| Bdtask--News365 | A security flaw has been discovered in Bdtask/CodeCanyon News365 up to 7.0.3. This affects an unknown function of the file /admin/dashboard/profile. The manipulation of the argument profile_image/banner_image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 4.7 | CVE-2025-13185 | VDB-332473 | Bdtask/CodeCanyon News365 profile unrestricted upload VDB-332473 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #685028 | Bdtask News365 – PHP Newspaper Script Magazine Blog with Video Newspaper 7.0.3 Unrestricted File Upload https://github.com/4m3rr0r/PoCVulDb/issues/5 |
| n/a--DouPHP | A vulnerability has been found in DouPHP up to 1.8 Release 20251022. This impacts an unknown function of the file upload/include/file.class.php. The manipulation of the argument File leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-11-15 | 4.7 | CVE-2025-13198 | VDB-332496 | DouPHP file.class.php unrestricted upload VDB-332496 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #685544 | Douke Network Technology Co., Ltd. DouPHP DouPHP v1.8 Release 20251022 Arbitrary File Upload https://github.com/electroN1chahaha/My-CVE/issues/1 |
| itsourcecode--Inventory Management System | A security vulnerability has been detected in itsourcecode Inventory Management System 1.0. This impacts an unknown function of the file /admin/products/index.php?view=add. Such manipulation of the argument PROMODEL leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2025-11-15 | 4.7 | CVE-2025-13210 | VDB-332529 | itsourcecode Inventory Management System index.php sql injection VDB-332529 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #685702 | itsourcecode Inventory Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/56 https://itsourcecode.com/ |
| Bdtask--Isshue Multi Store eCommerce Shopping Cart Solution | A security vulnerability has been detected in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution 5. Affected by this issue is some unknown functionality of the file /submit_checkout. Such manipulation of the argument order_total_amount/cart_total_amount leads to enforcement of behavioral workflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-16 | 4.3 | CVE-2025-13239 | VDB-332565 | Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution submit_checkout behavioral workflow VDB-332565 | CTI Indicators (IOB, IOC, IOA) Submit #686896 | Bdtask Isshue - Multi Store eCommerce Shopping Cart Solution With POS v5 Business Logic Flaw https://github.com/4m3rr0r/PoCVulDb/issues/7 |
| code-projects--Student Information System | A vulnerability was determined in code-projects Student Information System 2.0. The affected element is an unknown function of the file /register.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-16 | 4.3 | CVE-2025-13244 | VDB-332570 | code-projects Student Information System register.php cross site scripting VDB-332570 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #687529 | code-projects Student Information System 2.0 Improper Neutralization of Alternate XSS Syntax https://github.com/asd1238525/cve/blob/main/xss6.md https://code-projects.org/ |
| n/a--Intel VTune Profiler | Improper input validation for some Intel VTune Profiler before version 2025.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.4 | CVE-2025-20056 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01355.html |
| Cisco--Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in Cisco Catalyst Center could allow an authenticated, remote attacker to execute operations that should require Administrator privileges. The attacker would need valid read-only user credentials. This vulnerability is due to improper role-based access control (RBAC). An attacker could exploit this vulnerability by logging in to an affected system and modifying certain policy configurations. A successful exploit could allow the attacker to modify policy configurations that are reserved for the Administrator role. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer. | 2025-11-13 | 4.3 | CVE-2025-20346 | cisco-sa-privesc-catc-rYjReeLU |
| Cisco--Cisco Digital Network Architecture Center (DNA Center) | A vulnerability in the web-based management interface of Cisco Catalyst Center Virtual Appliance could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by intercepting and modifying an HTTP request from a user. A successful exploit could allow the attacker to redirect the user to a malicious web page. | 2025-11-13 | 4.7 | CVE-2025-20355 | cisco-sa-catc-open-redirect-3W5Bk3Je |
| n/a--Intel(R) CIP software | Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a low complexity attack may enable data exposure. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.5 | CVE-2025-24516 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) CIP software | Improper input validation for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a low complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.5 | CVE-2025-24847 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections. | 2025-11-15 | 4.3 | CVE-2025-2615 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #526360 HackerOne Bug Bounty Report #3049150 |
| IBM--OpenPages | IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view. | 2025-11-12 | 4.3 | CVE-2025-27368 | https://www.ibm.com/support/pages/node/7250238 |
| n/a--ACAT | Time-of-check time-of-use race condition for some ACAT before version 3.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 4.4 | CVE-2025-27725 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01388.html |
| Zoom Communications Inc.--Zoom Workplace Clients | Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access. | 2025-11-13 | 4.8 | CVE-2025-30669 | https://www.zoom.com/en/trust/security-bulletin/zsb-25044 |
| Elastic--Kibana | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | 2025-11-12 | 4.3 | CVE-2025-37734 | https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-24/383381 |
| SAP_SE--SAP NetWeaver Application Server for ABAP | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment details of the system could further assist this attacker to plan subsequent attacks. As a result, this vulnerability has a low impact on confidentiality, with no impact on the integrity or availability of the application. | 2025-11-11 | 4.3 | CVE-2025-42882 | https://me.sap.com/notes/3643337 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S4CORE (Manage Journal Entries) | SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application. | 2025-11-11 | 4.3 | CVE-2025-42899 | https://me.sap.com/notes/3530544 https://url.sap/sapsecuritypatchday |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue. | 2025-11-10 | 4.3 | CVE-2025-48878 | https://github.com/Combodo/iTop/security/advisories/GHSA-rj75-7cgw-4556 |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | 2025-11-11 | 4.3 | CVE-2025-60728 | Microsoft Excel Information Disclosure Vulnerability |
| Zoom Communications Inc.--Zoom Workplace | Cross-site scripting in Zoom Workplace for Windows before version 6.5.10 may allow an unauthenticated user to impact integrity via network access. | 2025-11-13 | 4.3 | CVE-2025-62482 | https://www.zoom.com/en/trust/security-bulletin/zsb-25046 |
| Enalean--tuleap | Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don't have cross-site request forgery protection in the management of SVN commit rules and immutable tags. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8 contain a fix for the issue. | 2025-11-12 | 4.6 | CVE-2025-64117 | https://github.com/Enalean/tuleap/security/advisories/GHSA-p2f7-qw8p-f2p7 https://github.com/Enalean/tuleap/commit/f49419f63edbbaa31ce8417b737431d944827404 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=f49419f63edbbaa31ce8417b737431d944827404 https://tuleap.net/plugins/tracker/?aid=45251 |
| Enalean--tuleap | Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.0-1, 16.13-6, and 16.12-9 don't have cross-site request forgery protections in the file release system. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1762267347, Tuleap Enterprise Edition 17.0-1, Tuleap Enterprise Edition 16.13-6, and Tuleap Enterprise Edition 16.12-9 fix the issue. | 2025-11-12 | 4.6 | CVE-2025-64482 | https://github.com/Enalean/tuleap/security/advisories/GHSA-w7h4-9vf6-q7rc https://github.com/Enalean/tuleap/commit/899b5c1693324211947b72f2810ae8944e1bd0d5 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=899b5c1693324211947b72f2810ae8944e1bd0d5 https://tuleap.net/plugins/tracker/?aid=45259 |
| OpenPrinting--cups-filters | cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. In cups-filters prior to 1.28.18, by crafting a PDF file with a large `MediaBox` value, an attacker can cause CUPS-Filter 1.x's `pdftoraster` tool to write beyond the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to become large. Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) / 8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size. Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its buffer size (out of bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine` multiplication without overflow check, but the provided test case does not cause an overflow there, because the values are different. Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which is incorporated into cups-filters version 1.28.18. | 2025-11-12 | 4 | CVE-2025-64503 | https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9 https://github.com/OpenPrinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865 https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1620 https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1880 https://github.com/OpenPrinting/libcupsfilters/blob/1dd86d835b27ed149b66aee1a4853d1db8a1f44c/cupsfilters/pdftoraster.cxx#L1790 |
| trifectatechfoundation--sudo-rs | sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user's UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`. | 2025-11-12 | 4.4 | CVE-2025-64517 | https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form | 2025-11-10 | 4.5 | CVE-2025-64684 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Zoom Communications Inc.--Zoom Clients | External control of file name or path in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via network access. | 2025-11-13 | 4.3 | CVE-2025-64739 | https://www.zoom.com/en/trust/security-bulletin/zsb-25041 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue. | 2025-11-13 | 4.6 | CVE-2025-64746 | https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2 https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue. | 2025-11-13 | 4.3 | CVE-2025-64749 | https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests. | 2025-11-15 | 4.3 | CVE-2025-7000 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #553129 HackerOne Bug Bounty Report #3214025 |
| Arista Networks--EOS | On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device. | 2025-11-14 | 4.9 | CVE-2025-8870 | https://www.arista.com/en/support/advisories-notices/security-advisory/22811-security-advisory-0125 |
| Axis Communications AB--AXIS OS | The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer- operator- or administrator-privileged service account. | 2025-11-11 | 4.3 | CVE-2025-9524 | https://www.axis.com/dam/public/f1/f0/1e/cve-2025-9524pdf-en-US-504220.pdf |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint | 2025-11-13 | 3.1 | CVE-2025-11777 | https://mattermost.com/security-updates |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses. | 2025-11-15 | 3.1 | CVE-2025-11990 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #577850 HackerOne Bug Bounty Report #3257843 |
| n/a--PostgreSQL | Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. | 2025-11-13 | 3.1 | CVE-2025-12817 | https://www.postgresql.org/support/security/CVE-2025-12817/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns. | 2025-11-15 | 3.5 | CVE-2025-12983 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #296257 HackerOne Bug Bounty Report #3419588 |
| soerennb--eXtplorer | A security flaw has been discovered in soerennb eXtplorer up to 2.1.15. The affected element is an unknown function of the component Filename Handler. The manipulation results in cross site scripting. The attack may be launched remotely. The patch is identified as 002def70b985f7012586df2c44368845bf405ab3. Applying a patch is advised to resolve this issue. | 2025-11-12 | 3.5 | CVE-2025-13058 | VDB-332185 \| soerennb eXtplorer Filename cross site scripting VDB-332185 \| CTI Indicators (IOB, IOC, TTP) Submit #682370 \| eXtplorer eXtplorer (PHP file manager) 2.1.15 Cross-Site Scripting (Stored) https://github.com/soerennb/extplorer/issues/33 https://github.com/soerennb/extplorer/commit/002def70b985f7012586df2c44368845bf405ab3 |
| Bdtask--SalesERP | A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. This vulnerability affects unknown code of the file /edit_profile of the component User Profile Handler. This manipulation of the argument first_name/last_name causes basic cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 3.5 | CVE-2025-13178 | VDB-332468 \| Bdtask/CodeCanyon SalesERP User Profile edit_profile cross site scripting VDB-332468 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684820 \| bdtask Sales ERP Software Latest version as of 2025-10-24 Stored HTML Injection https://github.com/4m3rr0r/PoCVulDb/issues/2 |
| Bdtask--Wholesale Inventory Control and Inventory Management System | A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /edit_profile. Performing manipulation of the argument first_name/last_name results in basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 3.5 | CVE-2025-13180 | VDB-332470 \| Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System edit_profile cross site scripting VDB-332470 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684824 \| Bdtask Wholesale Management System Latest version as of 2025-10-16 Stored HTML Injection https://github.com/4m3rr0r/PoCVulDb/issues/4 |
| pojoin--h3blog | A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-14 | 3.5 | CVE-2025-13181 | VDB-332471 \| pojoin h3blog add cross site scripting VDB-332471 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #684887 \| https://gitee.com/pojoin/h3blog h3blog 1.0 Cross-site Scripting https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md#vulnerability-reproduction |
| pojoin--h3blog | A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-11-14 | 3.5 | CVE-2025-13182 | VDB-332472 \| pojoin h3blog addtitle cross site scripting VDB-332472 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685520 \| https://gitee.com/pojoin/h3blog h3blog 1.0 Cross-site Scripting https://github.com/caigo8/CVE-md/blob/main/h3blog/xss3.md https://github.com/caigo8/CVE-md/blob/main/h3blog/xss3.md#vulnerability-reproduction |
| code-projects--Simple Cafe Ordering System | A security flaw has been discovered in code-projects Simple Cafe Ordering System 1.0. This affects an unknown part of the file /add_to_cart. Performing manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-11-15 | 3.5 | CVE-2025-13202 | VDB-332500 \| code-projects Simple Cafe Ordering System add_to_cart cross site scripting VDB-332500 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685729 \| code-projects Simple Cafe Ordering System published October 30, 2025 Cross Site Scripting https://github.com/shenxianyuguitian/cafeorder_vuln_XSS/blob/main/README.md https://code-projects.org/ |
| n/a--projectsend | A flaw has been found in projectsend up to r1720. Impacted is an unknown function of the component File Editor/Custom Download Aliases. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version r1945 is recommended to address this issue. Patch name: 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845. It is advisable to upgrade the affected component. | 2025-11-16 | 3.5 | CVE-2025-13232 | VDB-332558 \| projectsend File Editor/Custom Download Aliases cross site scripting VDB-332558 \| CTI Indicators (IOB, IOC, TTP) Submit #686533 \| projectsend web r1720 Cross Site Scripting https://github.com/projectsend/projectsend/pull/1450 https://github.com/projectsend/projectsend/commit/334da1ea39cb12f6b6e98dd2f80bb033e0c7b845 https://github.com/projectsend/projectsend/releases/tag/r1945 |
| code-projects--Student Information System | A vulnerability was identified in code-projects Student Information System 2.0. The impacted element is an unknown function of the file /editprofile.php. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-11-16 | 3.5 | CVE-2025-13245 | VDB-332571 \| code-projects Student Information System editprofile.php cross site scripting VDB-332571 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687531 \| code-projects Student Information System 2.0 Improper Neutralization of Alternate XSS Syntax https://github.com/asd1238525/cve/blob/main/xss7.md https://code-projects.org/ |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will. | 2025-11-12 | 3.1 | CVE-2025-20378 | https://advisory.splunk.com/advisories/SVD-2025-1101 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the "/services/streams/search" endpoint through its "q" parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | 2025-11-12 | 3.5 | CVE-2025-20379 | https://advisory.splunk.com/advisories/SVD-2025-1102 |
| n/a--Intel(R) NPU Drivers for Windows | Sensitive information uncleared in resource before release for reuse for some Intel(R) NPU Drivers for Windows before version 32.0.100.4023 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.8 | CVE-2025-20622 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01304.html |
| n/a--Intel(R) Graphics Drivers and Intel LTS kernels | Improper input validation in some firmware for some Intel(R) Graphics Drivers and Intel LTS kernels within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.3 | CVE-2025-25216 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01356.html |
| n/a--Intel QuickAssist Technology software | Improper input validation for some Intel QuickAssist Technology software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.8 | CVE-2025-30509 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| n/a--Intel(R) oneAPI Math Kernel Library | Improper input validation for some Intel(R) oneAPI Math Kernel Library before version 2025.2 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.3 | CVE-2025-31948 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01366.html |
| n/a--Intel(R) QAT Windows software | Improper conditions check for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 3.3 | CVE-2025-32088 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html |
| Mattermost--Mattermost | Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads | 2025-11-14 | 3.1 | CVE-2025-41436 | https://mattermost.com/security-updates |
| Dell--Alienware Command Center 6.x (AWCC) | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain a Process Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Disclosure. | 2025-11-13 | 3.3 | CVE-2025-46370 | https://www.dell.com/support/kbdoc/en-us/000379467/dsa-2025-392 |
| OpenPrinting--libcupsfilters | CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libcupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter has an out of bounds read/write vulnerability in the processing of TIFF image files. While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3. When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the `imagetoraster` filter or its C-function equivalent `cfFilterImageToRaster()` gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is `_cfImageReadTIFF()` in `libcupsfilters`. When this function is invoked as part of `cfFilterImageToRaster()`, the caller passes a look-up-table during whose processing the out of bounds memory access happens. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` from the `imagetoraster` tool. A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa. | 2025-11-12 | 3.7 | CVE-2025-57812 | https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-jpxg-qc2c-hgv4 https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/cupsfilters/image-tiff.c#L34 https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/filter/imagetoraster.c#L613 https://github.com/OpenPrinting/libcupsfilters/blob/33421982e10f6a14bc0bab03b80c9cf4660e8d7d/cupsfilters/image-tiff.c#L32 |
| dgtlmoon--changedetection.io | changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an existing watch with a new URL that is in reality a JavaScript payload. When the user clicks on *Preview* and then on the malicious link, the JavaScript malicious code is executed. Version 0.50.34 fixes the issue. | 2025-11-10 | 3.5 | CVE-2025-62780 | https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4c3j-3h7v-22q9 |
| trifectatechfoundation--sudo-rs | sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue. | 2025-11-12 | 3.8 | CVE-2025-64170 | https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context | 2025-11-10 | 3.1 | CVE-2025-64686 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| PrivateBin--PrivateBin | PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent. Certain conditions must exist for the vulnerability to be exploitable. Only macOS or Linux users are affected, due to the way the `>` character is treated in a file name on Windows. The PrivateBin instance needs to have file upload enabled. An attacker needs to have access to the local file system or somehow convince the user to create (or download) a malicious file (name). An attacker needs to convince the user to attach that malicious file to PrivateBin. Any Mac / Linux user who can be tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming counter-measures like Content-Security-Policy (CSP) have been disabled. If CSP is not disabled, HTML injection attacks may be possible - like redirecting to a foreign website, phishing etc. As the whole exploit needs to be included in the file name of the attached file and only affects the local session of the user (aka it is neither persistent nor remotely executable) and that user needs to interact and actively attach that file to the paste, the impact is considered to be practically low. Version 2.0.3 patches the issue. | 2025-11-13 | 3.9 | CVE-2025-64711 | https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-r9x7-7ggj-fx9f https://github.com/PrivateBin/PrivateBin/commit/f9550e513381208b36595ee2404e968144bba78b |
| openobserve--openobserve | OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available. | 2025-11-13 | 3.5 | CVE-2025-64744 | https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments. | 2025-11-15 | 3.5 | CVE-2025-6945 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #552611 HackerOne Bug Bounty Report #3173458 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers. | 2025-11-15 | 3.1 | CVE-2025-7736 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #556098 HackerOne Bug Bounty Report #3250156 |
| Axis Communications AB--AXIS OS | It was possible to upload files with a specific name to a temporary directory, which may result in process crashes and impact usability. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. | 2025-11-11 | 3.1 | CVE-2025-8998 | https://www.axis.com/dam/public/f5/62/80/cve-2025-8998pdf-en-US-504374.pdf |
| liweiyi--ChestnutCMS | A vulnerability was determined in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function resourceDownload of the file /dev-api/common/download. Executing manipulation of the argument path can lead to path traversal. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-10 | 2.7 | CVE-2025-12923 | VDB-331643 \| liweiyi ChestnutCMS download resourceDownload path traversal VDB-331643 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #681032 \| liweiyi ChestnutCMS 1.5.8 Path Traversal https://github.com/Huu1j/CVE/blob/main/chestnutcms%20Arbitrary%20File%20Read.md |
| Bdtask--Isshue Multi Store eCommerce Shopping Cart Solution | A weakness has been identified in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution up to 4.0. This impacts an unknown function of the file /dashboard/Ccustomer/manage_customer. This manipulation of the argument Search causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-14 | 2.4 | CVE-2025-13186 | VDB-332474 \| Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution manage_customer cross site scripting VDB-332474 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #685036 \| Bdtask Isshue — Multi Store eCommerce Shopping Cart Solution With POS 4.0 Reflected Cross-Site Scripting (XSS) https://github.com/4m3rr0r/PoCVulDb/blob/main/README18.md |
| n/a--Intel(R) CIP software | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable data manipulation. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-24307 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) CIP software | Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-24314 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) CIP software | Unrestricted upload of file with dangerous type for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data manipulation. This result may potentially occur via network access when attack requirements are present with special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-24862 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01328.html |
| n/a--Intel(R) PresentMon | Improper access control for some Intel(R) PresentMon before version 2.3.1 within Ring 3: User Applications may allow a denial of service. Network adversary with a privileged user combined with a high complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2025-11-11 | 2 | CVE-2025-32037 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01392.html |
| SAP_SE--SAP NetWeaver Application Server for ABAP (Migration Workbench) | Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application. | 2025-11-11 | 2.7 | CVE-2025-42883 | https://me.sap.com/notes/3634053 https://url.sap/sapsecuritypatchday |
| JetBrains--Hub | In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations | 2025-11-10 | 2.7 | CVE-2025-64681 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--Hub | In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit | 2025-11-10 | 2.7 | CVE-2025-64682 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| withastro--astro | Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue. | 2025-11-13 | 2.7 | CVE-2025-64745 | https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7 https://github.com/withastro/astro/pull/12994 https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91 https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit | 2025-11-11 | 2.7 | CVE-2025-64773 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| bytecodealliance--wasmtime | Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, embeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. | 2025-11-12 | 1.8 | CVE-2025-64345 | https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10 https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new https://docs.wasmtime.dev/stability-release.html https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| IRAI--AUTOMGEN | AUTOMGEN versions up to and including 8.0.0.7 (also referenced as 8.022) contain a vulnerability in that project file handling frees an object and subsequently dereferences the stale pointer when processing certain malformed fields. The dangling-pointer use enables an attacker to influence an indirect call through attacker-controlled memory, resulting in denial-of-service. In some conditions, remote code execution may be possible. | 2025-11-12 | not yet calculated | CVE-2011-10034 | https://www.exploit-db.com/exploits/17964 https://en.iraifrance.com/automgen https://www.vulncheck.com/advisories/irai-automgen-use-after-free-remote-dos |
| JVC (JVCKENWOOD)--IP-Camera (VN-T216VPRU) | JVC VN-T IP-camera models firmware versions up to 2016-08-22 (confirmed on the VN-T216VPRU model) contain a directory traversal vulnerability in the checkcgi endpoint that accepts a user-controlled file parameter. An unauthenticated remote attacker can leverage this vulnerability to read arbitrary files on the device. | 2025-11-12 | not yet calculated | CVE-2016-15055 | https://www.exploit-db.com/exploits/40282 https://web.archive.org/web/20170713051843/http://www.black-rose.ml/2016/08/analyzing-security-cameras-products.html http://pro.jvc.com/prof/attributes/tech_desc.jsp?model_id=MDL102145&feature_id=02 https://www.vulncheck.com/advisories/jvc-vnt-ip-camera-directory-traversal-via-check-cgi |
| Ubee Interactive--Ubee EVW3226 | Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessible without authentication until the next reboot. A remote attacker on the local network can request 'Configuration_file.cfg' directly to obtain the backup archive. Because backup files are not encrypted, they expose sensitive information including the plaintext admin password, allowing full compromise of the device. | 2025-11-14 | not yet calculated | CVE-2016-15056 | https://www.exploit-db.com/exploits/40156 https://seclists.org/fulldisclosure/2016/Jul/66 https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities https://web.archive.org/web/20160403014231/http://www.ubeeinteractive.com/products/cable/evw3226 https://www.vulncheck.com/advisories/ubee-evw3226-unauthenticated-backup-file-disclosure |
| QNAP Systems Inc.--Photo Station | Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research. | 2025-11-11 | not yet calculated | CVE-2017-20210 | https://www.qnap.com/en-in/security-advisory/nas-201705-04 |
| UCanCode.Net Software--E-XD++ Visualization Enterprise Suite | UCanCode E-XD++ Visualization Enterprise Suite contains an untrusted pointer dereference vulnerability via the TKDRAWCAD.TKDrawCADCtrl.1 ActiveX control. This is because it exposes a RotateShape method that dereferences a user-supplied pointer without sufficient validation. A crafted input may cause the control to dereference an attacker-controlled pointer, enabling remote code execution in the context of the hosting process. The vulnerability requires user interaction (instantiation of the ActiveX control via a web page or a file). | 2025-11-12 | not yet calculated | CVE-2017-20211 | https://www.zerodayinitiative.com/advisories/ZDI-17-422/ https://www.ucancode.net/ https://www.vulncheck.com/advisories/ucancode-e-xd-visualization-enterprise-suite-untrusted-pointer-dereference-rce |
| RainbowFish Software--PacsOne Server | PacsOne Server version 6.6.2 (prior versions are likely affected) contains a directory traversal vulnerability within the web-based DICOM viewer component. Successful exploitation allows a remote unauthenticated attacker to read arbitrary files via the 'nocache.php' endpoint with a crafted 'path' parameter. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC. | 2025-11-10 | not yet calculated | CVE-2018-25124 | https://www.exploit-db.com/exploits/43907 https://pacsone.net/download.htm https://www.vulncheck.com/advisories/pacsone-server-dicom-web-viewer-directory-traversal-lfi |
| Netis Systems Co., Ltd.--DL4322D | Netis ADSL Router DL4322D firmware RTK 2.1.1 contains a buffer overflow vulnerability in the embedded FTP service that allows an authenticated remote user to trigger a denial of service. After logging in to the FTP service, sending an FTP command such as ABOR with an excessively long argument causes the service, and in practice the router, to crash or become unresponsive, resulting in a loss of availability for the device and connected users. | 2025-11-14 | not yet calculated | CVE-2018-25125 | https://www.exploit-db.com/exploits/45424 https://web.archive.org/web/20180731191918/http://www.netis-systems.com/Home/detail/id/74.html https://www.netis-systems.com/ https://www.vulncheck.com/advisories/netis-dl4322d-ftp-service-dos |
| Employee Records System--Employee Records System | Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation. | 2025-11-10 | not yet calculated | CVE-2021-4462 | https://www.sourcecodester.com/php/11393/employee-records-system.html https://www.exploit-db.com/exploits/49596 https://www.vulncheck.com/advisories/employees-records-system-arbitrary-file-upload-rce |
| Shenzhen Longjing Technology Co. Ltd.--BEMS API | Longjing Technology BEMS API versions up to and including 1.21 contain an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory. | 2025-11-12 | not yet calculated | CVE-2021-4463 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php https://www.exploit-db.com/exploits/50163 https://packetstormsecurity.com/files/163702 https://cxsecurity.com/issue/WLB-2021070173 https://exchange.xforce.ibmcloud.com/vulnerabilities/206477 https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/ https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download |
| FiberHome--AN5506-04-FA | FiberHome AN5506-04-FA firmware versions up to and including RP2631 and HG6245D prior to RP2602 contain a stack-based buffer overflow, as the HTTP service ('webs') fails to enforce maximum lengths for Cookie header values. When a cookie longer than 511 bytes is processed, a stack buffer is overrun, leading to a crash or potential control of execution flow. | 2025-11-12 | not yet calculated | CVE-2021-4464 | https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#misc-remote-stack-overflow-an5506 https://pierrekim.github.io/advisories/2021-fiberhome-0x00-ont.txt https://www.vulncheck.com/advisories/fiberhome-routers-remote-stack-overflow |
| ReQuest Serious Play LLC--ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability. The device can be shut down or rebooted by an unauthenticated attacker through a single crafted HTTP GET request, allowing remote interruption of service availability. | 2025-11-14 | not yet calculated | CVE-2021-4465 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php https://www.exploit-db.com/exploits/48951 https://packetstorm.news/files/id/159602 https://cxsecurity.com/issue/WLB-2020100122 https://exchange.xforce.ibmcloud.com/vulnerabilities/190031 http://www.request.com/ https://www.vulncheck.com/advisories/request-serious-play-f3-media-server-remote-dos |
| IPCop Project--IPCop | IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise. | 2025-11-14 | not yet calculated | CVE-2021-4466 | https://www.exploit-db.com/exploits/50183 https://www.ipcop.org/ https://sourceforge.net/projects/ipcop/ https://www.vulncheck.com/advisories/ipcop-authenticated-rce |
| Positive Technologies--MaxPatrol 8 (Server) | Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002. The service generates a new session identifier for each incoming connection without adequately limiting concurrent requests. An unauthenticated remote attacker can repeatedly issue HTTPS requests to the service, causing excessive allocation of session identifiers. Under load, session identifier collisions may occur, forcing active client sessions to disconnect and resulting in service disruption. | 2025-11-14 | not yet calculated | CVE-2021-4467 | https://vulners.com/zdt/1337DAY-ID-36775 https://cxsecurity.com/issue/WLB-2021090114 https://www.ptsecurity.com/ https://www.vulncheck.com/advisories/positive-technologies-maxpatrol-8-and-xspider-remote-dos |
| PLANEX COMMUNICATIONS Inc.--CS-QP50F-ING2 | PLANEX CS-QP50F-ING2 smart cameras expose a configuration backup interface over HTTP that does not require authentication. A remote, unauthenticated attacker can directly retrieve a compressed configuration backup file from the device. The backup contains sensitive configuration information, including credentials, allowing an attacker to obtain administrative access to the camera and compromise the confidentiality of the monitored environment. | 2025-11-14 | not yet calculated | CVE-2021-4468 | https://packetstorm.news/files/id/160805/ https://cxsecurity.com/issue/WLB-2021010050 https://www.planex.co.jp/products/cs-qp50f/ https://www.vulncheck.com/advisories/planex-cs-qp50f-ing2-smart-camera-remote-configuration-disclosure |
| Denver--SHO-110 | Denver SHO-110 IP cameras expose a secondary HTTP service on TCP port 8001 that provides access to a '/snapshot' endpoint without authentication. While the primary web interface on port 80 enforces authentication, the backdoor service allows any remote attacker to retrieve image snapshots by directly requesting the 'snapshot' endpoint. An attacker can repeatedly collect snapshots and reconstruct the camera stream, compromising the confidentiality of the monitored environment. | 2025-11-14 | not yet calculated | CVE-2021-4469 | https://www.exploit-db.com/exploits/50162 http://old.denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826 https://www.vulncheck.com/advisories/denver-sho-110-ip-camera-unauthenticated-snapshot-access |
| TG8--TG8 Firewall | TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint. The syscmd POST parameter is passed directly to a system command without validation and executed with root privileges. A remote, unauthenticated attacker can supply crafted values to execute arbitrary operating system commands as root, resulting in full device compromise. | 2025-11-14 | not yet calculated | CVE-2021-4470 | https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/ https://web.archive.org/web/20211024224240/http://www.tg8security.com/ https://www.vulncheck.com/advisories/tg8-firewall-unauthenticated-rce-via-runphpcmd-php |
| TG8--TG8 Firewall | TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate and download files within the directory to obtain valid account usernames and passwords, leading to loss of confidentiality and further unauthorized access. | 2025-11-14 | not yet calculated | CVE-2021-4471 | https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/ https://web.archive.org/web/20211024224240/http://www.tg8security.com/ https://www.vulncheck.com/advisories/tg8-firewall-unauthenticated-user-password-disclosure |
| DBL Technology (DBLTek)--GoIP-1 | DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability. The device's web server exposes handlers (`frame.html` and `frame.A100.html`) that accept a path parameter (`content` or `sidebar`) which is not properly validated or canonicalized. An attacker can supply directory-traversal sequences to cause the server to read and return arbitrary filesystem files that the webserver user can access. Other GoIP models and firmware versions are likely affected. Exploitation evidence was observed by the Shadowserver Foundation on 2024-03-21 UTC. | 2025-11-12 | not yet calculated | CVE-2022-4982 | https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/ https://www.exploit-db.com/exploits/50775 http://www.dbltek.com/ https://www.vulncheck.com/advisories/dbltek-goip-unauthenticated-lfi |
| TEC-IT Datenverarbeitung GmbH, Austria--TEC-IT TBarCode | TEC-IT TBarCode version 11.15 contains a vulnerability in the TBarCode11.ocx ActiveX/OCX control's licensing handling (INI-file based) that can be abused to cause remote creation of files on the host filesystem. Depending on where files can be created and which filenames are allowed, this can allow attackers to write files that lead to code execution or persistence under the context of the hosting process. | 2025-11-12 | not yet calculated | CVE-2022-4983 | https://www.tec-it.com/en/software/barcode-software/tbarcode/history/v10/Default.aspx https://www.vulncheck.com/advisories/tec-it-tbarcode-sdk-remote-file-create |
| Qingdao Esoft Tianchuang Network Technology Co., Ltd.--ZenTao Biz | ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC. | 2025-11-13 | not yet calculated | CVE-2022-4984 | https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853 https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login |
| Vodacom--Vodafone H500s | Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems. | 2025-11-14 | not yet calculated | CVE-2022-4985 | https://www.exploit-db.com/exploits/50636 https://cxsecurity.com/issue/WLB-2022010024 https://help.vodacom.co.za/personal/home/61/9493/1023659/Vodafone-H500s-WiFi-router https://www.vulncheck.com/advisories/vodafone-h500s-wifi-password-disclosure-via-activation-json |
| Seiko Epson--Epson Stylus SX510W | The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting in the printer process shutting down or powering off, causing a denial of service condition. | 2025-11-12 | not yet calculated | CVE-2023-7326 | https://www.exploit-db.com/exploits/51441 https://www.epson.eu/en_EU/support/sc/epson-stylus-sx510w/s/s837 https://www.vulncheck.com/advisories/epson-stylus-printer-remote-power-off-dos |
| Ozeki Ltd.--Ozeki SMS Gateway | Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability. Successful exploitation allows an unauthenticated attacker to use URL-encoded traversal sequences to read arbitrary files from the underlying filesystem with the privileges of the gateway service, leading to disclosure of sensitive information. | 2025-11-12 | not yet calculated | CVE-2023-7327 | https://www.exploit-db.com/exploits/51646 https://ozeki-sms-gateway.com/ https://www.vulncheck.com/advisories/ozeki-sms-gateway-unauthenticated-arbitrary-file-read |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C | Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control vulnerability in which the user management API allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values. | 2025-11-14 | not yet calculated | CVE-2023-7328 | https://www.exploit-db.com/exploits/51460 https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php https://packetstormsecurity.com/files/172332/ https://www.vulncheck.com/advisories/screen-sft-dab-600c-unauthenticated-information-disclosure |
| tinycontrol--Lan Controller | Tinycontrol LAN Controller v3 (LK3) firmware versions up to 1.58a (hardware v3.8) contain a missing authentication vulnerability in the stm.cgi endpoint. A remote, unauthenticated attacker can send crafted requests to forcibly reboot the device or restore factory settings, leading to a denial of service and configuration loss. | 2025-11-12 | not yet calculated | CVE-2023-7329 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php https://packetstormsecurity.com/files/174455/ https://www.exploit-db.com/exploits/51730 https://exchange.xforce.ibmcloud.com/vulnerabilities/275810 https://tinycontrol.pl/en/archives/lan-controller-35/ https://www.vulncheck.com/advisories/tinycontrol-lan-controller-v3-remote-dos |
| Google--Chrome | Inappropriate implementation in Intents in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2024-11919 | |
| Google--Chrome | Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2025-11-14 | not yet calculated | CVE-2024-11920 | |
| Google--Chrome | Inappropriate implementation in Fullscreen in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2024-13178 | |
| Google--Chrome | Inappropriate implementation in Lens in Google Chrome on iOS prior to 136.0.7103.59 allowed a remote attacker to perform UI spoofing via a crafted QR code. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2024-13983 | |
| usememos--memos | Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stays valid instead of expiring. If a user finds that their account has been compromised, they can update their password. In versions up to and including 0.18.1, though, the bad actor will still have access to their account because the bad actor's Access Token stays on the list as a valid token. The user will have to manually delete the bad actor's Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of Access Tokens. A known patched version of Memos isn't available. To improve Memos security, all Access Tokens will need to be revoked when a user changes their password. This removes the session for all the user's devices and prompts the user to log in again. One can treat the old Access Tokens as "invalid" because those Access Tokens were created with the older password. | 2025-11-14 | not yet calculated | CVE-2024-21635 | https://github.com/usememos/memos/security/advisories/GHSA-mr34-8733-grr2 |
| n/a--n/a | Cross Site Scripting vulnerability in Alto CMS v.1.1.13 allows a local attacker to execute arbitrary code via a crafted script. | 2025-11-14 | not yet calculated | CVE-2024-42749 | https://github.com/altocms/altocms https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-42749.md |
| n/a--PHPGurukul | Multiple parameters in register.php in PHPGurukul Student Record System 3.20 are vulnerable to SQL injection. These include: c-full, fname, mname, lname, gname, ocp, nation, mobno, email, board1, roll1, pyear1, board2, roll2, pyear2, sub1, marks1, sub2, course-short, income, category, ph, country, state, city, padd, cadd, and gender. | 2025-11-14 | not yet calculated | CVE-2024-44630 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44630.md |
| n/a--PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the id and emailid parameters in password-recovery.php. | 2025-11-14 | not yet calculated | CVE-2024-44632 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44632.md |
| n/a--PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the currentpassword parameter in change-password.php. | 2025-11-14 | not yet calculated | CVE-2024-44633 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44633.md |
| n/a--PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to Cross Site Scripting (XSS) via adminname and aemailid parameters in /admin-profile.php. | 2025-11-14 | not yet calculated | CVE-2024-44635 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44635.md |
| n/a--PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the adminname and aemailid parameters in /admin-profile.php. | 2025-11-14 | not yet calculated | CVE-2024-44636 | https://phpgurukul.com/student-record-system-php CVE Record: CVE-2024-44636 |
| n/a--PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the sub1, sub2, sub3, sub4, and course-short parameters in add-subject.php. | 2025-11-14 | not yet calculated | CVE-2024-44639 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44639.md |
| n/a--PHPGurukul | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the course-short, course-full, and cdate parameters in add-course.php. | 2025-11-14 | not yet calculated | CVE-2024-44640 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44640.md |
| n/a--PHPGurukul | PHPGurukul Student Record Management System 3.20 is vulnerable to SQL Injection via the id and password parameters in login.php. | 2025-11-14 | not yet calculated | CVE-2024-55016 | https://phpgurukul.com/student-record-system-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-55016.md |
| n/a--PHPGurukul | An issue in Agnitum Outpost Security Suite 7.5.3 (3942.608.1810) and 7.6 (3984.693.1842) allows a local attacker to execute arbitrary code via the lock function. The manufacturer fixed the vulnerability in version 8.0 (4164.652.1856) from December 17, 2012. | 2025-11-11 | not yet calculated | CVE-2024-57695 | https://www.youtube.com/watch?v=fvgD884wCX8 https://habr.com/en/articles/161393/ |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2025-11-14 | not yet calculated | CVE-2024-7017 | |
| Google--Chrome | Inappropriate implementation in Autofill in Google Chrome on Windows prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2024-7021 | |
| Google--Chrome | Use after free in Internals in Google Chrome on iOS prior to 127.0.6533.88 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a series of curated UI gestures. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2024-9126 | |
| OpenSolution--QuickCMS | QuickCMS is vulnerable to multiple Stored XSS issues in the language editor functionality (languages). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default, the admin user is not able to add JavaScript to the website. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-14 | not yet calculated | CVE-2025-10018 | https://cert.pl/posts/2025/11/CVE-2025-9982 https://opensolution.org/cms-system-quick-cms.html |
| Unknown--Creta Testimonial Showcase | The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. | 2025-11-14 | not yet calculated | CVE-2025-10686 | https://wpscan.com/vulnerability/27d58c5a-ab87-41aa-a806-53fa96d4351c/ |
| Rockwell Automation--FactoryTalk DataMosaix Private Cloud | A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. | 2025-11-11 | not yet calculated | CVE-2025-11084 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1758.html |
| Rockwell Automation--FactoryTalk DataMosaix Private Cloud | A security issue exists within DataMosaix™ Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website. | 2025-11-11 | not yet calculated | CVE-2025-11085 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1758.html |
| Unknown--Make Email Customizer for WooCommerce | The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options. | 2025-11-11 | not yet calculated | CVE-2025-11237 | https://wpscan.com/vulnerability/88b46752-051b-4468-9e2b-cc81a9ce1075/ |
| Unknown--WP Go Maps (formerly WP Google Maps) | The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped. | 2025-11-11 | not yet calculated | CVE-2025-11307 | https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/ |
| N-able--N-central | N-central < 2025.4 is vulnerable to authentication bypass via path traversal | 2025-11-12 | not yet calculated | CVE-2025-11366 | https://me.n-able.com/s/security-advisory/aArVy0000000rcDKAQ/cve202511366-ncentral-authentication-bypass-via-path-traversal |
| N-able--N-central | The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization | 2025-11-12 | not yet calculated | CVE-2025-11367 | https://me.n-able.com/s/security-advisory/aArVy0000000rfRKAQ/cve202511367-ncentral-windows-software-probe-remote-code-execution |
| Unknown--Team Members Showcase | The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins. | 2025-11-12 | not yet calculated | CVE-2025-11560 | https://wpscan.com/vulnerability/64d7a074-3f1d-4b09-8e96-d76b9fb3c41e/ |
| Schneider Electric--PowerChute Serial Shutdown | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload. | 2025-11-12 | not yet calculated | CVE-2025-11565 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-315-01.pdf |
| Schneider Electric--PowerChute Serial Shutdown | CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint. | 2025-11-12 | not yet calculated | CVE-2025-11566 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-315-01.pdf |
| Schneider Electric--PowerChute Serial Shutdown | CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured. | 2025-11-12 | not yet calculated | CVE-2025-11567 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-315-01.pdf |
| GitHub--Enterprise Server | A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user's authorized keys, thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program. | 2025-11-10 | not yet calculated | CVE-2025-11578 | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19 https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1 |
| Rockwell Automation--Studio 5000 Simulation Interface | A local server-side request forgery (SSRF) security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes. | 2025-11-11 | not yet calculated | CVE-2025-11696 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1760.html |
| Rockwell Automation--Studio 5000 Simulation Interface | A local code execution security issue exists within Studio 5000® Simulation Interface™ via the API. This vulnerability allows any Windows user on the system to extract files using path traversal sequences, resulting in execution of scripts with Administrator privileges on system reboot. | 2025-11-11 | not yet calculated | CVE-2025-11697 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1760.html |
| N-able--N-central | N-central versions < 2025.4 are vulnerable to an XML External Entities injection leading to information disclosure | 2025-11-12 | not yet calculated | CVE-2025-11700 | https://me.n-able.com/s/security-advisory/aArVy0000000rabKAA/cve202511700-ncentral-importservicefromfile-xxe-injection |
| Unknown--age-restriction | The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated user, such as a subscriber, to create an admin user with a hardcoded username and arbitrary password. | 2025-11-11 | not yet calculated | CVE-2025-11855 | https://wpscan.com/vulnerability/1a16440e-817f-4ec2-9c70-261f6b63fb8a/ |
| Rockwell Automation--Verve Asset Manager | A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API. | 2025-11-11 | not yet calculated | CVE-2025-11862 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1759.html |
| GitHub--Enterprise Server | An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19. | 2025-11-10 | not yet calculated | CVE-2025-11892 | https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10 https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14 https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19 |
| Rockwell Automation--Arena Simulation | Rockwell Automation Arena® suffers from a stack-based buffer overflow vulnerability. The specific flaw exists within the parsing of DOE files. Local attackers are able to exploit this issue to potentially execute arbitrary code on affected installations of Arena®. Exploiting the vulnerability requires opening a malicious DOE file. | 2025-11-14 | not yet calculated | CVE-2025-11918 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1763.html |
| NetScaler--ADC | Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | 2025-11-11 | not yet calculated | CVE-2025-12101 | https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX695486 |
| floragunn--Search Guard FLX | In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices. | 2025-11-14 | not yet calculated | CVE-2025-12149 | https://search-guard.com/cve-advisory/ https://docs.search-guard.com/latest/changelog-searchguard-flx-3_1_3 https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_0 |
| Google Cloud--Looker | A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : 24.12.100+, 24.18.192+, 25.0.69+, 25.6.57+, 25.8.39+, 25.10.22+ | 2025-11-10 | not yet calculated | CVE-2025-12155 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| AlgoSec--Firewall Analyzer | Improper Limitation of a Pathname ('Path Traversal') vulnerability in Algosec Firewall Analyzer on Linux, 64 bit allows an authenticated user to upload files to a restricted directory leading to code injection. This issue affects Algosec Firewall Analyzer: A33.0 (up to build 320), A33.10 (up to build 210). | 2025-11-12 | not yet calculated | CVE-2025-12382 | https://techdocs.algosec.com/en/cves/Content/tech-notes/cves/cve-2025-12382.htm |
| Google Cloud--Looker Studio | A SQL injection vulnerability was found in Looker Studio. A Looker Studio user with report view access could inject malicious SQL that would execute with the report owner's permissions. The vulnerability affected reports with BigQuery as the data source. This vulnerability was patched on 21 July 2025, and no customer action is needed. | 2025-11-10 | not yet calculated | CVE-2025-12397 | https://cloud.google.com/support/bulletins#gcp-2025-053 https://www.tenable.com/security/research/tra-2025-28 |
| Google Cloud--Looker Studio | An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors. A Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report. This vulnerability was patched on 21 July 2025, and no customer action is needed. | 2025-11-10 | not yet calculated | CVE-2025-12405 | https://cloud.google.com/support/bulletins#gcp-2025-053 https://www.tenable.com/security/research/tra-2025-29 |
| Google Cloud--Looker Studio | A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources. By creating a malicious report with native functions enabled, and having the victim access the report, an attacker could execute injected SQL queries with the victim's permissions in BigQuery. This vulnerability was patched on 07 July 2025, and no customer action is needed. | 2025-11-10 | not yet calculated | CVE-2025-12409 | https://cloud.google.com/support/bulletins#gcp-2025-053 https://www.tenable.com/security/research/tra-2025-27 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12428 | |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12429 | |
| Google--Chrome | Object lifecycle issue in Media in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12430 | |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12431 | |
| Google--Chrome | Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12432 | |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12433 | |
| Google--Chrome | Race in Storage in Google Chrome on Windows prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12434 | |
| Google--Chrome | Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12435 | |
| Google--Chrome | Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12436 | |
| Google--Chrome | Use after free in PageInfo in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12437 | |
| Google--Chrome | Use after free in Ozone in Google Chrome on Linux and ChromeOS prior to 142.0.7444.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12438 | |
| Google--Chrome | Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12439 | |
| Google--Chrome | Inappropriate implementation in Autofill in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12440 | |
| Google--Chrome | Out of bounds read in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12441 | |
| Google--Chrome | Out of bounds read in WebXR in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12443 | |
| Google--Chrome | Incorrect security UI in Fullscreen UI in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12444 | |
| Google--Chrome | Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12445 | |
| Google--Chrome | Incorrect security UI in SplitView in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12446 | |
| Google--Chrome | Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-10 | not yet calculated | CVE-2025-12447 | |
| Google--Chrome | Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12725 | |
| Google--Chrome | Inappropriate implementation in Views in Google Chrome on Windows prior to 142.0.7444.137 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12726 | |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-10 | not yet calculated | CVE-2025-12727 | |
| Google--Chrome | Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12728 | |
| Google--Chrome | Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-10 | not yet calculated | CVE-2025-12729 | |
| HP Inc--HP Color LaserJet MFP M478-M479 series | Certain HP LaserJet Pro printers may be vulnerable to information disclosure leading to credential exposure by altering the scan/send destination address and/or modifying the LDAP Server. | 2025-11-13 | not yet calculated | CVE-2025-12784 | https://support.hp.com/us-en/document/ish_13229161-13229183-16/hpsbpi04074 |
| HP Inc--HP Color LaserJet MFP M478-M479 series | Certain HP LaserJet Pro printers may be vulnerable to information disclosure leading to credential exposure by altering the scan/send destination address and/or modifying the LDAP Server. | 2025-11-13 | not yet calculated | CVE-2025-12785 | https://support.hp.com/us-en/document/ish_13229161-13229183-16/hpsbpi04074 |
| NETGEAR--WAX610 | Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points). A user having access to the syslog server can read the logs containing these credentials. This issue affects WAX610: before 10.8.11.4; WAX610Y: before 10.8.11.4. Devices managed with Insight get automatic updates. If not, please check the firmware version and update to the latest. Fixed in: WAX610 firmware 11.8.0.10 or later. WAX610Y firmware 11.8.0.10 or later. | 2025-11-11 | not yet calculated | CVE-2025-12940 | https://www.netgear.com/support/product/wax610 https://www.netgear.com/support/product/wax610y https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| NETGEAR--R6260 | Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to LAN with ability to perform MiTM attacks and control over DNS Server to perform command execution. This issue affects R6260: through 1.1.0.86; R6850: through 1.1.0.86. | 2025-11-11 | not yet calculated | CVE-2025-12942 | https://www.netgear.com/support/product/r6850 https://www.netgear.com/support/product/r6260 https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| NETGEAR--RAX30 | Improper certificate validation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router) allows attackers with the ability to intercept and tamper with traffic destined to the device to execute arbitrary commands on the device. Devices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update to the latest. Fixed in: RAX30 firmware 1.0.14.108 or later. RAXE300 firmware 1.0.9.82 or later. | 2025-11-11 | not yet calculated | CVE-2025-12943 | https://www.netgear.com/support/product/rax30 https://www.netgear.com/support/product/raxe300 https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| NETGEAR--DGN2200v4 | Improper input validation in NETGEAR DGN2200v4 (N300 Wireless ADSL2+ Modem Router) allows attackers with direct network access to the device to potentially execute code on the device. Please check the firmware version and update to the latest. Fixed in: DGN2200v4 firmware 1.0.0.132 or later | 2025-11-11 | not yet calculated | CVE-2025-12944 | https://www.netgear.com/support/product/dgn2200v4 https://kb.netgear.com/000070355/NETGEAR-Security-Advisories-November-2025 |
| TYPO3--Extension "Modules" | Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5. | 2025-11-12 | not yet calculated | CVE-2025-12998 | https://typo3.org/security/advisory/typo3-ext-sa-2025-015 |
| Mozilla--Firefox | Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13012 | https://bugzilla.mozilla.org/show_bug.cgi?id=1991458 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla--Firefox | Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13013 | https://bugzilla.mozilla.org/show_bug.cgi?id=1991945 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla--Firefox | Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13014 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994241 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla--Firefox | Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. | 2025-11-11 | not yet calculated | CVE-2025-13015 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994164 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ https://www.mozilla.org/security/advisories/mfsa2025-89/ |
| Mozilla--Firefox | Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13016 | https://bugzilla.mozilla.org/show_bug.cgi?id=1992130 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla--Firefox | Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13017 | https://bugzilla.mozilla.org/show_bug.cgi?id=1980904 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla--Firefox | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13018 | https://bugzilla.mozilla.org/show_bug.cgi?id=1984940 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla--Firefox | Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13019 | https://bugzilla.mozilla.org/show_bug.cgi?id=1988412 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla--Firefox | Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. | 2025-11-11 | not yet calculated | CVE-2025-13020 | https://bugzilla.mozilla.org/show_bug.cgi?id=1995686 https://www.mozilla.org/security/advisories/mfsa2025-87/ https://www.mozilla.org/security/advisories/mfsa2025-88/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13021 | https://bugzilla.mozilla.org/show_bug.cgi?id=1986431 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13022 | https://bugzilla.mozilla.org/show_bug.cgi?id=1988488 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13023 | https://bugzilla.mozilla.org/show_bug.cgi?id=1992032 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla--Firefox | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13024 | https://bugzilla.mozilla.org/show_bug.cgi?id=1992902 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13025 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994022 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13026 | https://bugzilla.mozilla.org/show_bug.cgi?id=1994441 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145. | 2025-11-11 | not yet calculated | CVE-2025-13027 | Memory safety bugs fixed in Firefox 145 and Thunderbird 145 https://www.mozilla.org/security/advisories/mfsa2025-87/ |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-12 | not yet calculated | CVE-2025-13042 | |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2025-13097 | |
| Google--Chrome | Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2025-13102 | |
| Google--Chrome | Inappropriate implementation in Compositing in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-11-14 | not yet calculated | CVE-2025-13107 | |
| silentmatt--expr-eval | npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue. | 2025-11-14 | not yet calculated | CVE-2025-13204 | https://www.npmjs.com/package/expr-eval-fork https://github.com/silentmatt/expr-eval https://github.com/jorenbroekema/expr-eval https://www.huntr.dev/bounties/1-npm-expr-eval/ https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py https://github.com/silentmatt/expr-eval/pull/252/files https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py |
| Grafana Labs--Grafana Snowflake Datasource Plugin | When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is not authorized being returned. This issue affects Grafana Snowflake Datasource Plugin: from 1.5.0 before 1.14.1. | 2025-11-11 | not yet calculated | CVE-2025-3717 | https://grafana.com/security/security-advisories/cve-2025-3717/ |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it. vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers because some svga commands accept SVGA3D_INVALID_ID to mean "no surface", unfortunately functions that accept the actual surfaces as objects might (and in case of the cursor snooper, do not) be able to handle null objects. Make sure that we validate not only the identifier (via the vmw_cmd_res_check) but also check that the actual resource exists before trying to do something with it. Fixes unchecked null-ptr reference in the snooping code. | 2025-11-12 | not yet calculated | CVE-2025-40110 | https://git.kernel.org/stable/c/299cfb5a7deabdf9ecd30071755672af0aced5eb https://git.kernel.org/stable/c/13c9e4ed125e19484234c960efe5ac9c55119523 https://git.kernel.org/stable/c/b6fca0a07989f361ceda27cb2d09c555d4d4a964 https://git.kernel.org/stable/c/5ac2c0279053a2c5265d46903432fb26ae2d0da2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely. | 2025-11-12 | not yet calculated | CVE-2025-40111 | https://git.kernel.org/stable/c/1822e5287b7dfa59d0af966756ebf1dc652b60ee https://git.kernel.org/stable/c/fb7165e5f3b3b10721ff70553583ad12e90e447a https://git.kernel.org/stable/c/4c918f9d1ccccc0e092f43dcb2d8266f54d7340b https://git.kernel.org/stable/c/9a8eaca539708ca532747f606d231f70e684e8ca https://git.kernel.org/stable/c/867bda5d95d36f10da398fd4409e21c7002b2332 https://git.kernel.org/stable/c/655a2f29bfc21105c80bf8a7d7aafa6eca8b4496 https://git.kernel.org/stable/c/65608e991c2d771c13404e5c7ae122ac3c3357a4 https://git.kernel.org/stable/c/dfe1323ab3c8a4dd5625ebfdba44dc47df84512a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations and a broken epilogue in the exception handlers. This will prevent crashes and ensure correct return values of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged. | 2025-11-12 | not yet calculated | CVE-2025-40112 | https://git.kernel.org/stable/c/05440320ea3e249d5f984918f2bf51210c1a7c03 https://git.kernel.org/stable/c/7823fc4d8ab5e57f8db7806ff2530c03c166c4bb https://git.kernel.org/stable/c/37547d8e6eba87507279ee3dfddfd9dc46335454 https://git.kernel.org/stable/c/a365ee556e45f780ee322b349a06efdad0c1458f https://git.kernel.org/stable/c/8cdeb5e482d3fdce7e825444b6ca3865e24c0228 https://git.kernel.org/stable/c/a90ce516a73dbe087f9bf3dbf311301a58d125c6 https://git.kernel.org/stable/c/088c5098ec6d6b0396edfbf3dad3e81de8469c1c https://git.kernel.org/stable/c/0b67c8fc10b13a9090340c5f8a37d308f4e1571c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E The ADSP firmware on X1E has separate firmware binaries for the main firmware and the DTB. The same applies for the "lite" firmware loaded by the boot firmware. When preparing to load the new ADSP firmware we shutdown the lite_pas_id for the main firmware, but we don't shutdown the corresponding lite pas_id for the DTB. The fact that we're leaving it "running" forever becomes obvious if you try to reuse (or just access) the memory region used by the "lite" firmware: The &adsp_boot_mem is accessible, but accessing the &adsp_boot_dtb_mem results in a crash. We don't support reusing the memory regions currently, but nevertheless we should not keep part of the lite firmware running. Fix this by adding the lite_dtb_pas_id and shutting it down as well. We don't have a way to detect if the lite firmware is actually running yet, so ignore the return status of qcom_scm_pas_shutdown() for now. This was already the case before, the assignment to "ret" is not used anywhere. | 2025-11-12 | not yet calculated | CVE-2025-40113 | https://git.kernel.org/stable/c/ee150acd273aded01a726ce39b1f6128200799e6 https://git.kernel.org/stable/c/142964960c7c35de5c5f7bdd61c32699de693630 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device. Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal. | 2025-11-12 | not yet calculated | CVE-2025-40115 | https://git.kernel.org/stable/c/b3a6d153861d0f29b80882470d14aafb8d687dc2 https://git.kernel.org/stable/c/4e1442bae50ed633c2fe8058f47cd79b4ad88b9b https://git.kernel.org/stable/c/a89253eb4e648deace48a4e38996afd182eb95e3 https://git.kernel.org/stable/c/fa153fb40c61f8ca01237427c97a0b93ba32c403 https://git.kernel.org/stable/c/6459dba4f35017448535a799cf699d5205eb5489 https://git.kernel.org/stable/c/1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62 https://git.kernel.org/stable/c/970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8 https://git.kernel.org/stable/c/1703fe4f8ae50d1fb6449854e1fcaed1053e3a14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it. | 2025-11-12 | not yet calculated | CVE-2025-40116 | https://git.kernel.org/stable/c/89838fe5c6c010ff8d3924f22afd9c18c5c95310 https://git.kernel.org/stable/c/3facf69a735e730ae36387f18780fe420708aa91 https://git.kernel.org/stable/c/e0e0ce06f3571be9b26790e4df56ba37b1de8543 https://git.kernel.org/stable/c/3723c3dda1cc82c9bbca08fcbd46705a361bfd56 https://git.kernel.org/stable/c/b0439e3762ac9ea580f714e1504a1827d1ad32f5 https://git.kernel.org/stable/c/e68ea6de1d0551f90d7a2c75f82cb3ebe5e397dc https://git.kernel.org/stable/c/b682ce44bf20ada752a2f6ce70d5a575c56f6a35 https://git.kernel.org/stable/c/186e8f2bdba551f3ae23396caccd452d985c23e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl() Commit eefb83790a0d ("misc: pci_endpoint_test: Add doorbell test case") added NO_BAR (-1) to the pci_barno enum which, in practical terms, changes the enum from an unsigned int to a signed int. If the user passes a negative number in pci_endpoint_test_ioctl() then it results in an array underflow in pci_endpoint_test_bar(). | 2025-11-12 | not yet calculated | CVE-2025-40117 | https://git.kernel.org/stable/c/6df3687922570f753574c40b35e83b26b32292d0 https://git.kernel.org/stable/c/1ad82f9db13d85667366044acdfb02009d576c5a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when device is gone") UBSAN reports: UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17 index 28 is out of range for type 'pm8001_phy [16]' on rmmod when using an expander. For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id. I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander). E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the ports has an expander connected. The expander has 31 phys with phy ids 0-30. The pm8001_ha->phy array only contains the phys of the HBA. It does not contain the phys of the expander. Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander. Thus, we can only clear phy_attached for devices that are directly attached. | 2025-11-12 | not yet calculated | CVE-2025-40118 | https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493 https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566 https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582 https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628 https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585 https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential null deref in ext4_mb_init() In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy() lacks null pointer checking, this leads to a null pointer dereference. ================================================================== EXT4-fs: no memory for groupinfo slab cache BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP PTI CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none) RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40 Call Trace: <TASK> xa_destroy+0x61/0x130 ext4_mb_init+0x483/0x540 __ext4_fill_super+0x116d/0x17b0 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 do_new_mount+0x197/0x300 __x64_sys_mount+0x116/0x150 do_syscall_64+0x50/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy() to prevent this issue. The same fix is also applied to ext4_mb_largest_free_orders_destroy(). | 2025-11-12 | not yet calculated | CVE-2025-40119 | https://git.kernel.org/stable/c/00110f3cfc9b34b2dfee2a6c9e55a0ae6df125ae https://git.kernel.org/stable/c/3c3fac6bc0a9c00dbe65d8dc0d3a282afe4d3188 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Prevent USB runtime PM (autosuspend) for AX88772* in bind. usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend. The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues. To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides. Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before. | 2025-11-12 | not yet calculated | CVE-2025-40120 | https://git.kernel.org/stable/c/71a0ba7fdaf8d035426912a4ed7bf1738a81010c https://git.kernel.org/stable/c/3e96cd27ff1a004d84908c1b6cc68ac60913874e https://git.kernel.org/stable/c/724a9db84188f80ef60b1f21cc7b4e9c84e0cb64 https://git.kernel.org/stable/c/1534517300e12f2930b6ff477b8820ff658afd11 https://git.kernel.org/stable/c/9d8bcaf6fae1bd82bc27ec09a2694497e6f6c4b4 https://git.kernel.org/stable/c/3d3c4cd5c62f24bb3cb4511b7a95df707635e00a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unexpected results like OOB access. This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed. | 2025-11-12 | not yet calculated | CVE-2025-40121 | https://git.kernel.org/stable/c/bff827b0d507e52b23efab9f67c232a4f037ab2c https://git.kernel.org/stable/c/64a36a7032082b4c330ce081acb6efb99246020e https://git.kernel.org/stable/c/95e29db33b5f73218ae08ebb48c61c9a8d28e2ff https://git.kernel.org/stable/c/2204e582b4eea872e1e7a5c90edcb84b928c68b0 https://git.kernel.org/stable/c/f197894de2f4ef46c7d53827d9df294b75c35e13 https://git.kernel.org/stable/c/fdf99978a6480e14405212472b6c747e0fa43bed https://git.kernel.org/stable/c/c60f269c123210a6846d6d1367de0eaa402c10b0 https://git.kernel.org/stable/c/4336efb59ef364e691ef829a73d9dbd4d5ed7c7b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error When running perf_fuzzer on PTL, sometimes the below "unchecked MSR access error" is seen when accessing IA32_PMC_x_CFG_B MSRs. [ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30) [ 55.611280] Call Trace: [ 55.611282] <TASK> [ 55.611284] ? intel_pmu_config_acr+0x87/0x160 [ 55.611289] intel_pmu_enable_acr+0x6d/0x80 [ 55.611291] intel_pmu_enable_event+0xce/0x460 [ 55.611293] x86_pmu_start+0x78/0xb0 [ 55.611297] x86_pmu_enable+0x218/0x3a0 [ 55.611300] ? x86_pmu_enable+0x121/0x3a0 [ 55.611302] perf_pmu_enable+0x40/0x50 [ 55.611307] ctx_resched+0x19d/0x220 [ 55.611309] __perf_install_in_context+0x284/0x2f0 [ 55.611311] ? __pfx_remote_function+0x10/0x10 [ 55.611314] remote_function+0x52/0x70 [ 55.611317] ? __pfx_remote_function+0x10/0x10 [ 55.611319] generic_exec_single+0x84/0x150 [ 55.611323] smp_call_function_single+0xc5/0x1a0 [ 55.611326] ? __pfx_remote_function+0x10/0x10 [ 55.611329] perf_install_in_context+0xd1/0x1e0 [ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10 [ 55.611333] __do_sys_perf_event_open+0xa76/0x1040 [ 55.611336] __x64_sys_perf_event_open+0x26/0x30 [ 55.611337] x64_sys_call+0x1d8e/0x20c0 [ 55.611339] do_syscall_64+0x4f/0x120 [ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e On PTL, GP counter 0 and 1 don't support auto counter reload feature, thus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR which requires to enable auto counter reload on GP counter 0. The root cause of causing this issue is the check for auto counter reload (ACR) counter mask from user space is incorrect in intel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter mask from user space could be set into hw.config1 and then written into CFG_B MSRs and trigger the MSR access warning. e.g., User may create a perf event with ACR counter mask (config2=0xcb), and there is only 1 event created, so "cpuc->n_events" is 1. The correct check condition should be "i + idx >= cpuc->n_events" instead of "i + idx > cpuc->n_events" (it looks like a typo). Otherwise, the counter mask would traverse twice and an invalid "cpuc->assign[1]" bit (bit 0) is set into hw.config1 and cause MSR accessing error. Besides, also check if the ACR counter mask corresponding events are ACR events. If not, filter out these counter masks. If an event is not an ACR event, it could be scheduled to an HW counter which doesn't support ACR. It's invalid to add their counter index in ACR counter mask. Furthermore, remove the WARN_ON_ONCE() since it's easily triggered as user could set any invalid ACR counter mask and the warning message could mislead users. | 2025-11-12 | not yet calculated | CVE-2025-40122 | https://git.kernel.org/stable/c/c6cca4213b618c92e4972919ee568f0fb87313b1 https://git.kernel.org/stable/c/43796f30507802d93ead2dc44fc9637f34671a89 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al. recently reported: Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to dereference the txq member of struct xdp_buff object. The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point for bpf_prog_test_run_xdp() and its expected_attach_type can be neither BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot of a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP to pass xdp_is_valid_access() validation. The program returns struct xdp_md's egress_ifindex, and the latter is only allowed to be accessed under mentioned expected_attach_type. progB is then inserted into the tailcall which progA calls. The underlying issue goes beyond XDP though. Another example are programs of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well as sock_addr_func_proto() have different logic depending on the programs' expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME should not be allowed doing a tailcall into a program which calls bpf_bind() out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT. In short, specifying expected_attach_type allows to open up additional functionality or restrictions beyond what the basic bpf_prog_type enables. The use of tailcalls must not violate these constraints. Fix it by enforcing expected_attach_type in __bpf_prog_map_compatible(). Note that we only enforce this for tailcall maps, but not for BPF devmaps or cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and cpu_map_bpf_prog_run*() which set up a new environment / context and therefore these situations are not prone to this issue. | 2025-11-12 | not yet calculated | CVE-2025-40123 | https://git.kernel.org/stable/c/a99de19128aec0913f3d529f529fbbff5edfaff8 https://git.kernel.org/stable/c/08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32 https://git.kernel.org/stable/c/f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a https://git.kernel.org/stable/c/c1ad19b5d8e23123503dcaf2d4342e1b90b923ad https://git.kernel.org/stable/c/4540aed51b12bc13364149bf95f6ecef013197c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled resulted from copy_from_user() returning impossibly large values greater than the size to be copied. This led to __copy_from_iter() returning impossible values instead of the actual number of bytes it was able to copy. The BUG_ON has been reported in https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. The exception handlers expect that %o2 has already been masked during the bulk copy loop, but the masking was performed after that loop. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged. | 2025-11-12 | not yet calculated | CVE-2025-40124 | https://git.kernel.org/stable/c/fdd43fe6d286f27b826572457a89c926f97e2d3a https://git.kernel.org/stable/c/1198077606aeffb102587c6ea079ce99641c99d4 https://git.kernel.org/stable/c/1857cdca12c4aff58bf26a7005a4d02850c29927 https://git.kernel.org/stable/c/91eda032eb16e5d2be27c95584665bc555bb5a90 https://git.kernel.org/stable/c/dc766c4830a7e1e1ee9d7f77d4ab344f2eb23c8e https://git.kernel.org/stable/c/5ef9c94d7110e90260c06868cf1dcf899b9f25ee https://git.kernel.org/stable/c/e50377c6b3f278c9f3ef017ffce17f5fcc9dace4 https://git.kernel.org/stable/c/47b49c06eb62504075f0f2e2227aee2e2c2a58b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning: kernfs: can not remove 'nr_tags', no directory WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160 Call Trace: remove_files.isra.1+0x38/0xb0 sysfs_remove_group+0x4d/0x100 sysfs_remove_groups+0x31/0x60 __kobject_del+0x23/0xf0 kobject_del+0x17/0x40 blk_mq_unregister_hctx+0x5d/0x80 blk_mq_sysfs_unregister_hctxs+0x94/0xd0 blk_mq_update_nr_hw_queues+0x124/0x760 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x92/0x120 [null_blk] kobject_del() was called unconditionally even if sysfs creation failed. Fix it by checking the kobject creation status before deleting it. | 2025-11-12 | not yet calculated | CVE-2025-40125 | https://git.kernel.org/stable/c/a8c53553f1833cc2d14175d2d72cf37193a01898 https://git.kernel.org/stable/c/cc14ea21c4e658814d737ed4dedde6cd626a15ad https://git.kernel.org/stable/c/4b97e99b87a773d52699521d40864f3ec888e9a6 https://git.kernel.org/stable/c/6e7dadc5763c48eb3b9b91265a21f312599ebb2c https://git.kernel.org/stable/c/06c4826b1d900611096e4621e93133db57e13911 https://git.kernel.org/stable/c/babc634e9fe2803962dba98a07587e835dbc0731 https://git.kernel.org/stable/c/d5ddd76ee52bdc16e9f8b1e7791291e785dab032 https://git.kernel.org/stable/c/4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged. | 2025-11-12 | not yet calculated | CVE-2025-40126 | https://git.kernel.org/stable/c/0bf3dc3a2156f1c5ddaba4b85d09767874634114 https://git.kernel.org/stable/c/41c18baee66134e6ef786eb075c1b6adb22432b0 https://git.kernel.org/stable/c/59424dc0d0e044b2eb007686a4724ddd91d57db5 https://git.kernel.org/stable/c/9b137f277cc3297044aabd950f589e505d30104c https://git.kernel.org/stable/c/674ff598148a28bae0b5372339de56f2abf0b1d1 https://git.kernel.org/stable/c/7de3a75bbc8465d816336c74d50109e73501efab https://git.kernel.org/stable/c/57c278500fce3cd4e1c540700c0b05426a958393 https://git.kernel.org/stable/c/4fba1713001195e59cfc001ff1f2837dab877efb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: ks-sa - fix division by zero in ks_sa_rng_init Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization. The clk_get_rate() call is performed on an uninitialized clk pointer, resulting in division by zero when calculating delay values. Add clock initialization code before using the clock. drivers/char/hw_random/ks-sa-rng.c | 7 +++++++ 1 file changed, 7 insertions(+) | 2025-11-12 | not yet calculated | CVE-2025-40127 | https://git.kernel.org/stable/c/692a04a1e0cde1d80a33df0078c755cf02cd7268 https://git.kernel.org/stable/c/d76b099011fa056950f63d05ebb6160991242f6a https://git.kernel.org/stable/c/eec7e0e19c1fa75dc65e25aa6a21ef24a03849af https://git.kernel.org/stable/c/f4238064379a91e71a9c258996acac43c50c2094 https://git.kernel.org/stable/c/2b6bcce32cb5aff84588a844a4d3f6dd5353b8e2 https://git.kernel.org/stable/c/55a70e1de75e5ff5f961c79a2cdc6a4468cc2bf2 https://git.kernel.org/stable/c/612b1dfeb414dfa780a6316014ceddf9a74ff5c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT. | 2025-11-12 | not yet calculated | CVE-2025-40129 | https://git.kernel.org/stable/c/81cec07d303186d0d8c623ef8b5ecd3b81e94cf6 https://git.kernel.org/stable/c/affc03d44921f493deaae1d33151e3067a6f9f8f https://git.kernel.org/stable/c/ab9a70cd2386a0d70c164b0905dd66bc9af52e77 https://git.kernel.org/stable/c/6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues. A typical race condition call trace is: [Thread A] ufshcd_pm_qos_exit() --> cpu_latency_qos_remove_request() --> cpu_latency_qos_apply(); --> pm_qos_update_target() --> plist_del <--(1) delete plist node --> memset(req, 0, sizeof(*req)); --> hba->pm_qos_enabled = false; [Thread B] ufshcd_devfreq_target --> ufshcd_devfreq_scale --> ufshcd_scale_clks --> ufshcd_pm_qos_update <--(2) pm_qos_enabled is true --> cpu_latency_qos_update_request --> pm_qos_update_target --> plist_del <--(3) plist node use-after-free Introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads. | 2025-11-12 | not yet calculated | CVE-2025-40130 | https://git.kernel.org/stable/c/d9df61afb8d23c475f1be3c714da2c34c156ab01 https://git.kernel.org/stable/c/79dde5f7dc7c038eec903745dc1550cd4139980e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu() In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because rxcb->peer_id is not updated with a valid value. This is expected in monitor mode, where RX frames bypass the regular RX descriptor path that typically sets rxcb->peer_id. As a result, the peer is NULL, and link_id and link_valid fields in the RX status are not populated. This leads to a WARN_ON in mac80211 when it receives data frame from an associated station with invalid link_id. Fix this potential issue by using ppduinfo->peer_id, which holds the correct peer id for the received frame. This ensures that the peer is correctly found and the associated link metadata is updated accordingly. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-11-12 | not yet calculated | CVE-2025-40131 | https://git.kernel.org/stable/c/da64eb2da76ce5626238a951fdf3e81810454427 https://git.kernel.org/stable/c/7ca61ed8b3f3fc9a7decd68039cb1d7d1238c566 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback In create_sdw_dailink() check that sof_end->codec_info->add_sidecar is not NULL before calling it. The original code assumed that if include_sidecar is true, the codec on that link has an add_sidecar callback. But there could be other codecs on the same link that do not have an add_sidecar callback. | 2025-11-12 | not yet calculated | CVE-2025-40132 | https://git.kernel.org/stable/c/aea038062edfca9c6e5ddcecd4611d5a80113b4e https://git.kernel.org/stable/c/a5416c0fc9e77b69f853dfb1e78bc05a7c06a789 https://git.kernel.org/stable/c/87cab86925b7fa4c1c977bc191ac549a3b23f0ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). mptcp_active_enable() is called from subflow_finish_connect(), which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). | 2025-11-12 | not yet calculated | CVE-2025-40133 | https://git.kernel.org/stable/c/ad16235c9d3ef7ec17c109ff39b7504f49d17072 https://git.kernel.org/stable/c/cc976ec9e38bb79409de3261ba1dbb6868e2a53e https://git.kernel.org/stable/c/893c49a78d9f85e4b8081b908fb7c407d018106a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace: <TASK> blk_mq_quiesce_queue+0x2c/0x50 dm_stop_queue+0xd/0x20 __dm_suspend+0x130/0x330 dm_suspend+0x11a/0x180 dev_suspend+0x27e/0x560 ctl_ioctl+0x4cf/0x850 dm_ctl_ioctl+0xd/0x20 vfs_ioctl+0x1d/0x50 __se_sys_ioctl+0x9b/0xc0 __x64_sys_ioctl+0x19/0x30 x64_sys_call+0x2c4a/0x4620 do_syscall_64+0x9e/0x1b0 The issue can be triggered as below: T1 T2 dm_suspend table_load __dm_suspend dm_setup_md_queue dm_mq_init_request_queue blk_mq_init_allocated_queue => q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer! (2) => q->tag_set = set; (3) Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps. Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences. | 2025-11-12 | not yet calculated | CVE-2025-40134 | https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98 https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6 https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4 https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. | 2025-11-12 | not yet calculated | CVE-2025-40135 | https://git.kernel.org/stable/c/f7f9e924f23684b4b23cd9f976cceab24a968e34 https://git.kernel.org/stable/c/9085e56501d93af9f2d7bd16f7fcfacdde47b99c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - request reserved interrupt for virtual function The device interrupt vector 3 is an error interrupt for physical function and a reserved interrupt for virtual function. However, the driver has not registered the reserved interrupt for virtual function. When allocating interrupts, the number of interrupts is allocated based on powers of two, which includes this interrupt. When the system enables GICv4 and the virtual function passthrough to the virtual machine, releasing the interrupt in the driver triggers a warning. The WARNING report is: WARNING: CPU: 62 PID: 14889 at arch/arm64/kvm/vgic/vgic-its.c:852 its_free_ite+0x94/0xb4 Therefore, register a reserved interrupt for VF and set the IRQF_NO_AUTOEN flag to avoid that warning. | 2025-11-12 | not yet calculated | CVE-2025-40136 | https://git.kernel.org/stable/c/854da2b0df1654d63963d587b12fec6068d89643 https://git.kernel.org/stable/c/9228facb308157ac0bdd264b873187896f7a9c7a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate() syzbot reports a bug as below: loop0: detected capacity change from 0 to 40427 F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072) F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock F2FS-fs (loop0): invalid crc value F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix. ------------[ cut here ]------------ kernel BUG at fs/inode.c:753! RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753 Call Trace: <TASK> evict+0x504/0x9c0 fs/inode.c:810 f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692 vfs_get_tree+0x8f/0x2b0 fs/super.c:1815 do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808 do_mount fs/namespace.c:4136 [inline] __do_sys_mount fs/namespace.c:4347 [inline] __se_sys_mount+0x317/0x410 fs/namespace.c:4324 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f During f2fs_evict_inode(), clear_inode() detects that we missed to truncate all page cache before destroying inode, that is because in below path, we will create page #0 in cache, but missed to drop it in error path, let's fix it. - evict - f2fs_evict_inode - f2fs_truncate - f2fs_convert_inline_inode - f2fs_grab_cache_folio : create page #0 in cache - f2fs_convert_inline_folio : sanity check failed, return -EFSCORRUPTED - clear_inode detects that inode->i_data.nrpages is not zero | 2025-11-12 | not yet calculated | CVE-2025-40137 | https://git.kernel.org/stable/c/83a8e4efea022506a0e049e7206bdf8be9f78148 https://git.kernel.org/stable/c/a7b7ebdd7045a36454b3e388a2ecf50344fad9e6 https://git.kernel.org/stable/c/3b0c8908faa18cded84d64822882a830ab1f4d26 https://git.kernel.org/stable/c/9251a9e6e871cb03c4714a18efa8f5d4a8818450 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency() syzbot reported a f2fs bug as below: Oops: gen[ 107.736417][ T5848] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 5848 Comm: syz-executor263 Tainted: G W 6.17.0-rc1-syzkaller-00014-g0e39a731820a #0 PREEMPT_{RT,(full)} RIP: 0010:strcmp+0x3c/0xc0 lib/string.c:284 Call Trace: <TASK> f2fs_check_quota_consistency fs/f2fs/super.c:1188 [inline] f2fs_check_opt_consistency+0x1378/0x2c10 fs/f2fs/super.c:1436 __f2fs_remount fs/f2fs/super.c:2653 [inline] f2fs_reconfigure+0x482/0x1770 fs/f2fs/super.c:5297 reconfigure_super+0x224/0x890 fs/super.c:1077 do_remount fs/namespace.c:3314 [inline] path_mount+0xd18/0xfe0 fs/namespace.c:4112 do_mount fs/namespace.c:4133 [inline] __do_sys_mount fs/namespace.c:4344 [inline] __se_sys_mount+0x317/0x410 fs/namespace.c:4321 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The direct reason is f2fs_check_quota_consistency() may suffer null-ptr-deref issue in strcmp(). The bug can be reproduced w/ below scripts: mkfs.f2fs -f /dev/vdb mount -t f2fs -o usrquota /dev/vdb /mnt/f2fs quotacheck -uc /mnt/f2fs/ umount /mnt/f2fs mount -t f2fs -o usrjquota=aquota.user,jqfmt=vfsold /dev/vdb /mnt/f2fs mount -t f2fs -o remount,usrjquota=,jqfmt=vfsold /dev/vdb /mnt/f2fs umount /mnt/f2fs So, before old_qname and new_qname comparison, we need to check whether they are all valid pointers, fix it. | 2025-11-12 | not yet calculated | CVE-2025-40138 | https://git.kernel.org/stable/c/3f3458852bbfe79c60f2412b8b04677b96688b6e https://git.kernel.org/stable/c/930a9a6ee8e7ffa20af4bffbfc2bbd21d83bf81c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set(). smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() after kernel_getsockname(). Note that the returned value of smc_clc_prfx_set() is not used in the caller. While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst there. | 2025-11-12 | not yet calculated | CVE-2025-40139 | https://git.kernel.org/stable/c/0736993bfe5c7a9c744ae3fac62d769dfdae54e1 https://git.kernel.org/stable/c/935d783e5de9b64587f3adb25641dd8385e64ddb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb. This is the sequence of events that leads to the warning: rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); } rtl8150_set_multicast() { netif_stop_queue(); netif_wake_queue(); <-- wakes up TX queue before URB is done } rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); <-- double submission } rtl8150_set_multicast being the ndo_set_rx_mode callback should not be calling netif_stop_queue and notif_start_queue as these handle TX queue synchronization. The net core function dev_set_rx_mode handles the synchronization for rtl8150_set_multicast making it safe to remove these locks. | 2025-11-12 | not yet calculated | CVE-2025-40140 | https://git.kernel.org/stable/c/cce3c0e21cdd15bcba5c35d3af1700186de8f187 https://git.kernel.org/stable/c/1a08a37ac03d07a1608a1592791041cac979fbc3 https://git.kernel.org/stable/c/54f8ef1a970a8376e5846ed90854decf7c00555d https://git.kernel.org/stable/c/114e05344763a102a8844efd96ec06ba99293ccd https://git.kernel.org/stable/c/6394bade9daab8e318c165fe43bba012bf13cd8e https://git.kernel.org/stable/c/6053e47bbf212b93c051beb4261d7d5a409d0ce3 https://git.kernel.org/stable/c/9d72df7f5eac946f853bf49c428c4e87a17d91da https://git.kernel.org/stable/c/958baf5eaee394e5fd976979b0791a875f14a179 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempts to fix a similar issue to sco_conn_free, where if conn->sk is not set to NULL it may lead to UAF on iso_conn_free. | 2025-11-12 | not yet calculated | CVE-2025-40141 | https://git.kernel.org/stable/c/eba6d787ec117a5d2c60f9644e0a39c18542b6be https://git.kernel.org/stable/c/5319145a07d8bf5b0782b25cb3115825689d42bb https://git.kernel.org/stable/c/80689777919f02328eb873769de4647c9dd3e371 https://git.kernel.org/stable/c/c92ad1a155ccfa38b87bd1d998287e1c0a24248d https://git.kernel.org/stable/c/9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT snd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts via spin_lock_irq(). This also implicitly disables the handling of softirqs such as TIMER_SOFTIRQ. On PREEMPT_RT softirqs are preemptible and spin_lock_irq() does not disable them. That means a timer can be invoked during spin_lock_irq() on the same CPU. Due to synchronisation reasons local_bh_disable() has a per-CPU lock named softirq_ctrl.lock which synchronizes individual softirq against each other. syz-bot managed to trigger a lockdep report where softirq_ctrl.lock is acquired in hrtimer_cancel() in addition to hrtimer_run_softirq(). This is a possible deadlock. The softirq_ctrl.lock can not be made part of spin_lock_irq() as this would lead to too much synchronisation against individual threads on the system. To avoid the possible deadlock, softirqs must be manually disabled before the lock is acquired. Disable softirqs before the lock is acquired on PREEMPT_RT. | 2025-11-12 | not yet calculated | CVE-2025-40142 | https://git.kernel.org/stable/c/63ee96c7f47df239ee0a6e8108b6bfd8c98334ae https://git.kernel.org/stable/c/3969b6193cb7a45aa5fb4ec68f215e9e7f93d39a https://git.kernel.org/stable/c/9fc4a3da9a0259a0500848b5d8657918efde176b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: dont report verifier bug for missing bpf_scc_visit on speculative path Syzbot generated a program that triggers a verifier_bug() call in maybe_exit_scc(). maybe_exit_scc() assumes that, when called for a state with insn_idx in some SCC, there should be an instance of struct bpf_scc_visit allocated for that SCC. Turns out the assumption does not hold for speculative execution paths. See example in the next patch. maybe_scc_exit() is called from update_branch_counts() for states that reach branch count of zero, meaning that path exploration for a particular path is finished. Path exploration can finish in one of three ways: a. Verification error is found. In this case, update_branch_counts() is called only for non-speculative paths. b. Top level BPF_EXIT is reached. Such instructions are never a part of an SCC, so compute_scc_callchain() in maybe_scc_exit() will return false, and maybe_scc_exit() will return early. c. A checkpoint is reached and matched. Checkpoints are created by is_state_visited(), which calls maybe_enter_scc(), which allocates bpf_scc_visit instances for checkpoints within SCCs. Hence, for non-speculative symbolic execution paths, the assumption still holds: if maybe_scc_exit() is called for a state within an SCC, bpf_scc_visit instance must exist. This patch removes the verifier_bug() call for speculative paths. | 2025-11-12 | not yet calculated | CVE-2025-40143 | https://git.kernel.org/stable/c/3861e7c4324aa20a632fb74eb3904114f6afdb57 https://git.kernel.org/stable/c/a3c73d629ea1373af3c0c954d41fd1af555492e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() devm_kcalloc() may fail. ndtest_probe() allocates three DMA address arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses them in ndtest_nvdimm_init(), which can lead to a NULL pointer dereference under low-memory conditions. Check all three allocations and return -ENOMEM if any allocation fails, jumping to the common error path. Do not emit an extra error message since the allocator already warns on allocation failure. | 2025-11-12 | not yet calculated | CVE-2025-40144 | https://git.kernel.org/stable/c/972cbba5cd384bacdc2eb589776e1d0a9f42714f https://git.kernel.org/stable/c/bc8b56317ff83ef4bba89bda356b93978604694f https://git.kernel.org/stable/c/b808a3590c2884ca91316dbadbfcc1924f5893c7 https://git.kernel.org/stable/c/e4a1e3e88160f7d7a2c33e3db8844073ed6eaf97 https://git.kernel.org/stable/c/8aea9d512c65eed0dad98b8d65ce74fe77c01b34 https://git.kernel.org/stable/c/a9e6aa994917ee602798bbb03180a194b37865bb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure When devm_add_action_or_reset() fails, it calls the passed cleanup function. Hence the caller must not repeat that cleanup. Replace the "goto err_regulator_free" by the actual freeing, as there will never be a need again for a second user of this label. | 2025-11-12 | not yet calculated | CVE-2025-40145 | https://git.kernel.org/stable/c/77732c58fef6247b71493dc3997af0ec0aaad5c7 https://git.kernel.org/stable/c/ab81f2f79c683c94bac622aafafbe8232e547159 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nr_requests grown Allocating and freeing sched_tags while the queue is frozen can deadlock [1]. This is a long-term problem, hence allocate memory before freezing the queue and free memory after the queue is unfrozen. [1] https://lore.kernel.org/all/0659ea8d-a463-47c8-9180-43c719e106eb@linux.ibm.com/ | 2025-11-12 | not yet calculated | CVE-2025-40146 | https://git.kernel.org/stable/c/8d26acf8477174d8ef690eb6affe13a630f586ae https://git.kernel.org/stable/c/b86433721f46d934940528f28d49c1dedb690df1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-throttle: fix access race during throttle policy activation On repeated cold boots we occasionally hit a NULL pointer crash in blk_should_throtl() when throttling is consulted before the throttle policy is fully enabled for the queue. Checking only q->td != NULL is insufficient during early initialization, so blkg_to_pd() for the throttle policy can still return NULL and blkg_to_tg() becomes NULL, which later gets dereferenced. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000156 ... pc : submit_bio_noacct+0x14c/0x4c8 lr : submit_bio_noacct+0x48/0x4c8 sp : ffff800087f0b690 x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0 x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70 x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000 x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60 x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002 x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500 x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a Call trace: submit_bio_noacct+0x14c/0x4c8 verity_map+0x178/0x2c8 __map_bio+0x228/0x250 dm_submit_bio+0x1c4/0x678 __submit_bio+0x170/0x230 submit_bio_noacct_nocheck+0x16c/0x388 submit_bio_noacct+0x16c/0x4c8 submit_bio+0xb4/0x210 f2fs_submit_read_bio+0x4c/0xf0 f2fs_mpage_readpages+0x3b0/0x5f0 f2fs_readahead+0x90/0xe8 Tighten blk_throtl_activated() to also require that the throttle policy bit is set on the queue: return q->td != NULL && test_bit(blkcg_policy_throtl.plid, q->blkcg_pols); This prevents blk_should_throtl() from accessing throttle group state until policy data has been attached to blkgs. | 2025-11-12 | not yet calculated | CVE-2025-40147 | https://git.kernel.org/stable/c/6a0c394300a7b0c05504596685de8a46707171fc https://git.kernel.org/stable/c/bd9fd5be6bc0836820500f68fff144609fbd85a9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions The function dc_stream_set_cursor_attributes() currently dereferences the `stream` pointer and nested members `stream->ctx->dc->current_state` without checking for NULL. All callers of these functions, such as in `dcn30_apply_idle_power_optimizations()` and `amdgpu_dm_plane_handle_cursor_update()`, already perform NULL checks before calling these functions. Fixes below: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:336 dc_stream_program_cursor_attributes() error: we previously assumed 'stream' could be null (see line 334) drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c 327 bool dc_stream_program_cursor_attributes( 328 struct dc_stream_state *stream, 329 const struct dc_cursor_attributes *attributes) 330 { 331 struct dc *dc; 332 bool reset_idle_optimizations = false; 333 334 dc = stream ? stream->ctx->dc : NULL; ^^^^^^ The old code assumed stream could be NULL. 335 --> 336 if (dc_stream_set_cursor_attributes(stream, attributes)) { ^^^^^^ The refactor added an unchecked dereference. drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c 313 bool dc_stream_set_cursor_attributes( 314 struct dc_stream_state *stream, 315 const struct dc_cursor_attributes *attributes) 316 { 317 bool result = false; 318 319 if (dc_stream_check_cursor_attributes(stream, stream->ctx->dc->current_state, attributes)) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here. This function used to check for if stream as NULL and return false at the start. Probably we should add that back. | 2025-11-12 | not yet calculated | CVE-2025-40148 | https://git.kernel.org/stable/c/01e793e7d4d402c473f1a61ca5824f086693be65 https://git.kernel.org/stable/c/bf4e4b97d0fdc66f04fc19d807e24dd8421b8f11 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. | 2025-11-12 | not yet calculated | CVE-2025-40149 | https://git.kernel.org/stable/c/feb474ddbf26b51f462ae2e60a12013bdcfc5407 https://git.kernel.org/stable/c/c65f27b9c3be2269918e1cbad6d8884741f835c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid migrating empty section It reports a bug from device w/ zufs: F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT F2FS-fs (dm-64): Stopped filesystem due to reason: 4 Thread A Thread B - f2fs_expand_inode_data - f2fs_allocate_pinning_section - f2fs_gc_range - do_garbage_collect w/ segno #x - writepage - f2fs_allocate_data_block - new_curseg - allocate segno #x The root cause is: fallocate on pinning file may race w/ block allocation as above, result in do_garbage_collect() from fallocate() may migrate segment which is just allocated by a log, the log will update segment type in its in-memory structure, however GC will get segment type from on-disk SSA block, once segment type changes by log, we can detect such inconsistency, then shutdown filesystem. In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE), however segno #173822 was just allocated as data type segment, so in-memory SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA). Change as below to fix this issue: - check whether current section is empty before gc - add sanity checks on do_garbage_collect() to avoid any race case, result in migrating segment used by log. - btw, it fixes misc issue in printed logs: "SSA and SIT" -> "SIT and SSA". | 2025-11-12 | not yet calculated | CVE-2025-40150 | https://git.kernel.org/stable/c/eec1589be36fcf7440755703e4faeee2c01e360b https://git.kernel.org/stable/c/d625a2b08c089397d3a03bff13fa8645e4ec7a01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: No support of struct argument in trampoline programs The current implementation does not support struct argument. This causes an oops when running bpf selftest: $ ./test_progs -a tracing_struct Oops[#1]: CPU -1 Unable to handle kernel paging request at virtual address 0000000000000018, era == 9000000085bef268, ra == 90000000844f3938 rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: 1-...0: (19 ticks this GP) idle=1094/1/0x4000000000000000 softirq=1380/1382 fqs=801 rcu: (detected by 0, t=5252 jiffies, g=1197, q=52 ncpus=4) Sending NMI from CPU 0 to CPUs 1: rcu: rcu_preempt kthread starved for 2495 jiffies! g1197 f0x0 RCU_GP_DOING_FQS(6) ->state=0x0 ->cpu=2 rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. rcu: RCU grace-period kthread stack dump: task:rcu_preempt state:I stack:0 pid:15 tgid:15 ppid:2 task_flags:0x208040 flags:0x00000800 Stack : 9000000100423e80 0000000000000402 0000000000000010 90000001003b0680 9000000085d88000 0000000000000000 0000000000000040 9000000087159350 9000000085c2b9b0 0000000000000001 900000008704a000 0000000000000005 00000000ffff355b 00000000ffff355b 0000000000000000 0000000000000004 9000000085d90510 0000000000000000 0000000000000002 7b5d998f8281e86e 00000000ffff355c 7b5d998f8281e86e 000000000000003f 9000000087159350 900000008715bf98 0000000000000005 9000000087036000 900000008704a000 9000000100407c98 90000001003aff80 900000008715c4c0 9000000085c2b9b0 00000000ffff355b 9000000085c33d3c 00000000000000b4 0000000000000000 9000000007002150 00000000ffff355b 9000000084615480 0000000007000002 ... Call Trace: [<9000000085c2a868>] __schedule+0x410/0x1520 [<9000000085c2b9ac>] schedule+0x34/0x190 [<9000000085c33d38>] schedule_timeout+0x98/0x140 [<90000000845e9120>] rcu_gp_fqs_loop+0x5f8/0x868 [<90000000845ed538>] rcu_gp_kthread+0x260/0x2e0 [<900000008454e8a4>] kthread+0x144/0x238 [<9000000085c26b60>] ret_from_kernel_thread+0x28/0xc8 [<90000000844f20e4>] ret_from_kernel_thread_asm+0xc/0x88 rcu: Stack dump where RCU GP kthread last ran: Sending NMI from CPU 0 to CPUs 2: NMI backtrace for cpu 2 skipped: idling at idle_exit+0x0/0x4 Reject it for now. | 2025-11-12 | not yet calculated | CVE-2025-40151 | https://git.kernel.org/stable/c/d1158559315143e11bfaabcd4b2bea98c7ed1be9 https://git.kernel.org/stable/c/e82406c7cbdd368c5459b8a45e118811d2ba0794 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix bootup splat with separate_gpu_drm modparam The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses drm_gem_obj.gpuva.list, which is not initialized when the drm driver does not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms drm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam is set: [ 9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0 [ 9.523160] Mem abort info: [ 9.523161] ESR = 0x0000000096000006 [ 9.523163] EC = 0x25: DABT (current EL), IL = 32 bits [ 9.523165] SET = 0, FnV = 0 [ 9.523166] EA = 0, S1PTW = 0 [ 9.523167] FSC = 0x06: level 2 translation fault [ 9.523169] Data abort info: [ 9.523170] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 9.523171] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 9.523172] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000 [ 9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000 [ 9.523184] Internal error: Oops: 0000000096000006 [#1] SMP [ 9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT [ 9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024 [ 9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 9.592973] pc : lookup_vma+0x28/0xe0 [msm] [ 9.592996] lr : get_vma_locked+0x2c/0x128 [msm] [ 9.763632] sp : ffff800082dab460 [ 9.763666] Call trace: [ 9.763668] lookup_vma+0x28/0xe0 [msm] (P) [ 9.763688] get_vma_locked+0x2c/0x128 [msm] [ 9.763706] msm_gem_get_and_pin_iova_range+0x68/0x11c [msm] [ 9.763723] msm_gem_get_and_pin_iova+0x18/0x24 [msm] [ 9.763740] msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm] [ 9.763760] __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper] [ 9.763771] drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper] [ 9.763779] drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib] [ 9.763782] drm_client_register+0x58/0x9c [drm] [ 9.763806] drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib] [ 9.763809] drm_client_setup+0xb4/0xd8 [drm_client_lib] [ 9.763811] msm_drm_kms_post_init+0x2c/0x3c [msm] [ 9.763830] msm_drm_init+0x1a8/0x22c [msm] [ 9.763848] msm_drm_bind+0x30/0x3c [msm] [ 9.919273] try_to_bring_up_aggregate_device+0x168/0x1d4 [ 9.919283] __component_add+0xa4/0x170 [ 9.919286] component_add+0x14/0x20 [ 9.919288] msm_dp_display_probe_tail+0x4c/0xac [msm] [ 9.919315] msm_dp_auxbus_done_probe+0x14/0x20 [msm] [ 9.919335] dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus] [ 9.919341] really_probe+0xbc/0x298 [ 9.919345] __driver_probe_device+0x78/0x12c [ 9.919348] driver_probe_device+0x40/0x160 [ 9.919350] __driver_attach+0x94/0x19c [ 9.919353] bus_for_each_dev+0x74/0xd4 [ 9.919355] driver_attach+0x24/0x30 [ 9.919358] bus_add_driver+0xe4/0x208 [ 9.919360] driver_register+0x60/0x128 [ 9.919363] __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus] [ 9.919365] atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20] [ 9.919370] do_one_initcall+0x6c/0x1b0 [ 9.919374] do_init_module+0x58/0x234 [ 9.919377] load_module+0x19cc/0x1bd4 [ 9.919380] init_module_from_file+0x84/0xc4 [ 9.919382] __arm64_sys_finit_module+0x1b8/0x2cc [ 9.919384] invoke_syscall+0x48/0x110 [ 9.919389] el0_svc_common.constprop.0+0xc8/0xe8 [ 9.919393] do_el0_svc+0x20/0x2c [ 9.919396] el0_svc+0x34/0xf0 [ 9.919401] el0t_64_sync_handler+0xa0/0xe4 [ 9.919403] el0t_64_sync+0x198/0x19c [ 9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44) [ 9.919410] ---[ end trace 0000000000000000 ]--- Patchwork: https://patchwork.freedesktop.org/pa ---truncated--- | 2025-11-12 | not yet calculated | CVE-2025-40152 | https://git.kernel.org/stable/c/87aff6d08f3b13bfad66df7c13af5f3a3548d5b9 https://git.kernel.org/stable/c/f028bcafb6dfb4c2bb656cbff9e6a66222d3d3d7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: avoid soft lockup when mprotect to large memory area When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed: watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916] CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000 Call trace: mte_clear_page_tags+0x14/0x24 set_huge_pte_at+0x25c/0x280 hugetlb_change_protection+0x220/0x430 change_protection+0x5c/0x8c mprotect_fixup+0x10c/0x294 do_mprotect_pkey.constprop.0+0x2e0/0x3d4 __arm64_sys_mprotect+0x24/0x44 invoke_syscall+0x50/0x160 el0_svc_common+0x48/0x144 do_el0_svc+0x30/0xe0 el0_svc+0x30/0xf0 el0t_64_sync_handler+0xc4/0x148 el0t_64_sync+0x1a4/0x1a8 Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size. Although the soft lockup was triggered by MTE, it should be not MTE specific. The other processing which takes long time in the loop may trigger soft lockup too. So add cond_resched() for hugetlb to avoid soft lockup. | 2025-11-12 | not yet calculated | CVE-2025-40153 | https://git.kernel.org/stable/c/30498c44c2a0b20f6833ed7d8fc3df901507f760 https://git.kernel.org/stable/c/5783485ab2be06be5312b26c8793526edc09123d https://git.kernel.org/stable/c/547e123e9d342a44c756446640ed847a8aeec611 https://git.kernel.org/stable/c/957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859 https://git.kernel.org/stable/c/964598e6f70a1be9fe675280bf16b4f96b0a6809 https://git.kernel.org/stable/c/4975c975ed9457a77953a26aeef85fdba7cf5498 https://git.kernel.org/stable/c/c6096f3947f68f96defedb8764b3b1ca4cf3469f https://git.kernel.org/stable/c/f52ce0ea90c83a28904c7cc203a70e6434adfecb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unexpected results like OOB access. This patch corrects the input mapping to the certain default value if an invalid value is passed. | 2025-11-12 | not yet calculated | CVE-2025-40154 | https://git.kernel.org/stable/c/2c27e047bdcba457ec953f7e90e4ed6d5f8aeb01 https://git.kernel.org/stable/c/a97b4d18ecb012c5624cdf2cab2ce5e1312fdd5d https://git.kernel.org/stable/c/dea9c8c9028c9374761224a7f9d824e845a2aa2e https://git.kernel.org/stable/c/f58fca15f3bf8b982e799c31e4afa8923788aa40 https://git.kernel.org/stable/c/29a41bf6422688f0c5a09b18222e1a64b2629fa4 https://git.kernel.org/stable/c/5c03ea2ef4ebba75c69c90929d8590eb3d3797a9 https://git.kernel.org/stable/c/48880f3cdf2b6d8dcd91219c5b5c8a7526411322 https://git.kernel.org/stable/c/fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: debugfs: Fix legacy mode page table dump logic In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR may be uninitialized or zero in that case and may cause oops like: Oops: general protection fault, probably for non-canonical address 0xf00087d3f000f000: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014 RIP: 0010:pgtable_walk_level+0x98/0x150 RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206 RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000 RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000 R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98 FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0 PKRU: 55555554 Call Trace: <TASK> pgtable_walk_level+0x88/0x150 domain_translation_struct_show.isra.0+0x2d9/0x300 dev_domain_translation_struct_show+0x20/0x40 seq_read_iter+0x12d/0x490 ... Avoid walking the page table if TT is not 00b or 01b. | 2025-11-12 | not yet calculated | CVE-2025-40155 | https://git.kernel.org/stable/c/d8cf7b59c49f9118fa875462e18686cb6b131bb5 https://git.kernel.org/stable/c/df2bf759a0bdb71f13e327d7527260d09facc055 https://git.kernel.org/stable/c/fbe6070c73badca726e4ff7877320e6c62339917 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() The drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which would lead to an error pointer dereference. Use IS_ERR_OR_NULL() to check that the pointer is valid. | 2025-11-12 | not yet calculated | CVE-2025-40156 | https://git.kernel.org/stable/c/9cc23e221f392304b7b8aad213812564ddf6517e https://git.kernel.org/stable/c/80eab6a9df7e1107dc334434dbacd05297703377 https://git.kernel.org/stable/c/44e32104cf7e670e3d683c97b52350d8fac23322 https://git.kernel.org/stable/c/24d61b6e23d2c7291c528dd43a0bf76b5c05c8f0 https://git.kernel.org/stable/c/fc33bf0e097c6834646b98a7b3da0ae5b617f0f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller When loading the i10nm_edac driver on some Intel Granite Rapids servers, a call trace may appear as follows: UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:453:16 shift exponent -66 is negative ... __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 skx_get_dimm_info.cold+0x47/0xd40 [skx_edac_common] i10nm_get_dimm_config+0x23e/0x390 [i10nm_edac] skx_register_mci+0x159/0x220 [skx_edac_common] i10nm_init+0xcb0/0x1ff0 [i10nm_edac] ... This occurs because some BIOS may disable a memory controller if there aren't any memory DIMMs populated on this memory controller. The DIMMMTR register of this disabled memory controller contains the invalid value ~0, resulting in the call trace above. Fix this call trace by skipping DIMM enumeration on a disabled memory controller. | 2025-11-12 | not yet calculated | CVE-2025-40157 | https://git.kernel.org/stable/c/8100b6c0f9089d5b156642b81270ce27fff17490 https://git.kernel.org/stable/c/1652f14cf3bef5a4baa232de954fc22bdcaa78fe https://git.kernel.org/stable/c/c20da24272f1ac79e9f9083bba577d049cd02bbb https://git.kernel.org/stable/c/2e6fe1bbefd9c059c3787d1c620fe67343a94dff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2(). | 2025-11-12 | not yet calculated | CVE-2025-40158 | https://git.kernel.org/stable/c/0393f85c3241c19ba8550f04a812e7d19f6b3082 https://git.kernel.org/stable/c/11709573cc4e48dc34c80fc7ab9ce5b159e29695 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdp_desc validation Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() and then lead to UBs or just invalid frames to be queued for xmit. desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len can cause positive integer overflow and wraparound, the same way low enough desc->addr with a non-zero pool->tx_metadata_len can cause negative integer overflow. Both scenarios can then pass the validation successfully. This doesn't happen with valid XSk applications, but can be used to perform attacks. Always promote desc->len to ``u64`` first to exclude positive overflows of it. Use explicit check_{add,sub}_overflow() when validating desc->addr (which is ``u64`` already). bloat-o-meter reports a little growth of the code size: add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) Function old new delta xskq_cons_peek_desc 299 330 +31 xsk_tx_peek_release_desc_batch 973 1002 +29 xsk_generic_xmit 3148 3132 -16 but hopefully this doesn't hurt the performance much. | 2025-11-12 | not yet calculated | CVE-2025-40159 | https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980 https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21 https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propagate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in. | 2025-11-12 | not yet calculated | CVE-2025-40160 | https://git.kernel.org/stable/c/612ef6056855c0aacb9b25d1d853c435754483f7 https://git.kernel.org/stable/c/a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa https://git.kernel.org/stable/c/f81db055a793eca9d05f79658ff62adafb41d664 https://git.kernel.org/stable/c/07ce121d93a5e5fb2440a24da3dbf408fcee978e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix SGI cleanup on unbind The driver incorrectly determines SGI vs SPI interrupts by checking IRQ number < 16, which fails with dynamic IRQ allocation. During unbind, this causes improper SGI cleanup leading to kernel crash. Add explicit irq_type field to pdata for reliable identification of SGI interrupts (type-2) and only clean up SGI resources when appropriate. | 2025-11-12 | not yet calculated | CVE-2025-40161 | https://git.kernel.org/stable/c/1ee147efee68be00203b1fee6479911debb1edb2 https://git.kernel.org/stable/c/32bf7c6e01f5ba17a53ba236a770bd0274cefdf4 https://git.kernel.org/stable/c/bb160e791ab15b89188a7a19589b8e11f681bef3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference. | 2025-11-12 | not yet calculated | CVE-2025-40162 | https://git.kernel.org/stable/c/095d692e5997ece300c89f10d903d5230090e6a0 https://git.kernel.org/stable/c/a1cccbd19676fc36854535a7118ba2c27d0b84b3 https://git.kernel.org/stable/c/5726b68473f7153a7f6294185e5998b7e2a230a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Stop dl_server before CPU goes offline IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e "drmgr -c cpu -r -q 1" WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320 Git bisects to: commit 4ae8d9aa9f9d ("sched/deadline: Fix dl_server getting stuck") This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit. Fix it by stopping the dl_server before CPU is marked dead. [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr [sshegde: wrote the changelog and tested it] | 2025-11-12 | not yet calculated | CVE-2025-40163 | https://git.kernel.org/stable/c/ab6c0f158508bb16d483add70b73a73f95651c33 https://git.kernel.org/stable/c/ee6e44dfe6e50b4a5df853d933a96bdff5309e6e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usbnet: Fix using smp_processor_id() in preemptible code warnings Syzbot reported the following warning: BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 __dev_set_mtu net/core/dev.c:9443 [inline] netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 sock_do_ioctl+0x19d/0x280 net/socket.c:1204 sock_ioctl+0x42f/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx(). | 2025-11-12 | not yet calculated | CVE-2025-40164 | https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255 https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON(): [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072] v4l_streamon+0x24/0x30 [ 59.364556] __video_do_ioctl+0x40c/0x4a0 [ 59.368560] video_usercopy+0x2bc/0x690 [ 59.372382] video_ioctl2+0x18/0x24 [ 59.375857] v4l2_ioctl+0x40/0x60 [ 59.379168] __arm64_sys_ioctl+0xac/0x104 [ 59.383172] invoke_syscall+0x48/0x104 [ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613] do_el0_svc+0x1c/0x28 [ 59.394915] el0_svc+0x34/0xf4 [ 59.397966] el0t_64_sync_handler+0xa0/0xe4 [ 59.402143] el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]--- Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers. | 2025-11-12 | not yet calculated | CVE-2025-40165 | https://git.kernel.org/stable/c/50c721be2cff2bf8c9a5f1f4add35c2bbb1df302 https://git.kernel.org/stable/c/e8b5f4d80775835cf8192d65138e9be1ff202847 https://git.kernel.org/stable/c/b0d438c7b43314f9128e0dda5f83789e593e684a https://git.kernel.org/stable/c/178aa3360220231dd91e7dbc2eb984525886c9c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Check GuC running state before deregistering exec queue In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled. In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running. Here is the failure dmesg log: " [ 468.089581] ---[ end trace 0000000000000000 ]--- [ 468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535 [ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1 [ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1) [ 468.092716] ------------[ cut here ]------------ [ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] " v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled(). As CT may go down and come back during VF migration. (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea) | 2025-11-12 | not yet calculated | CVE-2025-40166 | https://git.kernel.org/stable/c/2c6e5904c5bdbac8e0eadee40f70c42bb83f6dc6 https://git.kernel.org/stable/c/fa708415566bbe5361c935645107319f8edc8dc1 https://git.kernel.org/stable/c/9f64b3cd051b825de0a2a9f145c8e003200cedd5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode. | 2025-11-12 | not yet calculated | CVE-2025-40167 | https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3 https://git.kernel.org/stable/c/f061f7c331fc16250fc82aa68964f35821687217 https://git.kernel.org/stable/c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5 https://git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b https://git.kernel.org/stable/c/cb6039b68efa547b676a8a10fc4618d9d1865c23 https://git.kernel.org/stable/c/de985264eef64be8a90595908f2e6a87946dad34 https://git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717 https://git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match(). smc_clc_prfx_match() is called from smc_listen_work() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the returned value of smc_clc_prfx_match() is not used in the caller. | 2025-11-12 | not yet calculated | CVE-2025-40168 | https://git.kernel.org/stable/c/d26e80f7fb62d77757b67a1b94e4ac756bc9c658 https://git.kernel.org/stable/c/235f81045c008169cc4e1955b4a64e118eebe61b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops When verifying BPF programs, the check_alu_op() function validates instructions with ALU operations. The 'offset' field in these instructions is a signed 16-bit integer. The existing check 'insn->off > 1' was intended to ensure the offset is either 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' is signed, this check incorrectly accepts all negative values (e.g., -1). This commit tightens the validation by changing the condition to '(insn->off != 0 && insn->off != 1)'. This ensures that any value other than the explicitly permitted 0 and 1 is rejected, hardening the verifier against malformed BPF programs. | 2025-11-12 | not yet calculated | CVE-2025-40169 | https://git.kernel.org/stable/c/3bce44b344040e5eef3d64d38b157c15304c0aab https://git.kernel.org/stable/c/5017c302ca4b2a45149ad64e058fa2d5623c068f https://git.kernel.org/stable/c/21167bf70dbe400563e189ac632258d35eda38b5 https://git.kernel.org/stable/c/55c0ced59fe17dee34e9dfd5f7be63cbab207758 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu(). | 2025-11-12 | not yet calculated | CVE-2025-40170 | https://git.kernel.org/stable/c/a805729c0091073d8f0415cfa96c7acd1bc17a48 https://git.kernel.org/stable/c/99a2ace61b211b0be861b07fbaa062fca4b58879 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmet_fc_ls_req_op It's possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken. In the current code, only one put work item is queued at a time, which results in a leaked reference. To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command. | 2025-11-12 | not yet calculated | CVE-2025-40171 | https://git.kernel.org/stable/c/11269c08013f4ee8b8f5edc6c56700acb34092d0 https://git.kernel.org/stable/c/a28112cc55013cd8cbd5d36b5115a5b851151bd9 https://git.kernel.org/stable/c/060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c https://git.kernel.org/stable/c/7331925c247b03b7767b8cd93cfe1b7aa2377850 https://git.kernel.org/stable/c/7a619f8c869117ffed08365b377f66b7e1d941b4 https://git.kernel.org/stable/c/db5a5406fb7e5337a074385c7a3e53c77f2c1bd3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault. Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred. | 2025-11-12 | not yet calculated | CVE-2025-40172 | https://git.kernel.org/stable/c/48b1d42286bfef7628b1d6c8c28d4e456c90f725 https://git.kernel.org/stable/c/551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede https://git.kernel.org/stable/c/1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6 https://git.kernel.org/stable/c/11f08c30a3e4157305ba692f1d44cca5fc9a8fca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"), ipv6 tunnel yet increases the headroom without any ceiling. Reflect ipv4 tunnel headroom adjustment limit on ipv6 version. Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer. | 2025-11-12 | not yet calculated | CVE-2025-40173 | https://git.kernel.org/stable/c/566f8d5c8a443f2dd69c5460fdec43ed1c870c65 https://git.kernel.org/stable/c/11f6066af3bfb8149aa16c42c0b0c5ea5b199a94 https://git.kernel.org/stable/c/402b6985e872b4cf394bbbf33b503947a326a6cb https://git.kernel.org/stable/c/10fe967efe73c610e526ff7460581610633dee9c https://git.kernel.org/stable/c/48294a67863c9cfa367abb66bbf0ef6548ae124f https://git.kernel.org/stable/c/eeb4345488672584db4f8c20a1ae13a212ce31c4 https://git.kernel.org/stable/c/b6eb25d870f1a8ae571fd3da2244b71df547824b https://git.kernel.org/stable/c/21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix SMP ordering in switch_mm_irqs_off() Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs. [ dhansen: merge conflict fixed by Ingo ] | 2025-11-12 | not yet calculated | CVE-2025-40174 | https://git.kernel.org/stable/c/0fe5e3f5fb75c5d88dad24dece3ee75e9d87adeb https://git.kernel.org/stable/c/83b0177a6c4889b3a6e865da5e21b2c9d97d0551 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps. Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs. | 2025-11-12 | not yet calculated | CVE-2025-40175 | https://git.kernel.org/stable/c/2c84e91ef831d4fedb0b94670b3cfd1cc5f966a5 https://git.kernel.org/stable/c/a3f8c0a273120fd2638f03403e786c3de2382e72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tls_strp_msg_hold fails Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned). In this case, wait for all pending decryption requests. | 2025-11-12 | not yet calculated | CVE-2025-40176 | https://git.kernel.org/stable/c/9f83fd0c179e0f458e824e417f9d5ad53443f685 https://git.kernel.org/stable/c/c61d4368197d65c4809d9271f3b85325a600586a https://git.kernel.org/stable/c/39dec4ea3daf77f684308576baf483b55ca7f160 https://git.kernel.org/stable/c/4fc109d0ab196bd943b7451276690fb6bb48c2e0 https://git.kernel.org/stable/c/b8a6ff84abbcbbc445463de58704686011edc8e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix bootlog initialization ordering As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers. We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults. Fix the init ordering to close the race. | 2025-11-12 | not yet calculated | CVE-2025-40177 | https://git.kernel.org/stable/c/646868e6962b14e25ae7462fdd1fb061b40c1f16 https://git.kernel.org/stable/c/48814afc7372f96a9584125c8508dffc88d1d378 https://git.kernel.org/stable/c/fd6e385528d8f85993b7bfc6430576136bb14c65 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns __task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) { Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns. For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 | 2025-11-12 | not yet calculated | CVE-2025-40178 | https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776 https://git.kernel.org/stable/c/c2d09d724856b6f82ab688f65fc1ce833bb56333 https://git.kernel.org/stable/c/c3b654021931dc806ba086c549e8756c3f204a67 https://git.kernel.org/stable/c/e10c36a771c5cc910abd9fe4aa9033ee32a47c38 https://git.kernel.org/stable/c/09d227c59d97efda7d5cc878a4335a6b2bb224c2 https://git.kernel.org/stable/c/2076b916bf41be48799d1443df0f8fc75d12ccd0 https://git.kernel.org/stable/c/a0212978af1825b37da0b453b94d9b0e5af11478 https://git.kernel.org/stable/c/006568ab4c5ca2309ceb36fa553e390b4aa9c0c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files. | 2025-11-12 | not yet calculated | CVE-2025-40179 | https://git.kernel.org/stable/c/95a21611b14ae0a401720645245a8db16f040995 https://git.kernel.org/stable/c/566a1d6084563bd07433025aa23bcea4427de107 https://git.kernel.org/stable/c/304fc34ff6fc8261138fd81f119e024ac3a129e9 https://git.kernel.org/stable/c/a2d803fab8a6c6a874277cb80156dc114db91921 https://git.kernel.org/stable/c/2b9da798ff0f4d026c5f0f815047393ebe7d8859 https://git.kernel.org/stable/c/0a6ce20c156442a4ce2a404747bb0fb05d54eeb3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent accessing memory beyond the allocated array bounds. | 2025-11-12 | not yet calculated | CVE-2025-40180 | https://git.kernel.org/stable/c/cd0cbf2713f6e027ebba867cb7409ae345a31312 https://git.kernel.org/stable/c/ab96f08ecedd263ecaab9df8455bfb23b07fdcc2 https://git.kernel.org/stable/c/0aead8197fc1a85b0a89646e418feb49a564b029 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP When running as an SNP or TDX guest under KVM, force the legacy PCI hole, i.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC via a forced variable MTRR range. In most KVM-based setups, legacy devices such as the HPET and TPM are enumerated via ACPI. ACPI enumeration includes a Memory32Fixed entry, and optionally a SystemMemory descriptor for an OperationRegion, e.g. if the device needs to be accessed via a Control Method. If a SystemMemory entry is present, then the kernel's ACPI driver will auto-ioremap the region so that it can be accessed at will. However, the ACPI spec doesn't provide a way to enumerate the memory type of SystemMemory regions, i.e. there's no way to tell software that a region must be mapped as UC vs. WB, etc. As a result, Linux's ACPI driver always maps SystemMemory regions using ioremap_cache(), i.e. as WB on x86. The dedicated device drivers however, e.g. the HPET driver and TPM driver, want to map their associated memory as UC or WC, as accessing PCI devices using WB is unsupported. On bare metal and non-CoCO, the conflicting requirements "work" as firmware configures the PCI hole (and other device memory) to be UC in the MTRRs. So even though the ACPI mappings request WB, they are forced to UC- in the kernel's tracking due to the kernel properly handling the MTRR overrides, and thus are compatible with the drivers' requested WC/UC-. With force WB MTRRs on SNP and TDX guests, the ACPI mappings get their requested WB if the ACPI mappings are established before the dedicated driver code attempts to initialize the device. E.g. if acpi_init() runs before the corresponding device driver is probed, ACPI's WB mapping will "win", and result in the driver's ioremap() failing because the existing WB mapping isn't compatible with the requested WC/UC-. E.g. when a TPM is emulated by the hypervisor (ignoring the security implications of relying on what is allegedly an untrusted entity to store measurements), the TPM driver will request UC and fail: [ 1.730459] ioremap error for 0xfed40000-0xfed45000, requested 0x2, got 0x0 [ 1.732780] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -12 Note, the '0x2' and '0x0' values refer to "enum page_cache_mode", not x86's memtypes (which frustratingly are an almost pure inversion; 2 == WB, 0 == UC). E.g. tracing mapping requests for TPM TIS yields: Mapping TPM TIS with req_type = 0 WARNING: CPU: 22 PID: 1 at arch/x86/mm/pat/memtype.c:530 memtype_reserve+0x2ab/0x460 ---truncated--- | 2025-11-12 | not yet calculated | CVE-2025-40181 | https://git.kernel.org/stable/c/34ff466f74d0fe1db8956f9c245e2bb2c67f67bf https://git.kernel.org/stable/c/91ab8a21bda2d2d2842b6159ac060d9100433a3c https://git.kernel.org/stable/c/0dccbc75e18df85399a71933d60b97494110f559 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: skcipher - Fix reqsize handling Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") introduced cra_reqsize field in crypto_alg struct to replace type specific reqsize fields. It looks like this was introduced specifically for ahash and acomp from the commit description as subsequent commits add necessary changes in these alg frameworks. However, this is being recommended for use in all crypto algs [1] instead of setting reqsize using crypto_*_set_reqsize(). Using cra_reqsize in skcipher algorithms, hence, causes memory corruptions and crashes as the underlying functions in the algorithm framework have not been updated to set the reqsize properly from cra_reqsize. [2] Add proper set_reqsize calls in the skcipher init function to properly initialize reqsize for these algorithms in the framework. [1]: https://lore.kernel.org/linux-crypto/aCL8BxpHr5OpT04k@gondor.apana.org.au/ [2]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b | 2025-11-12 | not yet calculated | CVE-2025-40182 | https://git.kernel.org/stable/c/f041339d6b9a5a46437f0c48fc7279c92af7a513 https://git.kernel.org/stable/c/229c586b5e86979badb7cb0d38717b88a9e95ddd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gateways which then SNAT the traffic in order to interact with stable IPs outside the cluster. The traffic is directed to the gateway via vxlan tunnel in collect md mode. A recent BPF change utilized the bpf_redirect_neigh() helper to forward packets after the arrival and decap on vxlan, which turned out over time that the kmalloc-256 slab usage in kernel was ever-increasing. The issue was that vxlan allocates the metadata_dst object and attaches it through a fake dst entry to the skb. The latter was never released though given bpf_redirect_neigh() was merely setting the new dst entry via skb_dst_set() without dropping an existing one first. | 2025-11-12 | not yet calculated | CVE-2025-40183 | https://git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79 https://git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd https://git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598 https://git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09 https://git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89 https://git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8 https://git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix debug checking for np-guests using huge mappings When running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then the debug checking in assert_host_shared_guest() fails on the launch of an np-guest. This WARN_ON() causes a panic and generates the stack below. In __pkvm_host_relax_perms_guest() the debug checking assumes the mapping is a single page but it may be a block map. Update the checking so that the size is not checked and just assumes the correct size. While we're here make the same fix in __pkvm_host_mkyoung_guest(). kvm [141]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:1088! | 2025-11-12 | not yet calculated | CVE-2025-40184 | https://git.kernel.org/stable/c/4f7af3d8a1177c807d1f2563c7c171700b020656 https://git.kernel.org/stable/c/2ba972bf71cb71d2127ec6c3db1ceb6dd0c73173 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: ice_adapter: release xa entry on adapter allocation failure When ice_adapter_new() fails, the reserved XArray entry created by xa_insert() is not released. This causes subsequent insertions at the same index to return -EBUSY, potentially leading to NULL pointer dereferences. Reorder the operations as suggested by Przemek Kitszel: 1. Check if adapter already exists (xa_load) 2. Reserve the XArray slot (xa_reserve) 3. Allocate the adapter (ice_adapter_new) 4. Store the adapter (xa_store) | 2025-11-12 | not yet calculated | CVE-2025-40185 | https://git.kernel.org/stable/c/7b9269de9815fc34d93dab90bd5169bacbe78e70 https://git.kernel.org/stable/c/794abb265de3e792167fe3ea0440c064c722bb84 https://git.kernel.org/stable/c/2db687f3469dbc5c59bc53d55acafd75d530b497 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due to !reqsk->sk. Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the drop_and_free label causes the refcount underflow for the listener and double-free of the reqsk. Let's remove reqsk_fastopen_remove() in tcp_conn_request(). Note that other callers make sure tp->fastopen_rsk is not NULL. [0]: refcount_t: underflow; use-after-free. WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28) | 2025-11-12 | not yet calculated | CVE-2025-40186 | https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7 https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32 https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15 https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function. | 2025-11-12 | not yet calculated | CVE-2025-40187 | https://git.kernel.org/stable/c/1014b83778c8677f1d7a57c26dc728baa801ac62 https://git.kernel.org/stable/c/7f702f85df0266ed7b5bab81ba50394c92f3c928 https://git.kernel.org/stable/c/dbceedc0213e75bf3e9f9f9e2f66b10699d004fe https://git.kernel.org/stable/c/025419f4e216a3ae0d0cec622262e98e8078c447 https://git.kernel.org/stable/c/c21f45cfa4a9526b34d76b397c9ef080668b6e73 https://git.kernel.org/stable/c/d0e8f1445c19b1786759ba72a38267e1449bab7e https://git.kernel.org/stable/c/badbd79313e6591616c1b78e29a9b71efed7f035 https://git.kernel.org/stable/c/2f3119686ef50319490ccaec81a575973da98815 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume. | 2025-11-12 | not yet calculated | CVE-2025-40188 | https://git.kernel.org/stable/c/da3cadb8b0f35d845b3e2fbb7d978cf6473fd221 https://git.kernel.org/stable/c/5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444 https://git.kernel.org/stable/c/9ee5eb3d09217f115f63b7c102d110ccdb1b26af https://git.kernel.org/stable/c/fd017aabd4273216ed4223f17991fc087163771f https://git.kernel.org/stable/c/dc3a1c6237e7f8046e6d4109bcf1998452ccafad https://git.kernel.org/stable/c/d9457e6258750692c3b27f80880a613178053c25 https://git.kernel.org/stable/c/6cef9e4425143b19742044c8a675335821fa1994 https://git.kernel.org/stable/c/3a4b9d027e4061766f618292df91760ea64a1fcc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom Syzbot reported read of uninitialized variable BUG with following call stack. lan78xx 8-1:1.0 (unnamed net_device) (uninitialized): EEPROM read operation timeout ===================================================== BUG: KMSAN: uninit-value in lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline] BUG: KMSAN: uninit-value in lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline] BUG: KMSAN: uninit-value in lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241 lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline] lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline] lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241 lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766 lan78xx_probe+0x225c/0x3310 drivers/net/usb/lan78xx.c:4707 Local variable sig.i.i created at: lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1092 [inline] lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline] lan78xx_reset+0x77e/0x2cd0 drivers/net/usb/lan78xx.c:3241 lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766 The function lan78xx_read_raw_eeprom failed to properly propagate EEPROM read timeout errors (-ETIMEDOUT). In the fallthrough path, it first attempted to restore the pin configuration for LED outputs and then returned only the status of that restore operation, discarding the original timeout error. As a result, callers could mistakenly treat the data buffer as valid even though the EEPROM read had actually timed out with no data or partial data. To fix this, handle errors in restoring the LED pin configuration separately. If the restore succeeds, return any prior EEPROM timeout error correctly to the caller. | 2025-11-12 | not yet calculated | CVE-2025-40189 | https://git.kernel.org/stable/c/a72a7c4f675080a324d4c2167bd2314d968279f1 https://git.kernel.org/stable/c/49bdb63ff64469a6de8ea901aef123c75be9bbe7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn. | 2025-11-12 | not yet calculated | CVE-2025-40190 | https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002 https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8 https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631 https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278 https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943 https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kfd process ref leaking when userptr unmapping kfd_lookup_process_by_pid holds the kfd process reference to ensure it doesn't get destroyed while sending the segfault event to user space. Calling kfd_lookup_process_by_pid as function parameter leaks the kfd process refcount and misses the NULL pointer check if app process is already destroyed. | 2025-11-12 | not yet calculated | CVE-2025-40191 | https://git.kernel.org/stable/c/60f6112fc9b3ba0eae519f10702c0c13bab45742 https://git.kernel.org/stable/c/58e6fc2fb94f0f409447e5d46cf6a417b6397fbc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "ipmi: fix msg stack when IPMI is disconnected" This reverts commit c608966f3f9c2dca596967501d00753282b395fc. This patch has a subtle bug that can cause the IPMI driver to go into an infinite loop if the BMC misbehaves in a certain way. Apparently certain BMCs do misbehave this way because several reports have come in recently about this. | 2025-11-12 | not yet calculated | CVE-2025-40192 | https://git.kernel.org/stable/c/f4aab940ae9eb3ba32e5332b35703673f00d7f37 https://git.kernel.org/stable/c/b9cc7155e65f6feca51bfedd543b9bd300e2be2b https://git.kernel.org/stable/c/8cf5c24533b8058910fcb83a25a9cf0306383780 https://git.kernel.org/stable/c/5d09ee1bec870263f4ace439402ea840503b503b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash. This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()") | 2025-11-12 | not yet calculated | CVE-2025-40193 | https://git.kernel.org/stable/c/f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf https://git.kernel.org/stable/c/151bd88859474cdaccc1e4c8b21fbf72dbba2ab4 https://git.kernel.org/stable/c/d381de7fd4cdc928ede96987dc64b133e6480dd6 https://git.kernel.org/stable/c/a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a https://git.kernel.org/stable/c/5d5f08fd0cd970184376bee07d59f635c8403f63 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying update_qos_request() to drop the reference to the policy later. | 2025-11-12 | not yet calculated | CVE-2025-40194 | https://git.kernel.org/stable/c/15ac9579ebdaf22a37d7f60b3a8efc1029732ef9 https://git.kernel.org/stable/c/bc26564bcc659beb6d977cd6eb394041ec2f2851 https://git.kernel.org/stable/c/ad4e8f9bdbef11a19b7cb93e7f313bf59bdcc3b4 https://git.kernel.org/stable/c/0a58d3e77b22b087a57831c87cafd360e144a5bd https://git.kernel.org/stable/c/69a18ff6c60e8e113420f15355fad862cb45d38e https://git.kernel.org/stable/c/ba63d4e9857a72a89e71a4eff9f2cc8c283e94c3 https://git.kernel.org/stable/c/57e4a6aadf12578b96a038373cffd54b3a58b092 https://git.kernel.org/stable/c/69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release() When calling in listmount() mnt_ns_release() may be passed a NULL pointer. Handle that case gracefully. | 2025-11-12 | not yet calculated | CVE-2025-40195 | https://git.kernel.org/stable/c/2d68f8a7379d9c61005e982600c61948d4d019bd https://git.kernel.org/stable/c/99ae3e70a293834d0274c46a37120c71a24a4995 https://git.kernel.org/stable/c/6c7ca6a02f8f9549a438a08a23c6327580ecf3d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: quota: create dedicated workqueue for quota_release_work There is a kernel panic due to WARN_ONCE when panic_on_warn is set. This issue occurs when writeback is triggered due to sync call for an opened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance is needed at sync path, flush for quota_release_work is triggered. By default quota_release_work is queued to "events_unbound" queue which does not have WQ_MEM_RECLAIM flag. During f2fs balance "writeback" workqueue tries to flush quota_release_work causing kernel panic due to MEM_RECLAIM flag mismatch errors. This patch creates dedicated workqueue with WQ_MEM_RECLAIM flag for work quota_release_work. ------------[ cut here ]------------ WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148 Call trace: check_flush_dependency+0x13c/0x148 __flush_work+0xd0/0x398 flush_delayed_work+0x44/0x5c dquot_writeback_dquots+0x54/0x318 f2fs_do_quota_sync+0xb8/0x1a8 f2fs_write_checkpoint+0x3cc/0x99c f2fs_gc+0x190/0x750 f2fs_balance_fs+0x110/0x168 f2fs_write_single_data_page+0x474/0x7dc f2fs_write_data_pages+0x7d0/0xd0c do_writepages+0xe0/0x2f4 __writeback_single_inode+0x44/0x4ac writeback_sb_inodes+0x30c/0x538 wb_writeback+0xf4/0x440 wb_workfn+0x128/0x5d4 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x11c/0x1b0 ret_from_fork+0x10/0x20 Kernel panic - not syncing: kernel: panic_on_warn set ... | 2025-11-12 | not yet calculated | CVE-2025-40196 | https://git.kernel.org/stable/c/f846eacde280ecc3daedfe001580e3033565179e https://git.kernel.org/stable/c/f12039df1515d5daf7d92e586ece5cefeb39561b https://git.kernel.org/stable/c/8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0 https://git.kernel.org/stable/c/72b7ceca857f38a8ca7c5629feffc63769638974 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mc: Clear minor number before put device The device minor should not be cleared after the device is released. | 2025-11-12 | not yet calculated | CVE-2025-40197 | https://git.kernel.org/stable/c/dd156f44ea82cc249f46c519eed3b2f8983c8002 https://git.kernel.org/stable/c/64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d https://git.kernel.org/stable/c/5d327391f9fafeb0938be4fc538dd0bd54a0b2ef https://git.kernel.org/stable/c/8f52c7f38f0f2ee2afc331e6b873acba5e9490a8 https://git.kernel.org/stable/c/7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa https://git.kernel.org/stable/c/7db47e737128b3585ae679b709b85f3f44cd8750 https://git.kernel.org/stable/c/ac01416d477c2dc6016782635ae022f8cc634a29 https://git.kernel.org/stable/c/8cfc8cec1b4da88a47c243a11f384baefd092a50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. | 2025-11-12 | not yet calculated | CVE-2025-40198 | https://git.kernel.org/stable/c/7bf46ff83a0ef11836e38ebd72cdc5107209342d https://git.kernel.org/stable/c/b2bac84fde28fb6a88817b8b761abda17a1d300b https://git.kernel.org/stable/c/e651294218d2684302ee5ed95ccf381646f3e5b4 https://git.kernel.org/stable/c/01829af7656b56d83682b3491265d583d502e502 https://git.kernel.org/stable/c/2a0cf438320cdb783e0378570744c0ef0d83e934 https://git.kernel.org/stable/c/a6e94557cd05adc82fae0400f6e17745563e5412 https://git.kernel.org/stable/c/8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches Helge reported that the introduction of PP_MAGIC_MASK led to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine. Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages. The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives. Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types is complete for page_pool pages. v2: - Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap | 2025-11-12 | not yet calculated | CVE-2025-40199 | https://git.kernel.org/stable/c/15b8a5b4cdc16e9a8bb2a548e12a0fd92997605a https://git.kernel.org/stable/c/f62934cea32c8f7b11b747975d69bf5afe4264cf https://git.kernel.org/stable/c/95920c2ed02bde551ab654e9749c2ca7bc3100e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode() Syzkaller reports a "WARNING in ovl_copy_up_file" in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. [phillip@squashfs.org.uk: only need to check 64 bit quantity] | 2025-11-12 | not yet calculated | CVE-2025-40200 | https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7 https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408 https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66 https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321 https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810 https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812 https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4 https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable. | 2025-11-12 | not yet calculated | CVE-2025-40201 | https://git.kernel.org/stable/c/1bc0d9315ef5296abb2c9fd840336255850ded18 https://git.kernel.org/stable/c/132f827e7bac7373e1522e89709d70b43cae5342 https://git.kernel.org/stable/c/19b45c84bd9fd42fa97ff80c6350d604cb871c75 https://git.kernel.org/stable/c/6796412decd2d8de8ec708213bbc958fab72f143 https://git.kernel.org/stable/c/a15f37a40145c986cdf289a4b88390f35efdecc4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free. Restructure how this is all done to handle more in the receive message allocation routine, so all refcounting and user message limit counts are done in that routine. It's a lot cleaner and safer. | 2025-11-12 | not yet calculated | CVE-2025-40202 | https://git.kernel.org/stable/c/f63723ca7d7623f9dae1990973cd158671f03c56 https://git.kernel.org/stable/c/348121b29594d42d1635648fd3ed31dfa25351d5 https://git.kernel.org/stable/c/53d6e403affbf6df2c859a0ea00ccfc1e72090ca https://git.kernel.org/stable/c/0ed73be9a2547ffb9b5c1d879ad9bfab73d920b5 https://git.kernel.org/stable/c/b52da4054ee0bf9ecb44996f2c83236ff50b3812 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked. | 2025-11-12 | not yet calculated | CVE-2025-40203 | https://git.kernel.org/stable/c/659874b7ee4976ad9ce476e07fd36bc67b3537f1 https://git.kernel.org/stable/c/9c80da26fda2fdcaac7f92b5908875b3108830ff https://git.kernel.org/stable/c/c1f86d0ac322c7e77f6f8dbd216c65d39358ffc0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2025-11-12 | not yet calculated | CVE-2025-40204 | https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617 https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77 https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209 https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0 https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405 https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes). If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned. This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id. A previous attempt to fix this issue was made but was lost. https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/ Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data. | 2025-11-12 | not yet calculated | CVE-2025-40205 | https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3 https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47 https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224 https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip6_route+0x23/0x50 synproxy_send_tcp_ipv6+0x106/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0 nft_synproxy_do_eval+0x263/0x310 nft_do_chain+0x5a8/0x5f0 [nf_tables nft_do_chain_inet+0x98/0x110 nf_hook_slow+0x43/0xc0 __ip6_local_out+0xf0/0x170 ip6_local_out+0x17/0x70 synproxy_send_tcp_ipv6+0x1a2/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0 [...] Implement objref and objrefmap expression validate functions. Currently, only NFT_OBJECT_SYNPROXY object type requires validation. This will also handle a jump to a chain using a synproxy object from the OUTPUT hook. Now when trying to reference a synproxy object in the OUTPUT hook, nft will produce the following error: synproxy_crash.nft: Error: Could not process rule: Operation not supported synproxy name mysynproxy ^^^^^^^^^^^^^^^^^^^^^^^^ | 2025-11-12 | not yet calculated | CVE-2025-40206 | https://git.kernel.org/stable/c/0028e0134c64d9ed21728341a74fcfc59cd0f944 https://git.kernel.org/stable/c/7ea55a44493a5a36c3b3293b88bbe4841f9dbaf0 https://git.kernel.org/stable/c/4c1cf72ec10be5a9ad264650cadffa1fbce6fabd https://git.kernel.org/stable/c/f359b809d54c6e3dd1d039b97e0b68390b0e53e4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try(). | 2025-11-12 | not yet calculated | CVE-2025-40207 | https://git.kernel.org/stable/c/5b0057459cdc243ffb35617603142dcace09c711 https://git.kernel.org/stable/c/ed30811fbed40751deb952bde534aa2632dc0bf7 https://git.kernel.org/stable/c/94e6336dc1f06a06f5b4cd04d4a012bba34f2857 https://git.kernel.org/stable/c/a553530b3314a0bdc98cf114cdbe204551a70a00 https://git.kernel.org/stable/c/f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: fix module removal if firmware download failed Fix remove if firmware failed to load: qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2 qcom-iris aa00000.video-codec: firmware download failed qcom-iris aa00000.video-codec: core init failed then: $ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind Triggers: genpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow! ------------[ cut here ]------------ video_cc_mvs0_clk already disabled WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542 <snip> pc : clk_core_disable+0xa4/0xac lr : clk_core_disable+0xa4/0xac <snip> Call trace: clk_core_disable+0xa4/0xac (P) clk_disable+0x30/0x4c iris_disable_unprepare_clock+0x20/0x48 [qcom_iris] iris_vpu_power_off_hw+0x48/0x58 [qcom_iris] iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris] iris_vpu_power_off+0x34/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ video_cc_mvs0_clk already unprepared WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542 <snip> pc : clk_core_unprepare+0xf0/0x110 lr : clk_core_unprepare+0xf0/0x110 <snip> Call trace: clk_core_unprepare+0xf0/0x110 (P) clk_unprepare+0x2c/0x44 iris_disable_unprepare_clock+0x28/0x48 [qcom_iris] iris_vpu_power_off_hw+0x48/0x58 [qcom_iris] iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris] iris_vpu_power_off+0x34/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ---[ end trace 0000000000000000 ]--- genpd genpd:0:aa00000.video-codec: Runtime PM usage count underflow! ------------[ cut here ]------------ gcc_video_axi0_clk already disabled WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542 <snip> pc : clk_core_disable+0xa4/0xac lr : clk_core_disable+0xa4/0xac <snip> Call trace: clk_core_disable+0xa4/0xac (P) clk_disable+0x30/0x4c iris_disable_unprepare_clock+0x20/0x48 [qcom_iris] iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris] iris_vpu_power_off+0x48/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ------------[ cut here ]------------ gcc_video_axi0_clk already unprepared WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542 <snip> pc : clk_core_unprepare+0xf0/0x110 lr : clk_core_unprepare+0xf0/0x110 <snip> Call trace: clk_core_unprepare+0xf0/0x110 (P) clk_unprepare+0x2c/0x44 iris_disable_unprepare_clock+0x28/0x48 [qcom_iris] iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris] iris_vpu_power_off+0x48/0x84 [qcom_iris] iris_core_deinit+0x44/0xc8 [qcom_iris] iris_remove+0x20/0x48 [qcom_iris] platform_remove+0x20/0x30 device_remove+0x4c/0x80 <snip> ---[ end trace 0000000000000000 ]--- Skip deinit if initialization never succeeded. | 2025-11-12 | not yet calculated | CVE-2025-40208 | https://git.kernel.org/stable/c/7a0a77b936ff28f59c271172e81cefebf7b2b7a6 https://git.kernel.org/stable/c/fde38008fc4f43db8c17869491870df24b501543 |
| xCally--Omnichannel | Cross-site Scripting (XSS) vulnerability reflected in xCally's Omnichannel v3.30.1. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'failureMessage' parameter in '/login'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2025-11-13 | not yet calculated | CVE-2025-40681 | https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-xcally-omnichannel |
| SOPlanning--SOPlanning | Cross Site Scripting (XSS) vulnerability stored in SOPlanning v1.53.02, which consists of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'LOGOUT_REDIRECT' parameter in '/soplanning/www/process/options.php'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | 2025-11-10 | not yet calculated | CVE-2025-41001 | https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-soplanning |
| T-Innova DeporSite--DSuite 2025 | Insecure Direct Object Reference (IDOR) vulnerability in DeporSite of T-INNOVA. This vulnerability allows an attacker to access or modify unauthorized resources by manipulating requests using the 'idUsuario' parameter in '/ajax/TInnova_v2/Formulario_Consentimiento/llamadaAjax/obtenerDatosConsentimientos', which could lead to the exposure or alteration of confidential data. | 2025-11-13 | not yet calculated | CVE-2025-41069 | https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-references-idor-deporsite-t-innova-deporsite |
| Fairsketch--RISE CRM Framework | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/projects/save'. | 2025-11-11 | not yet calculated | CVE-2025-41101 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch--RISE CRM Framework | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/events/save'. | 2025-11-11 | not yet calculated | CVE-2025-41102 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch--RISE CRM Framework | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'reply_message' in '/messages/reply'. | 2025-11-11 | not yet calculated | CVE-2025-41103 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch--RISE CRM Framework | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'custom_field_1' in '/estimate_requests/save_estimate_request'. | 2025-11-11 | not yet calculated | CVE-2025-41104 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch--RISE CRM Framework | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/tickets/save'. | 2025-11-11 | not yet calculated | CVE-2025-41105 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| Fairsketch--RISE CRM Framework | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'first_name' in '/clients/save_contact/'. | 2025-11-11 | not yet calculated | CVE-2025-41106 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fairsketchs-rise-crm-framework |
| QDOCS--Smart Schoo | Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', which affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details. | 2025-11-10 | not yet calculated | CVE-2025-41107 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-smart-school |
| Grafana Labs--Grafana Databricks Datasource Plugin | When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is not authorized being returned. This issue affects Grafana Databricks Datasource Plugin: from 1.12.1 before 1.12.0 | 2025-11-11 | not yet calculated | CVE-2025-41116 | https://grafana.com/security/security-advisories/cve-2025-41116/ |
| Apple--watchOS | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in watchOS 11.4, tvOS 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4. An app may be able to bypass ASLR. | 2025-11-12 | not yet calculated | CVE-2025-43205 | https://support.apple.com/en-us/122376 https://support.apple.com/en-us/122377 https://support.apple.com/en-us/122371 https://support.apple.com/en-us/122378 |
| Apple--Compressor | The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code. | 2025-11-13 | not yet calculated | CVE-2025-43515 | https://support.apple.com/en-us/125693 |
| Palo Alto Networks--Prisma Browser | An insufficient validation of an untrusted input vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to revert the browser's security controls. | 2025-11-14 | not yet calculated | CVE-2025-4616 | https://security.paloaltonetworks.com/CVE-2025-4616 |
| Palo Alto Networks--Prisma Browser | An insufficient policy enforcement vulnerability in Palo Alto Networks Prisma® Browser on Windows allows a locally authenticated non-admin user to bypass the screenshot control feature of the browser. Browser self-protection should be enabled to mitigate this issue. | 2025-11-14 | not yet calculated | CVE-2025-4617 | https://security.paloaltonetworks.com/CVE-2025-4617 |
| Palo Alto Networks--Prisma Browser | A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser. Browser self-protection should be enabled to mitigate this issue. | 2025-11-14 | not yet calculated | CVE-2025-4618 | https://security.paloaltonetworks.com/CVE-2025-4618 |
| Palo Alto Networks--Cloud NGFW | A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to reboot a firewall by sending a specially crafted packet through the dataplane. Repeated attempts to initiate a reboot cause the firewall to enter maintenance mode. This issue is applicable to the PAN-OS software versions listed below on PA-Series firewalls, VM-Series firewalls, and Prisma® Access software. This issue does not affect Cloud NGFW. We have successfully completed the Prisma Access upgrade for all customers, with the exception of those facing issues such as conflicting maintenance windows. Remaining customers will be promptly scheduled for an upgrade through our standard upgrade process. | 2025-11-13 | not yet calculated | CVE-2025-4619 | https://security.paloaltonetworks.com/CVE-2025-4619 |
| n/a--n/a | Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 1 of 3. | 2025-11-13 | not yet calculated | CVE-2025-47220 | https://support.keyfactor.com https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes |
| n/a--n/a | Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 2 of 3. | 2025-11-13 | not yet calculated | CVE-2025-47221 | https://support.keyfactor.com https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes |
| n/a--n/a | Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 3 of 3. | 2025-11-13 | not yet calculated | CVE-2025-47222 | https://support.keyfactor.com https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes |
| Combodo--iTop | Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it. | 2025-11-10 | not yet calculated | CVE-2025-47286 | https://github.com/Combodo/iTop/security/advisories/GHSA-4w93-rw6g-5m9c |
| golang.org/x/crypto--golang.org/x/crypto/ssh/agent | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. | 2025-11-13 | not yet calculated | CVE-2025-47913 | https://go.dev/cl/700295 https://go.dev/issue/75178 https://github.com/advisories/GHSA-hcg3-q754-cr77 https://pkg.go.dev/vuln/GO-2025-4116 |
| n/a--n/a | Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to send HTTP requests to arbitrary URLs. | 2025-11-13 | not yet calculated | CVE-2025-52186 | https://hackerone.com/reports/3165242 https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd8232346f839627005459c8f05c |
| n/a--n/a | Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report. | 2025-11-12 | not yet calculated | CVE-2025-52331 | https://www.rarlab.com/rarnew.htm https://gist.github.com/MarcinB44/2150484497c4b34aedf682c9091b14fa https://www.win-rar.com/whatsnew.html |
| Bitdefender--Endpoint Security Tools for Mac | An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password. | 2025-11-11 | not yet calculated | CVE-2025-5317 | https://www.bitdefender.com/support/security-advisories/improper-access-restriction-to-critical-folder-in-bitdefender-endpoint-security-tools-for-mac/ |
| n/a--n/a | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | 2025-11-14 | not yet calculated | CVE-2025-54339 | https://desktopalert.net https://desktopalert.net/cve-2025-54339/ |
| n/a--n/a | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is a Broken or Risky Cryptographic Algorithm. | 2025-11-14 | not yet calculated | CVE-2025-54340 | https://desktopalert.net https://desktopalert.net/cve-2025-54340/ |
| n/a--n/a | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is Exposure of Sensitive Information because of Incompatible Policies. | 2025-11-14 | not yet calculated | CVE-2025-54342 | https://desktopalert.net https://desktopalert.net/cve-2025-54342/ |
| n/a--n/a | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | 2025-11-14 | not yet calculated | CVE-2025-54343 | https://desktopalert.net https://desktopalert.net/CVE-2025-54343/ |
| n/a--n/a | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. Sensitive Information is exposed to an Unauthorized Actor. | 2025-11-14 | not yet calculated | CVE-2025-54345 | https://desktopalert.net https://desktopalert.net/cve-2025-54345/ |
| n/a--n/a | A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user's browser, capturing sensitive information. | 2025-11-14 | not yet calculated | CVE-2025-54346 | https://desktopalert.net https://desktopalert.net/cve-2025-54346/ |
| n/a--n/a | A Stored Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user's browser, capturing sensitive information. | 2025-11-14 | not yet calculated | CVE-2025-54348 | https://desktopalert.net https://desktopalert.net/cve-2025-54348/ |
| n/a--n/a | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote Path Traversal for loading arbitrary external content. | 2025-11-14 | not yet calculated | CVE-2025-54559 | https://desktopalert.net https://desktopalert.net/cve-2025-54559/ |
| n/a--n/a | A Server-side Request Forgery vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Probing of internal infrastructure. | 2025-11-14 | not yet calculated | CVE-2025-54560 | https://desktopalert.net https://desktopalert.net/cve-2025-54560/ |
| n/a--n/a | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorization Schema. | 2025-11-14 | not yet calculated | CVE-2025-54561 | https://desktopalert.net https://desktopalert.net/cve-2025-54561/ |
| n/a--n/a | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Technical Information to be Disclosed through stack trace. | 2025-11-14 | not yet calculated | CVE-2025-54562 | https://desktopalert.net https://desktopalert.net/cve-2025-54562/ |
| n/a--n/a | A vulnerability was found in Alaga Home Security WiFi Camera 3K (model S-CW2503C-H) with hardware version V03 and firmware version 1.4.2, which allows physical attackers to execute commands as root via script file with a specific name on a SD card. | 2025-11-13 | not yet calculated | CVE-2025-55810 | https://www.alagaai.com/ https://www.mgm-sp.com/privilege-escalation-vulnerability-in-alaga-home-security-wifi-camera |
| n/a--n/a | A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents. | 2025-11-12 | not yet calculated | CVE-2025-56385 | http://harmony.com http://wellsky.com https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection |
| n/a--n/a | A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07 via crafted POST request to admin.php?p=ads&c=1 allowing attackers to execute arbitrary code. | 2025-11-12 | not yet calculated | CVE-2025-57310 | https://gist.github.com/MMAKINGDOM/a6c2c8c70145cbea4e119525651e9a8d https://github.com/MMAKINGDOM/CVE-2025-57310 |
| Apache Software Foundation--Apache OFBiz | Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-59118 | https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://ofbiz.apache.org/release-notes-24.09.03.html https://issues.apache.org/jira/browse/OFBIZ-13292 https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt |
| ASUS--DSL-AC51 | An authentication bypass vulnerability has been identified in certain DSL series routers, which may allow remote attackers to gain unauthorized access to the affected system. Refer to the 'Security Update for DSL Series Router' section on the ASUS Security Advisory for more information. | 2025-11-13 | not yet calculated | CVE-2025-59367 | https://www.asus.com/security-advisory |
| n/a--n/a | Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields. | 2025-11-12 | not yet calculated | CVE-2025-59491 | https://centralsquare.com https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr |
| GNU Project--GNU libmicrohttpd | NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. | 2025-11-10 | not yet calculated | CVE-2025-59777 | https://www.gnu.org/software/libmicrohttpd/ https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b https://jvn.jp/en/jp/JVN76719218/ |
| n/a--n/a | A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request. | 2025-11-12 | not yet calculated | CVE-2025-60645 | https://github.com/xuxueli/xxl-api/issues/64 https://gist.github.com/LockeTom/77fb982a49dee956101810bbefa09fb4 |
| n/a--n/a | A stored cross-site scripting (XSS) vulnerability in the Business Line Management module of Xxl-api v1.3.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. | 2025-11-12 | not yet calculated | CVE-2025-60646 | https://github.com/xuxueli/xxl-api/issues/65 https://gist.github.com/LockeTom/0a02c0b2e2011abfbdf4e5fdbcc9b371 |
| n/a--n/a | A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /var/system/linux_vlan_reinit file. The vulnerability occurs because content read from this file is only partially validated for a prefix and then formatted using vsnprintf() before being executed with system(), allowing an attacker with write access to /var/system/linux_vlan_reinit to execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60671 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-823G/CVE-2025-60671.md |
| n/a--n/a | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device. | 2025-11-13 | not yet calculated | CVE-2025-60672 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60672.md |
| n/a--n/a | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device. | 2025-11-13 | not yet calculated | CVE-2025-60673 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60673.md |
| D-Link--DIR-878A1 | A stack buffer overflow vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin in the rc binary's USB storage handling module. The vulnerability occurs when the "Serial Number" field from a USB device is read via sscanf into a 64-byte stack buffer, while fgets reads up to 127 bytes, causing a stack overflow. An attacker with physical access or control over a USB device can exploit this vulnerability to potentially execute arbitrary code on the device. | 2025-11-13 | not yet calculated | CVE-2025-60674 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60674.md |
| D-Link--DIR-823G | A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule configuration file. The vulnerability occurs because parsed fields from the configuration file are concatenated into command strings and executed via system() without any sanitization. An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60675 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-823G/CVE-2025-60675.md |
| D-Link--DIR-878 | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetNetworkSettings' functionality of prog.cgi, where the 'IPAddress' and 'SubnetMask' parameters are directly concatenated into shell commands executed via system(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device. | 2025-11-13 | not yet calculated | CVE-2025-60676 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60676.md |
| D-Link--DIR-816A2 | A stack buffer overflow vulnerability exists in the D-Link DIR-816A2 router firmware DIR-816A2_FWv1.10CNB05_R1B011D88210.img in the upload.cgi module, which handles firmware version information. The vulnerability occurs because /proc/version is read into a 512-byte buffer and then concatenated using sprintf() into another 512-byte buffer containing a 29-byte constant. Input exceeding 481 bytes triggers a stack buffer overflow, allowing an attacker who can control /proc/version content to potentially execute arbitrary code on the device. | 2025-11-13 | not yet calculated | CVE-2025-60679 | http://d-link.com https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/en https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-816/CVE-2025-60679.md |
| ToToLink--A720R Router | A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the cloudupdate_check binary, specifically in the sub_402414 function that handles cloud update parameters. User-supplied 'magicid' and 'url' values are directly concatenated into shell commands and executed via system() without any sanitization or escaping. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60682 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60682.md |
| ToToLink--A720R Router | A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary, specifically in the sub_40BFA4 function that handles network interface reinitialization from '/var/system/linux_vlan_reinit'. Input is only partially validated by checking the prefix of interface names, and is concatenated into shell commands executed via system() without escaping. An attacker with write access to this file can execute arbitrary commands on the device. | 2025-11-13 | not yet calculated | CVE-2025-60683 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60683.md |
| ToToLink--A1200GB Router | A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (sub_42F32C function). The web interface reads the "lang" parameter and constructs Help URL strings using sprintf() into fixed-size stack buffers without proper length validation. Maliciously crafted input can overflow these buffers, potentially leading to arbitrary code execution or memory corruption, without requiring authentication. | 2025-11-13 | not yet calculated | CVE-2025-60684 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60684.md |
| ToToLink--A720R Router | A stack buffer overflow exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary (sub_401EE0 function). The binary reads the /proc/stat file using fgets() into a local buffer and subsequently parses the line using sscanf() into a single-byte variable with the %s format specifier. Maliciously crafted /proc/stat content can overwrite adjacent stack memory, potentially allowing an attacker with filesystem write privileges to execute arbitrary code on the device. | 2025-11-13 | not yet calculated | CVE-2025-60685 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60685.md |
| ToToLink--A720R Router | A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, and NR1800X V9.1.0u.6681_B20230703). Both programs parse the contents of /proc/net/arp using sscanf() with "%s" format specifiers into fixed-size stack buffers without length validation. Specifically, one function writes user-controlled data into a single-byte buffer, and the other into adjacent small arrays without bounds checking. An attacker who controls the contents of /proc/net/arp can trigger memory corruption, leading to denial of service or potential arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60686 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60686.md |
| ToToLink--LR1200GB Router | An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). The binary reads the "imei" parameter from a web request and verifies only that it is 15 characters long. The parameter is then directly inserted into a system command using sprintf() and executed with system(). Maliciously crafted IMEI input can execute arbitrary commands on the router without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60687 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60687.md |
| ToToLink--LR1200GB Router | A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (setDefResponse function). The binary reads the "IpAddress" parameter from a web request and copies it into a fixed-size stack buffer using strcpy() without any length validation. Maliciously crafted input can overflow the buffer, leading to potential arbitrary code execution or memory corruption, without requiring authentication. | 2025-11-13 | not yet calculated | CVE-2025-60688 | http://totolink.com https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60688.md |
| Linksys--Linksys E1200 v2 | An unauthenticated command injection vulnerability exists in the Start_EPI function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The vulnerability occurs because user-supplied CGI parameters (wl_ant, wl_ssid, wl_rate, ttcp_num, ttcp_ip, ttcp_size) are concatenated into system command strings without proper sanitization and executed via wl_exec_cmd. Successful exploitation allows remote attackers to execute arbitrary commands on the device without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60689 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60689.md |
| Linksys--Linksys E1200 v2 | A stack-based buffer overflow exists in the get_merge_ipaddr function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to four user-supplied CGI parameters matching <parameter>_0~3 into a fixed-size buffer (a2) without bounds checking. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60690 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60690.md |
| Linksys--Linksys E1200 v2 | A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The apply_cgi and block_cgi functions copy user-supplied input from the "url" CGI parameter into stack buffers (v36, v29) using sprintf without bounds checking. Because these buffers are allocated as single-byte variables, any non-empty input will trigger a buffer overflow. Remote attackers can exploit this vulnerability via crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60691 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60691.md |
| Linksys--Linksys E1200 v2 | A stack-based buffer overflow vulnerability exists in the libshared.so library of Cisco Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The functions get_mac_from_ip and get_ip_from_mac use sscanf with overly permissive "%100s" format specifiers to parse entries from /proc/net/arp into fixed-size buffers (v6: 50 bytes, v7 sub-arrays: 50 bytes). This allows local attackers controlling the contents of /proc/net/arp to overflow stack buffers, leading to memory corruption, denial of service, or potential arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60692 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60692.md |
| Linksys--Linksys E1200 v2 | A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to six user-supplied CGI parameters matching <parameter>_0~5 into a fixed-size buffer (a2) without proper bounds checking, appending colon delimiters during concatenation. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60693 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60693.md |
| Linksys--Linksys E1200 v2 | A stack-based buffer overflow exists in the validate_static_route function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function improperly concatenates user-supplied CGI parameters (route_ipaddr_0~3, route_netmask_0~3, route_gateway_0~3) into fixed-size buffers (v6, v10, v14) without proper bounds checking. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication. | 2025-11-13 | not yet calculated | CVE-2025-60694 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E1200/CVE-2025-60694.md |
| Linksys--Linksys E7350 | A stack-based buffer overflow vulnerability exists in the mtk_dut binary of Linksys E7350 routers (Firmware 1.1.00.032). The function sub_4045A8 reads up to 256 bytes from /sys/class/net/%s/address into a local buffer and then copies it into caller-provided buffer a1 using strcpy without boundary checks. Since a1 is often allocated with significantly smaller sizes (20-32 bytes), local attackers controlling the contents of /sys/class/net/%s/address can trigger buffer overflows, leading to memory corruption, denial of service, or potential arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60695 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-E7350/CVE-2025-60695.md |
| Linksys--Linksys RE7000 | A stack-based buffer overflow vulnerability exists in the makeRequest.cgi binary of Linksys RE7000 routers (Firmware FW_v2.0.15_211230_1012). The arplookup function parses lines from /proc/net/arp using sscanf("%16s ... %18s ..."), storing results into buffers v6 (12 bytes) and v7 (20 bytes). Since the format specifiers allow up to 16 and 18 bytes respectively, oversized input can overflow the buffers, resulting in stack corruption. Local attackers controlling /proc/net/arp contents can exploit this issue to cause denial of service or potentially execute arbitrary code. | 2025-11-13 | not yet calculated | CVE-2025-60696 | http://linksys.com https://www.linksys.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/Linksys/Linksys-RE700/CVE-2025-60696.md |
| D-Link--DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_4438A4` function in `prog.cgi` stores user-supplied DDNS parameters (`ServerAddress` and `Hostname`) in NVRAM via `nvram_safe_set`. These values are later retrieved in the `start_DDNS_ipv4` function of `rc` using `nvram_safe_get` and concatenated into DDNS shell commands executed via `twsystem()` without proper sanitization. Partial string comparison is performed but is insufficient to prevent command injection. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface. | 2025-11-13 | not yet calculated | CVE-2025-60697 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/4.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60697.md |
| D-Link--DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_432F60` function in `prog.cgi` stores user-supplied `SetSysLogSettings/IPAddress` values in NVRAM via `nvram_safe_set("SysLogRemote_IPAddress", ...)`. These values are later retrieved in the `sub_448DCC` function of `rc` using `nvram_safe_get` and concatenated into a shell command executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface. | 2025-11-13 | not yet calculated | CVE-2025-60698 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/2.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60698.md |
| TOTOLINK--A950RG Router | A buffer overflow vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `global.so` binary. The `getSaveConfig` function retrieves the `http_host` parameter from user input via `websGetVar` and copies it into a fixed-size stack buffer (`v13`) using `strcpy()` without performing any length checks. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router's web interface, potentially leading to arbitrary code execution. | 2025-11-13 | not yet calculated | CVE-2025-60699 | https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/2.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/CVE-2025-60699.md |
| D-Link--DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `librcm.so` binaries. The `sub_4455BC` function in `prog.cgi` stores user-supplied `SetDMZSettings/IPAddress` values in NVRAM via `nvram_safe_set("dmz_ipaddr", ...)`. These values are later retrieved in the `DMZ_run` function of `librcm.so` using `nvram_safe_get` and concatenated into `iptables` shell commands executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface. | 2025-11-13 | not yet calculated | CVE-2025-60700 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/3.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60700.md |
| D-Link--DIR-882 Router | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_433188` function in `prog.cgi` stores user-supplied email configuration parameters (`EmailFrom`, `EmailTo`, `SMTPServerAddress`, `SMTPServerPort`, `AccountName`) in NVRAM via `nvram_safe_set`. These values are later retrieved in the `sub_448FDC` function of `rc` using `nvram_safe_get` and concatenated into shell commands executed via `twsystem()` without sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface. | 2025-11-13 | not yet calculated | CVE-2025-60701 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/1.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60701.md |
| TOTOLINK--A950RG Router | A command injection vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `system.so` binary. The `setDiagnosisCfg` function retrieves the `ipDoamin` parameter from user input via `websGetVar` and concatenates it directly into a `ping` system command executed via `CsteSystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface. | 2025-11-13 | not yet calculated | CVE-2025-60702 | https://www.totolink.net/ https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/1.md https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A950RG/CVE-2025-60702.md |
| n/a--BusyBox 1.3.7 | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | 2025-11-10 | not yet calculated | CVE-2025-60876 | https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092 |
| Apache Software Foundation--Apache OFBiz | Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-61623 | https://issues.apache.org/jira/browse/OFBIZ-13295 https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://ofbiz.apache.org/release-notes-24.09.03.html https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y |
| DataDog--datadog-agent | The Datadog Agent collects events and metrics from hosts and sends them to Datadog. A vulnerability within the Datadog Linux Host Agent versions 7.65.0 through 7.70.2 exists due to insufficient permissions being set on the `opt/datadog-agent/python-scripts/__pycache__` directory during installation. Code in this directory is only run by the Agent during Agent install/upgrades. This could allow an attacker with local access to modify files in this directory, which would then subsequently be run when the Agent is upgraded, resulting in local privilege escalation. This issue requires local access to the host and a valid low privilege account to be vulnerable. Note that this vulnerability only impacts the Linux Host Agent. Other variations of the Agent including the container, kubernetes, windows host and other agents are not impacted. Version 7.71.0 contains a patch for the issue. | 2025-11-12 | not yet calculated | CVE-2025-61667 | https://github.com/DataDog/datadog-agent/security/advisories/GHSA-6852-76c5-6cmg |
| GNU Project--GNU libmicrohttpd | A NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. | 2025-11-10 | not yet calculated | CVE-2025-62689 | https://www.gnu.org/software/libmicrohttpd/ https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b https://jvn.jp/en/jp/JVN76719218/ |
| SUSE--openSUSE | An Execution with Unnecessary Privileges vulnerability in lightdm-kde-greeter allows escalation from the service user to root. This issue affects lightdm-kde-greeter before 6.0.4. | 2025-11-12 | not yet calculated | CVE-2025-62876 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62876 |
| Tenda--n/a | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the deviceId parameter of the saveParentControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63147 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/5/1.md |
| Tenda--n/a | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the urls parameter of the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63149 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/3/1.md |
| Tenda--n/a | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the wpapsk_crypto parameter of the wlSetExternParameter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63152 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/4/1.md |
| TOTOLink--A7000R | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the ssid parameter of the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63153 | https://github.com/0-fool/VulnbyCola/blob/main/TOTOLINK/A7000/6/1.md |
| TOTOLink--A7000R | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the addEffect parameter of the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | 2025-11-10 | not yet calculated | CVE-2025-63154 | https://github.com/0-fool/VulnbyCola/blob/main/TOTOLINK/A7000/4/1.md |
| n/a--Open5GS 2.7.6 | In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service. | 2025-11-10 | not yet calculated | CVE-2025-63288 | https://github.com/open5gs/open5gs/issues/4087 https://github.com/open5gs/open5gs/commit/be765fe2b03e350836272eee5afb3931bdfb86d5 |
| n/a--n/a | Sogexia Android App Compile Affected SDK v35, Max SDK 32 and fixed in v36, was discovered to contain hardcoded encryption keys in the encryption_helper.dart file | 2025-11-12 | not yet calculated | CVE-2025-63289 | https://www.linkedin.com/in/umanhonlengabriel https://medium.com/@sudosu01/information-disclosure-hardcoded-encryption-keys-fc375abf68a3 |
| n/a--Alteryx server 2022.1.1.42654 | When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particular MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio API keys. | 2025-11-14 | not yet calculated | CVE-2025-63291 | https://help.alteryx.com/current/en/server/api-overview/alteryx-server-api-v3/server-api-configuration-and-authorization.html https://help.alteryx.com/current/en/server/api-overview.html https://aleksazatezalo.medium.com/alteryx-server-idor-advisory-782e3013ee38 |
| n/a--Tuya Smart Security Camera firmware v33.53.87 | KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera firmware v33.53.87 contains a code execution vulnerability in its boot/update logic: during startup /usr/sbin/anyka_service.sh scans mounted TF/SD cards and, if /mnt/update.nor.sh is present, copies it to /tmp/net.sh and executes it as root. | 2025-11-10 | not yet calculated | CVE-2025-63296 | https://gist.github.com/t4e-3/082cdd0b7ee6b650c7aaae97fd4e016c https://github.com/t4e-3/CVE-2025-63296 |
| n/a--FiberHome | A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that derives the router passphrase from the SSID, enabling an attacker who can observe the SSID to predict the default password without authentication or user interaction. | 2025-11-12 | not yet calculated | CVE-2025-63353 | https://github.com/hanianis/CVE-2025-63353 https://medium.com/@hanianis.bouzid/fiberhome-gpon-onu-model-hg6145f1-router-predictable-wifi-passwords-and-real-risks-d8e54da385d3 |
| n/a--n/a | A vulnerability was discovered in RISC-V Rocket-Chip v1.6 and before implementation where the SRET (Supervisor-mode Exception Return) instruction fails to correctly transition the processor's privilege level. Instead of downgrading from Machine-mode (M-mode) to Supervisor-mode (S-mode) as specified by the sstatus.SPP bit, the processor incorrectly remains in M-mode, leading to a critical privilege retention vulnerability. | 2025-11-10 | not yet calculated | CVE-2025-63384 | https://github.com/chipsalliance/rocket-chip.git https://github.com/107040503/RISC-V-Vulnerability-Disclosure_SRET |
| n/a--PyTorch v2.5, v2.7.1 | An issue was discovered in PyTorch v2.5 and v2.7.1. Omission of profiler.stop() can cause torch.profiler.profile (PythonTracer) to crash or hang during finalization, leading to a Denial of Service (DoS). | 2025-11-12 | not yet calculated | CVE-2025-63396 | https://github.com/Daisy2ang http://pytorch.com https://github.com/pytorch/pytorch https://github.com/pytorch/pytorch/issues/156563 |
| n/a--OneFlow v0.9.0 | Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion. | 2025-11-10 | not yet calculated | CVE-2025-63397 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10666 |
| n/a--GroupOffice | An issue in Intermesh BV GroupOffice before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via dbToApi() and eval() in FunctionField.php. | 2025-11-13 | not yet calculated | CVE-2025-63406 | https://noahheraud.com/posts/CVE-2025-63406/ |
| n/a--CrushFTP 11.3.6 | Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files; the feature reflects the filename into an emailbody field with no sanitization, leading to HTML Injection. | 2025-11-12 | not yet calculated | CVE-2025-63419 | https://gist.github.com/MMAKINGDOM/39ded58b1e6d2d19366e76e0d5b1c851 https://github.com/MMAKINGDOM/CVE-2025-63419/ |
| Tenda--AX-3 v16.03.12.10 | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63455 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/6/1.md |
| Tenda--AX-1803 v1.0.0.1 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the SetSysTimeCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63456 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/3/1.md |
| Tenda--AX-1803 v1.0.0.1 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the sub_4F55C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2025-11-10 | not yet calculated | CVE-2025-63457 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/1/1.md |
| n/a--n/a | The patient prescription viewing functionality in his_doc_view_single_patient.php of rickxy Hospital Management System version 1.0 contains an SQL injection vulnerability. The pat_number GET parameter is directly concatenated into SQL queries without proper sanitization, allowing authenticated attackers (doctor role) to execute arbitrary SQL queries. | 2025-11-10 | not yet calculated | CVE-2025-63497 | https://github.com/cristibtz/security-research/tree/main/rickxy-Hospital-Management-System https://github.com/cristibtz/security-research/blob/main/CVE-2025-63497/report.md |
| n/a--n/a | ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data. | 2025-11-10 | not yet calculated | CVE-2025-63617 | https://github.com/ChangeYourWay/post/blob/main/ktg-mes.md https://gist.github.com/ChangeYourWay/8651679a2155269bccf520fcb34fc661 |
| n/a--n/a | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user's Inbox view without appropriate context-aware encoding. As a result, attacker-controlled content executes in the recipient's browser context when the Inbox message is viewed. | 2025-11-12 | not yet calculated | CVE-2025-63645 | https://drive.google.com/drive/folders/1u2o2NWHzClSjsNzhtkk1QvaDGisAXs2v https://medium.com/@rudranshsinghrajpurohit/cve-2025-63645-stored-cross-site-scripting-xss-vulnerability-in-ph7-social-dating-cms-8073ac4be5be |
| n/a--n/a | Tenda AC15 (v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources. | 2025-11-12 | not yet calculated | CVE-2025-63666 | https://github.com/Remenis/CVE-2025-63666 |
| n/a--n/a | Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication. | 2025-11-12 | not yet calculated | CVE-2025-63667 | https://github.com/Remenis/Vatilon_evidence/releases/download/Evidence/Vatilon_vulnerability_evidence_2025.zip https://github.com/Remenis/CVE-2025-63667 |
| n/a--n/a | An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file. | 2025-11-10 | not yet calculated | CVE-2025-63678 | https://github.com/kasiasok/raports/blob/main/CMSMS%202.2.22%20_%20Raport%20092025.pdf |
| n/a--n/a | free5gc v4.1.0 and before is vulnerable to Buffer Overflow. When AMF receives an UplinkRANConfigurationTransfer NGAP message from a gNB, the AMF process crashes. | 2025-11-12 | not yet calculated | CVE-2025-63679 | https://github.com/free5gc/free5gc/issues/725 https://gist.github.com/DDGod2025/5483d94b028d7a0c111ca23844e8a94d |
| n/a--n/a | Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affects recent Nero BackItUp product lines (2019-2025 and earlier) and has been acknowledged by the vendor. | 2025-11-14 | not yet calculated | CVE-2025-63680 | https://github.com/PotatoHamm/Nero-Productline-Vulnerability |
| n/a--n/a | A heap corruption vulnerability exists in the Advantech TP-3250 printer driver's DrvUI_x64_ADVANTECH.dll (v0.3.9200.20789) when DocumentPropertiesW() is called with a valid dmDriverExtra value but an undersized output buffer. The driver incorrectly assumes the output buffer size matches the input buffer size, leading to invalid memory operations and heap corruption. This vulnerability can cause denial of service through application crashes and potentially lead to code execution in user space. Local access is required to exploit this vulnerability. | 2025-11-14 | not yet calculated | CVE-2025-63701 | https://neurowinter.com/security/2025/10/08/Heap-Corruption-in-Advantech-TP-3250-Printer-Driver/ |
| n/a--n/a | A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim's browser. | 2025-11-10 | not yet calculated | CVE-2025-63709 | https://www.sourcecodester.com/php/17897/simple-do-list-system-using-php.html https://github.com/floccocam-cpu/CVE-Research-2025/tree/main/CVE-2025-63709 |
| n/a--n/a | The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room. | 2025-11-10 | not yet calculated | CVE-2025-63710 | https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md |
| n/a--n/a | A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts. | 2025-11-10 | not yet calculated | CVE-2025-63711 | https://www.sourcecodester.com/php/17514/client-database-management-system.html https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63711/README3.md |
| n/a--n/a | Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows remote attackers to delete arbitrary user accounts via forged cross-origin GET requests because the endpoint relies solely on session cookies and lacks CSRF protection. | 2025-11-10 | not yet calculated | CVE-2025-63712 | https://www.sourcecodester.com/php/17883/web-based-product-alert-system.html https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63712/README4.md |
| n/a--n/a | SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php. | 2025-11-14 | not yet calculated | CVE-2025-63724 | https://deepstrike.io/blog/sql-injection-in-svx-portal-v-2-7A |
| n/a--n/a | Reflected Cross-Site Scripting (XSS) vulnerability in SVX Portal 2.7A via the id parameter to Recivers.php. | 2025-11-14 | not yet calculated | CVE-2025-63725 | https://deepstrike.io/blog/sql-injection-in-svx-portal-v-2-7A https://deepstrike.io/blog/reflected-xss-via-unescaped-attribute-context-in-svx-portal |
| n/a--n/a | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program. | 2025-11-14 | not yet calculated | CVE-2025-63744 | https://github.com/marlinkcyber/advisories/blob/main/advisories/radare2-nullptr-deref-bin_dyldcache.md https://github.com/radareorg/radare2/issues/24661 https://github.com/radareorg/radare2/commit/e37e15d10fd8a19c3e57b3d7735a2cfe0082ec79 https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-002-radare2-nullptr-deref-bin_dyldcache.md |
| n/a--n/a | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data. | 2025-11-14 | not yet calculated | CVE-2025-63745 | https://github.com/marlinkcyber/advisories/blob/main/advisories/radare2-nullptr-deref-bin_ne.md https://github.com/radareorg/radare2/issues/24660 https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-001-radare2-nullptr-deref-bin_ne.md |
| n/a--n/a | An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio. | 2025-11-12 | not yet calculated | CVE-2025-63811 | https://github.com/dvsekhvalnov/jose2go/issues/33 |
| n/a--n/a | CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content. | 2025-11-14 | not yet calculated | CVE-2025-63830 | https://ckeditor.com/ckfinder/changelog/ https://github.com/Shubham03007/CVE-2025-63830/blob/main/README.md |
| Tenda--AC18 v15.03.05.05 | A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage. | 2025-11-10 | not yet calculated | CVE-2025-63834 | https://github.com/babraink/cve_report/blob/main/cve_report/tenda/tendaAC18/wifiset_ssid_xss/README.md |
| Tenda--AC18 v15.03.05.05 | A stack-based buffer overflow vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the guestSsid parameter of the /goform/WifiGuestSet interface. Remote attackers can exploit this vulnerability by sending oversized data to the guestSsid parameter, leading to denial of service (device crash) or potential remote code execution. | 2025-11-10 | not yet calculated | CVE-2025-63835 | https://github.com/babraink/cve_report/blob/main/cve_report/tenda/tendaAC18/2_wifiguest_guestssid_overflow/README.md |
| n/a--n/a | Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql. | 2025-11-14 | not yet calculated | CVE-2025-63891 | http://simple.com http://sourcecodester.com https://github.com/lucascdsm/CVEs/blob/main/CVE-2025-63891.md |
| n/a--n/a | A heap-use-after-free vulnerability exists in airpig2011 IEC104 thru Commit be6d841 (2019-07-08). During multi-threaded client execution, the function Iec10x_Scheduled can access memory that has already been freed, potentially causing program crashes or undefined behavior. This may be exploited to trigger a denial-of-service or memory corruption. | 2025-11-12 | not yet calculated | CVE-2025-63927 | https://github.com/airpig2011/IEC104/issues/20 https://songsong.host/mybugs/CVE-2025-63927.html |
| n/a--n/a | A null pointer dereference vulnerability exists in airpig2011 IEC104 thru Commit be6d841 (2019-07-08). When multiple threads enqueue elements concurrently via IEC10X_PrioEnQueue, the function may dereference a null or freed queue pointer, resulting in a segmentation fault and potential denial-of-service. | 2025-11-12 | not yet calculated | CVE-2025-63929 | https://github.com/airpig2011/IEC104/issues/21 https://songsong.host/mybugs/CVE-2025-63929.html |
| n/a--n/a | An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gridsquare POST parameter. This allows a remote, authenticated attacker to execute arbitrary SQL commands by injecting a malicious payload, which is then concatenated directly into a raw SQL query in the vucc_qso_details function. | 2025-11-14 | not yet calculated | CVE-2025-64084 | https://github.com/magicbug/Cloudlog/commit/72a8c3d705c8629f60f64da9f37968417c980242 https://github.com/magicbug/Cloudlog/releases/tag/2.7.6 https://github.com/XY20130630/Cloudlog/security/advisories/GHSA-4r9r-3r3q-jg44 |
| OpenIdentityPlatform--OpenAM | Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the "claims_parameter_supported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the id_token or in the user_info. In the request of an authorize function, a claims parameter containing a JSON file can be injected. This JSON file allows attackers to customize the claims returned by the "id_token" and "user_info" files. This allows for a very wide range of vulnerabilities depending on how clients use claims. For example, if some clients rely on an email field to identify a user, an attacker can choose the email address they want, and therefore assume any identity they choose. Version 16.0.0 fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64099 | https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-39hr-239p-fhqc |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue. | 2025-11-10 | not yet calculated | CVE-2025-64181 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq https://github.com/user-attachments/files/23024726/archive0.zip https://github.com/user-attachments/files/23024736/archive1.zip https://github.com/user-attachments/files/23024740/archive2.zip https://github.com/user-attachments/files/23024744/archive3.zip https://github.com/user-attachments/files/23024746/archive4.zip |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allows crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue. | 2025-11-10 | not yet calculated | CVE-2025-64182 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L528-L536 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue. | 2025-11-10 | not yet calculated | CVE-2025-64183 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115 |
| Jeroen Schmit--Theater for WordPress | Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.18.8. | 2025-11-13 | not yet calculated | CVE-2025-64259 | https://vdp.patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-18-8-broken-access-control-vulnerability?_s_id=cve |
| codepeople--Appointment Booking Calendar | Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Booking Calendar: from n/a through <= 1.3.95. | 2025-11-13 | not yet calculated | CVE-2025-64261 | https://vdp.patchstack.com/database/Wordpress/Plugin/appointment-booking-calendar/vulnerability/wordpress-appointment-booking-calendar-plugin-1-3-95-broken-access-control-vulnerability?_s_id=cve |
| ramon fincken--Auto Prune Posts | Cross-Site Request Forgery (CSRF) vulnerability in ramon fincken Auto Prune Posts auto-prune-posts allows Cross Site Request Forgery. This issue affects Auto Prune Posts: from n/a through <= 3.0.0. | 2025-11-13 | not yet calculated | CVE-2025-64262 | https://vdp.patchstack.com/database/Wordpress/Plugin/auto-prune-posts/vulnerability/wordpress-auto-prune-posts-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| PluginEver--WP Content Pilot | Missing Authorization vulnerability in PluginEver WP Content Pilot wp-content-pilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Content Pilot: from n/a through <= 2.1.7. | 2025-11-13 | not yet calculated | CVE-2025-64263 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-content-pilot/vulnerability/wordpress-wp-content-pilot-plugin-2-1-7-broken-access-control-vulnerability?_s_id=cve |
| Aman--Popup addon for Ninja Forms | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms popup-addon-for-ninja-forms allows Stored XSS. This issue affects Popup addon for Ninja Forms: from n/a through <= 3.5.1. | 2025-11-13 | not yet calculated | CVE-2025-64264 | https://vdp.patchstack.com/database/Wordpress/Plugin/popup-addon-for-ninja-forms/vulnerability/wordpress-popup-addon-for-ninja-forms-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| N-Media--Frontend File Manager | Missing Authorization vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frontend File Manager: from n/a through <= 23.2. | 2025-11-13 | not yet calculated | CVE-2025-64265 | https://vdp.patchstack.com/database/Wordpress/Plugin/nmedia-user-file-uploader/vulnerability/wordpress-frontend-file-manager-plugin-23-2-broken-access-control-vulnerability-2?_s_id=cve |
| WPSwings--WooCommerce Ultimate Points And Rewards | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through <= 2.10.2. | 2025-11-13 | not yet calculated | CVE-2025-64267 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-ultimate-points-and-rewards/vulnerability/wordpress-woocommerce-ultimate-points-and-rewards-plugin-2-10-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| EDGARROJAS--WooCommerce PDF Invoice Builder | Missing Authorization vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoice Builder: from n/a through <= 1.2.150. | 2025-11-13 | not yet calculated | CVE-2025-64269 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-pdf-invoice-builder/vulnerability/wordpress-woocommerce-pdf-invoice-builder-plugin-1-2-150-broken-access-control-vulnerability?_s_id=cve |
| HasThemes--WP Plugin Manager | Cross-Site Request Forgery (CSRF) vulnerability in HasThemes WP Plugin Manager wp-plugin-manager allows Cross Site Request Forgery. This issue affects WP Plugin Manager: from n/a through <= 1.4.7. | 2025-11-13 | not yet calculated | CVE-2025-64271 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-plugin-manager/vulnerability/wordpress-wp-plugin-manager-plugin-1-4-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| wpkoithemes--WPKoi Templates for Elementor | Missing Authorization vulnerability in wpkoithemes WPKoi Templates for Elementor wpkoi-templates-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPKoi Templates for Elementor: from n/a through <= 3.4.4. | 2025-11-13 | not yet calculated | CVE-2025-64274 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpkoi-templates-for-elementor/vulnerability/wordpress-wpkoi-templates-for-elementor-plugin-3-4-4-broken-access-control-vulnerability?_s_id=cve |
| wpdevelop--Booking Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS. This issue affects Booking Manager: from n/a through <= 2.1.17. | 2025-11-13 | not yet calculated | CVE-2025-64275 | https://vdp.patchstack.com/database/Wordpress/Plugin/booking-manager/vulnerability/wordpress-booking-manager-plugin-2-1-17-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ays Pro--Survey Maker | Missing Authorization vulnerability in Ays Pro Survey Maker survey-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Survey Maker: from n/a through <= 5.1.9.4. | 2025-11-13 | not yet calculated | CVE-2025-64276 | https://vdp.patchstack.com/database/Wordpress/Plugin/survey-maker/vulnerability/wordpress-survey-maker-plugin-5-1-9-4-broken-access-control-vulnerability?_s_id=cve |
| QuantumCloud--ChatBot | Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through <= 7.3.9. | 2025-11-13 | not yet calculated | CVE-2025-64277 | https://vdp.patchstack.com/database/Wordpress/Plugin/chatbot/vulnerability/wordpress-chatbot-plugin-7-3-9-broken-access-control-vulnerability?_s_id=cve |
| n/a--CentralSquare Community Development 19.5.7 | A SQL Injection Vulnerability in CentralSquare Community Development 19.5.7 allows attackers to inject SQL via the permit_no field. | 2025-11-12 | not yet calculated | CVE-2025-64280 | https://centralsquare.com https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr |
| n/a--CentralSquare Community Development 19.5.7 | An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials. | 2025-11-12 | not yet calculated | CVE-2025-64281 | https://centralsquare.com https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr |
| PascalBajorat--Analytics Germanized for Google Analytics | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PascalBajorat Analytics Germanized for Google Analytics ga-germanized allows DOM-Based XSS. This issue affects Analytics Germanized for Google Analytics: from n/a through <= 1.6.2. | 2025-11-13 | not yet calculated | CVE-2025-64292 | https://vdp.patchstack.com/database/Wordpress/Plugin/ga-germanized/vulnerability/wordpress-analytics-germanized-for-google-analytics-plugin-1-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| codepeople--Contact Form Email | Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.58. | 2025-11-13 | not yet calculated | CVE-2025-64369 | https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-to-email/vulnerability/wordpress-contact-form-email-plugin-1-3-58-broken-access-control-vulnerability?_s_id=cve |
| YOP--YOP Poll | Missing Authorization vulnerability in YOP YOP Poll yop-poll allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YOP Poll: from n/a through <= 6.5.38. | 2025-11-13 | not yet calculated | CVE-2025-64370 | https://vdp.patchstack.com/database/Wordpress/Plugin/yop-poll/vulnerability/wordpress-yop-poll-plugin-6-5-38-broken-access-control-vulnerability?_s_id=cve |
| Pluggabl--Booster for WooCommerce | Missing Authorization vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booster for WooCommerce: from n/a through <= 7.4.0. | 2025-11-13 | not yet calculated | CVE-2025-64379 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-jetpack/vulnerability/wordpress-booster-for-woocommerce-plugin-7-4-0-broken-access-control-vulnerability?_s_id=cve |
| Pluggabl--Booster for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Stored XSS. This issue affects Booster for WooCommerce: from n/a through <= 7.3.2. | 2025-11-13 | not yet calculated | CVE-2025-64380 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-jetpack/vulnerability/wordpress-booster-for-woocommerce-plugin-7-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpdevelop--Booking Calendar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS. This issue affects Booking Calendar: from n/a through <= 10.14.7. | 2025-11-13 | not yet calculated | CVE-2025-64381 | https://vdp.patchstack.com/database/Wordpress/Plugin/booking/vulnerability/wordpress-booking-calendar-plugin-10-14-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WebToffee--Order Export & Order Import for WooCommerce | Missing Authorization vulnerability in WebToffee Order Export & Order Import for WooCommerce order-import-export-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Export & Order Import for WooCommerce: from n/a through <= 2.6.7. | 2025-11-13 | not yet calculated | CVE-2025-64382 | https://vdp.patchstack.com/database/Wordpress/Plugin/order-import-export-for-woocommerce/vulnerability/wordpress-order-export-order-import-for-woocommerce-plugin-2-6-7-broken-access-control-vulnerability?_s_id=cve |
| Qode--Qi Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Qode Qi Blocks qi-blocks allows Stored XSS. This issue affects Qi Blocks: from n/a through <= 1.4.3. | 2025-11-13 | not yet calculated | CVE-2025-64383 | https://vdp.patchstack.com/database/Wordpress/Plugin/qi-blocks/vulnerability/wordpress-qi-blocks-plugin-1-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| jetmonsters--JetFormBuilder | Missing Authorization vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetFormBuilder: from n/a through <= 3.5.3. | 2025-11-13 | not yet calculated | CVE-2025-64384 | https://vdp.patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve |
| Apache Software Foundation--Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used "floating frames" linked to external files would load the contents of those frames without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. The LibreOffice suite reported this issue as CVE-2023-2255 | 2025-11-12 | not yet calculated | CVE-2025-64401 | https://www.openoffice.org/security/cves/CVE-2025-64401.html https://lists.apache.org/thread/o00dtgvhr9tx8r4y8vf6y2mg7nn6mx6c |
| Apache Software Foundation--Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used "OLE objects" linked to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64402 | https://www.openoffice.org/security/cves/CVE-2025-64402.html https://lists.apache.org/thread/tssrl88tygjsgk6csllm6p2fb6tlv8d8 |
| Apache Software Foundation--Apache OpenOffice | Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of "external data sources". A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause such links to be loaded without prompt. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64403 | https://www.openoffice.org/security/cves/CVE-2025-64403.html https://lists.apache.org/thread/t7c6jhvdb00xtgd9vvn7h5sq9f4h5trt |
| Apache Software Foundation--Apache OpenOffice | Apache OpenOffice documents can contain links to other files. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used background fill images, or bullet images, linked to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64404 | https://www.openoffice.org/security/cves/CVE-2025-64404.html https://lists.apache.org/thread/08n4mdx0pnhqsllnkc63d27sdgq3tygc |
| Apache Software Foundation--Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet containing DDE links to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64405 | https://www.openoffice.org/security/cves/CVE-2025-64405.html https://lists.apache.org/thread/0jjftxkcc4l9kt7jjn630hfrh2ygfcbk |
| Apache Software Foundation--Apache OpenOffice | An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program, or otherwise corrupt other memory areas. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. | 2025-11-12 | not yet calculated | CVE-2025-64406 | https://www.openoffice.org/security/cves/CVE-2025-64406.html https://lists.apache.org/thread/py89gpogxfb2yo9c5vwv2h9x3m85pfmm |
| Apache Software Foundation--Apache OpenOffice | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as environment variables or configuration settings. In the affected versions of Apache OpenOffice, documents that used a certain URI scheme linking to external files would load the contents of such files without prompting the user for permission to do so. This URI scheme allows the inclusion of system configuration data that is not supposed to be transmitted externally. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue. The LibreOffice suite reported this issue as CVE-2024-12426. | 2025-11-12 | not yet calculated | CVE-2025-64407 | https://www.openoffice.org/security/cves/CVE-2025-64407.html https://lists.apache.org/thread/4yg1gv71f14fw4ky4ds50o6xjq49594g |
| duckdb--duckdb | DuckDB is a SQL database management system. DuckDB implemented block-based encryption of DB on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. DuckDB can fall back to an insecure random number generator (pcg32) to generate cryptographic keys or IVs. When clearing keys from memory, the compiler may remove the memset() and leave sensitive data on the heap. By modifying the database header, an attacker could downgrade the encryption mode from GCM to CTR to bypass integrity checks. There may be a failure to check return value on call to OpenSSL `rand_bytes()`. An attacker could use public IVs to compromise the internal state of RNG and determine the randomly generated key used to encrypt temporary files, get access to cryptographic keys if they have access to process memory (e.g. through memory leak), circumvent GCM integrity checks, and/or influence the OpenSSL random number generator and DuckDB would not be able to detect a failure of the generator. Version 1.4.2 has disabled the insecure random number generator by no longer using the fallback to write to or create databases. Instead, DuckDB will now attempt to install and load the OpenSSL implementation in the `httpfs` extension. DuckDB now uses secure MbedTLS primitive to clear memory as recommended and requires explicit specification of ciphers without integrity checks like CTR on `ATTACH`. Additionally, DuckDB now checks the return code. | 2025-11-12 | not yet calculated | CVE-2025-64429 | https://github.com/duckdb/duckdb/security/advisories/GHSA-vmp8-hg63-v2hp https://github.com/duckdb/duckdb/pull/17275 https://duckdb.org/2025/09/16/announcing-duckdb-140.html https://github.com/duckdb/duckdb/blob/029a5b87ff5b1cd22f7f9717d48cd8830d00807c/src/common/random_engine.cpp#L20 |
| Sony Network Communications Inc.--NCP-HG100/Cellular model | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS command with root privileges. | 2025-11-14 | not yet calculated | CVE-2025-64444 | https://support.sonynetwork.co.jp/faqsupport/manoma/web/knowledge11157.html https://jvn.jp/en/jp/JVN49899607/ |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows restricting `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depend on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments. | 2025-11-10 | not yet calculated | CVE-2025-64502 | https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq https://github.com/parse-community/parse-server/pull/9890 https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452 |
| lxc--incus | Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed. | 2025-11-10 | not yet calculated | CVE-2025-64507 | https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf https://github.com/lxc/incus/issues/2641 https://github.com/lxc/incus/pull/2642 |
| milvus-io--milvus | Milvus is an open-source vector database built for generative AI applications. An unauthenticated attacker can exploit a vulnerability in versions prior to 2.4.24, 2.5.21, and 2.6.5 to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster. This grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management. This issue has been fixed in Milvus 2.4.24, 2.5.21, and 2.6.5. If immediate upgrade is not possible, a temporary mitigation can be applied by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass behavior. | 2025-11-10 | not yet calculated | CVE-2025-64513 | https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p https://github.com/milvus-io/milvus/pull/45379 https://github.com/milvus-io/milvus/pull/45383 https://github.com/milvus-io/milvus/pull/45391 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks. The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration. Version 2.45.1 contains a fix for the issue. | 2025-11-12 | not yet calculated | CVE-2025-64523 | https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g https://github.com/filebrowser/filebrowser/commit/291223b3cefe1e50fae8f73d70464b1dc25351a4 |
| authzed--spicedb | SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`. | 2025-11-10 | not yet calculated | CVE-2025-64529 | https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7 |
| frappe--lms | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students. The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL. | 2025-11-12 | not yet calculated | CVE-2025-64705 | https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8 |
| frappe--lms | Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated. | 2025-11-12 | not yet calculated | CVE-2025-64707 | https://github.com/frappe/lms/security/advisories/GHSA-w2gf-rchw-x6vm |
| bitfoundation--bitplatform | Bitplatform Boilerplate is a Visual Studio and .NET project template. Versions prior to 9.11.3 are affected by a cross-site scripting (XSS) vulnerability in the WebInteropApp/WebAppInterop, potentially allowing attackers to inject malicious scripts that compromise the security and integrity of web applications. Applications based on this Bitplatform Boilerplate might also be vulnerable. Version 9.11.3 fixes the issue. | 2025-11-13 | not yet calculated | CVE-2025-64710 | https://github.com/bitfoundation/bitplatform/security/advisories/GHSA-rv95-xj37-7c3w |
| TecharoHQ--anubis | Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. Prior to version 1.23.0, when using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to `javascript:` URLs, it could still trigger dangerous behavior in some cases. Anybody with a subrequest authentication may be affected. Version 1.23.0 contains a fix for the issue. | 2025-11-13 | not yet calculated | CVE-2025-64716 | https://github.com/TecharoHQ/anubis/security/advisories/GHSA-cf57-c578-7jvv https://github.com/TecharoHQ/anubis/commit/7ed1753fcced351c81961bf520a7bfb2caac6e88 https://pkg.go.dev/vuln/GO-2025-4086 |
| zitadel--zitadel | ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. This vulnerability stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process. This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on a matching criteria, link the attacker's external identity to an existing internal user account. This may result in a full Account Takeover, bypassing the organization's mandated security controls. Note that accounts with MFA enabled can not be taken over by this attack. Also note that only IdPs created on an instance level would allow this to work. IdPs registered on another organization would always be denied in the (auto-)linking process. Versions 4.6.6, 3.4.4, and 2.71.19 resolve the issue by correctly validating the organization's login policy before auto-linking an external user. No known workarounds are available aside from upgrading. | 2025-11-13 | not yet calculated | CVE-2025-64717 | https://github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px https://github.com/zitadel/zitadel/releases/tag/v2.71.19 https://github.com/zitadel/zitadel/releases/tag/v3.4.4 https://github.com/zitadel/zitadel/releases/tag/v4.6.6 |
| SocketDev--firewall-release | Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary code by placing a malicious `.sfw.config` file in a project directory. When a developer runs Socket Firewall commands (e.g., `sfw npm install`) in that directory, the tool loads the `.sfw.config` file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting `NODE_OPTIONS` with a `--require` directive to execute malicious JavaScript code before Socket Firewall's security controls are initialized, effectively bypassing the tool's malicious package detection. The attack vector is indirect and requires a developer to install dependencies for an untrusted project and execute a command within the context of the untrusted project. The vulnerability has been patched in Socket Firewall version 0.15.5. Users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Look at `sfw --version` for version information. If users rely on the recommended installation mechanism (e.g. global installation via `npm install -g sfw`) then no workaround is necessary. This wrapper package automatically ensures that users are running the latest version of Socket Firewall. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect `.sfw.config` and `.env.local` files for suspicious `NODE_OPTIONS` or other environment variable definitions that reference local files. | 2025-11-13 | not yet calculated | CVE-2025-64726 | https://github.com/SocketDev/firewall-release/security/advisories/GHSA-6c5p-vqrh-h6fp https://bsky.app/profile/evilpacket.net/post/3m4iylwxtns2t |
| jitsi--jitsi-meet | Jitsi Meet is an open source video conferencing application. A vulnerability present in versions prior to 2.0.10532 allows attackers to hijack the OAuth authentication window for Microsoft accounts. This is fixed in version 2.0.10532. No known workarounds are available. | 2025-11-13 | not yet calculated | CVE-2025-64754 | https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-5fx7-wgcr-fj78 |
| N-able--N-central | N-central < 2025.4 can generate sessionIDs for unauthenticated users. This issue affects N-central: before 2025.4. | 2025-11-12 | not yet calculated | CVE-2025-9316 | https://me.n-able.com/s/security-advisory/aArVy0000000rdpKAA/cve20259316-ncentral-unauthenticated-sessionid-generation |
| Google--Chrome | Out of bounds read in V8 in Google Chrome prior to 133.0.6943.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-11-14 | not yet calculated | CVE-2025-9479 | |
| OpenSolution--QuickCMS | A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-11-14 | not yet calculated | CVE-2025-9982 | https://cert.pl/posts/2025/11/CVE-2025-9982 https://opensolution.org/cms-system-quick-cms.html |
Vulnerability Summary for the Week of September 22, 2025
Posted on Monday September 29, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs with full Node.js runtime privileges, it can access dangerous modules such as child_process and fs. This issue has been patched in version 3.0.6. | 2025-09-22 | 10 | CVE-2025-59528 | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L132 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L220 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L262-L270 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/nodes/index.ts#L57-L78 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/routes/node-load-methods/index.ts#L5 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/nodes/index.ts#L91-L94 https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6 |
| HaruTheme--WooCommerce Designer Pro | Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro allows Upload a Web Shell to a Web Server. This issue affects WooCommerce Designer Pro: from n/a through 1.9.24. | 2025-09-26 | 10 | CVE-2025-60219 | https://patchstack.com/database/wordpress/plugin/wc-designer-pro/vulnerability/wordpress-woocommerce-designer-pro-plugin-1-9-24-arbitrary-file-upload-vulnerability?_s_id=cve |
| Iron Mountain Archiving Services Inc.--enVision | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection. This issue affects enVision: before 250563. | 2025-09-23 | 10 | CVE-2025-9588 | https://www.usom.gov.tr/bildirim/tr-25-0285 |
| TalentSys Consulting Information Technology Industry Inc.--Inka.Net | Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection. This issue affects Inka.Net: before 6.7.1. | 2025-09-23 | 10 | CVE-2025-9846 | https://www.usom.gov.tr/bildirim/tr-25-0288 |
| eteubert--Podlove Podcast Publisher | The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-09-23 | 9.8 | CVE-2025-10147 | https://www.wordfence.com/threat-intel/vulnerabilities/id/093058f1-c717-424f-9bd5-4838df8d20a1?source=cve https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.6/lib/model/image.php#L465 https://plugins.trac.wordpress.org/changeset/3364994/ |
| MooMoo--Product Options and Price Calculation Formulas for WooCommerce Uni CPO (Premium) | The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-09-23 | 9.8 | CVE-2025-10412 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1c0c6a45-2c4a-4a23-84e6-7a9759796824?source=cve https://builderius.io/cpo/ |
| Red Hat --Ver. 20.12 and 21.8 | Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts. | 2025-09-24 | 9.6 | CVE-2025-10894 | https://access.redhat.com/security/cve/CVE-2025-10894 https://access.redhat.com/security/supply-chain-attacks-NPM-packages RHBZ#2396282 https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware https://www.wiz.io/blog/s1ngularity-supply-chain-attack |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device. | 2025-09-25 | 9.9 | CVE-2025-20333 | cisco-sa-asaftd-webvpn-z5xP8EUB |
| Cisco--IOS | A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details section of this advisory. | 2025-09-25 | 9 | CVE-2025-20363 | cisco-sa-http-code-exec-WmfP3h3O |
| Qualcomm, Inc.--Snapdragon | Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs. | 2025-09-24 | 9.8 | CVE-2025-21483 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986. | 2025-09-23 | 9.8 | CVE-2025-26399 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm |
| Qualcomm, Inc.--Snapdragon | Memory corruption while selecting the PLMN from SOR failed list. | 2025-09-24 | 9.8 | CVE-2025-27034 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Airship AI--Acropolis | Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to a remote attacker logging in and gaining the privileges of this account. Fixed in 10.2.35, 11.0.21, and 11.1.9. | 2025-09-22 | 9.8 | CVE-2025-35042 | |
| WAGO--Device Sphere | The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it. | 2025-09-24 | 9.8 | CVE-2025-41715 | https://certvde.com/de/advisories/VDE-2025-087 |
| yonisink--Custom Post Type Images | Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images allows Code Injection. This issue affects Custom Post Type Images: from n/a through 0.5. | 2025-09-22 | 9.6 | CVE-2025-58255 | https://patchstack.com/database/wordpress/plugin/custom-post-types-image/vulnerability/wordpress-custom-post-type-images-plugin-0-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScript Function node. This includes secrets such as OpenAI API keys, AWS credentials, Supabase tokens, and Google Cloud secrets - resulting in a full cross-tenant data exposure. This issue has been patched in the August 2025 Cloud-Hosted Flowise. | 2025-09-22 | 9.6 | CVE-2025-59434 | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-435c-mg9p-fv22 |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS). This issue has been patched in version 10.1.0. | 2025-09-23 | 9.1 | CVE-2025-59545 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2qxc-mf4x-wr29 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket comment editor. A low-privilege authenticated user could run arbitrary JavaScript in an admin's browser, exfiltrate the admin's cookies/CSRF token, and hijack their session. This issue has been patched in version 1.4.0. | 2025-09-25 | 9.9 | CVE-2025-59832 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-8x78-6q9g-hv2h https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59832/2025-08-Horilla_Vulnerability_1.pdf |
| srmorete--adb-mcp | ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is vulnerable to command injection in some of its MCP Server tool definitions and implementations. This issue has been patched via commit 041729c. | 2025-09-25 | 9.8 | CVE-2025-59834 | https://github.com/srmorete/adb-mcp/security/advisories/GHSA-54j7-grvr-9xwg https://github.com/srmorete/adb-mcp/commit/041729c0b25432df3199ff71b3163a307cf4c28c https://github.com/srmorete/adb-mcp/blob/master/src/index.ts#L334-L355 |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1. | 2025-09-25 | 9.8 | CVE-2025-59841 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-h6pr-4cwv-6cjg https://github.com/FlagForgeCTF/flagForge/commit/304b6c82a4f76871b336404b91e5cdd8a7d7d5bd |
| formbricks--formbricks | Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. Both the email verification token login path and the password reset server action use the same validator, which does not check the token's signature, expiration, issuer, or audience. If an attacker learns the victim's actual user.id, they can craft an arbitrary JWT with an alg: "none" header and use it to authenticate and reset the victim's password. This issue has been patched in version 4.0.1. | 2025-09-26 | 9.4 | CVE-2025-59934 | https://github.com/formbricks/formbricks/security/advisories/GHSA-7229-q9pv-j6p4 https://github.com/formbricks/formbricks/pull/6596 https://github.com/formbricks/formbricks/commit/eb1349f205189d5b2d4a95ec42245ca98cf68c82 https://github.com/formbricks/formbricks/blob/843110b0d6c37b5c0da54291616f84c91c55c4fc/apps/web/lib/jwt.ts#L114-L117 |
| webandprint--AR For WordPress | Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server. This issue affects AR For WordPress: from n/a through 7.98. | 2025-09-26 | 9.6 | CVE-2025-60156 | https://patchstack.com/database/wordpress/plugin/ar-for-wordpress/vulnerability/wordpress-ar-for-wordpress-plugin-7-98-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Techspawn--MultiLoca - WooCommerce Multi Locations Inventory Management | The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | 2025-09-24 | 9.8 | CVE-2025-9054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6a04e6ad-9365-4cb5-a0a0-82e047647d6b?source=cve https://codecanyon.net/item/woocommerce-multi-locations-inventory-management/28949586#item-description__changelog |
| wpsight--WPCasa | The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code. | 2025-09-23 | 9.8 | CVE-2025-9321 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c1001b2b-395a-44ee-827e-6e57f7a50218?source=cve https://plugins.trac.wordpress.org/browser/wpcasa/trunk/includes/class-wpsight-api.php#L48 https://plugins.trac.wordpress.org/changeset/3365172/ |
| Autodesk--Fusion | A maliciously crafted HTML payload, when rendered by the Autodesk Fusion desktop application, can trigger a Stored Cross-site Scripting (XSS) vulnerability. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2025-09-23 | 8.7 | CVE-2025-10244 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0020 |
| wplakeorg--Advanced Views Display Posts, Custom Fields, and More | The Advanced Views - Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server. | 2025-09-23 | 8.8 | CVE-2025-10380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/52b04517-f0be-4bbf-818c-70a12d76bfec?source=cve https://plugins.trac.wordpress.org/browser/acf-views/tags/3.7.19/src/Template_Engines/Twig.php#L106 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3364566%40acf-views&new=3364566%40acf-views&sfp_email=&sfph_mail= |
| Yordam Information Technology Consulting Education and Electrical Systems Industry Trade Inc.--Yordam Katalog | Path Traversal: 'dir/../../filename' vulnerability in Yordam Information Technology Consulting Education and Electrical Systems Industry Trade Inc. Yordam Katalog allows Path Traversal. This issue affects Yordam Katalog: before 21.7. | 2025-09-25 | 8.6 | CVE-2025-10438 | https://www.usom.gov.tr/bildirim/tr-25-0296 |
| Saysis Computer Systems Trade Ltd. Co.--Saysis Web Portal | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saysis Computer Systems Trade Ltd. Co. Saysis Web Portal allows Path Traversal. This issue affects Saysis Web Portal: from 3.1.9 & 3.2.0 before 3.2.1. | 2025-09-25 | 8.6 | CVE-2025-10449 | https://www.usom.gov.tr/bildirim/tr-25-0297 |
| PROLIZ Computer Software Hardware Service Trade Ltd. Co.--OBS (Student Affairs Information System) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Stored XSS. This issue affects OBS (Student Affairs Information System): before v25.0401. | 2025-09-25 | 8.9 | CVE-2025-10467 | https://www.usom.gov.tr/bildirim/tr-25-0298 |
| B-Link--BL-AC2100 | A security flaw has been discovered in B-Link BL-AC2100 up to 1.0.3. Affected by this issue is the function delshrpath of the file /goform/set_delshrpath_cfg of the component Web Management Interface. The manipulation of the argument Type results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-22 | 8.8 | CVE-2025-10773 | VDB-325129 \| B-Link BL-AC2100 Web Management set_delshrpath_cfg delshrpath stack-based overflow VDB-325129 \| CTI Indicators (IOB, IOC, IOA) Submit #649901 \| LB-LINK AC2100 V1.0.3 Stack-based Buffer Overflow https://github.com/maximdevere/CVE2/blob/main/README.md |
| D-Link--DCS-935L | A vulnerability was found in D-Link DCS-935L up to 1.13.01. The impacted element is the function sub_402280 of the file /HNAP1/. The manipulation of the argument HNAP_AUTH/SOAPAction results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-09-22 | 8.8 | CVE-2025-10779 | VDB-325135 \| D-Link DCS-935L HNAP1 sub_402280 stack-based overflow VDB-325135 \| CTI Indicators (IOB, IOC, IOA) Submit #653690 \| D-Link DCS-935L DCS-935L_A1_FW_1.13.01 Stack-based Buffer Overflow Submit #653691 \| D-Link DCS-935L DCS-935L_A1_FW_1.13.01 Stack-based Buffer Overflow (Duplicate) https://github.com/scanleale/IOT_sec/blob/main/DCS-935L-1.pdf https://github.com/scanleale/IOT_sec/blob/main/DCS-935L-2.pdf https://www.dlink.com/ |
| D-Link--DIR-513 | A security vulnerability has been detected in D-Link DIR-513 A1FW110. Affected is an unknown function of the file /goform/formWPS. Such manipulation of the argument webpage leads to buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-09-22 | 8.8 | CVE-2025-10792 | VDB-325149 \| D-Link DIR-513 formWPS buffer overflow VDB-325149 \| CTI Indicators (IOB, IOC, IOA) Submit #654049 \| D-Link DIR-513 A1FW110 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dir-513/formWPS.md https://github.com/panda666-888/vuls/blob/main/d-link/dir-513/formWPS.md#poc https://www.dlink.com/ |
| Tenda--AC23 | A vulnerability has been found in Tenda AC23 up to 16.03.07.52. Affected by this vulnerability is the function sscanf of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-09-22 | 8.8 | CVE-2025-10803 | VDB-325161 \| Tenda AC23 HTTP POST Request SetPptpServerCfg sscanf buffer overflow VDB-325161 \| CTI Indicators (IOB, IOC, IOA) Submit #654237 \| Tenda AC23 <= V16.03.07.52 Buffer Overflow https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC23-3/Tenda%20AC23%20Buffer%20overflow.md https://www.tenda.com.cn/ |
| Tenda--AC20 | A vulnerability was identified in Tenda AC20 up to 16.03.08.12. Affected by this issue is the function strcpy of the file /goform/SetPptpServerCfg of the component HTTP POST Request Handler. Such manipulation of the argument startIp leads to buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-09-22 | 8.8 | CVE-2025-10815 | VDB-325173 \| Tenda AC20 HTTP POST Request SetPptpServerCfg strcpy buffer overflow VDB-325173 \| CTI Indicators (IOB, IOC, IOA) Submit #654460 \| tenda AC20 <= V16.03.08.12 (latest) Buffer Overflow https://github.com/Juana-2u/Tenda-AC20 https://www.tenda.com.cn/ |
| Tenda--AC21 | A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function sub_45BB10 of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-09-23 | 8.8 | CVE-2025-10838 | VDB-325200 \| Tenda AC21 WifiExtraSet sub_45BB10 buffer overflow VDB-325200 \| CTI Indicators (IOB, IOC, IOA) Submit #657126 \| Tenda AC21 ≤V16.03.08.16 Buffer Overflow https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC21/Tenda%20AC21%20Buffer%20overflow.md https://github.com/lin-3-start/lin-cve/blob/main/Tenda%20AC21/Tenda%20AC21%20Buffer%20overflow.md#poc https://www.tenda.com.cn/ |
| Python - - txtai arbitrary file write ver. 0 thru 9.0 | The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to write a file anywhere in the filesystem when txtai is used to load untrusted embedding indices. | 2025-09-22 | 8.1 | CVE-2025-10854 | https://github.com/neuml/txtai/issues/965 https://research.jfrog.com/vulnerabilities/txtai-arbitrary-file-write-jfsa-2025-001471363/ |
| Magnetism Studios--Endurance | A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used. | 2025-09-24 | 8.4 | CVE-2025-10906 | VDB-325691 \| Magnetism Studios Endurance NSXPC com.MagnetismStudios.endurance.helper loadModuleNamed:WithReply missing authentication VDB-325691 \| CTI Indicators (IOB, IOC, IOA) Submit #653994 \| Magnetism Studios Endurance 3.3.0 Local Privilege Escalation https://github.com/SwayZGl1tZyyy/n-days/blob/main/Endurance/README.md https://github.com/SwayZGl1tZyyy/n-days/blob/main/Endurance/README.md#proof-of-concept |
| H3C--Magic B3 | A vulnerability was identified in H3C Magic B3 up to 100R002. This affects the function AddMacList of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 8.8 | CVE-2025-10942 | VDB-325812 \| H3C Magic B3 aspForm AddMacList buffer overflow VDB-325812 \| CTI Indicators (IOB, IOC, IOA) Submit #651813 \| H3C Magic B3 <=100R002 Buffer Overflow https://github.com/lin-3-start/lin-cve/blob/main/H3C%2BMagic%2BB3/H3C%20routers%20Buffer%20overflow.md https://github.com/lin-3-start/lin-cve/blob/main/H3C%2BMagic%2BB3/H3C%20routers%20Buffer%20overflow.md#poc |
| MikroTik--RouterOS | A vulnerability has been found in MikroTik RouterOS 7. This affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 8.8 | CVE-2025-10948 | VDB-325818 \| MikroTik RouterOS libjson.so print parse_json_element buffer overflow VDB-325818 \| CTI Indicators (IOB, IOC, IOA) Submit #652387 \| MikroTik RouterOS 7 Memory Corruption https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc#technical-proof-of-concept |
| UTT--1200GW | A security vulnerability has been detected in UTT 1200GW and 1250GW up to 3.0.0-170831/3.2.2-200710. This vulnerability affects unknown code of the file /goform/formApMail. The manipulation of the argument senderEmail leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 8.8 | CVE-2025-10953 | VDB-325824 \| UTT 1200GW/1250GW formApMail buffer overflow VDB-325824 \| CTI Indicators (IOB, IOC, IOA) Submit #652687 \| UTT 进取 1200GW <=v3.0.0-170831 Buffer Overflow Submit #652688 \| UTT 进取 1250GW <=v2v3.2.2-200710 Buffer Overflow (Duplicate) https://github.com/cymiao1978/cve/blob/main/8.md https://github.com/cymiao1978/cve/blob/main/9.md |
| Tenda--AC21 | A security flaw has been discovered in Tenda AC21 up to 16.03.08.16. Affected by this vulnerability is the function sscanf of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-09-28 | 8.8 | CVE-2025-11091 | VDB-326173 \| Tenda AC21 SetStaticRouteCfg sscanf buffer overflow VDB-326173 \| CTI Indicators (IOB, IOC, IOA) Submit #661806 \| Shenzhen Tenda Technology Co.,Ltd. AC21 <= V16.03.08.16 Buffer Overflow https://github.com/maximdevere/CVE2/issues/2 https://www.tenda.com.cn/ |
| Tenda--CH22 | A vulnerability was determined in Tenda CH22 1.0.0.1. This vulnerability affects the function formWrlExtraGet of the file /goform/GstDhcpSetSer. This manipulation of the argument dips causes buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-28 | 8.8 | CVE-2025-11117 | VDB-326198 \| Tenda CH22 GstDhcpSetSer formWrlExtraGet buffer overflow VDB-326198 \| CTI Indicators (IOB, IOC, IOA) Submit #662927 \| Tenda CH22 V1.0.0.1 Buffer overflow vulnerability https://github.com/zhaoyinshan/CVE/issues/2 https://www.tenda.com.cn/ |
| Tenda--AC8 | A weakness has been identified in Tenda AC8 16.03.34.06. The affected element is the function formSetServerConfig of the file /goform/SetServerConfig. Executing manipulation can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-09-28 | 8.8 | CVE-2025-11120 | VDB-326201 \| Tenda AC8 SetServerConfig formSetServerConfig buffer overflow VDB-326201 \| CTI Indicators (IOB, IOC, IOA) Submit #664065 \| Shenzhen Tenda Technology Co., Ltd. Tenda AC8v4 Router Tenda AC8v4 (V16.03.34.06) Buffer Overflow https://github.com/alc9700jmo/CVE/issues/19 https://www.tenda.com.cn/ |
| Tenda--AC18 | A vulnerability was detected in Tenda AC18 15.03.05.19. This affects an unknown function of the file /goform/WizardHandle. The manipulation of the argument WANT/mtuvalue results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. | 2025-09-28 | 8.8 | CVE-2025-11122 | VDB-326203 \| Tenda AC18 WizardHandle stack-based overflow VDB-326203 \| CTI Indicators (IOB, IOC, IOA) Submit #664194 \| Tenda AC18 V15.03.05.19(6318) Buffer Overflow Submit #664195 \| Tenda AC18 V15.03.05.19(6318) Buffer Overflow (Duplicate) https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/WizardHandle.md https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/WizardHandle2.md https://www.tenda.com.cn/ |
| Tenda--AC18 | A flaw has been found in Tenda AC18 15.03.05.19. This impacts an unknown function of the file /goform/saveAutoQos. This manipulation of the argument enable causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-09-28 | 8.8 | CVE-2025-11123 | VDB-326204 \| Tenda AC18 saveAutoQos stack-based overflow VDB-326204 \| CTI Indicators (IOB, IOC, IOA) Submit #664197 \| Tenda AC18 V15.03.05.19(6318) Buffer Overflow https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/saveAutoQos.md https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/saveAutoQos.md#poc https://www.tenda.com.cn/ |
| Cisco--IOS | A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass authentication. This vulnerability exists because the system does not properly check whether the required TACACS+ shared secret is configured. A machine-in-the-middle attacker could exploit this vulnerability by intercepting and reading unencrypted TACACS+ messages or impersonating the TACACS+ server and falsely accepting arbitrary authentication requests. A successful exploit could allow the attacker to view sensitive information in a TACACS+ message or bypass authentication and gain access to the affected device. | 2025-09-24 | 8.1 | CVE-2025-20160 | cisco-sa-ios-tacacs-hdB7thJw |
| Cisco--Cisco IOS XE Software | A vulnerability in the Network-Based Application Recognition (NBAR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, causing a denial of service (DoS) condition. This vulnerability is due to improper handling of malformed Control and Provisioning of Wireless Access Points (CAPWAP) packets. An attacker could exploit this vulnerability by sending malformed CAPWAP packets through an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. | 2025-09-24 | 8.6 | CVE-2025-20315 | cisco-sa-nbar-dos-LAvwTmeT |
| Cisco--Cisco IOS XE Software | A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by authenticating to an affected system and performing an API call with crafted input. Alternatively, an unauthenticated attacker could persuade a legitimate user with administrative privileges who is currently logged in to the system to click a crafted link. A successful exploit could allow the attacker to execute arbitrary commands as the root user. | 2025-09-24 | 8.8 | CVE-2025-20334 | cisco-sa-ios-xe-cmd-inject-rPJM8BGL |
| Qualcomm, Inc.--Snapdragon | Information disclosure when UE receives the RTP packet from the network, while decoding and reassembling the fragments from RTP packet. | 2025-09-24 | 8.2 | CVE-2025-21484 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length. | 2025-09-24 | 8.2 | CVE-2025-21487 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information disclosure while decoding RTP packet headers received by UE from the network when the padding bit is set. | 2025-09-24 | 8.2 | CVE-2025-21488 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| gopiplus@hotmail.com--Wp tabber widget | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus@hotmail.com Wp tabber widget allows SQL Injection. This issue affects Wp tabber widget: from n/a through 4.0. | 2025-09-22 | 8.5 | CVE-2025-53468 | https://patchstack.com/database/wordpress/plugin/wp-tabber-widget/vulnerability/wordpress-wp-tabber-widget-plugin-4-0-sql-injection-vulnerability?_s_id=cve |
| AutomationDirect--CLICK PLUS C0-0x CPU firmware | A predictable seed in pseudo-random number generator vulnerability has been discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software implements a predictable seed for its pseudo-random number generator, which compromises the security of the generated private keys. | 2025-09-23 | 8.3 | CVE-2025-55069 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 https://www.automationdirect.com/support/software-downloads |
| pebas--CouponXxL | Cross-Site Request Forgery (CSRF) vulnerability in pebas CouponXxL allows Privilege Escalation. This issue affects CouponXxL: from n/a through 4.5.0. | 2025-09-22 | 8.8 | CVE-2025-58013 | https://patchstack.com/database/wordpress/theme/couponxxl/vulnerability/wordpress-couponxxl-theme-4-5-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Anps--Constructo | Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo allows Object Injection. This issue affects Constructo: from n/a through 4.3.9. | 2025-09-22 | 8.8 | CVE-2025-58244 | https://patchstack.com/database/wordpress/theme/constructo/vulnerability/wordpress-constructo-theme-4-3-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ApusTheme--Findgo | Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo allows Authentication Bypass. This issue affects Findgo: from n/a through 1.3.55. | 2025-09-22 | 8.8 | CVE-2025-58250 | https://patchstack.com/database/wordpress/theme/fingo/vulnerability/wordpress-findgo-theme-1-3-55-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| quadlayers--Perfect Brands for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quadlayers Perfect Brands for WooCommerce allows SQL Injection. This issue affects Perfect Brands for WooCommerce: from n/a through 3.6.0. | 2025-09-22 | 8.5 | CVE-2025-58686 | https://patchstack.com/database/wordpress/plugin/perfect-woocommerce-brands/vulnerability/wordpress-perfect-brands-for-woocommerce-plugin-3-6-0-sql-injection-vulnerability?_s_id=cve |
| FrontFin--mesh-web-sdk | Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2. | 2025-09-22 | 8.2 | CVE-2025-59430 | https://github.com/FrontFin/mesh-web-sdk/security/advisories/GHSA-vh3f-qppr-j97f https://github.com/FrontFin/mesh-web-sdk/pull/124 https://github.com/FrontFin/mesh-web-sdk/commit/7f22148516d58e21a8b7670dde927d614c0d15c2 https://github.com/FrontFin/mesh-web-sdk/blob/cf013b85ab95d64c63cbe46d6cb14695474924e7/packages/link/src/Link.ts#L441 |
| AutomationDirect--CLICK PLUS C0-0x CPU firmware | The use of a broken or risky cryptographic algorithm was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software uses an insecure implementation of the RSA encryption algorithm. | 2025-09-23 | 8.3 | CVE-2025-59484 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 https://www.automationdirect.com/support/software-downloads |
| purethemes--WorkScout-Core | Cross-Site Request Forgery (CSRF) vulnerability in purethemes WorkScout-Core allows Cross Site Request Forgery. This issue affects WorkScout-Core: from n/a through n/a. | 2025-09-22 | 8.8 | CVE-2025-59572 | https://patchstack.com/database/wordpress/plugin/workscout-core/vulnerability/wordpress-workscout-core-plugin-1-7-06-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Zenitel--ICX500 | This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin database. | 2025-09-25 | 8.8 | CVE-2025-59814 | Zenitel Zenitel |
| Zenitel--ICX500 | This vulnerability allows malicious actors to execute arbitrary commands on the underlying system of the Zenitel ICX500 and ICX510 Gateway, granting shell access. Exploitation can compromise the device's availability, confidentiality, and integrity. | 2025-09-25 | 8.4 | CVE-2025-59815 | Zenitel Zenitel |
| Zenitel--TCIS-3+ | This vulnerability allows attackers to execute arbitrary commands on the underlying system. Because the web portal runs with root privileges, successful exploitation grants full control over the device, potentially compromising its availability, confidentiality, and integrity. | 2025-09-25 | 8.4 | CVE-2025-59817 | Zenitel |
| StarCitizenWiki--mediawiki-extensions-EmbedVideo | The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3. | 2025-09-25 | 8.6 | CVE-2025-59839 | https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-4j5h-mvj3-m48v https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/4e075d3dc9a15a3ee53f449a684d5ab847e52f01 https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js#L5-L20 https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js#L139-L155 |
| apollographql--embeddable-explorer | Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim's browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim's cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3. | 2025-09-26 | 8.2 | CVE-2025-59845 | https://github.com/apollographql/embeddable-explorer/security/advisories/GHSA-w87v-7w53-wwxv |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthorized users to create, modify, or delete resources on the platform. The issue has been fixed in FlagForge version 2.3.1. | 2025-09-27 | 8.6 | CVE-2025-59932 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-v8rh-25rf-gfqw |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web manager for charitable institutions. Prior to version 3.5.0, WeGIA is vulnerable to SQL Injection attacks in the control.php endpoint with the following parameters: nomeClasse=ProdutoControle&metodo=excluir&id_produto=[malicious command]. It is necessary to apply prepared statements methods, sanitization, and validations on the id_produto parameter. This issue has been patched in version 3.5.0. | 2025-09-27 | 8.8 | CVE-2025-59939 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jx9m-pgf8-v489 |
| Syslifters--sysreptor | SysReptor is a fully customizable pentest reporting platform. In versions from 2024.74 to before 2025.83, authenticated and unprivileged (non-admin) users can assign the is_project_admin permission to their own user. This allows users to read, modify and delete pentesting projects they are not members of and are therefore not supposed to access. This issue has been patched in version 2025.83. | 2025-09-27 | 8.1 | CVE-2025-59945 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-r6hm-59cq-gjg6 https://github.com/Syslifters/sysreptor/commit/de8b5d89d0644479ee0da0a113c6bcc2436ba7f4 |
| Unitree--Go2 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 allow root OS command injection via the hostapd_restart.sh wifi_ssid or wifi_pass parameter (within restart_wifi_ap and restart_wifi_sta). | 2025-09-26 | 8.2 | CVE-2025-60017 | https://spectrum.ieee.org/unitree-robot-exploit https://github.com/Bin4ry/UniPwn https://news.ycombinator.com/item?id=45381590 |
| LambertGroup--LambertGroup - AllInOne - Banner with Playlist | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist allows Blind SQL Injection. This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through 3.8. | 2025-09-26 | 8.5 | CVE-2025-60107 | https://patchstack.com/database/wordpress/plugin/all-in-one-bannerwithplaylist/vulnerability/wordpress-lambertgroup-allinone-banner-with-playlist-plugin-3-8-sql-injection-vulnerability?_s_id=cve |
| LambertGroup--LambertGroup - AllInOne - Banner with Thumbnails | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails allows Blind SQL Injection. This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through 3.8. | 2025-09-26 | 8.5 | CVE-2025-60108 | https://patchstack.com/database/wordpress/plugin/all-in-one-thumbnailsbanner/vulnerability/wordpress-lambertgroup-allinone-banner-with-thumbnails-plugin-3-8-sql-injection-vulnerability?_s_id=cve |
| LambertGroup--LambertGroup - AllInOne - Content Slider | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider allows Blind SQL Injection. This issue affects LambertGroup - AllInOne - Content Slider: from n/a through 3.8. | 2025-09-26 | 8.5 | CVE-2025-60109 | https://patchstack.com/database/wordpress/plugin/all-in-one-contentslider/vulnerability/wordpress-lambertgroup-allinone-content-slider-plugin-3-8-sql-injection-vulnerability?_s_id=cve |
| LambertGroup--AllInOne - Banner Rotator | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator allows SQL Injection. This issue affects AllInOne - Banner Rotator: from n/a through 3.8. | 2025-09-26 | 8.5 | CVE-2025-60110 | https://patchstack.com/database/wordpress/plugin/all-in-one-bannerrotator/vulnerability/wordpress-allinone-banner-rotator-plugin-3-8-sql-injection-vulnerability?_s_id=cve |
| javothemes--Javo Core | Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core allows Authentication Bypass. This issue affects Javo Core: from n/a through 3.0.0.266. | 2025-09-26 | 8.8 | CVE-2025-60111 | https://patchstack.com/database/wordpress/plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-266-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Potenzaglobalsolutions--PGS Core | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection. This issue affects PGS Core: from n/a through 5.9.0. | 2025-09-26 | 8.5 | CVE-2025-60118 | https://patchstack.com/database/wordpress/plugin/pgs-core/vulnerability/wordpress-pgs-core-plugin-5-9-0-sql-injection-vulnerability?_s_id=cve |
| PluginOps--Testimonial Slider | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider allows PHP Local File Inclusion. This issue affects Testimonial Slider: from n/a through 3.5.8.6. | 2025-09-26 | 8.8 | CVE-2025-60126 | https://patchstack.com/database/wordpress/plugin/testimonial-add/vulnerability/wordpress-testimonial-slider-plugin-3-5-8-6-local-file-inclusion-vulnerability?_s_id=cve |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover. | 2025-09-26 | 8.7 | CVE-2025-9642 | GitLab Issue #566505 HackerOne Bug Bounty Report #3297413 |
| Netcad Software Inc.--Netigma | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Netigma allows Stored XSS. This issue affects Netigma: from 6.3.3 before 6.3.5 V8. | 2025-09-23 | 8.9 | CVE-2025-9798 | https://www.usom.gov.tr/bildirim/tr-25-0286 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user. | 2025-09-23 | 8.8 | CVE-2025-9900 | https://access.redhat.com/security/cve/CVE-2025-9900 RHBZ#2392784 https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file |
| Dell--BSAFE Micro Edition Suite | Dell BSAFE Micro Edition Suite, versions prior to 5.0.2.3 contain an Out-of-bounds Write vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service. | 2025-09-25 | 7.5 | CVE-2024-48014 | https://www.dell.com/support/kbdoc/en-us/000256131/dsa-2024-459-dell-bsafe-micro-edition-suite-security-update |
| gamerz--WP-DownloadManager | The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-09-26 | 7.2 | CVE-2025-10747 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c535cea-dad6-440f-b37f-6d196b469214?source=cve https://wordpress.org/plugins/wp-downloadmanager/ https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-add.php#L35 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3364847%40wp-downloadmanager&new=3364847%40wp-downloadmanager&sfp_email=&sfph_mail= |
| Campcodes--Online Learning Management System | A vulnerability was identified in Campcodes Online Learning Management System 1.0. This impacts an unknown function of the file /admin/edit_class.php. Such manipulation of the argument class_name leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-09-22 | 7.3 | CVE-2025-10781 | VDB-325137 \| Campcodes Online Learning Management System edit_class.php sql injection VDB-325137 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653780 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/zzb1388/cve/issues/88 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Affected is an unknown function of the file /admin/class.php. Performing manipulation of the argument class_name results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-09-22 | 7.3 | CVE-2025-10782 | VDB-325138 \| Campcodes Online Learning Management System class.php sql injection VDB-325138 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653781 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/zzb1388/cve/issues/87 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A weakness has been identified in Campcodes Online Learning Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_subject.php. Executing manipulation of the argument subject_code can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. | 2025-09-22 | 7.3 | CVE-2025-10783 | VDB-325139 \| Campcodes Online Learning Management System add_subject.php sql injection VDB-325139 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653782 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/zzb1388/cve/issues/86 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A security vulnerability has been detected in Campcodes Online Learning Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_subject.php. The manipulation of the argument subject_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-09-22 | 7.3 | CVE-2025-10784 | VDB-325140 \| Campcodes Online Learning Management System edit_subject.php sql injection VDB-325140 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653783 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/zzb1388/cve/issues/85 https://www.campcodes.com/ |
| Campcodes--Grocery Sales and Inventory System | A vulnerability was detected in Campcodes Grocery Sales and Inventory System 1.0. This affects an unknown part of the file /manage_user.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-09-22 | 7.3 | CVE-2025-10785 | VDB-325141 \| Campcodes Grocery Sales and Inventory System manage_user.php sql injection VDB-325141 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653784 \| campcodes Grocery Sales and Inventory System V1.0 SQL injection Submit #653786 \| campcodes Grocery Sales and Inventory System V1.0 SQL injection (Duplicate) https://github.com/zzb1388/cve/issues/84 https://github.com/zzb1388/cve/issues/89 https://www.campcodes.com/ |
| Campcodes--Grocery Sales and Inventory System | A flaw has been found in Campcodes Grocery Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=delete_user. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-09-22 | 7.3 | CVE-2025-10786 | VDB-325142 \| Campcodes Grocery Sales and Inventory System ajax.php sql injection VDB-325142 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653785 \| campcodes Grocery Sales and Inventory System V1.0 SQL injection https://github.com/zzb1388/cve/issues/83 https://www.campcodes.com/ |
| SourceCodester--Online Hotel Reservation System | A vulnerability was determined in SourceCodester Online Hotel Reservation System 1.0. The affected element is an unknown function of the file deleteroominventory.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-22 | 7.3 | CVE-2025-10788 | VDB-325145 \| SourceCodester Online Hotel Reservation System deleteroominventory.php sql injection VDB-325145 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653877 \| SourceCodester Online Hotel Reservation System 1.0 SQL Injection https://github.com/peri0d/my_cve/blob/main/Online-Hotel-Reservation-System-In-PHP-With-Source-Code-deleteroominventory.php-sql-injection.md https://www.sourcecodester.com/ |
| SourceCodester--Online Hotel Reservation System | A vulnerability was identified in SourceCodester Online Hotel Reservation System 1.0. The impacted element is an unknown function of the file deleteslide.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-09-22 | 7.3 | CVE-2025-10789 | VDB-325146 \| SourceCodester Online Hotel Reservation System deleteslide.php sql injection VDB-325146 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653881 \| SourceCodester Online Hotel Reservation System V1.0 SQL Injection https://gold-textbook-8ff.notion.site/Online-Hotel-Reservation-System-In-PHP-With-Source-Code-deleteslide-php-sql-injection-26d85e97f353807585d7e600b31d339e https://www.sourcecodester.com/ |
| code-projects--Online Bidding System | A weakness has been identified in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/index.php. This manipulation of the argument aduser causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-09-22 | 7.3 | CVE-2025-10791 | VDB-325148 \| code-projects Online Bidding System index.php sql injection VDB-325148 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654046 \| code-projects Online Bidding System 1.0 SQL Injection https://github.com/K1nakoo/cve/blob/main/26/report.md https://code-projects.org/ |
| code-projects--E-Commerce Website | A vulnerability was detected in code-projects E-Commerce Website 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/admin_account_delete.php. Performing manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-09-22 | 7.3 | CVE-2025-10793 | VDB-325150 \| code-projects E-Commerce Website admin_account_delete.php sql injection VDB-325150 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654058 \| code-projects E-Commerce Website 1.0 SQL Injection https://github.com/K1nakoo/cve/blob/main/31/report.md https://code-projects.org/ |
| code-projects--Online Bidding System | A vulnerability has been found in code-projects Online Bidding System 1.0. This affects an unknown part of the file /administrator/bidupdate.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-09-22 | 7.3 | CVE-2025-10795 | VDB-325152 \| code-projects Online Bidding System bidupdate.php sql injection VDB-325152 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654077 \| code-projects Online Bidding System 1.0 SQL Injection https://github.com/jackhong1236/cve_0/blob/main/12/tmp25/report.md https://code-projects.org/ |
| code-projects--Hostel Management System | A vulnerability was found in code-projects Hostel Management System 1.0. This vulnerability affects unknown code of the file /justines/admin/login.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-09-22 | 7.3 | CVE-2025-10796 | VDB-325153 \| code-projects Hostel Management System login.php sql injection VDB-325153 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654090 \| itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/lishuyuan12138/CVE/issues/1 https://code-projects.org/ |
| code-projects--Hostel Management System | A vulnerability was determined in code-projects Hostel Management System 1.0. This issue affects some unknown processing of the file /justines/index.php. This manipulation of the argument log_email causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-22 | 7.3 | CVE-2025-10797 | VDB-325154 \| code-projects Hostel Management System index.php sql injection VDB-325154 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654091 \| itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/Waibibabo1239/CVE/issues/1 https://code-projects.org/ |
| code-projects--Hostel Management System | A vulnerability was identified in code-projects Hostel Management System 1.0. Impacted is an unknown function of the file /justines/admin/mod_roomtype/index.php?view=view. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-09-22 | 7.3 | CVE-2025-10798 | VDB-325155 \| code-projects Hostel Management System index.php sql injection VDB-325155 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654092 \| itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/598600/CVE/issues/1 https://code-projects.org/ |
| code-projects--Hostel Management System | A security flaw has been discovered in code-projects Hostel Management System 1.0. The affected element is an unknown function of the file /justines/admin/mod_reservation/index.php?view=view. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-09-22 | 7.3 | CVE-2025-10799 | VDB-325156 \| code-projects Hostel Management System index.php sql injection VDB-325156 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654104 \| itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/yangzhenyu6/CVE/issues/1 https://code-projects.org/ |
| itsourcecode--Online Discussion Forum | A weakness has been identified in itsourcecode Online Discussion Forum 1.0. The impacted element is an unknown function of the file /index.php. Executing manipulation of the argument email/password can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-09-22 | 7.3 | CVE-2025-10800 | VDB-325157 \| itsourcecode Online Discussion Forum index.php sql injection VDB-325157 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654152 \| Itsourcecode Online Discussion Forum Project V1.0 SQL injection Submit #654153 \| Itsourcecode Online Discussion Forum Project V1.0 SQL injection (Duplicate) https://github.com/JunGu-W/cve/issues/14 https://github.com/JunGu-W/cve/issues/15 https://itsourcecode.com/ |
| SourceCodester--Pet Grooming Management Software | A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. This affects an unknown function of the file /admin/edit_tax.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2025-09-22 | 7.3 | CVE-2025-10801 | VDB-325158 \| SourceCodester Pet Grooming Management Software edit_tax.php sql injection VDB-325158 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654161 \| SourceCodester Pet Grooming Management Software 1.0 SQL Injection Submit #655882 \| SourceCodester Pet Grooming Management Software 1.0 SQL Injection (Duplicate) https://github.com/YunyiLiu31/sql-injection-vulnerability https://www.sourcecodester.com/ |
| code-projects--Online Bidding System | A flaw has been found in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/remove.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-09-22 | 7.3 | CVE-2025-10802 | VDB-325160 \| code-projects Online Bidding System remove.php sql injection VDB-325160 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654164 \| code-projects Online Bidding System 1.0 SQL injection https://github.com/peri0d/my_cve/blob/main/ONLINE-BIDDING-SYSTEM-Project-V1.0-remove.php-SQL-injection.md https://code-projects.org/ |
| Campcodes--Farm Management System | A weakness has been identified in Campcodes Farm Management System 1.0. Impacted is an unknown function of the file /uploadProduct.php. This manipulation of the argument Type causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-09-22 | 7.3 | CVE-2025-10808 | VDB-325166 \| Campcodes Farm Management System uploadProduct.php sql injection VDB-325166 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654382 \| Campcodes Farm Management System v1.0 SQL Injection https://github.com/EvnYeung/cve/issues/1 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A security vulnerability has been detected in Campcodes Online Learning Management System 1.0. The affected element is an unknown function of the file /admin/department.php. Such manipulation of the argument d leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-09-22 | 7.3 | CVE-2025-10809 | VDB-325167 \| Campcodes Online Learning Management System department.php sql injection VDB-325167 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654434 \| campcodes Online Learning Management System V1.0 SQL injection Submit #657034 \| campcodes Online Learning Management System V1.0 SQL injection (Duplicate) https://github.com/luyisi-7/CVE/issues/2 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A vulnerability was detected in Campcodes Online Learning Management System 1.0. The impacted element is an unknown function of the file /admin/edit_user.php. Performing manipulation of the argument firstname results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-09-22 | 7.3 | CVE-2025-10810 | VDB-325168 \| Campcodes Online Learning Management System edit_user.php sql injection VDB-325168 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654435 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/luyisi-7/CVE/issues/1 https://www.campcodes.com/ |
| code-projects--Hostel Management System | A flaw has been found in code-projects Hostel Management System 1.0. This affects an unknown function of the file /justines/admin/mod_comments/index.php?view=view. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. | 2025-09-22 | 7.3 | CVE-2025-10811 | VDB-325169 \| code-projects Hostel Management System index.php sql injection VDB-325169 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654436 \| itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/27 https://code-projects.org/ |
| code-projects--Hostel Management System | A vulnerability has been found in code-projects Hostel Management System 1.0. This impacts an unknown function of the file /justines/admin/mod_amenities/index.php?view=view. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-09-22 | 7.3 | CVE-2025-10812 | VDB-325170 \| code-projects Hostel Management System index.php sql injection VDB-325170 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654437 \| itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/28 https://code-projects.org/ |
| code-projects--Hostel Management System | A vulnerability was found in code-projects Hostel Management System 1.0. Affected is an unknown function of the file /justines/admin/mod_reports/index.php. The manipulation of the argument Home results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-09-22 | 7.3 | CVE-2025-10813 | VDB-325171 | code-projects Hostel Management System index.php sql injection VDB-325171 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #654438 | itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/29 https://code-projects.org/ |
| Jinher--OA | A security flaw has been discovered in Jinher OA 2.0. This affects an unknown part of the file /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx/?text=GetUrl&style=add of the component XML Handler. Performing manipulation results in xml external entity reference. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-09-22 | 7.3 | CVE-2025-10816 | VDB-325174 | Jinher OA XML text xml external entity reference VDB-325174 | CTI Indicators (IOB, IOC, IOA) Submit #654466 | Jinher OA V2.0 XML External Entity Reference https://github.com/1296299554/CVE/issues/1 |
| Campcodes--Online Learning Management System | A weakness has been identified in Campcodes Online Learning Management System 1.0. This vulnerability affects unknown code of the file /admin/admin_user.php. Executing manipulation of the argument firstname can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-09-22 | 7.3 | CVE-2025-10817 | VDB-325175 | Campcodes Online Learning Management System admin_user.php sql injection VDB-325175 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #654545 | campcodes Online Learning Management System V1.0 SQL injection https://github.com/244556089/cve/issues/1 https://www.campcodes.com/ |
| Campcodes--Computer Sales and Inventory System | A vulnerability was detected in Campcodes Computer Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /pages/sup_edit1.php. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-09-23 | 7.3 | CVE-2025-10829 | VDB-325186 | Campcodes Computer Sales and Inventory System sup_edit1.php sql injection VDB-325186 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #655906 | Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/Michsta/CVE/issues/1 https://www.campcodes.com/ |
| Campcodes--Computer Sales and Inventory System | A flaw has been found in Campcodes Computer Sales and Inventory System 1.0. This issue affects some unknown processing of the file /pages/inv_edit1.php. Executing manipulation of the argument idd can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-09-23 | 7.3 | CVE-2025-10830 | VDB-325187 | Campcodes Computer Sales and Inventory System inv_edit1.php sql injection VDB-325187 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #655993 | Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/Michsta/CVE/issues/2 https://www.campcodes.com/ |
| Campcodes--Computer Sales and Inventory System | A vulnerability has been found in Campcodes Computer Sales and Inventory System 1.0. Impacted is an unknown function of the file /pages/pro_edit1.php. The manipulation of the argument prodcode leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-09-23 | 7.3 | CVE-2025-10831 | VDB-325188 | Campcodes Computer Sales and Inventory System pro_edit1.php sql injection VDB-325188 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #656016 | Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/Michsta/CVE/issues/3 https://www.campcodes.com/ |
| SourceCodester--Pet Grooming Management Software | A vulnerability was found in SourceCodester Pet Grooming Management Software 1.0. The affected element is an unknown function of the file /admin/fetch_product_details.php. The manipulation of the argument barcode results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-09-23 | 7.3 | CVE-2025-10832 | VDB-325189 | SourceCodester Pet Grooming Management Software fetch_product_details.php sql injection VDB-325189 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #656004 | SourceCodester Pet grooming management 1.0 SQL Injection https://github.com/lalalalalalala555/Pet-grooming-management-v1.0-sql-injection/blob/main/report.md https://www.sourcecodester.com/ |
| 1000projects--Bookstore Management System | A vulnerability was determined in 1000projects Bookstore Management System 1.0. The impacted element is an unknown function of the file /login.php. This manipulation of the argument unm causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-23 | 7.3 | CVE-2025-10833 | VDB-325190 | 1000projects Bookstore Management System login.php sql injection VDB-325190 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #656419 | 1000Projects.org Bookstore Management System PHP MySQL Project 1 SQL Injection https://github.com/xingrenlvke/cve/issues/1 |
| itsourcecode--Open Source Job Portal | A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. This affects an unknown function of the file /jobportal/admin/login.php. Such manipulation of the argument user_email leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-09-23 | 7.3 | CVE-2025-10834 | VDB-325191 | itsourcecode Open Source Job Portal login.php sql injection VDB-325191 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #656829 | itsourcecode Open Source Job Portal V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/30 https://itsourcecode.com/ |
| SourceCodester--Pet Grooming Management Software | A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. Affected is an unknown function of the file /admin/print1.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-09-23 | 7.3 | CVE-2025-10836 | VDB-325193 | SourceCodester Pet Grooming Management Software print1.php sql injection VDB-325193 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #656889 | SourceCodester Pet grooming management 1.0 SQL Injection https://github.com/xiaoliyu-1/Pet-grooming-management-print1.php-v.1.0-sql-injection/blob/main/report.md https://www.sourcecodester.com/ |
| code-projects--Online Bidding System | A security vulnerability has been detected in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/weweee.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-09-23 | 7.3 | CVE-2025-10841 | VDB-325203 | code-projects Online Bidding System weweee.php sql injection VDB-325203 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657195 | code-projects Online Bidding System V1.0 SQL injection https://github.com/fengzipan/cve/blob/master/tmp30/tmp30/report.md https://code-projects.org/ |
| code-projects--Online Bidding System | A vulnerability was detected in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/wew.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-09-23 | 7.3 | CVE-2025-10842 | VDB-325204 | code-projects Online Bidding System wew.php sql injection VDB-325204 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657196 | code-projects Online Bidding System - V1.0 SQL injection https://github.com/fengzipan/cve/blob/main/tmp29/tmp29/report.md https://code-projects.org/ |
| Reservation--Online Hotel Reservation System | A flaw has been found in Reservation Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /reservation/paypalpayout.php. Executing manipulation of the argument confirm can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-09-23 | 7.3 | CVE-2025-10843 | VDB-325205 | Reservation Online Hotel Reservation System paypalpayout.php sql injection VDB-325205 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657389 | code-projects Online Hotel Reservation System 1 SQL Injection https://github.com/xingrenlvke/cve/issues/10 |
| Campcodes--Gym Management System | A security flaw has been discovered in Campcodes Gym Management System 1.0. Impacted is an unknown function of the file /ajax.php?action=login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-23 | 7.3 | CVE-2025-10851 | VDB-325210 | Campcodes Gym Management System ajax.php sql injection VDB-325210 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657939 | https://www.campcodes.com gym-management-system 1.0 SQL Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/esau5fkdf0upv8s6?singleDoc https://www.campcodes.com/ |
| Campcodes--Point of Sale System POS | A security flaw has been discovered in Campcodes Point of Sale System POS 1.0. Affected by this issue is some unknown functionality of the file /login.php. Performing manipulation of the argument Username results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-09-23 | 7.3 | CVE-2025-10857 | VDB-325228 | Campcodes Point of Sale System POS login.php sql injection VDB-325228 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657940 | https://www.campcodes.com complete-point-of-sale-system-pos-using-php-mysql-source-code 1.0 SQL Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/un2cmghguhg4aogn?singleDoc https://www.campcodes.com/ |
| GitLab--GitLab | An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition while uploading specifically crafted large JSON files. | 2025-09-26 | 7.5 | CVE-2025-10858 | GitLab Issue #570034 |
| Topaz--SERVCore Teller | A vulnerability was determined in Topaz SERVCore Teller 2.14.0-RC2/2.14.1. Affected by this issue is some unknown functionality of the file SERVCoreTeller_2.0.40D.msi of the component Installer. Executing manipulation can lead to permission issues. The attack needs to be launched locally. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 7.8 | CVE-2025-10941 | VDB-325811 | Topaz SERVCore Teller Installer SERVCoreTeller_2.0.40D.msi permission VDB-325811 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #651434 | Topaz SERVCore® Teller Installer V2.14.0-RC2 [2.14.1] Local Privilege Escalation https://raw.githubusercontent.com/securityadvisories/Security-Advisories/refs/heads/main/Advisories/Blaze%20Information%20Security%20-%20Local%20Privilege%20Escalation%20via%20Insecure%20Directory%20Permissions%20in%20SERVCore%20Teller%20Installer.txt |
| geyang--ml-logger | A vulnerability was identified in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this vulnerability is the function log_handler of the file ml_logger/server.py. Such manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. | 2025-09-25 | 7.3 | CVE-2025-10951 | VDB-325821 | geyang ml-logger server.py log_handler path traversal VDB-325821 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652462 | geyang ml-logger latest Unrestricted Upload https://github.com/geyang/ml-logger/issues/73 |
| MuFen-mker--PHP-Usermm | A vulnerability was detected in MuFen-mker PHP-Usermm up to 37f2d24e51b04346dfc565b93fc2fc6b37bdaea9. This affects an unknown part of the file /chkuser.php. Performing manipulation of the argument Username results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 7.3 | CVE-2025-10967 | VDB-325834 | MuFen-mker PHP-Usermm chkuser.php sql injection VDB-325834 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653138 | github.com PHP User Management System V1.0 SQL Injection https://github.com/Miker132/CVE-/issues/3 |
| JackieDYH--Resume-management-system | A flaw has been found in JackieDYH Resume-management-system up to fb6b857d852dd796e748ce30c606fe5e61c18273. Affected by this issue is some unknown functionality of the file /admin/show.php. This manipulation of the argument userid causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 7.3 | CVE-2025-10973 | VDB-325844 | JackieDYH Resume-management-system show.php sql injection VDB-325844 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653139 | github.com PHP Resume Management System V1.0 SQL Injection https://github.com/Miker132/CVE-/issues/5 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup. | 2025-09-26 | 7.5 | CVE-2025-11021 | https://access.redhat.com/security/cve/CVE-2025-11021 RHBZ#2399627 |
| Tutorials-Website--Employee Management System | A vulnerability was detected in Tutorials-Website Employee Management System up to 611887d8f8375271ce8abc704507d46340837a60. Impacted is an unknown function of the file /admin/all-applied-leave.php of the component HTTP Request Handler. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | 2025-09-26 | 7.3 | CVE-2025-11030 | VDB-325969 | Tutorials-Website Employee Management System HTTP Request all-applied-leave.php improper authorization VDB-325969 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657210 | https://github.com/tutorials-website Employee Management System(EMS Version-1.0) 1.0 broken access control https://drive.google.com/file/d/1N5ApKiYw-yKNhVERr4m3ruooiANgpFRo/view?usp=sharing |
| kidaze--CourseSelectionSystem | A flaw has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. This issue affects some unknown processing of the file /Profilers/PriProfile/COUNT3s6.php. Executing manipulation of the argument CPU can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | 2025-09-26 | 7.3 | CVE-2025-11032 | VDB-325979 | kidaze CourseSelectionSystem COUNT3s6.php sql injection VDB-325979 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657950 | github.com Course Selection System v1.0 SQL Injection https://github.com/limingserverll-wq/cve/issues/3 |
| kidaze--CourseSelectionSystem | A vulnerability has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Impacted is an unknown function of the file /Profilers/PriProfile/COUNT3s7.php. The manipulation of the argument cbe leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | 2025-09-26 | 7.3 | CVE-2025-11033 | VDB-325980 | kidaze CourseSelectionSystem COUNT3s7.php sql injection VDB-325980 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657951 | github.com Course Selection System v1.0 SQL Injection https://github.com/limingserverll-wq/cve/issues/4 |
| code-projects--E-Commerce Website | A vulnerability was identified in code-projects E-Commerce Website 1.0. This affects an unknown function of the file /pages/admin_account_update.php. Such manipulation of the argument user_id leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-09-26 | 7.3 | CVE-2025-11036 | VDB-325983 | code-projects E-Commerce Website admin_account_update.php sql injection VDB-325983 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #658274 | code-projects E-Commerce Website 1.0 SQL Injection https://github.com/aCas1o/cve_report03/blob/main/report.md https://code-projects.org/ |
| code-projects--E-Commerce Website | A security flaw has been discovered in code-projects E-Commerce Website 1.0. This impacts an unknown function of the file /pages/admin_index_search.php. Performing manipulation of the argument Search results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-09-26 | 7.3 | CVE-2025-11037 | VDB-325984 | code-projects E-Commerce Website admin_index_search.php sql injection VDB-325984 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #658275 | code-projects E-Commerce Website 1.0 SQL Injection https://github.com/aCas1o/cve_report04/blob/main/report.md https://code-projects.org/ |
| Campcodes--Computer Sales and Inventory System | A security vulnerability has been detected in Campcodes Computer Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/us_edit1.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-09-26 | 7.3 | CVE-2025-11039 | VDB-325986 | Campcodes Computer Sales and Inventory System us_edit1.php sql injection VDB-325986 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #658678 | Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/DavCloudz/cve/issues/1 https://www.campcodes.com/ |
| code-projects--Hostel Management System | A vulnerability was detected in code-projects Hostel Management System 1.0. Affected by this issue is some unknown functionality of the file /justines/admin/mod_users/index.php?view=view. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2025-09-26 | 7.3 | CVE-2025-11040 | VDB-325987 | code-projects Hostel Management System index.php sql injection VDB-325987 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #658744 | itsourcecode Hostel Management System V1.0 SQL Injection https://github.com/iflame28/CVE/issues/3 https://code-projects.org/ |
| WAYOS--LQ_04 | A vulnerability was identified in WAYOS LQ_04, LQ_05, LQ_06, LQ_07 and LQ_09 22.03.17. This affects an unknown function of the file /usb_paswd.asp. The manipulation of the argument Name leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-09-26 | 7.3 | CVE-2025-11045 | VDB-326082 | WAYOS LQ_04/LQ_05/LQ_06/LQ_07/LQ_09 usb_paswd.asp command injection VDB-326082 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #658913 | https://web.wayos.com/ WayOS LQ-09-22.23.17v LQ-09-22.03.17 Command Injection Submit #661153 | https://web.wayos.com Wayos LQ_07_A2-22.03.17V LQ_07_A2-22.03.17V Command Injection (Duplicate) Submit #661168 | https://web.wayos.com/ Wayos LQ-05_A2-22.03.17V LQ-05_A2-22.03.17V Integer Overflow to Buffer Overflow (Duplicate) Submit #661177 | https://web.wayos.com/ Wayos LQ_06-22.03.17V LQ_06-22.03.17V Command Injection (Duplicate) Submit #661178 | https://web.wayos.com/ Wayos LQ_04-22.03.17V LQ_04-22.03.17V Command Injection (Duplicate) https://www.yuque.com/yuqueyonghuexlgkz/zepczx/py3shgm1z88g9xp2?singleDoc https://www.yuque.com/yuqueyonghuexlgkz/zepczx/ogyduynf84q89x99?singleDoc |
| Tencent--WeKnora | A security flaw has been discovered in Tencent WeKnora 0.1.0. This impacts the function testEmbeddingModel of the file /api/v1/initialization/embedding/test. The manipulation of the argument baseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. It is advisable to upgrade the affected component. The vendor responds: "We have confirmed that the issue mentioned in the report does not exist in the latest releases". | 2025-09-26 | 7.3 | CVE-2025-11046 | VDB-326083 | Tencent WeKnora test testEmbeddingModel server-side request forgery VDB-326083 | CTI Indicators (IOB, IOC, IOA) Submit #658926 | Tencent WeKnora v0.1.0 Server-Side Request Forgery https://github.com/Hebing123/cve/issues/90 |
| kidaze--CourseSelectionSystem | A security flaw has been discovered in kidaze CourseSelectionSystem 1.0/5.php. The impacted element is an unknown function of the file /Profilers/PriProfile/COUNT3s5.php. Performing manipulation of the argument csslc results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-09-27 | 7.3 | CVE-2025-11052 | VDB-326092 | kidaze CourseSelectionSystem COUNT3s5.php sql injection VDB-326092 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659370 | GitHub CourseSelectionSystem V1.0 SQL Injection https://github.com/xxxmingyue/cve/issues/1 |
| PHPGurukul--Small CRM | A weakness has been identified in PHPGurukul Small CRM 4.0. This affects an unknown function of the file /forgot-password.php. Executing manipulation of the argument email can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-09-27 | 7.3 | CVE-2025-11053 | VDB-326093 | PHPGurukul Small CRM forgot-password.php sql injection VDB-326093 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659439 | phpgurukul Small CRM 4.0 SQL Injection https://github.com/underatted/CVE/issues/2 https://phpgurukul.com/ |
| SourceCodester--Online Hotel Reservation System | A vulnerability was detected in SourceCodester Online Hotel Reservation System 1.0. Affected is an unknown function of the file /admin/updateaddress.php. The manipulation of the argument address results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2025-09-27 | 7.3 | CVE-2025-11055 | VDB-326095 | SourceCodester Online Hotel Reservation System updateaddress.php sql injection VDB-326095 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659456 | SourceCodester Online Hotel Reservation System V1.0 SQL injection https://github.com/diy777/cve/issues/4 https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/print_inv.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-09-27 | 7.3 | CVE-2025-11057 | VDB-326097 | SourceCodester Pet Grooming Management Software print_inv.php sql injection VDB-326097 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659479 | sourcecodester Pet grooming management software 1.0 SQL Injection https://github.com/underatted/CVE/issues/4 https://www.sourcecodester.com/ |
| Campcodes--Online Learning Management System | A vulnerability was found in Campcodes Online Learning Management System 1.0. This affects an unknown part of the file /admin/edit_student.php. Performing manipulation of the argument cys results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2025-09-27 | 7.3 | CVE-2025-11061 | VDB-326098 | Campcodes Online Learning Management System edit_student.php sql injection VDB-326098 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659638 | campcodes Online Learning Management System V1.0 SQL injection https://github.com/luyisi-7/CVE/issues/5 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A vulnerability was determined in Campcodes Online Learning Management System 1.0. This vulnerability affects unknown code of the file /admin/save_student.php. Executing manipulation of the argument class_id can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2025-09-27 | 7.3 | CVE-2025-11062 | VDB-326099 | Campcodes Online Learning Management System save_student.php sql injection VDB-326099 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659639 | campcodes Online Learning Management System V1.0 SQL injection https://github.com/luyisi-7/CVE/issues/4 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A vulnerability was identified in Campcodes Online Learning Management System 1.0. This issue affects some unknown processing of the file /admin/edit_department.php. The manipulation of the argument d leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-09-27 | 7.3 | CVE-2025-11063 | VDB-326100 | Campcodes Online Learning Management System edit_department.php sql injection VDB-326100 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659640 | campcodes Online Learning Management System V1.0 SQL injection https://github.com/luyisi-7/CVE/issues/3 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Impacted is an unknown function of the file /admin/teachers.php. The manipulation of the argument department results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-27 | 7.3 | CVE-2025-11064 | VDB-326101 | Campcodes Online Learning Management System teachers.php sql injection VDB-326101 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659668 | campcodes Online Learning Management System V1.0 SQL injection https://github.com/luyisi-7/CVE/issues/6 https://www.campcodes.com/ |
| code-projects--Online Bidding System | A flaw has been found in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/bidlist.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-09-27 | 7.3 | CVE-2025-11066 | VDB-326105 | code-projects Online Bidding System bidlist.php sql injection VDB-326105 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659642 | code-projects Online Bidding System 1.0 SQL Injection https://github.com/Edenchen321/-/blob/main/report.md https://code-projects.org/ |
| Projectworlds--Online Shopping System | A vulnerability was identified in Projectworlds Online Shopping System 1.0. This affects an unknown part of the file /store/cart_add.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2025-09-27 | 7.3 | CVE-2025-11070 | VDB-326109 | Projectworlds Online Shopping System cart_add.php sql injection VDB-326109 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659660 | projectworlds Online Shopping System 1.0 SQL Injection https://github.com/underatted/CVE/issues/5 |
| code-projects--Project Monitoring System | A flaw has been found in code-projects Project Monitoring System 1.0. The impacted element is an unknown function of the file /login.php. This manipulation of the argument username/password causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-09-27 | 7.3 | CVE-2025-11074 | VDB-326114 | code-projects Project Monitoring System login.php sql injection VDB-326114 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659993 | code-projects Project Monitoring System 1.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL5.md https://code-projects.org/ |
| Campcodes--Online Learning Management System | A vulnerability has been found in Campcodes Online Learning Management System 1.0. This affects an unknown function of the file /admin/de_activate.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-09-27 | 7.3 | CVE-2025-11075 | VDB-326115 | Campcodes Online Learning Management System de_activate.php sql injection VDB-326115 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #660854 | campcodes Online Learning Management System V1.0 SQL injection https://github.com/xiaolonr/cve/issues/2 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A vulnerability was found in Campcodes Online Learning Management System 1.0. This impacts an unknown function of the file /admin/edit_teacher.php. Performing manipulation of the argument department results in SQL injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-09-27 | 7.3 | CVE-2025-11076 | VDB-326116 \| Campcodes Online Learning Management System edit_teacher.php sql injection VDB-326116 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #660855 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/xiaolonr/cve/issues/1 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A vulnerability was determined in Campcodes Online Learning Management System 1.0. Affected is an unknown function of the file /admin/add_content.php. Executing manipulation of the argument Title can lead to SQL injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-27 | 7.3 | CVE-2025-11077 | VDB-326117 \| Campcodes Online Learning Management System add_content.php sql injection VDB-326117 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #661155 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/AbcDzfq/testdeom/issues/1 https://www.campcodes.com/ |
| kidaze--CourseSelectionSystem | A vulnerability was determined in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. This impacts an unknown function of the file /Profilers/PriProfile/COUNT3s4.php. Executing manipulation of the argument cbranch can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. | 2025-09-28 | 7.3 | CVE-2025-11089 | VDB-326171 \| kidaze CourseSelectionSystem COUNT3s4.php sql injection VDB-326171 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #661282 \| github.com CourseSelectionSystem V1.0 SQL Injection https://github.com/evilthan9/cve/issues/2 |
| code-projects--E-Commerce Website | A security vulnerability has been detected in code-projects E-Commerce Website 1.0. This affects an unknown part of the file /pages/admin_product_details.php. Such manipulation of the argument prod_id leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-09-28 | 7.3 | CVE-2025-11094 | VDB-326175 \| code-projects E-Commerce Website admin_product_details.php sql injection VDB-326175 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #659820 \| code-projects E-Commerce Website V1.0 SQL Injection https://github.com/wolfsecurity2/CVE/tree/main/tmp34 https://code-projects.org/ |
| itsourcecode--Open Source Job Portal | A security flaw has been discovered in itsourcecode Open Source Job Portal 1.0. This impacts an unknown function of the file /jobportal/admin/company/index.php?view=edit. Performing manipulation of the argument ID results in SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-09-28 | 7.3 | CVE-2025-11101 | VDB-326182 \| itsourcecode Open Source Job Portal index.php sql injection VDB-326182 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662326 \| itsourcecode Open Source Job Portal V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/37 https://itsourcecode.com/ |
| Campcodes--Online Learning Management System | A weakness has been identified in Campcodes Online Learning Management System 1.0. Affected is an unknown function of the file /admin/edit_content.php. Executing manipulation of the argument Title can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-09-28 | 7.3 | CVE-2025-11102 | VDB-326183 \| Campcodes Online Learning Management System edit_content.php sql injection VDB-326183 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662352 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/hbesljx/vul/issues/1 https://www.campcodes.com/ |
| code-projects--Simple Scheduling System | A flaw has been found in code-projects Simple Scheduling System 1.0. This affects an unknown part of the file /schedulingsystem/addsubject.php. This manipulation of the argument subcode causes SQL injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2025-09-28 | 7.3 | CVE-2025-11105 | VDB-326186 \| code-projects Simple Scheduling System addsubject.php sql injection VDB-326186 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662442 \| code-projects Simple Scheduling System V1.0 SQL Injection https://github.com/WANGshuyan2025/cve/issues/2 https://code-projects.org/ |
| code-projects--Simple Scheduling System | A vulnerability has been found in code-projects Simple Scheduling System 1.0. This vulnerability affects unknown code of the file /schedulingsystem/addfaculty.php. Such manipulation of the argument falname leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-09-28 | 7.3 | CVE-2025-11106 | VDB-326187 \| code-projects Simple Scheduling System addfaculty.php sql injection VDB-326187 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662443 \| code-projects Simple Scheduling System V1.0 SQL Injection https://github.com/WANGshuyan2025/cve/issues/3 https://code-projects.org/ |
| code-projects--Simple Scheduling System | A vulnerability was found in code-projects Simple Scheduling System 1.0. This issue affects some unknown processing of the file /schedulingsystem/addcourse.php. Performing manipulation of the argument corcode results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used. | 2025-09-28 | 7.3 | CVE-2025-11107 | VDB-326188 \| code-projects Simple Scheduling System addcourse.php sql injection VDB-326188 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662444 \| code-projects Simple Scheduling System V1.0 SQL Injection https://github.com/WANGshuyan2025/cve/issues/4 https://code-projects.org/ |
| code-projects--Simple Scheduling System | A vulnerability was determined in code-projects Simple Scheduling System 1.0. Impacted is an unknown function of the file /schedulingsystem/addroom.php. Executing manipulation of the argument room can lead to SQL injection. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-28 | 7.3 | CVE-2025-11108 | VDB-326189 \| code-projects Simple Scheduling System addroom.php sql injection VDB-326189 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662445 \| code-projects Simple Scheduling System V1.0 SQL Injection https://github.com/WANGshuyan2025/cve/issues/5 https://code-projects.org/ |
| Campcodes--Computer Sales and Inventory System | A vulnerability was identified in Campcodes Computer Sales and Inventory System 1.0. The affected element is an unknown function of the file /pages/us_edit.php?action=edit. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-09-28 | 7.3 | CVE-2025-11109 | VDB-326190 \| Campcodes Computer Sales and Inventory System us_edit.php sql injection VDB-326190 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662455 \| Computer Sales and Inventory System V1.0 SQL Injection https://github.com/DrNbnonono/CVE/issues/1 https://www.campcodes.com/ |
| Campcodes--Online Learning Management System | A security flaw has been discovered in Campcodes Online Learning Management System 1.0. The impacted element is an unknown function of the file /admin/school_year.php. The manipulation of the argument school_year results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-28 | 7.3 | CVE-2025-11110 | VDB-326191 \| Campcodes Online Learning Management System school_year.php sql injection VDB-326191 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662467 \| campcodes Online Learning Management System V1.0 SQL injection https://github.com/JKyukino/cve/issues/1 https://www.campcodes.com/ |
| Campcodes--Advanced Online Voting Management System | A weakness has been identified in Campcodes Advanced Online Voting Management System 1.0. This affects an unknown function of the file /admin/candidates_edit.php. This manipulation of the argument ID causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-28 | 7.3 | CVE-2025-11111 | VDB-326192 \| Campcodes Advanced Online Voting Management System candidates_edit.php sql injection VDB-326192 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662468 \| Campcodes Advanced Online Voting Management System 1.0 SQL Injection https://github.com/Clw309/CVE/issues/1 https://www.campcodes.com/ |
| code-projects--Simple Scheduling System | A vulnerability has been found in code-projects Simple Scheduling System 1.0. Affected by this issue is some unknown functionality of the file /addtime.php. The manipulation of the argument starttime/endtime leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-09-28 | 7.3 | CVE-2025-11115 | VDB-326196 \| code-projects Simple Scheduling System addtime.php sql injection VDB-326196 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662700 \| code-projects Simple Scheduling System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/41 https://code-projects.org/ |
| code-projects--Simple Scheduling System | A vulnerability was found in code-projects Simple Scheduling System 1.0. This affects an unknown part of the file /add.home.php. The manipulation of the argument faculty results in SQL injection. The attack can be executed remotely. The exploit has been made public and could be used. Other parameters might be affected as well. | 2025-09-28 | 7.3 | CVE-2025-11116 | VDB-326197 \| code-projects Simple Scheduling System add.home.php sql injection VDB-326197 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662701 \| code-projects Simple Scheduling System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/42 https://code-projects.org/ |
| CodeAstro--Student Grading System | A vulnerability was identified in CodeAstro Student Grading System 1.0. This issue affects some unknown processing of the file /adminLogin.php. Such manipulation of the argument staffId leads to SQL injection. The attack may be performed remotely. The exploit is publicly available and might be used. | 2025-09-28 | 7.3 | CVE-2025-11118 | VDB-326199 \| CodeAstro Student Grading System adminLogin.php sql injection VDB-326199 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #663115 \| CodeAstro Student Grading System Project 1.0 SQL Injection https://github.com/Clw309/CVE/issues/2 https://codeastro.com/ |
| Cisco--Cisco IOS XE Software | A vulnerability in the handling of certain Ethernet frames in Cisco IOS XE Software for Catalyst 9000 Series Switches could allow an unauthenticated, adjacent attacker to cause an egress port to become blocked and drop all outbound traffic. This vulnerability is due to improper handling of crafted Ethernet frames. An attacker could exploit this vulnerability by sending crafted Ethernet frames through an affected switch. A successful exploit could allow the attacker to cause the egress port to which the crafted frame is forwarded to start dropping all frames, resulting in a denial of service (DoS) condition. | 2025-09-24 | 7.4 | CVE-2025-20311 | cisco-sa-cat9k-PtmD7bgy |
| Cisco--Cisco IOS XE Software | A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when parsing a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system. | 2025-09-24 | 7.7 | CVE-2025-20312 | cisco-sa-snmpwred-x3MJyf5M |
| Cisco--IOS | A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted URL in an HTTP request. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. | 2025-09-24 | 7.7 | CVE-2025-20327 | cisco-sa-ios-invalid-url-dos-Nvxszf6u |
| Cisco--IOS | A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP. | 2025-09-24 | 7.7 | CVE-2025-20352 | cisco-sa-snmp-x4LPhte |
| Qualcomm, Inc.--Snapdragon | Memory corruption when passing parameters to the Trusted Virtual Machine during the handshake. | 2025-09-24 | 7.8 | CVE-2025-21476 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while performing private key encryption in trusted application. | 2025-09-24 | 7.8 | CVE-2025-21481 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue while performing RSA PKCS padding decoding. | 2025-09-24 | 7.1 | CVE-2025-21482 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-09-24 | 7.8 | CVE-2025-23348 | https://nvd.nist.gov/vuln/detail/CVE-2025-23348 https://www.cve.org/CVERecord?id=CVE-2025-23348 https://nvidia.custhelp.com/app/answers/detail/a_id/5698 |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-09-24 | 7.8 | CVE-2025-23349 | https://nvd.nist.gov/vuln/detail/CVE-2025-23349 https://www.cve.org/CVERecord?id=CVE-2025-23349 https://nvidia.custhelp.com/app/answers/detail/a_id/5698 |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-09-24 | 7.8 | CVE-2025-23353 | https://nvd.nist.gov/vuln/detail/CVE-2025-23353 https://www.cve.org/CVERecord?id=CVE-2025-23353 https://nvidia.custhelp.com/app/answers/detail/a_id/5698 |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-09-24 | 7.8 | CVE-2025-23354 | https://nvd.nist.gov/vuln/detail/CVE-2025-23354 https://www.cve.org/CVERecord?id=CVE-2025-23354 https://nvidia.custhelp.com/app/answers/detail/a_id/5698 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while loading a PIL authenticated VM, when authenticated VM image is loaded without maintaining cache coherency. | 2025-09-24 | 7.8 | CVE-2025-27032 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing config_dev IOCTL when camera kernel driver drops its reference to CPU buffers. | 2025-09-24 | 7.8 | CVE-2025-27037 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing message in guest VM. | 2025-09-24 | 7.8 | CVE-2025-27077 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Unitree--Go2 | Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches. | 2025-09-26 | 7.3 | CVE-2025-35027 | https://takeonme.org/cves/cve-2025-35027 https://github.com/Bin4ry/UniPwn https://spectrum.ieee.org/unitree-robot-exploit https://x.com/committeeonccp/status/1971250635548033311 https://www.cve.org/cverecord?id=CVE-2025-60017 https://www.cve.org/cverecord?id=CVE-2025-60250 |
| Airship AI--Acropolis | Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9. | 2025-09-22 | 7.5 | CVE-2025-35041 | url url |
| IBM--webMethods Integration | IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format strings passed as an argument from an external source. | 2025-09-22 | 7.5 | CVE-2025-36202 | https://www.ibm.com/support/pages/node/7245720 |
| IBM--Aspera HTTP Gateway | IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. | 2025-09-26 | 7.5 | CVE-2025-36274 | https://www.ibm.com/support/pages/node/7246284 |
| Dell--Wireless 5932e | Dell Wireless 5932e and Qualcomm Snapdragon X62 Firmware and GNSS/GPS Driver, versions prior to 3.2.0.22 contain an Unquoted Search Path or Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code Execution. | 2025-09-25 | 7.8 | CVE-2025-43993 | https://www.dell.com/support/kbdoc/en-us/000372605/dsa-2025-363 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing data sent by FE driver. | 2025-09-24 | 7.8 | CVE-2025-47314 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling repeated memory unmap requests from guest VM. | 2025-09-24 | 7.8 | CVE-2025-47315 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption due to double free when multiple threads race to set the timestamp store. | 2025-09-24 | 7.8 | CVE-2025-47316 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption due to global buffer overflow when a test command uses an invalid payload type. | 2025-09-24 | 7.8 | CVE-2025-47317 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS while parsing the EPTM test control message to get the test pattern. | 2025-09-24 | 7.5 | CVE-2025-47318 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS while handling command data during power control processing. | 2025-09-24 | 7.5 | CVE-2025-47326 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while encoding the image data. | 2025-09-24 | 7.8 | CVE-2025-47327 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS while processing power control requests with invalid antenna or stream values. | 2025-09-24 | 7.5 | CVE-2025-47328 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling invalid inputs in application info setup. | 2025-09-24 | 7.8 | CVE-2025-47329 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| undsgn--Uncode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in undsgn Uncode allows Reflected XSS. This issue affects Uncode: from n/a through n/a. | 2025-09-26 | 7.1 | CVE-2025-48107 | https://patchstack.com/database/wordpress/theme/uncode/vulnerability/wordpress-uncode-theme-2-9-4-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python's eval() function on a user-controlled query parameter in the project_bulk_archive view. This allows privileged users (e.g., administrators) to execute arbitrary system commands on the server. While having Django's DEBUG=True makes exploitation visibly easier by returning command output in the HTTP response, this is not required. The vulnerability can still be exploited in DEBUG=False mode by using blind payloads such as a reverse shell, leading to full remote code execution. This issue has been patched in version 1.3.1. | 2025-09-24 | 7.2 | CVE-2025-48868 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-h6qj-pwmx-wjhw https://github.com/horilla-opensource/horilla/commit/b0aab62b3a5fe6b7114b5c58db129b3744b4d8cc https://drive.google.com/file/d/1XQAJilt77QxkjGEa94CsZRqZIZXa3ET9/view?usp=sharing https://drive.google.com/file/d/1hnI9AK3fnpVrTlTRF7aRJsKhZCDIm2Ve/view?usp=sharing |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive candidate information without authentication. At time of publication there is no known patch. | 2025-09-24 | 7.5 | CVE-2025-48869 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99h5-x29f-727w |
| Metagauss--ProfileGrid | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid allows Reflected XSS. This issue affects ProfileGrid: from n/a through 5.9.5.7. | 2025-09-26 | 7.1 | CVE-2025-4957 | https://patchstack.com/database/wordpress/plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-plugin-5-9-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Pluginwale--Easy Pricing Table WP | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pluginwale Easy Pricing Table WP allows PHP Local File Inclusion. This issue affects Easy Pricing Table WP: from n/a through 1.1.3. | 2025-09-22 | 7.5 | CVE-2025-53450 | https://patchstack.com/database/wordpress/plugin/easy-pricing-table-wp/vulnerability/wordpress-easy-pricing-table-wp-plugin-1-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| raoinfotech--GSheets Connector | Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection. This issue affects GSheets Connector: from n/a through 1.1.1. | 2025-09-22 | 7.2 | CVE-2025-53465 | https://patchstack.com/database/wordpress/plugin/sheetlink/vulnerability/wordpress-gsheets-connector-plugin-1-1-1-php-object-injection-vulnerability?_s_id=cve |
| Microsoft--OmniParser | Binding to an unrestricted IP address in GitHub allows an unauthorized attacker to execute code over a network. | 2025-09-24 | 7.3 | CVE-2025-55322 | OmniParser Remote Code Execution Vulnerability |
| ERA404--LinkedInclude | Cross-Site Request Forgery (CSRF) vulnerability in ERA404 LinkedInclude allows Stored XSS. This issue affects LinkedInclude: from n/a through 3.0.4. | 2025-09-22 | 7.1 | CVE-2025-57918 | https://patchstack.com/database/wordpress/plugin/linkedinclude/vulnerability/wordpress-linkedinclude-plugin-3-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ConveyThis--Language Translate Widget for WordPress ConveyThis | Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress - ConveyThis allows Object Injection. This issue affects Language Translate Widget for WordPress - ConveyThis: from n/a through 264. | 2025-09-22 | 7.2 | CVE-2025-57919 | https://patchstack.com/database/wordpress/plugin/conveythis-translate/vulnerability/wordpress-language-translate-widget-for-wordpress-conveythis-plugin-264-php-object-injection-vulnerability?_s_id=cve |
| immonex--immonex Kickstart Team | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in immonex immonex Kickstart Team allows PHP Local File Inclusion. This issue affects immonex Kickstart Team: from n/a through 1.6.9. | 2025-09-22 | 7.5 | CVE-2025-57925 | https://patchstack.com/database/wordpress/plugin/immonex-kickstart-team/vulnerability/wordpress-immonex-kickstart-team-plugin-1-6-9-local-file-inclusion-vulnerability?_s_id=cve |
| e4jvikwp--VikRestaurants Table Reservations and Take-Away | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Reflected XSS. This issue affects VikRestaurants Table Reservations and Take-Away: from n/a through 1.4. | 2025-09-22 | 7.1 | CVE-2025-57968 | https://patchstack.com/database/wordpress/plugin/vikrestaurants/vulnerability/wordpress-vikrestaurants-table-reservations-and-take-away-plugin-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpdesk--Flexible PDF Invoices for WooCommerce & WordPress | Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through 6.0.13. | 2025-09-22 | 7.1 | CVE-2025-57977 | https://patchstack.com/database/wordpress/plugin/flexible-invoices/vulnerability/wordpress-flexible-pdf-invoices-for-woocommerce-wordpress-plugin-6-0-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| scriptsbundle--Nokri | Cross-Site Request Forgery (CSRF) vulnerability in scriptsbundle Nokri allows Cross Site Request Forgery. This issue affects Nokri: from n/a through 1.6.4. | 2025-09-22 | 7.1 | CVE-2025-58259 | https://patchstack.com/database/wordpress/theme/nokri/vulnerability/wordpress-nokri-theme-1-6-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| PressPage Entertainment Inc--Mavis HTTPS to HTTP Redirection | Cross-Site Request Forgery (CSRF) vulnerability in PressPage Entertainment Inc Mavis HTTPS to HTTP Redirection allows Stored XSS. This issue affects Mavis HTTPS to HTTP Redirection: from n/a through 1.4.3. | 2025-09-22 | 7.1 | CVE-2025-58261 | https://patchstack.com/database/wordpress/plugin/mavis-https-to-http-redirect/vulnerability/wordpress-mavis-https-to-http-redirection-plugin-1-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| wpdirectorykit--Sweet Energy Efficiency | Cross-Site Request Forgery (CSRF) vulnerability in wpdirectorykit Sweet Energy Efficiency allows Stored XSS. This issue affects Sweet Energy Efficiency: from n/a through 1.0.6. | 2025-09-22 | 7.1 | CVE-2025-58262 | https://patchstack.com/database/wordpress/plugin/sweet-energy-efficiency/vulnerability/wordpress-sweet-energy-efficiency-plugin-1-0-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Aftabul Islam--Stock Message | Cross-Site Request Forgery (CSRF) vulnerability in Aftabul Islam Stock Message allows Stored XSS. This issue affects Stock Message: from n/a through 1.1.0. | 2025-09-22 | 7.1 | CVE-2025-58267 | https://patchstack.com/database/wordpress/plugin/stock-message/vulnerability/wordpress-stock-message-plugin-1-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WPMK--WPMK PDF Generator | Cross-Site Request Forgery (CSRF) vulnerability in WPMK WPMK PDF Generator allows Stored XSS. This issue affects WPMK PDF Generator: from n/a through 1.0.1. | 2025-09-22 | 7.1 | CVE-2025-58268 | https://patchstack.com/database/wordpress/plugin/wpmk-pdf-generator/vulnerability/wordpress-wpmk-pdf-generator-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| NIX Solutions Ltd--NIX Anti-Spam Light | Cross-Site Request Forgery (CSRF) vulnerability in NIX Solutions Ltd NIX Anti-Spam Light allows Cross Site Request Forgery. This issue affects NIX Anti-Spam Light: from n/a through 0.0.4. | 2025-09-22 | 7.1 | CVE-2025-58270 | https://patchstack.com/database/wordpress/plugin/nix-anti-spam-light/vulnerability/wordpress-nix-anti-spam-light-plugin-0-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Delta Electronics--CNCSoft-G2 | Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process. | 2025-09-24 | 7.8 | CVE-2025-58317 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00017_CNCSoft-G2_File%20Parsing%20Stack-based%20Buffer%20Overflow%20Vulnerability.pdf |
| Delta Electronics--CNCSoft-G2 | Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process. | 2025-09-24 | 7.8 | CVE-2025-58319 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00017_CNCSoft-G2_File%20Parsing%20Stack-based%20Buffer%20Overflow%20Vulnerability.pdf |
| EdwardBock--Grid | Cross-Site Request Forgery (CSRF) vulnerability in EdwardBock Grid allows Stored XSS. This issue affects Grid: from n/a through 2.3.1. | 2025-09-22 | 7.1 | CVE-2025-58657 | https://patchstack.com/database/wordpress/plugin/grid/vulnerability/wordpress-grid-plugin-2-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| awesomesupport--Awesome Support | Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support allows Object Injection. This issue affects Awesome Support: from n/a through 6.3.4. | 2025-09-22 | 7.2 | CVE-2025-58662 | https://patchstack.com/database/wordpress/plugin/awesome-support/vulnerability/wordpress-awesome-support-plugin-6-3-4-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| Shankaranand Maurya--WP Content Protection | Cross-Site Request Forgery (CSRF) vulnerability in Shankaranand Maurya WP Content Protection allows Stored XSS. This issue affects WP Content Protection: from n/a through 1.3. | 2025-09-22 | 7.1 | CVE-2025-58670 | https://patchstack.com/database/wordpress/plugin/wp-content-protection/vulnerability/wordpress-wp-content-protection-plugin-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| morganrichards--Auction Feed | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in morganrichards Auction Feed allows Stored XSS. This issue affects Auction Feed: from n/a through 1.1.3. | 2025-09-22 | 7.1 | CVE-2025-58671 | https://patchstack.com/database/wordpress/plugin/auction-feed/vulnerability/wordpress-auction-feed-plugin-1-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| extendyourweb--HORIZONTAL SLIDER | Cross-Site Request Forgery (CSRF) vulnerability in extendyourweb HORIZONTAL SLIDER allows Stored XSS. This issue affects HORIZONTAL SLIDER: from n/a through 2.4. | 2025-09-22 | 7.1 | CVE-2025-58676 | https://patchstack.com/database/wordpress/plugin/horizontal-slider/vulnerability/wordpress-horizontal-slider-plugin-2-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| puravida1976--ShrinkTheWeb (STW) Website Previews | Cross-Site Request Forgery (CSRF) vulnerability in puravida1976 ShrinkTheWeb (STW) Website Previews allows Stored XSS. This issue affects ShrinkTheWeb (STW) Website Previews: from n/a through 2.8.5. | 2025-09-22 | 7.1 | CVE-2025-58677 | https://patchstack.com/database/wordpress/plugin/shrinktheweb-website-preview-plugin/vulnerability/wordpress-shrinktheweb-stw-website-previews-plugin-2-8-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WP CMS Ninja--Current Age Plugin | Cross-Site Request Forgery (CSRF) vulnerability in WP CMS Ninja Current Age Plugin allows Stored XSS. This issue affects Current Age Plugin: from n/a through 1.6. | 2025-09-22 | 7.1 | CVE-2025-58687 | https://patchstack.com/database/wordpress/plugin/current-age/vulnerability/wordpress-current-age-plugin-plugin-1-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Casengo--Casengo Live Chat Support | Cross-Site Request Forgery (CSRF) vulnerability in Casengo Casengo Live Chat Support allows Stored XSS. This issue affects Casengo Live Chat Support: from n/a through 2.1.4. | 2025-09-22 | 7.1 | CVE-2025-58688 | https://patchstack.com/database/wordpress/plugin/the-casengo-chat-widget/vulnerability/wordpress-casengo-live-chat-support-plugin-2-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ptibogxiv--Doliconnect | Cross-Site Request Forgery (CSRF) vulnerability in ptibogxiv Doliconnect allows Stored XSS. This issue affects Doliconnect: from n/a through 9.5.7. | 2025-09-22 | 7.1 | CVE-2025-58690 | https://patchstack.com/database/wordpress/plugin/doliconnect/vulnerability/wordpress-doliconnect-plugin-9-5-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| loopus--WP Attractive Donations System | Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System allows Stored XSS. This issue affects WP Attractive Donations System: from n/a through n/a. | 2025-09-22 | 7.1 | CVE-2025-58956 | https://patchstack.com/database/wordpress/plugin/wp-attractive-donations-system-easy-stripe-paypal-donations/vulnerability/wordpress-wp-attractive-donations-system-plugin-1-29-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| hashthemes--Easy Elementor Addons | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons allows PHP Local File Inclusion. This issue affects Easy Elementor Addons: from n/a through 2.2.8. | 2025-09-22 | 7.5 | CVE-2025-58973 | https://patchstack.com/database/wordpress/plugin/easy-elementor-addons/vulnerability/wordpress-easy-elementor-addons-plugin-2-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| SeaTheme--BM Content Builder | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal. This issue affects BM Content Builder: from n/a through n/a. | 2025-09-26 | 7.7 | CVE-2025-59002 | https://patchstack.com/database/wordpress/plugin/bm-builder/vulnerability/wordpress-bm-content-builder-plugin-3-16-3-3-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Maciej Bis--Permalink Manager Lite | Insertion of Sensitive Information Into Sent Data vulnerability in Maciej Bis Permalink Manager Lite allows Retrieve Embedded Sensitive Data. This issue affects Permalink Manager Lite: from n/a through 2.5.1.3. | 2025-09-26 | 7.5 | CVE-2025-59010 | https://patchstack.com/database/wordpress/plugin/permalink-manager/vulnerability/wordpress-permalink-manager-lite-plugin-2-5-1-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| shinetheme--Traveler | Missing Authorization vulnerability in shinetheme Traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through n/a. | 2025-09-26 | 7.5 | CVE-2025-59011 | https://patchstack.com/database/wordpress/theme/traveler/vulnerability/wordpress-traveler-theme-3-2-3-arbitrary-content-deletion-vulnerability?_s_id=cve |
| shinetheme--Traveler | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler allows Reflected XSS. This issue affects Traveler: from n/a through n/a. | 2025-09-26 | 7.1 | CVE-2025-59012 | https://patchstack.com/database/wordpress/theme/traveler/vulnerability/wordpress-traveler-theme-3-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | 2025-09-24 | 7.6 | CVE-2025-59251 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability |
| cubecart--v6 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been changed. Due to this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker's access. The malicious actor retains full access to the account until their session naturally expires. This means the account remains insecure even after the password has been changed. This issue has been patched in version 6.5.11. | 2025-09-22 | 7.1 | CVE-2025-59335 | https://github.com/cubecart/v6/security/advisories/GHSA-4vwh-x8m2-fmvv https://github.com/cubecart/v6/commit/4bfaeb4485dd82255a108940a163af5ba4583b52 https://github.com/cubecart/v6/commit/62d9be8416aa6fd7343f8932d98c5b112b163e26 |
| authlib--authlib | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib's JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 "must‑understand" semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4. | 2025-09-22 | 7.5 | CVE-2025-59420 | https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32 https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. This issue has been patched in version 3.0.6. | 2025-09-22 | 7.5 | CVE-2025-59527 | https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hr92-4q35-4j3m https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/components/src/utils.ts#L474-L478 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/controllers/fetch-links/index.ts#L6-L24 https://github.com/FlowiseAI/Flowise/blob/5930f1119c655bcf8d2200ae827a1f5b9fec81d0/packages/server/src/services/fetch-links/index.ts#L8-L18 https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.6 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.2, there is a command injection vulnerability in initialize_kerberos_keytab_file_login(). The vulnerability exists because the code directly interpolates user-controlled input into a shell command and executes it via system() without any sanitization or validation. This issue has been patched in version 1.4.2. | 2025-09-23 | 7.3 | CVE-2025-59534 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-jw5c-58hr-m3v3 https://github.com/nasa/CryptoLib/commit/3ccb1b306026bb20a028fbfdcf18935f7345ed2f |
| WPFunnels--Mail Mint | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFunnels Mail Mint allows SQL Injection. This issue affects Mail Mint: from n/a through 1.18.6. | 2025-09-22 | 7.6 | CVE-2025-59570 | https://patchstack.com/database/wordpress/plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-18-6-sql-injection-vulnerability?_s_id=cve |
| PenciDesign--Soledad | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through 8.6.8. | 2025-09-22 | 7.5 | CVE-2025-59588 | https://patchstack.com/database/wordpress/theme/soledad/vulnerability/wordpress-soledad-theme-8-6-8-local-file-inclusion-vulnerability?_s_id=cve |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering. | 2025-09-22 | 7.7 | CVE-2025-5962 | RHSA-2025:16345 RHSA-2025:16346 https://access.redhat.com/security/cve/CVE-2025-5962 RHBZ#2371363 |
| Zenitel--ICX500 | This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. User passwords are stored in plaintext, significantly increasing the severity of this issue. | 2025-09-25 | 7.3 | CVE-2025-59816 | Zenitel Zenitel |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges, potentially introducing malicious, incorrect, or misleading content. This issue has been patched in version 2.2.0. | 2025-09-23 | 7.6 | CVE-2025-59826 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-q7pg-qchv-3pc5 |
| rack--rack | Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18. | 2025-09-25 | 7.5 | CVE-2025-59830 | https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71 |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0. | 2025-09-24 | 7.5 | CVE-2025-59833 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-hm85-2j65-j8j2 |
| wpshuffle--Subscribe to Download | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download allows PHP Local File Inclusion. This issue affects Subscribe to Download: from n/a through 2.0.9. | 2025-09-26 | 7.5 | CVE-2025-60150 | https://patchstack.com/database/wordpress/plugin/subscribe-to-download/vulnerability/wordpress-subscribe-to-download-plugin-2-0-9-local-file-inclusion-vulnerability?_s_id=cve |
| wpshuffle--Subscribe To Unlock | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe To Unlock allows PHP Local File Inclusion. This issue affects Subscribe To Unlock: from n/a through 1.1.5. | 2025-09-26 | 7.5 | CVE-2025-60153 | https://patchstack.com/database/wordpress/plugin/subscribe-to-unlock/vulnerability/wordpress-subscribe-to-unlock-plugin-1-1-5-local-file-inclusion-vulnerability?_s_id=cve |
| NewsMAN--NewsmanApp | Cross-Site Request Forgery (CSRF) vulnerability in NewsMAN NewsmanApp allows Stored XSS. This issue affects NewsmanApp: from n/a through 2.7.7. | 2025-09-26 | 7.1 | CVE-2025-60164 | https://patchstack.com/database/wordpress/plugin/newsmanapp/vulnerability/wordpress-newsmanapp-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| W3S Cloud Technology--W3SCloud Contact Form 7 to Zoho CRM | Cross-Site Request Forgery (CSRF) vulnerability in W3S Cloud Technology W3SCloud Contact Form 7 to Zoho CRM allows Stored XSS. This issue affects W3SCloud Contact Form 7 to Zoho CRM: from n/a through 3.0. | 2025-09-26 | 7.1 | CVE-2025-60169 | https://patchstack.com/database/wordpress/plugin/w3s-cf7-zoho/vulnerability/wordpress-w3scloud-contact-form-7-to-zoho-crm-plugin-3-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Taraprasad Swain--HTACCESS IP Blocker | Cross-Site Request Forgery (CSRF) vulnerability in Taraprasad Swain HTACCESS IP Blocker allows Stored XSS. This issue affects HTACCESS IP Blocker: from n/a through 1.0. | 2025-09-26 | 7.1 | CVE-2025-60170 | https://patchstack.com/database/wordpress/plugin/htaccess-ip-blocker/vulnerability/wordpress-htaccess-ip-blocker-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| yourplugins--Conditional Cart Messages for WooCommerce – YourPlugins.com | Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through 1.2.10. | 2025-09-26 | 7.1 | CVE-2025-60171 | https://patchstack.com/database/wordpress/plugin/yourplugins-wc-conditional-cart-notices/vulnerability/wordpress-conditional-cart-messages-for-woocommerce-yourplugins-com-plugin-1-2-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| flytedesk--Flytedesk Digital | Cross-Site Request Forgery (CSRF) vulnerability in flytedesk Flytedesk Digital allows Stored XSS. This issue affects Flytedesk Digital: from n/a through 20181101. | 2025-09-26 | 7.1 | CVE-2025-60172 | https://patchstack.com/database/wordpress/plugin/flytedesk-digital/vulnerability/wordpress-flytedesk-digital-plugin-20181101-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Ashwani kumar--GST for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in Ashwani kumar GST for WooCommerce allows Stored XSS. This issue affects GST for WooCommerce: from n/a through 2.0. | 2025-09-26 | 7.1 | CVE-2025-60173 | https://patchstack.com/database/wordpress/plugin/gst-for-woocommerce/vulnerability/wordpress-gst-for-woocommerce-plugin-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| GitLab--GitLab | Denial of Service issue in GraphQL endpoints in GitLab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service disruption. | 2025-09-27 | 7.5 | CVE-2025-8014 | GitLab Issue #556838 HackerOne Bug Bounty Report #3228134 |
| Autodesk--Revit | A maliciously crafted RFA file, when parsed through Autodesk Revit, can force a Type Confusion vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-09-23 | 7.8 | CVE-2025-8354 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0019 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-09-22 | 7.8 | CVE-2025-8892 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0019 |
| veronalabs--WP Statistics Simple, privacy-friendly Google Analytics alternative | The WP Statistics - The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-27 | 7.2 | CVE-2025-9816 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d8351204-da6d-443a-98b5-0608bfb1e9d0?source=cve https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.15.3/includes/admin/templates/pages/devices/models.php#L31 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| IBM--Storage TS4500 Library | IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 2025-09-27 | 6.5 | CVE-2024-43192 | https://www.ibm.com/support/pages/node/7246245 |
| WSO2--WSO2 API Manager | An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions. This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows. | 2025-09-23 | 6.5 | CVE-2024-4598 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/ |
| WSO2--WSO2 Identity Server | A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser. This vulnerability could allow attackers to redirect users to malicious websites, modify the user interface, or exfiltrate data from the browser. However, session-related sensitive cookies are protected using the httpOnly flag, which mitigates the risk of session hijacking. | 2025-09-23 | 6.1 | CVE-2025-0209 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3902/ |
| WSO2--WSO2 Open Banking IAM | A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled. | 2025-09-23 | 6.8 | CVE-2025-0663 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3864/ |
| douglaskarr--TweetThis Shortcode | The TweetThis Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tweetthis' shortcode in all versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-26 | 6.4 | CVE-2025-10136 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e45e0ff1-3e74-4eee-a4ff-8ec033599bc3?source=cve https://plugins.svn.wordpress.org/tweetthis-shortcode/tags/1.8.0/dkts.php |
| creativemindssolutions--CM Business Directory Optimise and showcase local business | The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-26 | 6.4 | CVE-2025-10178 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1ecd71-57ed-44ba-a007-3b96b98d3bf7?source=cve https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/frontend/cm-business-directory-business-page-sc.php#L289 https://wordpress.org/plugins/cm-business-directory/ https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/frontend/cm-business-directory-business-page-sc.php?rev=3364840#L280 https://plugins.trac.wordpress.org/browser/cm-business-directory/tags/1.5.2/frontend/cm-business-directory-business-page-sc.php#L289 |
| jhoppe--Markdown Shortcode | The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-26 | 6.4 | CVE-2025-10180 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e9563b8-7e1b-4e87-8b56-17b75adb66c3?source=cve https://plugins.trac.wordpress.org/browser/markdown-shortcode/trunk/markdown-shortcode.php#L40 https://github.com/JohannesHoppe/markdown-shortcode/releases/tag/v0.2.3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365425%40markdown-shortcode&new=3365425%40markdown-shortcode&sfp_email=&sfph_mail= |
| softaculous--Backuply Backup, Restore, Migrate and Clone | The Backuply - Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-09-26 | 6.5 | CVE-2025-10307 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0dd53fad-1bd7-41ed-95cb-205a9b421724?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363283%40backuply&new=3363283%40backuply&sfp_email=&sfph_mail= |
| JSC R7--R7-Office Document Server | A flaw has been found in JSC R7 R7-Office Document Server up to 20250820. Impacted is an unknown function of the file /downloadas/. Executing manipulation of the argument cmd can lead to path traversal. The attack can be launched remotely. Upgrading to version 2025.3.1.923 is recommended to address this issue. The affected component should be upgraded. R7-Office is a fork of OpenOffice and at the moment it remains unclear if OpenOffice is affected as well. The OpenOffice team was not able to reproduce the issue in their codebase. The vendor replied: "We confirm that this vulnerability has been verified and patched in release 2025.3.1.923. During our security testing, it was not possible to exploit the issue - the server consistently returns proper error responses to the provided scenarios." | 2025-09-22 | 6.3 | CVE-2025-10777 | VDB-325133 \| JSC R7 R7-Office Document Server downloadas path traversal VDB-325133 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #638446 \| OnlyOffice document server ?-2024.1.1-375-?/<2025.3.1.923 Path Traversal: 'dir/../../filename' |
| CodeAstro--Simple Pharmacy Management | A vulnerability was determined in CodeAstro Simple Pharmacy Management 1.0. This affects an unknown function of the file /view.php. This manipulation of the argument bar_code causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-09-22 | 6.3 | CVE-2025-10780 | VDB-325136 \| CodeAstro Simple Pharmacy Management view.php sql injection VDB-325136 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653704 \| CodeAstro Simple Pharmacy Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/26 https://codeastro.com/ |
| n/a--MuYuCMS | A vulnerability was found in MuYuCMS up to 2.7. Impacted is an unknown function of the file /index/index.html of the component Add Fiend Link Handler. Performing manipulation of the argument Link URL results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-09-22 | 6.3 | CVE-2025-10787 | VDB-325144 \| MuYuCMS Add Fiend Link index.html server-side request forgery VDB-325144 \| CTI Indicators (IOB, IOC, IOA) Submit #653888 \| MuYuCMS 2.7 ssrf https://gitee.com/MuYuCMS/MuYuCMS/issues/ICXV34 |
| SourceCodester--Simple Forum Discussion System | A security flaw has been discovered in SourceCodester Simple Forum Discussion System 1.0. This affects an unknown function of the file /ajax.php?action=save_category. The manipulation of the argument Description results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-09-22 | 6.3 | CVE-2025-10790 | VDB-325147 \| SourceCodester Simple Forum Discussion System ajax.php sql injection VDB-325147 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653991 \| SourceCodester Simple Forum/Discussion System 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/26 https://www.sourcecodester.com/ |
| Campcodes--Online Beauty Parlor Management System | A vulnerability was found in Campcodes Online Beauty Parlor Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/add-customer.php. Performing manipulation of the argument mobilenum results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-09-22 | 6.3 | CVE-2025-10804 | VDB-325162 \| Campcodes Online Beauty Parlor Management System add-customer.php sql injection VDB-325162 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654373 \| Campcodes Online Beauty Parlor Management System 1.0 SQL Injection https://github.com/fubxx/CVE/blob/main/Online%20Beauty%20Parlor%20Management%20System%20SQL%20Injection%20on%20add-customer.php.md https://www.campcodes.com/ |
| Campcodes--Online Beauty Parlor Management System | A vulnerability was determined in Campcodes Online Beauty Parlor Management System 1.0. This affects an unknown part of the file /admin/add-services.php. Executing manipulation of the argument sername can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-22 | 6.3 | CVE-2025-10805 | VDB-325163 \| Campcodes Online Beauty Parlor Management System add-services.php sql injection VDB-325163 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654374 \| Campcodes Online Beauty Parlor Management System 1.0 SQL Injection https://github.com/fubxx/CVE/blob/main/Online%20Beauty%20Parlor%20Management%20System%20SQL%20Injection%20on%20add-services.php.md https://www.campcodes.com/ |
| Campcodes--Online Beauty Parlor Management System | A vulnerability was identified in Campcodes Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-09-22 | 6.3 | CVE-2025-10806 | VDB-325164 \| Campcodes Online Beauty Parlor Management System bwdates-reports-details.php sql injection VDB-325164 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654375 \| Campcodes Online Beauty Parlor Management System 1.0 SQL Injection https://github.com/fubxx/CVE/blob/main/Online%20Beauty%20Parlor%20Management%20System%20SQL%20Injection%20on%20bwdates-reports-details.php%20.md https://www.campcodes.com/ |
| Campcodes--Online Beauty Parlor Management System | A security flaw has been discovered in Campcodes Online Beauty Parlor Management System 1.0. This issue affects some unknown processing of the file /admin/edit-customer-detailed.php. The manipulation of the argument editid results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-09-22 | 6.3 | CVE-2025-10807 | VDB-325165 \| Campcodes Online Beauty Parlor Management System edit-customer-detailed.php sql injection VDB-325165 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654376 \| Campcodes Online Beauty Parlor Management System 1.0 SQL Injection https://github.com/fubxx/CVE/blob/main/Online%20Beauty%20Parlor%20Management%20System%20SQL%20Injection%20on%20edit-customer-detailed.php%20.md https://www.campcodes.com/ |
| D-Link--DIR-823X | A vulnerability was determined in D-Link DIR-823X 240126/240802/250416. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/goahead. This manipulation of the argument port causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-22 | 6.3 | CVE-2025-10814 | VDB-325172 \| D-Link DIR-823X goahead command injection VDB-325172 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654452 \| Dlink DIR-823x DIR-823x 250416, 240802, 240126 Command Injection https://github.com/W1ngyu/cve/blob/main/DIink-DIR-823xgoformset_server_settings_command_execution_vulnerability.md https://www.dlink.com/ |
| Campcodes--Online Beauty Parlor Management System | A vulnerability was identified in Campcodes Online Beauty Parlor Management System 1.0. Affected is an unknown function of the file /admin/view-appointment.php. The manipulation of the argument viewid leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-09-23 | 6.3 | CVE-2025-10825 | VDB-325182 \| Campcodes Online Beauty Parlor Management System view-appointment.php sql injection VDB-325182 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654379 \| Campcodes Online Beauty Parlor Management System 1.0 SQL Injection https://github.com/fubxx/CVE/blob/main/Online%20Beauty%20Parlor%20Management%20System%20SQL%20Injection%20on%20view-appointment.php.md https://www.campcodes.com/ |
| Campcodes--Online Beauty Parlor Management System | A security flaw has been discovered in Campcodes Online Beauty Parlor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/sales-reports-detail.php. The manipulation of the argument fromdate/todate results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-09-23 | 6.3 | CVE-2025-10826 | VDB-325183 | Campcodes Online Beauty Parlor Management System sales-reports-detail.php sql injection VDB-325183 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #654384 | Campcodes Online Beauty Parlor Management System 1.0 SQL Injection https://github.com/fubxx/CVE/blob/main/Online%20Beauty%20Parlor%20Management%20System%20SQL%20Injection%20on%20sales-reports-detail.php.md https://www.campcodes.com/ |
| SourceCodester--Pet Grooming Management Software | A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. This affects an unknown part of the file /admin/edit.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-09-23 | 6.3 | CVE-2025-10828 | VDB-325185 | SourceCodester Pet Grooming Management Software edit.php sql injection VDB-325185 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #655902 | SourceCodester Pet Grooming Management Software 1.0 SQL Injection https://github.com/para-paradise/webray.com.cn/blob/main/Pet%20Grooming%20Management/SourceCodester%20Pet%20Grooming%20Management%20Software%20edit.php%20sql%20injection%20Vulnerability.md https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. This impacts an unknown function of the file /admin/view_payorder.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-09-23 | 6.3 | CVE-2025-10835 | VDB-325192 | SourceCodester Pet Grooming Management Software view_payorder.php sql injection VDB-325192 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #656865 | SourceCodester Pet grooming management 1.0 SQL Injection https://github.com/xiaoliyu-1/Pet-grooming-management-view_payorder.php-v.1.0-sql-injection/blob/main/report.md https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. The impacted element is an unknown function of the file /admin/inv-print.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-23 | 6.3 | CVE-2025-10839 | VDB-325201 | SourceCodester Pet Grooming Management Software inv-print.php sql injection VDB-325201 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657156 | SourceCodester Pet Grooming Management Software 1.0 SQL Injection https://github.com/para-paradise/webray.com.cn/blob/main/Pet%20Grooming%20Management/SourceCodester%20Pet%20Grooming%20Management%20Software%20inv-print.php%20sql%20injection%20Vulnerability.md https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. This affects an unknown function of the file /admin/print-payment.php. This manipulation of the argument sql111 causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-23 | 6.3 | CVE-2025-10840 | VDB-325202 | SourceCodester Pet Grooming Management Software print-payment.php sql injection VDB-325202 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657158 | SourceCodester Pet grooming management 1.0 SQL Injection https://github.com/xiaoliyu-1/Pet-grooming-management-print-payment.php-v.1.0-Unauthorized-sql-injection/blob/main/report.md https://www.sourcecodester.com/ |
| Portabilis--i-Educar | A vulnerability has been found in Portabilis i-Educar up to 2.10. Affected by this issue is some unknown functionality of the file /module/Cadastro/aluno. The manipulation of the argument is leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-09-23 | 6.3 | CVE-2025-10844 | VDB-325206 | Portabilis i-Educar aluno sql injection VDB-325206 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657687 | Portabilis i-Educar 2.10 SQL Injection https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/24.md https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/24.md#poc |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/ComponenteCurricular/view. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-09-23 | 6.3 | CVE-2025-10845 | VDB-325207 | Portabilis i-Educar view sql injection VDB-325207 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657688 | Portabilis i-Educar 2.10 SQL Injection https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/26.md https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/26.md#poc |
| Portabilis--i-Educar | A vulnerability was determined in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /module/ComponenteCurricular/edit. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-23 | 6.3 | CVE-2025-10846 | VDB-325208 | Portabilis i-Educar edit sql injection VDB-325208 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657691 | Portabilis i-Educar 2.10 SQL Injection https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/27.md https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/27.md#poc |
| Campcodes--Society Membership Information System | A vulnerability was identified in Campcodes Society Membership Information System 1.0. This issue affects some unknown processing of the file /check_student.php. Such manipulation of the argument student_id leads to sql injection. The attack may be performed remotely. The exploit is publicly available and might be used. | 2025-09-23 | 6.3 | CVE-2025-10848 | VDB-325209 | Campcodes Society Membership Information System check_student.php sql injection VDB-325209 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #657937 | https://www.campcodes.com society-membership-information-system-using-php-mysqli-source-code 1.0 SQL Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/mri9nrk1lh7ev7r6?singleDoc https://www.campcodes.com/ |
| geyang--ml-logger | A vulnerability was determined in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected is the function log_handler of the file ml_logger/server.py of the component Ping Handler. This manipulation of the argument data causes deserialization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. | 2025-09-25 | 6.3 | CVE-2025-10950 | VDB-325820 | geyang ml-logger Ping server.py log_handler deserialization VDB-325820 | CTI Indicators (IOB, IOC, IOA) Submit #652461 | geyang ml-logger latest Code Injection https://github.com/geyang/ml-logger/issues/72 |
| Wavlink--NU516U1 | A flaw has been found in Wavlink NU516U1 M16U1_V240425. Impacted is the function sub_403010 of the file /cgi-bin/wireless.cgi of the component AddMac Page. This manipulation of the argument macAddr causes command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 6.3 | CVE-2025-10958 | VDB-325826 | Wavlink NU516U1 AddMac wireless.cgi sub_403010 command injection VDB-325826 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652768 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/AddMac.md https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/AddMac.md#poc |
| Wavlink--NU516U1 | A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. The affected element is the function sub_401778 of the file /cgi-bin/firewall.cgi. Such manipulation of the argument dmz_flag leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 6.3 | CVE-2025-10959 | VDB-325827 | Wavlink NU516U1 firewall.cgi sub_401778 command injection VDB-325827 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652769 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DMZ.md#poc |
| Wavlink--NU516U1 | A vulnerability was found in Wavlink NU516U1 M16U1_V240425. The impacted element is the function sub_402D1C of the file /cgi-bin/wireless.cgi of the component DeleteMac Page. Performing manipulation of the argument delete_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 6.3 | CVE-2025-10960 | VDB-325828 | Wavlink NU516U1 DeleteMac wireless.cgi sub_402D1C command injection VDB-325828 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652780 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DeleteMac.md https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/DeleteMac.md#poc |
| Wavlink--NU516U1 | A vulnerability was identified in Wavlink NU516U1 M16U1_V240425. This impacts the function sub_403198 of the file /cgi-bin/wireless.cgi of the component SetName Page. The manipulation of the argument mac_5g leads to command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 6.3 | CVE-2025-10962 | VDB-325830 | Wavlink NU516U1 SetName wireless.cgi sub_403198 command injection VDB-325830 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652782 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/SetName.md https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/SetName.md#poc |
| Wavlink--NU516U1 | A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. Affected is the function sub_4016F0 of the file /cgi-bin/firewall.cgi. The manipulation of the argument del_flag results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 6.3 | CVE-2025-10963 | VDB-325831 | Wavlink NU516U1 firewall.cgi sub_4016F0 command injection VDB-325831 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652784 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/singlePortForwardDelete.md https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/singlePortForwardDelete.md#poc |
| Wavlink--NU516U1 | A weakness has been identified in Wavlink NU516U1. Affected by this vulnerability is the function sub_401B30 of the file /cgi-bin/firewall.cgi. This manipulation of the argument remoteManagementEnabled causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 6.3 | CVE-2025-10964 | VDB-325832 | Wavlink NU516U1 firewall.cgi sub_401B30 command injection VDB-325832 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652785 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/websSysFirewall.md https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/websSysFirewall.md#poc |
| LazyAGI--LazyLLM | A security vulnerability has been detected in LazyAGI LazyLLM up to 0.6.1. Affected by this issue is the function lazyllm_call of the file lazyllm/components/deploy/relay/server.py. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-09-25 | 6.3 | CVE-2025-10965 | VDB-325833 | LazyAGI LazyLLM server.py lazyllm_call deserialization VDB-325833 | CTI Indicators (IOB, IOC, IOA) Submit #652936 | LazyAGI LazyLLM latest Remote Code Execution https://github.com/LazyAGI/LazyLLM/issues/764 |
| giantspatula--SewKinect | A vulnerability has been found in giantspatula SewKinect up to 7fd963ceb3385af3706af02b8a128a13399dffb1. This affects the function pickle.loads of the file /calculate of the component Endpoint. Such manipulation of the argument body_parts/point_cloud leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2025-09-25 | 6.3 | CVE-2025-10974 | VDB-325845 | giantspatula SewKinect Endpoint calculate pickle.loads deserialization VDB-325845 | CTI Indicators (IOB, IOC, IOA) Submit #653270 | SewKinect latest OS Command Injection https://github.com/giantspatula/SewKinect/issues/3 https://github.com/giantspatula/SewKinect/issues/3#issue-3408883003 |
| GuanxingLu--vlarl | A vulnerability was found in GuanxingLu vlarl up to 31abc0baf53ef8f5db666a1c882e1ea64def2997. This vulnerability affects the function experiments.robot.bridge.reasoning_server::run_reasoning_server of the file experiments/robot/bridge/reasoning_server.py of the component ZeroMQ. Performing manipulation of the argument Message results in deserialization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2025-09-25 | 6.3 | CVE-2025-10975 | VDB-325846 | GuanxingLu vlarl ZeroMQ reasoning_server.py run_reasoning_server deserialization VDB-325846 | CTI Indicators (IOB, IOC, IOA) Submit #653279 | vlarl latest Insecure Deserialization(leads to Remote Code Execution) https://github.com/GuanxingLu/vlarl/issues/18 https://github.com/GuanxingLu/vlarl/issues/18#issue-3408978610 |
| YunaiV--yudao-cloud | A vulnerability was determined in YunaiV yudao-cloud up to 2025.09. Affected by this issue is some unknown functionality of the file /crm/contact/transfer of the component HTTP Request Handler. This manipulation of the argument contactId causes improper authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-26 | 6.3 | CVE-2025-10987 | VDB-325910 | YunaiV yudao-cloud HTTP Request transfer improper authorization VDB-325910 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653735 | YunaiV yudao-cloud latest broken function level authorization https://www.cnblogs.com/aibot/p/19063573 |
| YunaiV--ruoyi-vue-pro | A vulnerability was identified in YunaiV ruoyi-vue-pro up to 2025.09. This affects an unknown part of the file /crm/business/transfer. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-26 | 6.3 | CVE-2025-10988 | VDB-325911 | YunaiV ruoyi-vue-pro transfer improper authorization VDB-325911 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653736 | YunaiV ruoyi-vue-pro latest broken function level authorization https://www.cnblogs.com/aibot/p/19063563 |
| yangzongzhuan--RuoYi | A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This vulnerability affects unknown code of the file /system/role/authUser/selectAll. Performing manipulation of the argument userIds results in improper authorization. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-26 | 6.3 | CVE-2025-10989 | VDB-325912 | yangzongzhuan RuoYi selectAll improper authorization VDB-325912 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653737 | yangzongzhuan RuoYi latest broken function level authorization https://www.cnblogs.com/aibot/p/19063507 |
| Jinher--OA | A vulnerability was determined in Jinher OA 2.0. The impacted element is an unknown function of the file /c6/Jhsoft.Web.module/ToolBar/ManageWord.aspx/?text=GetUrl&style=1. This manipulation causes xml external entity reference. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-26 | 6.3 | CVE-2025-11035 | VDB-325982 | Jinher OA text xml external entity reference VDB-325982 | CTI Indicators (IOB, IOC, IOA) Submit #658253 | Jinher OA V2.0 XML External Entity Reference https://github.com/frwfxc123/CVE/issues/1 |
| itsourcecode--Online Clinic Management System | A weakness has been identified in itsourcecode Online Clinic Management System 1.0. Affected is an unknown function of the file /details.php?action=post. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-09-26 | 6.3 | CVE-2025-11038 | VDB-325985 | itsourcecode Online Clinic Management System details.php sql injection VDB-325985 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #658345 | itsourcecode Online Clinic Management System 1.0 SQL Injection https://www.notion.so/inmog/Online-Clinic-Management-System-1-0-Union-Based-SQL-Injection-in-details-php-2727752d1edd8094be5ada02acf49175 https://itsourcecode.com/ |
| itsourcecode--Open Source Job Portal | A vulnerability has been found in itsourcecode Open Source Job Portal 1.0. Affected by this issue is some unknown functionality of the file /admin/user/index.php?view=edit. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-09-26 | 6.3 | CVE-2025-11041 | VDB-325998 | itsourcecode Open Source Job Portal index.php sql injection VDB-325998 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #658746 | Open Source Job Portal V1.0 SQL Injection https://github.com/iflame28/CVE/issues/2 https://itsourcecode.com/ |
| Portabilis--i-Educar | A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file /module/Api/aluno. This manipulation of the argument aluno_id causes improper authorization. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-26 | 6.3 | CVE-2025-11047 | VDB-326084 | Portabilis i-Educar aluno improper authorization VDB-326084 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659201 | Portabilis i-educar 2.10 Broken Object Level Authorization https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11047.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken_Object_Level_Authorization_allows_enumeration_of_student_records_via_.module.Api.aluno.md |
| Portabilis--i-Educar | A security vulnerability has been detected in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /consulta-dispensas. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-09-26 | 6.3 | CVE-2025-11048 | VDB-326085 | Portabilis i-Educar consulta-dispensas improper authorization VDB-326085 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659202 | Portabilis i-educar 2.10 Broken Access Control https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11048.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Access%20Control%20%20in%20%60.consulta-dispensas%60%20Endpoint.md |
| Portabilis--i-Educar | A vulnerability was detected in Portabilis i-Educar up to 2.10. Affected by this issue is some unknown functionality of the file /unificacao-aluno. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-09-27 | 6.3 | CVE-2025-11049 | VDB-326086 | Portabilis i-Educar unificacao-aluno improper authorization VDB-326086 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659203 | Portabilis i-educar 2.10 Broken Access Control https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11049.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Access%20Control%20%20in%20%60.unificacao-aluno%60%20Endpoint.md |
| Portabilis--i-Educar | A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /periodo-lancamento. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been published and may be used. | 2025-09-27 | 6.3 | CVE-2025-11050 | VDB-326087 | Portabilis i-Educar periodo-lancamento improper authorization VDB-326087 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659214 | Portabilis i-educar 2.10 Broken Access Control https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11050.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Access%20Control%20%20in%20%60.periodo-lancamento%60%20Endpoint.md |
| itsourcecode--Open Source Job Portal | A security vulnerability has been detected in itsourcecode Open Source Job Portal 1.0. This impacts an unknown function of the file /jobportal/admin/category/index.php?view=edit. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-09-27 | 6.3 | CVE-2025-11054 | VDB-326094 | itsourcecode Open Source Job Portal index.php sql injection VDB-326094 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659440 | itsourcecode Open Source Job Portal V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/34 https://itsourcecode.com/ |
| ProjectsAndPrograms--School Management System | A flaw has been found in ProjectsAndPrograms School Management System 1.0. Affected by this vulnerability is an unknown functionality of the file owner_panel/fetch-data/select-students.php. This manipulation of the argument select causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2025-09-27 | 6.3 | CVE-2025-11056 | VDB-326096 | ProjectsAndPrograms School Management System select-students.php sql injection VDB-326096 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659463 | ProjectsAndPrograms school-management-system V1.0 SQL Injection https://gold-textbook-8ff.notion.site/school-management-system-student_panel-Owner-end-select-students-php-delay-SQL-injection-27485e97f35380a1b482c8e079cd6503 |
| itsourcecode--Open Source Job Portal | A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/user/controller.php?action=photos. The manipulation of the argument photo leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-09-27 | 6.3 | CVE-2025-11078 | VDB-326118 | itsourcecode Open Source Job Portal controller.php unrestricted upload VDB-326118 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #660919 | Itsourcecode Open Source Job Portal V1.0 File upload https://github.com/fengbenjianmo/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--Open Source Job Portal | A weakness has been identified in itsourcecode Open Source Job Portal 1.0. Impacted is an unknown function of the file /admin/vacancy/index.php?view=edit. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-09-27 | 6.3 | CVE-2025-11088 | VDB-326156 | itsourcecode Open Source Job Portal index.php sql injection VDB-326156 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #659763 | itsourcecode Open Source Job V1.0 sql https://github.com/yihaofuweng/cve/issues/35 https://itsourcecode.com/ |
| itsourcecode--Open Source Job Portal | A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. Affected is an unknown function of the file /admin/employee/index.php?view=edit. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-09-28 | 6.3 | CVE-2025-11090 | VDB-326172 | itsourcecode Open Source Job Portal index.php sql injection VDB-326172 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661761 | itsourcecode Open Source Job Portal V1.0 SQL Injection Submit #662325 | itsourcecode Open Source Job Portal V1.0 SQL Injection (Duplicate) https://github.com/friendddy/cve/issues/1 https://itsourcecode.com/ |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_switch_settings. This manipulation of the argument port causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-28 | 6.3 | CVE-2025-11092 | VDB-326174 | D-Link DIR-823X set_switch_settings sub_412E7C command injection VDB-326174 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661809 | D-Link DIR-823X V250416 Remote Code Execution https://github.com/maximdevere/CVE2/issues/4 https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was detected in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/delete_offline_device. Performing manipulation of the argument delvalue results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-09-28 | 6.3 | CVE-2025-11095 | VDB-326176 | D-Link DIR-823X delete_offline_device command injection VDB-326176 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661911 | D-Link DIR-823X 250416 Command Injection https://github.com/n1ptune/dink/blob/main/delete_offline_device.md https://www.dlink.com/ |
| D-Link--DIR-823X | A flaw has been found in D-Link DIR-823X 250416. This issue affects some unknown processing of the file /goform/diag_traceroute. Executing manipulation of the argument target_addr can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-09-28 | 6.3 | CVE-2025-11096 | VDB-326177 | D-Link DIR-823X diag_traceroute command injection VDB-326177 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661912 | D-Link DIR-823X 250416 Command Injection https://github.com/n1ptune/dink/blob/main/diag_traceroute.md https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability has been found in D-Link DIR-823X 250416. Impacted is an unknown function of the file /goform/set_device_name. The manipulation of the argument mac leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-09-28 | 6.3 | CVE-2025-11097 | VDB-326178 | D-Link DIR-823X set_device_name command injection VDB-326178 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661913 | D-Link DIR-823X 250416 Command Injection https://github.com/n1ptune/dink/blob/main/set_device_name.md https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was found in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_wifi_blacklists. The manipulation of the argument macList results in command injection. The attack may be performed remotely. The exploit has been made public and could be used. | 2025-09-28 | 6.3 | CVE-2025-11098 | VDB-326179 | D-Link DIR-823X set_wifi_blacklists command injection VDB-326179 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661915 | D-Link DIR-823X 250416 Command Injection https://github.com/n1ptune/dink/blob/main/set_wifi_blacklists.md https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was determined in D-Link DIR-823X 250416. The impacted element is the function uci_del of the file /goform/delete_prohibiting. This manipulation of the argument delvalue causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-28 | 6.3 | CVE-2025-11099 | VDB-326180 | D-Link DIR-823X delete_prohibiting uci_del command injection VDB-326180 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661916 | D-Link DIR-823X 250416 Command Injection https://github.com/n1ptune/dink/blob/main/uci_del_in_delete_prohibiting.md https://www.dlink.com/ |
| D-Link--DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. This affects the function uci_set of the file /goform/set_wifi_blacklists. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-09-28 | 6.3 | CVE-2025-11100 | VDB-326181 | D-Link DIR-823X set_wifi_blacklists uci_set command injection VDB-326181 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #661917 | D-Link DIR-823X 250416 Command Injection https://github.com/n1ptune/dink/blob/main/uci_set.md https://www.dlink.com/ |
| CodeAstro--Electricity Billing System | A vulnerability was detected in CodeAstro Electricity Billing System 1.0. Affected by this issue is some unknown functionality of the file /admin/bill.php. The manipulation of the argument uid results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2025-09-28 | 6.3 | CVE-2025-11104 | VDB-326185 | CodeAstro Electricity Billing System bill.php sql injection VDB-326185 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #662441 | codeastro Electricity Billing System V1.0 SQL Injection https://github.com/WANGshuyan2025/cve/issues/1 https://codeastro.com/ |
| CodeAstro--Online Leave Application | A vulnerability was detected in CodeAstro Online Leave Application 1.0. Affected is an unknown function of the file /signup.php. Performing manipulation of the argument city results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. Other parameters might be affected as well. | 2025-09-28 | 6.3 | CVE-2025-11113 | VDB-326194 | CodeAstro Online Leave Application signup.php sql injection VDB-326194 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #662695 | codeastro Online Leave Application V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/39 https://codeastro.com/ |
| CodeAstro--Online Leave Application | A flaw has been found in CodeAstro Online Leave Application 1.0. Affected by this vulnerability is an unknown functionality of the file /leaveAplicationForm.php. Executing manipulation of the argument absence[] can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-09-28 | 6.3 | CVE-2025-11114 | VDB-326195 | CodeAstro Online Leave Application leaveAplicationForm.php sql injection VDB-326195 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #662699 | codeastro Online Leave Application V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/40 https://codeastro.com/ |
| Tenda--AC18 | A security vulnerability has been detected in Tenda AC18 15.03.05.19. The impacted element is an unknown function of the file /goform/AdvSetLanip. The manipulation of the argument lanIp leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-09-28 | 6.3 | CVE-2025-11121 | VDB-326202 | Tenda AC18 AdvSetLanip command injection VDB-326202 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #664191 | Tenda AC18 V15.03.05.19(6318) Command Injection https://github.com/noahze01/IoT-vulnerable/blob/main/Tenda/AC18/AdvSetLanip.md https://www.tenda.com.cn/ |
| WSO2--WSO2 Enterprise Integrator | An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data. | 2025-09-26 | 6.7 | CVE-2025-1862 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3992/ |
| Cisco--IOS | A vulnerability in the CLI of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a buffer overflow. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the CLI prompt. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. | 2025-09-24 | 6.5 | CVE-2025-20149 | cisco-sa-ios-cli-EB7cZ6yO |
| Cisco--Cisco IOS XE Software | A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute a reflected XSS attack and steal user cookies from the affected device. | 2025-09-24 | 6.1 | CVE-2025-20240 | cisco-sa-webui-xss-VWyDgjOU |
| Cisco--Cisco IOS XE Software | Multiple vulnerabilities in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute persistent code at boot time and break the chain of trust. These vulnerabilities are due to path traversal and improper image integrity validation. A successful exploit could allow the attacker to execute persistent code on the underlying operating system. Because this allows the attacker to bypass a major security feature of the device, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High. For more information about these vulnerabilities, see the Details section of this advisory. | 2025-09-24 | 6.7 | CVE-2025-20313 | cisco-sa-secboot-UqFD8AvC |
| Cisco--Cisco IOS XE Software | A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute persistent code at boot time and break the chain of trust. This vulnerability is due to improper validation of software packages. An attacker could exploit this vulnerability by placing a crafted file into a specific location on an affected device. A successful exploit could allow the attacker to execute persistent code on the underlying operating system. Because this vulnerability allows an attacker to bypass a major security feature of a device, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High. | 2025-09-24 | 6.7 | CVE-2025-20314 | cisco-sa-secboot-UqFD8AvC |
| Cisco--Cisco IOS XE Software | A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker with administrative privileges to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker could exploit this vulnerability by logging in to the device CLI with valid administrative (level 15) credentials and using crafted commands at the CLI prompt. A successful exploit could allow the attacker to execute arbitrary commands as root. | 2025-09-24 | 6 | CVE-2025-20338 | cisco-sa-iosxe-arg-inject-EyDDbh4e |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication. | 2025-09-25 | 6.5 | CVE-2025-20362 | cisco-sa-asaftd-webvpn-YROOTUW |
| Samsung Mobile--Retail Mode | Improper input validation in Retail Mode prior to version 5.59.4 allows self attackers to execute privileged commands on their own devices. | 2025-09-25 | 6.6 | CVE-2025-21056 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=08 |
| themeplugs--Authorsy | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeplugs Authorsy allows Stored XSS. This issue affects Authorsy: from n/a through 1.0.5. | 2025-09-26 | 6.5 | CVE-2025-27006 | https://patchstack.com/database/wordpress/plugin/authorsy/vulnerability/wordpress-authorsy-plugin-1-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Qualcomm, Inc.--Snapdragon | Information disclosure while invoking calibration data from user space to update firmware size. | 2025-09-24 | 6.1 | CVE-2025-27030 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information disclosure while running video use case having rogue firmware. | 2025-09-24 | 6.1 | CVE-2025-27033 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information disclosure when Video engine escape input data is less than expected minimum size. | 2025-09-24 | 6.1 | CVE-2025-27036 | https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html |
| IBM--Storage TS4500 Library | IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-09-27 | 6.1 | CVE-2025-36239 | https://www.ibm.com/support/pages/node/7246246 |
| Dell--Cloud Disaster Recovery | Dell Cloud Disaster Recovery, version(s) prior to 19.20, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges. | 2025-09-25 | 6.7 | CVE-2025-43943 | https://www.dell.com/support/kbdoc/en-us/000372457/dsa-2025-354-security-update-for-dell-cloud-disaster-recovery-rce-vulnerability |
| Acclectic Media--Acclectic Media Organizer | Missing Authorization vulnerability in Acclectic Media Acclectic Media Organizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acclectic Media Organizer: from n/a through 1.4. | 2025-09-26 | 6.5 | CVE-2025-48326 | https://patchstack.com/database/wordpress/plugin/acclectic-media-organizer/vulnerability/wordpress-acclectic-media-organizer-plugin-1-4-broken-access-control-vulnerability?_s_id=cve |
| Rustaurius--Ultimate WP Mail | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate WP Mail allows Stored XSS. This issue affects Ultimate WP Mail: from n/a through 1.3.8. | 2025-09-22 | 6.5 | CVE-2025-53454 | https://patchstack.com/database/wordpress/plugin/ultimate-wp-mail/vulnerability/wordpress-ultimate-wp-mail-plugin-1-3-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| HT Plugins--HT Mega Absolute Addons for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega - Absolute Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects HT Mega - Absolute Addons for WPBakery Page Builder: from n/a through 1.0.9. | 2025-09-22 | 6.5 | CVE-2025-53463 | https://patchstack.com/database/wordpress/plugin/ht-mega-for-wpbakery/vulnerability/wordpress-ht-mega-absolute-addons-for-wpbakery-page-builder-plugin-1-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| DELUCKS--DELUCKS SEO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DELUCKS DELUCKS SEO allows Stored XSS. This issue affects DELUCKS SEO: from n/a through 2.7.0. | 2025-09-22 | 6.5 | CVE-2025-53570 | https://patchstack.com/database/wordpress/plugin/delucks-seo/vulnerability/wordpress-delucks-seo-plugin-2-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LizardByte--Sunshine | Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222. | 2025-09-23 | 6.7 | CVE-2025-54081 | https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824 https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222 |
| AutomationDirect--CLICK PLUS C0-0x CPU firmware | An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and modify PLC variables beyond their intended authorization level. | 2025-09-23 | 6.8 | CVE-2025-55038 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 https://www.automationdirect.com/support/software-downloads |
| WSO2--WSO2 API Manager | An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server. Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users. | 2025-09-23 | 6.7 | CVE-2025-5717 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4119/ |
| Jose Vega--WP Frontend Admin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jose Vega WP Frontend Admin allows Stored XSS. This issue affects WP Frontend Admin: from n/a through 1.22.6. | 2025-09-22 | 6.5 | CVE-2025-57898 | https://patchstack.com/database/wordpress/plugin/display-admin-page-on-frontend/vulnerability/wordpress-wp-frontend-admin-plugin-1-22-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ataur R--GutenKit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.4.2. | 2025-09-22 | 6.5 | CVE-2025-57900 | https://patchstack.com/database/wordpress/plugin/gutenkit-blocks-addon/vulnerability/wordpress-gutenkit-plugin-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| DAEXT--Import Markdown | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DAEXT Import Markdown allows Stored XSS. This issue affects Import Markdown: from n/a through 1.14. | 2025-09-22 | 6.5 | CVE-2025-57901 | https://patchstack.com/database/wordpress/plugin/import-markdown/vulnerability/wordpress-import-markdown-plugin-1-14-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Md Taufiqur Rahman--RIS Version Switcher – Downgrade or Upgrade WP Versions Easily | Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher – Downgrade or Upgrade WP Versions Easily allows Cross Site Request Forgery. This issue affects RIS Version Switcher – Downgrade or Upgrade WP Versions Easily: from n/a through 1.0. | 2025-09-22 | 6.5 | CVE-2025-57902 | https://patchstack.com/database/wordpress/plugin/ris-version-switcher/vulnerability/wordpress-ris-version-switcher-downgrade-or-upgrade-wp-versions-easily-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Rouergue Création--Editor Custom Color Palette | Missing Authorization vulnerability in Rouergue Création Editor Custom Color Palette allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Custom Color Palette: from n/a through 3.4.8. | 2025-09-22 | 6.5 | CVE-2025-57909 | https://patchstack.com/database/wordpress/plugin/editor-custom-color-palette/vulnerability/wordpress-editor-custom-color-palette-plugin-3-4-8-broken-access-control-vulnerability?_s_id=cve |
| AnyClip Video Platform--AnyClip Luminous Studio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3. | 2025-09-22 | 6.5 | CVE-2025-57910 | https://patchstack.com/database/wordpress/plugin/anyclip-media/vulnerability/wordpress-anyclip-luminous-studio-plugin-1-3-3-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| WPFactory--Adverts | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Adverts allows DOM-Based XSS. This issue affects Adverts: from n/a through 1.4. | 2025-09-22 | 6.5 | CVE-2025-57911 | https://patchstack.com/database/wordpress/plugin/adverts-click-tracker/vulnerability/wordpress-adverts-plugin-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| eleopard--Behance Portfolio Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eleopard Behance Portfolio Manager allows Stored XSS. This issue affects Behance Portfolio Manager: from n/a through 1.7.4. | 2025-09-22 | 6.5 | CVE-2025-57913 | https://patchstack.com/database/wordpress/plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill--Passster | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Passster allows Stored XSS. This issue affects Passster: from n/a through 4.2.18. | 2025-09-22 | 6.5 | CVE-2025-57926 | https://patchstack.com/database/wordpress/plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Diego Pereira--PowerFolio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Diego Pereira PowerFolio allows Stored XSS. This issue affects PowerFolio: from n/a through 3.2.1. | 2025-09-22 | 6.5 | CVE-2025-57932 | https://patchstack.com/database/wordpress/plugin/portfolio-elementor/vulnerability/wordpress-powerfolio-plugin-3-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| themewant--Easy Hotel Booking | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themewant Easy Hotel Booking allows DOM-Based XSS. This issue affects Easy Hotel Booking: from n/a through 1.6.9. | 2025-09-22 | 6.5 | CVE-2025-57938 | https://patchstack.com/database/wordpress/plugin/easy-hotel/vulnerability/wordpress-easy-hotel-booking-plugin-1-6-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ays Pro--Photo Gallery by Ays | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Photo Gallery by Ays allows DOM-Based XSS. This issue affects Photo Gallery by Ays: from n/a through 6.3.6. | 2025-09-22 | 6.5 | CVE-2025-57947 | https://patchstack.com/database/wordpress/plugin/gallery-photo-gallery/vulnerability/wordpress-photo-gallery-by-ays-plugin-6-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e-plugins--Directory Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro allows DOM-Based XSS. This issue affects Directory Pro: from n/a through 2.5.5. | 2025-09-22 | 6.5 | CVE-2025-57948 | https://patchstack.com/database/wordpress/plugin/directory-pro/vulnerability/wordpress-directory-pro-plugin-2-5-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| 100plugins--Open User Map | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 100plugins Open User Map allows DOM-Based XSS. This issue affects Open User Map: from n/a through 1.4.14. | 2025-09-22 | 6.5 | CVE-2025-57953 | https://patchstack.com/database/wordpress/plugin/open-user-map/vulnerability/wordpress-open-user-map-plugin-1-4-14-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ays Pro--Poll Maker | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Poll Maker allows DOM-Based XSS. This issue affects Poll Maker: from n/a through 6.0.1. | 2025-09-22 | 6.5 | CVE-2025-57954 | https://patchstack.com/database/wordpress/plugin/poll-maker/vulnerability/wordpress-poll-maker-plugin-6-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Plugin Devs--Post Carousel Slider for Elementor | Missing Authorization vulnerability in Plugin Devs Post Carousel Slider for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Carousel Slider for Elementor: from n/a through 1.7.0. | 2025-09-22 | 6.5 | CVE-2025-57955 | https://patchstack.com/database/wordpress/plugin/post-carousel-slider-for-elementor/vulnerability/wordpress-post-carousel-slider-for-elementor-plugin-1-7-0-broken-access-control-vulnerability?_s_id=cve |
| Zoho Subscriptions--Zoho Billing | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing allows DOM-Based XSS. This issue affects Zoho Billing: from n/a through 4.1. | 2025-09-22 | 6.5 | CVE-2025-57963 | https://patchstack.com/database/wordpress/plugin/zoho-subscriptions/vulnerability/wordpress-zoho-billing-plugin-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| photonicgnostic--Library Bookshelves | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in photonicgnostic Library Bookshelves allows Stored XSS. This issue affects Library Bookshelves: from n/a through 5.11. | 2025-09-22 | 6.5 | CVE-2025-57964 | https://patchstack.com/database/wordpress/plugin/library-bookshelves/vulnerability/wordpress-library-bookshelves-plugin-5-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP CodeUs--WP Proposals | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals allows Stored XSS. This issue affects WP Proposals: from n/a through 2.3. | 2025-09-22 | 6.5 | CVE-2025-57965 | https://patchstack.com/database/wordpress/plugin/wp-proposals/vulnerability/wordpress-wp-proposals-plugin-2-3-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| GhozyLab--Gallery Lightbox | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery Lightbox allows Stored XSS. This issue affects Gallery Lightbox: from n/a through 1.0.0.41. | 2025-09-22 | 6.5 | CVE-2025-57966 | https://patchstack.com/database/wordpress/plugin/gallery-lightbox-slider/vulnerability/wordpress-gallery-lightbox-plugin-1-0-0-41-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPBean--WPB Quick View for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Quick View for WooCommerce allows Stored XSS. This issue affects WPB Quick View for WooCommerce: from n/a through 2.1.8. | 2025-09-22 | 6.5 | CVE-2025-57967 | https://patchstack.com/database/wordpress/plugin/woocommerce-lightbox/vulnerability/wordpress-wpb-quick-view-for-woocommerce-plugin-2-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| catchsquare--WP Social Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.3.1. | 2025-09-22 | 6.5 | CVE-2025-57981 | https://patchstack.com/database/wordpress/plugin/wp-social-widget/vulnerability/wordpress-wp-social-widget-plugin-2-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Damian--BP Disable Activation Reloaded | Cross-Site Request Forgery (CSRF) vulnerability in Damian BP Disable Activation Reloaded allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects BP Disable Activation Reloaded: from n/a through 1.2.1. | 2025-09-22 | 6.5 | CVE-2025-57983 | https://patchstack.com/database/wordpress/plugin/bp-disable-activation-reloaded/vulnerability/wordpress-bp-disable-activation-reloaded-plugin-1-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| husani--WP Subtitle | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in husani WP Subtitle allows Stored XSS. This issue affects WP Subtitle: from n/a through 3.4.1. | 2025-09-22 | 6.5 | CVE-2025-57986 | https://patchstack.com/database/wordpress/plugin/wp-subtitle/vulnerability/wordpress-wp-subtitle-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Uncanny Owl--Uncanny Toolkit for LearnDash | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.0.7.3. | 2025-09-22 | 6.5 | CVE-2025-57988 | https://patchstack.com/database/wordpress/plugin/uncanny-learndash-toolkit/vulnerability/wordpress-uncanny-toolkit-for-learndash-plugin-3-0-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brajesh Singh--WordPress Widgets Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brajesh Singh WordPress Widgets Shortcode allows Stored XSS. This issue affects WordPress Widgets Shortcode: from n/a through 1.0.3. | 2025-09-22 | 6.5 | CVE-2025-57989 | https://patchstack.com/database/wordpress/plugin/wp-widgets-shortcode/vulnerability/wordpress-wordpress-widgets-shortcode-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Benjamin Pick--Geolocation IP Detection | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Pick Geolocation IP Detection allows Stored XSS. This issue affects Geolocation IP Detection: from n/a through 5.5.0. | 2025-09-22 | 6.5 | CVE-2025-57993 | https://patchstack.com/database/wordpress/plugin/geoip-detect/vulnerability/wordpress-geolocation-ip-detection-plugin-5-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| matthewordie--Buckets | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matthewordie Buckets allows Stored XSS. This issue affects Buckets: from n/a through 0.3.9. | 2025-09-22 | 6.5 | CVE-2025-57996 | https://patchstack.com/database/wordpress/plugin/buckets/vulnerability/wordpress-buckets-plugin-0-3-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpkoithemes--WPKoi Templates for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpkoithemes WPKoi Templates for Elementor allows DOM-Based XSS. This issue affects WPKoi Templates for Elementor: from n/a through 3.4.1. | 2025-09-22 | 6.5 | CVE-2025-57999 | https://patchstack.com/database/wordpress/plugin/wpkoi-templates-for-elementor/vulnerability/wordpress-wpkoi-templates-for-elementor-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Noumaan Yaqoob--Compact Archives | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noumaan Yaqoob Compact Archives allows Stored XSS. This issue affects Compact Archives: from n/a through 4.1.0. | 2025-09-22 | 6.5 | CVE-2025-58001 | https://patchstack.com/database/wordpress/plugin/compact-archives/vulnerability/wordpress-compact-archives-plugin-4-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Milan Petrovic--GD bbPress Tools | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD bbPress Tools allows DOM-Based XSS. This issue affects GD bbPress Tools: from n/a through 3.5.3. | 2025-09-22 | 6.5 | CVE-2025-58002 | https://patchstack.com/database/wordpress/plugin/gd-bbpress-tools/vulnerability/wordpress-gd-bbpress-tools-plugin-3-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| xnau webdesign--Participants Database | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xnau webdesign Participants Database allows Stored XSS. This issue affects Participants Database: from n/a through 2.7.6.3. | 2025-09-22 | 6.5 | CVE-2025-58008 | https://patchstack.com/database/wordpress/plugin/participants-database/vulnerability/wordpress-participants-database-plugin-2-7-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Alex--Content Mask | Server-Side Request Forgery (SSRF) vulnerability in Alex Content Mask allows Server Side Request Forgery. This issue affects Content Mask: from n/a through 1.8.5.2. | 2025-09-22 | 6.4 | CVE-2025-58011 | https://patchstack.com/database/wordpress/plugin/content-mask/vulnerability/wordpress-content-mask-plugin-1-8-5-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| bdthemes--Ultimate Store Kit Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Stored XSS. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.8.2. | 2025-09-22 | 6.5 | CVE-2025-58017 | https://patchstack.com/database/wordpress/plugin/ultimate-store-kit/vulnerability/wordpress-ultimate-store-kit-elementor-addons-plugin-2-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Richard Leishman--Mail Subscribe List | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Richard Leishman Mail Subscribe List allows Stored XSS. This issue affects Mail Subscribe List: from n/a through 2.1.10. | 2025-09-22 | 6.5 | CVE-2025-58018 | https://patchstack.com/database/wordpress/plugin/mail-subscribe-list/vulnerability/wordpress-mail-subscribe-list-plugin-2-1-10-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Search Atlas--Search Atlas SEO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Search Atlas Search Atlas SEO allows Stored XSS. This issue affects Search Atlas SEO: from n/a through 2.5.4. | 2025-09-22 | 6.5 | CVE-2025-58019 | https://patchstack.com/database/wordpress/plugin/metasync/vulnerability/wordpress-search-atlas-seo-plugin-2-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jeroen Schmit--Theater for WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress allows Stored XSS. This issue affects Theater for WordPress: from n/a through 0.18.8. | 2025-09-22 | 6.5 | CVE-2025-58020 | https://patchstack.com/database/wordpress/plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-18-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| douglaskarr--List Child Pages Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in douglaskarr List Child Pages Shortcode allows Stored XSS. This issue affects List Child Pages Shortcode: from n/a through 1.3.1. | 2025-09-22 | 6.5 | CVE-2025-58021 | https://patchstack.com/database/wordpress/plugin/list-child-pages-shortcode/vulnerability/wordpress-list-child-pages-shortcode-plugin-1-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| maxpagels--ShortCode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxpagels ShortCode allows Stored XSS. This issue affects ShortCode: from n/a through 0.8.1. | 2025-09-22 | 6.5 | CVE-2025-58022 | https://patchstack.com/database/wordpress/plugin/shortcode/vulnerability/wordpress-shortcode-plugin-0-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| akdevs--Genealogical Tree | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree allows Stored XSS. This issue affects Genealogical Tree: from n/a through 2.2.5. | 2025-09-22 | 6.5 | CVE-2025-58023 | https://patchstack.com/database/wordpress/plugin/genealogical-tree/vulnerability/wordpress-genealogical-tree-plugin-2-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| averta--Master Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider allows Stored XSS. This issue affects Master Slider: from n/a through 3.11.0. | 2025-09-22 | 6.5 | CVE-2025-58025 | https://patchstack.com/database/wordpress/plugin/master-slider/vulnerability/wordpress-master-slider-plugin-3-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| termageddon--Termageddon: Cookie Consent & Privacy Compliance | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in termageddon Termageddon: Cookie Consent & Privacy Compliance allows Stored XSS. This issue affects Termageddon: Cookie Consent & Privacy Compliance: from n/a through 1.8.1. | 2025-09-22 | 6.5 | CVE-2025-58026 | https://patchstack.com/database/wordpress/plugin/termageddon-usercentrics/vulnerability/wordpress-termageddon-cookie-consent-privacy-compliance-plugin-1-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpo-HR--NGG Smart Image Search | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through 3.4.3. | 2025-09-22 | 6.5 | CVE-2025-58027 | https://patchstack.com/database/wordpress/plugin/ngg-smart-image-search/vulnerability/wordpress-ngg-smart-image-search-plugin-3-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Aum Watcharapon--Designil PDPA Thailand | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aum Watcharapon Designil PDPA Thailand allows Stored XSS. This issue affects Designil PDPA Thailand: from n/a through 2.0. | 2025-09-22 | 6.5 | CVE-2025-58028 | https://patchstack.com/database/wordpress/plugin/pdpa-thailand/vulnerability/wordpress-designil-pdpa-thailand-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| webvitaly--Page-list | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Page-list allows Stored XSS. This issue affects Page-list: from n/a through 5.7. | 2025-09-22 | 6.5 | CVE-2025-58030 | https://patchstack.com/database/wordpress/plugin/page-list/vulnerability/wordpress-page-list-plugin-5-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Nextendweb--Nextend Facebook Connect | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nextendweb Nextend Facebook Connect allows Stored XSS. This issue affects Nextend Facebook Connect: from n/a through 3.1.19. | 2025-09-22 | 6.5 | CVE-2025-58031 | https://patchstack.com/database/wordpress/plugin/nextend-facebook-connect/vulnerability/wordpress-nextend-facebook-connect-plugin-3-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Techeshta--Card Elements for WPBakery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Techeshta Card Elements for WPBakery allows DOM-Based XSS. This issue affects Card Elements for WPBakery: from n/a through 1.0.8. | 2025-09-22 | 6.5 | CVE-2025-58220 | https://patchstack.com/database/wordpress/plugin/card-elements-for-wpbakery/vulnerability/wordpress-card-elements-for-wpbakery-plugin-1-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Alexander Lueken--Podlove Subscribe button | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Lueken Podlove Subscribe button allows Stored XSS. This issue affects Podlove Subscribe button: from n/a through 1.3.11. | 2025-09-22 | 6.5 | CVE-2025-58227 | https://patchstack.com/database/wordpress/plugin/podlove-subscribe-button/vulnerability/wordpress-podlove-subscribe-button-plugin-1-3-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ShapedPlugin LLC--Quick View for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC Quick View for WooCommerce allows Stored XSS. This issue affects Quick View for WooCommerce: from n/a through 2.2.16. | 2025-09-22 | 6.5 | CVE-2025-58228 | https://patchstack.com/database/wordpress/plugin/woo-quickview/vulnerability/wordpress-quick-view-for-woocommerce-plugin-2-2-16-cross-site-scripting-xss-vulnerability?_s_id=cve |
| webvitaly--Sitekit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 2.0. | 2025-09-22 | 6.5 | CVE-2025-58229 | https://patchstack.com/database/wordpress/plugin/sitekit/vulnerability/wordpress-sitekit-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bdthemes--ZoloBlocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bdthemes ZoloBlocks allows DOM-Based XSS. This issue affects ZoloBlocks: from n/a through 2.3.9. | 2025-09-22 | 6.5 | CVE-2025-58230 | https://patchstack.com/database/wordpress/plugin/zoloblocks/vulnerability/wordpress-zoloblocks-plugin-2-3-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bitlydeveloper--Bitly | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitlydeveloper Bitly allows Stored XSS. This issue affects Bitly: from n/a through 2.7.4. | 2025-09-22 | 6.5 | CVE-2025-58231 | https://patchstack.com/database/wordpress/plugin/wp-bitly/vulnerability/wordpress-bitly-plugin-2-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ickata--Image Editor by Pixo | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ickata Image Editor by Pixo allows DOM-Based XSS. This issue affects Image Editor by Pixo: from n/a through 2.3.8. | 2025-09-22 | 6.5 | CVE-2025-58232 | https://patchstack.com/database/wordpress/plugin/image-editor-by-pixo/vulnerability/wordpress-image-editor-by-pixo-plugin-2-3-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Guaven Labs--SQL Chart Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Guaven Labs SQL Chart Builder allows DOM-Based XSS. This issue affects SQL Chart Builder: from n/a through 2.3.7.2. | 2025-09-22 | 6.5 | CVE-2025-58233 | https://patchstack.com/database/wordpress/plugin/sql-chart-builder/vulnerability/wordpress-sql-chart-builder-plugin-2-3-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| JoomSky--JS Job Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomSky JS Job Manager allows Stored XSS. This issue affects JS Job Manager: from n/a through 2.0.2. | 2025-09-22 | 6.5 | CVE-2025-58234 | https://patchstack.com/database/wordpress/plugin/js-jobs/vulnerability/wordpress-js-job-manager-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Rustaurius--Front End Users | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users allows Stored XSS. This issue affects Front End Users: from n/a through 3.2.33. | 2025-09-22 | 6.5 | CVE-2025-58235 | https://patchstack.com/database/wordpress/plugin/front-end-only-users/vulnerability/wordpress-front-end-users-plugin-3-2-33-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Niaj Morshed--LC Wizard | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Niaj Morshed LC Wizard allows Stored XSS. This issue affects LC Wizard: from n/a through 1.3.0. | 2025-09-22 | 6.5 | CVE-2025-58237 | https://patchstack.com/database/wordpress/plugin/ghl-wizard/vulnerability/wordpress-lc-wizard-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ONTRAPORT--PilotPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ONTRAPORT PilotPress allows Stored XSS. This issue affects PilotPress: from n/a through 2.0.35. | 2025-09-22 | 6.5 | CVE-2025-58238 | https://patchstack.com/database/wordpress/plugin/pilotpress/vulnerability/wordpress-pilotpress-plugin-2-0-35-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Chandrika Sista--WP Category Dropdown | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandrika Sista WP Category Dropdown allows Stored XSS. This issue affects WP Category Dropdown: from n/a through 1.9. | 2025-09-22 | 6.5 | CVE-2025-58239 | https://patchstack.com/database/wordpress/plugin/wp-category-dropdown/vulnerability/wordpress-wp-category-dropdown-plugin-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Michel - xiligroup dev--xili-tidy-tags | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-tidy-tags allows Stored XSS. This issue affects xili-tidy-tags: from n/a through 1.12.06. | 2025-09-22 | 6.5 | CVE-2025-58240 | https://patchstack.com/database/wordpress/plugin/xili-tidy-tags/vulnerability/wordpress-xili-tidy-tags-plugin-1-12-06-cross-site-scripting-xss-vulnerability?_s_id=cve |
| snapwidget--SnapWidget Social Photo Feed Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snapwidget SnapWidget Social Photo Feed Widget allows DOM-Based XSS. This issue affects SnapWidget Social Photo Feed Widget: from n/a through 1.1.0. | 2025-09-22 | 6.5 | CVE-2025-58241 | https://patchstack.com/database/wordpress/plugin/snapwidget-wp-instagram-widget/vulnerability/wordpress-snapwidget-social-photo-feed-widget-plugin-1-1-0-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| Vadim Bogaiskov--Bg Church Memos | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vadim Bogaiskov Bg Church Memos allows DOM-Based XSS. This issue affects Bg Church Memos: from n/a through 1.1. | 2025-09-22 | 6.5 | CVE-2025-58242 | https://patchstack.com/database/wordpress/plugin/bg-church-memos/vulnerability/wordpress-bg-church-memos-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| codefish--Pinterest Pinboard Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codefish Pinterest Pinboard Widget allows Stored XSS. This issue affects Pinterest Pinboard Widget: from n/a through 1.0.7. | 2025-09-22 | 6.5 | CVE-2025-58248 | https://patchstack.com/database/wordpress/plugin/pinterest-pinboard-widget/vulnerability/wordpress-pinterest-pinboard-widget-plugin-1-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Rameez Iqbal--Real Estate Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rameez Iqbal Real Estate Manager allows DOM-Based XSS. This issue affects Real Estate Manager: from n/a through 7.3. | 2025-09-22 | 6.5 | CVE-2025-58253 | https://patchstack.com/database/wordpress/plugin/real-estate-manager/vulnerability/wordpress-real-estate-manager-plugin-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| dtbaker--StylePress for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dtbaker StylePress for Elementor allows Stored XSS. This issue affects StylePress for Elementor: from n/a through 1.2.1. | 2025-09-22 | 6.5 | CVE-2025-58254 | https://patchstack.com/database/wordpress/plugin/full-site-builder-for-elementor/vulnerability/wordpress-stylepress-for-elementor-plugin-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Picture-Planet GmbH--Verowa Connect | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Picture-Planet GmbH Verowa Connect allows Stored XSS. This issue affects Verowa Connect: from n/a through 3.2.3. | 2025-09-22 | 6.5 | CVE-2025-58257 | https://patchstack.com/database/wordpress/plugin/verowa-connect/vulnerability/wordpress-verowa-connect-plugin-3-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ronald Huereca--Highlight and Share Social Text and Image Sharing | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Highlight and Share - Social Text and Image Sharing allows Stored XSS. This issue affects Highlight and Share - Social Text and Image Sharing: from n/a through 5.1.1. | 2025-09-22 | 6.5 | CVE-2025-58260 | https://patchstack.com/database/wordpress/plugin/highlight-and-share/vulnerability/wordpress-highlight-and-share-social-text-and-image-sharing-plugin-5-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| BuddyDev--BuddyPress Notification Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Notification Widget allows Stored XSS. This issue affects BuddyPress Notification Widget: from n/a through 1.3.3. | 2025-09-22 | 6.5 | CVE-2025-58263 | https://patchstack.com/database/wordpress/plugin/buddypress-notifications-widget/vulnerability/wordpress-buddypress-notification-widget-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| artbees--JupiterX Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artbees JupiterX Core allows Stored XSS. This issue affects JupiterX Core: from n/a through 4.10.1. | 2025-09-22 | 6.5 | CVE-2025-58264 | https://patchstack.com/database/wordpress/plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-10-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Stonehenge Creations--Events Manager – OpenStreetMaps | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stonehenge Creations Events Manager – OpenStreetMaps allows Stored XSS. This issue affects Events Manager – OpenStreetMaps: from n/a through 4.2.1. | 2025-09-22 | 6.5 | CVE-2025-58265 | https://patchstack.com/database/wordpress/plugin/stonehenge-em-osm/vulnerability/wordpress-events-manager-openstreetmaps-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Nicu Micle--Simple JWT Login | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login allows Stored XSS. This issue affects Simple JWT Login: from n/a through 3.6.4. | 2025-09-22 | 6.5 | CVE-2025-58648 | https://patchstack.com/database/wordpress/plugin/simple-jwt-login/vulnerability/wordpress-simple-jwt-login-plugin-3-6-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PlayerJS--PlayerJS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PlayerJS PlayerJS allows DOM-Based XSS. This issue affects PlayerJS: from n/a through 2.24. | 2025-09-22 | 6.5 | CVE-2025-58651 | https://patchstack.com/database/wordpress/plugin/playerjs/vulnerability/wordpress-playerjs-plugin-2-24-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themepoints--Carousel Ultimate | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Carousel Ultimate allows Stored XSS. This issue affects Carousel Ultimate: from n/a through 1.8. | 2025-09-22 | 6.5 | CVE-2025-58652 | https://patchstack.com/database/wordpress/plugin/carousel/vulnerability/wordpress-carousel-ultimate-plugin-1-8-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| JS Morisset--JSM file_get_contents() Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JS Morisset JSM file_get_contents() Shortcode allows Stored XSS. This issue affects JSM file_get_contents() Shortcode: from n/a through 2.7.1. | 2025-09-22 | 6.5 | CVE-2025-58653 | https://patchstack.com/database/wordpress/plugin/wp-file-get-contents/vulnerability/wordpress-jsm-file-get-contents-shortcode-plugin-2-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Michel - xiligroup dev--xili-language | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-language allows DOM-Based XSS. This issue affects xili-language: from n/a through 2.21.3. | 2025-09-22 | 6.5 | CVE-2025-58654 | https://patchstack.com/database/wordpress/plugin/xili-language/vulnerability/wordpress-xili-language-plugin-2-21-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PickPlugins--Accordion | Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14. | 2025-09-22 | 6.5 | CVE-2025-58678 | https://patchstack.com/database/wordpress/plugin/accordions/vulnerability/wordpress-accordion-plugin-2-3-14-broken-access-control-vulnerability?_s_id=cve |
| gutentor--Gutentor | Missing Authorization vulnerability in gutentor Gutentor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutentor: from n/a through 3.5.2. | 2025-09-22 | 6.5 | CVE-2025-58680 | https://patchstack.com/database/wordpress/plugin/gutentor/vulnerability/wordpress-gutentor-plugin-3-5-2-broken-access-control-vulnerability?_s_id=cve |
| Timur Kamaev--Kama Click Counter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timur Kamaev Kama Click Counter allows Stored XSS. This issue affects Kama Click Counter: from n/a through 4.0.4. | 2025-09-22 | 6.5 | CVE-2025-58682 | https://patchstack.com/database/wordpress/plugin/kama-clic-counter/vulnerability/wordpress-kama-click-counter-plugin-4-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Luke Mlsna--Last Updated Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Luke Mlsna Last Updated Shortcode allows Stored XSS. This issue affects Last Updated Shortcode: from n/a through 1.0.1. | 2025-09-22 | 6.5 | CVE-2025-58683 | https://patchstack.com/database/wordpress/plugin/last-updated-shortcode/vulnerability/wordpress-last-updated-shortcode-plugin-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themepoints--Logo Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase allows Stored XSS. This issue affects Logo Showcase: from n/a through 3.0.9. | 2025-09-22 | 6.5 | CVE-2025-58684 | https://patchstack.com/database/wordpress/plugin/logo-showcase/vulnerability/wordpress-logo-showcase-plugin-3-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| tapfiliate--Tapfiliate | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tapfiliate Tapfiliate allows Stored XSS. This issue affects Tapfiliate: from n/a through 3.2.2. | 2025-09-22 | 6.5 | CVE-2025-58689 | https://patchstack.com/database/wordpress/plugin/tapfiliate/vulnerability/wordpress-tapfiliate-plugin-3-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Russell Jamieson--Genesis Club Lite | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson Genesis Club Lite allows Stored XSS. This issue affects Genesis Club Lite: from n/a through 1.17. | 2025-09-22 | 6.5 | CVE-2025-58691 | https://patchstack.com/database/wordpress/plugin/genesis-club-lite/vulnerability/wordpress-genesis-club-lite-plugin-1-17-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WebWizards--MarketKing | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebWizards MarketKing allows Stored XSS. This issue affects MarketKing: from n/a through 2.0.92. | 2025-09-22 | 6.5 | CVE-2025-58702 | https://patchstack.com/database/wordpress/plugin/marketking-multivendor-marketplace-for-woocommerce/vulnerability/wordpress-marketking-plugin-2-0-92-cross-site-scripting-xss-vulnerability?_s_id=cve |
| skyword--Skyword API Plugin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skyword Skyword API Plugin allows Stored XSS. This issue affects Skyword API Plugin: from n/a through 2.5.3. | 2025-09-22 | 6.5 | CVE-2025-58703 | https://patchstack.com/database/wordpress/plugin/skyword-plugin/vulnerability/wordpress-skyword-api-plugin-plugin-2-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ren Ventura--WP Delete User Accounts | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts allows Stored XSS. This issue affects WP Delete User Accounts: from n/a through 1.2.4. | 2025-09-22 | 6.5 | CVE-2025-58704 | https://patchstack.com/database/wordpress/plugin/wp-delete-user-accounts/vulnerability/wordpress-wp-delete-user-accounts-plugin-1-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Emarket-design--YouTube Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase youtube-showcase allows Stored XSS. This issue affects YouTube Showcase: from n/a through 3.5.0. | 2025-09-23 | 6.5 | CVE-2025-58915 | https://patchstack.com/database/wordpress/plugin/youtube-showcase/vulnerability/wordpress-youtube-showcase-plugin-3-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Nick Verwymeren--Quantities and Units for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through 1.0.13. | 2025-09-26 | 6.5 | CVE-2025-58917 | https://patchstack.com/database/wordpress/plugin/quantities-and-units-for-woocommerce/vulnerability/wordpress-quantities-and-units-for-woocommerce-plugin-1-0-13-cross-site-scripting-xss-vulnerability?_s_id=cve |
| publitio--Publitio | Server-Side Request Forgery (SSRF) vulnerability in publitio Publitio allows Server Side Request Forgery. This issue affects Publitio: from n/a through 2.2.1. | 2025-09-22 | 6.4 | CVE-2025-58962 | https://patchstack.com/database/wordpress/plugin/publitio/vulnerability/wordpress-publitio-plugin-2-2-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Agency Dominion Inc.--Fusion Page Builder : Extension – Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion Page Builder : Extension – Gallery allows Stored XSS. This issue affects Fusion Page Builder : Extension – Gallery: from n/a through 1.7.6. | 2025-09-22 | 6.5 | CVE-2025-58965 | https://patchstack.com/database/wordpress/plugin/fusion-extension-gallery/vulnerability/wordpress-fusion-page-builder-extension-gallery-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| StellarWP--WPComplete | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.2. | 2025-09-22 | 6.5 | CVE-2025-58974 | https://patchstack.com/database/wordpress/plugin/wpcomplete/vulnerability/wordpress-wpcomplete-plugin-2-9-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| impleCode--Product Catalog Simple | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode Product Catalog Simple allows Stored XSS. This issue affects Product Catalog Simple: from n/a through 1.8.2. | 2025-09-22 | 6.5 | CVE-2025-58992 | https://patchstack.com/database/wordpress/plugin/post-type-x/vulnerability/wordpress-product-catalog-simple-plugin-1-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cubecart--v6 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber's email address. This issue has been patched in version 6.5.11. | 2025-09-22 | 6.5 | CVE-2025-59413 | https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f https://github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79 https://github.com/cubecart/v6/commit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271 https://github.com/cubecart/v6/commit/dbc58cf1f7a6291f7add5893b56bff7920a29128 |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0. | 2025-09-22 | 6.5 | CVE-2025-59535 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-wq2j-w9pm-7x2p https://github.com/dnnsoftware/Dnn.Platform/commit/72f30f69fd2214d77f6c2577dfcca495a24caf5c https://github.com/dnnsoftware/Dnn.Platform/blob/develop/DNN%20Platform/Library/UI/Skins/Skin.cs#L305 |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, when embedding information in the Biography field, even if that field is not rich-text, users could inject JavaScript code that would run in the context of the website for any other user who can view the profile, including administrators and/or superusers. This issue has been patched in version 10.1.0. | 2025-09-23 | 6.3 | CVE-2025-59539 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-7rcc-q6rq-jpcm |
| fatcatapps--GetResponse Forms | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps GetResponse Forms allows Stored XSS. This issue affects GetResponse Forms: from n/a through 2.6.0. | 2025-09-22 | 6.5 | CVE-2025-59549 | https://patchstack.com/database/wordpress/plugin/getresponse/vulnerability/wordpress-getresponse-forms-plugin-2-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Pdfcrowd Dev Team--Save as PDF | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pdfcrowd Dev Team Save as PDF allows Stored XSS. This issue affects Save as PDF: from n/a through 4.5.2. | 2025-09-22 | 6.5 | CVE-2025-59552 | https://patchstack.com/database/wordpress/plugin/save-as-pdf-by-pdfcrowd/vulnerability/wordpress-save-as-pdf-plugin-4-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Coderz Studio--Custom iFrame for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Coderz Studio Custom iFrame for Elementor allows DOM-Based XSS. This issue affects Custom iFrame for Elementor: from n/a through 1.0.13. | 2025-09-22 | 6.5 | CVE-2025-59553 | https://patchstack.com/database/wordpress/plugin/custom-iframe/vulnerability/wordpress-custom-iframe-for-elementor-plugin-1-0-13-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Swings--Upsell Order Bump Offer for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce allows Stored XSS. This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through 3.0.7. | 2025-09-22 | 6.5 | CVE-2025-59565 | https://patchstack.com/database/wordpress/plugin/upsell-order-bump-offer-for-woocommerce/vulnerability/wordpress-upsell-order-bump-offer-for-woocommerce-plugin-3-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Emraan Cheema--CubeWP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emraan Cheema CubeWP allows Stored XSS. This issue affects CubeWP: from n/a through 1.1.26. | 2025-09-22 | 6.5 | CVE-2025-59569 | https://patchstack.com/database/wordpress/plugin/cubewp-framework/vulnerability/wordpress-cubewp-plugin-1-1-26-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Travel Engine--WP Travel Engine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Travel Engine WP Travel Engine allows Stored XSS. This issue affects WP Travel Engine: from n/a through 1.4.2. | 2025-09-22 | 6.5 | CVE-2025-59574 | https://patchstack.com/database/wordpress/plugin/wte-elementor-widgets/vulnerability/wordpress-wp-travel-engine-plugin-1-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Stylemix--MasterStudy LMS | Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.6.20. | 2025-09-22 | 6.5 | CVE-2025-59576 | https://patchstack.com/database/wordpress/plugin/masterstudy-lms-learning-management-system/vulnerability/wordpress-masterstudy-lms-plugin-3-6-20-broken-access-control-vulnerability?_s_id=cve |
| VW THEMES--Ibtana | Missing Authorization vulnerability in VW THEMES Ibtana allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ibtana: from n/a through 1.2.5.3. | 2025-09-22 | 6.5 | CVE-2025-59581 | https://patchstack.com/database/wordpress/plugin/ibtana-visual-editor/vulnerability/wordpress-ibtana-plugin-1-2-5-3-arbitrary-content-deletion-vulnerability?_s_id=cve |
| PenciDesign--Penci Filter Everything | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything allows DOM-Based XSS. This issue affects Penci Filter Everything: from n/a through n/a. | 2025-09-22 | 6.5 | CVE-2025-59583 | https://patchstack.com/database/wordpress/plugin/penci-filter-everything/vulnerability/wordpress-penci-filter-everything-plugin-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Podcast | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast allows DOM-Based XSS. This issue affects Penci Podcast: from n/a through 1.6. | 2025-09-22 | 6.5 | CVE-2025-59584 | https://patchstack.com/database/wordpress/plugin/penci-podcast/vulnerability/wordpress-penci-podcast-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Recipe | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe allows DOM-Based XSS. This issue affects Penci Recipe: from n/a through 4.0. | 2025-09-22 | 6.5 | CVE-2025-59585 | https://patchstack.com/database/wordpress/plugin/penci-recipe/vulnerability/wordpress-penci-recipe-plugin-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Portfolio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Portfolio allows DOM-Based XSS. This issue affects Penci Portfolio: from n/a through 3.5. | 2025-09-22 | 6.5 | CVE-2025-59586 | https://patchstack.com/database/wordpress/plugin/penci-portfolio/vulnerability/wordpress-penci-portfolio-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Shortcodes & Performance | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through n/a. | 2025-09-22 | 6.5 | CVE-2025-59587 | https://patchstack.com/database/wordpress/plugin/penci-shortcodes/vulnerability/wordpress-penci-shortcodes-performance-plugin-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Soledad | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through 8.6.8. | 2025-09-22 | 6.5 | CVE-2025-59589 | https://patchstack.com/database/wordpress/theme/soledad/vulnerability/wordpress-soledad-theme-8-6-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Fernando Acosta--Make Column Clickable Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Acosta Make Column Clickable Elementor allows Stored XSS. This issue affects Make Column Clickable Elementor: from n/a through 1.6.0. | 2025-09-22 | 6.5 | CVE-2025-59592 | https://patchstack.com/database/wordpress/plugin/make-column-clickable-elementor/vulnerability/wordpress-make-column-clickable-elementor-plugin-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN's URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim's browser to interpret attacker-controlled content as part of the page's HTML. This issue has been patched in version 10.1.0. | 2025-09-23 | 6.5 | CVE-2025-59821 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jc4g-c8ww-5738 |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions starting from 3.8.0 to before 4.11.0, wazuh-analysisd is vulnerable to a heap buffer overflow when parsing XML elements from Windows EventChannel messages. This issue has been patched in version 4.11.0. | 2025-09-27 | 6.5 | CVE-2025-59938 | https://github.com/wazuh/wazuh/security/advisories/GHSA-vw3r-mjg3-9hh2 |
| NNCP--NNCP | nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data. | 2025-09-24 | 6.4 | CVE-2025-60020 | http://www.nncpgo.org/Release-8_005f12_005f0.html http://lists.cypherpunks.su/archive/nncp-devel/CAO-d-4riai9EZx4gVfekow-BCtTn07k8BB1ZdsopPVw=scWD1A@mail.gmail.com/T/#md678a00df1020bb811f47f42ef33c54b789cddd7 |
| fkrauthan--wp-mpdf | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fkrauthan wp-mpdf allows Stored XSS. This issue affects wp-mpdf: from n/a through 3.9.1. | 2025-09-26 | 6.5 | CVE-2025-60040 | https://patchstack.com/database/wordpress/plugin/wp-mpdf/vulnerability/wordpress-wp-mpdf-plugin-3-9-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jeff Farthing--Theme My Login | Missing Authorization vulnerability in Jeff Farthing Theme My Login allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theme My Login: from n/a through 7.1.12. | 2025-09-26 | 6.5 | CVE-2025-60098 | https://patchstack.com/database/wordpress/plugin/theme-my-login/vulnerability/wordpress-theme-my-login-plugin-7-1-12-broken-access-control-vulnerability?_s_id=cve |
| awsm.in--Embed Any Document | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awsm.in Embed Any Document allows Stored XSS. This issue affects Embed Any Document: from n/a through 2.7.7. | 2025-09-26 | 6.5 | CVE-2025-60099 | https://patchstack.com/database/wordpress/plugin/embed-any-document/vulnerability/wordpress-embed-any-document-plugin-2-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Syam Mohan--WPFront User Role Editor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor allows Stored XSS. This issue affects WPFront User Role Editor: from n/a through 4.2.3. | 2025-09-26 | 6.5 | CVE-2025-60102 | https://patchstack.com/database/wordpress/plugin/wpfront-user-role-editor/vulnerability/wordpress-wpfront-user-role-editor-plugin-4-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| metaphorcreations--Ditty | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.58. | 2025-09-26 | 6.5 | CVE-2025-60105 | https://patchstack.com/database/wordpress/plugin/ditty-news-ticker/vulnerability/wordpress-ditty-plugin-3-1-58-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Syed Balkhi--aThemes Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through 1.1.3. | 2025-09-26 | 6.5 | CVE-2025-60112 | https://patchstack.com/database/wordpress/plugin/athemes-addons-for-elementor-lite/vulnerability/wordpress-athemes-addons-for-elementor-plugin-1-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| YayCommerce--YayCurrency | Improper Control of Generation of Code ('Code Injection') vulnerability in YayCommerce YayCurrency allows Code Injection. This issue affects YayCurrency: from n/a through 3.2. | 2025-09-26 | 6.6 | CVE-2025-60114 | https://patchstack.com/database/wordpress/plugin/yaycurrency/vulnerability/wordpress-yaycurrency-plugin-3-2-remote-code-execution-rce-vulnerability?_s_id=cve |
| Ryan Hellyer--Simple Colorbox | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Hellyer Simple Colorbox allows Stored XSS. This issue affects Simple Colorbox: from n/a through 1.6.1. | 2025-09-26 | 6.5 | CVE-2025-60124 | https://patchstack.com/database/wordpress/plugin/simple-colorbox/vulnerability/wordpress-simple-colorbox-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| sonalsinha21--SKT Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks allows Stored XSS. This issue affects SKT Blocks: from n/a through 2.5. | 2025-09-26 | 6.5 | CVE-2025-60138 | https://patchstack.com/database/wordpress/plugin/skt-blocks/vulnerability/wordpress-skt-blocks-plugin-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| DaganLev--Simple Meta Tags | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaganLev Simple Meta Tags allows DOM-Based XSS. This issue affects Simple Meta Tags: from n/a through 1.5. | 2025-09-26 | 6.5 | CVE-2025-60142 | https://patchstack.com/database/wordpress/plugin/simple-meta-tags/vulnerability/wordpress-simple-meta-tags-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| HT Plugins--HT Feed | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Feed allows Stored XSS. This issue affects HT Feed: from n/a through 1.3.0. | 2025-09-26 | 6.5 | CVE-2025-60147 | https://patchstack.com/database/wordpress/plugin/ht-instagram/vulnerability/wordpress-ht-feed-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| emarket-design--WP Ticket Customer Service Software & Support Ticket System | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Stored XSS. This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through 6.0.2. | 2025-09-26 | 6.5 | CVE-2025-60157 | https://patchstack.com/database/wordpress/plugin/wp-ticket/vulnerability/wordpress-wp-ticket-customer-service-software-support-ticket-system-plugin-6-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PickPlugins--Job Board Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Job Board Manager allows DOM-Based XSS. This issue affects Job Board Manager: from n/a through 2.1.61. | 2025-09-26 | 6.5 | CVE-2025-60162 | https://patchstack.com/database/wordpress/plugin/job-board-manager/vulnerability/wordpress-job-board-manager-plugin-2-1-61-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Robin W--bbp topic count | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count allows DOM-Based XSS. This issue affects bbp topic count: from n/a through 3.1. | 2025-09-26 | 6.5 | CVE-2025-60163 | https://patchstack.com/database/wordpress/plugin/bbp-topic-count/vulnerability/wordpress-bbp-topic-count-plugin-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CIRCL--vulnerability-lookup | vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models. | 2025-09-25 | 6.4 | CVE-2025-60249 | https://github.com/vulnerability-lookup/vulnerability-lookup/commit/afa12347f1461d9481eba75ac19897e80a9c7434 |
| Webbeyaz Website Design--Website Software | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webbeyaz Website Design Website Software allows Cross-Site Scripting (XSS). This issue affects Website Software: through 2025.07.14. | 2025-09-26 | 6.1 | CVE-2025-6396 | https://www.usom.gov.tr/bildirim/tr-25-0302 |
| GitLab--GitLab | A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities. | 2025-09-26 | 6.5 | CVE-2025-7691 | GitLab Issue #555786 HackerOne Bug Bounty Report #3200469 |
| kraftplugins--Mega Elements Addons for Elementor | The Mega Elements - Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-26 | 6.4 | CVE-2025-8200 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8c676a0-287f-479c-aaa1-ba638b340e11?source=cve https://wordpress.org/plugins/mega-elements-addons-for-elementor/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362890%40mega-elements-addons-for-elementor&new=3362890%40mega-elements-addons-for-elementor&sfp_email=&sfph_mail= |
| spwebguy--Team Members | The Team Members plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first and last name fields in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-27 | 6.4 | CVE-2025-8440 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b46c3f25-6879-47b1-9026-4297fdd003b0?source=cve https://plugins.trac.wordpress.org/browser/team-members/trunk/inc/tmm-save-metaboxes.php#L77 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3364663%40team-members%2Ftrunk&old=3116517%40team-members%2Ftrunk&sfp_email=&sfph_mail= |
| Marketing Fire, LLC--Widget Options - Extended | The Widget Options - Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'do_sidebar' shortcode in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-23 | 6.4 | CVE-2025-8902 | https://www.wordfence.com/threat-intel/vulnerabilities/id/98f8a524-b0b8-4e11-b789-bed3bd257a10?source=cve https://widget-options.com/changelog/ |
| trustindex--Widgets for Tiktok Feed | The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-26 | 6.4 | CVE-2025-8906 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b070542-83fc-4086-a40d-15a8d31fadc5?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363725%40widgets-for-tiktok-video-feed&new=3363725%40widgets-for-tiktok-video-feed&sfp_email=&sfph_mail= |
| mapster--Mapster WP Maps | The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-26 | 6.4 | CVE-2025-9044 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f2c7f0-ff24-4489-9fb4-8a98ac6dc09a?source=cve https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L15547 https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13932 https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13952 https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13972 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363333%40mapster-wp-maps&new=3363333%40mapster-wp-maps&sfp_email=&sfph_mail= |
| Anadolu Hayat Emeklilik Inc.--AHE Mobile | Authorization Bypass Through User-Controlled Key vulnerability in Anadolu Hayat Emeklilik Inc. AHE Mobile allows Privilege Abuse. This issue affects AHE Mobile: from 1.9.7 before 1.9.9. | 2025-09-23 | 6.5 | CVE-2025-9342 | https://www.usom.gov.tr/bildirim/tr-25-0287 |
| themifyme--Themify Builder | The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9. | 2025-09-24 | 6.4 | CVE-2025-9353 | https://www.wordfence.com/threat-intel/vulnerabilities/id/508e97a0-9757-426c-bf0f-cdce6b489ce7?source=cve https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-icon.php#L95 https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L73 https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L96 https://plugins.trac.wordpress.org/browser/themify-builder/trunk/js/editor/build/modules.min.js https://plugins.trac.wordpress.org/changeset/3366817/ https://plugins.trac.wordpress.org/changeset/3355757/ |
| danieliser--Popup Maker Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder | The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 1.20.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-26 | 6.4 | CVE-2025-9490 | https://www.wordfence.com/threat-intel/vulnerabilities/id/84861460-5257-466e-b2c1-4b8abcf86bd1?source=cve https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.20.6/includes/importer/easy-modal-v2.php#L259 https://wordpress.org/plugins/popup-maker/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362078%40popup-maker&new=3362078%40popup-maker&sfp_email=&sfph_mail= |
| trustreviews--Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms | The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed_save function. This makes it possible for unauthenticated attackers to create or modify feed entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-27 | 6.1 | CVE-2025-9899 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a6d22101-06ef-4492-8ba9-8cf2ca1f4474?source=cve https://plugins.trac.wordpress.org/browser/trust-reviews/trunk/includes/class-feed-serializer.php#L12 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations. | 2025-09-26 | 6.5 | CVE-2025-9958 | GitLab Issue #567777 HackerOne Bug Bounty Report #3323573 |
| AMD--AMD Instinct MI300X | Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to use certain special characters in manipulated Redfish® API commands, causing service processes like OpenBMC to crash and reset, potentially resulting in denial of service. | 2025-09-23 | 5 | CVE-2024-21927 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6016.html |
| AMD--AMD Instinct MI300X | Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to manipulate Redfish® API commands to remove files from the local root directory, potentially resulting in data corruption. | 2025-09-23 | 5 | CVE-2024-21935 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6016.html |
| inc2734--Snow Monkey | The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-09-26 | 5.4 | CVE-2025-10137 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d4a938a-044b-4991-bc4c-db9e15210f06?source=cve https://github.com/inc2734/wp-oembed-blog-card https://github.com/inc2734/wp-oembed-blog-card/blob/master/src/App/Model/Requester.php#L64-L89 https://github.com/inc2734/wp-oembed-blog-card/compare/14.0.1...14.0.2 https://github.com/inc2734/snow-monkey/compare/29.1.5...29.1.6 |
| specialk--Banhammer - Monitor Site Traffic, Block Bad Users and Bots | The Banhammer - Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide "secret key" being deterministically generated from a constant character set using md5() and base64_encode() and then stored in the `banhammer_secret_key` option. This makes it possible for unauthenticated attackers to bypass the plugin's logging and blocking by appending a GET parameter named `banhammer-process_{SECRET}` where `{SECRET}` is the predictable value, thereby causing Banhammer to abort its protections for that request. | 2025-09-26 | 5.3 | CVE-2025-10745 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97c46a13-6981-426f-b24a-c9820657042f?source=cve https://plugins.trac.wordpress.org/browser/banhammer/trunk/inc/banhammer-functions.php#L336 https://plugins.trac.wordpress.org/browser/banhammer/trunk/inc/banhammer-core.php#L101 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365979%40banhammer&new=3365979%40banhammer&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365087%40banhammer&new=3365087%40banhammer&sfp_email=&sfph_mail= |
| axboe--fio | A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. | 2025-09-23 | 5.3 | CVE-2025-10824 | VDB-325181 \| axboe fio init.c __parse_jobs_ini use after free VDB-325181 \| CTI Indicators (IOB, IOC, IOA) Submit #654072 \| Jens Axboe Fio 3.41 / master commit 84787ad Use After Free https://github.com/axboe/fio/issues/1981 https://github.com/user-attachments/files/22266756/poc.zip |
| Red Hat--Red Hat Enterprise v6,v7,v8,v9,10 | A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash. | 2025-09-25 | 5.5 | CVE-2025-10911 | https://access.redhat.com/security/cve/CVE-2025-10911 RHBZ#2397838 https://gitlab.gnome.org/GNOME/libxslt/-/issues/144 https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/77 |
| Sistemas Pleno--Gestão de Locação | A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component. | 2025-09-25 | 5.3 | CVE-2025-10947 | VDB-325817 \| Sistemas Pleno Gestão de Locação CPF validarCpf authorization VDB-325817 \| CTI Indicators (IOB, IOC, IOA) Submit #652282 \| Sistemas Pleno Gestão de Locação Prior to 2025.8.0 Insecure Direct Object Reference (IDOR) https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main?tab=readme-ov-file#-proofs |
| geyang--ml-logger | A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stream_handler of the file ml_logger/server.py of the component File Handler. Performing manipulation of the argument key results in information disclosure. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | 2025-09-25 | 5.3 | CVE-2025-10952 | VDB-325822 \| geyang ml-logger File server.py stream_handler information disclosure VDB-325822 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #652463 \| geyang ml-logger latest Arbitrary file read https://github.com/geyang/ml-logger/issues/74 |
| n/a--github.com/nyaruka/phonenumbers | Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range". | 2025-09-27 | 5.3 | CVE-2025-10954 | https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMNYARUKAPHONENUMBERS-6084070 https://github.com/nyaruka/phonenumbers/issues/148 https://github.com/nyaruka/phonenumbers/commit/0479e35488e8a002a261cdb515ef8a7f80ca37fe |
| Wavlink--NU516U1 | A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. This affects the function sub_4030C0 of the file /cgi-bin/wireless.cgi of the component Delete_Mac_list Page. Executing manipulation of the argument delete_list can lead to command injection. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 5.5 | CVE-2025-10961 | VDB-325829 | Wavlink NU516U1 Delete_Mac_list wireless.cgi sub_4030C0 command injection VDB-325829 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #652781 | Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/panda666-888/vuls/blob/main/wavlink/nu516u1/Delete_Mac_list.md |
| roncoo--roncoo-pay | A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-26 | 5.3 | CVE-2025-10992 | VDB-325919 | roncoo roncoo-pay lookupList improper authorization VDB-325919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653738 | roncoo roncoo-pay latest broken function level authorization https://www.cnblogs.com/aibot/p/19063472 |
| Open Babel -- Up to v3.1.1 | A weakness has been identified in Open Babel up to 3.1.1. This affects the function GAMESSOutputFormat::ReadMolecule of the file gamessformat.cpp. This manipulation causes use after free. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited. | 2025-09-26 | 5.3 | CVE-2025-10994 | VDB-325922 | Open Babel gamessformat.cpp ReadMolecule use after free VDB-325922 | CTI Indicators (IOB, IOC, IOA) Submit #654057 | Open Babel 3.1.1 / master commit 889c350 Use After Free https://github.com/openbabel/openbabel/issues/2834 https://github.com/user-attachments/files/22318611/poc.zip |
| Open Babel -- Up to v3.1.1 | A security vulnerability has been detected in Open Babel up to 3.1.1. This vulnerability affects the function zlib_stream::basic_unzip_streambuf::underflow in the library /src/zipstreamimpl.h. Such manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. | 2025-09-26 | 5.3 | CVE-2025-10995 | VDB-325923 | Open Babel zipstreamimpl.h underflow memory corruption VDB-325923 | CTI Indicators (IOB, IOC, IOA) Submit #654059 | Open Babel 3.1.1 / master commit 889c3501 Memory Corruption https://github.com/openbabel/openbabel/issues/2832 https://github.com/user-attachments/files/22318572/poc.zip |
| Open Babel -- Up to v3.1.1 | A vulnerability was detected in Open Babel up to 3.1.1. This issue affects the function OBSmilesParser::ParseSmiles of the file /src/formats/smilesformat.cpp. Performing manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit is now public and may be used. | 2025-09-26 | 5.3 | CVE-2025-10996 | VDB-325924 | Open Babel smilesformat.cpp ParseSmiles heap-based overflow VDB-325924 | CTI Indicators (IOB, IOC, IOA) Submit #654060 | Open Babel 3.1.1 / master commit 889c350 Heap-based Buffer Overflow https://github.com/openbabel/openbabel/issues/2831 https://github.com/user-attachments/files/22318556/poc.zip |
| Open Babel -- Up to v3.1.1 | A flaw has been found in Open Babel up to 3.1.1. Impacted is the function ChemKinFormat::CheckSpecies of the file /src/formats/chemkinformat.cpp. Executing manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been published and may be used. | 2025-09-26 | 5.3 | CVE-2025-10997 | VDB-325925 | Open Babel chemkinformat.cpp CheckSpecies heap-based overflow VDB-325925 | CTI Indicators (IOB, IOC, IOA) Submit #654062 | Open Babel 3.1.1 / master commit 889c350 Heap-based Buffer Overflow https://github.com/openbabel/openbabel/issues/2830 https://github.com/user-attachments/files/22318543/poc.zip |
| vstakhov--libucl | A vulnerability has been found in vstakhov libucl up to 0.9.2. Affected by this vulnerability is the function ucl_include_common of the file /src/ucl_util.c. Such manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-09-26 | 5.3 | CVE-2025-11010 | VDB-325953 | vstakhov libucl ucl_util.c ucl_include_common heap-based overflow VDB-325953 | CTI Indicators (IOB, IOC, IOA) Submit #654068 | vstakhov libucl 0.9.2 / master commit d8af953 Heap-based Buffer Overflow https://github.com/vstakhov/libucl/issues/337 https://github.com/user-attachments/files/22317650/poc.zip |
| BehaviorTree -- BehaviorTree up to 4.7.0 | A vulnerability was determined in BehaviorTree up to 4.7.0. This affects the function ParseScript of the file /src/script_parser.cpp of the component Diagnostic Message Handler. Executing manipulation of the argument error_msgs_buffer can lead to stack-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called cb6c7514efa628adb8180b58b4c9ccdebbe096e3. A patch should be applied to remediate this issue. | 2025-09-26 | 5.3 | CVE-2025-11012 | VDB-325955 | BehaviorTree Diagnostic Message script_parser.cpp ParseScript stack-based overflow VDB-325955 | CTI Indicators (IOB, IOC, IOA) Submit #654074 | Davide Faconti BehaviorTree 4.7.0 / master commit 8d47d39 Stack-based Buffer Overflow https://github.com/BehaviorTree/BehaviorTree.CPP/issues/1006 https://github.com/BehaviorTree/BehaviorTree.CPP/pull/1007 https://github.com/user-attachments/files/22251337/poc.zip https://github.com/BehaviorTree/BehaviorTree.CPP/commit/cb6c7514efa628adb8180b58b4c9ccdebbe096e3 |
| OGRECave--Ogre | A security flaw has been discovered in OGRECave Ogre up to 14.4.1. This issue affects the function STBIImageCodec::encode of the file /ogre/PlugIns/STBICodec/src/OgreSTBICodec.cpp of the component Image Handler. The manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be exploited. | 2025-09-26 | 5.3 | CVE-2025-11014 | VDB-325957 | OGRECave Ogre Image OgreSTBICodec.cpp encode heap-based overflow VDB-325957 | CTI Indicators (IOB, IOC, IOA) Submit #654269 | Ogre3D Ogre v14.4.1 / master commit f629d22 Heap-based Buffer Overflow https://github.com/OGRECave/ogre/issues/3445 https://github.com/user-attachments/files/22326665/poc.zip |
| OGRECave--Ogre | A weakness has been identified in OGRECave Ogre up to 14.4.1. Impacted is the function STBIImageCodec::encode of the file /ogre/PlugIns/STBICodec/src/OgreSTBICodec.cpp. This manipulation causes mismatched memory management routines. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited. | 2025-09-26 | 5.3 | CVE-2025-11015 | VDB-325958 \| OGRECave Ogre OgreSTBICodec.cpp encode mismatched memory management routines VDB-325958 \| CTI Indicators (IOB, IOC, IOA) Submit #654340 \| Ogre3D Ogre v14.4.1 / master commit f629d22 Mismatched Memory Management Routines https://github.com/OGRECave/ogre/issues/3446 https://github.com/user-attachments/files/22328216/poc.zip |
| Four-Faith--Water Conservancy Informatization Platform | A flaw has been found in Four-Faith Water Conservancy Informatization Platform 1.0. This affects an unknown function of the file /sysRole/index.do/../../generalReport/download.do;usrlogout.do.do. Executing manipulation of the argument fileName can lead to path traversal. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-26 | 5.3 | CVE-2025-11018 | VDB-325961 \| Four-Faith Water Conservancy Informatization Platform download.do;usrlogout.do.do path traversal VDB-325961 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #650695 \| Four-Faith Water Conservancy Informatization Platform V1.0 Path Traversal https://github.com/MMarch7/CVE/issues/1 |
| Vimesoft Information Technologies and Software Inc.--Vimesoft Corporate Messaging Platform | Insertion of Sensitive Information Into Sent Data vulnerability in Vimesoft Information Technologies and Software Inc. Vimesoft Corporate Messaging Platform allows Retrieve Embedded Sensitive Data. This issue affects Vimesoft Corporate Messaging Platform: from V1.3.0 before V2.0.0. | 2025-09-26 | 5.3 | CVE-2025-11025 | https://www.usom.gov.tr/bildirim/tr-25-0300 |
| givanz--Vvveb | A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. This affects an unknown part of the component Image Handler. Performing manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | 2025-09-26 | 5.3 | CVE-2025-11028 | VDB-325966 \| givanz Vvveb Image information disclosure VDB-325966 \| CTI Indicators (IOB, IOC, TTP) Submit #657185 \| givanz Vvveb Vvveb 1.0.7.2 Exposure of Sensitive Information Through Metadata https://gist.github.com/KhanMarshaI/9a1a5b72ff7a0a9d180ca77d26814bc7 |
| DataTables -- DataTables up to V1.10.13 | A flaw has been found in DataTables up to 1.10.13. The affected element is an unknown function of the file /examples/resources/examples.php. This manipulation of the argument src causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 1.10.15 is sufficient to fix this issue. Patch name: 3b24f99ac4ddb7f9072076b0d07f0b1a408f177a. Upgrading the affected component is advised. This vulnerability was initially reported for code-projects Faculty Management System but appears to affect DataTables as an upstream component instead. The vendor of DataTables explains: "I would suggest that the author upgrade to the latest versions of DataTables (actually, they shouldn't really be deploying that file to their own server at all - it is only relevant for the DataTables examples)." | 2025-09-26 | 5.3 | CVE-2025-11031 | VDB-325970 \| DataTables examples.php path traversal VDB-325970 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #657918 \| code-projects Faculty Management System 1.0 Path Traversal: '.../...//' https://github.com/xiaoliyu-1/Faculty-Management-System-examples.php-v.1.0-Path-Traversal/blob/main/report.md https://github.com/xiaoliyu-1/Faculty-Management-System-examples.php-v.1.0-Path-Traversal/blob/main/report.md#url https://github.com/DataTables/DataTables/commit/3b24f99ac4ddb7f9072076b0d07f0b1a408f177a https://github.com/DataTables/DataTables/releases/tag/1.10.15 |
| Red Hat--OpenShift Service Mesh 3 | A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records. | 2025-09-26 | 5.7 | CVE-2025-11060 | https://access.redhat.com/security/cve/CVE-2025-11060 RHBZ#2394708 https://github.com/surrealdb/surrealdb https://github.com/surrealdb/surrealdb/commit/d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c https://github.com/surrealdb/surrealdb/pull/6247 https://github.com/surrealdb/surrealdb/security/advisories/GHSA-7vm2-j586-vcvc https://surrealdb.com/docs/surrealql/statements/live |
| Campcodes--Farm Management System | A security flaw has been discovered in Campcodes Farm Management System 1.0. Affected by this issue is some unknown functionality. The manipulation results in file and directory information exposure. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-09-27 | 5.3 | CVE-2025-11079 | VDB-326119 \| Campcodes Farm Management System file information disclosure VDB-326119 \| CTI Indicators (IOB, IOC, TTP) Submit #661199 \| Campcodes Farm Management System v1.0 Directory traversal https://github.com/unicorn33355/cve/issues/1 https://www.campcodes.com/ |
| GNU--Binutils | A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with "[f]ixed for 2.46". | 2025-09-27 | 5.3 | CVE-2025-11082 | VDB-326123 \| GNU Binutils Linker elf-eh-frame.c _bfd_elf_parse_eh_frame heap-based overflow VDB-326123 \| CTI Indicators (IOB, IOC, IOA) Submit #661276 \| GNU Binutils 2.45 Heap-based Buffer Overflow https://sourceware.org/bugzilla/show_bug.cgi?id=33464 https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2 https://sourceware.org/bugzilla/attachment.cgi?id=16358 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8 https://www.gnu.org/ |
| GNU--Binutils | A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46". | 2025-09-27 | 5.3 | CVE-2025-11083 | VDB-326124 \| GNU Binutils Linker elfcode.h elf_swap_shdr heap-based overflow VDB-326124 \| CTI Indicators (IOB, IOC, IOA) Submit #661277 \| GNU Binutils 2.45 Heap-based Buffer Overflow https://sourceware.org/bugzilla/show_bug.cgi?id=33457 https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1 https://sourceware.org/bugzilla/attachment.cgi?id=16353 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490 https://www.gnu.org/ |
| Cisco--Cisco IOS XE Software | A vulnerability in the Day One setup process of Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL) could allow an unauthenticated, remote attacker to access the public-key infrastructure (PKI) server that is running on an affected device. This vulnerability is due to incomplete cleanup upon completion of the Day One setup process. An attacker could exploit this vulnerability by sending Simple Certificate Enrollment Protocol (SCEP) requests to an affected device. A successful exploit could allow the attacker to request a certificate from the virtual wireless controller and then use the acquired certificate to join an attacker-controlled device to the virtual wireless controller. | 2025-09-24 | 5.3 | CVE-2025-20293 | cisco-sa-9800cl-openscep-SB4xtxzP |
| Cisco--Cisco IOS XE Software | A vulnerability in the access control list (ACL) programming of Cisco IOS XE Software for Cisco Catalyst 9500X and 9600X Series Switches could allow an unauthenticated, remote attacker to bypass a configured ACL on an affected device. This vulnerability is due to the flooding of traffic from an unlearned MAC address on a switch virtual interface (SVI) that has an egress ACL applied. An attacker could exploit this vulnerability by causing the VLAN to flush its MAC address table. This condition can also occur if the MAC address table is full. A successful exploit could allow the attacker to bypass an egress ACL on an affected device. | 2025-09-24 | 5.3 | CVE-2025-20316 | cisco-sa-cat9k-acl-L4K7VXgD |
| Cisco--Cisco SD-WAN vEdge Cloud | A vulnerability in the access control list (ACL) processing of IPv4 packets of Cisco SD-WAN vEdge Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to the improper enforcement of the implicit deny all at the end of a configured ACL. An attacker could exploit this vulnerability by attempting to send unauthorized traffic to an interface on an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. | 2025-09-24 | 5.8 | CVE-2025-20339 | cisco-sa-defaultacl-pSJk9nVF |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA nvJPEG library contains a vulnerability where an attacker can cause an out-of-bounds read by means of a specially crafted JPEG file. A successful exploit of this vulnerability might lead to information disclosure or denial of service. | 2025-09-24 | 5.7 | CVE-2025-23272 | https://nvd.nist.gov/vuln/detail/CVE-2025-23272 https://www.cve.org/CVERecord?id=CVE-2025-23272 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| Dell--BSAFE Crypto-J | Dell Crypto-J generates an error message that includes sensitive information about its environment and associated data. A remote attacker could potentially exploit this vulnerability, leading to information exposure. | 2025-09-25 | 5.9 | CVE-2025-26333 | https://www.dell.com/support/kbdoc/en-us/000296144/dsa-2025-100-dell-bsafe-crypto-j-security-update |
| algoliasearch-helper -- v2.00 and before 3.11.2 | Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users. | 2025-09-27 | 5.9 | CVE-2025-3193 | https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-3318396 https://github.com/algolia/algoliasearch-helper-js/issues/922 https://github.com/algolia/algoliasearch-helper-js/commit/776dff23c87b0902e554e02a8c2567d2580fe12a |
| IBM--webMethods Integration | IBM webMethods Integration 10.15 and 11.1 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2025-09-22 | 5.4 | CVE-2025-36037 | https://www.ibm.com/support/pages/node/7245758 |
| IBM--Sterling Connect:Express for Microsoft Windows | IBM Sterling Connect:Express for Microsoft Windows 3.1.0.0 through 3.1.0.22 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 2025-09-22 | 5.9 | CVE-2025-36064 | https://www.ibm.com/support/pages/node/7245761 |
| WAGO--Solution Builder | The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function. | 2025-09-24 | 5.3 | CVE-2025-41716 | https://certvde.com/de/advisories/VDE-2025-087 |
| mihdan--Mihdan: No External Links | Cross-Site Request Forgery (CSRF) vulnerability in mihdan Mihdan: No External Links allows Cross Site Request Forgery. This issue affects Mihdan: No External Links: from n/a through 5.1.4. | 2025-09-22 | 5.4 | CVE-2025-53451 | https://patchstack.com/database/wordpress/plugin/mihdan-no-external-links/vulnerability/wordpress-mihdan-no-external-links-plugin-5-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| CashBill--CashBill.pl – Płatności WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CashBill CashBill.pl – Płatności WooCommerce allows Stored XSS. This issue affects CashBill.pl – Płatności WooCommerce: from n/a through 3.2.1. | 2025-09-22 | 5.9 | CVE-2025-53455 | https://patchstack.com/database/wordpress/plugin/cashbill-payment-method/vulnerability/wordpress-cashbill-pl-platnosci-woocommerce-plugin-3-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| davaxi--Goracash | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in davaxi Goracash allows Stored XSS. This issue affects Goracash: from n/a through 1.1. | 2025-09-22 | 5.9 | CVE-2025-53458 | https://patchstack.com/database/wordpress/plugin/goracash/vulnerability/wordpress-goracash-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ads by WPQuads--Ads by WPQuads | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ads by WPQuads Ads by WPQuads allows Stored XSS. This issue affects Ads by WPQuads: from n/a through 2.0.92. | 2025-09-22 | 5.9 | CVE-2025-53459 | https://patchstack.com/database/wordpress/plugin/quick-adsense-reloaded/vulnerability/wordpress-ads-by-wpquads-plugin-2-0-92-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Syed Balkhi--AffiliateWP External Referral Links | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi AffiliateWP - External Referral Links allows Stored XSS. This issue affects AffiliateWP - External Referral Links: from n/a through 1.2.0. | 2025-09-22 | 5.9 | CVE-2025-53460 | https://patchstack.com/database/wordpress/plugin/affiliatewp-external-referral-links/vulnerability/wordpress-affiliatewp-external-referral-links-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SAPO--SAPO Feed | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SAPO SAPO Feed allows Stored XSS. This issue affects SAPO Feed: from n/a through 2.4.2. | 2025-09-22 | 5.9 | CVE-2025-53462 | https://patchstack.com/database/wordpress/plugin/sapo-feed/vulnerability/wordpress-sapo-feed-plugin-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ironikus--WP Mailto Links | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ironikus WP Mailto Links allows Stored XSS. This issue affects WP Mailto Links: from n/a through 3.1.4. | 2025-09-22 | 5.9 | CVE-2025-53464 | https://patchstack.com/database/wordpress/plugin/wp-mailto-links/vulnerability/wordpress-wp-mailto-links-plugin-3-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CodeSolz--Better Find and Replace | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeSolz Better Find and Replace allows Stored XSS. This issue affects Better Find and Replace: from n/a through 1.7.6. | 2025-09-22 | 5.9 | CVE-2025-53466 | https://patchstack.com/database/wordpress/plugin/real-time-auto-find-and-replace/vulnerability/wordpress-better-find-and-replace-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| webvitaly--Login-Logout | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Login-Logout allows Stored XSS. This issue affects Login-Logout: from n/a through 3.8. | 2025-09-22 | 5.9 | CVE-2025-53467 | https://patchstack.com/database/wordpress/plugin/login-logout/vulnerability/wordpress-login-logout-plugin-3-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mortgage Calculator--BMI Adult & Kid Calculator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mortgage Calculator BMI Adult & Kid Calculator allows Stored XSS. This issue affects BMI Adult & Kid Calculator: from n/a through 1.2.2. | 2025-09-22 | 5.9 | CVE-2025-53469 | https://patchstack.com/database/wordpress/plugin/bmi-adultkid-calculator/vulnerability/wordpress-bmi-adult-kid-calculator-plugin-1-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AutomationDirect--CLICK PLUS C0-0x CPU firmware | An improper resource shutdown or release vulnerability has been identified in the Click Plus C2-03CPU-2 device running firmware version 3.60. The vulnerability allows an unauthenticated attacker to perform a denial-of-service attack by exhausting all available device sessions in the Remote PLC application. | 2025-09-23 | 5.9 | CVE-2025-57882 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 https://www.automationdirect.com/support/software-downloads |
| AresIT--WP Compress | Missing Authorization vulnerability in AresIT WP Compress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Compress: from n/a through 6.50.54. | 2025-09-22 | 5.3 | CVE-2025-57899 | https://patchstack.com/database/wordpress/plugin/wp-compress-image-optimizer/vulnerability/wordpress-wp-compress-plugin-6-50-54-broken-access-control-vulnerability?_s_id=cve |
| WPSuperiors Developer--WooCommerce Additional Fees On Checkout (Free) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSuperiors Developer WooCommerce Additional Fees On Checkout (Free) allows Stored XSS. This issue affects WooCommerce Additional Fees On Checkout (Free): from n/a through 1.5.0. | 2025-09-22 | 5.9 | CVE-2025-57903 | https://patchstack.com/database/wordpress/plugin/woo-additional-fees-on-checkout-wordpress/vulnerability/wordpress-woocommerce-additional-fees-on-checkout-free-plugin-1-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP-EXPERTS.IN--Sales Count Manager for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-EXPERTS.IN Sales Count Manager for WooCommerce allows Stored XSS. This issue affects Sales Count Manager for WooCommerce: from n/a through 2.5. | 2025-09-22 | 5.9 | CVE-2025-57904 | https://patchstack.com/database/wordpress/plugin/wc-sales-count-manager/vulnerability/wordpress-sales-count-manager-for-woocommerce-plugin-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| epeken--Epeken All Kurir | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in epeken Epeken All Kurir allows Stored XSS. This issue affects Epeken All Kurir: from n/a through 2.0.2. | 2025-09-22 | 5.9 | CVE-2025-57906 | https://patchstack.com/database/wordpress/plugin/epeken-all-kurir/vulnerability/wordpress-epeken-all-kurir-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Heureka Group--Heureka | Missing Authorization vulnerability in Heureka Group Heureka allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Heureka: from n/a through 1.1.0. | 2025-09-22 | 5.3 | CVE-2025-57907 | https://patchstack.com/database/wordpress/plugin/heureka/vulnerability/wordpress-heureka-plugin-1-1-0-broken-access-control-vulnerability?_s_id=cve |
| ProWCPlugins--Product Time Countdown for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Product Time Countdown for WooCommerce allows Stored XSS. This issue affects Product Time Countdown for WooCommerce: from n/a through 1.6.4. | 2025-09-22 | 5.9 | CVE-2025-57908 | https://patchstack.com/database/wordpress/plugin/product-countdown-for-woocommerce/vulnerability/wordpress-product-time-countdown-for-woocommerce-plugin-1-6-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| dialogity--Dialogity Free Live Chat | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dialogity Dialogity Free Live Chat allows Stored XSS. This issue affects Dialogity Free Live Chat: from n/a through 1.0.3. | 2025-09-22 | 5.9 | CVE-2025-57912 | https://patchstack.com/database/wordpress/plugin/dialogity-website-chat/vulnerability/wordpress-dialogity-free-live-chat-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CK MacLeod--Category Featured Images Extended | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CK MacLeod Category Featured Images Extended allows Stored XSS. This issue affects Category Featured Images Extended: from n/a through 1.52. | 2025-09-22 | 5.9 | CVE-2025-57920 | https://patchstack.com/database/wordpress/plugin/category-featured-images-extended/vulnerability/wordpress-category-featured-images-extended-plugin-1-52-cross-site-scripting-xss-vulnerability?_s_id=cve |
| N-Media--Frontend File Manager | Missing Authorization vulnerability in N-Media Frontend File Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frontend File Manager: from n/a through 23.2. | 2025-09-22 | 5.3 | CVE-2025-57921 | https://patchstack.com/database/wordpress/plugin/nmedia-user-file-uploader/vulnerability/wordpress-frontend-file-manager-plugin-23-2-broken-access-control-vulnerability?_s_id=cve |
| Coordinadora Mercantil S.A.--Envíos Coordinadora Woocommerce | Insertion of Sensitive Information Into Sent Data vulnerability in Coordinadora Mercantil S.A. Envíos Coordinadora Woocommerce allows Retrieve Embedded Sensitive Data. This issue affects Envíos Coordinadora Woocommerce: from n/a through 1.1.31. | 2025-09-22 | 5.3 | CVE-2025-57922 | https://patchstack.com/database/wordpress/plugin/coordinadora/vulnerability/wordpress-envios-coordinadora-woocommerce-plugin-1-1-31-sensitive-data-exposure-vulnerability?_s_id=cve |
| Ideal Postcodes--UK Address Postcode Validation | Insertion of Sensitive Information Into Sent Data vulnerability in Ideal Postcodes UK Address Postcode Validation allows Retrieve Embedded Sensitive Data. This issue affects UK Address Postcode Validation: from n/a through 3.9.2. | 2025-09-22 | 5.3 | CVE-2025-57923 | https://patchstack.com/database/wordpress/plugin/uk-address-postcode-validation/vulnerability/wordpress-uk-address-postcode-validation-plugin-3-9-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| Strategy11 Team--AWP Classifieds | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Strategy11 Team AWP Classifieds allows Code Injection. This issue affects AWP Classifieds: from n/a through 4.3.5. | 2025-09-22 | 5.3 | CVE-2025-57928 | https://patchstack.com/database/wordpress/plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-3-5-content-injection-vulnerability?_s_id=cve |
| kanwei_doublethedonation--Double the Donation | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kanwei_doublethedonation Double the Donation allows Stored XSS. This issue affects Double the Donation: from n/a through 2.0.0. | 2025-09-22 | 5.9 | CVE-2025-57929 | https://patchstack.com/database/wordpress/plugin/double-the-donation/vulnerability/wordpress-double-the-donation-plugin-2-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ricky Dawn--Bot Block – Stop Spam Referrals in Google Analytics | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ricky Dawn Bot Block – Stop Spam Referrals in Google Analytics allows Stored XSS. This issue affects Bot Block – Stop Spam Referrals in Google Analytics: from n/a through 2.6. | 2025-09-22 | 5.9 | CVE-2025-57935 | https://patchstack.com/database/wordpress/plugin/bot-block-stop-spam-google-analytics-referrals/vulnerability/wordpress-bot-block-stop-spam-referrals-in-google-analytics-plugin-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Blocksera--Image Hover Effects Elementor Addon | Missing Authorization vulnerability in Blocksera Image Hover Effects - Elementor Addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Hover Effects - Elementor Addon: from n/a through 1.4.4. | 2025-09-22 | 5.3 | CVE-2025-57939 | https://patchstack.com/database/wordpress/plugin/image-hover-effects-addon-for-elementor/vulnerability/wordpress-image-hover-effects-elementor-addon-plugin-1-4-4-broken-access-control-vulnerability?_s_id=cve |
| Suresh Kumar Mukhiya--Append extensions on Pages | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh Kumar Mukhiya Append extensions on Pages allows Stored XSS. This issue affects Append extensions on Pages: from n/a through 1.1.2. | 2025-09-22 | 5.9 | CVE-2025-57940 | https://patchstack.com/database/wordpress/plugin/append-extensions-on-pages/vulnerability/wordpress-append-extensions-on-pages-plugin-1-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| JonathanMH--Append Link on Copy | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JonathanMH Append Link on Copy allows Stored XSS. This issue affects Append Link on Copy: from n/a through 0.2. | 2025-09-22 | 5.9 | CVE-2025-57941 | https://patchstack.com/database/wordpress/plugin/append-link-on-copy/vulnerability/wordpress-append-link-on-copy-plugin-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Skimlinks--Skimlinks Affiliate Marketing Tool | Missing Authorization vulnerability in Skimlinks Skimlinks Affiliate Marketing Tool allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Skimlinks Affiliate Marketing Tool: from n/a through 1.3. | 2025-09-22 | 5.3 | CVE-2025-57944 | https://patchstack.com/database/wordpress/plugin/skimlinks/vulnerability/wordpress-skimlinks-affiliate-marketing-tool-plugin-1-3-broken-access-control-vulnerability?_s_id=cve |
| cedcommerce--WP Advanced PDF | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cedcommerce WP Advanced PDF allows Stored XSS. This issue affects WP Advanced PDF: from n/a through 1.1.7. | 2025-09-22 | 5.9 | CVE-2025-57945 | https://patchstack.com/database/wordpress/plugin/wp-advanced-pdf/vulnerability/wordpress-wp-advanced-pdf-plugin-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Loc Bui--payOS | Cross-Site Request Forgery (CSRF) vulnerability in Loc Bui payOS allows Cross Site Request Forgery. This issue affects payOS: from n/a through 1.0.61. | 2025-09-22 | 5.4 | CVE-2025-57946 | https://patchstack.com/database/wordpress/plugin/payos/vulnerability/wordpress-payos-plugin-1-0-61-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| oggix--Ongkoskirim.id | Missing Authorization vulnerability in oggix Ongkoskirim.id allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ongkoskirim.id: from n/a through 1.0.6. | 2025-09-22 | 5.4 | CVE-2025-57949 | https://patchstack.com/database/wordpress/plugin/ongkoskirim-id/vulnerability/wordpress-ongkoskirim-id-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| Glen Scott--Plugin Security Scanner | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Glen Scott Plugin Security Scanner allows Stored XSS. This issue affects Plugin Security Scanner: from n/a through 2.0.2. | 2025-09-22 | 5.9 | CVE-2025-57950 | https://patchstack.com/database/wordpress/plugin/plugin-security-scanner/vulnerability/wordpress-plugin-security-scanner-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ken107--SiteNarrator Text-to-Speech Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ken107 SiteNarrator Text-to-Speech Widget allows Stored XSS. This issue affects SiteNarrator Text-to-Speech Widget: from n/a through 1.9. | 2025-09-22 | 5.9 | CVE-2025-57951 | https://patchstack.com/database/wordpress/plugin/sitespeaker-widget/vulnerability/wordpress-sitenarrator-text-to-speech-widget-plugin-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| icopydoc--Maps for WP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Maps for WP allows Stored XSS. This issue affects Maps for WP: from n/a through 1.2.5. | 2025-09-22 | 5.9 | CVE-2025-57952 | https://patchstack.com/database/wordpress/plugin/maps-for-wp/vulnerability/wordpress-maps-for-wp-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpcraft--WooMS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpcraft WooMS allows Stored XSS. This issue affects WooMS: from n/a through 9.12. | 2025-09-22 | 5.9 | CVE-2025-57956 | https://patchstack.com/database/wordpress/plugin/wooms/vulnerability/wordpress-wooms-plugin-9-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpcraft--WooMS | Missing Authorization vulnerability in wpcraft WooMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooMS: from n/a through 9.12. | 2025-09-22 | 5.3 | CVE-2025-57957 | https://patchstack.com/database/wordpress/plugin/wooms/vulnerability/wordpress-wooms-plugin-9-12-broken-access-control-vulnerability?_s_id=cve |
| WPXPO--WowAddons | Missing Authorization vulnerability in WPXPO WowAddons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WowAddons: from n/a through 1.0.17. | 2025-09-22 | 5.3 | CVE-2025-57958 | https://patchstack.com/database/wordpress/plugin/product-addons/vulnerability/wordpress-wowaddons-plugin-1-0-17-broken-access-control-vulnerability?_s_id=cve |
| tmatsuur--Slightly troublesome permalink | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmatsuur Slightly troublesome permalink allows Stored XSS. This issue affects Slightly troublesome permalink: from n/a through 1.2.0. | 2025-09-22 | 5.9 | CVE-2025-57959 | https://patchstack.com/database/wordpress/plugin/slightly-troublesome-permalink/vulnerability/wordpress-slightly-troublesome-permalink-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e4jvikwp--VikRestaurants Table Reservations and Take-Away | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Stored XSS. This issue affects VikRestaurants Table Reservations and Take-Away: from n/a through 1.4. | 2025-09-22 | 5.9 | CVE-2025-57962 | https://patchstack.com/database/wordpress/plugin/vikrestaurants/vulnerability/wordpress-vikrestaurants-table-reservations-and-take-away-plugin-1-4-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| SALESmanago--SALESmanago | Missing Authorization vulnerability in SALESmanago SALESmanago allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SALESmanago: from n/a through 3.8.1. | 2025-09-22 | 5.3 | CVE-2025-57971 | https://patchstack.com/database/wordpress/plugin/salesmanago/vulnerability/wordpress-salesmanago-plugin-3-8-1-broken-access-control-vulnerability?_s_id=cve |
| Chad Butler--WP-Members | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chad Butler WP-Members allows Stored XSS. This issue affects WP-Members: from n/a through 3.5.4.2. | 2025-09-22 | 5.5 | CVE-2025-57973 | https://patchstack.com/database/wordpress/plugin/wp-members/vulnerability/wordpress-wp-members-plugin-3-5-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| tuyennv--TZ PlusGallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tuyennv TZ PlusGallery allows Stored XSS. This issue affects TZ PlusGallery: from n/a through 1.5.5. | 2025-09-22 | 5.9 | CVE-2025-57974 | https://patchstack.com/database/wordpress/plugin/tz-plus-gallery/vulnerability/wordpress-tz-plusgallery-plugin-1-5-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CardCom--CardCom Payment Gateway | Missing Authorization vulnerability in CardCom CardCom Payment Gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CardCom Payment Gateway: from n/a through 3.5.0.4. | 2025-09-22 | 5.3 | CVE-2025-57976 | https://patchstack.com/database/wordpress/plugin/woo-cardcom-payment-gateway/vulnerability/wordpress-cardcom-payment-gateway-plugin-3-5-0-4-broken-access-control-vulnerability?_s_id=cve |
| Russell Jamieson--AuthorSure | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson AuthorSure allows Stored XSS. This issue affects AuthorSure: from n/a through 2.3. | 2025-09-22 | 5.9 | CVE-2025-57979 | https://patchstack.com/database/wordpress/plugin/authorsure/vulnerability/wordpress-authorsure-plugin-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tomas Cordero--Safety Exit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas Cordero Safety Exit allows Stored XSS. This issue affects Safety Exit: from n/a through 1.8.0. | 2025-09-22 | 5.9 | CVE-2025-57980 | https://patchstack.com/database/wordpress/plugin/safety-exit/vulnerability/wordpress-safety-exit-plugin-1-8-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPBean--Advance Portfolio Grid | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean Advance Portfolio Grid allows Stored XSS. This issue affects Advance Portfolio Grid: from n/a through 1.07.6. | 2025-09-22 | 5.9 | CVE-2025-57982 | https://patchstack.com/database/wordpress/plugin/advance-portfolio-grid/vulnerability/wordpress-advance-portfolio-grid-plugin-1-07-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThimPress--WP Events Manager | Missing Authorization vulnerability in ThimPress WP Events Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Events Manager: from n/a through 2.2.1. | 2025-09-22 | 5.3 | CVE-2025-57987 | https://patchstack.com/database/wordpress/plugin/wp-events-manager/vulnerability/wordpress-wp-events-manager-plugin-2-2-1-broken-access-control-vulnerability?_s_id=cve |
| solwininfotech--Blog Designer | Missing Authorization vulnerability in solwininfotech Blog Designer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Blog Designer: from n/a through 3.1.8. | 2025-09-22 | 5.4 | CVE-2025-57990 | https://patchstack.com/database/wordpress/plugin/blog-designer/vulnerability/wordpress-blog-designer-plugin-3-1-8-broken-access-control-vulnerability?_s_id=cve |
| Clariti--Clariti | Missing Authorization vulnerability in Clariti Clariti allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Clariti: from n/a through 1.2.1. | 2025-09-22 | 5.4 | CVE-2025-57991 | https://patchstack.com/database/wordpress/plugin/clariti/vulnerability/wordpress-clariti-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve |
| Sayful Islam--Upcoming Events Lists | Authorization Bypass Through User-Controlled Key vulnerability in Sayful Islam Upcoming Events Lists allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Upcoming Events Lists: from n/a through 1.4.0. | 2025-09-22 | 5.4 | CVE-2025-57994 | https://patchstack.com/database/wordpress/plugin/upcoming-events-lists/vulnerability/wordpress-upcoming-events-lists-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Hamid Reza Yazdani--E-namad & Shamed Logo Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hamid Reza Yazdani E-namad & Shamed Logo Manager allows Stored XSS. This issue affects E-namad & Shamed Logo Manager: from n/a through 2.2. | 2025-09-22 | 5.9 | CVE-2025-57998 | https://patchstack.com/database/wordpress/plugin/e-namad-shamed-logo-manager/vulnerability/wordpress-e-namad-shamed-logo-manager-plugin-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| memberful--Memberful | Missing Authorization vulnerability in memberful Memberful allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Memberful: from n/a through 1.75.0. | 2025-09-22 | 5.3 | CVE-2025-58000 | https://patchstack.com/database/wordpress/plugin/memberful-wp/vulnerability/wordpress-memberful-plugin-1-75-0-broken-access-control-vulnerability?_s_id=cve |
| javothemes--Javo Core | Missing Authorization vulnerability in javothemes Javo Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through 3.0.0.266. | 2025-09-22 | 5.3 | CVE-2025-58003 | https://patchstack.com/database/wordpress/plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-266-broken-access-control-vulnerability?_s_id=cve |
| SmartDataSoft--DriCub | Missing Authorization vulnerability in SmartDataSoft DriCub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DriCub: from n/a through 2.9. | 2025-09-22 | 5.3 | CVE-2025-58004 | https://patchstack.com/database/wordpress/theme/dricub-driving-school/vulnerability/wordpress-dricub-theme-2-9-broken-access-control-vulnerability?_s_id=cve |
| SmartDataSoft--DriCub | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft DriCub allows Server Side Request Forgery. This issue affects DriCub: from n/a through 2.9. | 2025-09-22 | 5.4 | CVE-2025-58005 | https://patchstack.com/database/wordpress/theme/dricub-driving-school/vulnerability/wordpress-dricub-theme-2-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Ays Pro--Quiz Maker | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Ays Pro Quiz Maker allows Retrieve Embedded Sensitive Data. This issue affects Quiz Maker: from n/a through 6.7.0.61. | 2025-09-22 | 5.3 | CVE-2025-58015 | https://patchstack.com/database/wordpress/plugin/quiz-maker/vulnerability/wordpress-quiz-maker-plugin-6-7-0-61-sensitive-data-exposure-vulnerability?_s_id=cve |
| Sumit Singh--Classic Widgets with Block-based Widgets | Missing Authorization vulnerability in Sumit Singh Classic Widgets with Block-based Widgets allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Classic Widgets with Block-based Widgets: from n/a through 1.0.1. | 2025-09-22 | 5.3 | CVE-2025-58029 | https://patchstack.com/database/wordpress/plugin/classic-widgets-with-block-based-widgets/vulnerability/wordpress-classic-widgets-with-block-based-widgets-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| leeshadle--Draft | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leeshadle Draft allows Stored XSS. This issue affects Draft: from n/a through 3.0.9. | 2025-09-22 | 5.9 | CVE-2025-58033 | https://patchstack.com/database/wordpress/plugin/website-builder/vulnerability/wordpress-draft-plugin-3-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AutomationDirect--CLICK PLUS C0-0x CPU firmware | The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session. | 2025-09-23 | 5.3 | CVE-2025-58069 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 https://www.automationdirect.com/support/software-downloads |
| Maidul--Team Manager | Missing Authorization vulnerability in Maidul Team Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team Manager: from n/a through 2.3.14. | 2025-09-22 | 5.3 | CVE-2025-58222 | https://patchstack.com/database/wordpress/plugin/wp-team-manager/vulnerability/wordpress-team-manager-plugin-2-3-14-broken-access-control-vulnerability?_s_id=cve |
| Chris Taylor--VoucherPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Taylor VoucherPress allows Stored XSS. This issue affects VoucherPress: from n/a through 1.5.7. | 2025-09-22 | 5.9 | CVE-2025-58223 | https://patchstack.com/database/wordpress/plugin/voucherpress/vulnerability/wordpress-voucherpress-plugin-1-5-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Printeers--Printeers Print & Ship | Cross-Site Request Forgery (CSRF) vulnerability in Printeers Printeers Print & Ship allows Cross Site Request Forgery. This issue affects Printeers Print & Ship: from n/a through 1.17.0. | 2025-09-22 | 5.4 | CVE-2025-58224 | https://patchstack.com/database/wordpress/plugin/invition-print-ship/vulnerability/wordpress-printeers-print-ship-plugin-1-17-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| iberezansky--3D FlipBook - PDF Flipbook Viewer, Flipbook Image Gallery | Insertion of Sensitive Information Into Sent Data vulnerability in iberezansky 3D FlipBook - PDF Flipbook Viewer, Flipbook Image Gallery allows Retrieve Embedded Sensitive Data. This issue affects 3D FlipBook - PDF Flipbook Viewer, Flipbook Image Gallery: from n/a through 1.16.16. | 2025-09-22 | 5.3 | CVE-2025-58226 | https://patchstack.com/database/wordpress/plugin/interactive-3d-flipbook-powered-physics-engine/vulnerability/wordpress-3d-flipbook-pdf-flipbook-viewer-flipbook-image-gallery-plugin-1-16-16-sensitive-data-exposure-vulnerability?_s_id=cve |
| bestweblayout--Portfolio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bestweblayout Portfolio allows DOM-Based XSS. This issue affects Portfolio: from n/a through 2.58. | 2025-09-22 | 5.9 | CVE-2025-58245 | https://patchstack.com/database/wordpress/plugin/portfolio/vulnerability/wordpress-portfolio-plugin-2-58-cross-site-scripting-xss-vulnerability?_s_id=cve |
| templateinvaders--TI WooCommerce Wishlist | Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TI WooCommerce Wishlist: from n/a through 2.10.0. | 2025-09-22 | 5.3 | CVE-2025-58247 | https://patchstack.com/database/wordpress/plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve |
| Jonathan Brinley--DOAJ Export | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jonathan Brinley DOAJ Export allows Stored XSS. This issue affects DOAJ Export: from n/a through 1.0.4. | 2025-09-22 | 5.9 | CVE-2025-58256 | https://patchstack.com/database/wordpress/plugin/doaj-export/vulnerability/wordpress-doaj-export-plugin-1-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Fumiki Takahashi--Gianism | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fumiki Takahashi Gianism allows Stored XSS. This issue affects Gianism: from n/a through 5.2.2. | 2025-09-22 | 5.9 | CVE-2025-58266 | https://patchstack.com/database/wordpress/plugin/gianism/vulnerability/wordpress-gianism-plugin-5-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| weDevs--WP Project Manager | Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 2.6.25. | 2025-09-22 | 5.3 | CVE-2025-58269 | https://patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-25-sensitive-data-exposure-vulnerability?_s_id=cve |
| AnyClip Video Platform--AnyClip Luminous Studio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3. | 2025-09-22 | 5.9 | CVE-2025-58271 | https://patchstack.com/database/wordpress/plugin/anyclip-media/vulnerability/wordpress-anyclip-luminous-studio-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AutomationDirect--CLICK PLUS C0-0x CPU firmware | An improper resource shutdown or release vulnerability has been identified in the Click Plus C2-03CPU-2 device running firmware version 3.60. The vulnerability allows an unauthenticated attacker to perform a denial-of-service attack by exhausting all available device sessions of the Click Programming Software. | 2025-09-23 | 5.9 | CVE-2025-58473 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 https://www.automationdirect.com/support/software-downloads |
| Gravitate--Gravitate Automated Tester | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gravitate Gravitate Automated Tester allows Stored XSS. This issue affects Gravitate Automated Tester: from n/a through 1.4.5. | 2025-09-22 | 5.9 | CVE-2025-58645 | https://patchstack.com/database/wordpress/plugin/gravitate-automated-tester/vulnerability/wordpress-gravitate-automated-tester-plugin-1-4-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| chtombleson--Mobi2Go | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chtombleson Mobi2Go allows Stored XSS. This issue affects Mobi2Go: from n/a through 1.0.0. | 2025-09-22 | 5.9 | CVE-2025-58646 | https://patchstack.com/database/wordpress/plugin/mobi2go/vulnerability/wordpress-mobi2go-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Will.I.am--Simple Restaurant Menu | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Will.I.am Simple Restaurant Menu allows Stored XSS. This issue affects Simple Restaurant Menu: from n/a through 1.2. | 2025-09-22 | 5.9 | CVE-2025-58647 | https://patchstack.com/database/wordpress/plugin/simple-restaurant-menu/vulnerability/wordpress-simple-restaurant-menu-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Syed Balkhi--All In One SEO Pack | Missing Authorization vulnerability in Syed Balkhi All In One SEO Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects All In One SEO Pack: from n/a through 4.8.7. | 2025-09-22 | 5.4 | CVE-2025-58650 | https://patchstack.com/database/wordpress/plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-8-7-broken-access-control-vulnerability?_s_id=cve |
| Mattia Roccoberton--Category Featured Images | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mattia Roccoberton Category Featured Images allows Stored XSS. This issue affects Category Featured Images: from n/a through 1.1.8. | 2025-09-22 | 5.9 | CVE-2025-58655 | https://patchstack.com/database/wordpress/plugin/category-featured-images/vulnerability/wordpress-category-featured-images-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Risto Niinemets--Estonian Shipping Methods for WooCommerce | Use of Hard-coded Credentials vulnerability in Risto Niinemets Estonian Shipping Methods for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects Estonian Shipping Methods for WooCommerce: from n/a through 1.7.2. | 2025-09-22 | 5.3 | CVE-2025-58656 | https://patchstack.com/database/wordpress/plugin/estonian-shipping-methods-for-woocommerce/vulnerability/wordpress-estonian-shipping-methods-for-woocommerce-plugin-1-7-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| Proof Factor LLC--Proof Factor – Social Proof Notifications | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor – Social Proof Notifications allows Stored XSS. This issue affects Proof Factor – Social Proof Notifications: from n/a through 1.0.5. | 2025-09-22 | 5.9 | CVE-2025-58658 | https://patchstack.com/database/wordpress/plugin/proof-factor-social-proof-notifications/vulnerability/wordpress-proof-factor-social-proof-notifications-plugin-1-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Essekia--Helpie FAQ | Use of Hard-coded Credentials vulnerability in Essekia Helpie FAQ allows Retrieve Embedded Sensitive Data. This issue affects Helpie FAQ: from n/a through 1.39. | 2025-09-22 | 5.3 | CVE-2025-58659 | https://patchstack.com/database/wordpress/plugin/helpie-faq/vulnerability/wordpress-helpie-faq-plugin-1-39-sensitive-data-exposure-vulnerability?_s_id=cve |
| brandexponents--Oshine Core | Missing Authorization vulnerability in brandexponents Oshine Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Oshine Core: from n/a through 1.5.5. | 2025-09-22 | 5.4 | CVE-2025-58660 | https://patchstack.com/database/wordpress/plugin/oshine-core/vulnerability/wordpress-oshine-core-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve |
| eZee Technosys--eZee Online Hotel Booking Engine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eZee Technosys eZee Online Hotel Booking Engine allows Stored XSS. This issue affects eZee Online Hotel Booking Engine: from n/a through 1.0.0. | 2025-09-22 | 5.9 | CVE-2025-58661 | https://patchstack.com/database/wordpress/plugin/online-booking-engine/vulnerability/wordpress-ezee-online-hotel-booking-engine-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| tmontg1--Form Generator for WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmontg1 Form Generator for WordPress allows Stored XSS. This issue affects Form Generator for WordPress: from n/a through 1.5.2. | 2025-09-22 | 5.9 | CVE-2025-58665 | https://patchstack.com/database/wordpress/plugin/form-generator-powered-by-jotform/vulnerability/wordpress-form-generator-for-wordpress-plugin-1-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CridioStudio--ListingPro Reviews | Missing Authorization vulnerability in CridioStudio ListingPro Reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro Reviews: from n/a through 1.6. | 2025-09-22 | 5.4 | CVE-2025-58667 | https://patchstack.com/database/wordpress/plugin/listingpro-reviews/vulnerability/wordpress-listingpro-reviews-plugin-1-6-broken-access-control-vulnerability?_s_id=cve |
| Modern Minds--Magento 2 WordPress Integration | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modern Minds Magento 2 WordPress Integration allows Stored XSS. This issue affects Magento 2 WordPress Integration: from n/a through 1.4.1. | 2025-09-22 | 5.9 | CVE-2025-58669 | https://patchstack.com/database/wordpress/plugin/m2wp/vulnerability/wordpress-magento-2-wordpress-integration-plugin-1-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tareq Hasan--WP User Frontend | Missing Authorization vulnerability in Tareq Hasan WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.1.11. | 2025-09-22 | 5.4 | CVE-2025-58672 | https://patchstack.com/database/wordpress/plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-1-11-broken-access-control-vulnerability?_s_id=cve |
| Tareq Hasan--WP User Frontend | Improper Control of Generation of Code ('Code Injection') vulnerability in Tareq Hasan WP User Frontend allows Code Injection. This issue affects WP User Frontend: from n/a through 4.1.11. | 2025-09-22 | 5.4 | CVE-2025-58673 | https://patchstack.com/database/wordpress/plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-1-11-content-injection-vulnerability?_s_id=cve |
| Automattic--WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. The WordPress core security team is aware of the issue and working on a fix. This is a low-severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from n/a through 6.8.2. | 2025-09-23 | 5.9 | CVE-2025-58674 | https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AppMySite--AppMySite | Missing Authorization vulnerability in AppMySite AppMySite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AppMySite: from n/a through 3.14.0. | 2025-09-22 | 5.3 | CVE-2025-58679 | https://patchstack.com/database/wordpress/plugin/appmysite/vulnerability/wordpress-appmysite-plugin-3-14-0-broken-access-control-vulnerability?_s_id=cve |
| Jürgen Müller--Easy Quotes | Missing Authorization vulnerability in Jürgen Müller Easy Quotes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Quotes: from n/a through 1.2.4. | 2025-09-22 | 5.3 | CVE-2025-58681 | https://patchstack.com/database/wordpress/plugin/easy-quotes/vulnerability/wordpress-easy-quotes-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| cecabank--Cecabank WooCommerce Plugin | Missing Authorization vulnerability in cecabank Cecabank WooCommerce Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cecabank WooCommerce Plugin: from n/a through 0.3.4. | 2025-09-22 | 5.3 | CVE-2025-58685 | https://patchstack.com/database/wordpress/plugin/cecabank-woocommerce/vulnerability/wordpress-cecabank-woocommerce-plugin-plugin-0-3-4-broken-access-control-vulnerability?_s_id=cve |
| guihom--Wide Banner | Missing Authorization vulnerability in guihom Wide Banner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wide Banner: from n/a through 1.0.4. | 2025-09-26 | 5.3 | CVE-2025-58919 | https://patchstack.com/database/wordpress/plugin/wide-banner/vulnerability/wordpress-wide-banner-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve |
| brijeshk89--IP Based Login | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brijeshk89 IP Based Login allows Stored XSS. This issue affects IP Based Login: from n/a through 2.4.3. | 2025-09-22 | 5.9 | CVE-2025-58960 | https://patchstack.com/database/wordpress/plugin/ip-based-login/vulnerability/wordpress-ip-based-login-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Christiaan Pieterse--MaxiBlocks | Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MaxiBlocks: from n/a through 2.1.3. | 2025-09-22 | 5 | CVE-2025-58968 | https://patchstack.com/database/wordpress/plugin/maxi-blocks/vulnerability/wordpress-maxiblocks-plugin-2-1-3-broken-access-control-vulnerability?_s_id=cve |
| Greg Winiarski--Custom Login URL | Missing Authorization vulnerability in Greg Winiarski Custom Login URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Login URL: from n/a through 1.0.2. | 2025-09-22 | 5.3 | CVE-2025-58969 | https://patchstack.com/database/wordpress/plugin/custom-login-url/vulnerability/wordpress-custom-login-url-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| cubecart--v6 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form's Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11. | 2025-09-22 | 5.4 | CVE-2025-59411 | https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4 https://github.com/cubecart/v6/commit/299065bd4a8836782ce92f70988c730f130756db https://github.com/cubecart/v6/commit/48336c54532705873a8c4106208c2d596f128047 |
| cubecart--v6 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the administrator approves the review, the injected HTML is rendered on the product page for all visitors. This could be used to redirect users to malicious websites or to display unwanted content. This issue has been patched in version 6.5.11. | 2025-09-22 | 5.4 | CVE-2025-59412 | https://github.com/cubecart/v6/security/advisories/GHSA-qfrx-vvvp-h5m2 https://github.com/cubecart/v6/commit/1a0c0d8f6c9c141575eb5be07d04e7d49820005b https://github.com/cubecart/v6/commit/7d4bf593304332fa1258d4f0b10dd7c9f6283a86 |
| GSYT-Productions--BunnyPad-SRC | BunnyPad is a note taking software. Prior to version 11.0.27000.0915, opening files greater than or equal to 20MB causes a buffer overflow. This issue has been patched in version 11.0.27000.0915. Users who do not wish to upgrade should refrain from opening files larger than 10MB. | 2025-09-22 | 5.5 | CVE-2025-59418 | https://github.com/GSYT-Productions/BunnyPad-SRC/security/advisories/GHSA-qhw4-c7x5-vxmj https://github.com/GSYT-Productions/BunnyPad-SRC/commit/d9224eb5e13c24ac148a77dff93e53c21f066533 |
| conventional-changelog--conventional-changelog | Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Prior to version 2.0.0, @conventional-changelog/git-client has an argument injection vulnerability. This vulnerability manifests with the library's getTags() API, which allows extra parameters to be passed to the git log command. In another API by this library, getRawCommits(), there are secure practices taken to ensure that the extra parameter path is unable to inject an argument by ending the git log command with the special shell syntax --. However, the library does not follow the same practice for getTags(): it does not attempt to sanitize user input, validate the given params, or restrict them to an allow list, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options. This allows users to exploit an argument injection vulnerability in Git via the --output= command-line option, which results in overwriting arbitrary files. This issue has been patched in version 2.0.0. | 2025-09-22 | 5.3 | CVE-2025-59433 | https://github.com/conventional-changelog/conventional-changelog/security/advisories/GHSA-vh25-5764-9wcr https://github.com/conventional-changelog/conventional-changelog/commit/d95c9ffac05af58228bd89fa0ba37ad65741c6a2 |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the CKEditor file upload endpoint has insufficient sanitization for filenames, allowing network endpoints to be probed. A specially crafted request can be made to upload a file with Unicode characters, which would be translated into a path that could expose resources in the internal network of the hosted site. This issue has been patched in version 10.1.0. | 2025-09-23 | 5.3 | CVE-2025-59547 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-cgqj-mw4m-v7hp |
| Academy LMS--Academy LMS | Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS Academy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through 3.3.4. | 2025-09-22 | 5.5 | CVE-2025-59562 | https://patchstack.com/database/wordpress/plugin/academy/vulnerability/wordpress-academy-lms-plugin-3-3-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| CozyThemes--Cozy Blocks | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in CozyThemes Cozy Blocks allows Code Injection. This issue affects Cozy Blocks: from n/a through 2.1.29. | 2025-09-22 | 5.3 | CVE-2025-59573 | https://patchstack.com/database/wordpress/plugin/cozy-addons/vulnerability/wordpress-cozy-blocks-plugin-2-1-29-content-injection-vulnerability?_s_id=cve |
| Darren Cooney--Ajax Load More | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Darren Cooney Ajax Load More allows Retrieve Embedded Sensitive Data. This issue affects Ajax Load More: from n/a through 7.6.0.2. | 2025-09-22 | 5.3 | CVE-2025-59582 | https://patchstack.com/database/wordpress/plugin/ajax-load-more/vulnerability/wordpress-ajax-load-more-plugin-7-6-0-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| David Lingren--Media Library Assistant | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant: from n/a through 3.28. | 2025-09-22 | 5.9 | CVE-2025-59590 | https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-28-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Profession Fit--Profession Fit | Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page. | 2025-09-22 | 5.8 | CVE-2025-59797 | https://www.profession-fit.de https://github.com/Henkel-CyberVM/CVEs/blob/main/CVE-2025-59797/README.md |
| Shahjada--Download Manager | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through 3.3.24. | 2025-09-26 | 5.3 | CVE-2025-60092 | https://patchstack.com/database/wordpress/plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-24-sensitive-data-exposure-vulnerability?_s_id=cve |
| CodexThemes--TheGem (Elementor) | Missing Authorization vulnerability in CodexThemes TheGem (Elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem (Elementor): from n/a through 5.10.5. | 2025-09-26 | 5.4 | CVE-2025-60096 | https://patchstack.com/database/wordpress/theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-10-5-broken-access-control-vulnerability?_s_id=cve |
| CodexThemes--TheGem | Missing Authorization vulnerability in CodexThemes TheGem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem: from n/a through 5.10.5. | 2025-09-26 | 5.4 | CVE-2025-60097 | https://patchstack.com/database/wordpress/theme/thegem/vulnerability/wordpress-thegem-theme-5-10-5-broken-access-control-vulnerability?_s_id=cve |
| 8theme--XStore | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection. This issue affects XStore: from n/a through 9.5.3. | 2025-09-26 | 5.3 | CVE-2025-60100 | https://patchstack.com/database/wordpress/theme/xstore/vulnerability/wordpress-xstore-theme-9-5-3-content-injection-vulnerability?_s_id=cve |
| Woostify--Woostify | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Woostify Woostify allows Stored XSS. This issue affects Woostify: from n/a through 2.4.2. | 2025-09-26 | 5.9 | CVE-2025-60101 | https://patchstack.com/database/wordpress/theme/woostify/vulnerability/wordpress-woostify-theme-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CridioStudio--ListingPro | Missing Authorization vulnerability in CridioStudio ListingPro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through 2.9.8. | 2025-09-26 | 5.4 | CVE-2025-60103 | https://patchstack.com/database/wordpress/plugin/listingpro-plugin/vulnerability/wordpress-listingpro-plugin-2-9-8-broken-access-control-vulnerability?_s_id=cve |
| Jordy Meow--Gallery Custom Links | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jordy Meow Gallery Custom Links allows Stored XSS. This issue affects Gallery Custom Links: from n/a through 2.2.5. | 2025-09-26 | 5.9 | CVE-2025-60104 | https://patchstack.com/database/wordpress/plugin/gallery-custom-links/vulnerability/wordpress-gallery-custom-links-plugin-2-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Conference Theme Custom Post Type | Missing Authorization vulnerability in ThemeGoods Grand Conference Theme Custom Post Type allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grand Conference Theme Custom Post Type: from n/a through 2.6.3. | 2025-09-26 | 5.4 | CVE-2025-60116 | https://patchstack.com/database/wordpress/plugin/grandconference-custom-post/vulnerability/wordpress-grand-conference-theme-custom-post-type-plugin-2-6-3-broken-access-control-vulnerability?_s_id=cve |
| CoSchedule--CoSchedule | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in CoSchedule CoSchedule allows Retrieve Embedded Sensitive Data. This issue affects CoSchedule: from n/a through 3.3.10. | 2025-09-26 | 5.3 | CVE-2025-60119 | https://patchstack.com/database/wordpress/plugin/coschedule-by-todaymade/vulnerability/wordpress-coschedule-plugin-3-3-10-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpdirectorykit--WP Directory Kit | Missing Authorization vulnerability in wpdirectorykit WP Directory Kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Directory Kit: from n/a through 1.3.8. | 2025-09-26 | 5.3 | CVE-2025-60120 | https://patchstack.com/database/wordpress/plugin/wpdirectorykit/vulnerability/wordpress-wp-directory-kit-plugin-1-3-8-broken-access-control-vulnerability?_s_id=cve |
| Ex-Themes--WooEvents | Missing Authorization vulnerability in Ex-Themes WooEvents allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooEvents: from n/a through 4.1.7. | 2025-09-26 | 5.3 | CVE-2025-60121 | https://patchstack.com/database/wordpress/plugin/woo-events/vulnerability/wordpress-wooevents-plugin-4-1-7-broken-access-control-vulnerability?_s_id=cve |
| themelooks--FoodBook | Insertion of Sensitive Information Into Sent Data vulnerability in themelooks FoodBook allows Retrieve Embedded Sensitive Data. This issue affects FoodBook: from n/a through 4.7.1. | 2025-09-26 | 5.3 | CVE-2025-60125 | https://patchstack.com/database/wordpress/plugin/foodbook/vulnerability/wordpress-foodbook-plugin-4-7-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| ArtistScope--CopySafe Web Protection | Missing Authorization vulnerability in ArtistScope CopySafe Web Protection allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CopySafe Web Protection: from n/a through 4.3. | 2025-09-26 | 5.4 | CVE-2025-60127 | https://patchstack.com/database/wordpress/plugin/wp-copysafe-web/vulnerability/wordpress-copysafe-web-protection-plugin-4-3-broken-access-control-vulnerability?_s_id=cve |
| Yext--Yext | Missing Authorization vulnerability in Yext Yext allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Yext: from n/a through 1.1.3. | 2025-09-26 | 5.3 | CVE-2025-60129 | https://patchstack.com/database/wordpress/plugin/yext/vulnerability/wordpress-yext-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| wedos.com--WEDOS Global | Missing Authorization vulnerability in wedos.com WEDOS Global allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEDOS Global: from n/a through 1.2.2. | 2025-09-26 | 5.3 | CVE-2025-60130 | https://patchstack.com/database/wordpress/plugin/wgpwpp/vulnerability/wordpress-wedos-global-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve |
| DJ-Extensions.com--PE Easy Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DJ-Extensions.com PE Easy Slider allows Stored XSS. This issue affects PE Easy Slider: from n/a through 1.1.0. | 2025-09-26 | 5.9 | CVE-2025-60133 | https://patchstack.com/database/wordpress/plugin/pe-easy-slider/vulnerability/wordpress-pe-easy-slider-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cartpauj--User Notes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cartpauj User Notes allows Stored XSS. This issue affects User Notes: from n/a through 1.0.2. | 2025-09-26 | 5.9 | CVE-2025-60136 | https://patchstack.com/database/wordpress/plugin/user-notes/vulnerability/wordpress-user-notes-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| thetechtribe--The Tribal | Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal allows Retrieve Embedded Sensitive Data. This issue affects The Tribal: from n/a through 1.3.3. | 2025-09-26 | 5.3 | CVE-2025-60140 | https://patchstack.com/database/wordpress/plugin/the-tech-tribe/vulnerability/wordpress-the-tribal-plugin-1-3-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| thetechtribe--The Tribal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thetechtribe The Tribal allows Stored XSS. This issue affects The Tribal: from n/a through 1.3.3. | 2025-09-26 | 5.9 | CVE-2025-60141 | https://patchstack.com/database/wordpress/plugin/the-tech-tribe/vulnerability/wordpress-the-tribal-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| yonifre--Lenix scss compiler | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Lenix scss compiler allows Stored XSS. This issue affects Lenix scss compiler: from n/a through 1.2. | 2025-09-26 | 5.9 | CVE-2025-60144 | https://patchstack.com/database/wordpress/plugin/lenix-scss-compiler/vulnerability/wordpress-lenix-scss-compiler-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Amit Verma--Map Categories to Pages | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amit Verma Map Categories to Pages allows Stored XSS. This issue affects Map Categories to Pages: from n/a through 1.3.2. | 2025-09-26 | 5.9 | CVE-2025-60146 | https://patchstack.com/database/wordpress/plugin/map-categories-to-pages/vulnerability/wordpress-map-categories-to-pages-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Michael Ott--Notely | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Ott Notely allows Stored XSS. This issue affects Notely: from n/a through 1.8.0. | 2025-09-26 | 5.9 | CVE-2025-60149 | https://patchstack.com/database/wordpress/plugin/notely/vulnerability/wordpress-notely-plugin-1-8-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jennifer Moss--MWW Disclaimer Buttons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons allows Stored XSS. This issue affects MWW Disclaimer Buttons: from n/a through 3.41. | 2025-09-26 | 5.9 | CVE-2025-60154 | https://patchstack.com/database/wordpress/plugin/mww-disclaimer-buttons/vulnerability/wordpress-mww-disclaimer-buttons-plugin-3-41-cross-site-scripting-xss-vulnerability?_s_id=cve |
| loopus--WP Virtual Assistant | Missing Authorization vulnerability in loopus WP Virtual Assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Virtual Assistant: from n/a through 3.0. | 2025-09-26 | 5.3 | CVE-2025-60155 | https://patchstack.com/database/wordpress/plugin/virtualassistant/vulnerability/wordpress-wp-virtual-assistant-plugin-3-0-broken-access-control-vulnerability?_s_id=cve |
| webmaniabr--Nota Fiscal Eletrônica WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Stored XSS. This issue affects Nota Fiscal Eletrônica WooCommerce: from n/a through 3.4.0.6. | 2025-09-26 | 5.9 | CVE-2025-60158 | https://patchstack.com/database/wordpress/plugin/nota-fiscal-eletronica-woocommerce/vulnerability/wordpress-nota-fiscal-eletronica-woocommerce-plugin-3-4-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| sharkthemes--Smart Related Products | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sharkthemes Smart Related Products allows Stored XSS. This issue affects Smart Related Products: from n/a through 2.0.5. | 2025-09-26 | 5.9 | CVE-2025-60160 | https://patchstack.com/database/wordpress/plugin/ai-related-products/vulnerability/wordpress-smart-related-products-plugin-2-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bdthemes--ZoloBlocks | Server-Side Request Forgery (SSRF) vulnerability in bdthemes ZoloBlocks allows Server Side Request Forgery. This issue affects ZoloBlocks: from n/a through 2.3.9. | 2025-09-26 | 5.4 | CVE-2025-60161 | https://patchstack.com/database/wordpress/plugin/zoloblocks/vulnerability/wordpress-zoloblocks-plugin-2-3-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| rozx--Recaptcha – wp | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha – wp allows Stored XSS. This issue affects Recaptcha – wp: from n/a through 0.2.6. | 2025-09-26 | 5.9 | CVE-2025-60177 | https://patchstack.com/database/wordpress/plugin/recaptcha-wp/vulnerability/wordpress-recaptcha-wp-plugin-0-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Space Studio--Click & Tweet | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9. | 2025-09-26 | 5.9 | CVE-2025-60179 | https://patchstack.com/database/wordpress/plugin/click-tweet/vulnerability/wordpress-click-tweet-plugin-0-8-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| silence--Silencesoft RSS Reader | Server-Side Request Forgery (SSRF) vulnerability in silence Silencesoft RSS Reader allows Server Side Request Forgery. This issue affects Silencesoft RSS Reader: from n/a through 0.6. | 2025-09-26 | 5.4 | CVE-2025-60181 | https://patchstack.com/database/wordpress/plugin/external-rss-reader/vulnerability/wordpress-silencesoft-rss-reader-plugin-0-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Terry L.--SEO Search Permalink | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. SEO Search Permalink allows Stored XSS. This issue affects SEO Search Permalink: from n/a through 1.0.3. | 2025-09-26 | 5.9 | CVE-2025-60184 | https://patchstack.com/database/wordpress/plugin/seo-search-permalink/vulnerability/wordpress-seo-search-permalink-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kontur.us--kontur Admin Style | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style allows Stored XSS. This issue affects kontur Admin Style: from n/a through 1.0.4. | 2025-09-26 | 5.9 | CVE-2025-60185 | https://patchstack.com/database/wordpress/plugin/kontur-admin-style/vulnerability/wordpress-kontur-admin-style-plugin-1-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Alex Moss--Google+ Comments | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Moss Google+ Comments allows Stored XSS. This issue affects Google+ Comments: from n/a through 1.0. | 2025-09-26 | 5.9 | CVE-2025-60186 | https://patchstack.com/database/wordpress/plugin/google-plus-comments/vulnerability/wordpress-google-comments-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Unitree--Go2 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. | 2025-09-26 | 5 | CVE-2025-60251 | https://spectrum.ieee.org/unitree-robot-exploit https://github.com/Bin4ry/UniPwn https://news.ycombinator.com/item?id=45381590 |
| Horato Internet Technologies Ind. and Trade Inc.--Virtual Library Platform | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Horato Internet Technologies Ind. And Trade Inc. Virtual Library Platform allows Reflected XSS. This issue affects Virtual Library Platform: before v202. | 2025-09-22 | 5.4 | CVE-2025-9035 | https://www.usom.gov.tr/bildirim/tr-25-0284 |
| marceljm--Featured Image from URL (FIFU) | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts. | 2025-09-26 | 5.3 | CVE-2025-9984 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9423858b-74be-4b34-961d-97765d8edcbf?source=cve https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/debug.php?rev=3348285 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail= |
| marceljm--Featured Image from URL (FIFU) | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | 2025-09-26 | 5.3 | CVE-2025-9985 | https://www.wordfence.com/threat-intel/vulnerabilities/id/991d63da-ca6c-400e-beb7-b44cf629abc9?source=cve https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/log.php?rev=3344903 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail=#file6 |
| WSO2--WSO2 Identity Server as Key Manager | A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI. By exploiting this vulnerability, attackers can manipulate browser-displayed error messages, enabling social engineering attacks through deceptive or misleading content. | 2025-09-23 | 4.3 | CVE-2024-6429 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3490/ |
| PROLIZ Computer Software Hardware Service Trade Ltd. Co.--OBS (Student Affairs Information System) | Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection. This issue affects OBS (Student Affairs Information System): before v26.0328. | 2025-09-22 | 4.2 | CVE-2025-0875 | https://www.usom.gov.tr/bildirim/tr-25-0282 |
| marceljm--Featured Image from URL (FIFU) | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-09-26 | 4.9 | CVE-2025-10036 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ed54fe33-6467-4af2-ba28-dd17287d8f92?source=cve https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/api.php?rev=3348285 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail= |
| marceljm--Featured Image from URL (FIFU) | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-09-26 | 4.9 | CVE-2025-10037 | https://www.wordfence.com/threat-intel/vulnerabilities/id/54c1b0e9-6fab-4452-b232-953e671f4d8d?source=cve https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/admin/db.php?rev=3348285 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362830%40featured-image-from-url&new=3362830%40featured-image-from-url&sfp_email=&sfph_mail= |
| qriouslad--System Dashboard | The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-26 | 4.3 | CVE-2025-10377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ea38e16f-4012-4d22-9a47-76f91251e1d7?source=cve https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.20/admin/class-system-dashboard-admin.php#L9108 https://plugins.trac.wordpress.org/changeset/3364295/system-dashboard/tags/2.8.21/admin/class-system-dashboard-admin.php?old=3253979&old_path=system-dashboard%2Ftags%2F2.8.20%2Fadmin%2Fclass-system-dashboard-admin.php |
| dylanjkotze--Zephyr Project Manager | The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-09-26 | 4.4 | CVE-2025-10490 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf68c19-ee1b-4d0a-876b-c061763b39c3?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366388%40zephyr-project-manager&new=3366388%40zephyr-project-manager&sfp_email=&sfph_mail= |
| kstover--Ninja Forms The Contact Form Builder That Grows With You | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an administrator into performing an action such as clicking on a link. | 2025-09-27 | 4.3 | CVE-2025-10498 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b082176c-9486-416c-8215-cdba4d6e5260?source=cve https://plugins.trac.wordpress.org/browser/ninja-forms/trunk/includes/Admin/Menus/Submissions.php#L464 https://plugins.trac.wordpress.org/changeset/3365881/ninja-forms/trunk?contextall=1&old=3362375&old_path=%2Fninja-forms%2Ftrunk#file6 |
| kstover--Ninja Forms The Contact Form Builder That Grows With You | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation on the maybe_opt_in() function. This makes it possible for unauthenticated attackers to opt an affected site into usage statistics collection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-27 | 4.3 | CVE-2025-10499 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2f118fc-d99a-4713-865e-2da7a9e20db5?source=cve https://plugins.trac.wordpress.org/browser/ninja-forms/trunk/lib/NF_Tracking.php https://plugins.trac.wordpress.org/changeset/3365881/ninja-forms/trunk?contextall=1&old=3362375&old_path=%2Fninja-forms%2Ftrunk#file6 |
| cyberlord92--OAuth Single Sign On SSO (OAuth Client) | The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-26 | 4.3 | CVE-2025-10752 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e8d7e8f3-e8ff-460f-a343-807bcdb865dc?source=cve https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L285 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360768%40miniorange-login-with-eve-online-google-facebook&new=3360768%40miniorange-login-with-eve-online-google-facebook&sfp_email=&sfph_mail= |
| Ruijie--6000-E10 | A weakness has been identified in Ruijie 6000-E10 up to 2.4.3.6-20171117. This affects an unknown part of the file /view/vpn/autovpn/sub_commit.php. This manipulation of the argument key causes os command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-22 | 4.7 | CVE-2025-10774 | VDB-325130 | Ruijie 6000-E10 sub_commit.php os command injection VDB-325130 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649968 | Ruijie 6000-E10 Unified Internet Access Management and Auditing System 6000-E10 command execution https://github.com/maximdevere/CVE2/issues/1 |
| Wavlink--WL-NU516U1 | A security vulnerability has been detected in Wavlink WL-NU516U1 240425. This vulnerability affects the function sub_4012A0 of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-22 | 4.7 | CVE-2025-10775 | VDB-325131 | Wavlink WL-NU516U1 login.cgi sub_4012A0 os command injection VDB-325131 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650641 | Wavlink WL-NU516U1 M16U1_V240425 Remote Command Execution https://github.com/swwer7000/iot |
| PHPGurukul--Car Rental Project | A flaw has been found in PHPGurukul Car Rental Project 3.0. Affected by this issue is some unknown functionality of the file /carrental/search.php. Executing manipulation of the argument autofocus can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-09-22 | 4.3 | CVE-2025-10794 | VDB-325151 | PHPGurukul Car Rental Project search.php cross site scripting VDB-325151 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #654067 | PHPGurukul Car Rental Project V 3.0 a cross-site scripting (XSS) https://github.com/tddgns/cve/issues/1 https://phpgurukul.com/ |
| fuyang_lipengjun--platform | A security vulnerability has been detected in fuyang_lipengjun platform 1.0. This issue affects the function UserCouponController of the file /usercoupon/queryAll. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-09-22 | 4.3 | CVE-2025-10819 | VDB-325176 | fuyang_lipengjun platform queryAll UserCouponController improper authorization VDB-325176 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653740 | fuyang_lipengjun platform 1 broken function level authorization https://www.cnblogs.com/aibot/p/19063466 |
| fuyang_lipengjun--platform | A vulnerability was detected in fuyang_lipengjun platform 1.0. Impacted is the function TopicController of the file /topic/queryAll. The manipulation results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. | 2025-09-22 | 4.3 | CVE-2025-10820 | VDB-325177 | fuyang_lipengjun platform queryAll TopicController improper authorization VDB-325177 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653741 | fuyang_lipengjun platform 1 broken function level authorization https://www.cnblogs.com/aibot/p/19063465 |
| fuyang_lipengjun--platform | A flaw has been found in fuyang_lipengjun platform 1.0. The affected element is the function TopicCategoryController of the file /topiccategory/queryAll. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2025-09-22 | 4.3 | CVE-2025-10821 | VDB-325178 | fuyang_lipengjun platform queryAll TopicCategoryController improper authorization VDB-325178 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653742 | fuyang_lipengjun platform 1.0 broken function level authorization https://www.cnblogs.com/aibot/p/19063464 |
| fuyang_lipengjun--platform | A vulnerability has been found in fuyang_lipengjun platform 1.0. The impacted element is the function SysSmsLogController of the file /sys/smslog/queryAll. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2025-09-22 | 4.3 | CVE-2025-10822 | VDB-325179 | fuyang_lipengjun platform queryAll SysSmsLogController improper authorization VDB-325179 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653743 | fuyang_lipengjun platform 1.0 broken function level authorization https://www.cnblogs.com/aibot/p/19063462 |
| PHPJabbers--Restaurant Menu Maker | A weakness has been identified in PHPJabbers Restaurant Menu Maker up to 1.1. Affected by this issue is some unknown functionality of the file /preview.php. This manipulation of the argument theme causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-23 | 4.3 | CVE-2025-10827 | VDB-325184 | PHPJabbers Restaurant Menu Maker preview.php cross site scripting VDB-325184 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #655884 | PHPJABBERS Restaurant Menu Maker V1.1 Cross Site Scripting https://github.com/485961590/CVE/issues/1 |
| n/a--JeecgBoot | A security flaw has been discovered in JeecgBoot up to 3.8.2. The affected element is an unknown function of the file /sys/user/exportXls of the component Filter Handler. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 4.3 | CVE-2025-10978 | VDB-325849 | JeecgBoot Filter exportXls improper authorization VDB-325849 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653336 | jeecgboot JeecgBoot 3.8.2 broken function level authorization https://www.cnblogs.com/aibot/p/19063352 |
| n/a--JeecgBoot | A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function of the file /sys/role/exportXls. This manipulation causes improper authorization. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 4.3 | CVE-2025-10979 | VDB-325850 | JeecgBoot exportXls improper authorization VDB-325850 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653337 | jeecgboot JeecgBoot 3.8.2 broken function level authorization https://www.cnblogs.com/aibot/p/19063353 |
| n/a--JeecgBoot | A security vulnerability has been detected in JeecgBoot up to 3.8.2. This affects an unknown function of the file /sys/position/exportXls. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 4.3 | CVE-2025-10980 | VDB-325851 | JeecgBoot exportXls improper authorization VDB-325851 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653340 | jeecgboot Jeecgboot 3.8.2 broken function level authorization https://www.cnblogs.com/aibot/p/19063355 |
| n/a--JeecgBoot | A vulnerability was detected in JeecgBoot up to 3.8.2. This impacts an unknown function of the file /sys/tenant/exportXls. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-26 | 4.3 | CVE-2025-10981 | VDB-325852 | JeecgBoot exportXls improper authorization VDB-325852 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653341 | jeecgboot JeecgBoot 3.8.2 broken function level authorization https://www.cnblogs.com/aibot/p/19063356 |
| n/a--MuYuCMS | A security flaw has been discovered in MuYuCMS up to 2.7. Affected by this issue is some unknown functionality of the file /admin.php of the component Template Management. The manipulation results in code injection. It is possible to launch the attack remotely. | 2025-09-26 | 4.7 | CVE-2025-10993 | VDB-325921 | MuYuCMS Template Management admin.php code injection VDB-325921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #654014 | MuYuCMS 2.7 rce https://gitee.com/MuYuCMS/MuYuCMS/issues/ICXVCE |
| kalcaddle--kodbox | A security vulnerability has been detected in kalcaddle kodbox up to 1.61.09. The affected element is the function fileOut of the file app/controller/explorer/index.class.php. Such manipulation of the argument path leads to path traversal. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-26 | 4.3 | CVE-2025-11016 | VDB-325959 \| kalcaddle kodbox index.class.php fileOut path traversal VDB-325959 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #654367 \| kalcaddle kodbox V1.61.09 Arbitrary File Read https://github.com/August829/YU1/issues/3 https://github.com/August829/YU1/issues/3#issue-3416620392 |
| givanz--Vvveb | A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | 2025-09-26 | 4.3 | CVE-2025-11029 | VDB-325967 \| givanz Vvveb cross-site request forgery VDB-325967 \| CTI Indicators (IOB, IOC) Submit #657188 \| givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request Submit #657190 \| givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request (Duplicate) Submit #657191 \| givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request (Duplicate) Submit #657192 \| givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request (Duplicate) https://gist.github.com/KhanMarshaI/165ae8f63ec6b5fdf1f4123252499fce https://gist.github.com/KhanMarshaI/db888b65cfd75bead2035348babfb423 |
| Dibo--Data Decision Making System | A vulnerability was found in Dibo Data Decision Making System up to 2.7.0. The affected element is the function downloadImpTemplet of the file /common/dep/common_dep.action.jsp. The manipulation of the argument filePath results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-09-26 | 4.3 | CVE-2025-11034 | VDB-325981 \| Dibo Data Decision Making System common_dep.action.jsp downloadImpTemplet path traversal VDB-325981 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #658242 \| Shenzhen Dibo Enterprise Risk Management Technology Co., Ltd Dibo Data Decision-Making System 2.7.0 arbitrary file read vulnerability https://github.com/FightingLzn9/vul/blob/main/%E8%BF%AA%E5%8D%9A%E6%95%B0%E6%8D%AE%E5%86%B3%E7%AD%96%E7%B3%BB%E7%BB%9F.md |
| GitLab--GitLab | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries. | 2025-09-26 | 4.3 | CVE-2025-11042 | GitLab Issue #550374 |
| SourceCodester--Pet Grooming Management Software | A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be carried out remotely. | 2025-09-27 | 4.3 | CVE-2025-11051 | VDB-326088 \| SourceCodester Pet Grooming Management Software cross-site request forgery VDB-326088 \| CTI Indicators (IOB, IOC) Submit #659305 \| SourceCodester Pet Grooming Management Software 0 Cross-Site Request Forgery https://www.sourcecodester.com/ |
| n/a--SeaCMS | A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-09-27 | 4.7 | CVE-2025-11071 | VDB-326112 \| SeaCMS Cron Task Management admin_cron.php sql injection VDB-326112 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #659883 \| SeaCMS v13.3.20250820 SQL Injection https://github.com/Hebing123/cve/issues/93 |
| Keyfactor--RG-EW5100BE | A vulnerability was detected in Keyfactor RG-EW5100BE EW_3.0B11P280_EW5100BE-PRO_12183019. The affected element is an unknown function of the file /cgi-bin/luci/api/cmd of the component HTTP POST Request Handler. The manipulation of the argument url results in command injection. The attack can be launched remotely. The exploit is now public and may be used. | 2025-09-27 | 4.7 | CVE-2025-11073 | VDB-326113 \| Keyfactor RG-EW5100BE HTTP POST Request cmd command injection VDB-326113 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #659933 \| Ruijie RG-EW5100BE - EW_3.0B11P280_EW5100BE-PRO_12183019 - Command Injection https://github.com/s1nec-1o/cve/blob/main/cve-report.md https://github.com/s1nec-1o/cve/blob/main/cve-report.md#poc |
| zhuimengshaonian--wisdom-education | A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. This vulnerability affects the function selectStudentExamInfoList of the file src/main/java/com/education/api/controller/student/ExamInfoController.java. Such manipulation of the argument subjectId leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-09-27 | 4.3 | CVE-2025-11080 | VDB-326121 \| zhuimengshaonian wisdom-education ExamInfoController.java selectStudentExamInfoList improper authorization VDB-326121 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #661308 \| https://gitee.com/zhuimengshaonian/wisdom-education wisdom-education 1.0.4 Horizontal overstepping authority https://github.com/xkalami-Tta0/CVE/blob/main/wisdom-education/%E6%B0%B4%E5%B9%B3%E8%B6%8A%E6%9D%83.md https://github.com/xkalami-Tta0/CVE/blob/main/wisdom-education/%E6%B0%B4%E5%B9%B3%E8%B6%8A%E6%9D%83.md#vulnerability-reproduction |
| Projectworlds--Online Tours and Travels | A security vulnerability has been detected in Projectworlds Online Tours and Travels 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/change-image.php. The manipulation of the argument packageimage leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-09-28 | 4.7 | CVE-2025-11103 | VDB-326184 \| Projectworlds Online Tours and Travels change-image.php unrestricted upload VDB-326184 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662395 \| projectworlds Online Tours and Travels Project V1.0 Incomplete Identification of Uploaded File Variables https://github.com/Landjun/CVE/issues/1 |
| PHPGurukul--Employee Record Management System | A security vulnerability has been detected in PHPGurukul Employee Record Management System 1.3. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument First name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-09-28 | 4.3 | CVE-2025-11112 | VDB-326193 \| PHPGurukul Employee Record Management System myprofile.php cross site scripting VDB-326193 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #662498 \| phpgurukul employee-record-management-system V1.3 Cross Site Scripting https://github.com/tiancesec/CVE/issues/2 https://phpgurukul.com/ |
| itsourcecode--Hostel Management System | A security flaw has been discovered in itsourcecode Hostel Management System 1.0. Impacted is an unknown function of the file /justines/index.php of the component POST Request Handler. Performing manipulation of the argument from results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-28 | 4.3 | CVE-2025-11119 | VDB-326200 \| itsourcecode Hostel Management System POST Request index.php cross site scripting VDB-326200 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #663519 \| itsourcecode Hostel Management System V1.0 xss https://github.com/iflame28/CVE/issues/1 https://itsourcecode.com/ |
| langleyfcu--Online Banking System | A vulnerability was found in langleyfcu Online Banking System up to 57437e6400ce0ae240e692c24e6346b8d0c17d7a. Affected by this vulnerability is an unknown functionality of the file /connection_error.php of the component Error Message Handler. Performing manipulation of the argument Error results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2025-09-28 | 4.3 | CVE-2025-11125 | VDB-326206 \| langleyfcu Online Banking System Error Message connection_error.php cross site scripting VDB-326206 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #664319 \| langleyfcu/online-banking-system web 1 XSS vulnerability https://github.com/Lianhaorui/Report/blob/main/xss.docx |
| Cisco--Cisco Aironet Access Point Software (IOS XE Controller) | A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames with arbitrary information. This vulnerability is due to insufficient verification checks of incoming 802.11 action frames. An attacker could exploit this vulnerability by sending 802.11 Device Analytics action frames with arbitrary parameters. A successful exploit could allow the attacker to inject Device Analytics action frames with arbitrary information, which could modify the Device Analytics data of valid wireless clients that are connected to the same wireless controller. | 2025-09-24 | 4.3 | CVE-2025-20364 | cisco-sa-action-frame-inj-QqCNcz8H |
| Cisco--Cisco Aironet Access Point Software (IOS XE Controller) | A vulnerability in the IPv6 Router Advertisement (RA) packet processing of Cisco Access Point Software could allow an unauthenticated, adjacent attacker to modify the IPv6 gateway on an affected device. This vulnerability is due to a logic error in the processing of IPv6 RA packets that are received from wireless clients. An attacker could exploit this vulnerability by associating to a wireless network and sending a series of crafted IPv6 RA packets. A successful exploit could allow the attacker to temporarily change the IPv6 gateway of an affected device. This could also lead to intermittent packet loss for any wireless clients that are associated with the affected device. | 2025-09-24 | 4.3 | CVE-2025-20365 | cisco-sa-ap-ipv6-gw-tUAzpn9O |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA nvJPEG contains a vulnerability in jpeg encoding where a user may cause an out-of-bounds read by providing a maliciously crafted input image with dimensions that cause integer overflows in array index calculations. A successful exploit of this vulnerability may lead to denial of service. | 2025-09-24 | 4.5 | CVE-2025-23274 | https://nvd.nist.gov/vuln/detail/CVE-2025-23274 https://www.cve.org/CVERecord?id=CVE-2025-23274 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvJPEG where a local authenticated user may cause a GPU out-of-bounds write by providing certain image dimensions. A successful exploit of this vulnerability may lead to denial of service and information disclosure. | 2025-09-24 | 4.2 | CVE-2025-23275 | https://nvd.nist.gov/vuln/detail/CVE-2025-23275 https://www.cve.org/CVERecord?id=CVE-2025-23275 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| Dell--PowerEdge R770 | Dell PowerEdge Server BIOS and Dell iDRAC9, all versions, contain an Information Disclosure vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure. | 2025-09-25 | 4.9 | CVE-2025-26482 | https://www.dell.com/support/kbdoc/en-us/000370138/dsa-2025-046-security-update-for-dell-poweredge-server-and-dell-idrac9-for-information-disclosure-vulnerability |
| IBM--Watson Studio on Cloud Pak for Data | IBM Watson Studio 4.0 through 5.2.0 on Cloud Pak for Data is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-09-25 | 4.4 | CVE-2025-33116 | https://www.ibm.com/support/pages/node/7246140 |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.11.0.0, contains an exposure of sensitive information to an unauthorized actor vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to Information disclosure. | 2025-09-25 | 4 | CVE-2025-36601 | https://www.dell.com/support/kbdoc/en-us/000353080/dsa-2025-272-security-update-for-dell-powerscale-onefs-multiple-third-party-component-vulnerabilities |
| SAP_SE--SAP BI Platform | SAP BI Platform allows an attacker to modify the IP address of the LogonToken for the OpenDoc. On accessing the modified link in the browser a different server could get the ping request. This has low impact on integrity with no impact on confidentiality and availability of the system. | 2025-09-23 | 4.3 | CVE-2025-42907 | https://me.sap.com/notes/3540622 https://url.sap/sapsecuritypatchday |
| WSO2--WSO2 API Manager | An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. | 2025-09-23 | 4.8 | CVE-2025-4760 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4104/ |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task modules. These payloads persist in the database and are executed when viewed by an admin or other privileged users through the web interface. Although the issue is not exploitable by unauthenticated users, it still poses a high risk of session hijacking and unauthorized action within high-privilege accounts. At time of publication there is no known patch. | 2025-09-24 | 4.8 | CVE-2025-48867 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-w242-xv47-j55r |
| Barry--Event Rocket | Missing Authorization vulnerability in Barry Event Rocket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Rocket: from n/a through 3.3. | 2025-09-22 | 4.3 | CVE-2025-53452 | https://patchstack.com/database/wordpress/plugin/event-rocket/vulnerability/wordpress-event-rocket-plugin-3-3-broken-access-control-vulnerability?_s_id=cve |
| activewebsight--SEO Backlink Monitor | Cross-Site Request Forgery (CSRF) vulnerability in activewebsight SEO Backlink Monitor allows Cross Site Request Forgery. This issue affects SEO Backlink Monitor: from n/a through 1.6.0. | 2025-09-22 | 4.3 | CVE-2025-53456 | https://patchstack.com/database/wordpress/plugin/seo-backlink-monitor/vulnerability/wordpress-seo-backlink-monitor-plugin-1-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| activewebsight--SEO Backlink Monitor | Server-Side Request Forgery (SSRF) vulnerability in activewebsight SEO Backlink Monitor allows Server Side Request Forgery. This issue affects SEO Backlink Monitor: from n/a through 1.6.0. | 2025-09-22 | 4.4 | CVE-2025-53457 | https://patchstack.com/database/wordpress/plugin/seo-backlink-monitor/vulnerability/wordpress-seo-backlink-monitor-plugin-1-6-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Binsaifullah--Beaf | Server-Side Request Forgery (SSRF) vulnerability in Binsaifullah Beaf allows Server Side Request Forgery. This issue affects Beaf: from n/a through 1.6.2. | 2025-09-22 | 4.4 | CVE-2025-53461 | https://patchstack.com/database/wordpress/plugin/image-compare-block/vulnerability/wordpress-beaf-plugin-1-6-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| AutomationDirect--CLICK PLUS C0-0x CPU firmware | Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text. | 2025-09-23 | 4.2 | CVE-2025-54855 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 https://www.automationdirect.com/support/software-downloads |
| Amin Y--AgreeMe Checkboxes For WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in Amin Y AgreeMe Checkboxes For WooCommerce allows Cross Site Request Forgery. This issue affects AgreeMe Checkboxes For WooCommerce: from n/a through 1.1.3. | 2025-09-22 | 4.3 | CVE-2025-57905 | https://patchstack.com/database/wordpress/plugin/agreeme-checkboxes-for-woocommerce/vulnerability/wordpress-agreeme-checkboxes-for-woocommerce-plugin-1-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Matat Technologies--Deliver via Shipos for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in Matat Technologies Deliver via Shipos for WooCommerce allows Cross Site Request Forgery. This issue affects Deliver via Shipos for WooCommerce: from n/a through 3.0.2. | 2025-09-22 | 4.3 | CVE-2025-57914 | https://patchstack.com/database/wordpress/plugin/wc-shipos-delivery/vulnerability/wordpress-deliver-via-shipos-for-woocommerce-plugin-3-0-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| César Martín--TOCHAT.BE | Cross-Site Request Forgery (CSRF) vulnerability in César Martín TOCHAT.BE allows Cross Site Request Forgery. This issue affects TOCHAT.BE: from n/a through 1.3.4. | 2025-09-22 | 4.3 | CVE-2025-57915 | https://patchstack.com/database/wordpress/plugin/tochat-be/vulnerability/wordpress-tochat-be-plugin-1-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Nurul Amin--WP System Information | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Nurul Amin WP System Information allows Retrieve Embedded Sensitive Data. This issue affects WP System Information: from n/a through 1.5. | 2025-09-22 | 4.3 | CVE-2025-57916 | https://patchstack.com/database/wordpress/plugin/wp-system-info/vulnerability/wordpress-wp-system-information-plugin-1-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| printcart--Printcart Web to Print Product Designer for WooCommerce | Missing Authorization vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through 2.4.3. | 2025-09-22 | 4.3 | CVE-2025-57917 | https://patchstack.com/database/wordpress/plugin/printcart-integration/vulnerability/wordpress-printcart-web-to-print-product-designer-for-woocommerce-plugin-2-4-3-broken-access-control-vulnerability?_s_id=cve |
| Automattic--Developer | Cross-Site Request Forgery (CSRF) vulnerability in Automattic Developer allows Cross Site Request Forgery. This issue affects Developer: from n/a through 1.2.6. | 2025-09-22 | 4.3 | CVE-2025-57924 | https://patchstack.com/database/wordpress/plugin/developer/vulnerability/wordpress-developer-plugin-1-2-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Stephanie Leary--Dashboard Notepad | Cross-Site Request Forgery (CSRF) vulnerability in Stephanie Leary Dashboard Notepad allows Cross Site Request Forgery. This issue affects Dashboard Notepad: from n/a through 1.42. | 2025-09-22 | 4.3 | CVE-2025-57927 | https://patchstack.com/database/wordpress/plugin/dashboard-notepad/vulnerability/wordpress-dashboard-notepad-plugin-1-42-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| kanwei_doublethedonation--Double the Donation | Cross-Site Request Forgery (CSRF) vulnerability in kanwei_doublethedonation Double the Donation allows Cross Site Request Forgery. This issue affects Double the Donation: from n/a through 2.0.0. | 2025-09-22 | 4.3 | CVE-2025-57930 | https://patchstack.com/database/wordpress/plugin/double-the-donation/vulnerability/wordpress-double-the-donation-plugin-2-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| piotnetdotcom--Piotnet Forms | Cross-Site Request Forgery (CSRF) vulnerability in piotnetdotcom Piotnet Forms allows Cross Site Request Forgery. This issue affects Piotnet Forms: from n/a through 1.0.30. | 2025-09-22 | 4.3 | CVE-2025-57933 | https://patchstack.com/database/wordpress/plugin/piotnetforms/vulnerability/wordpress-piotnet-forms-plugin-1-0-30-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Aurélien LWS--LWS Affiliation | Cross-Site Request Forgery (CSRF) vulnerability in Aurélien LWS LWS Affiliation allows Cross Site Request Forgery. This issue affects LWS Affiliation: from n/a through 2.3.6. | 2025-09-22 | 4.3 | CVE-2025-57934 | https://patchstack.com/database/wordpress/plugin/lws-affiliation/vulnerability/wordpress-lws-affiliation-plugin-2-3-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Meitar--Subresource Integrity (SRI) Manager | Missing Authorization vulnerability in Meitar Subresource Integrity (SRI) Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subresource Integrity (SRI) Manager: from n/a through 0.4.0. | 2025-09-22 | 4.3 | CVE-2025-57936 | https://patchstack.com/database/wordpress/plugin/wp-sri/vulnerability/wordpress-subresource-integrity-sri-manager-plugin-0-4-0-broken-access-control-vulnerability?_s_id=cve |
| etruel--WPeMatico RSS Feed Fetcher | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in etruel WPeMatico RSS Feed Fetcher allows Retrieve Embedded Sensitive Data. This issue affects WPeMatico RSS Feed Fetcher: from n/a through 2.8.10. | 2025-09-22 | 4.3 | CVE-2025-57937 | https://patchstack.com/database/wordpress/plugin/wpematico/vulnerability/wordpress-wpematico-rss-feed-fetcher-plugin-2-8-10-sensitive-data-exposure-vulnerability?_s_id=cve |
| andy_moyle--Emergency Password Reset | Cross-Site Request Forgery (CSRF) vulnerability in andy_moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 9.0. | 2025-09-22 | 4.3 | CVE-2025-57942 | https://patchstack.com/database/wordpress/plugin/emergency-password-reset/vulnerability/wordpress-emergency-password-reset-plugin-9-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Skimlinks--Skimlinks Affiliate Marketing Tool | Server-Side Request Forgery (SSRF) vulnerability in Skimlinks Skimlinks Affiliate Marketing Tool allows Server Side Request Forgery. This issue affects Skimlinks Affiliate Marketing Tool: from n/a through 1.3. | 2025-09-22 | 4.4 | CVE-2025-57943 | https://patchstack.com/database/wordpress/plugin/skimlinks/vulnerability/wordpress-skimlinks-affiliate-marketing-tool-plugin-1-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| TravelMap--Travel Map | Cross-Site Request Forgery (CSRF) vulnerability in TravelMap Travel Map allows Cross Site Request Forgery. This issue affects Travel Map: from n/a through 1.0.3. | 2025-09-22 | 4.3 | CVE-2025-57960 | https://patchstack.com/database/wordpress/plugin/travelmap-blog/vulnerability/wordpress-travel-map-plugin-1-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Codexpert, Inc--CoDesigner | Missing Authorization vulnerability in Codexpert, Inc CoDesigner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CoDesigner: from n/a through 4.25.2. | 2025-09-22 | 4.3 | CVE-2025-57961 | https://patchstack.com/database/wordpress/plugin/woolementor/vulnerability/wordpress-codesigner-plugin-4-25-2-broken-access-control-vulnerability?_s_id=cve |
| Jeremy Saxey--Hide WP Toolbar | Missing Authorization vulnerability in Jeremy Saxey Hide WP Toolbar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hide WP Toolbar: from n/a through 2.7. | 2025-09-22 | 4.3 | CVE-2025-57969 | https://patchstack.com/database/wordpress/plugin/hide-wp-toolbar/vulnerability/wordpress-hide-wp-toolbar-plugin-2-7-broken-access-control-vulnerability?_s_id=cve |
| SALESmanago--SALESmanago | Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago allows Cross Site Request Forgery. This issue affects SALESmanago: from n/a through 3.8.1. | 2025-09-22 | 4.3 | CVE-2025-57970 | https://patchstack.com/database/wordpress/plugin/salesmanago/vulnerability/wordpress-salesmanago-plugin-3-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WPFactory--Helpdesk Support Ticket System for WooCommerce | Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through 2.0.2. | 2025-09-22 | 4.3 | CVE-2025-57972 | https://patchstack.com/database/wordpress/plugin/support-ticket-system-for-woocommerce/vulnerability/wordpress-helpdesk-support-ticket-system-for-woocommerce-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| RadiusTheme--Team | Missing Authorization vulnerability in RadiusTheme Team allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team: from n/a through 5.0.6. | 2025-09-22 | 4.3 | CVE-2025-57975 | https://patchstack.com/database/wordpress/plugin/tlp-team/vulnerability/wordpress-team-plugin-5-0-6-broken-access-control-vulnerability?_s_id=cve |
| themespride--Advanced Appointment Booking & Scheduling | Cross-Site Request Forgery (CSRF) vulnerability in themespride Advanced Appointment Booking & Scheduling allows Cross Site Request Forgery. This issue affects Advanced Appointment Booking & Scheduling: from n/a through 1.9. | 2025-09-22 | 4.3 | CVE-2025-57978 | https://patchstack.com/database/wordpress/plugin/advanced-appointment-booking-scheduling/vulnerability/wordpress-advanced-appointment-booking-scheduling-plugin-1-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Pratik Ghela--MakeStories (for Google Web Stories) | Server-Side Request Forgery (SSRF) vulnerability in Pratik Ghela MakeStories (for Google Web Stories) allows Server Side Request Forgery. This issue affects MakeStories (for Google Web Stories): from n/a through 3.0.4. | 2025-09-22 | 4.4 | CVE-2025-57984 | https://patchstack.com/database/wordpress/plugin/makestories-helper/vulnerability/wordpress-makestories-for-google-web-stories-plugin-3-0-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| MantraBrain--Ultimate Watermark | Missing Authorization vulnerability in MantraBrain Ultimate Watermark allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Watermark: from n/a through 1.1. | 2025-09-22 | 4.3 | CVE-2025-57985 | https://patchstack.com/database/wordpress/plugin/ultimate-watermark/vulnerability/wordpress-ultimate-watermark-plugin-1-1-broken-access-control-vulnerability?_s_id=cve |
| InterServer--Mail Baby SMTP | Cross-Site Request Forgery (CSRF) vulnerability in InterServer Mail Baby SMTP allows Cross Site Request Forgery. This issue affects Mail Baby SMTP: from n/a through 2.8. | 2025-09-22 | 4.3 | CVE-2025-57992 | https://patchstack.com/database/wordpress/plugin/mail-baby-smtp/vulnerability/wordpress-mail-baby-smtp-plugin-2-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Detheme--DethemeKit For Elementor | Missing Authorization vulnerability in Detheme DethemeKit For Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DethemeKit For Elementor: from n/a through 2.1.10. | 2025-09-22 | 4.3 | CVE-2025-57995 | https://patchstack.com/database/wordpress/plugin/dethemekit-for-elementor/vulnerability/wordpress-dethemekit-for-elementor-plugin-2-1-10-broken-access-control-vulnerability-2?_s_id=cve |
| Trustpilot--Trustpilot Reviews | Missing Authorization vulnerability in Trustpilot Trustpilot Reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trustpilot Reviews: from n/a through 2.5.925. | 2025-09-22 | 4.3 | CVE-2025-57997 | https://patchstack.com/database/wordpress/plugin/trustpilot-reviews/vulnerability/wordpress-trustpilot-reviews-plugin-2-5-925-broken-access-control-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms Keap/Infusionsoft | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft allows Phishing. This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a through 1.2.4. | 2025-09-22 | 4.7 | CVE-2025-58006 | https://patchstack.com/database/wordpress/plugin/gf-infusionsoft/vulnerability/wordpress-wp-gravity-forms-keap-infusionsoft-plugin-1-2-4-open-redirection-vulnerability?_s_id=cve |
| NerdPress--Social Pug | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NerdPress Social Pug allows Retrieve Embedded Sensitive Data. This issue affects Social Pug: from n/a through 1.35.1. | 2025-09-22 | 4.3 | CVE-2025-58007 | https://patchstack.com/database/wordpress/plugin/social-pug/vulnerability/wordpress-social-pug-plugin-1-35-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| straightvisions GmbH--SV Proven Expert | Cross-Site Request Forgery (CSRF) vulnerability in straightvisions GmbH SV Proven Expert allows Cross Site Request Forgery. This issue affects SV Proven Expert: from n/a through 2.0.06. | 2025-09-22 | 4.3 | CVE-2025-58010 | https://patchstack.com/database/wordpress/plugin/sv-provenexpert/vulnerability/wordpress-sv-proven-expert-plugin-2-0-06-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Ays Pro--Quiz Maker | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker allows Cross Site Request Forgery. This issue affects Quiz Maker: from n/a through 6.7.0.61. | 2025-09-22 | 4.3 | CVE-2025-58014 | https://patchstack.com/database/wordpress/plugin/quiz-maker/vulnerability/wordpress-quiz-maker-plugin-6-7-0-61-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Codexpert, Inc--CF7 Submissions | Missing Authorization vulnerability in Codexpert, Inc CF7 Submissions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Submissions: from n/a through 0.26. | 2025-09-22 | 4.3 | CVE-2025-58016 | https://patchstack.com/database/wordpress/plugin/cf7-submissions/vulnerability/wordpress-cf7-submissions-plugin-0-26-broken-access-control-vulnerability?_s_id=cve |
| Bytes.co--WP Compiler | Cross-Site Request Forgery (CSRF) vulnerability in Bytes.co WP Compiler allows Cross Site Request Forgery. This issue affects WP Compiler: from n/a through 1.0.0. | 2025-09-22 | 4.3 | CVE-2025-58032 | https://patchstack.com/database/wordpress/plugin/wp-compiler/vulnerability/wordpress-wp-compiler-plugin-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Fastly--Fastly | Cross-Site Request Forgery (CSRF) vulnerability in Fastly Fastly allows Cross Site Request Forgery. This issue affects Fastly: from n/a through 1.2.28. | 2025-09-22 | 4.3 | CVE-2025-58199 | https://patchstack.com/database/wordpress/plugin/fastly/vulnerability/wordpress-fastly-plugin-1-2-28-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Bage--Flexible FAQ | Cross-Site Request Forgery (CSRF) vulnerability in Bage Flexible FAQ allows Cross Site Request Forgery. This issue affects Flexible FAQ: from n/a through 0.2. | 2025-09-22 | 4.3 | CVE-2025-58200 | https://patchstack.com/database/wordpress/plugin/flexible-faq/vulnerability/wordpress-flexible-faq-plugin-0-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| LIJE--Show Pages List | Cross-Site Request Forgery (CSRF) vulnerability in LIJE Show Pages List allows Cross Site Request Forgery. This issue affects Show Pages List: from n/a through 1.2.0. | 2025-09-22 | 4.3 | CVE-2025-58219 | https://patchstack.com/database/wordpress/plugin/show-pages-list/vulnerability/wordpress-show-pages-list-plugin-1-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ONTRAPORT--PilotPress | Missing Authorization vulnerability in ONTRAPORT PilotPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PilotPress: from n/a through 2.0.35. | 2025-09-22 | 4.3 | CVE-2025-58221 | https://patchstack.com/database/wordpress/plugin/pilotpress/vulnerability/wordpress-pilotpress-plugin-2-0-35-broken-access-control-vulnerability?_s_id=cve |
| Mayo Moriyama--Force Update Translations | Cross-Site Request Forgery (CSRF) vulnerability in Mayo Moriyama Force Update Translations allows Cross Site Request Forgery. This issue affects Force Update Translations: from n/a through 0.5. | 2025-09-22 | 4.3 | CVE-2025-58236 | https://patchstack.com/database/wordpress/plugin/force-update-translations/vulnerability/wordpress-force-update-translations-plugin-0-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Automattic--WordPress | Insertion of Sensitive Information Into Sent Data vulnerability in Automattic WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges are required to exploit it. This issue affects WordPress: from n/a through 6.8.2. | 2025-09-23 | 4.3 | CVE-2025-58246 | https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| Themeum--Qubely | Insertion of Sensitive Information Into Sent Data vulnerability in Themeum Qubely allows Retrieve Embedded Sensitive Data. This issue affects Qubely: from n/a through 1.8.14. | 2025-09-22 | 4.3 | CVE-2025-58249 | https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-sensitive-data-exposure-vulnerability?_s_id=cve |
| POSIMYTH--Sticky Header Effects for Elementor | Missing Authorization vulnerability in POSIMYTH Sticky Header Effects for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Header Effects for Elementor: from n/a through 2.1.2. | 2025-09-22 | 4.3 | CVE-2025-58251 | https://patchstack.com/database/wordpress/plugin/sticky-header-effects-for-elementor/vulnerability/wordpress-sticky-header-effects-for-elementor-plugin-2-1-2-broken-access-control-vulnerability?_s_id=cve |
| jetmonsters--Getwid | Insertion of Sensitive Information Into Sent Data vulnerability in jetmonsters Getwid allows Retrieve Embedded Sensitive Data. This issue affects Getwid: from n/a through 2.1.2. | 2025-09-22 | 4.3 | CVE-2025-58252 | https://patchstack.com/database/wordpress/plugin/getwid/vulnerability/wordpress-getwid-plugin-2-1-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| nK--Lazy Blocks | Missing Authorization vulnerability in nK Lazy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lazy Blocks: from n/a through 4.1.0. | 2025-09-22 | 4.3 | CVE-2025-58258 | https://patchstack.com/database/wordpress/plugin/lazy-blocks/vulnerability/wordpress-lazy-blocks-plugin-4-1-0-broken-access-control-vulnerability?_s_id=cve |
| Syed Balkhi--All In One SEO Pack | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi All In One SEO Pack allows Retrieve Embedded Sensitive Data. This issue affects All In One SEO Pack: from n/a through 4.8.7. | 2025-09-22 | 4.3 | CVE-2025-58649 | https://patchstack.com/database/wordpress/plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-8-7-sensitive-data-exposure-vulnerability?_s_id=cve |
| Themeum--Qubely | Missing Authorization vulnerability in Themeum Qubely allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Qubely: from n/a through 1.8.14. | 2025-09-22 | 4.3 | CVE-2025-58663 | https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-broken-access-control-vulnerability?_s_id=cve |
| Azizul Hasan--Text To Speech TTS Accessibility | Missing Authorization vulnerability in Azizul Hasan Text To Speech TTS Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Text To Speech TTS Accessibility: from n/a through 1.9.20. | 2025-09-22 | 4.3 | CVE-2025-58664 | https://patchstack.com/database/wordpress/plugin/text-to-audio/vulnerability/wordpress-text-to-speech-tts-accessibility-plugin-1-9-20-broken-access-control-vulnerability?_s_id=cve |
| Kommo--Website Chat Button: Kommo integration | Missing Authorization vulnerability in Kommo Website Chat Button: Kommo integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Website Chat Button: Kommo integration: from n/a through 1.3.1. | 2025-09-22 | 4.3 | CVE-2025-58666 | https://patchstack.com/database/wordpress/plugin/website-chat-button-kommo-integration/vulnerability/wordpress-website-chat-button-kommo-integration-plugin-1-3-1-broken-access-control-vulnerability?_s_id=cve |
| VibeThemes--WPLMS | Missing Authorization vulnerability in VibeThemes WPLMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLMS: from n/a through 4.970. | 2025-09-22 | 4.3 | CVE-2025-58668 | https://patchstack.com/database/wordpress/theme/wplms/vulnerability/wordpress-wplms-theme-4-970-broken-access-control-vulnerability?_s_id=cve |
| tryinteract--Interact: Embed A Quiz On Your Site | Cross-Site Request Forgery (CSRF) vulnerability in tryinteract Interact: Embed A Quiz On Your Site allows Cross Site Request Forgery. This issue affects Interact: Embed A Quiz On Your Site: from n/a through 3.1. | 2025-09-22 | 4.3 | CVE-2025-58675 | https://patchstack.com/database/wordpress/plugin/interact-quiz-embed/vulnerability/wordpress-interact-embed-a-quiz-on-your-site-plugin-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Di Themes--Di Themes Demo Site Importer | Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer allows Cross Site Request Forgery. This issue affects Di Themes Demo Site Importer: from n/a through 1.2. | 2025-09-26 | 4.3 | CVE-2025-58914 | https://patchstack.com/database/wordpress/plugin/di-themes-demo-site-importer/vulnerability/wordpress-di-themes-demo-site-importer-plugin-1-2-cross-site-request-forgery-csrf-to-plugin-activation-vulnerability?_s_id=cve |
| Vikas Ratudi--VPSUForm | Missing Authorization vulnerability in Vikas Ratudi VPSUForm allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VPSUForm: from n/a through 3.2.20. | 2025-09-22 | 4.3 | CVE-2025-58957 | https://patchstack.com/database/wordpress/plugin/v-form/vulnerability/wordpress-vpsuform-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve |
| lobehub--lobe-chat | Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain. This issue has been patched in version 1.130.1. | 2025-09-25 | 4.3 | CVE-2025-59426 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445 https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127 |
| WP Chill--Revive.so | Missing Authorization vulnerability in WP Chill Revive.so allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Revive.so: from n/a through 2.0.6. | 2025-09-22 | 4.3 | CVE-2025-59551 | https://patchstack.com/database/wordpress/plugin/revive-so/vulnerability/wordpress-revive-so-plugin-2-0-6-broken-access-control-vulnerability?_s_id=cve |
| payrexx--Payrexx Payment Gateway for WooCommerce | Missing Authorization vulnerability in payrexx Payrexx Payment Gateway for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payrexx Payment Gateway for WooCommerce: from n/a through 3.1.5. | 2025-09-22 | 4.3 | CVE-2025-59559 | https://patchstack.com/database/wordpress/plugin/woo-payrexx-gateway/vulnerability/wordpress-payrexx-payment-gateway-for-woocommerce-plugin-3-1-5-broken-access-control-vulnerability?_s_id=cve |
| hashthemes--Smart Blocks | Missing Authorization vulnerability in hashthemes Smart Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Blocks: from n/a through 2.4. | 2025-09-22 | 4.3 | CVE-2025-59561 | https://patchstack.com/database/wordpress/plugin/smart-blocks/vulnerability/wordpress-smart-blocks-plugin-2-4-broken-access-control-vulnerability?_s_id=cve |
| Elliot Sowersby / RelyWP--Coupon Affiliates | Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coupon Affiliates: from n/a through 6.8.0. | 2025-09-22 | 4.3 | CVE-2025-59567 | https://patchstack.com/database/wordpress/plugin/woo-coupon-usage/vulnerability/wordpress-coupon-affiliates-plugin-6-8-0-broken-access-control-vulnerability?_s_id=cve |
| Zoho Flow--Zoho Flow | Cross-Site Request Forgery (CSRF) vulnerability in Zoho Flow Zoho Flow allows Cross Site Request Forgery. This issue affects Zoho Flow: from n/a through 2.14.1. | 2025-09-22 | 4.3 | CVE-2025-59568 | https://patchstack.com/database/wordpress/plugin/zoho-flow/vulnerability/wordpress-zoho-flow-plugin-2-14-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Stylemix--MasterStudy LMS | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Stylemix MasterStudy LMS allows Leveraging Race Conditions. This issue affects MasterStudy LMS: from n/a through 3.6.20. | 2025-09-22 | 4.3 | CVE-2025-59577 | https://patchstack.com/database/wordpress/plugin/masterstudy-lms-learning-management-system/vulnerability/wordpress-masterstudy-lms-plugin-3-6-20-race-condition-vulnerability?_s_id=cve |
| AdvancedCoding--wpDiscuz | Missing Authorization vulnerability in AdvancedCoding wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through 7.6.33. | 2025-09-22 | 4.3 | CVE-2025-59591 | https://patchstack.com/database/wordpress/plugin/wpdiscuz/vulnerability/wordpress-wpdiscuz-plugin-7-6-33-broken-access-control-vulnerability?_s_id=cve |
| Artifex--Ghostscript | Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c. | 2025-09-22 | 4.3 | CVE-2025-59798 | https://bugs.ghostscript.com/show_bug.cgi?id=708539 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 |
| Artifex--Ghostscript | Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdfmark_coerce_dest in devices/vector/gdevpdfm.c via a large size value. | 2025-09-22 | 4.3 | CVE-2025-59799 | https://bugs.ghostscript.com/show_bug.cgi?id=708517 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=6dab38fb211f15226c242ab7a83fa53e4b0ff781 |
| Artifex--Ghostscript | In Artifex Ghostscript through 10.05.1, ocr_begin_page in devices/gdevpdfocr.c has an integer overflow that leads to a heap-based buffer overflow in ocr_line8. | 2025-09-22 | 4.3 | CVE-2025-59800 | https://bugs.ghostscript.com/show_bug.cgi?id=708602 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=176cf0188a2294bc307b8caec876f39412e58350 |
| Artifex--GhostXPS | In Artifex GhostXPS before 10.06.0, there is a stack-based buffer overflow in xps_unpredict_tiff in xpstiff.c because the samplesperpixel value is not checked. | 2025-09-22 | 4.3 | CVE-2025-59801 | https://bugs.ghostscript.com/show_bug.cgi?id=708819 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=99727069197d548a8db69ba5d63f766bff40eaab |
| glib-networking's OpenSSL backend --N/A | glib-networking's OpenSSL backend fails to properly check the return value of a call to BIO_write(), resulting in an out of bounds read. | 2025-09-25 | 4.8 | CVE-2025-60018 | https://access.redhat.com/security/cve/CVE-2025-60018 RHBZ#2398135 https://gitlab.gnome.org/GNOME/glib-networking/-/issues/226 |
| Shahjada--Download Manager | Cross-Site Request Forgery (CSRF) vulnerability in Shahjada Download Manager allows Cross Site Request Forgery. This issue affects Download Manager: from n/a through 3.3.24. | 2025-09-26 | 4.3 | CVE-2025-60093 | https://patchstack.com/database/wordpress/plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-24-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Benjamin Intal--Stackable | Missing Authorization vulnerability in Benjamin Intal Stackable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stackable: from n/a through 3.18.1. | 2025-09-26 | 4.3 | CVE-2025-60094 | https://patchstack.com/database/wordpress/plugin/stackable-ultimate-gutenberg-blocks/vulnerability/wordpress-stackable-plugin-3-18-1-broken-access-control-vulnerability?_s_id=cve |
| Benjamin Intal--Stackable | Insertion of Sensitive Information Into Sent Data vulnerability in Benjamin Intal Stackable allows Retrieve Embedded Sensitive Data. This issue affects Stackable: from n/a through 3.18.1. | 2025-09-26 | 4.3 | CVE-2025-60095 | https://patchstack.com/database/wordpress/plugin/stackable-ultimate-gutenberg-blocks/vulnerability/wordpress-stackable-plugin-3-18-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| Roxnor--EmailKit | Missing Authorization vulnerability in Roxnor EmailKit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EmailKit: from n/a through 1.6.0. | 2025-09-26 | 4.9 | CVE-2025-60106 | https://patchstack.com/database/wordpress/plugin/emailkit/vulnerability/wordpress-emailkit-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve |
| grooni--Groovy Menu | Cross-Site Request Forgery (CSRF) vulnerability in grooni Groovy Menu allows Cross Site Request Forgery. This issue affects Groovy Menu: from n/a through 1.4.3. | 2025-09-26 | 4.3 | CVE-2025-60113 | https://patchstack.com/database/wordpress/plugin/groovy-menu-free/vulnerability/wordpress-groovy-menu-plugin-1-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| instapagedev--Instapage Plugin | Cross-Site Request Forgery (CSRF) vulnerability in instapagedev Instapage Plugin allows Cross Site Request Forgery. This issue affects Instapage Plugin: from n/a through 3.5.12. | 2025-09-26 | 4.3 | CVE-2025-60115 | https://patchstack.com/database/wordpress/plugin/instapage/vulnerability/wordpress-instapage-plugin-plugin-3-5-12-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| TangibleWP--Vehica Core | Cross-Site Request Forgery (CSRF) vulnerability in TangibleWP Vehica Core allows Cross Site Request Forgery. This issue affects Vehica Core: from n/a through 1.0.100. | 2025-09-26 | 4.3 | CVE-2025-60117 | https://patchstack.com/database/wordpress/plugin/vehica-core/vulnerability/wordpress-vehica-core-plugin-1-0-100-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| HivePress--HivePress Claim Listings | Missing Authorization vulnerability in HivePress HivePress Claim Listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HivePress Claim Listings: from n/a through 1.1.3. | 2025-09-26 | 4.3 | CVE-2025-60122 | https://patchstack.com/database/wordpress/plugin/hivepress-claim-listings/vulnerability/wordpress-hivepress-claim-listings-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| HivePress--HivePress Claim Listings | Missing Authorization vulnerability in HivePress HivePress Claim Listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HivePress Claim Listings: from n/a through 1.1.3. | 2025-09-26 | 4.3 | CVE-2025-60123 | https://patchstack.com/database/wordpress/plugin/hivepress-claim-listings/vulnerability/wordpress-hivepress-claim-listings-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| WP Delicious--Delisho | Missing Authorization vulnerability in WP Delicious Delisho allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Delisho: from n/a through 1.1.3. | 2025-09-26 | 4.3 | CVE-2025-60128 | https://patchstack.com/database/wordpress/plugin/dr-widgets-blocks/vulnerability/wordpress-delisho-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| Galaxy Weblinks--Post Featured Video | Cross-Site Request Forgery (CSRF) vulnerability in Galaxy Weblinks Post Featured Video allows Cross Site Request Forgery. This issue affects Post Featured Video: from n/a through 1.7. | 2025-09-26 | 4.3 | CVE-2025-60137 | https://patchstack.com/database/wordpress/plugin/post-featured-video/vulnerability/wordpress-post-featured-video-plugin-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Joovii--Sendle Shipping | Cross-Site Request Forgery (CSRF) vulnerability in Joovii Sendle Shipping allows Cross Site Request Forgery. This issue affects Sendle Shipping: from n/a through 6.02. | 2025-09-26 | 4.3 | CVE-2025-60139 | https://patchstack.com/database/wordpress/plugin/official-sendle-shipping-method/vulnerability/wordpress-sendle-shipping-plugin-6-02-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| netgsm--Netgsm | Missing Authorization vulnerability in netgsm Netgsm allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Netgsm: from n/a through 2.9.58. | 2025-09-26 | 4.3 | CVE-2025-60143 | https://patchstack.com/database/wordpress/plugin/netgsm/vulnerability/wordpress-netgsm-plugin-2-9-58-broken-access-control-vulnerability?_s_id=cve |
| yonifre--Lenix scss compiler | Cross-Site Request Forgery (CSRF) vulnerability in yonifre Lenix scss compiler allows Cross Site Request Forgery. This issue affects Lenix scss compiler: from n/a through 1.2. | 2025-09-26 | 4.3 | CVE-2025-60145 | https://patchstack.com/database/wordpress/plugin/lenix-scss-compiler/vulnerability/wordpress-lenix-scss-compiler-plugin-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| wpshuffle--Subscribe to Download | Missing Authorization vulnerability in wpshuffle Subscribe to Download allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe to Download: from n/a through 2.0.9. | 2025-09-26 | 4.3 | CVE-2025-60148 | https://patchstack.com/database/wordpress/plugin/subscribe-to-download/vulnerability/wordpress-subscribe-to-download-plugin-2-0-9-broken-access-control-vulnerability?_s_id=cve |
| wpshuffle--Subscribe To Unlock | Missing Authorization vulnerability in wpshuffle Subscribe To Unlock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe To Unlock: from n/a through 1.1.5. | 2025-09-26 | 4.3 | CVE-2025-60152 | https://patchstack.com/database/wordpress/plugin/subscribe-to-unlock/vulnerability/wordpress-subscribe-to-unlock-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| webmaniabr--Nota Fiscal Eletrônica WooCommerce | Missing Authorization vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nota Fiscal Eletrônica WooCommerce: from n/a through 3.4.0.6. | 2025-09-26 | 4.3 | CVE-2025-60159 | https://patchstack.com/database/wordpress/plugin/nota-fiscal-eletronica-woocommerce/vulnerability/wordpress-nota-fiscal-eletronica-woocommerce-plugin-3-4-0-6-broken-access-control-vulnerability?_s_id=cve |
| HaruTheme--Frames | Missing Authorization vulnerability in HaruTheme Frames allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frames: from n/a through 1.5.7. | 2025-09-26 | 4.3 | CVE-2025-60165 | https://patchstack.com/database/wordpress/theme/frames/vulnerability/wordpress-frames-theme-1-5-7-broken-access-control-vulnerability?_s_id=cve |
| wpshuffle--WP Subscription Forms PRO | Missing Authorization vulnerability in wpshuffle WP Subscription Forms PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscription Forms PRO: from n/a through 2.0.5. | 2025-09-26 | 4.3 | CVE-2025-60166 | https://patchstack.com/database/wordpress/plugin/wp-subscription-forms-pro/vulnerability/wordpress-wp-subscription-forms-pro-plugin-2-0-5-arbitrary-content-deletion-vulnerability?_s_id=cve |
| honzat--Page Manager for Elementor | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in honzat Page Manager for Elementor allows Retrieve Embedded Sensitive Data. This issue affects Page Manager for Elementor: from n/a through 2.0.5. | 2025-09-26 | 4.3 | CVE-2025-60167 | https://patchstack.com/database/wordpress/plugin/page-manager-for-elementor/vulnerability/wordpress-page-manager-for-elementor-plugin-2-0-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| Unitree--Go2 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV. | 2025-09-26 | 4.7 | CVE-2025-60250 | https://spectrum.ieee.org/unitree-robot-exploit https://github.com/Bin4ry/UniPwn https://news.ycombinator.com/item?id=45381590 |
| Akıllı Ticaret Software Technologies Ltd. Co.--Smart Trade E-Commerce | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Akıllı Ticaret Software Technologies Ltd. Co. Smart Trade E-Commerce allows Reflected XSS. This issue affects Smart Trade E-Commerce: before 4.5.0.0.1. | 2025-09-22 | 4.6 | CVE-2025-8079 | https://www.usom.gov.tr/bildirim/tr-25-0283 |
| DivvyDrive Information Technologies Inc.--DivvyDrive Web | Observable Timing Discrepancy vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive Web allows Cross-Domain Search Timing. This issue affects DivvyDrive Web: from 4.8.2.2 before 4.8.2.15. | 2025-09-24 | 4.3 | CVE-2025-9031 | https://www.usom.gov.tr/bildirim/tr-25-0293 |
| milankyada--VM Menu Reorder plugin | The VM Menu Reorder plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the vm_set_to_default function. This makes it possible for unauthenticated attackers to reset all menu reordering settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-27 | 4.3 | CVE-2025-9893 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df7e57a7-ba15-4181-89f9-e3f1f5de36cf?source=cve https://plugins.trac.wordpress.org/browser/vm-menu-reorder/trunk/vm-menu-class.php#L275 |
| cristianr909090--Sync Feedly | The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronization from Feedly, potentially creating multiple posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-27 | 4.3 | CVE-2025-9894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3889aa6f-987a-4a2d-80fd-28628a6ed287?source=cve https://plugins.trac.wordpress.org/browser/sync-feedly/trunk/sync-feedly.php#L156 |
| funnnny--HidePost | The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-27 | 4.3 | CVE-2025-9896 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a618dbf-1180-4937-8466-5abc784a3365?source=cve https://plugins.trac.wordpress.org/browser/hidepost/tags/2.3.8/options.php#L7 |
| compojoom--cForms Light speed fast Form Builder | The cForms - Light speed fast Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the cforms_api function. This makes it possible for unauthenticated attackers to modify forms and their settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-27 | 4.3 | CVE-2025-9898 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac23bca5-38dd-4460-83ce-5f7fc8a1f6a0?source=cve https://plugins.trac.wordpress.org/browser/cforms-plugin/trunk/admin/api/form.php#L36 |
| kelderic--Professional Contact Form | The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-27 | 4.3 | CVE-2025-9944 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b8a82989-e7e7-484a-b619-3897d88872b9?source=cve https://plugins.trac.wordpress.org/browser/professional-contact-form/tags/1.0.0/includes/mailer.php#L31 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a--Coinomi | A vulnerability has been found in Coinomi up to 1.7.6. This issue affects some unknown processing. Such manipulation leads to cleartext transmission of sensitive information. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor replied with: "(...) there isn't any security implication associated with your findings." | 2025-09-23 | 3.7 | CVE-2017-20200 | VDB-325143 \| Coinomi cleartext transmission VDB-325143 \| CTI Indicators (IOB, IOC, TTP) Submit #653875 \| COINOMI LTD Coinomi <=1.7.6 Cleartext Transmission of Sensitive Information (information dis https://web.archive.org/web/20171013065745/https://github.com/Coinomi/coinomi-android/issues/213 https://www.reddit.com/r/CryptoCurrency/comments/72osq7/security_warning_coinomi_wallet_transmits_all/dnkhpob/ https://web.archive.org/web/20171013065745/https://github.com/Coinomi/coinomi-android/issues/213#issuecomment-332371549 https://www.reddit.com/r/Bitcoin/comments/72yvnj/so_coinomis_official_response_on_the/ |
| WSO2--WSO2 Identity Server as Key Manager | An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication. | 2025-09-23 | 3.3 | CVE-2025-0672 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3134/ |
| LionCoders--SalePro POS | A vulnerability was detected in LionCoders SalePro POS up to 5.5.0. This issue affects some unknown processing of the component Login. Performing manipulation results in cleartext transmission of sensitive information. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-22 | 3.7 | CVE-2025-10776 | VDB-325132 \| LionCoders SalePro POS Login cleartext transmission VDB-325132 \| CTI Indicators (IOB, IOC, TTP) Submit #650795 \| LionCoders SalePro POS 5.5.0 Cleartext Transmission of Sensitive Information https://github.com/PlsRevert/CVEs/issues/1 https://github.com/PlsRevert/CVEs/issues/1#issue-3398101584 |
| n/a--Smartstore | A vulnerability has been found in Smartstore up to 6.2.0. The affected element is an unknown function of the file /checkout/confirm/ of the component Gift Voucher Handler. The manipulation leads to race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-22 | 3.1 | CVE-2025-10778 | VDB-325134 \| Smartstore Gift Voucher confirm race condition VDB-325134 \| CTI Indicators (IOB, IOC, IOA) Submit #640785 \| Smartstore AG Smartstore 6.2.0 Race Condition |
| axboe--fio | A vulnerability was found in axboe fio up to 3.41. This affects the function str_buffer_pattern_cb of the file options.c. Performing manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been made public and could be used. | 2025-09-22 | 3.3 | CVE-2025-10823 | VDB-325180 \| axboe fio options.c str_buffer_pattern_cb null pointer dereference VDB-325180 \| CTI Indicators (IOB, IOC, IOA) Submit #654069 \| Jens Axboe Fio 3.41 / master commit 84787ad NULL Pointer Dereference https://github.com/axboe/fio/issues/1982 https://github.com/user-attachments/files/22266964/poc.zip |
| code-projects--Simple Food Ordering System | A security vulnerability has been detected in code-projects Simple Food Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /ordersimple/order.php. The manipulation of the argument ID leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-09-23 | 3.5 | CVE-2025-10837 | VDB-325194 \| code-projects Simple Food Ordering System order.php cross site scripting VDB-325194 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #657108 \| code-projects Simple Food Ordering System 1.0 Improper Neutralization of Alternate XSS Syntax https://github.com/asd1238525/cve/blob/main/xss3.md https://code-projects.org/ |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests. | 2025-09-26 | 3.5 | CVE-2025-10867 | GitLab Issue #517757 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs. | 2025-09-26 | 3.5 | CVE-2025-10868 | GitLab Issue #526482 |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively granting themselves elevated privileges. | 2025-09-26 | 3.8 | CVE-2025-10871 | GitLab Issue #569482 |
| MikeCen--WeChat-Face-Recognition | A security flaw has been discovered in MikeCen WeChat-Face-Recognition up to 6e3f72bf8547d80b59e330f1137e4aa505f492c1. This vulnerability affects the function valid of the file wx.php. The manipulation of the argument echostr results in cross site scripting. The attack can be launched remotely. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 3.5 | CVE-2025-10943 | VDB-325813 \| MikeCen WeChat-Face-Recognition wx.php valid cross site scripting VDB-325813 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651882 \| MikeCen WeChat-Face-Recognition master CWE-79 https://github.com/MikeCen/WeChat-Face-Recognition/blob/master/wx.php#L25 |
| yi-ge--get-header-ip | A weakness has been identified in yi-ge get-header-ip up to 589b23d0eb0043c310a6a13ce4bbe2505d0d0b15. This issue affects the function ip of the file ip.php. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 3.5 | CVE-2025-10944 | VDB-325814 \| yi-ge get-header-ip ip.php cross site scripting VDB-325814 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651884 \| yi-ge get-header-ip master CWE-79 https://github.com/yi-ge/get-header-ip/blob/master/ip.php#L32 |
| nuz007--smsboom | A security vulnerability has been detected in nuz007 smsboom up to 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674. Impacted is an unknown function of the file d.php. Such manipulation of the argument hm leads to cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2025-09-25 | 3.5 | CVE-2025-10945 | VDB-325815 \| nuz007 smsboom d.php cross site scripting VDB-325815 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651886 \| nuz007 smsboom master CWE-79 https://github.com/nuz007/smsboom/blob/main/d.php#L25 |
| nuz007--smsboom | A vulnerability was detected in nuz007 smsboom up to 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674. The affected element is an unknown function of the file dy.php. Performing manipulation of the argument hm results in cross site scripting. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2025-09-25 | 3.5 | CVE-2025-10946 | VDB-325816 \| nuz007 smsboom dy.php cross site scripting VDB-325816 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651887 \| nuz007 smsboom master CWE-79 https://github.com/nuz007/smsboom/blob/main/dy.php#L20 |
| n/a--JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.8.2. This issue affects some unknown processing of the file /api/getDepartUserList. Executing manipulation of the argument departId can lead to improper authorization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 3.1 | CVE-2025-10976 | VDB-325847 \| JeecgBoot getDepartUserList improper authorization VDB-325847 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653333 \| jeecgboot 3.8.2 broken function level authorization https://www.cnblogs.com/aibot/p/19063349 |
| n/a--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.8.2. Impacted is an unknown function of the file /sys/tenant/deleteBatch. The manipulation of the argument ids leads to improper authorization. The attack can be carried out remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 3.1 | CVE-2025-10977 | VDB-325848 \| JeecgBoot deleteBatch improper authorization VDB-325848 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653335 \| jeecgboot JeecgBoot 3.8.2 broken function level authorization https://www.cnblogs.com/aibot/p/19063351 |
| n/a--Open Babel | A vulnerability has been found in Open Babel up to 3.1.1. The affected element is the function ChemKinFormat::ReadReactionQualifierLines of the file /src/formats/chemkinformat.cpp. The manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. | 2025-09-26 | 3.3 | CVE-2025-10998 | VDB-325926 \| Open Babel chemkinformat.cpp ReadReactionQualifierLines null pointer dereference VDB-325926 \| CTI Indicators (IOB, IOC, IOA) Submit #654063 \| Open Babel 3.1.1 / master commit 889c350 NULL Pointer Dereference https://github.com/openbabel/openbabel/issues/2829 https://github.com/user-attachments/files/22318526/poc.zip |
| n/a--Open Babel | A vulnerability was found in Open Babel up to 3.1.1. The impacted element is the function CacaoFormat::SetHilderbrandt of the file /src/formats/cacaoformat.cpp. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been made public and could be used. | 2025-09-26 | 3.3 | CVE-2025-10999 | VDB-325927 \| Open Babel cacaoformat.cpp SetHilderbrandt null pointer dereference VDB-325927 \| CTI Indicators (IOB, IOC, IOA) Submit #654064 \| Open Babel 3.1.1 / master commit 889c350 NULL Pointer Dereference https://github.com/openbabel/openbabel/issues/2827 https://github.com/user-attachments/files/22318503/poc.zip |
| n/a--Open Babel | A vulnerability was determined in Open Babel up to 3.1.1. This affects the function PQSFormat::ReadMolecule of the file /src/formats/PQSformat.cpp. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. | 2025-09-26 | 3.3 | CVE-2025-11000 | VDB-325928 \| Open Babel PQSformat.cpp ReadMolecule null pointer dereference VDB-325928 \| CTI Indicators (IOB, IOC, IOA) Submit #654066 \| Open Babel 3.1.1 / master commit 889c350 NULL Pointer Dereference https://github.com/openbabel/openbabel/issues/2826 https://github.com/user-attachments/files/22318474/poc.zip |
| n/a--BehaviorTree | A vulnerability was found in BehaviorTree up to 4.7.0. Affected by this issue is the function JsonExporter::fromJson of the file /src/json_export.cpp. Performing manipulation of the argument Source results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named 4b23dcaf0ce951a31299ebdd61df69f9ce99a76d. It is suggested to install a patch to address this issue. | 2025-09-26 | 3.3 | CVE-2025-11011 | VDB-325954 \| BehaviorTree json_export.cpp fromJson null pointer dereference VDB-325954 \| CTI Indicators (IOB, IOC, IOA) Submit #654073 \| Davide Faconti BehaviorTree 4.7.0 / master commit 8d47d39 NULL Pointer Dereference https://github.com/BehaviorTree/BehaviorTree.CPP/issues/1008 https://github.com/BehaviorTree/BehaviorTree.CPP/pull/1009 https://github.com/user-attachments/files/22270928/poc.zip https://github.com/BehaviorTree/BehaviorTree.CPP/commit/4b23dcaf0ce951a31299ebdd61df69f9ce99a76d |
| n/a--BehaviorTree | A vulnerability was identified in BehaviorTree up to 4.7.0. This vulnerability affects the function XMLParser::PImpl::loadDocImpl of the file /src/xml_parsing.cpp of the component XML Parser. The manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit is publicly available and might be used. | 2025-09-26 | 3.3 | CVE-2025-11013 | VDB-325956 \| BehaviorTree XML Parser xml_parsing.cpp loadDocImpl null pointer dereference VDB-325956 \| CTI Indicators (IOB, IOC, IOA) Submit #654075 \| Davide Faconti BehaviorTree 4.7.0 / master commit 8d47d39 NULL Pointer Dereference https://github.com/BehaviorTree/BehaviorTree.CPP/issues/1003 https://github.com/BehaviorTree/BehaviorTree.CPP/pull/1004 https://github.com/user-attachments/files/22245915/poc.zip |
| OGRECave--Ogre | A vulnerability was detected in OGRECave Ogre up to 14.4.1. The impacted element is the function Ogre::LogManager::stream of the file /ogre/OgreMain/src/OgreLogManager.cpp. Performing manipulation of the argument mDefaultLog results in null pointer dereference. The attack must be initiated from a local position. The exploit is now public and may be used. | 2025-09-26 | 3.3 | CVE-2025-11017 | VDB-325960 \| OGRECave Ogre OgreLogManager.cpp stream null pointer dereference VDB-325960 \| CTI Indicators (IOB, IOC, IOA) Submit #654456 \| Ogre3D Ogre v14.4.1 / master commit f629d22 NULL Pointer Dereference https://github.com/OGRECave/ogre/issues/3447 https://github.com/user-attachments/files/22335685/poc.zip |
| givanz--Vvveb | A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | 2025-09-26 | 3.5 | CVE-2025-11026 | VDB-325964 \| givanz Vvveb Configuration File information disclosure VDB-325964 \| CTI Indicators (IOB, IOC, TTP) Submit #657181 \| givanz Vvveb Vvveb 1.0.7.2 Information Disclosure https://gist.github.com/KhanMarshaI/14b48f974cbdaa3278a81a169e4caae1 |
| GNU--Binutils | A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue. | 2025-09-27 | 3.3 | CVE-2025-11081 | VDB-326122 \| GNU Binutils objdump.c dump_dwarf_section out-of-bounds VDB-326122 \| CTI Indicators (IOB, IOC, IOA) Submit #661275 \| GNU Binutils 2.45 Out-of-Bounds Read https://sourceware.org/bugzilla/show_bug.cgi?id=33406 https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2 https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b https://www.gnu.org/ |
| code-projects--Project Monitoring System | A vulnerability has been found in code-projects Project Monitoring System 1.0. Affected is an unknown function of the file /onlineJobSearchEngine/postjob.php. Such manipulation of the argument txtapplyto leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-09-28 | 3.5 | CVE-2025-11124 | VDB-326205 \| code-projects Project Monitoring System postjob.php cross site scripting VDB-326205 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #664309 \| code-projects Project Monitoring System 1.0 Improper Neutralization of Alternate XSS Syntax https://github.com/asd1238525/cve/blob/main/xss4.md https://github.com/asd1238525/cve/blob/main/xss4.md#poc https://code-projects.org/ |
| WSO2--WSO2 Identity Server | A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system. | 2025-09-26 | 3.7 | CVE-2025-1396 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3983/ |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service. | 2025-09-24 | 3.3 | CVE-2025-23248 | https://nvd.nist.gov/vuln/detail/CVE-2025-23248 https://www.cve.org/CVERecord?id=CVE-2025-23248 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the cuobjdump binary where a user may cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability may lead to a partial denial of service. | 2025-09-24 | 3.3 | CVE-2025-23255 | https://nvd.nist.gov/vuln/detail/CVE-2025-23255 https://www.cve.org/CVERecord?id=CVE-2025-23255 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service. | 2025-09-24 | 3.3 | CVE-2025-23271 | https://nvd.nist.gov/vuln/detail/CVE-2025-23271 https://www.cve.org/CVERecord?id=CVE-2025-23271 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where an attacker may cause a heap-based buffer overflow by getting the user to run nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running nvdisasm. | 2025-09-24 | 3.3 | CVE-2025-23308 | https://nvd.nist.gov/vuln/detail/CVE-2025-23308 https://www.cve.org/CVERecord?id=CVE-2025-23308 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where a user may cause an out-of-bounds write by running nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to denial of service. | 2025-09-24 | 3.3 | CVE-2025-23338 | https://nvd.nist.gov/vuln/detail/CVE-2025-23338 https://www.cve.org/CVERecord?id=CVE-2025-23338 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in cuobjdump where an attacker may cause a stack-based buffer overflow by getting the user to run cuobjdump on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running cuobjdump. | 2025-09-24 | 3.3 | CVE-2025-23339 | https://nvd.nist.gov/vuln/detail/CVE-2025-23339 https://www.cve.org/CVERecord?id=CVE-2025-23339 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service. | 2025-09-24 | 3.3 | CVE-2025-23340 | https://nvd.nist.gov/vuln/detail/CVE-2025-23340 https://www.cve.org/CVERecord?id=CVE-2025-23340 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit contains a vulnerability in cuobjdump, where an unprivileged user can cause a NULL pointer dereference. A successful exploit of this vulnerability may lead to a limited denial of service. | 2025-09-24 | 3.3 | CVE-2025-23346 | https://nvd.nist.gov/vuln/detail/CVE-2025-23346 https://www.cve.org/CVERecord?id=CVE-2025-23346 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| IBM--watsonx.data | IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user. | 2025-09-27 | 3.3 | CVE-2025-36144 | https://www.ibm.com/support/pages/node/7246267 |
| IBM--Cognos Controller | IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies. | 2025-09-26 | 3.7 | CVE-2025-36326 | https://www.ibm.com/support/pages/node/7246015 |
| Rapid7--Appspider Pro | Rapid7 Appspider Pro versions below 7.5.021 suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard users to add custom configuration files. These files, which are loaded in alphabetical order, can override or change the settings of the original configuration files, creating a security vulnerability. This issue stems from improper directory access management. This vulnerability was remediated in version 7.5.021 of the product. | 2025-09-25 | 3.3 | CVE-2025-36857 | https://docs.rapid7.com/insight/releasenotes-2025sep/#application-security-insightappsec-and-appspider |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name to the victim's project. | 2025-09-26 | 3.5 | CVE-2025-5069 | GitLab Issue #544926 HackerOne Bug Bounty Report #3019236 |
| Zohocorp--Endpoint Central | ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup. This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13. | 2025-09-25 | 3.9 | CVE-2025-5494 | https://www.manageengine.com/products/desktop-central/privilege-escalation-endpointcentral-agent.html |
| codepeople--CP Multi View Event Calendar | Missing Authorization vulnerability in codepeople CP Multi View Event Calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CP Multi View Event Calendar: from n/a through 1.4.32. | 2025-09-22 | 3.8 | CVE-2025-58009 | https://patchstack.com/database/wordpress/plugin/cp-multi-view-calendar/vulnerability/wordpress-cp-multi-view-event-calendar-plugin-1-4-32-broken-access-control-vulnerability?_s_id=cve |
| Alex--Content Mask | Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2. | 2025-09-22 | 3.8 | CVE-2025-58012 | https://patchstack.com/database/wordpress/plugin/content-mask/vulnerability/wordpress-content-mask-plugin-1-8-5-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| glib-networking's OpenSSL backend --N/A | glib-networking's OpenSSL backend fails to properly check the return value of memory allocation routines. An out of memory condition could potentially result in writing to an invalid memory location. | 2025-09-25 | 3.7 | CVE-2025-60019 | https://access.redhat.com/security/cve/CVE-2025-60019 RHBZ#2398140 https://gitlab.gnome.org/GNOME/glib-networking/-/issues/227 |
| roxnor--ShopEngine Elementor WooCommerce Builder Addon All in One WooCommerce Solution | The ShopEngine Elementor WooCommerce Builder Addon - All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings. | 2025-09-26 | 2.7 | CVE-2025-10173 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d8b816f-815a-4109-b34b-06e806c765e8?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3365569%40shopengine&new=3365569%40shopengine&sfp_email=&sfph_mail= |
| Mangati--NovoSGA | A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component SVG File Handler. Performing manipulation of the argument logoNavbar/logoLogin results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-24 | 2.4 | CVE-2025-10909 | VDB-325696 \| Mangati NovoSGA SVG File admin cross site scripting VDB-325696 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651379 \| Mangati NovoSGA 2.2.9 Cross Site Scripting https://hackmd.io/@noka/B1qwCyR9ll https://hackmd.io/@noka/B1qwCyR9ll#%E2%9E%A4-Payload |
| Total.js--CMS | A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 2.4 | CVE-2025-10940 | VDB-325810 \| Total.js CMS Layout admin layouts_save cross site scripting VDB-325810 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651867 \| Total.js CMS 10 Cross Site Scripting |
| Changsha Developer Technology--iView Editor | A vulnerability was found in Changsha Developer Technology iView Editor up to 1.1.1. This impacts an unknown function of the component Markdown Handler. The manipulation results in cross site scripting. The attack may be performed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-25 | 2.4 | CVE-2025-10949 | VDB-325819 \| Changsha Developer Technology iView Editor Markdown cross site scripting VDB-325819 \| CTI Indicators (IOB, IOC, TTP) Submit #652402 \| Changsha Developer Technology Co., Ltd. iView Editor <=1.1.1 XSS vulnerability https://github.com/duckpigdog/CVE/blob/main/iView%20Editor%20XSS.docx |
| Total.js--CMS | A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-09-26 | 2.4 | CVE-2025-11019 | VDB-325962 \| Total.js CMS Files Menu cross site scripting VDB-325962 \| CTI Indicators (IOB, IOC, TTP) Submit #651427 \| Total.js CMS v19.9.0 Cross Site Scripting |
| givanz--Vvveb | A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Affected by this issue is some unknown functionality of the component SVG File Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | 2025-09-26 | 2.4 | CVE-2025-11027 | VDB-325965 \| givanz Vvveb SVG File cross site scripting VDB-325965 \| CTI Indicators (IOB, IOC, TTP) Submit #657184 \| givanz Vvveb Vvveb 1.0.7.2 File Upload https://gist.github.com/KhanMarshaI/b90045ee823866a52f33615776b5a6ec |
| Projectworlds--Visitor Management System | A vulnerability has been found in Projectworlds Visitor Management System 1.0. Affected is an unknown function of the file /myform.php of the component Add Visitor Page. The manipulation of the argument Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-09-27 | 2.4 | CVE-2025-11067 | VDB-326106 \| Projectworlds Visitor Management System Add Visitor myform.php cross site scripting VDB-326106 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #659652 \| projectworlds Visitor Management System V 1.0 Cross Site Scripting https://github.com/tddgns/cve/issues/2 |
| westboy--CicadasCMS | A vulnerability was found in westboy CicadasCMS 1.0. Affected by this vulnerability is an unknown functionality of the file /system/cms/category/save. The manipulation of the argument categoryName results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-09-27 | 2.4 | CVE-2025-11068 | VDB-326107 \| westboy CicadasCMS save cross site scripting VDB-326107 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #658064 \| https://gitee.com/westboy/CicadasCMS/branches CicadasCMS 1.0 Incomplete Denylist to Cross-Site Scripting https://github.com/devastatingglamour/CVE/blob/main/CicadasCMS-XSS2.md |
| westboy--CicadasCMS | A vulnerability was determined in westboy CicadasCMS 1.0. Affected by this issue is some unknown functionality of the file /system/org/save of the component Add Department Handler. This manipulation of the argument Name causes cross site scripting. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-27 | 2.4 | CVE-2025-11069 | VDB-326108 \| westboy CicadasCMS Add Department save cross site scripting VDB-326108 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #659653 \| https://gitee.com/westboy/CicadasCMS/branches CicadasCMS v1.0 Cross Site Scripting https://github.com/devastatingglamour/CVE/blob/main/CicadasCMS-XSS3.md |
| NVIDIA--NVIDIA CUDA Toolkit | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvJPEG where a local authenticated user may cause a divide by zero error by submitting a specially crafted JPEG file. A successful exploit of this vulnerability may lead to denial of service. | 2025-09-24 | 2.5 | CVE-2025-23273 | https://nvd.nist.gov/vuln/detail/CVE-2025-23273 https://www.cve.org/CVERecord?id=CVE-2025-23273 https://nvidia.custhelp.com/app/answers/detail/a_id/5661 |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set HTML in module titles that could include JavaScript, which could be used for XSS-based attacks. This issue has been patched in version 10.1.0. | 2025-09-23 | 2.4 | CVE-2025-59546 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-gj8m-5492-q98h |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Rob--W / cors-anywhere--Rob--W / cors-anywhere | Rob--W / cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF). Because the proxy forwards requests and headers, an attacker can reach internal-only endpoints and link-local metadata services, retrieve instance role credentials or other sensitive metadata, and interact with internal APIs and services that are not intended to be internet-facing. The vulnerability is exploitable by sending crafted requests to the proxy with the target resource encoded in the URL; many cors-anywhere deployments forward arbitrary methods and headers (including PUT), which can permit exploitation of IMDSv2 workflows as well as access to internal management APIs. Successful exploitation can result in theft of cloud credentials, unauthorized access to internal services, remote code execution or privilege escalation (depending on reachable backends), data exfiltration, and full compromise of cloud resources. Mitigation includes: restricting the proxy to trusted origins or authentication, whitelisting allowed target hosts, preventing access to link-local and internal IP ranges, removing support for unsafe HTTP methods/headers, enabling cloud provider mitigations, and deploying network-level protections. | 2025-09-25 | not yet calculated | CVE-2020-36851 | https://github.com/Rob--W/cors-anywhere/issues/152 https://github.com/Rob--W/cors-anywhere/issues/78 https://www.certik.com/resources/blog/cors-anywhere-dangers-of-misconfigured-third-party-software https://www.vulncheck.com/advisories/rob-w-cors-anywhere-misconfigured-cors-proxy-allows-ssrf https://github.com/SocketDev/security-research/security/advisories/GHSA-9wmg-93pw-fc3g https://github.com/Rob--W/cors-anywhere/issues/521 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Disable works on hci_unregister_dev This makes use of disable_work_* on hci_unregister_dev since the hci_dev is about to be freed and new submissions are not desirable. | 2025-09-24 | not yet calculated | CVE-2024-58241 | https://git.kernel.org/stable/c/cfdb13a54e05eb98d9940cb6d1a13e7f994d811f https://git.kernel.org/stable/c/989fa5171f005ecf63440057218d8aeb1795287d |
| Invoice Ninja--Invoice Ninja 5 | Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files. | 2025-09-22 | not yet calculated | CVE-2025-10009 | https://github.com/invoiceninja/invoiceninja/commit/02151b570b226b4584a8e61b06b10be9366da3de |
| OnePlus--OxygenOS | The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers. | 2025-09-23 | not yet calculated | CVE-2025-10184 | https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/ https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip |
| Perforce--Puppet Enterprise | In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version. | 2025-09-24 | not yet calculated | CVE-2025-10360 | https://portal.perforce.com/s/cve/a91PA000001Smp7YAC/insufficiently-protected-credentials-in-puppet-enterprise-20254-and-20255 |
| Google--Chrome | Use after free in Dawn in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-09-24 | not yet calculated | CVE-2025-10500 | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html https://issues.chromium.org/issues/435875050 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-09-24 | not yet calculated | CVE-2025-10501 | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html https://issues.chromium.org/issues/440737137 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High) | 2025-09-24 | not yet calculated | CVE-2025-10502 | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html https://issues.chromium.org/issues/438038775 |
| iMonitor Software Inc.--iMonitor EAM | iMonitor EAM 9.6394 transmits communication between the EAM client agent and the EAM server, as well as between the EAM monitor management software and the server, in plaintext without authentication or encryption. An attacker with network access can intercept sensitive information (such as credentials, keylogger data, and personally identifiable information) and tamper with traffic. This allows both unauthorized disclosure and modification of data, including issuing arbitrary commands to client agents. | 2025-09-25 | not yet calculated | CVE-2025-10540 | https://r.sec-consult.com/imonitor |
| iMonitor Software Inc.--iMonitor EAM | iMonitor EAM 9.6394 installs a system service (eamusbsrv64.exe) that runs with NT AUTHORITY\SYSTEM privileges. This service includes an insecure update mechanism that automatically loads files placed in the C:\sysupdate\ directory during startup. Because any local user can create and write to this directory, an attacker can place malicious DLLs or executables in it. Upon service restart, the files are moved to the application's installation path and executed with SYSTEM privileges, leading to privilege escalation. | 2025-09-25 | not yet calculated | CVE-2025-10541 | https://r.sec-consult.com/imonitor |
| iMonitor Software Inc.--iMonitor EAM | iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client's connection dialog. If the administrator does not change these defaults, a remote attacker can authenticate to the EAM server and gain full control over monitored agents and data. This enables reading highly sensitive telemetry (including keylogger output) and issuing arbitrary actions to all connected clients. | 2025-09-25 | not yet calculated | CVE-2025-10542 | https://r.sec-consult.com/imonitor |
| AvePoint--DocAve | Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files that compromise the system. In addition, it is vulnerable to Path Traversal, which allows files to be written to arbitrary directories within the web root. | 2025-09-26 | not yet calculated | CVE-2025-10544 | https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-uploading-dangerous-file-types-avepoint-products |
| CleverControl--CleverControl employee monitoring software | The CleverControl employee monitoring software (v11.5.1041.6) fails to validate TLS server certificates during the installation process. The installer downloads and executes external components using curl.exe --insecure, enabling a man-in-the-middle attacker to deliver malicious files that are executed with SYSTEM privileges. This can lead to full remote code execution with administrative rights. No patch is available as the vendor has been unresponsive. It is assumed that previous versions are also affected, but this is not confirmed. | 2025-09-23 | not yet calculated | CVE-2025-10548 | https://r.sec-consult.com/clevercontrol |
| Google--Chrome | Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-09-24 | not yet calculated | CVE-2025-10585 | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html https://issues.chromium.org/issues/445380761 |
| Docker--Docker Desktop | In a hardened Docker environment, with Enhanced Container Isolation (ECI, https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/) enabled, an administrator can utilize the command restrictions feature (https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/config/#command-restrictions) to restrict commands that a container with a Docker socket mount may issue on that socket. Due to a software bug, the configuration to restrict commands was ignored when passed to ECI, allowing any command to be executed on the socket. This grants excessive privileges by permitting unrestricted access to powerful Docker commands. The vulnerability affects only Docker Desktop 4.46.0 users that have ECI enabled and are using the Docker socket command restrictions feature. In addition, since ECI restricts mounting the Docker socket into containers by default, it only affects containers which are explicitly allowed by the administrator to mount the Docker socket. | 2025-09-26 | not yet calculated | CVE-2025-10657 | https://docs.docker.com/desktop/release-notes |
| Dingtian--DT-R002 | All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication. | 2025-09-25 | not yet calculated | CVE-2025-10879 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01 |
| Dingtian--DT-R002 | All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to extract the proprietary "Dingtian Binary" protocol password by sending an unauthenticated GET request. | 2025-09-25 | not yet calculated | CVE-2025-10880 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01 |
| Google--Chrome | Side-channel information leakage in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2025-09-24 | not yet calculated | CVE-2025-10890 | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html https://issues.chromium.org/issues/430336833 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-09-24 | not yet calculated | CVE-2025-10891 | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html https://issues.chromium.org/issues/443765373 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-09-24 | not yet calculated | CVE-2025-10892 | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html https://issues.chromium.org/issues/444048019 |
| Syrotech Networks--Syrotech SY-GPON-2010-WADONT | This vulnerability exists in the Syrotech SY-GPON-2010-WADONT router due to improper access control in its FTP service. A remote attacker could exploit this vulnerability by establishing an FTP connection using default credentials, potentially gaining unauthorized access to configuration files, user credentials, or other sensitive information stored on the targeted device. | 2025-09-25 | not yet calculated | CVE-2025-10957 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0223 |
| TOTOLINK--X6000R | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1458_B20250708. | 2025-09-25 | not yet calculated | CVE-2025-11005 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0005/PANW-2025-0005.md |
| Asterisk--Asterisk | A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart. | 2025-09-23 | not yet calculated | CVE-2025-1131 | https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp |
| RTI--Connext Professional | Untrusted Pointer Dereference vulnerability in RTI Connext Professional (Core Libraries) allows Pointer Manipulation. This issue affects Connext Professional: from 7.4.0 before 7.6.0, from 7.2.0 before 7.3.0.9. | 2025-09-23 | not yet calculated | CVE-2025-1255 | https://www.rti.com/vulnerabilities/#cve-2025-1255 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions. | 2025-09-22 | not yet calculated | CVE-2025-25177 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Sourcecodester[.]com -- EMS v1.0 | Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.' | 2025-09-26 | not yet calculated | CVE-2025-26258 | https://www.sourcecodester.com/php/17847/employee-management-system-using-php-and-mysql-source-code.html https://github.com/oye-ujjwal/CVEs/blob/main/Employee%20Management%20System%20App/CVE-2025-26258 |
| DREF -- dref v0.1.2 | A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | 2025-09-25 | not yet calculated | CVE-2025-26278 | https://gist.github.com/tariqhawis/ad92d5e683f3a5d83e0629955ff42ad7 https://github.com/OrangeShieldInfos/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-26278 |
| Ericsson--Indoor Connect 8855 | Ericsson Indoor Connect 8855 contains a SQL injection vulnerability which if exploited can lead to unauthorized disclosure and modification of user and configuration data. | 2025-09-25 | not yet calculated | CVE-2025-27261 | https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25 |
| Ericsson--Indoor Connect 8855 | Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can lead to loss of integrity and confidentiality, as well as unauthorized disclosure and modification of user and configuration data. It may also be possible to execute commands with escalated privileges, impact service availability, as well as modify system files and configuration data. | 2025-09-25 | not yet calculated | CVE-2025-27262 | https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25 |
| CSZCMS[.]com -- CSZ-CMS v.1.3.0 | SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Plugin_Manager.php file. | 2025-09-23 | not yet calculated | CVE-2025-29083 | https://github.com/fax77829yz/CSZ_CMS-exploit/blob/main/README.md#cve2 |
| CSZCMS[.]com -- CSZ-CMS v.1.3.0 | SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Upgrade.php file. | 2025-09-23 | not yet calculated | CVE-2025-29084 | https://github.com/fax77829yz/CSZ_CMS-exploit/blob/main/README.md#cve1 |
| https//petstore[.]swagger[.]io / OpenAPI 3 petstore -- petstore v.1.0.7 | An issue in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via the DELETE endpoint. | 2025-09-25 | not yet calculated | CVE-2025-29155 | https://github.com/swagger-api/swagger-petstore https://github.com/swagger-api/swagger-petstore/blob/master/src/main/resources/openapi.yaml https://gist.github.com/HouqiyuA/4efd1aac7c7c7ab0cd5db48d62541a74 |
| https//petstore[.]swagger[.]io / OpenAPI 3 petstore -- petstore v.1.0.7 | Cross Site Scripting vulnerability in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via a crafted script to the /api/v3/pet endpoint. | 2025-09-25 | not yet calculated | CVE-2025-29156 | https://github.com/swagger-api/swagger-petstore/blob/master/src/main/resources/openapi.yaml https://github.com/swagger-api/swagger-petstore https://gist.github.com/HouqiyuA/9d2c3f0ba075d01631aff879546e419c |
| https//petstore[.]swagger[.]io / OpenAPI 3 petstore -- petstore v.1.0.7 | An issue in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via accessing a non-existent endpoint/cart; the server returns a 404 error page exposing sensitive information including the Servlet name (default) and server version. | 2025-09-25 | not yet calculated | CVE-2025-29157 | https://github.com/swagger-api/swagger-petstore https://petstore3.swagger.io/#/pet/updatePet https://gist.github.com/HouqiyuA/3c36f78e8de9f6a3cfb0959477c07443 |
| Nagios--Nagios XI | Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user. | 2025-09-25 | not yet calculated | CVE-2025-34227 | https://www.nagios.com/changelog/ https://www.nagios.com/products/security/ https://www.vulncheck.com/advisories/nagios-xi-config-wizard-auth-command-injection |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix runtime warning on truncate_folio_batch_exceptionals() Commit 0e2f80afcfa6("fs/dax: ensure all pages are idle prior to filesystem unmount") introduced the WARN_ON_ONCE to capture whether the filesystem has removed all DAX entries or not and applied the fix to xfs and ext4. Apply the missed fix on erofs to fix the runtime warning: ---truncated--- | 2025-09-23 | not yet calculated | CVE-2025-39868 | https://git.kernel.org/stable/c/91c34cd6ca1bc67ccf2d104834956af56b5893de https://git.kernel.org/stable/c/181993bb0d626cf88cc803f4356ce5c5abe86278 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Fix a critical memory allocation bug in edma_setup_from_hw() where queue_priority_map was allocated with insufficient memory. The code declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but allocated memory using sizeof(s8) instead of the correct size. This caused out-of-bounds memory writes when accessing: queue_priority_map[i][0] = i; queue_priority_map[i][1] = i; The bug manifested as kernel crashes with "Oops - undefined instruction" on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the memory corruption triggered kernel hardening features on Clang. Change the allocation to use sizeof(*queue_priority_map) which automatically gets the correct size for the 2D array structure. | 2025-09-23 | not yet calculated | CVE-2025-39869 | https://git.kernel.org/stable/c/5e462fa0dfdb52b3983cf41532d3d4c7d63e2f93 https://git.kernel.org/stable/c/1baed10553fc8b388351d8fc803e3ae6f1a863bc https://git.kernel.org/stable/c/069fd1688c57c0cc8a3de64d108579b31676f74b https://git.kernel.org/stable/c/d5e82f3f2c918d446df46e8d65f8083fd97cdec5 https://git.kernel.org/stable/c/e63419dbf2ceb083c1651852209c7f048089ac0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix double free in idxd_setup_wqs() The clean up in idxd_setup_wqs() has had a couple bugs because the error handling is a bit subtle. It's simpler to just re-write it in a cleaner way. The issues here are: 1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when "conf_dev" hasn't been initialized. 2) If kzalloc_node() fails then again "conf_dev" is invalid. It's either uninitialized or it points to the "conf_dev" from the previous iteration so it leads to a double free. It's better to free partial loop iterations within the loop and then the unwinding at the end can handle whole loop iterations. I also renamed the labels to describe what the goto does and not where the goto was located. | 2025-09-23 | not yet calculated | CVE-2025-39870 | https://git.kernel.org/stable/c/25e6146c2812487a88f619d5ff6efbdcd5b2bc31 https://git.kernel.org/stable/c/df82c7901513fd0fc738052a8e6a330d92cc8ec9 https://git.kernel.org/stable/c/ec5430d090d0b6ace8fefa290fc37e88930017d2 https://git.kernel.org/stable/c/9f0e225635475b2285b966271d5e82cba74295b1 https://git.kernel.org/stable/c/39aaa337449e71a41d4813be0226a722827ba606 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Remove improper idxd_free The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... Call Trace: <TASK> idxd_remove+0xe4/0x120 [idxd] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x197/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x74/0xf0 pci_unregister_driver+0x2e/0xb0 idxd_exit_module+0x34/0x7a0 [idxd] __do_sys_delete_module.constprop.0+0x183/0x280 do_syscall_64+0x54/0xd70 entry_SYSCALL_64_after_hwframe+0x76/0x7e The idxd_unregister_devices() which is invoked at the very beginning of idxd_remove(), already takes care of the necessary put_device() through the following call path: idxd_unregister_devices() -> device_unregister() -> put_device() In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is called immediately after, it can result in a use-after-free. Remove the improper idxd_free() to avoid both the refcount underflow and potential memory corruption during module unload. | 2025-09-23 | not yet calculated | CVE-2025-39871 | https://git.kernel.org/stable/c/0e95ee7f532b21206fe3f1c4054002b0d21e3b9c https://git.kernel.org/stable/c/dd7a7e43269711d757fc260b0bbdf7138f75de11 https://git.kernel.org/stable/c/da4fbc1488a4cec6748da685181ee4449a878dac https://git.kernel.org/stable/c/f41c538881eec4dcf5961a242097d447f848cda6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hsr: hold rcu and dev lock for hsr_get_port_ndev hsr_get_port_ndev calls hsr_for_each_port, which needs to hold the rcu lock. On the other hand, before returning the port device, we need to hold the device reference to avoid UaF in the caller function. | 2025-09-23 | not yet calculated | CVE-2025-39872 | https://git.kernel.org/stable/c/68a6729afd3e8e9a2a32538642ce92b96ccf9b1d https://git.kernel.org/stable/c/847748fc66d08a89135a74e29362a66ba4e3ab15 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call. However, xilinx_can xcan_write_frame() keeps using SKB after the call. Fix that by only calling can_put_echo_skb() after the code is done touching the SKB. The tx_lock is held for the entire xcan_write_frame() execution and also on the can_get_echo_skb() side so the order of operations does not matter. An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb memory") did not move the can_put_echo_skb() call far enough. [mkl: add "commit" in front of sha1 in patch description] [mkl: fix indention] | 2025-09-23 | not yet calculated | CVE-2025-39873 | https://git.kernel.org/stable/c/1139321161a3ba5e45e61e0738b37f42f20bc57a https://git.kernel.org/stable/c/94b050726288a56a6b8ff55aa641f2fedbd3b44c https://git.kernel.org/stable/c/725b33deebd6e4c96fe7893f384510a54258f28f https://git.kernel.org/stable/c/668cc1e3bb21101d074e430de1b7ba8fd10189e7 https://git.kernel.org/stable/c/ef79f00be72bd81d2e1e6f060d83cf7e425deee4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: macsec: sync features on RTM_NEWLINK Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES: netdev_lock include/linux/netdevice.h:2761 [inline] netdev_lock_ops include/net/netdev_lock.h:42 [inline] netdev_sync_lower_features net/core/dev.c:10649 [inline] __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819 netdev_update_features+0x6d/0xe0 net/core/dev.c:10876 macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline] call_netdevice_notifiers net/core/dev.c:2281 [inline] netdev_features_change+0x85/0xc0 net/core/dev.c:1570 __dev_ethtool net/ethtool/ioctl.c:3469 [inline] dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502 dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759 It happens because lower features are out of sync with the upper: __dev_ethtool (real_dev) netdev_lock_ops(real_dev) ETHTOOL_SFEATURES __netdev_features_change netdev_sync_upper_features disable LRO on the lower if (old_features != dev->features) netdev_features_change fires NETDEV_FEAT_CHANGE macsec_notify NETDEV_FEAT_CHANGE netdev_update_features (for each macsec dev) netdev_sync_lower_features if (upper_features != lower_features) netdev_lock_ops(lower) # lower == real_dev stuck ... netdev_unlock_ops(real_dev) Per commit af5f54b0ef9e ("net: Lock lower level devices when updating features"), we elide the lock/unlock when the upper and lower features are synced. Makes sure the lower (real_dev) has proper features after the macsec link has been created. This makes sure we never hit the situation where we need to sync upper flags to the lower. | 2025-09-23 | not yet calculated | CVE-2025-39874 | https://git.kernel.org/stable/c/d7624629ccf47135c65fef0701fa0d9a115b87f3 https://git.kernel.org/stable/c/0f82c3ba66c6b2e3cde0f255156a753b108ee9dc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: igb: Fix NULL pointer dereference in ethtool loopback test The igb driver currently causes a NULL pointer dereference when executing the ethtool loopback test. This occurs because there is no associated q_vector for the test ring when it is set up, as interrupts are typically not added to the test rings. Since commit 5ef44b3cb43b removed the napi_id assignment in __xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it. Therefore, simply use 0 as the last parameter. | 2025-09-23 | not yet calculated | CVE-2025-39875 | https://git.kernel.org/stable/c/473be7d39efd3be383e9c0c8e44b53508b4ffeb5 https://git.kernel.org/stable/c/75871a525a596ff4d16c4aebc0018f8d0923c9b1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev. | 2025-09-23 | not yet calculated | CVE-2025-39876 | https://git.kernel.org/stable/c/5f1bb554a131e59b28482abad21f691390651752 https://git.kernel.org/stable/c/fe78891f296ac05bf4e5295c9829ef822f3c32e7 https://git.kernel.org/stable/c/4fe53aaa4271a72fe5fe3e88a45ce01646b68dc5 https://git.kernel.org/stable/c/eb148d85e126c47d65be34f2a465d69432ca5541 https://git.kernel.org/stable/c/03e79de4608bdd48ad6eec272e196124cefaf798 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix use-after-free in state_show() state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. This allows a use-after-free race: CPU 0 CPU 1 ----- ----- state_show() damon_sysfs_turn_damon_on() ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock); damon_destroy_ctx(kdamond->damon_ctx); kdamond->damon_ctx = NULL; mutex_unlock(&damon_sysfs_lock); damon_is_running(ctx); /* ctx is freed */ mutex_lock(&ctx->kdamond_lock); /* UAF */ (The race can also occur with damon_sysfs_kdamonds_rm_dirs() and damon_sysfs_kdamond_release(), which free or replace the context under damon_sysfs_lock.) Fix by taking damon_sysfs_lock before dereferencing the context, mirroring the locking used in pid_show(). The bug has existed since state_show() first accessed kdamond->damon_ctx. | 2025-09-23 | not yet calculated | CVE-2025-39877 | https://git.kernel.org/stable/c/3858c44341ad49dc7544b19cc9f9ecffaa7cc50e https://git.kernel.org/stable/c/60d7a3d2b985a395318faa1d88da6915fad11c19 https://git.kernel.org/stable/c/26d29b2ac87a2989071755f9828ebf839b560d4c https://git.kernel.org/stable/c/4e87f461d61959647464a94d11ae15c011be58ce https://git.kernel.org/stable/c/3260a3f0828e06f5f13fac69fb1999a6d60d9cff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error The function move_dirty_folio_in_page_array() was created by commit ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method") by moving code from ceph_writepages_start() to this function. This new function is supposed to return an error code which is checked by the caller (now ceph_process_folio_batch()), and on error, the caller invokes redirty_page_for_writepage() and then breaks from the loop. However, the refactoring commit has gone wrong, and by accident, it always returns 0 (= success) because it first NULLs the pointer and then returns PTR_ERR(NULL) which is always 0. This means errors are silently ignored, leaving NULL entries in the page array, which may later crash the kernel. The simple solution is to call PTR_ERR() before clearing the pointer. | 2025-09-23 | not yet calculated | CVE-2025-39878 | https://git.kernel.org/stable/c/dd1616ecbea920d228c56729461ed223cc501425 https://git.kernel.org/stable/c/249e0a47cdb46bb9eae65511c569044bd8698d7d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: always call ceph_shift_unused_folios_left() The function ceph_process_folio_batch() sets folio_batch entries to NULL, which is an illegal state. Before folio_batch_release() crashes due to this API violation, the function ceph_shift_unused_folios_left() is supposed to remove those NULLs from the array. However, since commit ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method"), this shifting doesn't happen anymore because the "for" loop got moved to ceph_process_folio_batch(), and now the `i` variable that remains in ceph_writepages_start() doesn't get incremented anymore, making the shifting effectively unreachable much of the time. Later, commit 1551ec61dc55 ("ceph: introduce ceph_submit_write() method") added more preconditions for doing the shift, replacing the `i` check (with something that is still just as broken): - if ceph_process_folio_batch() fails, shifting never happens - if ceph_move_dirty_page_in_page_array() was never called (because ceph_process_folio_batch() has returned early for some of various reasons), shifting never happens - if `processed_in_fbatch` is zero (because ceph_process_folio_batch() has returned early for some of the reasons mentioned above or because ceph_move_dirty_page_in_page_array() has failed), shifting never happens Since those two commits, any problem in ceph_process_folio_batch() could crash the kernel, e.g. this way: The crash can be reproduced easily by changing the ceph_check_page_before_write() return value to `-E2BIG`. (Interestingly, the crash happens only if `huge_zero_folio` has already been allocated; without `huge_zero_folio`, is_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULL entries instead of dereferencing them. That makes reproducing the bug somewhat unreliable. See https://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com for a discussion of this detail.) My suggestion is to move the ceph_shift_unused_folios_left() to right after ceph_process_folio_batch() to ensure it always gets called to fix up the illegal folio_batch state. | 2025-09-23 | not yet calculated | CVE-2025-39879 | https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2 https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses to ceph_connection_v1_info There is a place where generic code in messenger.c is reading and another place where it is writing to con->v1 union member without checking that the union member is active (i.e. msgr1 is in use). On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter, so such a read is almost guaranteed to return a bogus value instead of 0 when msgr2 is in use. This ends up being fairly benign because the side effect is just the invalidation of the authorizer and successive fetching of new tickets. con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that it's being written to can cause more serious consequences, but luckily it's not something that happens often. | 2025-09-23 | not yet calculated | CVE-2025-39880 | https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5 https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8 https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983 https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kernfs: Fix UAF in polling when open file is released A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism: BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140 Read of size 8 at addr ffff3de3d50bd308 by task systemd/1 psi_trigger_poll+0x3c/0x140 cgroup_pressure_poll+0x70/0xa0 cgroup_file_poll+0x8c/0x100 kernfs_fop_poll+0x11c/0x1c0 ep_item_poll.isra.0+0x188/0x2c0 Allocated by task 1: cgroup_file_open+0x88/0x388 kernfs_fop_open+0x73c/0xaf0 do_dentry_open+0x5fc/0x1200 vfs_open+0xa0/0x3f0 do_open+0x7e8/0xd08 path_openat+0x2fc/0x6b0 do_filp_open+0x174/0x368 Freed by task 8462: cgroup_file_release+0x130/0x1f8 kernfs_drain_open_files+0x17c/0x440 kernfs_drain+0x2dc/0x360 kernfs_show+0x1b8/0x288 cgroup_file_show+0x150/0x268 cgroup_pressure_write+0x1dc/0x340 cgroup_file_write+0x274/0x548 Reproduction Steps: 1. Open test/cpu.pressure and establish epoll monitoring 2. Disable monitoring: echo 0 > test/cgroup.pressure 3. Re-enable monitoring: echo 1 > test/cgroup.pressure The race condition occurs because: 1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it: - Releases PSI triggers via cgroup_file_release() - Frees of->priv through kernfs_drain_open_files() 2. While epoll still holds reference to the file and continues polling 3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv epolling disable/enable cgroup.pressure fd=open(cpu.pressure) while(1) ... epoll_wait kernfs_fop_poll kernfs_get_active = true echo 0 > cgroup.pressure ... cgroup_file_show kernfs_show // inactive kn kernfs_drain_open_files cft->release(of); kfree(ctx); ... kernfs_get_active = false echo 1 > cgroup.pressure kernfs_show kernfs_activate_one(kn); kernfs_fop_poll kernfs_get_active = true cgroup_file_poll psi_trigger_poll // UAF ... end: close(fd) To address this issue, introduce kernfs_get_active_of() for kernfs open files to obtain active references. This function will fail if the open file has been released. Replace kernfs_get_active() with kernfs_get_active_of() to prevent further operations on released file descriptors. | 2025-09-23 | not yet calculated | CVE-2025-39881 | https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79 https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77 https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: fix potential OF node use-after-free The for_each_child_of_node() helper drops the reference it takes to each node as it iterates over children and an explicit of_node_put() is only needed when exiting the loop early. Drop the recently introduced bogus additional reference count decrement at each iteration that could potentially lead to a use-after-free. | 2025-09-23 | not yet calculated | CVE-2025-39882 | https://git.kernel.org/stable/c/b2fbe0f9f80b9cfa1e06ddcf8b863d918394ef1d https://git.kernel.org/stable/c/b58a26cdd4795c1ce6a80e38e9348885555dacd6 https://git.kernel.org/stable/c/c4901802ed1ce859242e10af06e6a7752cba0497 https://git.kernel.org/stable/c/4de37a48b6b58faaded9eb765047cf0d8785ea18 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory When I did memory failure tests, below panic occurs: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40 RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 Call Trace: <TASK> unpoison_memory+0x2f3/0x590 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110 debugfs_attr_write+0x42/0x60 full_proxy_write+0x5b/0x80 vfs_write+0xd5/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xb9/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08f0314887 RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887 RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001 RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009 R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00 </TASK> Modules linked in: hwpoison_inject ---[ end trace 0000000000000000 ]--- RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- The root cause is that unpoison_memory() tries to check the PG_HWPoison flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is triggered. This can be reproduced by below steps: 1. Offline memory block: echo offline > /sys/devices/system/memory/memory12/state 2. Get offlined memory pfn: page-types -b n -rlN 3. Write pfn to unpoison-pfn: echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn This scenario can be identified by pfn_to_online_page() returning NULL. And ZONE_DEVICE pages are never expected, so we can simply fail if pfn_to_online_page() == NULL to fix the bug. | 2025-09-23 | not yet calculated | CVE-2025-39883 | https://git.kernel.org/stable/c/e4ec6def5643a1c9511115b3884eb879572294c6 https://git.kernel.org/stable/c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a https://git.kernel.org/stable/c/7618fd443aa4cfa553a64cacf5721581653ee7b0 https://git.kernel.org/stable/c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96 https://git.kernel.org/stable/c/d613f53c83ec47089c4e25859d5e8e0359f6f8da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix subvolume deletion lockup caused by inodes xarray race There is a race condition between inode eviction and inode caching that can cause a live struct btrfs_inode to be missing from the root->inodes xarray. Specifically, there is a window during evict() between the inode being unhashed and deleted from the xarray. If btrfs_iget() is called for the same inode in that window, it will be recreated and inserted into the xarray, but then eviction will delete the new entry, leaving nothing in the xarray: Thread 1 Thread 2 --------------------------------------------------------------- evict() remove_inode_hash() btrfs_iget_path() btrfs_iget_locked() btrfs_read_locked_inode() btrfs_add_inode_to_root() destroy_inode() btrfs_destroy_inode() btrfs_del_inode_from_root() __xa_erase In turn, this can cause issues for subvolume deletion. Specifically, if an inode is in this lost state, and all other inodes are evicted, then btrfs_del_inode_from_root() will call btrfs_add_dead_root() prematurely. If the lost inode has a delayed_node attached to it, then when btrfs_clean_one_deleted_snapshot() calls btrfs_kill_all_delayed_nodes(), it will loop forever because the delayed_nodes xarray will never become empty (unless memory pressure forces the inode out). We saw this manifest as soft lockups in production. Fix it by only deleting the xarray entry if it matches the given inode (using __xa_cmpxchg()). | 2025-09-23 | not yet calculated | CVE-2025-39884 | https://git.kernel.org/stable/c/9ba898c9fcbe6ebb88bcd4df8aab0f90090d202e https://git.kernel.org/stable/c/f1498abaf74f8d7b1e7001f16ed77818d8ae6a59 https://git.kernel.org/stable/c/f6a6c280059c4ddc23e12e3de1b01098e240036f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore deadlock in fiemap call syzbot detected an OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961 __schedule_loop kernel/sched/core.c:7043 [inline] schedule+0x165/0x360 kernel/sched/core.c:7058 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115 rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185 __down_write_common kernel/locking/rwsem.c:1317 [inline] __down_write kernel/locking/rwsem.c:1326 [inline] down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591 ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142 do_page_mkwrite+0x14d/0x310 mm/memory.c:3361 wp_page_shared mm/memory.c:3762 [inline] do_wp_page+0x268d/0x5800 mm/memory.c:3981 handle_pte_fault mm/memory.c:6068 [inline] __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline] RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline] RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline] RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26 Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89 f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f 1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41 RSP: 0018:ffffc9000403f950 EFLAGS: 00050256 RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038 RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060 RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42 R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098 R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060 copy_to_user include/linux/uaccess.h:225 [inline] fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145 ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532 __do_sys_ioctl fs/ioctl.c:596 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f13850fd9 RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9 RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004 RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0 R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the extent list of this running mmap executable. The user supplied buffer to hold the fiemap information page faults calling ocfs2_page_mkwrite() which will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same semaphore. This recursive semaphore will hold filesystem locks and causes a hang of the filesystem. The ip_alloc_sem protects the inode extent list and size. Release the read semaphore before calling fiemap_fill_next_extent() in ocfs2_fiemap() and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock on the last extent but simplifies the error path. | 2025-09-23 | not yet calculated | CVE-2025-39885 | https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02 https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Currently, calling bpf_map_kmalloc_node() from __bpf_async_init() can cause various locking issues; see the following stack trace (edited for style) as one example: ... [10.011566] do_raw_spin_lock.cold [10.011570] try_to_wake_up (5) double-acquiring the same [10.011575] kick_pool rq_lock, causing a hardlockup [10.011579] __queue_work [10.011582] queue_work_on [10.011585] kernfs_notify [10.011589] cgroup_file_notify [10.011593] try_charge_memcg (4) memcg accounting raises an [10.011597] obj_cgroup_charge_pages MEMCG_MAX event [10.011599] obj_cgroup_charge_account [10.011600] __memcg_slab_post_alloc_hook [10.011603] __kmalloc_node_noprof ... [10.011611] bpf_map_kmalloc_node [10.011612] __bpf_async_init [10.011615] bpf_timer_init (3) BPF calls bpf_timer_init() [10.011617] bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable [10.011619] bpf__sched_ext_ops_runnable [10.011620] enqueue_task_scx (2) BPF runs with rq_lock held [10.011622] enqueue_task [10.011626] ttwu_do_activate [10.011629] sched_ttwu_pending (1) grabs rq_lock ... The above was reproduced on bpf-next (b338cf849ec8) by modifying ./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during ops.runnable(), and hacking the memcg accounting code a bit to make a bpf_timer_init() call more likely to raise an MEMCG_MAX event. We have also run into other similar variants (both internally and on bpf-next), including double-acquiring cgroup_file_kn_lock, the same worker_pool::lock, etc. As suggested by Shakeel, fix this by using __GFP_HIGH instead of GFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg() raises an MEMCG_MAX event, we call __memcg_memory_event() with @allow_spinning=false and avoid calling cgroup_file_notify() there. Depends on mm patch "memcg: skip cgroup_file_notify if spinning is not allowed": https://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/ v0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/ https://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/ v1 approach: https://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/ | 2025-09-23 | not yet calculated | CVE-2025-39886 | https://git.kernel.org/stable/c/449682e76f32601f211816d3e2100bed87e67a4c https://git.kernel.org/stable/c/cd1fd26bb13473c1734e3026b2b97025a0a4087b https://git.kernel.org/stable/c/ac70cd446f83ccb25532b343919ab86eacdcd06a https://git.kernel.org/stable/c/6d78b4473cdb08b74662355a9e8510bde09c511e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() A crash was observed with the following output: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary) RIP: 0010:bitmap_parselist+0x53/0x3e0 Call Trace: <TASK> osnoise_cpus_write+0x7a/0x190 vfs_write+0xf8/0x410 ? do_sys_openat2+0x88/0xd0 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This issue can be reproduced by the code below: fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY); write(fd, "0-2", 0); When a user passes 'count=0' to osnoise_cpus_write(), kmalloc() will return ZERO_SIZE_PTR (16) and cpulist_parse() treats it as a normal value, which triggers the null pointer dereference. Add a check for the parameter 'count'. | 2025-09-23 | not yet calculated | CVE-2025-39887 | https://git.kernel.org/stable/c/e33228a2cc7ff706ca88533464e8a3b525b961ed https://git.kernel.org/stable/c/c1628c00c4351dd0727ef7f670694f68d9e663d8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: Block access to folio overlimit syz reported a slab-out-of-bounds Write in fuse_dev_do_write. When the number of bytes to be retrieved is truncated to the upper limit by fc->max_pages and there is an offset, the oob is triggered. Add a loop termination condition to prevent overruns. | 2025-09-23 | not yet calculated | CVE-2025-39888 | https://git.kernel.org/stable/c/623719227b114d73a2cee45f1b343ced63ce09ec https://git.kernel.org/stable/c/9d81ba6d49a7457784f0b6a71046818b86ec7e44 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Check encryption key size on incoming connection This is required for passing GAP/SEC/SEM/BI-04-C PTS test case: Security Mode 4 Level 4, Responder - Invalid Encryption Key Size - 128 bit This tests the security key with size from 1 to 15 bytes while the Security Mode 4 Level 4 requests 16 bytes key size. Currently PTS fails with the following logs: - expected:Connection Response: Code: [3 (0x03)] Code Identifier: (lt)WildCard: Exists(gt) Length: [8 (0x0008)] Destination CID: (lt)WildCard: Exists(gt) Source CID: [64 (0x0040)] Result: [3 (0x0003)] Connection refused - Security block Status: (lt)WildCard: Exists(gt), but received:Connection Response: Code: [3 (0x03)] Code Identifier: [1 (0x01)] Length: [8 (0x0008)] Destination CID: [64 (0x0040)] Source CID: [64 (0x0040)] Result: [0 (0x0000)] Connection Successful Status: [0 (0x0000)] No further information available And HCI logs: < HCI Command: Read Encrypti.. (0x05|0x0008) plen 2 Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.) > HCI Event: Command Complete (0x0e) plen 7 Read Encryption Key Size (0x05|0x0008) ncmd 1 Status: Success (0x00) Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.) Key size: 7 > ACL Data RX: Handle 14 flags 0x02 dlen 12 L2CAP: Connection Request (0x02) ident 1 len 4 PSM: 4097 (0x1001) Source CID: 64 < ACL Data TX: Handle 14 flags 0x00 dlen 16 L2CAP: Connection Response (0x03) ident 1 len 8 Destination CID: 64 Source CID: 64 Result: Connection successful (0x0000) Status: No further information available (0x0000) | 2025-09-24 | not yet calculated | CVE-2025-39889 | https://git.kernel.org/stable/c/24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f https://git.kernel.org/stable/c/c6d527bbd3d3896375079f5dbc8b7f96734a3ba5 https://git.kernel.org/stable/c/9e3114958d87ea88383cbbf38c89e04b8ea1bce5 https://git.kernel.org/stable/c/d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6 https://git.kernel.org/stable/c/d4ca2fd218caafbf50e3343ba1260c6a23b5676a https://git.kernel.org/stable/c/522e9ed157e3c21b4dd623c79967f72c21e45b78 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps is not freed in the failure case, causing a memory leak. The following trace is observed in kmemleak: unreferenced object 0xffff8b3eb5789c00 (size 1024): comm "softirq", pid 0, jiffies 4294942577 hex dump (first 32 bytes): 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{... 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8.. backtrace (crc 44e1c357): __kmalloc_noprof+0x30b/0x410 ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k] ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k] ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k] ath12k_ce_recv_process_cb+0x218/0x300 [ath12k] ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k] process_one_work+0x219/0x680 bh_worker+0x198/0x1f0 tasklet_action+0x13/0x30 handle_softirqs+0xca/0x460 __irq_exit_rcu+0xbe/0x110 irq_exit_rcu+0x9/0x30 Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-09-24 | not yet calculated | CVE-2025-39890 | https://git.kernel.org/stable/c/99dbad1b01d3b2f361a9db55c1af1212be497a3d https://git.kernel.org/stable/c/3a392f874ac83a77ad0e53eb8aafdbeb787c9298 https://git.kernel.org/stable/c/1089f65b2de78c7837ef6b4f26146a5a5b0b9749 https://git.kernel.org/stable/c/89142d34d5602c7447827beb181fa06eb08b9d5c |
| Nedatec Consulting--Prevengos | SQL injection vulnerability in Prevengos v2.44 by Nedatec Consulting. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameters "mpsCentroin", "mpsEmpresa", "mpsProyecto", and "mpsContrata" in "/servicios/autorizaciones.asmx/mfsRecuperarListado". | 2025-09-25 | not yet calculated | CVE-2025-40698 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-prevengos-nedatec-consulting |
| Ericsson--Indoor Connect 8855 | Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can lead to loss of integrity and confidentiality, as well as unauthorized disclosure and modification of user and configuration data. It may also be possible to execute commands with escalated privileges, impact service availability, as well as modify system files and configuration data. | 2025-09-25 | not yet calculated | CVE-2025-40836 | https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25 |
| Ericsson--Indoor Connect 8855 | Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended. | 2025-09-25 | not yet calculated | CVE-2025-40837 | https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25 |
| Ericsson--Indoor Connect 8855 | Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of user accounts. | 2025-09-25 | not yet calculated | CVE-2025-40838 | https://www.ericsson.com/en/about-us/security/psirt/e2025-09-25 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser. | 2025-09-24 | not yet calculated | CVE-2025-43779 | https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43779 |
| Liferay--Portal | Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows remote authenticated users to access the exported data via the REST APIs. | 2025-09-22 | not yet calculated | CVE-2025-43806 | https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43806 |
| Liferay--Portal | Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a publication's "Name" text field. | 2025-09-22 | not yet calculated | CVE-2025-43807 | https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43807 |
| Liferay--Portal | Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. | 2025-09-22 | not yet calculated | CVE-2025-43810 | https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43810 |
| Liferay--Portal | In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions, the audit events record a user's password reminder answer, which allows remote authenticated users to obtain a user's password reminder answer via the audit events. | 2025-09-22 | not yet calculated | CVE-2025-43814 | https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43814 |
| Liferay--Portal | A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows an attacker to cause server unavailability (denial of service) via repeatedly calling the API endpoint. | 2025-09-25 | not yet calculated | CVE-2025-43816 | https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43816 |
| Liferay--Portal | An Insufficient Session Expiration vulnerability in Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 allows a remote non-authenticated attacker to reuse an old user session via the SLO API. | 2025-09-24 | not yet calculated | CVE-2025-43819 | https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43819 |
| https://2wcom[.]com -- IP-4c 2.16 | In 2wcom IP-4c 2.16, the web interface allows admin and manager users to execute arbitrary code as root via a ping or traceroute field on the TCP/IP screen. | 2025-09-22 | not yet calculated | CVE-2025-43953 | https://2wcom.com https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-43953 |
| pocketvj[.]com -- pocketvj-cp-v3 | An issue in PocketVJ CP PocketVJ-CP-v3 pvj 3.9.1 allows remote attackers to execute arbitrary code via the submit_size.php component. | 2025-09-23 | not yet calculated | CVE-2025-45326 | https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release https://gist.github.com/mamdouhalrekabi-ops/3e230eb973101aa6ac7003427a723e29 |
| RTI--Connext Professional | Buffer Over-read, Off-by-one Error vulnerability in RTI Connext Professional (Core Libraries) allows File Manipulation. This issue affects Connext Professional: from 7.4.0 before 7.6.0, from 7.0.0 before 7.3.0.8, from 6.1.0 before 6.1.2.26, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.4a before 5.2.*. | 2025-09-23 | not yet calculated | CVE-2025-4582 | https://www.rti.com/vulnerabilities/#cve-2025-4582 |
| Arandasoft[.]com – PassRecovery v1.0 | An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1. | 2025-09-26 | not yet calculated | CVE-2025-45994 | https://github.com/spoNge369/CVE/blob/main/CVE-2025-45994/README.md https://arandasoft.com/en/productos/password-recovery/ |
| PyTorch[.]org – PyTorch v2.6.0 and below | In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results. | 2025-09-25 | not yet calculated | CVE-2025-46148 | https://github.com/pytorch/pytorch/issues/151198 https://gist.github.com/shaoyuyoung/65a587a579dfdff887b9b35bb79b9093 https://github.com/pytorch/pytorch/pull/152993 https://gist.github.com/shaoyuyoung/4bcefba4004f8271e64b5185c95a248a |
| PyTorch[.]org – PyTorch v2.6.0 and below | In PyTorch before 2.7.0, when inductor is used, nn.Fold has an assertion error. | 2025-09-25 | not yet calculated | CVE-2025-46149 | https://github.com/pytorch/pytorch/issues/147848 https://github.com/pytorch/pytorch/pull/147961 https://gist.github.com/shaoyuyoung/4bcefba4004f8271e64b5185c95a248a |
| PyTorch[.]org – PyTorch v2.6.0 and below | In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results. | 2025-09-25 | not yet calculated | CVE-2025-46150 | https://github.com/pytorch/pytorch/issues/141538 https://github.com/pytorch/pytorch/issues/141538#issuecomment-2537424658 https://github.com/pytorch/pytorch/pull/144395 https://gist.github.com/shaoyuyoung/4bcefba4004f8271e64b5185c95a248a |
| PyTorch[.]org – PyTorch v2.6.0 and below | In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument. | 2025-09-25 | not yet calculated | CVE-2025-46152 | https://github.com/pytorch/pytorch/issues/143555 https://github.com/pytorch/pytorch/pull/143635 https://gist.github.com/shaoyuyoung/4bcefba4004f8271e64b5185c95a248a |
| PyTorch[.]org – PyTorch v3.7.0 and below | PyTorch before 3.7.0 has a bernoulli_p decompose function in decompositions.py even though it lacks full consistency with the eager CPU implementation, negatively affecting nn.Dropout1d, nn.Dropout2d, and nn.Dropout3d for fallback_random=True. | 2025-09-25 | not yet calculated | CVE-2025-46153 | https://github.com/pytorch/pytorch/issues/142853 https://github.com/pytorch/pytorch/pull/143460 https://gist.github.com/shaoyuyoung/e636f2e7a306105b7e96809e2b85c28a https://github.com/pytorch/pytorch/compare/v2.6.0...v2.7.0 https://gist.github.com/shaoyuyoung/4bcefba4004f8271e64b5185c95a248a |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger NULL pointer dereference kernel exceptions. | 2025-09-22 | not yet calculated | CVE-2025-46711 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Go standard library--net/http | When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections. | 2025-09-22 | not yet calculated | CVE-2025-47910 | https://go.dev/cl/699275 https://go.dev/issue/75054 https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ https://pkg.go.dev/vuln/GO-2025-3955 |
| Apache Software Foundation--Apache IoTDB | A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue. | 2025-09-24 | not yet calculated | CVE-2025-48392 | https://lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td |
| Apache Software Foundation--Apache IoTDB | Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue. | 2025-09-24 | not yet calculated | CVE-2025-48459 | https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f |
| Stormshield Network Security – SNS and FW before 5.0.1 | An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing. | 2025-09-25 | not yet calculated | CVE-2025-48707 | https://advisories.stormshield.eu/2025-003/ |
| RTI--Connext Professional | Untrusted Pointer Dereference vulnerability in RTI Connext Professional (Core Libraries) allows Pointer Manipulation. This issue affects Connext Professional: from 7.4.0 before 7.6.0, from 7.0.0 before 7.3.0.10, from 6.1.0 before 6.1.2.27, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.4a before 5.2.*. | 2025-09-23 | not yet calculated | CVE-2025-4993 | https://www.rti.com/vulnerabilities/#cve-2025-4993 |
| Ubuntu 22.04.4 LTS -- tcpreplay-4.5.1 | A heap-buffer-overflow vulnerability exists in the tcpliveplay utility of the tcpreplay-4.5.1. When a crafted pcap file is processed, the program incorrectly handles memory in the checksum calculation logic at do_checksum_math_liveplay in tcpliveplay.c, leading to a possible denial of service. | 2025-09-23 | not yet calculated | CVE-2025-51005 | https://github.com/appneta/tcpreplay/issues/925 https://github.com/sy460129/CVE-2025-51005 |
| Ubuntu 22.04.4 LTS -- tcpreplay-4.5.1 | Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c. This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes the cleanup routine multiple times on the same memory region. By supplying a specifically crafted pcap file to the tcprewrite binary, a local attacker can exploit this flaw to cause a Denial of Service (DoS) via memory corruption. | 2025-09-22 | not yet calculated | CVE-2025-51006 | https://github.com/appneta/tcpreplay/issues/926 https://github.com/sy460129/CVE-2025-51006 |
| Pivotx[.]com – CMS v3.0.0 | Cross Site Scripting vulnerability in PivotX CMS v.3.0.0 RC 3 allows a remote attacker to execute arbitrary code via the subtitle field. | 2025-09-22 | not yet calculated | CVE-2025-52367 | http://pivotx.com https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3 |
| TOTOLINK--X6000R | Improper Input Validation vulnerability in TOTOLINK X6000R allows Flooding. This issue affects X6000R: through V9.4.0cu.1360_B20241207. | 2025-09-23 | not yet calculated | CVE-2025-52905 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0001/PANW-2025-0001.md |
| TOTOLINK--X6000R | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1360_B20241207. | 2025-09-24 | not yet calculated | CVE-2025-52906 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0002/PANW-2025-0002.md |
| TOTOLINK--X6000R | Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation. This issue affects X6000R: through V9.4.0cu.1360_B20241207. | 2025-09-24 | not yet calculated | CVE-2025-52907 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0003/PANW-2025-0003.md |
| AMD--Kintex 7-Series FPGA | Improper Protection Against Voltage and Clock Glitches in FPGA devices could allow an attacker with physical access to undervolt the platform, resulting in a loss of confidentiality. | 2025-09-24 | not yet calculated | CVE-2025-54520 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8018.html |
| Apache Software Foundation--Apache Airflow | Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option. This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior. Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4. | 2025-09-26 | not yet calculated | CVE-2025-54831 | https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf |
| Meta Platforms, Inc--Llama Stack | Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function which could potentially allow for remote code execution. | 2025-09-24 | not yet calculated | CVE-2025-55178 | https://www.facebook.com/security/advisories/cve-2025-55178 https://github.com/llamastack/llama-stack/pull/3281 https://github.com/llamastack/llama-stack/releases/tag/v0.2.20 |
| Drivelock[.]com – Drivelock v24.1.5, 24.2.5, 25.2.6, 25.1.2, 25.1.4 | In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges. | 2025-09-26 | not yet calculated | CVE-2025-55187 | https://drivelock.help/versions/2025_1/web/en/releasenotes/Content/ReleaseNotes_DriveLock/NewRelease/Aenderungen_Patch2.htm https://drivelock.help/versions/2025_1/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-001-RemotePriviledge.htm https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-001-RemotePriviledge.htm |
| PyTorch[.]org – PyTorch v2.8.0 | An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation. | 2025-09-25 | not yet calculated | CVE-2025-55551 | https://github.com/pytorch/pytorch/issues/151401 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| PyTorch[.]org – PyTorch v2.8.0 | pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together. | 2025-09-25 | not yet calculated | CVE-2025-55552 | https://github.com/pytorch/pytorch/issues/147847 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| PyTorch[.]org – PyTorch v2.7.0 | A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS). | 2025-09-25 | not yet calculated | CVE-2025-55553 | https://github.com/pytorch/pytorch/issues/151432 https://github.com/pytorch/pytorch/pull/154645 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| PyTorch[.]org – PyTorch v2.8.0 | pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long(). | 2025-09-25 | not yet calculated | CVE-2025-55554 | https://github.com/pytorch/pytorch/issues/151510 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| TensorFlow[.]org -- TensorFlow v2.18.0 | TensorFlow v2.18.0 was discovered to output random results when compiling Embedding, leading to unexpected behavior in the application. | 2025-09-25 | not yet calculated | CVE-2025-55556 | https://github.com/tensorflow/tensorflow/issues/82317 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| PyTorch[.]org – PyTorch v2.7.0 | A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS). | 2025-09-25 | not yet calculated | CVE-2025-55557 | https://github.com/pytorch/pytorch/issues/151738 https://github.com/pytorch/pytorch/pull/151931 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| PyTorch[.]org – PyTorch v2.7.0 | A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a Denial of Service (DoS). | 2025-09-25 | not yet calculated | CVE-2025-55558 | https://github.com/pytorch/pytorch/issues/151523 https://github.com/pytorch/pytorch/pull/151887 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| TensorFlow[.]org -- TensorFlow v2.18.0 | An issue was discovered in TensorFlow v2.18.0. A Denial of Service (DoS) occurs when padding is set to 'valid' in tf.keras.layers.Conv2D. | 2025-09-25 | not yet calculated | CVE-2025-55559 | https://github.com/tensorflow/tensorflow/issues/84205 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| PyTorch[.]org – PyTorch v2.7.0 | An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor. | 2025-09-25 | not yet calculated | CVE-2025-55560 | https://github.com/pytorch/pytorch/issues/151522 https://github.com/pytorch/pytorch/pull/151897 https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc |
| MUPDF[.]com -- MuPDF 1.26.4 EPUB Rendering | A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain. | 2025-09-23 | not yet calculated | CVE-2025-55780 | https://bugs.ghostscript.com/show_bug.cgi?id=708720 https://github.com/ISH2YU/CVE-2025-55780/tree/main https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5 |
| Wavlink[.]com -- M86X3A_V240730 | Wavlink M86X3A_V240730 contains a buffer overflow vulnerability in the /cgi-bin/ExportAllSettings.cgi file. The vulnerability arises because the Cookie parameter does not properly validate the length of input data. Attackers can exploit this to execute arbitrary code or cause a denial of service (DoS) on the system. | 2025-09-26 | not yet calculated | CVE-2025-55847 | https://github.com/meigui637/iot_zone/blob/main/%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E.md |
| DLink – DIR-823 firmware 20250416 | An issue was discovered in DIR-823 firmware 20250416. There is an RCE vulnerability in the set_cassword settings interface, as the http_casswd parameter is not filtered by '&' to allow injection of reverse connection commands. | 2025-09-26 | not yet calculated | CVE-2025-55848 | https://www.dlink.com/en/security-bulletin/ https://github.com/meigui637/iot_zone/blob/main/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md |
| Alpes[.]com -- ARD GEC before v.2025-04-23 | SQL Injection vulnerability in Alpes Recherche et Developpement ARD GEC en Lign before v.2025-04-23 allows a remote attacker to escalate privileges via the GET parameters in index.php. | 2025-09-22 | not yet calculated | CVE-2025-55885 | http://alpes.com http://ard.com https://services.ard.fr/index.php https://github.com/0xZeroSec/CVE-2025-55885 |
| n/a – ARD Insecure Direct Object Reference (IDOR) | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ARD. The flaw exists in the `fe_uid` parameter of the payment history API endpoint. An authenticated attacker can manipulate this parameter to access the payment history of other users without authorization. | 2025-09-22 | not yet calculated | CVE-2025-55886 | https://services.ard.fr https://github.com/0xZeroSec/CVE-2025-55886 |
| n/a--ARD Insecure Direct Object Reference (IDOR) | A Cross-Site Scripting (XSS) vulnerability was discovered in the meal reservation service ARD. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that is executed in the context of a user's browser. This can lead to session hijacking, theft of cookies, and other malicious actions performed on behalf of the victim. | 2025-09-22 | not yet calculated | CVE-2025-55887 | http://alpes.com http://ard.com https://services.ard.fr/index.php https://github.com/0xZeroSec/CVE-2025-55887 |
| n/a--ARD Ajax transaction manager | A Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD. An attacker can intercept the Ajax response and inject malicious JavaScript into the accountName field. This input is not properly sanitized or encoded when rendered, allowing script execution in the context of users' browsers. This flaw could lead to session hijacking, cookie theft, and other malicious actions. | 2025-09-22 | not yet calculated | CVE-2025-55888 | http://alpes.com http://ard.com https://services.ard.fr/?eID=tx_afereload_ajax_transactionmanager https://github.com/0xZeroSec/CVE-2025-55888 |
| PHPGurukul[.]com -- PHPGurukul Park Ticketing Management System v2.0 | A SQL Injection vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary SQL code via the fromdate parameter in a POST request. | 2025-09-22 | not yet calculated | CVE-2025-56074 | https://github.com/baixiaobi/Park/blob/main/foreigner-bwdates-reports-details.php%20SQL%20Injection.md |
| PHPGurukul[.]com -- PHPGurukul Park Ticketing Management System v2.0 | A SQL Injection vulnerability was discovered in the normal-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary SQL code via the fromdate parameter in a POST request. | 2025-09-22 | not yet calculated | CVE-2025-56075 | https://github.com/baixiaobi/Park/blob/main/normal-bwdates-reports-details.php%20SQL%20%20Injection.md |
| Indian Bank IndSMART -- IndSMART Android App 3.8.1 | Indian Bank IndSMART Android App 3.8.1 is vulnerable to Missing SSL Certificate Validation in NuWebViewActivity. | 2025-09-23 | not yet calculated | CVE-2025-56146 | https://medium.com/@parvbajaj2000/cve-2025-56146-missing-ssl-certificate-validation-in-indian-bank-indsmart-android-app-9db200ac1c69 |
| Router-network[.]com -- Aztech DSL5005EN firmware 1.00.AZ_2013-05-10 | Aztech DSL5005EN firmware 1.00.AZ_2013-05-10 and possibly other versions allows unauthenticated attackers to change the administrator password via a crafted POST request to sysAccess.asp. This allows full administrative control of the router without authentication. | 2025-09-24 | not yet calculated | CVE-2025-56241 | https://www.exploit-db.com/exploits/52093 https://github.com/amirhosseinjamshidi64/Aztech-POC https://gist.github.com/amirhosseinjamshidi64/cca123a0dda5a17f3708ffc2dd2a7a45 |
| YzmCMS[.]com -- YzmCMS thru 7.3 | Cross-site scripting (XSS) vulnerability in YzmCMS thru 7.3 via the referer header in the register page. | 2025-09-23 | not yet calculated | CVE-2025-56304 | http://yzmcms.com https://www.yzmcms.com/ https://gitee.com/cyjsyj/cve/wikis/CVE-2025-56304?sort_id=14635721 |
| Shenzhen C-Data Technology Co. -- FD602GW-DX-R410 | In Shenzhen C-Data Technology Co. FD602GW-DX-R410 (firmware v2.2.14), the web management interface contains an authenticated CSRF vulnerability on the reboot endpoint (/boaform/admin/formReboot). An attacker can craft a malicious webpage that, when visited by an authenticated administrator, causes the router to reboot without explicit user consent. This lack of CSRF protection on a sensitive administrative function can lead to denial of service by disrupting network availability. | 2025-09-23 | not yet calculated | CVE-2025-56311 | https://github.com/wrathfulDiety/fd602gw-dx-r410-csrf-advisory https://github.com/wrathfulDiety/CVE-2025-56311 |
| Notepad-plus-plus[.]org -- Notepad++ v8.8.3 | Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. | 2025-09-26 | not yet calculated | CVE-2025-56383 | https://github.com/notepad-plus-plus/notepad-plus-plus https://github.com/zer0t0/CVE-2025-56383-Proof-of-Concept |
| Ubuntu 22.04.3 LTS -- free5GC Version: 4.0.1 | Free5gc 4.0.1 is vulnerable to Buffer Overflow. The AMF incorrectly validates the 5GS mobile identity, resulting in slice reference overflow. | 2025-09-23 | not yet calculated | CVE-2025-56394 | https://github.com/free5gc/free5gc/issues/690 https://gist.github.com/DDGod2025/532691e3e2db9b47c67c3d153c026e62 |
| mercusys[.]com -- DMW305R(EU)_V3.30_1.11.2 Build 241223 | Mercusys MW305R 3.30 and below has a Transport Layer Security (TLS) certificate private key disclosure. | 2025-09-26 | not yet calculated | CVE-2025-56463 | https://packetstormsecurity.com https://github.com/MatJosephs/CVEs/tree/main/CVE-2025-56463 |
| chinabugotech -- chinabugotech hutool before 5.8. | An issue was discovered in chinabugotech hutool before 5.8.4 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class. | 2025-09-25 | not yet calculated | CVE-2025-56769 | https://github.com/chinabugotech/hutool/issues/3994 |
| n/a -- Datart 1.0.0-rc.3 | Datart 1.0.0-rc.3 is vulnerable to Directory Traversal in the POST /viz/image interface, since the server directly uses MultipartFile.transferTo() to save the uploaded file to a path controllable by the user, and lacks strict verification of the file name. | 2025-09-24 | not yet calculated | CVE-2025-56815 | https://github.com/running-elephant/datart/tags https://github.com/xiaoxiaoranxxx/CVE-2025-56815 |
| n/a -- Datart 1.0.0-rc.3 | Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. The configuration file handling of the application allows attackers to upload arbitrary YAML files to the config/jdbc-driver-ext.yml path. The application parses this file using SnakeYAML's unsafe load() or loadAs() method without input sanitization. This allows deserialization of attacker-controlled YAML content, leading to arbitrary class instantiation. Under certain conditions, this can be exploited to achieve remote code execution (RCE). | 2025-09-24 | not yet calculated | CVE-2025-56816 | https://github.com/running-elephant/datart https://github.com/xiaoxiaoranxxx/CVE-2025-56815 |
| n/a -- Datart 1.0.0-rc.3 | An issue in Datart v.1.0.0-rc.3 allows a remote attacker to execute arbitrary code via the INIT connection parameter. | 2025-09-24 | not yet calculated | CVE-2025-56819 | https://h2database.com/html/features.html#runscript https://github.com/h2database/h2database https://github.com/xyyzxc/CVE-2025-56819 |
| MagicProject AI – MagicProject v9.19.1 | MagicProject AI version 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability within the chatbot generation feature available to authenticated admin users. The vulnerability resides in the prompt parameter submitted to the /dashboard/user/generator/generate-stream endpoint via a multipart/form-data POST request. Due to insufficient input sanitization, attackers can inject HTML-based JavaScript payloads. This payload is stored and rendered unsanitized in subsequent views, leading to execution in other users' browsers when they access affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not implement a Content Security Policy (CSP) or adequate input filtering to prevent such attacks. A fix should include proper sanitization, output encoding, and strong CSP enforcement to mitigate exploitation. | 2025-09-22 | not yet calculated | CVE-2025-57203 | https://codecanyon.net/item/magicai-openai-content-text-image-chat-code-generator-as-saas/45408109 |
| Codecanyon[.]net – POS w/ Inventory Mgt & HRM v5 | Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 is affected by a Stored Cross-Site Scripting (XSS) vulnerability within the Products module available to authenticated users. The vulnerability resides in the product name parameter submitted to the product-creation endpoint via a standard POST form. Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is stored and subsequently rendered unsanitized in downstream views, leading to JavaScript execution in other users' browsers when they access the affected product pages. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially enabling session hijacking, privilege escalation within the application, data exfiltration, or administrative account takeover. The application also lacks a restrictive Content Security Policy (CSP), increasing exploitability. | 2025-09-22 | not yet calculated | CVE-2025-57204 | https://codecanyon.net/item/stockyultimate-inventory-management-system-with-pos/31445124 https://grumpz.net/cve-2025-57204-stored-xss-in-stocky-pos-with-inventory-management-and-hrm-ui-lib-50 |
| Codecanyon[.]net -- iNiLabs School Express (SMS Express) 6.2 | iNiLabs School Express (SMS Express) 6.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the content-management features available to authenticated admin users. The vulnerability resides in POSTed editor parameters submitted to the /posts/edit/{id} endpoint (and similarly in Notice and Pages editors). Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is saved and later rendered unsanitized, resulting in JavaScript execution in other users' browsers when they access the affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not enforce a restrictive Content Security Policy (CSP) or adequate filtering to prevent such attacks. | 2025-09-22 | not yet calculated | CVE-2025-57205 | https://codecanyon.net/item/inilabs-school-management-system-express/11630340 https://grumpz.net/cve-2025-57205-stored-xss-in-inilabs-school-express-62-sms-express |
| Todoist[.]com -- Todoist v8484 | Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata. | 2025-09-26 | not yet calculated | CVE-2025-57292 | https://github.com/echoBRT/TodoistStoredXSS https://github.com/ASencerK/TodoistStoredXSS |
| npmjs[.]com -- apidoc-core package version 0.15.0 | apidoc-core is the core parser library to generate apidoc result following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess function of apidoc-core versions thru 0.15.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-25 | not yet calculated | CVE-2025-57317 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/apidoc-core%400.15.0/index.js https://github.com/OrangeShieldInfos/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57317 |
| n/a -- Prototype Pollution toCsv function of csvjson thru 5.1.0 | A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57318 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/csvjson%405.1.0/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57318 |
| n/a -- Prototype Pollution nestedRestore function of fast-redact 3.5.0 | fast-redact is a package that provides very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. NOTE: the Supplier disputes this because the reporter only demonstrated access to properties by an internal utility function, and there is no means for achieving prototype pollution via the public API. | 2025-09-24 | not yet calculated | CVE-2025-57319 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/fast-redact%403.5.0/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57319 https://github.com/davidmarkclements/fast-redact/issues/75 |
| n/a -- json-schema-editor-visual thru 1.1.1 | json-schema-editor-visual is a package that provides a jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData functions of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57320 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/json-schema-editor-visual%401.1.1/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57320 |
| n/a -- magix-combine-ex versions thru 1.2.10 | A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57321 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321 |
| n/a -- mpregular version 0.2.0 | mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEventHandler function of mpregular version 0.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57323 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/mpregular%400.2.0/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57323 |
| n/a -- SingleInstanceStateController.initializeState function 5.3.0 | parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57324 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/parse%405.3.0/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57324 |
| n/a -- rollbar v2.26.4 | rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57325 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/rollbar%402.26.4/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57325 |
| n/a -- sassdoc-extras v2.5.1 | A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57326 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/sassdoc-extras%402.5.1/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57326 |
| n/a -- spmrc version 1.2.0 | spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config function of spmrc version 1.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57327 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/spmrc%401.2.0/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57327 |
| n/a -- toggle-array v1.0.1 | toggle-array is a package designed to enable a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable functions of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57328 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/toggle-array%401.0.1/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57328 |
| npmjs[.]com -- web3-core-method version 1.10.4 | web3-core-method is a package designed to create the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject function of web3-core-method version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57329 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/web3-core-method%401.10.4/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57329 |
| npmjs[.]com -- web3-core-method version 1.10.4 | web3-core-subscriptions is a package designed to manage web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | 2025-09-24 | not yet calculated | CVE-2025-57330 | https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/web3-core-subscriptions%401.10.4/index.js https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57330 |
| npmjs[.]com -- 'dagre-d3-es' Node.js package version 7.0.9 | A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure. | 2025-09-24 | not yet calculated | CVE-2025-57347 | https://github.com/tbo47/dagre-es/issues/52 https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57347 |
| n/a -- node-cube package (prior to version 5.0.0) | The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package's resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date. | 2025-09-24 | not yet calculated | CVE-2025-57348 | https://github.com/node-cube/cube/issues/153 https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57348 |
| n/a -- MessageFormat 2 specification for JavaScript | The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component. | 2025-09-24 | not yet calculated | CVE-2025-57349 | https://github.com/messageformat/messageformat/issues/452 |
| n/a -- csvtojson package prior to 2.0.10 | The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file. | 2025-09-24 | not yet calculated | CVE-2025-57350 | https://github.com/Keyang/node-csvtojson/issues/498 https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57350 |
| n/a -- ts-fns package prior to 13.0.7 | A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties into the global object's prototype, potentially leading to application crashes, unexpected code execution behaviors, or bypasses of security-critical validation logic dependent on prototype integrity. The vulnerability stems from improper handling of deep property assignment operations within the library's public API functions. This issue remains unaddressed in the latest available version. | 2025-09-24 | not yet calculated | CVE-2025-57351 | https://github.com/tangshuang/ts-fns/issues/36 https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57351 |
| n/a -- min-document prior to 2.19.0 | A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version. | 2025-09-24 | not yet calculated | CVE-2025-57352 | https://github.com/Raynos/min-document/issues/54 https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57352 |
| n/a -- messageformat package for Node.js prior to v3.0.1 | The Runtime components of messageformat package for Node.js prior to version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. This issue remains unaddressed in the latest available version. | 2025-09-24 | not yet calculated | CVE-2025-57353 | https://github.com/messageformat/messageformat/issues/453 https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57353 |
| n/a -- 'counterpart' library for Node.js prior to 0.18.6 | A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., __proto__ ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library's failure to properly validate or neutralize special characters in translation key inputs before processing. | 2025-09-24 | not yet calculated | CVE-2025-57354 | https://github.com/martinandert/counterpart/issues/54 https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57354 |
| n/a -- Admin Log Viewer of S-Cart prior to 10.0.3 | A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header. The script is executed in an administrator's browser when they view the security log page, which could lead to session hijacking or other malicious actions. | 2025-09-23 | not yet calculated | CVE-2025-57407 | https://github.com/s-cart/core/blob/7c9aa42761be5fd0131c61dbe2b5323beb96d5dd/src/Admin/Controllers/AdminLogController.php https://github.com/gp247net/core/releases/tag/1.1.24 |
| creacast[.]com -- Creacast Creabox Manager 4.4.4 | Creacast Creabox Manager 4.4.4 exposes sensitive configuration data via a publicly accessible endpoint /get. When accessed, this endpoint returns internal configuration including the creacodec.lua file, which contains plaintext admin credentials. | 2025-09-22 | not yet calculated | CVE-2025-57430 | http://www.creacast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57430 |
| sound4[.]com -- Sound4 PULSE-ECO AES67 v1.22 | The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | 2025-09-22 | not yet calculated | CVE-2025-57431 | https://www.sound4.com https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57431 |
| blackmagicdesign[.]com -- Blackmagic Web Presenter version 3.3 | Blackmagic Web Presenter version 3.3 exposes a Telnet service on port 9977 that accepts unauthenticated commands. This service allows remote attackers to manipulate stream settings, including changing video modes and possibly altering device functionality. No credentials or authentication mechanisms are required to interact with the Telnet interface. | 2025-09-22 | not yet calculated | CVE-2025-57432 | https://www.blackmagicdesign.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57432 |
| 2wcom[.]com -- IP-4c 2.15.5 | The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php), an authenticated attacker (even with a low-privileged account like guest) can retrieve the hashed passwords for the admin, manager, and guest accounts. This significantly weakens the system's security posture, as these hashes could be cracked offline, granting attackers administrative access to the device. | 2025-09-22 | not yet calculated | CVE-2025-57433 | https://www.2wcom.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57433 |
| creacast[.]com -- Creacast Creabox Manager v4.4.4 | Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | 2025-09-22 | not yet calculated | CVE-2025-57434 | http://www.creacast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57434 |
| blackmagicdesign[.]com -- Blackmagic Web Presenter version 3.3 | The Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive information via an unauthenticated Telnet service on port 9977. When connected, the service reveals extensive device configuration data including: - Model, version, and unique identifiers - Network settings including IP, MAC, DNS - Current stream platform, stream key, and streaming URL - Audio/video configuration This data can be used to hijack live streams or perform network reconnaissance. | 2025-09-22 | not yet calculated | CVE-2025-57437 | https://www.blackmagicdesign.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57437 |
| 2wcom[.]com -- IP-4c 2.15.5 | The 2wcom IP-4c 2.15.5 device suffers from a Broken Access Control vulnerability. Certain sensitive endpoints are intended to be accessible only after the admin explicitly grants access to a manager-level account. However, a manager-level user can bypass these controls by intercepting and modifying requests. | 2025-09-22 | not yet calculated | CVE-2025-57438 | https://www.2wcom.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57438 |
| creacast[.]com -- Creacast Creabox Manager v4.4.4 | Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. An authenticated attacker can inject arbitrary Lua code into the configuration, which is then executed on the server. This allows full system compromise, including reverse shell execution or arbitrary command execution. | 2025-09-22 | not yet calculated | CVE-2025-57439 | http://www.creacast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57439 |
| blackmagicdesign[.]com -- Blackmagic ATEM Mini Pro 2.7 | The Blackmagic ATEM Mini Pro 2.7 exposes an undocumented Telnet service on TCP port 9993, which accepts unauthenticated plaintext commands for controlling streaming, recording, formatting storage devices, and system reboot. This interface, referred to as the "ATEM Ethernet Protocol 1.0", provides complete device control without requiring credentials or encryption. An attacker on the same network (or with remote access to the exposed port) can exploit this interface to execute arbitrary streaming commands, erase disks, or shut down the device - effectively gaining full remote control. | 2025-09-22 | not yet calculated | CVE-2025-57440 | https://www.blackmagicdesign.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57440 |
| blackmagicdesign[.]com -- Blackmagic ATEM Mini Pro 2.7 | The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol preamble that leaks the video mode, routing configuration, input/output labels, device model, and even internal identifiers such as the unique ID. This can be used for reconnaissance and planning further attacks. | 2025-09-22 | not yet calculated | CVE-2025-57441 | https://www.blackmagicdesign.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57441 |
| lf-o-ran-sc.atlassian[.]net/browse/RIC-1073 -- ric-plt-submgr | An issue in O-RAN Near Realtime RIC ric-plt-submgr in the J-Release environment, allows remote attackers to cause a denial of service (DoS) via a crafted request to the Subscription Manager API component. | 2025-09-25 | not yet calculated | CVE-2025-57446 | https://lf-o-ran-sc.atlassian.net/browse/RIC-1073 https://github.com/ting1197/vulnerability-research/tree/main/CVE-2025-57446 |
| AiKaan Cloud Controller – n/a | AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static private key to the target device. The device then uses it to establish a reverse SSH tunnel to a remote access server, enabling browser-based SSH access for the administrator. Because the same `proxyuser` account and SSH key are reused across all customer environments: - An attacker who obtains the key (e.g., by intercepting it in transit, extracting it from the remote access server, or from a compromised admin account) can impersonate any managed device. - They can establish unauthorized reverse SSH tunnels and interact with devices without the owner's consent. This is a design flaw in the authentication model: compromise of a single key compromises the trust boundary between the controller and devices. | 2025-09-22 | not yet calculated | CVE-2025-57601 | https://github.com/Shubhangborkar/aikaan-vulnerabilities/blob/main/cve1-shared-ssh-key.md |
| AiKaan IoT Manager -- n/a | Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments. | 2025-09-22 | not yet calculated | CVE-2025-57602 | https://github.com/Shubhangborkar/aikaan-vulnerabilities/blob/main/cve2-proxyuser-shell.md |
| AiKaan IoT Manager -- n/a | Lack of server-side authorisation on department admin assignment APIs in AiKaan IoT Platform allows authenticated users to elevate their privileges by assigning themselves as admins of other departments. This results in unauthorized privilege escalation across the department. | 2025-09-22 | not yet calculated | CVE-2025-57605 | https://github.com/Shubhangborkar/aikaan-vulnerabilities/blob/main/cve5-department-switch.md |
| Totolink[.]net – N600R v4.3.0 | A NULL pointer dereference in TOTOLINK N600R firmware v4.3.0cu.7866_B2022506 allows attackers to cause a Denial of Service. | 2025-09-25 | not yet calculated | CVE-2025-57623 | https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/TOTOLink/CONTENT_LENGTH.md https://gist.github.com/z472421519/d17061ea79a72d39fe69c000fa1a6280 |
| n/a -- libsmb2 6.2 | libsmb2 6.2+ is vulnerable to Buffer Overflow. When processing SMB2 chained PDUs (NextCommand), libsmb2 repeatedly calls smb2_add_iovector() to append to a fixed-size iovec array without checking the upper bound of v->niov (SMB2_MAX_VECTORS=256). An attacker can craft responses with many chained PDUs to overflow v->niov and perform heap out-of-bounds writes, causing memory corruption, crashes, and potentially arbitrary code execution. The SMB2_OPLOCK_BREAK path bypasses message ID validation. | 2025-09-25 | not yet calculated | CVE-2025-57632 | https://github.com/sahlberg/libsmb2 https://github.com/sahlberg/libsmb2/blob/master/lib/compat.c#L569 https://gist.github.com/ZjW1nd/0b95b63307ceee7890e88e4abc6f041e |
| DLink – DI – 7100G Firmware C1 2020-02-21 | OS Command injection vulnerability in D-Link C1 2020-02-21. The sub_47F028 function in jhttpd contains a command injection vulnerability via the HTTP parameter "time". | 2025-09-23 | not yet calculated | CVE-2025-57636 | https://www.dlink.com/en/security-bulletin/ https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_1.md |
| DLink – DI – 7100G Firmware C1 2020-02-21 | Buffer overflow vulnerability in the sub_451754 function of the jhttpd service in D-Link DI-7100G 2020-02-21, via the viav4 parameter, allows attackers to cause a denial of service or execute arbitrary code. | 2025-09-23 | not yet calculated | CVE-2025-57637 | https://www.dlink.com/en/security-bulletin/ https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_2.md |
| Tenda – Tenda AC9 V1.0 | Buffer overflow vulnerability in Tenda AC9 1.0 via the user supplied sys.vendor configuration value. | 2025-09-23 | not yet calculated | CVE-2025-57638 | https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda1.md |
| Tenda – Tenda AC9 V1.0 | Tenda AC9 1.0 was discovered to contain an OS command injection vulnerability via the usb.samba.guest.user parameter in the formSetSambaConf function of the httpd file. | 2025-09-23 | not yet calculated | CVE-2025-57639 | https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda2.md |
| papermark[.]com -- Papermark 0.20.0 | Directory Traversal vulnerability in Papermark 0.20.0 and prior allows authenticated attackers to retrieve arbitrary files from an S3 bucket through its CloudFront distribution via the "POST /api/file/s3/get-presigned-get-url-proxy" API | 2025-09-22 | not yet calculated | CVE-2025-57682 | https://papermark.com/ https://github.com/mfts/papermark https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-57682 |
| b-link[.]net[.]cn -- BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, BL-LTE300_DA4 V1.2.3 models | The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models, are vulnerable to unauthorized command injection. Attackers can exploit this vulnerability by accessing the /goform/set_serial_cfg interface to gain the highest level of device privileges without authorization, enabling them to remotely execute malicious commands. | 2025-09-22 | not yet calculated | CVE-2025-57685 | https://www.b-link.net.cn/ http://bl-ac2100.com https://github.com/mono7s/LB-Link/blob/main/bs_SetSerial.md |
| n/a -- PiranhaCMS 12.0 | PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser. | 2025-09-26 | not yet calculated | CVE-2025-57692 | https://github.com/PiranhaCMS/piranha.core/releases/tag/v12.0 https://github.com/Saconyfx/security-advisories/blob/main/CVE-2025-57692/advisory.md |
| kata-containers--kata-containers | Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail IO operations to skip initdata verification. This allows an attacker to launch arbitrary workloads while being able to attest successfully to Trustee impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0. | 2025-09-23 | not yet calculated | CVE-2025-58354 | https://github.com/kata-containers/kata-containers/security/advisories/GHSA-989w-4xr2-ww9m https://github.com/kata-containers/kata-containers/commit/3e67f92e34be974e792c153add76e4e4baac9de0 |
| doxense[.]com -- DOXENSE WATCHDOC prior to 6.1.1.5332 | In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. | 2025-09-26 | not yet calculated | CVE-2025-58384 | https://update.doxense.com/ https://doc.doxense.com/Watchdoc/J_Securite/cve-2025-58384.htm |
| doxense[.]com -- DOXENSE WATCHDOC prior to 6.1.1.5332 | In DOXENSE WATCHDOC before 6.1.0.5094, private user puk codes can be disclosed for Active Directory registered users (there is hard-coded and predictable data). | 2025-09-26 | not yet calculated | CVE-2025-58385 | https://update.doxense.com/ https://doc.doxense.com/Watchdoc/J_Securite/cve-2025-58385.htm |
| Apache Software Foundation--Apache ZooKeeper | Improper permission check in ZooKeeper AdminServer lets authorized clients run the snapshot and restore commands with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.) | 2025-09-24 | not yet calculated | CVE-2025-58457 | https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx |
| Langfuse[.]com -- Langfuse 3.1 | Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as backgroundMigrations.all, backgroundMigrations.status, and backgroundMigrations.retry. | 2025-09-24 | not yet calculated | CVE-2025-59305 | https://depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study |
| mafintosh--tar-fs | tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories. | 2025-09-24 | not yet calculated | CVE-2025-59343 | https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09 |
| Squid Web Proxy Cache -- Version 7.1 | Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c. | 2025-09-26 | not yet calculated | CVE-2025-59362 | https://github.com/squid-cache/squid/pull/2149 https://github.com/Microsvuln/advisories/blob/main/CVE-2025-59362/CVE-2025-59362.md |
| Flock Safety Bravo Edge Compute Device – n/a | Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 accepts the default Thundercomm TurboX 6490 Firehose loader in EDL/QDL mode. This enables attackers with physical access to flash arbitrary firmware, dump partitions, and bypass bootloader and OS security controls. | 2025-09-25 | not yet calculated | CVE-2025-59402 | https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf https://www.flocksafety.com/products https://www.flocksafety.com/products/license-plate-readers https://gainsec.com/2025/09/19/root-from-the-coop-device-3-root-shell-on-flock-safetys-bravo-compute-box/ |
| Flock Safety Bravo Edge Compute Device – n/a | Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 ships with its bootloader unlocked. This permits bypass of Android Verified Boot (AVB) and allows direct modification of partitions. | 2025-09-25 | not yet calculated | CVE-2025-59404 | https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf https://www.flocksafety.com/products https://www.flocksafety.com/products/license-plate-readers https://gainsec.com/2025/09/19/root-from-the-coop-device-3-root-shell-on-flock-safetys-bravo-compute-box/ |
| Flock Safety Bravo Edge Compute Device – n/a | Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 ships with Secure Boot disabled. This allows an attacker to flash modified firmware with no cryptographic protections. | 2025-09-25 | not yet calculated | CVE-2025-59408 | https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf https://www.flocksafety.com/products https://www.flocksafety.com/products/license-plate-readers https://gainsec.com/2025/09/19/root-from-the-coop-device-3-root-shell-on-flock-safetys-bravo-compute-box/ |
| langgenius--dify | Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10 endpoint allows users in the same workspace to read chat messages of other users. A regular user is able to read the query data and the filename of the admins and probably other users chats, if they know the conversation_id. This impacts the confidentiality of chats. This issue has been patched in version 1.9.0. | 2025-09-25 | not yet calculated | CVE-2025-59422 | https://github.com/langgenius/dify/security/advisories/GHSA-jg5j-c9pq-w894 https://github.com/langgenius/dify/commit/b2d8a7eaf1693841411934e2056042845ab4f354 |
| ongres--scram | SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to version 3.2, a timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted. This vulnerability has been patched in version 3.1 by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison. | 2025-09-22 | not yet calculated | CVE-2025-59432 | https://github.com/ongres/scram/security/advisories/GHSA-3wfh-36rx-9537 https://github.com/ongres/scram/commit/f04975680d4a67bc84cc6c61bbffd5186223e2e2 https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte%5B%5D,byte%5B%5D) |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, the file upload flow performs validation only in the browser and does not enforce server-side checks. An attacker can bypass the client-side validation (for example, with an intercepting proxy or by submitting a crafted request) to store an executable HTML document on the server. When an administrator or other privileged user views the uploaded file, the embedded script runs in their context and sends session cookies (or other credentials) to an attacker-controlled endpoint. The attacker then reuses those credentials to impersonate the admin. This issue has been patched in version 1.4.0. | 2025-09-24 | not yet calculated | CVE-2025-59524 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mff9-p8j9-9v5q https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59524/2025-08-Horilla_Vulnerability_3.pdf https://github.com/horilla-opensource/horilla/releases/tag/1.4.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0. | 2025-09-24 | not yet calculated | CVE-2025-59525 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rp5m-vpqr-vpvp https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdf https://github.com/horilla-opensource/horilla/releases/tag/1.4.0 |
| eladnava--mailgen | mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Prior to version 2.0.30, there is an HTML injection vulnerability in plaintext e-mails generated by Mailgen. Projects are affected if the Mailgen.generatePlaintext(email) method is used and given user-generated content. This vulnerability has been patched in version 2.0.30. A workaround involves stripping all HTML tags before passing any content into Mailgen.generatePlaintext(email). | 2025-09-22 | not yet calculated | CVE-2025-59526 | https://github.com/eladnava/mailgen/security/advisories/GHSA-j2xj-h7w5-r7vp https://github.com/eladnava/mailgen/commit/741a0190ddae0f408b22ae3b5f0f4c3f5cf4f11d |
| openai--codex | Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox's writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. This issue has been patched in Codex CLI 0.39.0 that canonicalizes and validates that the boundary used for sandbox policy is based on where the user started the session, and not the one generated by the model. Users running 0.38.0 or earlier should update immediately via their package manager or by reinstalling the latest Codex CLI to ensure sandbox boundaries are enforced. If using the Codex IDE extension, users should immediately update to 0.4.12 for a fix of the sandbox issue. | 2025-09-22 | not yet calculated | CVE-2025-59532 | https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw https://github.com/openai/codex/commit/8595237505a1e0faabc2af3db805b66ce3ae182d https://github.com/openai/codex/releases/tag/rust-v0.39.0 |
| dnnsoftware--Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, specially crafted URLs to the FileBrowser are vulnerable to JavaScript injection, affecting any unsuspecting user who clicks such a link. This issue has been patched in version 10.1.0. | 2025-09-23 | not yet calculated | CVE-2025-59548 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-5fj9-542v-w4rq |
| http4s--http4s | Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of the HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers' security controls, launch targeted attacks against active users, and poison web caches. A prerequisite for exploitation is that the web application is deployed behind a reverse proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31. | 2025-09-23 | not yet calculated | CVE-2025-59822 | https://github.com/http4s/http4s/security/advisories/GHSA-wcwh-7gfw-5wrr https://github.com/http4s/http4s/commit/dd518f7c967e5165813b8d4a48a82b8fab852d41 |
| gardener--gardener-extension-provider-aws | Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0. | 2025-09-25 | not yet calculated | CVE-2025-59823 | https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6 https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0 https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0 https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0 https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0 |
| siderolabs--omni | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. The WireGuard interface on Omni is configured to ensure that the source IP address of an incoming packet matches the IPv6 address assigned to the Talos peer. However, it performs no validation on the packet's destination address. The Talos end of the SideroLink connection cannot be considered a trusted environment. Workloads running on Kubernetes, especially those configured with host networking, could gain direct access to this link. Therefore, a malicious workload could theoretically send arbitrary packets over the SideroLink interface. This issue has been patched in version 0.48.0. | 2025-09-24 | not yet calculated | CVE-2025-59824 | https://github.com/siderolabs/omni/security/advisories/GHSA-hqrf-67pm-wgfq https://github.com/siderolabs/omni/commit/a5efd816a239e6c9e5ea7c0d43c02c04504d7b60 |
| astral-sh--tokio-tar | astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading. | 2025-09-23 | not yet calculated | CVE-2025-59825 | https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-3wgq-wrwc-vqmv https://github.com/astral-sh/uv/issues/12163 https://github.com/astral-sh/tokio-tar/commit/036fdecc85c52458ace92dc9e02e9cef90684e75 |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege escalation and impersonation of administrative roles. This issue has been patched in version 2.2.0. | 2025-09-24 | not yet calculated | CVE-2025-59827 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-7944-xvv7-cv79 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. This issue has been fixed in version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. | 2025-09-24 | not yet calculated | CVE-2025-59828 | https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4 |
| snowyu--git-commiters.js | git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback), which allows specifying options such as cwd for the current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize user input or use a secure process execution API that separates commands from their arguments, so uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2. | 2025-09-25 | not yet calculated | CVE-2025-59831 | https://github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6 https://github.com/snowyu/git-commiters.js/commit/7f0abfedbf506e3a61ac875d91324a8dbe756e84 |
| monkeytypegame--monkeytype | Monkeytype is a minimalistic and customizable typing test. In versions 25.36.0 and prior, improper handling of user input when loading a saved custom text results in XSS. This issue has been patched via commit f025b12. | 2025-09-25 | not yet calculated | CVE-2025-59838 | https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-j4xx-fww5-774w https://github.com/monkeytypegame/monkeytype/commit/f025b121cbe437e29de432b4aa72e0de22c755b7 |
| jupyterlab--jupyterlab | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8. | 2025-09-26 | not yet calculated | CVE-2025-59842 | https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vvfj-2jqx-52jm https://github.com/jupyterlab/jupyterlab/commit/88ef373039a8cc09f27d3814382a512d9033675c |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The problem has been patched in FlagForge version 2.3.1. The fix removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.1 or later to eliminate exposure. There are no workarounds for this vulnerability. | 2025-09-26 | not yet calculated | CVE-2025-59843 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-qqjv-8r5p-7xpj |
| SonarSource--sonarqube-scan-action | SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment. The vulnerability has been fixed in version 6.0.0. Users should upgrade to this version or later. | 2025-09-26 | not yet calculated | CVE-2025-59844 | https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-5xq9-5g24-4g6f https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281 https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0 |
| nearform--get-jwks | get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. When the iss (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer validation. This design flaw enables a potential attack where a malicious actor crafts a pair of JWTs, the first one ensuring that a chosen public key is fetched and stored in the shared JWKS cache, and the second one leveraging that cached key to pass signature validation for a targeted iss value. The vulnerability will work only if the iss validation is done after the use of get-jwks for keys retrieval. This issue has been patched in version 11.0.2. | 2025-09-27 | not yet calculated | CVE-2025-59936 | https://github.com/nearform/get-jwks/security/advisories/GHSA-qc2q-qhf3-235m https://github.com/nearform/get-jwks/commit/1706a177a80a1759fe68e3339dc5a219ce03ddb9 |
| huggingface--huggingface/transformers | The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive. | 2025-09-23 | not yet calculated | CVE-2025-6921 | https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be |
| danny-avila--danny-avila/librechat | danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permissions.some()` to validate permissions, which incorrectly grants access if only one of multiple required permissions is present. This allows users with the 'USER' role to create agents despite having `CREATE: false` permission, as the check for `['USE', 'CREATE']` passes with just `USE: true`. This vulnerability affects other permission checks as well, such as `PROMPTS`. The issue is present in all versions prior to the fix. | 2025-09-23 | not yet calculated | CVE-2025-7106 | https://huntr.com/bounties/7de2765b-d1fe-4495-9144-220070857c48 https://github.com/danny-avila/librechat/commit/91a2df47599c09d80886bfc28e0ccf1debd42110 |
| run-llama--run-llama/llama_index | The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded directory path `/tmp/llama_index` is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct symlink attacks. The issue affects all Linux deployments where multiple users share the same system. The vulnerability is classified under CWE-379, CWE-377, and CWE-367, indicating insecure temporary file creation and potential race conditions. | 2025-09-27 | not yet calculated | CVE-2025-7647 | https://huntr.com/bounties/a2baa08f-98bf-47a8-ac83-06f7411afd9e https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4 |
| Unknown--SureForms | The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputting them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks. | 2025-09-23 | not yet calculated | CVE-2025-8282 | https://wpscan.com/vulnerability/62680106-1313-4ef0-80a5-33e93b4221a1/ |
| RTI--Connext Professional | Use After Free vulnerability in RTI Connext Professional (Security Plugins) allows File Manipulation. This issue affects Connext Professional: from 7.5.0 before 7.6.0. | 2025-09-23 | not yet calculated | CVE-2025-8410 | https://www.rti.com/vulnerabilities/#cve-2025-8410 |
| Python Packaging Authority--pip | When extracting a tar archive, pip may not check that symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure against all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation, as is already a best practice. | 2025-09-24 | not yet calculated | CVE-2025-8869 | https://github.com/pypa/pip/pull/13550 https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/ |
| GE Vernova--S1 Agile Configuration Software | Improper Privilege Management vulnerability in GE Vernova S1 Agile Configuration Software on Windows allows Privilege Escalation. This issue affects S1 Agile Configuration Software: 3.1 and previous version. | 2025-09-22 | not yet calculated | CVE-2025-9038 | https://www.gevernova.com/grid-solutions/sites/default/files/resources/products/support/ges-2025-001.pdf |
| Unknown--Etsy Shop | The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | 2025-09-22 | not yet calculated | CVE-2025-9115 | https://wpscan.com/vulnerability/67721fa5-4d4f-468b-aa77-c406e68fcf17/ |
| Seagate--Toolkit | In Seagate Toolkit on Windows a vulnerability exists in the Toolkit Installer prior to version 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their origin or integrity. This behavior can be exploited by placing a malicious DLL in the same directory as the installer executable, leading to arbitrary code execution with the privileges of the user running the installer. The issue stems from the use of insecure DLL loading practices, such as relying on relative paths or failing to specify fully qualified paths when invoking system libraries. | 2025-09-26 | not yet calculated | CVE-2025-9267 | https://www.seagate.com/product-security/#security-advisories https://www.seagate.com/support/software/toolkit/ |
| Unknown--Admin and Site Enhancements (ASE) | The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads. | 2025-09-22 | not yet calculated | CVE-2025-9487 | https://wpscan.com/vulnerability/b957b7c4-7a7c-497e-b8e4-499c821fb1b0/ |
| Viessmann--Vitogate 300 | An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that the function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices. | 2025-09-23 | not yet calculated | CVE-2025-9494 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Viessmann--Vitogate 300 | The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser's developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device. | 2025-09-23 | not yet calculated | CVE-2025-9495 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Unknown--Markup Markdown | The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-09-22 | not yet calculated | CVE-2025-9540 | https://wpscan.com/vulnerability/79e606df-50a0-4639-b2d9-4a77111fd729/ |
| Unknown--Markup Markdown | The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-09-22 | not yet calculated | CVE-2025-9541 | https://wpscan.com/vulnerability/3828b320-9f7b-4a2a-a6b0-200b023d602c/ |
| Salesforce--Salesforce CLI | Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable. This issue affects Salesforce CLI: before 2.106.6. | 2025-09-23 | not yet calculated | CVE-2025-9844 | https://help.salesforce.com/s/articleView?id=005224301&type=1 |
| is-localhost-ip--is-localhost-ip | A restriction bypass vulnerability in is-localhost-ip could allow attackers to perform Server-Side Request Forgery (SSRF). This issue affects is-localhost-ip: 2.0.0. | 2025-09-22 | not yet calculated | CVE-2025-9960 | https://fluidattacks.com/advisories/registrada https://github.com/tinovyatkin/is-localhost-ip |
| Novakon--P series | A buffer overflow vulnerability in Novakon P series allows attackers to gain root permission without prior authentication. This issue affects P series: P - V2001.A.C518o2. | 2025-09-23 | not yet calculated | CVE-2025-9962 | https://cyberdanube.com/security-research/multiple-vulnerabilities-in-novakon-hmi-series/ |
| Novakon--P series | A path traversal vulnerability in Novakon P series allows an attacker to expose the root file system "/" and modify all files with root permissions. This way the system can also be compromised. This issue affects P series: P - V2001.A.C518o2. | 2025-09-23 | not yet calculated | CVE-2025-9963 | https://cyberdanube.com/security-research/multiple-vulnerabilities-in-novakon-hmi-series/ |
| Novakon--P series | No password for the root user is set in Novakon P series. This allows physical attackers to enter the console easily. This issue affects P series: P - V2001.A.C518o2. | 2025-09-23 | not yet calculated | CVE-2025-9964 | https://cyberdanube.com/security-research/multiple-vulnerabilities-in-novakon-hmi-series/ |
| Novakon--P series | Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device. This issue affects P series: P - V2001.A.C518o2. | 2025-09-23 | not yet calculated | CVE-2025-9965 | https://cyberdanube.com/security-research/multiple-vulnerabilities-in-novakon-hmi-series/ |
| Novakon--P series | Improper privilege management vulnerability in Novakon P series allows attackers to gain root privileges if one service is compromised. This issue affects P series: P - V2001.A.C518o2. | 2025-09-23 | not yet calculated | CVE-2025-9966 | https://cyberdanube.com/security-research/multiple-vulnerabilities-in-novakon-hmi-series/ |
| GALAYOU--G2 | GALAYOU G2 cameras stream video output via RTSP streams. By default these streams are protected by randomly generated credentials. However, these credentials are not required to access the stream. Changing these values does not change the camera's behavior. The vendor did not respond in any way. Only version 11.100001.01.28 was tested; other versions might also be vulnerable. | 2025-09-22 | not yet calculated | CVE-2025-9983 | https://cert.pl/en/posts/2025/09/CVE-2025-9983 https://www.galayou-store.com/g2 |
Vulnerability Summary for the Week of September 15, 2025
Posted on Tuesday September 23, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Logo Software--Diva | Authorization Bypass Through User-Controlled SQL Primary Key, CWE - 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Logo Software Diva allows SQL Injection, CAPEC - 7 - Blind SQL Injection. This issue affects Diva: through 4.56.00.00. | 2025-09-18 | 10 | CVE-2024-13151 | https://www.usom.gov.tr/bildirim/tr-25-0273 |
| Fortra--GoAnywhere MFT | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. | 2025-09-18 | 10 | CVE-2025-10035 | https://www.fortra.com/security/advisories/product-security/fi-2025-012 |
| Spring--Cloud Gateway | Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured. | 2025-09-16 | 10 | CVE-2025-41243 | https://spring.io/security/cve-2025-41243 |
| Arma Store--Armalife | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arma Store Armalife allows SQL Injection. This issue affects Armalife: through 20250916. NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. | 2025-09-16 | 9.8 | CVE-2024-13149 | https://www.usom.gov.tr/bildirim/tr-25-0258 |
| Tenda--AC1206 | A vulnerability was found in Tenda AC1206 15.03.06.23. This vulnerability affects the function check_param_changed of the file /goform/AdvSetMacMtuWa of the component HTTP Request Handler. Performing manipulation of the argument wanMTU results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-09-15 | 9.8 | CVE-2025-10432 | VDB-323866 \| Tenda AC1206 HTTP Request AdvSetMacMtuWa check_param_changed stack-based overflow VDB-323866 \| CTI Indicators (IOB, IOC, IOA) Submit #647527 \| Tenda AC1206 AC1206V1.0RTL_V15.03.06.23 Stack-based Buffer Overflow https://github.com/M4st3rYi/IoTVulPocs/blob/main/Tenda/AC1206/fromAdvSetMacMtuWan.md https://www.tenda.com.cn/ |
| Yordam Informatics--Yordam Library Automation System | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yordam Informatics Yordam Library Automation System allows SQL Injection. This issue affects Yordam Library Automation System: from 21.5 & 21.6 before 21.7. | 2025-09-17 | 9.8 | CVE-2025-10439 | https://www.usom.gov.tr/bildirim/tr-25-0268 |
| Gotac--Statistical Database System | Statistical Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents with high-level privileges. | 2025-09-15 | 9.8 | CVE-2025-10452 | https://www.twcert.org.tw/tw/cp-132-10379-70d40-1.html https://www.twcert.org.tw/en/cp-139-10380-1ce73-2.html |
| Bearsthemes--Goza - Nonprofit Charity WordPress Theme | The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. | 2025-09-19 | 9.8 | CVE-2025-10690 | https://www.wordfence.com/threat-intel/vulnerabilities/id/628bfa19-2ffa-426b-8b88-22a0c4d0ba92?source=cve https://themeforest.net/item/goza-nonprofit-charity-wordpress-theme/23781575 https://www.cve.org/CVERecord?id=CVE-2025-5394 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause a remote code execution by manipulating the model name parameter in the model control APIs. A successful exploit of this vulnerability might lead to remote code execution, denial of service, information disclosure, and data tampering. | 2025-09-17 | 9.8 | CVE-2025-23316 | https://nvidia.custhelp.com/app/answers/detail/a_id/5691 |
| Dover Fueling Solutions--ProGauge MagLink LX 4 | Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker with network access to the device can gain administrative access to the system. | 2025-09-18 | 9.8 | CVE-2025-30519 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-07 https://www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles/progauge-maglink-lx-4-console.html |
| BGS Interactive--SINAV.LINK Exam Result Module | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BGS Interactive SINAV.LINK Exam Result Module allows SQL Injection. This issue affects SINAV.LINK Exam Result Module: before 1.2. | 2025-09-16 | 9.8 | CVE-2025-4688 | https://www.usom.gov.tr/bildirim/tr-25-0252 |
| centos-webpanel--CentOS Web Panel | CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. | 2025-09-19 | 9 | CVE-2025-48703 | https://fenrisk.com/rce-centos-webpanel |
| Dover Fueling Solutions--ProGauge MagLink LX 4 | The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system. | 2025-09-18 | 9.8 | CVE-2025-54807 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-07 https://www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles/progauge-maglink-lx-4-console.html |
| BMC--Control-M/Agent | An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an empty or default kdb keystore or a default PKCS#12 keystore. A remote attacker with access to a signed third-party or demo certificate for client authentication can bypass the need for a certificate signed by the certificate authority of the organization during authentication on the Control-M/Agent. The Control-M/Agent contains hardcoded certificates which are only trusted as fallback if an empty kdb keystore is used; they are never trusted if a PKCS#12 keystore is used. All of these certificates are now expired. In addition, the Control-M/Agent default kdb and PKCS#12 keystores contain trusted third-party certificates (external recognized CAs and default self-signed demo certificates) which are trusted for client authentication. | 2025-09-16 | 9 | CVE-2025-55109 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441963 |
| BMC--Control-M/Agent | If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate. | 2025-09-16 | 9 | CVE-2025-55113 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441967 |
| dyad-sh--dyad | Dyad is a local AI app builder. A critical security vulnerability has been discovered that affected Dyad v0.19.0 and earlier versions that allows attackers to execute arbitrary code on users' systems. The vulnerability affects the application's preview window functionality and can bypass Docker container protections. An attacker can craft web content that automatically executes when the preview loads. The malicious content can break out of the application's security boundaries and gain control of the system. This has been fixed in Dyad v0.20.0 and later. | 2025-09-17 | 9.1 | CVE-2025-58766 | https://github.com/dyad-sh/dyad/security/advisories/GHSA-7fxm-c5xx-7vpq https://github.com/dyad-sh/dyad/commit/1c0255ab126d3b38ae9e78b17cdab9a07e5f0185 https://github.com/dyad-sh/dyad/commit/ebcf89ee6cead83a33add5ef1e19c8d4f9b4ce9b |
| mohammadzain2008--Linkr | Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and when a user runs the extract command the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers. | 2025-09-16 | 9.7 | CVE-2025-59334 | https://github.com/mohammadzain2008/Linkr/security/advisories/GHSA-6wph-mpv2-29xv https://github.com/mohammadzain2008/Linkr/commit/182e5ddaa51972e144005b500c4bcebf2fd1a6c0 |
| HubSpot--jinjava | jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs (e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1. | 2025-09-17 | 9.8 | CVE-2025-59340 | https://github.com/HubSpot/jinjava/security/advisories/GHSA-m49c-g9wr-hv6v https://github.com/HubSpot/jinjava/commit/66df351e7e8ad71ca04dcacb4b65782af820b8b1 https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.1 |
| Chaos Mesh--Chaos Controller Manager | The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | 2025-09-15 | 9.8 | CVE-2025-59359 | https://github.com/chaos-mesh/chaos-mesh/pull/4702 https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover |
| Chaos Mesh--Chaos Controller Manager | The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | 2025-09-15 | 9.8 | CVE-2025-59360 | https://github.com/chaos-mesh/chaos-mesh/pull/4702 https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover |
| Chaos Mesh--Chaos Controller Manager | The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | 2025-09-15 | 9.8 | CVE-2025-59361 | https://github.com/chaos-mesh/chaos-mesh/pull/4702 https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover |
| aonetheme--Service Finder Bookings | The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to claiming a business when using the claim_business AJAX action. This makes it possible for unauthenticated attackers to log in as any user including admins. Please note that subscriber privileges or brute-forcing are needed when completing the business takeover. The claim_id is needed to take over the admin account, but brute-forcing is a practical approach to obtaining valid IDs. | 2025-09-19 | 9.8 | CVE-2025-5948 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb018bc-2650-4e0d-8da9-325eac826d45?source=cve https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793 |
| Dolusoft--Omaspot | Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation. This issue affects Omaspot: before 12.09.2025. | 2025-09-16 | 9.6 | CVE-2025-7743 | https://www.usom.gov.tr/bildirim/tr-25-0254 |
| Dolusoft--Omaspot | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dolusoft Omaspot allows SQL Injection. This issue affects Omaspot: before 12.09.2025. | 2025-09-16 | 9.8 | CVE-2025-7744 | https://www.usom.gov.tr/bildirim/tr-25-0254 |
| SUSE--neuvector | A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs. | 2025-09-17 | 9.8 | CVE-2025-8077 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-8077 https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56 |
| Planet Technology--ICG-2510WG-LTE (EU/US) | Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality. | 2025-09-17 | 9.8 | CVE-2025-9971 | https://www.twcert.org.tw/tw/cp-132-10389-265a3-1.html https://www.twcert.org.tw/en/cp-139-10390-7ce12-2.html https://www.planet.com.tw/en/support/security-advisory/8 |
| Planet Technology--ICG-2510WG-LTE (EU/US) | The N-Reporter, N-Cloud, and N-Probe developed by N-Partner has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-09-17 | 9.8 | CVE-2025-9972 | https://www.twcert.org.tw/tw/cp-132-10389-265a3-1.html https://www.twcert.org.tw/en/cp-139-10390-7ce12-2.html https://www.planet.com.tw/en/support/security-advisory/8 |
| Vegagrup Software--Vega Master | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vegagrup Software Vega Master allows Directory Indexing. This issue affects Vega Master: from v.1.12.35 through 20250916. NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. | 2025-09-16 | 8.6 | CVE-2024-12367 | https://www.usom.gov.tr/bildirim/tr-25-0249 |
| Megatek Communication System--Azora Wireless Network Management | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Megatek Communication System Azora Wireless Network Management allows SQL Injection. This issue affects Azora Wireless Network Management: through 20250916. NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. | 2025-09-16 | 8.8 | CVE-2024-12913 | https://www.usom.gov.tr/bildirim/tr-25-0253 |
| E1 Informatics--Web Application | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E1 Informatics Web Application allows SQL Injection. This issue affects Web Application: through 20250916. NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. | 2025-09-16 | 8.6 | CVE-2024-13174 | https://www.usom.gov.tr/bildirim/tr-25-0259 |
| smackcoders--WP Import Ultimate CSV XML Importer for WordPress | The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution. | 2025-09-17 | 8.8 | CVE-2025-10057 | https://www.wordfence.com/threat-intel/vulnerabilities/id/925af22b-a728-496e-a63a-5966347ebe6c?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.25/importExtensions/ImportHelpers.php#L585 https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/uploadModules/DesktopUpload.php https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/importExtensions/ImportHelpers.php |
| smackcoders--WP Import Ultimate CSV XML Importer for WordPress | The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-09-17 | 8.1 | CVE-2025-10058 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5a6bcfa6-7a40-4566-b4d2-62b696ded2d6?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L200 https://plugins.trac.wordpress.org/changeset/3360611/ https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php |
| ABB--FLXEON | Use of a One-Way Hash with a Predictable Salt vulnerability in ABB FLXEON. This issue affects FLXEON: through 9.3.5 and newer versions | 2025-09-17 | 8.8 | CVE-2025-10205 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7121&LanguageCode=en&DocumentPartId=pdf&Action=Launch |
| Tenda--AC9 | A vulnerability was identified in Tenda AC9 and AC15 15.03.05.14/15.03.05.18. This vulnerability affects the function formexeCommand of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-09-15 | 8.8 | CVE-2025-10443 | VDB-323877 \| Tenda AC9/AC15 exeCommand formexeCommand buffer overflow VDB-323877 \| CTI Indicators (IOB, IOC, IOA) Submit #647840 \| Tenda Tenda AC15、AC9 AC15 V1.0BR_V15.03.05.18 AC9 V1.0BR_V15.03.05.14 Buffer Overflow https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC15_AC9_Bof.md https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC15_AC9_Bof.md#poc https://www.tenda.com.cn/ |
| N-Partner--N-Reporter | The N-Reporter, N-Cloud, and N-Probe developed by N-Partner has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-09-17 | 8.8 | CVE-2025-10589 | https://www.twcert.org.tw/tw/cp-132-10386-231ae-1.html https://www.twcert.org.tw/en/cp-139-10387-b8a4e-2.html |
| salzano--Embed PDF for WPForms | The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-09-19 | 8.8 | CVE-2025-10647 | https://www.wordfence.com/threat-intel/vulnerabilities/id/af67a544-daff-469f-a66b-e998b79b7845?source=cve https://wordpress.org/plugins/embed-pdf-wpforms/ https://plugins.trac.wordpress.org/changeset/3364156/embed-pdf-wpforms/trunk/includes/class-wpforms-field-pdf-viewer.php |
| D-Link--DIR-825 | A security flaw has been discovered in D-Link DIR-825 up to 2.10. Affected by this vulnerability is the function sub_4106d4 of the file apply.cgi. The manipulation of the argument countdown_time results in buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-09-18 | 8.8 | CVE-2025-10666 | VDB-324787 \| D-Link DIR-825 apply.cgi sub_4106d4 buffer overflow VDB-324787 \| CTI Indicators (IOB, IOC, IOA) Submit #652047 \| D-Link DIR-825 Rev.B 2.10 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dir-825/apply.cgi.md https://github.com/panda666-888/vuls/blob/main/d-link/dir-825/apply.cgi.md#poc https://www.dlink.com/ |
| UTT--HiPER 840G | A security flaw has been discovered in UTT HiPER 840G up to 3.1.1-190328. Impacted is an unknown function of the file /goform/getOneApConfTempEntry. The manipulation of the argument tempName results in buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-20 | 8.8 | CVE-2025-10756 | VDB-325111 \| UTT HiPER 840G getOneApConfTempEntry buffer overflow VDB-325111 \| CTI Indicators (IOB, IOC, IOA) Submit #645678 \| UTT HiPER 840G <=V3v3.1.1-190328 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/5.md https://github.com/cymiao1978/cve/blob/main/5.md#poc |
| UTT--1200GW | A weakness has been identified in UTT 1200GW up to 3.0.0-170831. The affected element is an unknown function of the file /goform/formConfigDnsFilterGlobal. This manipulation of the argument GroupName causes buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-20 | 8.8 | CVE-2025-10757 | VDB-325112 \| UTT 1200GW formConfigDnsFilterGlobal buffer overflow VDB-325112 \| CTI Indicators (IOB, IOC, IOA) Submit #645681 \| UTT 进取 1200GW <=v3.0.0-170831 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/6.md https://github.com/cymiao1978/cve/blob/main/6.md#poc |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker may cause an improper input validation issue. A successful exploit of this vulnerability may lead to code execution. | 2025-09-17 | 8 | CVE-2025-23268 | https://nvidia.custhelp.com/app/answers/detail/a_id/5691 |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerability in the command-line interface of HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to escalate privileges. Successful exploitation of this vulnerability may enable the attacker to execute arbitrary system commands with root privileges on the underlying operating system. | 2025-09-16 | 8.8 | CVE-2025-37123 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerability in the HPE Aruba Networking SD-WAN Gateways could allow an unauthenticated remote attacker to bypass firewall protections. Successful exploitation could allow an attacker to route potentially harmful traffic through the internal network, leading to unauthorized access or disruption of services. | 2025-09-16 | 8.6 | CVE-2025-37124 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| Cognex--In-Sight 2000 series | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSystemConfig functionality to modify relevant device properties (such as network settings), contradicting the security model proposed in the user manual. | 2025-09-18 | 8.1 | CVE-2025-52873 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| Cognex--In-Sight 2000 series | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying users' access to the device. | 2025-09-18 | 8.8 | CVE-2025-53969 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| Cognex--In-Sight 2000 series | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSerialPort functionality to modify relevant device properties (such as serial interface settings), contradicting the security model proposed in the user manual. | 2025-09-18 | 8.1 | CVE-2025-54497 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| Cognex--In-Sight 2000 series | An attacker with adjacent access, without authentication, can exploit this vulnerability to retrieve a hard-coded password embedded in publicly available software. This password can then be used to decrypt sensitive network traffic, affecting the Cognex device. | 2025-09-18 | 8 | CVE-2025-54754 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| Cognex--In-Sight 2000 series | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over an unencrypted channel, allowing an adjacent attacker to intercept valid credentials to gain access to the device. | 2025-09-18 | 8 | CVE-2025-54810 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| Cognex--In-Sight 2000 series | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over an unencrypted channel, allowing an adjacent attacker to intercept valid credentials to gain access to the device. | 2025-09-18 | 8 | CVE-2025-54818 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| Dover Fueling Solutions--ProGauge MagLink LX 4 | Dover Fueling Solutions ProGauge MagLink LX4 Devices fail to handle Unix time values beyond a certain point. An attacker can manually change the system time to exploit this limitation, potentially causing errors in authentication and leading to a denial-of-service condition. | 2025-09-18 | 8.2 | CVE-2025-55068 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-07 https://www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles/progauge-maglink-lx-4-console.html |
| BMC--Control-M/Agent | A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above. | 2025-09-16 | 8.8 | CVE-2025-55115 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441969 |
| BMC--Control-M/Agent | A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. | 2025-09-16 | 8.8 | CVE-2025-55116 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441969 |
| BMC--Control-M/Agent | Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n"; * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n". | 2025-09-16 | 8.9 | CVE-2025-55118 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441972 |
| greenshot--greenshot | Greenshot is an open source Windows screenshot utility. Greenshot 1.3.300 and earlier deserializes attacker-controlled data received in a WM_COPYDATA message using BinaryFormatter.Deserialize without prior validation or authentication, allowing a local process at the same integrity level to trigger arbitrary code execution inside the Greenshot process. The vulnerable logic resides in a WinForms WndProc handler for WM_COPYDATA (message 74) that copies the supplied bytes into a MemoryStream and invokes BinaryFormatter.Deserialize, and only afterward checks whether the specified channel is authorized. Because the authorization check occurs after deserialization, any gadget chain embedded in the serialized payload executes regardless of channel membership. A local attacker who can send WM_COPYDATA to the Greenshot main window can achieve in-process code execution, which may aid evasion of application control policies by running payloads within the trusted, signed Greenshot.exe process. This issue is fixed in version 1.3.301. No known workarounds exist. | 2025-09-16 | 8.4 | CVE-2025-59050 | https://github.com/greenshot/greenshot/security/advisories/GHSA-8f7f-x7ww-xx5w https://github.com/greenshot/greenshot/commit/f5a29a2ed3b0eb49231c0f4618300f488cf1b04d |
| dolfinus--3DAlloy | 3DAlloy is a lightweight 3D-viewer for MediaWiki. From 1.0 through 1.8, the `<3d>` parser tag and the `{{#3d}}` parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not sanitized, which means that arbitrary JavaScript can be inserted and executed. | 2025-09-15 | 8.6 | CVE-2025-59332 | https://github.com/dolfinus/3DAlloy/security/advisories/GHSA-f2rp-232x-mqrh https://github.com/dolfinus/3DAlloy/commit/9fac7936254886265ac89c8824c4816d009b7a1b |
| executeautomation--mcp-database-server | The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors. | 2025-09-16 | 8.1 | CVE-2025-59333 | https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw |
| JetBrains--Junie | In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 code execution was possible due to improper command validation | 2025-09-17 | 8.3 | CVE-2025-59458 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| lemonldap-ng--LemonLDAP::NG | In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server. | 2025-09-17 | 8 | CVE-2025-59518 | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/3462 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/228d01945d48015f3f9ea8a8dc64d7e6a27750e9 |
| aonetheme--Service Finder SMS System | The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to log in as arbitrary users. | 2025-09-19 | 8.1 | CVE-2025-5955 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc4598a7-d5cf-4553-b29a-659fe288ece9?source=cve https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793 |
| cyberlord92--Miniorange OTP Verification with Firebase | The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability. | 2025-09-19 | 8.1 | CVE-2025-7665 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a02910-5674-4266-ab6e-7926bf6adecc?source=cve https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/trunk/handler/forms/class-registrationform.php |
| wplegalpages--Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages | The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the wplp_gdpr_install_plugin_ajax_handler() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to install arbitrary repository plugins. | 2025-09-18 | 8.1 | CVE-2025-8565 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ed5f2c6d-a548-44c1-a07a-e33999bb164d?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355766%40wplegalpages%2Ftrunk&old=3348524%40wplegalpages%2Ftrunk&sfp_email=&sfph_mail= |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory | 2025-09-19 | 8 | CVE-2025-9079 | https://mattermost.com/security-updates |
| kodezen--StoreEngine Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More | The StoreEngine - Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-09-17 | 8.8 | CVE-2025-9216 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f8cc393-4d6f-4d15-ad95-d4a89dfe433c?source=cve https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/import.php#L52 https://github.com/d0n601/CVE-2025-9216 https://ryankozak.com/posts/cve-2025-9216/ https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/import.php |
| ABB--FLXEON | Use of Hard-coded Credentials vulnerability in ABB FLXEON. This issue affects FLXEON: through 9.3.5 and newer versions | 2025-09-17 | 7 | CVE-2024-48842 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7121&LanguageCode=en&DocumentPartId=pdf&Action=Launch |
| ABB--FLXEON | Improper Validation of Specified Type of Input vulnerability in ABB FLXEON. A remote code execution is possible due to an improper input validation. This issue affects FLXEON: through 9.3.5. | 2025-09-18 | 7.2 | CVE-2024-48851 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7121&LanguageCode=en&DocumentPartId=pdf&Action=Launch |
| catchthemes--Catch Dark Mode | The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2025-09-17 | 7.5 | CVE-2025-10143 | https://www.wordfence.com/threat-intel/vulnerabilities/id/46776cd5-5262-46ea-b56c-0cbf2b9ae43d?source=cve https://plugins.trac.wordpress.org/browser/catch-dark-mode/trunk/plugin.php#L483 https://wordpress.org/plugins/catch-dark-mode https://plugins.trac.wordpress.org/changeset/3359058/ |
| Digilent--WaveForms | Relative path traversal vulnerability due to improper input validation in Digilent WaveForms that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .DWF3WORK file. This vulnerability affects Digilent WaveForms 3.24.3 and prior versions. | 2025-09-15 | 7.8 | CVE-2025-10203 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/relative-path-traversal-vulnerability-in-digilent-waveforms.html |
| ABB--FLXEON | Improper Validation of Specified Type of Input vulnerability in ABB FLXEON. This issue affects FLXEON: through 9.3.5. | 2025-09-18 | 7.2 | CVE-2025-10207 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7121&LanguageCode=en&DocumentPartId=pdf&Action=Launch |
| Campcodes--Grocery Sales and Inventory System | A security flaw has been discovered in Campcodes Grocery Sales and Inventory System 1.0. Affected is an unknown function of the file /ajax.php?action=delete_product. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-15 | 7.3 | CVE-2025-10417 | VDB-323851 \| Campcodes Grocery Sales and Inventory System ajax.php sql injection VDB-323851 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646973 \| campcodes Grocery Sales and Inventory System V1.0 SQL injection https://github.com/zzb1388/cve/issues/78 https://www.campcodes.com/ |
| 1000projects--Online Student Project Report Submission and Evaluation System | A vulnerability was determined in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The affected element is an unknown function of the file /admin/controller/faculty_controller.php. This manipulation of the argument new_image causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-15 | 7.3 | CVE-2025-10424 | VDB-323858 \| 1000projects Online Student Project Report Submission and Evaluation System faculty_controller.php unrestricted upload VDB-323858 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647173 \| 1000projects.org Online Student Project Report Submission and Evaluation System v1.0 File unrestricted upload Submit #647176 \| 1000projects.org Online Student Project Report Submission and Evaluation System PHP Project v1.0 File unrestricted upload (Duplicate) https://github.com/lan041221/cvec/issues/22 |
| 1000projects--Online Student Project Report Submission and Evaluation System | A vulnerability was identified in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The impacted element is an unknown function of the file /admin/controller/student_controller.php. Such manipulation of the argument new_image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used. | 2025-09-15 | 7.3 | CVE-2025-10425 | VDB-323859 \| 1000projects Online Student Project Report Submission and Evaluation System student_controller.php unrestricted upload VDB-323859 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647175 \| 1000projects.org Online Student Project Report Submission and Evaluation System v1.0 File unrestricted upload Submit #647177 \| 1000projects.org Online Student Project Report Submission and Evaluation System PHP Project v1.0 File unrestricted upload (Duplicate) https://github.com/lan041221/cvec/issues/23 |
| itsourcecode--Online Laundry Management System | A security flaw has been discovered in itsourcecode Online Laundry Management System 1.0. This affects an unknown function of the file /login.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-15 | 7.3 | CVE-2025-10426 | VDB-323860 \| itsourcecode Online Laundry Management System login.php sql injection VDB-323860 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647210 \| Campcodes Online Laundry Management System V1.0 SQL Injection https://github.com/HAO-RAY/HCR-CVE/issues/3 https://itsourcecode.com/ |
| Campcodes--Computer Sales and Inventory System | A security flaw has been discovered in Campcodes Computer Sales and Inventory System 1.0. The affected element is an unknown function of the file /pages/cust_edit1.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-09-15 | 7.3 | CVE-2025-10435 | VDB-323869 \| Campcodes Computer Sales and Inventory System cust_edit1.php sql injection VDB-323869 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647615 \| Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/ldz23/cve/issues/1 https://www.campcodes.com/ |
| Campcodes--Computer Sales and Inventory System | A weakness has been identified in Campcodes Computer Sales and Inventory System 1.0. The impacted element is an unknown function of the file /pages/sup_searchfrm.php?action=edit. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-09-15 | 7.3 | CVE-2025-10436 | VDB-323870 \| Campcodes Computer Sales and Inventory System sup_searchfrm.php sql injection VDB-323870 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647616 \| Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/ldz23/cve/issues/2 https://www.campcodes.com/ |
| Campcodes--Online Job Finder System | A security flaw has been discovered in Campcodes Online Job Finder System 1.0. This issue affects some unknown processing of the file /advancesearch.php. Performing manipulation of the argument Username results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-09-15 | 7.3 | CVE-2025-10444 | VDB-323878 \| Campcodes Online Job Finder System advancesearch.php sql injection VDB-323878 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647851 \| Campcodes Online Job Finder System V1.0 SQL Injection https://github.com/HAO-RAY/HCR-CVE/issues/5 https://www.campcodes.com/ |
| Campcodes--Computer Sales and Inventory System | A weakness has been identified in Campcodes Computer Sales and Inventory System 1.0. Impacted is an unknown function of the file /pages/us_transac.php?action=add. Executing manipulation of the argument Username can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. | 2025-09-15 | 7.3 | CVE-2025-10445 | VDB-323879 \| Campcodes Computer Sales and Inventory System us_transac.php sql injection VDB-323879 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647886 \| Campcodes Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/e1evensu/cve/issues/2 https://www.campcodes.com/ |
| Campcodes--Computer Sales and Inventory System | A security vulnerability has been detected in Campcodes Computer Sales and Inventory System 1.0. The affected element is an unknown function of the file /pages/cust_searchfrm.php?action=edit. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-09-15 | 7.3 | CVE-2025-10446 | VDB-323880 \| Campcodes Computer Sales and Inventory System cust_searchfrm.php sql injection VDB-323880 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647887 \| Campcodes Campcodes Computer Sales and Inventory System V1.0 SQL Injection https://github.com/e1evensu/cve/issues/3 https://www.campcodes.com/ |
| Campcodes--Online Job Finder System | A vulnerability was detected in Campcodes Online Job Finder System 1.0. The impacted element is an unknown function of the file /eris/applicationform.php. The manipulation of the argument picture results in unrestricted upload. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-09-15 | 7.3 | CVE-2025-10447 | VDB-323881 \| Campcodes Online Job Finder System applicationform.php unrestricted upload VDB-323881 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648014 \| Campcodes Online Job Finder System V1.0 Unrestricted Upload https://github.com/HAO-RAY/HCR-CVE/issues/6 https://www.campcodes.com/ |
| Campcodes--Online Job Finder System | A flaw has been found in Campcodes Online Job Finder System 1.0. This affects an unknown function of the file /index.php?q=result&searchfor=bycompany. This manipulation of the argument Search causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-09-15 | 7.3 | CVE-2025-10448 | VDB-323882 \| Campcodes Online Job Finder System index.php sql injection VDB-323882 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648023 \| Campcodes Online Job Finder System V1.0 SQL Injection https://github.com/HAO-RAY/HCR-CVE/issues/7 https://www.campcodes.com/ |
| zephyrproject-rtos--Zephyr | A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation. | 2025-09-19 | 7.1 | CVE-2025-10456 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hcc8-3qr7-c9m8 |
| zephyrproject-rtos--Zephyr | Parameters are not validated or sanitized, and are later used in various internal operations. | 2025-09-19 | 7.6 | CVE-2025-10458 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-vmww-237q-2fwp |
| PHPGurukul--Beauty Parlour Management System | A security flaw has been discovered in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/all-appointment.php. The manipulation of the argument delid results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-09-15 | 7.3 | CVE-2025-10459 | VDB-323887 \| PHPGurukul Beauty Parlour Management System all-appointment.php sql injection VDB-323887 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648355 \| PHPGurukul Beauty Parlour Management System V1.1 SQL Injection https://github.com/xiaoxinkaishi/cve/issues/5 https://phpgurukul.com/ |
| Beyaz Computer--CityPlus | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Beyaz Computer CityPlus allows Path Traversal. This issue affects CityPlus: before 24.29375. | 2025-09-19 | 7.5 | CVE-2025-10468 | https://www.usom.gov.tr/bildirim/tr-25-0279 |
| SourceCodester--Online Student File Management System | A security flaw has been discovered in SourceCodester Online Student File Management System 1.0. The impacted element is an unknown function of the file /index.php. Performing manipulation of the argument stud_no results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-09-15 | 7.3 | CVE-2025-10479 | VDB-323914 \| SourceCodester Online Student File Management System index.php sql injection VDB-323914 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648520 \| SourceCodester Online Student File Management System 1.0 SQL Injection https://github.com/ganzhi-qcy/cve/issues/25 https://www.sourcecodester.com/ |
| SourceCodester--Online Student File Management System | A vulnerability was detected in SourceCodester Online Student File Management System 1.0. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2025-09-15 | 7.3 | CVE-2025-10482 | VDB-323917 \| SourceCodester Online Student File Management System index.php sql injection VDB-323917 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648580 \| SourceCodester Online Student File Management System 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/11 https://www.sourcecodester.com/ |
| MongoDB Inc--MongoDB Server | The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories, allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.21 and MongoDB Server v8.0 versions prior to 8.0.5. | 2025-09-15 | 7.8 | CVE-2025-10491 | https://jira.mongodb.org/browse/SERVER-51366 |
| Campcodes--Grocery Sales and Inventory System | A flaw has been found in Campcodes Grocery Sales and Inventory System 1.0. This affects an unknown function of the file /ajax.php?action=save_product. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2025-09-16 | 7.3 | CVE-2025-10562 | VDB-324476 \| Campcodes Grocery Sales and Inventory System ajax.php sql injection VDB-324476 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646976 \| campcodes Grocery Sales and Inventory System V1.0 SQL Injection https://github.com/zzb1388/cve/issues/77 https://www.campcodes.com/ |
| Campcodes--Grocery Sales and Inventory System | A vulnerability has been found in Campcodes Grocery Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=save_category. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-09-16 | 7.3 | CVE-2025-10563 | VDB-324477 \| Campcodes Grocery Sales and Inventory System ajax.php sql injection VDB-324477 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646977 \| campcodes Grocery Sales and Inventory System V1.0 SQL injection https://github.com/zzb1388/cve/issues/76 https://www.campcodes.com/ |
| Campcodes--Grocery Sales and Inventory System | A vulnerability was found in Campcodes Grocery Sales and Inventory System 1.0. Affected is an unknown function of the file /ajax.php?action=delete_category. Performing manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2025-09-16 | 7.3 | CVE-2025-10564 | VDB-324478 \| Campcodes Grocery Sales and Inventory System ajax.php sql injection VDB-324478 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646978 \| campcodes Grocery Sales and Inventory System V1.0 SQL injection https://github.com/zzb1388/cve/issues/75 https://www.campcodes.com/ |
| Campcodes--Grocery Sales and Inventory System | A vulnerability was determined in Campcodes Grocery Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_receiving. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2025-09-16 | 7.3 | CVE-2025-10565 | VDB-324479 \| Campcodes Grocery Sales and Inventory System ajax.php sql injection VDB-324479 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646981 \| campcodes Grocery Sales and Inventory System V1.0 SQL Injection https://github.com/zzb1388/cve/issues/74 https://www.campcodes.com/ |
| SourceCodester--Online Exam Form Submission | A vulnerability was found in SourceCodester Online Exam Form Submission 1.0. This affects an unknown part of the file /index.php. The manipulation of the argument usn results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-09-17 | 7.3 | CVE-2025-10596 | VDB-324613 \| SourceCodester Online Exam Form Submission index.php sql injection VDB-324613 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649315 \| SourceCodester Online Exam Form Submission 1.0 SQL Injection Hibernate https://github.com/qcycop0101-hash/CVE/issues/16 https://www.sourcecodester.com/ |
| kidaze--CourseSelectionSystem | A vulnerability was determined in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. This vulnerability affects unknown code of the file /Profilers/PriProfile/COUNT2.php. This manipulation of the argument cname causes sql injection. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2025-09-17 | 7.3 | CVE-2025-10597 | VDB-324614 \| kidaze CourseSelectionSystem COUNT2.php sql injection VDB-324614 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649316 \| github.com Course Selection System V1.0 SQL Injection https://github.com/shang-hh/shang/blob/main/sql.txt |
| SourceCodester--Pet Grooming Management Software | A vulnerability was identified in SourceCodester Pet Grooming Management Software 1.0. This issue affects some unknown processing of the file /admin/search_product.php. Such manipulation of the argument group_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-09-17 | 7.3 | CVE-2025-10598 | VDB-324615 \| SourceCodester Pet Grooming Management Software search_product.php sql injection VDB-324615 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649317 \| SourceCodester Pet grooming management 1.0 SQL Injection https://github.com/Jacob-z691/CVE/issues/3 https://www.sourcecodester.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A security flaw has been discovered in itsourcecode Web-Based Internet Laboratory Management System 1.0. Impacted is the function User::AuthenticateUser of the file login.php. Performing manipulation of the argument user_email results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-09-17 | 7.3 | CVE-2025-10599 | VDB-324616 \| itsourcecode Web-Based Internet Laboratory Management System login.php AuthenticateUser sql injection VDB-324616 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649501 \| itsourcecode Web-Based-Internet-Laboratory-Management-System 1 Time-Based Blind SQL Injection in login.php https://github.com/drew-byte/Web-Based-Internet-Laboratory-Management-System_SQLi-PoC/blob/main/README.md https://itsourcecode.com/ |
| SourceCodester--Online Exam Form Submission | A flaw has been found in SourceCodester Online Exam Form Submission 1.0. This impacts an unknown function of the file /register.php. This manipulation of the argument img causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-09-17 | 7.3 | CVE-2025-10600 | VDB-324620 \| SourceCodester Online Exam Form Submission register.php unrestricted upload VDB-324620 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649541 \| SourceCodester Online Exam Form Submission 1.0 Unrestricted Upload https://github.com/qcycop0101-hash/CVE/issues/18 https://www.sourcecodester.com/ |
| SourceCodester--Online Exam Form Submission | A vulnerability has been found in SourceCodester Online Exam Form Submission 1.0. Affected is an unknown function of the file /admin/index.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-09-17 | 7.3 | CVE-2025-10601 | VDB-324621 \| SourceCodester Online Exam Form Submission index.php sql injection VDB-324621 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649542 \| SourceCodester Online Exam Form Submission 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/19 https://www.sourcecodester.com/ |
| PHPGurukul--Online Discussion Forum | A vulnerability was determined in PHPGurukul Online Discussion Forum 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_forum/search_result.php. Executing manipulation of the argument Search can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-17 | 7.3 | CVE-2025-10603 | VDB-324623 \| PHPGurukul Online Discussion Forum search_result.php sql injection VDB-324623 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649867 \| PHPGurukul Online Discussion Forum Project V1.0 SQL injection https://github.com/maximdevere/cve/issues/1 https://phpgurukul.com/ |
| PHPGurukul--Online Discussion Forum | A vulnerability was identified in PHPGurukul Online Discussion Forum 1.0. This affects an unknown part of the file /admin/edit_member.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-09-17 | 7.3 | CVE-2025-10604 | VDB-324624 \| PHPGurukul Online Discussion Forum edit_member.php sql injection VDB-324624 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649868 \| PHPGurukul Online Discussion Forum Project V1.0 SQL injection https://github.com/maximdevere/cve/issues/2 https://phpgurukul.com/ |
| SourceCodester--Hotel Reservation System | A vulnerability was determined in SourceCodester Hotel Reservation System 1.0. The affected element is an unknown function of the file editroomimage.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-17 | 7.3 | CVE-2025-10621 | VDB-324650 \| SourceCodester Hotel Reservation System editroomimage.php sql injection VDB-324650 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #650218 \| SourceCodester Hotel Reservation System 1.0 SQL Injection https://github.com/aCas1o/cve_report/blob/main/report.md https://www.sourcecodester.com/ |
| SourceCodester--Hotel Reservation System | A vulnerability was identified in SourceCodester Hotel Reservation System 1.0. The impacted element is an unknown function of the file deleteuser.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-09-17 | 7.3 | CVE-2025-10623 | VDB-324651 \| SourceCodester Hotel Reservation System deleteuser.php sql injection VDB-324651 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #650221 \| SourceCodester Hotel Reservation System 1.0 SQL Injection https://github.com/aCas1o/cve_report02/blob/main/report.md https://www.sourcecodester.com/ |
| PHPGurukul--User Management System | A security flaw has been discovered in PHPGurukul User Management System 1.0. This affects an unknown function of the file /login.php. Performing manipulation of the argument emailid results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-09-17 | 7.3 | CVE-2025-10624 | VDB-324652 \| PHPGurukul User Management System login.php sql injection VDB-324652 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #650222 \| PHPGurukul User Management System V1.0 SQL Injection https://github.com/CSentinel/CVE/issues/3 https://phpgurukul.com/ |
| PHPGurukul--Online Course Registration | A vulnerability was found in PHPGurukul Online Course Registration 3.1. This affects an unknown function of the file /my-profile.php. Performing manipulation of the argument cgpa results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-09-18 | 7.3 | CVE-2025-10663 | VDB-324784 \| PHPGurukul Online Course Registration my-profile.php sql injection VDB-324784 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651914 \| PHPGurukul Online Course Registration V3.1 SQL Injection https://github.com/LitBot123/mycve/issues/8 https://phpgurukul.com/ |
| PHPGurukul--Small CRM | A vulnerability was determined in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /create-ticket.php. Executing manipulation of the argument subject can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-18 | 7.3 | CVE-2025-10664 | VDB-324785 \| PHPGurukul Small CRM create-ticket.php sql injection VDB-324785 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651933 \| PHPGurukul Small CRM V4.0 SQL Injection https://github.com/HF101010/myCVE/issues/1 https://phpgurukul.com/ |
| itsourcecode--Online Discussion Forum | A weakness has been identified in itsourcecode Online Discussion Forum 1.0. Affected by this issue is some unknown functionality of the file /members/compose_msg.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-09-18 | 7.3 | CVE-2025-10667 | VDB-324788 \| itsourcecode Online Discussion Forum compose_msg.php sql injection VDB-324788 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #652167 \| itsourcecode Online Discussion Forum Project V1.0 SQL Injection https://github.com/S77code/CVE1/issues/1 https://itsourcecode.com/ |
| itsourcecode--Online Discussion Forum | A security vulnerability has been detected in itsourcecode Online Discussion Forum 1.0. This affects an unknown part of the file /members/compose_msg_admin.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2025-09-18 | 7.3 | CVE-2025-10668 | VDB-324789 \| itsourcecode Online Discussion Forum compose_msg_admin.php sql injection VDB-324789 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #652176 \| itsourcecode Online Discussion Forum Project V1.0 SQL Injection https://github.com/S77code/CVE1/issues/3 https://itsourcecode.com/ |
| itsourcecode--E-Logbook with Health Monitoring System for COVID-19 | A flaw has been found in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. This issue affects some unknown processing of the file /check_profile.php. Executing manipulation of the argument profile_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-09-18 | 7.3 | CVE-2025-10670 | VDB-324791 \| itsourcecode E-Logbook with Health Monitoring System for COVID-19 check_profile.php sql injection VDB-324791 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #652396 \| itsourcecode E-Logbook with Health Monitoring System for COVID-19 V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/25 https://itsourcecode.com/ |
| whuan132--AIBattery | A vulnerability was found in whuan132 AIBattery up to 1.0.9. The affected element is an unknown function of the file AIBatteryHelper/XPC/BatteryXPCService.swift of the component com.collweb.AIBatteryHelper. The manipulation results in missing authentication. The attack requires a local approach. The exploit has been made public and could be used. | 2025-09-18 | 7.8 | CVE-2025-10672 | VDB-324793 \| whuan132 AIBattery com.collweb.AIBatteryHelper BatteryXPCService.swift missing authentication VDB-324793 \| CTI Indicators (IOB, IOC, IOA) Submit #653159 \| whuan132 AIBattery v1.0.9 Unauthenticated XPC to root helper exposes SMC power controls https://github.com/SwayZGl1tZyyy/n-days/blob/main/AIBattery-Charge-Limiter/README.md https://github.com/SwayZGl1tZyyy/n-days/blob/main/AIBattery-Charge-Limiter/README.md#proof-of-concept |
| itsourcecode--Student Information Management System | A vulnerability was determined in itsourcecode Student Information Management System 1.0. The impacted element is an unknown function of the file /admin/modules/class/index.php. This manipulation of the argument classId causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-18 | 7.3 | CVE-2025-10673 | VDB-324794 \| itsourcecode Student Information Management System index.php sql injection VDB-324794 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653191 \| itsourcecode Student Information Management System V1.0 SQL injection https://github.com/windhxy/CVE-my/issues/1 https://itsourcecode.com/ |
| SourceCodester--Responsive E-Learning System | A vulnerability was found in SourceCodester Responsive E-Learning System 1.0. This affects an unknown part of the file /admin/add_teacher.php. The manipulation of the argument Username results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-09-18 | 7.3 | CVE-2025-10687 | VDB-324811 \| SourceCodester Responsive E-Learning System add_teacher.php sql injection VDB-324811 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653365 \| SourceCodester elearning V1.0 SQL Injection https://github.com/kele28886/cve/issues/1 https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code of the file /admin/operation/paid.php. This manipulation of the argument inv_no/insta_amt causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-18 | 7.3 | CVE-2025-10688 | VDB-324812 \| SourceCodester Pet Grooming Management Software paid.php sql injection VDB-324812 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653437 \| SourceCodester Pet Grooming Management 1.0 SQL Injection https://github.com/K1nakoo/cve/blob/main/21/report.md https://www.sourcecodester.com/ |
| n/a--07FLYCMS | A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This issue affects some unknown processing of the file /index.php/Login/login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 7.3 | CVE-2025-10712 | VDB-325000 \| 07FLYCMS/07FLY-CMS/07FlyCRM login sql injection VDB-325000 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #644970 \| 07FLY Customer Management System V1.0 SQL Injection https://github.com/1276486/CVE/issues/13 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause an out-of-bounds write through a specially crafted input. A successful exploit of this vulnerability might lead to denial of service. | 2025-09-17 | 7.5 | CVE-2025-23328 | https://nvidia.custhelp.com/app/answers/detail/a_id/5691 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause memory corruption by identifying and accessing the shared memory region used by the Python backend. A successful exploit of this vulnerability might lead to denial of service. | 2025-09-17 | 7.5 | CVE-2025-23329 | https://nvidia.custhelp.com/app/answers/detail/a_id/5691 |
| NetApp--StorageGRID | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-on enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an unauthenticated attacker to change the password of any Grid Manager or Tenant Manager non-federated user. | 2025-09-19 | 7.5 | CVE-2025-26515 | https://security.netapp.com/advisory/NTAP-20250910-0002 |
| Gen Digital--CCleaner | Elevation of Privileges in the cleaning feature of Gen Digital CCleaner version 6.33.11465 on Windows allows a local user to gain SYSTEM privileges via exploiting insecure file delete operations. Reported in CCleaner v. 6.33.11465. This issue affects CCleaner versions before 6.36.11508. | 2025-09-15 | 7.3 | CVE-2025-3025 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| IBM--AIX | IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables. | 2025-09-16 | 7.4 | CVE-2025-36244 | https://www.ibm.com/support/pages/node/7245092 |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A broken access control vulnerability exists in HPE Aruba Networking EdgeConnect OS (ECOS). Successful exploitation could allow an attacker to bypass firewall protections, potentially leading to unauthorized traffic being handled improperly. | 2025-09-16 | 7.5 | CVE-2025-37125 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN Gateways Command Line Interface that allows remote authenticated users to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability will result in the ability to execute arbitrary commands as root on the underlying operating system. | 2025-09-16 | 7.2 | CVE-2025-37126 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerability in the cryptographic logic used by HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to gain shell access. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system, potentially leading to unauthorized access and control over the affected systems. | 2025-09-16 | 7.2 | CVE-2025-37127 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| VMware--Spring Security | The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 . | 2025-09-16 | 7.5 | CVE-2025-41248 | https://spring.io/security/cve-2025-41248 |
| VMware--Spring Framework | The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 . | 2025-09-16 | 7.5 | CVE-2025-41249 | https://spring.io/security/cve-2025-41249 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. | 2025-09-16 | 7.4 | CVE-2025-4953 | https://access.redhat.com/security/cve/CVE-2025-4953 RHBZ#2367235 |
| SmartVista Suite -- 2.2.22 | Cross Site Request Forgery (CSRF) vulnerability in Smartvista BackOffice SmartVista Suite 2.2.22 via crafted GET request. | 2025-09-18 | 7.8 | CVE-2025-50255 | https://gitlab.com/c2at3/cve-2025-50255/-/blob/main/Bypassing_CSRF_Protection_in_Smartvista-BackOffice.pdf |
| Sitecore--Sitecore Experience Manager (XM) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS). This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4. | 2025-09-21 | 7.1 | CVE-2025-53692 | https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003734 https://labs.watchtowr.com/disclosed-vulnerabilities/ https://chudypb.github.io/ |
| Cognex--In-Sight 2000 series | A local attacker with low privileges on the Windows system where the software is installed can exploit this vulnerability to corrupt sensitive data. A data folder is created with very weak privileges, allowing any user logged into the Windows system to modify its content. | 2025-09-18 | 7.7 | CVE-2025-53947 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.3 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-09-16 | 7.8 | CVE-2025-54262 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-81.html |
| Cognex--In-Sight 2000 series | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 that allows authenticated management operations on the device, such as firmware upgrades and device reboot. Improper handling of login failures in the service allows a denial-of-service attack that leaves the telnet service in an unreachable state. | 2025-09-18 | 7.7 | CVE-2025-54860 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06 |
| BMC--Control-M/Agent | Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server. | 2025-09-16 | 7.4 | CVE-2025-55112 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441966 |
| I-O DATA DEVICE, INC.--WN-7D36QR | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker. | 2025-09-17 | 7.2 | CVE-2025-58116 | https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm https://jvn.jp/en/vu/JVNVU97490987/ |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2025-09-18 | 7 | CVE-2025-59215 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2025-09-18 | 7 | CVE-2025-59216 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. | 2025-09-18 | 7 | CVE-2025-59220 | Windows Bluetooth Service Elevation of Privilege Vulnerability |
| aliasvault--aliasvault | AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows <link rel="icon" href="…">. Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. This issue has been fixed in AliasVault release 0.23.1. | 2025-09-19 | 7.7 | CVE-2025-59344 | https://github.com/aliasvault/aliasvault/security/advisories/GHSA-f253-f7xc-w7pj https://github.com/aliasvault/aliasvault/pull/1226 https://github.com/aliasvault/aliasvault/commit/58c39815e4c8bb27a311c3b592d54e157b4e6968 https://github.com/aliasvault/aliasvault/releases/tag/0.23.1 |
| Chaos Mesh--Chaos Controller Manager | The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | 2025-09-15 | 7.5 | CVE-2025-59358 | https://github.com/chaos-mesh/chaos-mesh/pull/4702 https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover |
| libexpat project--libexpat | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. | 2025-09-15 | 7.5 | CVE-2025-59375 | https://github.com/libexpat/libexpat/issues/1018 https://github.com/libexpat/libexpat/pull/1034 https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74 https://issues.oss-fuzz.com/issues/439133977 https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes |
| Kovah--LinkAce | LinkAce is a self-hosted archive to collect website links. Prior to 2.3.1, a Stored Cross-Site Scripting (XSS) vulnerability has been identified on the /system/audit page. The application fails to properly sanitize the username field before it is rendered in the audit log. An authenticated attacker can set a malicious JavaScript payload as their username. When an action performed by this user is recorded (e.g., generate or revoke an API token), the payload is stored in the database. The script is then executed in the browser of any user, particularly administrators, who views the /system/audit page. This vulnerability is fixed in 2.3.1. | 2025-09-18 | 7.3 | CVE-2025-59424 | https://github.com/Kovah/LinkAce/security/advisories/GHSA-289g-9gff-p4wh https://github.com/Kovah/LinkAce/commit/c0d21b974b32f1ca2fab550fb476c573a068e196 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07.2, missing Git URL validation allowed credential leakage on Windows. | 2025-09-17 | 7.7 | CVE-2025-59457 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| zephyrproject-rtos--Zephyr | Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. | 2025-09-19 | 7.6 | CVE-2025-7403 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9r46-cqqw-6j2j |
| Dokuzsoft Technology--E-Commerce Web Design Product | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology E-Commerce Web Design Product allows XSS Through HTTP Headers. This issue affects E-Commerce Web Design Product: before 11.08.2025. | 2025-09-17 | 7.1 | CVE-2025-8411 | https://www.usom.gov.tr/bildirim/tr-25-0267 |
| Autodesk--Revit | A maliciously crafted PDF file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-09-16 | 7.8 | CVE-2025-8893 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0018 |
| Autodesk--Revit | A maliciously crafted PDF file, when parsed through certain Autodesk products, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-09-16 | 7.8 | CVE-2025-8894 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0018 |
| Mattermost--Mattermost | Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user's cookies to an attacker-controlled URL. | 2025-09-15 | 7.6 | CVE-2025-9072 | https://mattermost.com/security-updates |
| Dassault Systèmes--SOLIDWORKS eDrawings | An Out-Of-Bounds Read vulnerability affecting the PAR file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 could allow an attacker to execute arbitrary code while opening a specially crafted PAR file. | 2025-09-17 | 7.8 | CVE-2025-9447 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-9447 |
| Dassault Systèmes--SOLIDWORKS eDrawings | A Use After Free vulnerability affecting the PAR file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 could allow an attacker to execute arbitrary code while opening a specially crafted PAR file. | 2025-09-17 | 7.8 | CVE-2025-9449 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-9449 |
| Dassault Systèmes--SOLIDWORKS eDrawings | A Use of Uninitialized Variable vulnerability affecting the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 could allow an attacker to execute arbitrary code while opening a specially crafted JT file. | 2025-09-17 | 7.8 | CVE-2025-9450 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-9450 |
| Vizly Web Design--Real Estate Packages | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vizly Web Design Real Estate Packages allows Content Spoofing, CAPEC - 593 - Session Hijacking, CAPEC - 591 - Reflected XSS. This issue affects Real Estate Packages: before 5.1. | 2025-09-19 | 7.1 | CVE-2025-9969 | https://www.usom.gov.tr/bildirim/tr-25-0278 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| eskapism--Developer Loggers for Simple History | The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2025-09-17 | 6.6 | CVE-2025-10050 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ea3a9e-2a9a-4628-8ea1-e18e756f915f?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3361543%40developer-loggers-for-simple-history&new=3361543%40developer-loggers-for-simple-history&sfp_email=&sfph_mail= |
| strangerstudios--Memberlite Shortcodes | The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-17 | 6.4 | CVE-2025-10125 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb7316e-8b55-4e7a-9309-8a9e84f22c90?source=cve https://plugins.trac.wordpress.org/browser/memberlite-shortcodes/tags/1.4/shortcodes/columns.php#L12 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3359252%40memberlite-shortcodes&new=3359252%40memberlite-shortcodes&sfp_email=&sfph_mail= |
| codename065--Download Manager | The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'user_ids' parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-09-19 | 6.1 | CVE-2025-10146 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b1adb414-8945-4e11-8770-dab3285d608e?source=cve https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.23/src/Admin/views/stats/history.php#L225 |
| tw2113--Social Media Shortcodes | The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twitter' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-17 | 6.4 | CVE-2025-10166 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d96465a-d1b6-4991-8e81-e80a0d15a902?source=cve https://plugins.trac.wordpress.org/browser/social-media-shortcodes/trunk/social_media_shortcode_plugin.php#L187 https://wordpress.org/plugins/social-media-shortcodes https://plugins.trac.wordpress.org/changeset/3359485/ |
| dartiss--Draft List | The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-20 | 6.4 | CVE-2025-10181 | https://www.wordfence.com/threat-intel/vulnerabilities/id/12a750c6-85b6-48fc-b006-adf0121610dc?source=cve https://github.com/dartiss/draft-list/blob/master/inc/create-lists.php https://wordpress.org/plugins/simple-draft-list/ https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6/inc/create-lists.php#L339 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363488%40simple-draft-list&new=3363488%40simple-draft-list&sfp_email=&sfph_mail= |
| SourceCodester--Student Grading System | A weakness has been identified in SourceCodester Student Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_students.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-15 | 6.3 | CVE-2025-10418 | VDB-323852 \| SourceCodester Student Grading System view_students.php sql injection VDB-323852 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646917 \| SourceCodester Student Grading System using PHP/MySQL 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/6 https://www.sourcecodester.com/ |
| SourceCodester--Student Grading System | A security vulnerability has been detected in SourceCodester Student Grading System 1.0. Affected by this issue is some unknown functionality of the file /del_promote.php. Such manipulation of the argument sy leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-09-15 | 6.3 | CVE-2025-10419 | VDB-323853 \| SourceCodester Student Grading System del_promote.php sql injection VDB-323853 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646921 \| SourceCodester Student Grading System using PHP/MySQL 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/7 https://www.sourcecodester.com/ |
| SourceCodester--Student Grading System | A vulnerability was detected in SourceCodester Student Grading System 1.0. This affects an unknown part of the file /form137.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-09-15 | 6.3 | CVE-2025-10420 | VDB-323854 \| SourceCodester Student Grading System form137.php sql injection VDB-323854 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646927 \| SourceCodester Student Grading System using PHP/MySQL 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/8 https://www.sourcecodester.com/ |
| SourceCodester--Student Grading System | A flaw has been found in SourceCodester Student Grading System 1.0. This vulnerability affects unknown code of the file /update_account.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-09-15 | 6.3 | CVE-2025-10421 | VDB-323855 \| SourceCodester Student Grading System update_account.php sql injection VDB-323855 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646952 \| SourceCodester Student Grading System using PHP/MySQL 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/9 https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. This impacts an unknown function of the file /admin/operation/user.php. Executing manipulation of the argument website_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-09-15 | 6.3 | CVE-2025-10427 | VDB-323861 \| SourceCodester Pet Grooming Management Software user.php unrestricted upload VDB-323861 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647463 \| sourcecodester Pet grooming management software August 30, 2025 Unrestricted Upload https://github.com/joinia/webray.com.cn/blob/main/Pet-grooming-management-software/petgrooming-upload-user.md https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. Affected is an unknown function of the file /admin/seo_setting.php of the component Setting Handler. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-09-15 | 6.3 | CVE-2025-10428 | VDB-323862 \| SourceCodester Pet Grooming Management Software Setting seo_setting.php unrestricted upload VDB-323862 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647464 \| sourcecodester Pet grooming management software August 30, 2025 Unrestricted Upload https://github.com/joinia/webray.com.cn/blob/main/Pet-grooming-management-software/petgrooming-upload-seosetting.md https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_product.php. The manipulation of the argument drop_services results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. | 2025-09-15 | 6.3 | CVE-2025-10429 | VDB-323863 \| SourceCodester Pet Grooming Management Software ajax_product.php sql injection VDB-323863 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647470 \| sourcecodester Pet grooming management software August 30, 2025 SQL Injection https://github.com/joinia/webray.com.cn/blob/main/Pet-grooming-management-software/petgrooming-sql-ajaxpro.md https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A flaw has been found in SourceCodester Pet Grooming Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/barcode.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-09-15 | 6.3 | CVE-2025-10430 | VDB-323864 \| SourceCodester Pet Grooming Management Software barcode.php sql injection VDB-323864 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647488 \| sourcecodester Pet grooming management software August 30, 2025 SQL Injection Submit #647622 \| SourceCodester Pet grooming management V1.0 SQL Injection (Duplicate) https://github.com/joinia/webray.com.cn/blob/main/Pet-grooming-management-software/petgrooming-sql-barcode.md https://www.sourcecodester.com/ |
| SourceCodester--Pet Grooming Management Software | A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. This affects an unknown part of the file /admin/ajax_represent.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-09-15 | 6.3 | CVE-2025-10431 | VDB-323865 \| SourceCodester Pet Grooming Management Software ajax_represent.php sql injection VDB-323865 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647493 \| sourcecodester Pet grooming management software August 30, 2025 SQL Injection https://github.com/joinia/webray.com.cn/blob/main/Pet-grooming-management-software/petgrooming-sql-ajaxrepresent.md https://www.sourcecodester.com/ |
| 1Panel-dev--MaxKB | A vulnerability was determined in 1Panel-dev MaxKB up to 2.0.2/2.1.0. This issue affects some unknown processing of the file /admin/api/workspace/default/tool/debug. Executing manipulation of the argument code can lead to deserialization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.1 is capable of addressing this issue. It is suggested to upgrade the affected component. | 2025-09-15 | 6.3 | CVE-2025-10433 | VDB-323867 \| 1Panel-dev MaxKB debug deserialization VDB-323867 \| CTI Indicators (IOB, IOC, IOA) Submit #647589 \| 1Panel-dev MaxKB 2.0.2, 2.1.0 Deserialization https://zealous-brand-b4a.notion.site/MaxKB-2-1-0-tool-debug-RCE-2647244a828c80e7850dc6503061b88b https://github.com/1Panel-dev/MaxKB/releases/tag/v2.1.1 |
| D-Link--DI-8100 | A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-09-15 | 6.3 | CVE-2025-10440 | VDB-323874 \| D-Link DI-8100/DI-8100G/DI-8200/DI-8200G/DI-8003/DI-8003G jhttpd usb_paswd.asp sub_4621DC os command injection VDB-323874 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647835 \| D-Link D-Link DI-8100、DI-8100G、DI-8200、DI-8200G、DI-8003、DI-8003G DI_8100-16.07.26A1 DI_8100G-17.12.20A1 DI_8200-16.07.26A1 DI_8200G-17.12.20A1 DI_8003-16.07.26A1 DI_8003G-19.12.10A1 OS Command Injection https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_1.md#exp https://www.dlink.com/ |
| D-Link--DI-8100G | A vulnerability was found in D-Link DI-8100G, DI-8200G and DI-8003G 17.12.20A1/19.12.10A1. Affected by this issue is the function sub_433F7C of the file version_upgrade.asp of the component jhttpd. The manipulation of the argument path results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-09-15 | 6.3 | CVE-2025-10441 | VDB-323875 \| D-Link DI-8100G/DI-8200G/DI-8003G jhttpd version_upgrade.asp sub_433F7C os command injection VDB-323875 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647837 \| D-Link D-Link DI-8100G、DI-8200G、DI-8003G DI_8100G-17.12.20A1 DI_8200G-17.12.20A1 DI_8003G-19.12.10A1 OS Command Injection https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_2.md https://github.com/2664521593/mycve/blob/main/D-Link/D-Link_CJ_2.md#poc https://www.dlink.com/ |
| Tenda--AC9 | A vulnerability was determined in Tenda AC9 and AC15 15.03.05.14. This affects the function formexeCommand of the file /goform/exeCommand. This manipulation of the argument cmdinput causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-09-15 | 6.3 | CVE-2025-10442 | VDB-323876 \| Tenda AC9/AC15 exeCommand formexeCommand os command injection VDB-323876 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647838 \| Tenda Tenda AC9 V1.0BR_V15.03.05.14 OS Command Injection Submit #647839 \| Tenda Tenda AC15 V1.0BR_V15.03.05.18 OS Command Injection (Duplicate) https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC9_CJ.md https://github.com/2664521593/mycve/blob/main/Tenda/Tenda_AC9_CJ.md#poc https://www.tenda.com.cn/ |
| n/a--ZKEACMS | A vulnerability was detected in ZKEACMS 4.3. Impacted is the function Proxy of the file src/ZKEACMS/Controllers/MediaController.cs. Performing manipulation of the argument url results in server-side request forgery. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-09-15 | 6.3 | CVE-2025-10471 | VDB-323890 \| ZKEACMS MediaController.cs Proxy server-side request forgery VDB-323890 \| CTI Indicators (IOB, IOC, IOA) Submit #648387 \| SeriaWei ZKEACMS v4.3 Non-blind SSRF https://github.com/August829/Yu/blob/main/58ead8e7e08bfb022.md https://github.com/August829/Yu/blob/main/58ead8e7e08bfb022.md#poc |
| yangzongzhuan--RuoYi | A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This impacts the function filterKeyword of the file /com/ruoyi/common/utils/sql/SqlUtil.java of the component Blacklist Handler. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-09-15 | 6.3 | CVE-2025-10473 | VDB-323905 \| yangzongzhuan RuoYi Blacklist SqlUtil.java filterKeyword sql injection VDB-323905 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648475 \| yangzongzhuan RuoYi ≤4.8.1 sqli injection https://github.com/mo957/vuln/blob/main/ruoyi_sqlinject/ruoyi_sqlinject.md |
| kidaze--CourseSelectionSystem | A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The affected element is an unknown function of the file /Profilers/PriProfile/eligibility.php. Such manipulation of the argument Branch leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. | 2025-09-15 | 6.3 | CVE-2025-10477 | VDB-323913 | kidaze CourseSelectionSystem eligibility.php sql injection VDB-323913 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #648516 | github.com Course Selection System V1.0 SQL Injection https://github.com/Miker132/CVE-/issues/6 |
| SourceCodester--Online Student File Management System | A weakness has been identified in SourceCodester Online Student File Management System 1.0. This affects an unknown function of the file /save_file.php. Executing manipulation can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-09-15 | 6.3 | CVE-2025-10480 | VDB-323915 | SourceCodester Online Student File Management System save_file.php unrestricted upload VDB-323915 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #648541 | SourceCodester Online Student File Management System 1.0 Unrestricted Upload https://github.com/ganzhi-qcy/cve/issues/26 https://www.sourcecodester.com/ |
| SourceCodester--Online Student File Management System | A security vulnerability has been detected in SourceCodester Online Student File Management System 1.0. This impacts an unknown function of the file /remove_file.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-09-15 | 6.3 | CVE-2025-10481 | VDB-323916 | SourceCodester Online Student File Management System remove_file.php sql injection VDB-323916 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #648542 | SourceCodester Online Student File Management System 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/10 https://www.sourcecodester.com/ |
| SourceCodester--Online Student File Management System | A flaw has been found in SourceCodester Online Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/save_user.php. This manipulation of the argument firstname causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Other parameters might be affected as well. | 2025-09-15 | 6.3 | CVE-2025-10483 | VDB-323918 | SourceCodester Online Student File Management System save_user.php sql injection VDB-323918 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #648597 | SourceCodester Online Student File Management System 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/12 https://www.sourcecodester.com/ |
| itsourcecode--Online Public Access Catalog OPAC | A security vulnerability has been detected in itsourcecode Online Public Access Catalog OPAC 1.0. This impacts an unknown function of the file mysearch.php of the component POST Parameter Handler. Such manipulation of the argument search_field/search_text leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2025-09-17 | 6.3 | CVE-2025-10592 | VDB-324609 | itsourcecode Online Public Access Catalog OPAC POST Parameter mysearch.php sql injection VDB-324609 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #648959 | itsourcecode Online Public Access Catalog (OPAC) 1 SQL Injection https://github.com/drew-byte/Online-Public-Access-Catalog-OPAC-SQLi-PoC/blob/main/README.md https://itsourcecode.com/ |
| SourceCodester--Online Student File Management System | A vulnerability was detected in SourceCodester Online Student File Management System 1.0. Affected is an unknown function of the file /admin/update_student.php. Performing manipulation of the argument stud_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-09-17 | 6.3 | CVE-2025-10593 | VDB-324610 | SourceCodester Online Student File Management System update_student.php sql injection VDB-324610 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649223 | SourceCodester Online Student File Management System 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/13 https://www.sourcecodester.com/ |
| SourceCodester--Online Student File Management System | A flaw has been found in SourceCodester Online Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/delete_student.php. Executing manipulation of the argument stud_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-09-17 | 6.3 | CVE-2025-10594 | VDB-324611 | SourceCodester Online Student File Management System delete_student.php sql injection VDB-324611 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649224 | SourceCodester Online Student File Management System 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/14 https://www.sourcecodester.com/ |
| SourceCodester--Online Student File Management System | A vulnerability has been found in SourceCodester Online Student File Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/delete_user.php. The manipulation of the argument user_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-09-17 | 6.3 | CVE-2025-10595 | VDB-324612 | SourceCodester Online Student File Management System delete_user.php sql injection VDB-324612 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649232 | SourceCodester Online Student File Management System 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/15 https://www.sourcecodester.com/ |
| SourceCodester--Online Exam Form Submission | A vulnerability was found in SourceCodester Online Exam Form Submission 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/delete_s1.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-09-17 | 6.3 | CVE-2025-10602 | VDB-324622 | SourceCodester Online Exam Form Submission delete_s1.php sql injection VDB-324622 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649543 | SourceCodester Online Exam Form Submission 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/20 https://www.sourcecodester.com/ |
| Portabilis--i-Educar | A vulnerability was detected in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /enrollment-history/. Performing manipulation results in improper access controls. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-09-17 | 6.3 | CVE-2025-10608 | VDB-324628 | Portabilis i-Educar enrollment-history access control VDB-324628 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649876 | Portabilis i-educar 2.10 Broken Access Control https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10608.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Access%20Control%20Vulnerability%20%20in%20%60.enrollment-history.(ID)%60%20Endpoint.md |
| itsourcecode--Student Information System | A vulnerability has been found in itsourcecode Student Information System 1.0. The affected element is an unknown function of the file /leveledit1.php. Such manipulation of the argument level_id leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2025-09-17 | 6.3 | CVE-2025-10613 | VDB-324639 | itsourcecode Student Information System leveledit1.php sql injection VDB-324639 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649898 | itsourcecode Student Information System V1.0 SQL Injection https://github.com/jianx0i/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--E-Commerce Website | A vulnerability was identified in itsourcecode E-Commerce Website 1.0. This impacts an unknown function of the file /admin/products.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-09-17 | 6.3 | CVE-2025-10615 | VDB-324642 | itsourcecode E-Commerce Website products.php unrestricted upload VDB-324642 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649911 | itsourcecode E-Commerce Website V1.0 Unrestricted Upload https://github.com/yihaofuweng/cve/issues/23 https://itsourcecode.com/ |
| itsourcecode--E-Commerce Website | A security flaw has been discovered in itsourcecode E-Commerce Website 1.0. Affected is an unknown function of the file /admin/users.php. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-09-17 | 6.3 | CVE-2025-10616 | VDB-324643 | itsourcecode E-Commerce Website users.php unrestricted upload VDB-324643 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649912 | itsourcecode E-Commerce Website V1.0 V1.0 upload https://github.com/yihaofuweng/cve/issues/24 https://itsourcecode.com/ |
| SourceCodester--Online Polling System | A weakness has been identified in SourceCodester Online Polling System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/positions.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-17 | 6.3 | CVE-2025-10617 | VDB-324644 | SourceCodester Online Polling System positions.php sql injection VDB-324644 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #649948 | SOU Online Polling System Code 1.0 SQL Injection Submit #649958 | SourceCodester Online Polling System Code 1.0 SQL Injection (Duplicate) https://github.com/ganzhi-qcy/cve/issues/23 https://github.com/ganzhi-qcy/cve/issues/27 https://www.sourcecodester.com/ |
| itsourcecode--Online Clinic Management System | A security vulnerability has been detected in itsourcecode Online Clinic Management System 1.0. Affected by this issue is some unknown functionality of the file transact.php. Such manipulation of the argument firstname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Other parameters might be affected as well. | 2025-09-17 | 6.3 | CVE-2025-10618 | VDB-324645 | itsourcecode Online Clinic Management System transact.php sql injection VDB-324645 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650177 | itsourcecode Online Clinic Management System 1 Time-Based Blind SQL Injection in transact.php https://github.com/drew-byte/Online-Clinic-Management-System_TimeBasedSQLi_PoC/blob/main/README.md https://itsourcecode.com/ |
| sequa-ai--sequa-mcp | A vulnerability was detected in sequa-ai sequa-mcp up to 1.0.13. This affects the function redirectToAuthorization of the file src/helpers/node-oauth-client-provider.ts of the component OAuth Server Discovery. Performing manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 1.0.14 is able to mitigate this issue. The patch is named e569815854166db5f71c2e722408f8957fb9e804. It is recommended to upgrade the affected component. The vendor explains: "We only promote that mcp server with our own URLs that have a valid response, but yes if someone would use it with a non sequa url, this is a valid attack vector. We have released a new version (1.0.14) that fixes this and validates that only URLs can be opened." | 2025-09-17 | 6.3 | CVE-2025-10619 | VDB-324646 | sequa-ai sequa-mcp OAuth Server Discovery node-oauth-client-provider.ts redirectToAuthorization os command injection VDB-324646 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650189 | Github https://github.com/sequa-ai/sequa-mcp 0.0.1 OS Command Injection https://lavender-bicycle-a5a.notion.site/Sequa-MCP-RCE-26853a41781f807da1c0cd158f9e3e1a?source=copy_link https://github.com/sequa-ai/sequa-mcp/commit/e569815854166db5f71c2e722408f8957fb9e804 |
| itsourcecode--Online Clinic Management System | A flaw has been found in itsourcecode Online Clinic Management System 1.0. This vulnerability affects unknown code of the file /editp2.php. Executing manipulation of the argument id/firstname/lastname/type/age/address can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-09-17 | 6.3 | CVE-2025-10620 | VDB-324647 | itsourcecode Online Clinic Management System editp2.php sql injection VDB-324647 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650193 | itsourcecode Online Clinic Management System 1 Time-Based Blind SQL Injection in editp2.php https://github.com/drew-byte/OnlineClinicManagementSystem_TimeBasedSQLi_PoC/blob/main/README.md https://itsourcecode.com/ |
| SourceCodester--Online Exam Form Submission | A vulnerability was detected in SourceCodester Online Exam Form Submission 1.0. Affected by this vulnerability is an unknown functionality of the file /user/dashboard.php?page=update_profile. The manipulation of the argument phone results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. Other parameters might be affected as well. | 2025-09-17 | 6.3 | CVE-2025-10625 | VDB-324655 | SourceCodester Online Exam Form Submission dashboard.php sql injection VDB-324655 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650444 | SourceCodester Online Exam Form Submission 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/24 https://www.sourcecodester.com/ |
| SourceCodester--Online Exam Form Submission | A flaw has been found in SourceCodester Online Exam Form Submission 1.0. Affected by this issue is some unknown functionality of the file /admin/update_s3.php. This manipulation of the argument credits causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2025-09-17 | 6.3 | CVE-2025-10626 | VDB-324656 | SourceCodester Online Exam Form Submission update_s3.php sql injection VDB-324656 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650449 | SourceCodester Online Exam Form Submission 1.0 SQL Injection https://github.com/qcycop0101-hash/CVE/issues/25 https://www.sourcecodester.com/ |
| SourceCodester--Online Exam Form Submission | A vulnerability has been found in SourceCodester Online Exam Form Submission 1.0. This affects an unknown part of the file /admin/delete_user.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-09-17 | 6.3 | CVE-2025-10627 | VDB-324657 | SourceCodester Online Exam Form Submission delete_user.php sql injection VDB-324657 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650542 | SourceCodester Online Exam Form Submission in PHP/MySQL with Full Source Code (2020) V1.0 /admin/delete_user.php SQL injection #1 V1.0 SQL Injection https://github.com/bdrfly/cve-/issues/1 https://www.sourcecodester.com/ |
| D-Link--DIR-852 | A vulnerability was found in D-Link DIR-852 1.00CN B09. This vulnerability affects unknown code of the file /htdocs/cgibin/hedwig.cgi of the component Web Management Interface. Performing manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-09-18 | 6.3 | CVE-2025-10628 | VDB-324658 | D-Link DIR-852 Web Management hedwig.cgi command injection VDB-324658 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650656 | D-Link DIR-852 1.00CN B09 Command Injection https://github.com/i-Corner/cve/issues/31 https://www.dlink.com/ |
| D-Link--DIR-852 | A vulnerability was determined in D-Link DIR-852 1.00CN B09. This issue affects the function ssdpcgi_main of the file htodcs/cgibin of the component Simple Service Discovery Protocol Service. Executing manipulation of the argument ST can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-09-18 | 6.3 | CVE-2025-10629 | VDB-324659 | D-Link DIR-852 Simple Service Discovery Protocol Service cgibin ssdpcgi_main command injection VDB-324659 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650660 | D-Link DIR-852 1.00CN B09 Command Injection https://github.com/i-Corner/cve/issues/30 https://www.dlink.com/ |
| D-Link--DIR-823X | A weakness has been identified in D-Link DIR-823X 240126/240802/250416. The impacted element is the function sub_412E7C of the file /usr/sbin/goahead of the component Environment Variable Handler. This manipulation of the argument terminal_addr/server_ip/server_port causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-09-18 | 6.3 | CVE-2025-10634 | VDB-324662 | D-Link DIR-823X Environment Variable goahead sub_412E7C command injection VDB-324662 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #650792 | D-Link DIR-823X DIR-823x 250416, 240802, 240126 Command Injection https://github.com/Cpppq43/D-Link/blob/main/DIink-DIR-823x.md https://pan.baidu.com/s/1dWnXEa58P0KHw53L9U_PoQ https://www.dlink.com/ |
| robcore89--Robcore Netatmo | The Robcore Netatmo plugin for WordPress is vulnerable to SQL Injection via the 'module_id' attribute of the robcore-netatmo shortcode in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-09-20 | 6.5 | CVE-2025-10652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd383f1-0546-4ff2-9f93-ee9d48ac3053?source=cve https://plugins.trac.wordpress.org/browser/robcore-netatmo/tags/1.7/robcore-netatmo.php#L80 https://plugins.trac.wordpress.org/browser/robcore-netatmo/tags/1.7/inc/class_robcore_netatmo.php#L3 |
| psmplugins--SupportCandy Helpdesk & Customer Support Ticket System | The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code. | 2025-09-20 | 6.5 | CVE-2025-10658 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b11670a-f6e4-4555-ab76-4223f0194517?source=cve https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.3.7/includes/class-wpsc-current-user.php#L820 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.3.7/includes/models/class-wpsc-email-otp.php#L348 https://plugins.trac.wordpress.org/changeset/3364335/ |
| kidaze--CourseSelectionSystem | A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Affected is an unknown function of the file /Profilers/PProfile/COUNT3s3.php. The manipulation of the argument csem leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2025-09-18 | 6.3 | CVE-2025-10665 | VDB-324786 | kidaze CourseSelectionSystem COUNT3s3.php sql injection VDB-324786 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #651941 | github.com Course Selection System V1.0 SQL Injection https://github.com/qi-wm/cve/issues/1 |
| n/a--Airsonic-Advanced | A vulnerability was detected in Airsonic-Advanced up to 10.6.0. This vulnerability affects unknown code of the component Playlist Upload Handler. Performing manipulation results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-09-18 | 6.3 | CVE-2025-10669 | VDB-324790 | Airsonic-Advanced Playlist Upload unrestricted upload VDB-324790 | CTI Indicators (IOB, IOC, TTP) Submit #652356 | GitHub Airsonic-Advanced 10.6.0 OS Command Injection https://github.com/mikecole-mg/security_findings/blob/main/airsonic-advanced/airsonic-rce.md |
| D-Link--DIR-645 | A vulnerability was identified in D-Link DIR-645 105B01. This issue affects the function soapcgi_main of the file /soap.cgi. Such manipulation of the argument service leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-09-18 | 6.3 | CVE-2025-10689 | VDB-324813 | D-Link DIR-645 soap.cgi soapcgi_main command injection VDB-324813 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #653689 | D-Link DIR-645 DIR645A1_FW105B01 Command Injection https://github.com/scanleale/IOT_sec/blob/main/DIR-645-soapcgi.pdf https://www.dlink.com/ |
| n/a--JeecgBoot | A weakness has been identified in JeecgBoot up to 3.8.2. Affected is an unknown function of the file /message/sysMessageTemplate/sendMsg. Executing manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 6.3 | CVE-2025-10707 | VDB-324995 | JeecgBoot sendMsg improper authorization VDB-324995 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #644659 | jeecgboot JeecgBoot latest broken function level authorization https://www.cnblogs.com/aibot/p/19063346 |
| Selleo--Mentingo | A security vulnerability has been detected in Selleo Mentingo up to 2025.08.27. The affected element is an unknown function of the component Profile Picture Handler. The manipulation of the argument userAvatar leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-20 | 6.3 | CVE-2025-10741 | VDB-325068 | Selleo Mentingo Profile Picture unrestricted upload VDB-325068 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #645385 | Selleo Labs Sp. z o.o. Mentingo learn-v2025.08.27 Unrestricted Upload https://gist.github.com/KhanMarshaI/ba3e74b331ce4ab602a5a22a59aaf819 https://gist.github.com/KhanMarshaI/7a2e74fcb194f7d6ee7e60da4a14af7b |
| Selleo--Mentingo | A vulnerability was detected in Selleo Mentingo 2025.08.27. The impacted element is an unknown function of the component Content-Type Handler. The manipulation of the argument userAvatar results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-20 | 6.3 | CVE-2025-10755 | VDB-325069 | Selleo Mentingo Content-Type unrestricted upload VDB-325069 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #645419 | Selleo Labs Sp. z o.o. Mentingo learn-v2025.08.27 File Upload Restriction Bypass https://gist.github.com/KhanMarshaI/7a2e74fcb194f7d6ee7e60da4a14af7b |
| n/a--Harness | A flaw has been found in Harness 3.3.0. This impacts the function LookupRepo of the file app/api/controller/gitspace/lookup_repo.go. Executing manipulation of the argument url can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 6.3 | CVE-2025-10760 | VDB-325115 | Harness lookup_repo.go LookupRepo server-side request forgery VDB-325115 | CTI Indicators (IOB, IOC, IOA) Submit #646843 | Harness harness v3.3.0 SSRF https://github.com/August829/Yu/blob/main/58ead8e7e08bfb019.md https://github.com/August829/Yu/blob/main/58ead8e7e08bfb019.md#poc |
| kuaifan--DooTask | A vulnerability was found in kuaifan DooTask up to 1.2.49. Affected by this vulnerability is an unknown functionality of the file app/Http/Controllers/Api/UsersController.php. The manipulation of the argument keys[department] results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-09-21 | 6.3 | CVE-2025-10762 | VDB-325117 | kuaifan DooTask UsersController.php sql injection VDB-325117 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #646886 | kuaifan DooTask <= 1.2.49 SQL Injection https://github.com/kuaifan/dootask/issues/283 https://github.com/kuaifan/dootask/issues/283#issue-3379188930 |
| academico-sis--academico | A vulnerability was determined in academico-sis academico up to d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab. Affected by this issue is some unknown functionality of the file /edit-photo of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 6.3 | CVE-2025-10763 | VDB-325118 | academico-sis academico Profile Picture edit-photo unrestricted upload VDB-325118 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #646915 | academico-sis academico OSS Current Unrestricted File Upload to RCE https://gist.github.com/KhanMarshaI/86d0c1553355bb168084fffbdb6e7fea |
| SeriaWei--ZKEACMS | A vulnerability was identified in SeriaWei ZKEACMS up to 4.3. This affects the function Edit of the file src/ZKEACMS.EventAction/Controllers/PendingTaskController.cs of the component Event Action System. Such manipulation of the argument Data leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 6.3 | CVE-2025-10764 | VDB-325119 | SeriaWei ZKEACMS Event Action System PendingTaskController.cs Edit server-side request forgery VDB-325119 | CTI Indicators (IOB, IOC, IOA) Submit #647629 | SeriaWei ZKEACMS v4.3 SSRF https://github.com/August829/Yu/blob/main/58ead8e7e08bfb021.md |
| h2oai--h2o-3 | A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connection_url causes deserialization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 6.3 | CVE-2025-10768 | VDB-325124 | h2oai h2o-3 IBMDB2 JDBC Driver ImportSQLTable deserialization VDB-325124 | CTI Indicators (IOB, IOC, IOA) Submit #649508 | h2oai h2o-3 <=v3.46.08 Deserialization https://github.com/ez-lbz/poc/issues/50 https://github.com/ez-lbz/poc/issues/50#issue-3389830879 |
| h2oai--h2o-3 | A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connection_url leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 6.3 | CVE-2025-10769 | VDB-325125 | h2oai h2o-3 H2 JDBC Driver ImportSQLTable deserialization VDB-325125 | CTI Indicators (IOB, IOC, IOA) Submit #649728 | h2oai h2o-3 <=v3.46.08 Deserialization Submit #649793 | h2oai h2o-3 3.46.0.7 Deserialization (Duplicate) https://github.com/ez-lbz/poc/issues/51 https://github.com/ez-lbz/poc/issues/51#issue-3391023368 https://huntr.com/bounties/4066ce21-7148-44f5-8336-b1674c2f588d |
| jeecgboot--JimuReport | A vulnerability was found in jeecgboot JimuReport up to 2.1.2. This impacts an unknown function of the file /drag/onlDragDataSource/testConnection of the component MySQL JDBC Handler. Performing manipulation results in deserialization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-09-21 | 6.3 | CVE-2025-10770 | VDB-325126 | jeecgboot JimuReport MySQL JDBC testConnection deserialization VDB-325126 | CTI Indicators (IOB, IOC, IOA) Submit #649755 | jeecgboot jimureport ≤ v2.1.2 Deserialization https://github.com/jeecgboot/jimureport/issues/4116 https://github.com/jeecgboot/jimureport/issues/4116#issue-3391107887 |
| jeecgboot--JimuReport | A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Affected is an unknown function of the file /drag/onlDragDataSource/testConnection of the component DB2 JDBC Handler. Executing manipulation of the argument clientRerouteServerListJNDIName can lead to deserialization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-21 | 6.3 | CVE-2025-10771 | VDB-325127 | jeecgboot JimuReport DB2 JDBC testConnection deserialization VDB-325127 | CTI Indicators (IOB, IOC, IOA) Submit #649778 | jeecgboot jimureport ≤ v2.1.2 Deserialization https://github.com/jeecgboot/jimureport/issues/4117 https://github.com/jeecgboot/jimureport/issues/4117#issue-3391268438 |
| huggingface--LeRobot | A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can only be initiated within the local network. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 6.3 | CVE-2025-10772 | VDB-325128 | huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication VDB-325128 | CTI Indicators (IOB, IOC, IOA) Submit #649798 | huggingface lerobot <0.3.3 Execution with Unnecessary Privileges |
| NVIDIA--HGX GB200, HGX GB300, HGC B300 | NVIDIA HGX & DGX GB200, GB300, B300 contain a vulnerability in the HGX Management Controller (HMC) that may allow a malicious actor with administrative access on the BMC to access the HMC as an administrator. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 2025-09-17 | 6.7 | CVE-2025-23337 | https://nvidia.custhelp.com/app/answers/detail/a_id/5692 |
| Wind River Systems Inc--VxWorks 7 | A crafted system call argument can cause memory corruption. | 2025-09-18 | 6.7 | CVE-2025-26503 | https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2025-26503 |
| NetApp--StorageGRID | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Reflected Cross-Site Scripting vulnerability. Successful exploit could allow an attacker to view or modify configuration settings or add or modify user accounts but requires the attacker to know specific information about the target instance and then trick a privileged user into clicking a specially crafted link. | 2025-09-19 | 6.4 | CVE-2025-26514 | https://security.netapp.com/advisory/NTAP-20250910-0001 |
| Oracle Corporation--OpenGrok | OpenGrok 1.14.1 has a reflected Cross-Site Scripting (XSS) issue when producing the cross reference page. This happens through improper handling of the revision parameter. The application reflects unsanitized user input into the HTML output. | 2025-09-18 | 6.1 | CVE-2025-30755 | Oracle Advisory |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking ClearPass Policy Manager | A vulnerability in the web-based management interface of network access control services could allow an unauthenticated remote attacker to conduct a Reflected Cross-Site Scripting (XSS) attack. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in a victim's browser in the context of the affected interface. | 2025-09-17 | 6.1 | CVE-2025-37122 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04950en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerability in the web API of HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to terminate arbitrary running processes. Successful exploitation could allow an attacker to disrupt system operations, potentially resulting in an unstable system state. | 2025-09-16 | 6.8 | CVE-2025-37128 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerable feature in the command line interface of EdgeConnect SD-WAN could allow an authenticated attacker to exploit built-in script execution capabilities. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system if the feature is enabled without proper security measures. | 2025-09-16 | 6.7 | CVE-2025-37129 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerability in the command-line interface of EdgeConnect SD-WAN could allow an authenticated attacker to read arbitrary files within the system. Successful exploitation could allow an attacker to read sensitive data from the underlying file system. | 2025-09-16 | 6.5 | CVE-2025-37130 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| WAGO--CC100 0751-9301 | During a short time frame while the device is booting, an unauthenticated remote attacker can send traffic to unauthorized networks due to the switch operating in an undefined state until a CPU-induced reset allows proper configuration. | 2025-09-15 | 6.5 | CVE-2025-41713 | https://certvde.com/en/advisories/VDE-2025-083 https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-083.json |
| ArgusTech--BILGER | Authorization Bypass Through User-Controlled Key vulnerability with user privileges in ArgusTech BILGER allows Exploitation of Trusted Identifiers. This issue affects BILGER: before 2.4.6. | 2025-09-16 | 6.5 | CVE-2025-5518 | https://www.usom.gov.tr/bildirim/tr-25-0250 |
| ArgusTech--BILGER | Insertion of Sensitive Information Into Sent Data vulnerability in ArgusTech BILGER allows Choosing Message Identifier. This issue affects BILGER: before 2.4.6. | 2025-09-16 | 6.5 | CVE-2025-5519 | https://www.usom.gov.tr/bildirim/tr-25-0250 |
| Libraesva--Email Security Gateway | Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7. | 2025-09-19 | 6.1 | CVE-2025-59689 | https://www.libraesva.com/security-blog/ https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ |
| snipeitapp--Snipe-IT | Snipe-IT before 8.1.18 allows XSS. | 2025-09-19 | 6.4 | CVE-2025-59712 | https://github.com/grokability/snipe-it/releases/tag/v8.1.18 |
| snipeitapp--Snipe-IT | Snipe-IT before 8.1.18 allows unsafe deserialization. | 2025-09-19 | 6.8 | CVE-2025-59713 | https://github.com/grokability/snipe-it/releases/tag/v8.1.18 |
| Internet2--Grouper | In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs. | 2025-09-19 | 6.5 | CVE-2025-59714 | https://spaces.at.internet2.edu/display/Grouper/Grouper+bug+-+GRP-6311+-+non-Grouper-admins+can+configure+loader+jobs |
| SMCI--X13SEM-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image. | 2025-09-19 | 6.4 | CVE-2025-6198 | https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025 |
| Beefull Energy Technologies--Beefull App | Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers. This issue affects Beefull App: before 24.07.2025. | 2025-09-16 | 6.5 | CVE-2025-7355 | https://www.usom.gov.tr/bildirim/tr-25-0255 |
| SMCI--MBD-X12STW | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW. An attacker can update the system firmware with a specially crafted image. | 2025-09-19 | 6.6 | CVE-2025-7937 | https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025 |
| Patika Global Technologies--HumanSuite | Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows Exploiting Trust in Client. This issue affects HumanSuite: before 53.21.0. | 2025-09-16 | 6.5 | CVE-2025-8057 | https://www.usom.gov.tr/bildirim/tr-25-0257 |
| productiveminds--Productive Style Optimisations & Content Publishing Support | The Productive Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's display_productive_breadcrumb shortcode in all versions up to, and including, 1.1.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-17 | 6.4 | CVE-2025-8394 | https://www.wordfence.com/threat-intel/vulnerabilities/id/358a1a87-a87c-41b9-addc-d4945cd8fb40?source=cve https://plugins.svn.wordpress.org/productive-style/tags/1.1.23/includes/common/module/breadcrumb.php https://wordpress.org/plugins/productive-style/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3341842%40productive-style&new=3341842%40productive-style&sfp_email=&sfph_mail= |
| Mitsubishi Electric Corporation--MELSEC-Q Series Q03UDVCPU | Improper Handling of Length Parameter Inconsistency vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series Q03UDVCPU, Q04UDVCPU, Q06UDVCPU, Q13UDVCPU, Q26UDVCPU, Q04UDPVCPU, Q06UDPVCPU, Q13UDPVCPU, and Q26UDPVCPU with the first 5 digits of serial No. "24082" to "27081" allows a remote attacker to cause an integer underflow by sending specially crafted packets to the affected product to stop Ethernet communication and the execution of control programs on the product, when the user authentication function is enabled. The user authentication function is enabled by default only when settings are configured by GX Works2, which complies with the Cybersecurity Law of the People's Republic of China, and is normally disabled. | 2025-09-19 | 6.8 | CVE-2025-8531 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-013_en.pdf https://jvn.jp/vu/JVNVU97846038/ |
| Bimser Solution Software Trade Inc.--eBA Document and Workflow Management System | Authorization Bypass Through User-Controlled Key, CWE-862 Missing Authorization, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. eBA Document and Workflow Management System allows Exploitation of Trusted Identifiers, Exploitation of Authorization, Variable Manipulation. This issue affects eBA Document and Workflow Management System: from 6.7.164 before 6.7.166. | 2025-09-19 | 6.4 | CVE-2025-8532 | https://www.usom.gov.tr/bildirim/tr-25-0280 |
| Saysis Computer Systems Trade Ltd. Co.--StarCities E-Municipality Management | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities E-Municipality Management allows Cross-Site Scripting (XSS). This issue affects StarCities E-Municipality Management: before 20250825. | 2025-09-19 | 6.3 | CVE-2025-8664 | https://www.usom.gov.tr/bildirim/tr-25-0281 |
| Mattermost--Mattermost | Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled. | 2025-09-15 | 6.5 | CVE-2025-9076 | https://mattermost.com/security-updates |
| bplugins--Media Player Addons for Elementor Audio and Video Widgets for Elementor | The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-17 | 6.4 | CVE-2025-9203 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1067cc82-3595-4228-a7a2-5b3be7677b1f?source=cve https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/bplayer-widget-video.php#L207 https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/b_html5_addon.php#L432 https://plugins.trac.wordpress.org/log/media-player-addons-for-elementor/ |
| kodezen--StoreEngine Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More | The StoreEngine - Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-09-17 | 6.5 | CVE-2025-9215 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07b1dc05-1340-4ea3-9315-3e1ca4a0cb7f?source=cve https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/export.php#L47 https://github.com/d0n601/CVE-2025-9215 https://ryankozak.com/posts/cve-2025-9215/ https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/export.php |
| creativethemeshq--Blocksy Companion | The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-17 | 6.4 | CVE-2025-9565 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c28e740e-9337-41b5-a8e7-ca68e41eaed4?source=cve https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.9/framework/extensions/newsletter-subscribe/extension.php#L191 https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.9/framework/extensions/newsletter-subscribe/helpers.php#L65 https://wordpress.org/plugins/blocksy-companion/ https://plugins.trac.wordpress.org/changeset/3360000/blocksy-companion/trunk/framework/extensions/newsletter-subscribe/helpers.php |
| Kubernetes--Kubernetes CSharp Client | A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially intercept or manipulate communication with the Kubernetes API server, leading to possible man-in-the-middle attacks and API impersonation. | 2025-09-16 | 6.8 | CVE-2025-9708 | https://groups.google.com/g/kubernetes-security-announce/c/rLopt2Msvbw/m/rK6XeNw2CgAJ https://github.com/kubernetes/kubernetes/issues/134063 |
| OMRON SOCIAL SOLUTIONS CO., Ltd.--PowerAttendant Standard Edition | A vulnerability (CWE-428) has been identified in the Uninterruptible Power Supply (UPS) management application provided by OMRON SOCIAL SOLUTIONS Co., Ltd., where the executable file paths of Windows services are not enclosed in quotation marks. If the installation folder path of this product contains spaces, there is a possibility that unauthorized files may be executed under the service privileges by using paths containing spaces. | 2025-09-17 | 6.7 | CVE-2025-9818 | https://www.omron.com/jp/ja/inquiry/vulnerability_information/OMSR-2025-005_ja.pdf https://www.omron.com/global/en/inquiry/vulnerability_information/OMSR-2025-005_en.pdf |
| gentlesource--Appointmind | The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-17 | 6.4 | CVE-2025-9851 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65d965ac-66ae-4c23-b9c2-335b93a140d9?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3359404%40appointmind&new=3359404%40appointmind&sfp_email=&sfph_mail= |
| michaelbo--osTicket WP Bridge | The osTicket WP Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-20 | 6.1 | CVE-2025-9882 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88e508ad-e7dd-4c8f-a44d-ef633e826007?source=cve https://wordpress.org/plugins/osticket-wp-bridge/ https://plugins.trac.wordpress.org/browser/osticket-wp-bridge/tags/1.9.2/admin/ost-config.php#L122 |
| bpedrassani--Browser Sniff | The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-20 | 6.1 | CVE-2025-9883 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b7210fd7-0812-47bc-bc62-d69280253e0a?source=cve https://wordpress.org/plugins/browser-sniff/ https://plugins.trac.wordpress.org/browser/browser-sniff/tags/2.3/browsersniff.php#L88 |
| nko--Ghost Kit Page Builder Blocks, Motion Effects & Extensions | The Ghost Kit - Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-09-18 | 6.4 | CVE-2025-9992 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a58bdc25-6171-47d5-bdcc-b4fe89b906f1?source=cve https://plugins.trac.wordpress.org/changeset/3359701/ghostkit/trunk/gutenberg/plugins/custom-code/index.php?old=3037555&old_path=ghostkit%2Ftrunk%2Fgutenberg%2Fplugins%2Fcustom-code%2Findex.php |
| Holistic IT, Consultancy Coop.--Workcube ERP | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Holistic IT, Consultancy Coop. Workcube ERP allows Reflected XSS. This issue affects Workcube ERP: from V12 - V14 before Cognitive. | 2025-09-16 | 5.3 | CVE-2024-12796 | https://www.usom.gov.tr/bildirim/tr-25-0256 |
| Ericsson--Ericsson Catalog Manager | Ericsson Catalog Manager and Ericsson Order Care APIs do not have authentication enabled by default. Authentication checks can be configured to remediate the information disclosure issue. | 2025-09-18 | 5.3 | CVE-2024-25011 | https://www.ericsson.com/en/about-us/security/psirt/cve-2024-25011 |
| ays-pro--Quiz Maker | The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like `X-Forwarded-For` and limit users by IP is enabled. | 2025-09-17 | 5.9 | CVE-2025-10042 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4eeae6dd-a41f-4878-aa92-064ec78367d7?source=cve https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.52/public/class-quiz-maker-public.php https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.52/public/class-quiz-maker-public.php#L7145 https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.57/public/class-quiz-maker-public.php#L7149 |
| tvcnet--The Hack Repair Guy's Plugin Archiver | The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the bulk_remove() function. This makes it possible for unauthenticated attackers to perform arbitrary directory deletion in /wp-content via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-17 | 5.4 | CVE-2025-10188 | https://www.wordfence.com/threat-intel/vulnerabilities/id/51810981-5d2b-471b-b602-35809e281a0b?source=cve https://plugins.trac.wordpress.org/browser/hackrepair-plugin-archiver/tags/3.1.1/includes/bulk.php |
| endisha--Secure Passkeys | The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() functions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys. | 2025-09-20 | 5.3 | CVE-2025-10305 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c41651ce-ee9b-408f-a25f-113d71beb935?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363280%40secure-passkeys&new=3363280%40secure-passkeys&sfp_email=&sfph_mail=#file2 |
| PilotGaea Technologies--O'View MapServer | O'View MapServer developed by PilotGaea Technologies has a Server-Side Request Forgery vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to probe internal network. | 2025-09-15 | 5.3 | CVE-2025-10453 | https://www.twcert.org.tw/tw/cp-132-10381-4d482-1.html https://www.twcert.org.tw/en/cp-139-10382-781cc-2.html |
| harry0703--MoneyPrinterTurbo | A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function download_video/stream_video of the file app/controllers/v1/video.py of the component URL Handler. The manipulation of the argument file_path leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-09-15 | 5.3 | CVE-2025-10472 | VDB-323892: harry0703 MoneyPrinterTurbo URL video.py stream_video path traversal; VDB-323892: CTI Indicators (IOB, IOC, TTP, IOA); Submit #648393: MoneyPrinterTurbo project MoneyPrinterTurbo 1.2.6 Absolute Path Traversal; https://www.notion.so/Path-Traversal-Vulnerability-in-MoneyPrinterTurbo-1-2-6-265014c4d9ca80e38da4deaeee8b46f5?source=copy_link |
| n/a--SpyShelter | A weakness has been identified in SpyShelter up to 15.4.0.1015. Affected is an unknown function in the library SpyShelter.sys of the component IOCTL Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. Upgrading to version 15.4.0.1028 is able to address this issue. It is advisable to upgrade the affected component. | 2025-09-15 | 5.5 | CVE-2025-10475 | VDB-323906: SpyShelter IOCTL SpyShelter.sys denial of service; VDB-323906: CTI Indicators (IOB, IOC, IOA); Submit #648484: SpyShelter <=15.4.0.1012 Local Privilege Escalation; https://www.yuque.com/u28538081/sea4q5/aokhgdfpf5ueguk5 https://www.spyshelter.com/help/SpyShelter-Changelog#15401028-3sep2025 |
| prasunsen--Chained Quiz | The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5. | 2025-09-18 | 5.3 | CVE-2025-10493 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1d8f6965-1fe3-4f24-bd6b-9026e91bc5db?source=cve https://plugins.trac.wordpress.org/browser/chained-quiz/tags/1.3.3/controllers/quizzes.php https://plugins.trac.wordpress.org/browser/chained-quiz/tags/1.3.3/models/quiz.php https://plugins.trac.wordpress.org/changeset/3362561/ https://plugins.trac.wordpress.org/changeset/3362701/ https://plugins.trac.wordpress.org/changeset/3362966/ |
| Four-Faith--Water Conservancy Informatization Platform | A security vulnerability has been detected in Four-Faith Water Conservancy Informatization Platform 1.0. Affected by this vulnerability is an unknown functionality of the file /history/historyDownload.do;usrlogout.do. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10708 | VDB-324996: Four-Faith Water Conservancy Informatization Platform historyDownload.do;usrlogout.do path traversal; VDB-324996: CTI Indicators (IOB, IOC, TTP, IOA); Submit #644871: Four-Faith Water Conservancy Informatization Platform V1.0 Path Traversal; https://github.com/Cstarplus/CVE/issues/4 |
| Four-Faith--Water Conservancy Informatization Platform | A vulnerability was detected in Four-Faith Water Conservancy Informatization Platform 1.0. Affected by this issue is some unknown functionality of the file /history/historyDownload.do;otheruserLogin.do;getfile. The manipulation of the argument fileName results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10709 | VDB-324997: Four-Faith Water Conservancy Informatization Platform historyDownload.do;otheruserLogin.do;getfile path traversal; VDB-324997: CTI Indicators (IOB, IOC, TTP, IOA); Submit #644874: Four-Faith Water Conservancy Informatization Platform V1.0 Path Traversal; https://github.com/Cstarplus/CVE/issues/5 |
| APEUni--PTE Exam Practice App | A security flaw has been discovered in APEUni PTE Exam Practice App up to 10.8.0 on Android. The impacted element is an unknown function of the file AndroidManifest.xml of the component com.ape_edication. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10715 | VDB-325003: APEUni PTE Exam Practice App com.ape_edication AndroidManifest.xml improper export of android application components; VDB-325003: CTI Indicators (IOB, IOC, IOA); Submit #645006: APEUni Edu APEUni 10.8.0 Task Hijacking; https://github.com/KMov-g/androidapps/blob/main/com.ape_edication.md https://github.com/KMov-g/androidapps/blob/main/com.ape_edication.md#steps-to-reproduce |
| Creality--Cloud App | A flaw has been found in Creality Cloud App up to 6.1.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cxsw.sdprinter. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10716 | VDB-325007: Creality Cloud App com.cxsw.sdprinter AndroidManifest.xml improper export of android application components; VDB-325007: CTI Indicators (IOB, IOC, IOA); Submit #645009: Creality Cloud 6.1.0 Task Hijacking; https://github.com/KMov-g/androidapps/blob/main/com.cxsw.sdprinter.md |
| intsig--CamScanner App | A vulnerability has been found in intsig CamScanner App 6.91.1.5.250711 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.intsig.camscanner. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10717 | VDB-325008: intsig CamScanner App com.intsig.camscanner AndroidManifest.xml improper export of android application components; VDB-325008: CTI Indicators (IOB, IOC, IOA); Submit #645010: INTSIG PTE CamScanner 6.91.1.5.2507110000 Task Hijacking; https://github.com/KMov-g/androidapps/blob/main/com.intsig.camscanner.md https://github.com/KMov-g/androidapps/blob/main/com.intsig.camscanner.md#steps-to-reproduce |
| Ooma--Office Business Phone App | A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. This affects an unknown part of the component com.ooma.office2. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10718 | VDB-325009: Ooma Office Business Phone App com.ooma.office2 improper export of android application components; VDB-325009: CTI Indicators (IOB, IOC); Submit #645012: Ooma Ooma Office 7.2.2 Task Hijacking; https://github.com/KMov-g/androidapps/blob/main/com.ooma.office2.md |
| Webull--Investing & Trading App | A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml. This manipulation causes improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10721 | VDB-325010: Webull Investing & Trading App AndroidManifest.xml improper export of android application components; VDB-325010: CTI Indicators (IOB, IOC, IOA); Submit #645014: ebull Technologies Pte. Ltd. webbull-stock 11.2.5.63 Task Hijacking; https://github.com/KMov-g/androidapps/blob/main/org.dayup.stocks.md https://github.com/KMov-g/androidapps/blob/main/org.dayup.stocks.md#steps-to-reproduce |
| SKTLab--Mukbee App | A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. This affects an unknown function of the file AndroidManifest.xml of the component com.dw.android.mukbee. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 5.3 | CVE-2025-10722 | VDB-325015: SKTLab Mukbee App com.dw.android.mukbee AndroidManifest.xml improper export of android application components; VDB-325015: CTI Indicators (IOB, IOC, IOA); Submit #645019: SKTLab Mukbee 1.01.196 Task Hijacking; https://github.com/KMov-g/androidapps/blob/main/com.dw.android.mukbee.md https://github.com/KMov-g/androidapps/blob/main/com.dw.android.mukbee.md#steps-to-reproduce |
| Webkul--QloApps | A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release." | 2025-09-21 | 5.3 | CVE-2025-10759 | VDB-325114: Webkul QloApps CSRF Token authorization; VDB-325114: CTI Indicators (IOB, IOC, IOA); Submit #645821: webkul qloapps 1.7.0 Authorization Bypass; https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md#proof-of-concept-poc |
| NetApp--StorageGRID | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Denial of Service vulnerability. Successful exploit could allow an unauthenticated attacker to cause a Denial of Service on the Admin node. | 2025-09-19 | 5.3 | CVE-2025-26516 | https://security.netapp.com/advisory/NTAP-20250910-0003 |
| NetApp--StorageGRID | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a privilege escalation vulnerability. Successful exploit could allow an unauthorized authenticated attacker to discover Grid node names and IP addresses or modify Storage Grades. | 2025-09-19 | 5.4 | CVE-2025-26517 | https://security.netapp.com/advisory/NTAP-20250910-0004 |
| ZTE--T5400 | There is an unauthorized access vulnerability in ZTE T5400. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface. | 2025-09-16 | 5.7 | CVE-2025-26711 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1441846006241435677 |
| CISA--Thorium | CISA Thorium does not adequately validate the paths of downloaded files via 'download_ephemeral' and 'download_children'. A remote, authenticated attacker could access arbitrary files subject to file system permissions. Fixed in 1.1.2. | 2025-09-17 | 5 | CVE-2025-35430 | url url url url |
| CISA--Thorium | CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data such as group memberships. Fixed in 1.1.1. | 2025-09-17 | 5.4 | CVE-2025-35431 | url url url url |
| CISA--Thorium | CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes. | 2025-09-17 | 5.3 | CVE-2025-35432 | url url url url |
| CISA--Thorium | CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1. | 2025-09-17 | 5 | CVE-2025-35433 | url url url url |
| CISA--Thorium | CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27. | 2025-09-17 | 5.3 | CVE-2025-35436 | url url url |
| IBM--watsonx.data | IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-09-18 | 5.5 | CVE-2025-36139 | https://www.ibm.com/support/pages/node/7245387 |
| IBM--Copy Services Manager | IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-09-19 | 5.4 | CVE-2025-36248 | https://www.ibm.com/support/pages/node/7245562 |
| SUSE--neuvector | NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attacks (offline attacks in which hashes of known passwords are precomputed). | 2025-09-17 | 5.3 | CVE-2025-53884 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53884 https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3 |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-09-16 | 5.5 | CVE-2025-54237 | https://helpx.adobe.com/security/products/substance3d_stager/apsb25-81.html |
| SUSE--neuvector | When a Java command with password parameters is executed and then terminated by NeuVector for a Process rule violation, the password appears in the NeuVector security event log. | 2025-09-17 | 5.3 | CVE-2025-54467 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54467 https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq |
| BMC--Control-M/Agent | Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented. An attacker with read access to the keystore could access sensitive data using this password. | 2025-09-16 | 5.5 | CVE-2025-55110 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441964 |
| BMC--Control-M/Agent | Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL files, keystore and policies. An attacker with local access to the system running the Agent can access these files. | 2025-09-16 | 5.5 | CVE-2025-55111 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441965 |
| BMC--Control-M/Agent | The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion. | 2025-09-16 | 5.3 | CVE-2025-55114 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441968 |
| BMC--Control-M/Agent | A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n"; * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n". | 2025-09-16 | 5.3 | CVE-2025-55117 | https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099 https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441972 |
| n8n-io--n8n | n8n is an open source workflow automation platform. From 1.24.0 to before 1.107.0, there is a stored cross-site scripting (XSS) vulnerability in @n8n/n8n-nodes-langchain.chatTrigger. An authorized user can configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access so that the payload is executed in the browser of any user who visits the resulting public chat URL. This can be used for phishing or to steal cookies or other sensitive data from users accessing the public chat link. The issue is fixed in version 1.107.0. Updating to 1.107.0 or later is recommended. As a workaround, the affected chatTrigger node can be disabled. No other workarounds are known. | 2025-09-15 | 5.4 | CVE-2025-58177 | https://github.com/n8n-io/n8n/security/advisories/GHSA-mvh4-2cm2-6hpg https://github.com/n8n-io/n8n/pull/18148 https://github.com/n8n-io/n8n/commit/d4ef191be0b39b65efa68559a3b8d5dad2e102b2 |
| igniterealtime--Openfire | Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU="CN=admin,"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0. | 2025-09-15 | 5.9 | CVE-2025-59154 | https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43 https://igniterealtime.atlassian.net/browse/OF-3122 https://igniterealtime.atlassian.net/browse/OF-3123 https://igniterealtime.atlassian.net/browse/OF-3124 |
| GNU--Guix | In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended). | 2025-09-15 | 5.7 | CVE-2025-59378 | https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerability-2025-2/ https://codeberg.org/guix/guix/commit/1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45 |
| openwebanalytics--Open Web Analytics | Open Web Analytics (OWA) before 1.8.1 allows SQL injection. | 2025-09-15 | 5 | CVE-2025-59397 | https://www.openwebanalytics.com https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.8.1 https://github.com/Open-Web-Analytics/Open-Web-Analytics/compare/1.8.0...1.8.1 https://github.com/Open-Web-Analytics/Open-Web-Analytics/commit/1e5531522acb8f145627c9feb0175cf8a66561ba |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07.2, path traversal was possible during project archive upload. | 2025-09-17 | 5.5 | CVE-2025-59456 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| DigitalOcean--@digitalocean/do-markdownit | In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array). | 2025-09-19 | 5.4 | CVE-2025-59717 | https://github.com/digitalocean/do-markdownit https://gist.github.com/thesmartshadow/dd19665f1f51a4e3c7a766e70c9eafd0 https://www.npmjs.com/package/@digitalocean/do-markdownit |
| Dolusoft--Omaspot | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dolusoft Omaspot allows Reflected XSS. This issue affects Omaspot: before 12.09.2025. | 2025-09-16 | 5.4 | CVE-2025-6575 | https://www.usom.gov.tr/bildirim/tr-25-0254 |
| SecHard Information Technologies--SecHard | Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Parameter Injection. This issue affects SecHard: before 3.6.2-20250805. | 2025-09-17 | 5.3 | CVE-2025-8463 | https://www.usom.gov.tr/bildirim/tr-25-0271 |
| extendthemes--Kubio AI Page Builder | The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin. | 2025-09-19 | 5.4 | CVE-2025-8487 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1f528c89-2b8c-4750-b9eb-47ebd8c1630e?source=cve https://plugins.trac.wordpress.org/browser/kubio/tags/2.6.3/lib/integrations/image-hub/image-hub.php#L70 https://plugins.trac.wordpress.org/changeset/3361499/kubio/trunk/lib/integrations/image-hub/image-hub.php |
| athemes--Sydney | The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules. | 2025-09-17 | 5.3 | CVE-2025-8999 | https://www.wordfence.com/threat-intel/vulnerabilities/id/965582c6-a52e-4f88-81ef-b5dd761a0c23?source=cve https://themes.trac.wordpress.org/browser/sydney/2.55/inc/classes/class-sydney-modules.php#L166 https://themes.trac.wordpress.org/browser/sydney/2.55/inc/modules/class-sydney-modules.php#L72 https://themes.trac.wordpress.org/changeset/288374/ |
| theeventscalendar--The Events Calendar | The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues. | 2025-09-16 | 5.3 | CVE-2025-9808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0f2968d6-f1b1-4cd5-b76b-9dc0f6dd1a6a?source=cve https://plugins.trac.wordpress.org/changeset/3359403/ |
| Zirve Information Technologies Inc.--Zirve Nova | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. Zirve Nova allows Cross-Site Scripting (XSS). This issue affects Zirve Nova: from 235 through 20250131. | 2025-09-17 | 4.7 | CVE-2025-0419 | https://www.usom.gov.tr/bildirim/tr-25-0260 |
| Paraşüt Software--Paraşüt | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Paraşüt Software Paraşüt allows Cross-Site Scripting (XSS). This issue affects Paraşüt: from 0.0.0.65efa44e through 20250204. | 2025-09-17 | 4.7 | CVE-2025-0420 | https://www.usom.gov.tr/bildirim/tr-25-0261 |
| Mevzuattr Software--MevzuatTR | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Restriction of Rendered UI Layers or Frames vulnerability in Mevzuattr Software MevzuatTR allows Phishing, iFrame Overlay, Clickjacking, Forceful Browsing. This issue needs high privileges. This issue affects MevzuatTR: before 12.02.2025. | 2025-09-17 | 4.7 | CVE-2025-0546 | https://www.usom.gov.tr/bildirim/tr-25-0269 |
| Paraşüt Software--Bizmu | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Paraşüt Software Bizmu allows Cross-Site Scripting (XSS). This issue affects Bizmu: from 2.27.0 through 20250212. | 2025-09-18 | 4.7 | CVE-2025-0547 | https://www.usom.gov.tr/bildirim/tr-25-0272 |
| Shopside Software--Shopside App | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shopside Software Shopside App allows Cross-Site Scripting (XSS). This issue requires high privileges. This issue affects Shopside App: before 17.02.2025. | 2025-09-17 | 4.7 | CVE-2025-0879 | https://www.usom.gov.tr/bildirim/tr-25-0270 |
| clickwhale--ClickWhale Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages | The ClickWhale - Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower level users if access to the plugin is granted. | 2025-09-20 | 4.9 | CVE-2025-10002 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6eba6da-ac14-4914-a807-6e234b80ee71?source=cve https://plugins.trac.wordpress.org/changeset/3361848/clickwhale/trunk/includes/admin/Clickwhale_Ajax.php |
| n/a--newbee-mall | A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2025-09-15 | 4.3 | CVE-2025-10422 | VDB-323856 \| newbee-mall Order Status paySuccess improper authorization VDB-323856 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646997 \| newbee-ltd newbee-mall V1.0 IDOR https://github.com/newbee-ltd/newbee-mall/issues/100 https://github.com/newbee-ltd/newbee-mall/issues/100#issue-3379977698 |
| zephyrproject-rtos--Zephyr | The function responsible for handling BLE connection responses does not verify whether a response is expected, that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. | 2025-09-19 | 4.3 | CVE-2025-10457 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xqj6-vh76-2vv8 |
| pojoin--h3blog | A vulnerability has been found in pojoin h3blog up to 5bf704425ebc11f4c24da51f32f36bb17ae20489. Affected by this issue is the function ppt_log of the file /login of the component HTTP Header Handler. Such manipulation of the argument X-Forwarded-For leads to cross site scripting. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | 2025-09-15 | 4.3 | CVE-2025-10485 | VDB-323919 \| pojoin h3blog HTTP Header login ppt_log cross site scripting VDB-323919 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648548 \| https://gitee.com/pojoin/h3blog h3blog 1.0 Stored Cross-Site Scripting Attack https://github.com/hhhh333/CVE/blob/main/xss.md |
| brainstormforce--SureForms Drag and Drop Contact Form Builder Multi-step Forms, Conversational Forms and more | The SureForms - Drag and Drop Contact Form Builder - Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it. | 2025-09-20 | 4.3 | CVE-2025-10489 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d03f316-542c-4128-b49d-fd2fd8609dd6?source=cve https://plugins.trac.wordpress.org/changeset/3363914/sureforms/trunk/inc/post-types.php |
| Campcodes--Grocery Sales and Inventory System | A vulnerability was identified in Campcodes Grocery Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=users. The manipulation of the argument page leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-09-16 | 4.3 | CVE-2025-10566 | VDB-324480 \| Campcodes Grocery Sales and Inventory System index.php cross site scripting VDB-324480 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646982 \| campcodes Grocery Sales and Inventory System V1.0 cross site scripting https://github.com/zzb1388/cve/issues/73 https://www.campcodes.com/ |
| Portabilis--i-Educar | A security flaw has been discovered in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_usuario_det.php. The manipulation of the argument ref_pessoa results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-09-17 | 4.3 | CVE-2025-10590 | VDB-324607 \| Portabilis i-Educar educar_usuario_det.php cross site scripting VDB-324607 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648832 \| Portabilis i-educar 2.10 Cross Site Scripting (XSS) Reflected https://github.com/marcelomulder/CVE/blob/main/i-educar/Cross-Site%20Scripting%20(XSS)%20Reflected%20endpoint%20%60educar_usuario_det.php%60%20parameter%20%60ref_pessoa%60.md |
| Portabilis--i-Educar | A security flaw has been discovered in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /agenda_preferencias.php. The manipulation of the argument tipoacao results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-09-17 | 4.3 | CVE-2025-10605 | VDB-324625 \| Portabilis i-Educar agenda_preferencias.php cross site scripting VDB-324625 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649872 \| Portabilis i-educar 2.10 Cross Site Scripting (XSS) Stored https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10605.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Cross-Site%20Scripting%20(XSS)%20Reflected%20endpoint%20%60agenda_preferencias.php%60%20parameter%20%60tipoacao%60.md |
| Portabilis--i-Educar | A weakness has been identified in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /module/Configuracao/ConfiguracaoMovimentoGeral. This manipulation of the argument tipoacao causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-09-17 | 4.3 | CVE-2025-10606 | VDB-324626 \| Portabilis i-Educar ConfiguracaoMovimentoGeral cross site scripting VDB-324626 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649874 \| Portabilis i-educar 2.10 Cross Site Scripting (XSS) Reflected https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10606.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Cross-Site%20Scripting%20(XSS)%20Reflected%20endpoint%20%60.module.Configuracao.ConfiguracaoMovimentoGeral%60%20parameter%20%60tipoacao%60.md |
| Portabilis--i-Educar | A security vulnerability has been detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/Avaliacao/diarioApi. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-09-17 | 4.3 | CVE-2025-10607 | VDB-324627 \| Portabilis i-Educar diarioApi information disclosure VDB-324627 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649875 \| Portabilis i-educar 2.10 Broken Object Level Authorization https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-10607.md https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Object%20Level%20Authorization%20(BOLA)%20allows%20enumeration%20of%20classes%20informations%20via%20.module.Avaliacao.diarioApi.md |
| itsourcecode--E-Logbook with Health Monitoring System for COVID-19 | A vulnerability was determined in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0 on COVID. This affects an unknown function of the file /print_reports_prev.php. Executing manipulation of the argument profile_id can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-09-17 | 4.3 | CVE-2025-10614 | VDB-324641 \| itsourcecode E-Logbook with Health Monitoring System for COVID-19 print_reports_prev.php cross site scripting VDB-324641 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649910 \| itsourcecode E-Logbook with Health Monitoring System V1.0 Reflected XSS https://github.com/yihaofuweng/cve/issues/22 https://itsourcecode.com/ |
| Grafana--grafana-zabbix-plugin | Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana that visualizes monitoring data from Zabbix and creates dashboards for analyzing metrics and real-time monitoring. Versions 5.2.1 and below contained a ReDoS vulnerability via a user-supplied regex query, which could cause CPU usage to max out. This vulnerability is fixed in version 6.0.0. | 2025-09-19 | 4.3 | CVE-2025-10630 | https://grafana.com/security/security-advisories/cve-2025-10630/ https://github.com/grafana/grafana-zabbix/releases/tag/v6.0.0 |
| n/a--SeaCMS | A vulnerability has been found in SeaCMS up to 13.3. The impacted element is an unknown function of the file /admin_members.php?ac=editsave. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This affects another injection point than CVE-2025-25513. | 2025-09-18 | 4.7 | CVE-2025-10662 | VDB-324783 \| SeaCMS admin_members.php sql injection VDB-324783 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #649866 \| SeaCMS V13.3 SQL Injection https://github.com/coolcj-stack/seacms-v13.3-sqli/blob/main/README.md |
| fuyang_lipengjun--platform | A vulnerability was identified in fuyang_lipengjun platform 1.0. This affects the function AttributeCategoryController of the file /attributecategory/queryAll. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-09-18 | 4.3 | CVE-2025-10674 | VDB-324795 \| fuyang_lipengjun platform queryAll AttributeCategoryController improper authorization VDB-324795 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653342 \| fuyang_lipengjun platform v1.0 broken function level authorization https://www.cnblogs.com/aibot/p/19063429 |
| fuyang_lipengjun--platform | A security flaw has been discovered in fuyang_lipengjun platform 1.0. This impacts the function AttributeController of the file /attribute/queryAll. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-09-18 | 4.3 | CVE-2025-10675 | VDB-324796 \| fuyang_lipengjun platform queryAll AttributeController improper authorization VDB-324796 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653343 \| fuyang_lipengjun platform v1.0 broken function level authorization https://www.cnblogs.com/aibot/p/19063430 |
| fuyang_lipengjun--platform | A weakness has been identified in fuyang_lipengjun platform 1.0. Affected is the function BrandController of the file /brand/queryAll. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-09-18 | 4.3 | CVE-2025-10676 | VDB-324797 \| fuyang_lipengjun platform queryAll BrandController improper authorization VDB-324797 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653344 \| fuyang_lipengjun platform v1.0 broken function level authorization https://www.cnblogs.com/aibot/p/19063431 |
| n/a--07FLYCMS | A flaw has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This affects an unknown part of the file /index.php. This manipulation of the argument Name causes cross site scripting. The attack can be carried out remotely. The exploit has been published and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 4.3 | CVE-2025-10710 | VDB-324998 \| 07FLYCMS/07FLY-CMS/07FlyCRM index.php cross site scripting VDB-324998 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #644968 \| 07FLY Enterprise Management System S1 Basic Cross Site Scripting https://github.com/1276486/CVE/issues/11 |
| n/a--07FLYCMS | A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross site scripting. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-19 | 4.3 | CVE-2025-10711 | VDB-324999 \| 07FLYCMS/07FLY-CMS/07FlyCRM Login cross site scripting VDB-324999 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #644969 \| 07FLY Enterprise Management System S1 Basic Cross Site Scripting https://github.com/1276486/CVE/issues/12 |
| WisdomGarden--Tronclass | Tronclass, developed by WisdomGarden, has an Insecure Direct Object Reference vulnerability that allows remote attackers with regular privileges to modify a specific parameter to access other users' files. | 2025-09-19 | 4.3 | CVE-2025-10719 | https://www.twcert.org.tw/tw/cp-132-10396-68624-1.html https://www.twcert.org.tw/en/cp-139-10397-49db1-2.html |
| SeriaWei--ZKEACMS | A security flaw has been discovered in SeriaWei ZKEACMS up to 4.3. This vulnerability affects the function CheckPage/Suggestions in the library cms-v4.3\wwwroot\Plugins\ZKEACMS.SEOSuggestions\ZKEACMS.SEOSuggestions.dll of the component SEOSuggestions. Performing manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 4.7 | CVE-2025-10765 | VDB-325120 \| SeriaWei ZKEACMS SEOSuggestions ZKEACMS.SEOSuggestions.dll server-side request forgery VDB-325120 \| CTI Indicators (IOB, IOC, IOA) Submit #647952 \| SeriaWei ZKEACMS ZKEACMS.v4.3 ssrf https://github.com/wooyun123/wooyun/issues/1 |
| SeriaWei--ZKEACMS | A weakness has been identified in SeriaWei ZKEACMS up to 4.3. This issue affects the function Download of the file EventViewerController.cs. Executing manipulation of the argument ID can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 4.3 | CVE-2025-10766 | VDB-325121 \| SeriaWei ZKEACMS EventViewerController.cs Download path traversal VDB-325121 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #650445 \| SeriaWei ZKEACMS v4.3 Arbitrary File Reading https://github.com/August829/YU1/issues/1 |
| CosmodiumCS--OnlyRAT | A vulnerability was detected in CosmodiumCS OnlyRAT up to 3.2. The affected element is the function connect/remote_upload/remote_download of the file main.py of the component Configuration File Handler. The manipulation of the argument configuration["PASSWORD"] results in os command injection. The attack requires a local approach. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 4.5 | CVE-2025-10767 | VDB-325123 \| CosmodiumCS OnlyRAT Configuration File main.py remote_download os command injection VDB-325123 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648118 \| CosmodiumCS OnlyRAT Latest version available OS Command Injection https://docs.google.com/document/d/1oq9YO831FbEDBI2BqNiW-7YA_kMzHJmMgy82F8f-L9g/edit?usp=sharing |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause a denial of service by loading a misconfigured model. A successful exploit of this vulnerability might lead to denial of service. | 2025-09-17 | 4.4 | CVE-2025-23336 | https://nvidia.custhelp.com/app/answers/detail/a_id/5691 |
| Ubit Information Technologies--STOYS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ubit Information Technologies STOYS allows Cross-Site Scripting (XSS). This issue affects STOYS: from 2 before 20250916. | 2025-09-16 | 4.3 | CVE-2025-2404 | https://www.usom.gov.tr/bildirim/tr-25-0251 |
| CISA--Thorium | CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2. | 2025-09-17 | 4.2 | CVE-2025-35434 | url url url url |
| CISA--Thorium | CISA Thorium accepts a stream split size of zero then divides by this value. A remote, authenticated attacker could cause the service to crash. Fixed in commit 89101a6. | 2025-09-17 | 4.3 | CVE-2025-35435 | url url url |
| IBM--OpenPages | IBM OpenPages 9.0 and 9.1 allows web page cache to be stored locally which can be read by another user on the system. | 2025-09-15 | 4 | CVE-2025-36082 | https://www.ibm.com/support/pages/node/7244777 |
| IBM--watsonx.data | IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input. | 2025-09-18 | 4.7 | CVE-2025-36143 | https://www.ibm.com/support/pages/node/7245379 |
| IBM--watsonx.data | IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system. | 2025-09-18 | 4.3 | CVE-2025-36146 | https://www.ibm.com/support/pages/node/7245384 |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking EdgeConnect SD-WAN Gateway | A vulnerability in EdgeConnect SD-WAN ECOS could allow an authenticated remote threat actor with admin privileges to access sensitive unauthorized system files. Under certain conditions, this could lead to exposure and exfiltration of sensitive information. | 2025-09-16 | 4.9 | CVE-2025-37131 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US |
| Microsoft--Microsoft Edge (Chromium-based) | Insufficient UI warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. | 2025-09-16 | 4.7 | CVE-2025-47967 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| Microsoft--Microsoft PC Manager | Cleartext storage of sensitive information in Microsoft PC Manager allows an unauthorized attacker to bypass a security feature locally. | 2025-09-16 | 4 | CVE-2025-49728 | Microsoft PC Manager Security Feature Bypass Vulnerability |
| I-O DATA DEVICE, INC.--WN-7D36QR | Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker. | 2025-09-17 | 4.9 | CVE-2025-55075 | https://www.iodata.jp/support/information/2025/09_wn-7d36qr/index.htm https://jvn.jp/en/vu/JVNVU97490987/ |
| LDAPAccountManager--lam | LDAP Account Manager (LAM) is a web frontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned. | 2025-09-16 | 4.6 | CVE-2025-58174 | https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6gqg-wm9x-5x3m |
| Enalean--tuleap | Tuleap is an Open Source Suite to improve management of software developments and collaboration. Backlog item representations do not verify the permissions of the child trackers. Users might see tracker names they should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.11.99.1757427600 and Tuleap Enterprise Edition 16.11-6 and 16.10-8. | 2025-09-18 | 4.3 | CVE-2025-59040 | https://github.com/Enalean/tuleap/security/advisories/GHSA-67xc-39v9-pffg https://github.com/Enalean/tuleap/commit/92e4aa2d830a624a9183206c1c3558b90b8a5525 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=92e4aa2d830a624a9183206c1c3558b90b8a5525 https://tuleap.net/plugins/tracker/?aid=44489 |
| ovh--the-bastion | The Bastion provides authentication, authorization, traceability and auditability for SSH accesses. Session-recording ttyrec files may be handled by the provided osh-encrypt-rsync script, which is a helper to rotate, encrypt, sign, copy, and optionally move them to a remote storage periodically, if configured to. When running, the script properly rotates and encrypts the files using the provided GPG key(s), but silently fails to sign them, even if asked to. | 2025-09-17 | 4.4 | CVE-2025-59339 | https://github.com/ovh/the-bastion/security/advisories/GHSA-h66q-g57p-rgg6 https://github.com/ovh/the-bastion/commit/9bc85ec3f4b724f903773ba64909777c4826a13f |
| frappe--lms | Frappe Learning is a learning system that helps users structure their content. In versions 2.34.1 and below, there is a security vulnerability in Frappe Learning where the system did not adequately sanitize the content uploaded in the profile bio. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. | 2025-09-17 | 4.6 | CVE-2025-59415 | https://github.com/frappe/lms/security/advisories/GHSA-h7gh-3vq5-96jx https://github.com/frappe/lms/commit/ed162e254690772365d4d1365f176b59bc4db72d |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07.2, a project isolation bypass was possible due to a race condition. | 2025-09-17 | 4.2 | CVE-2025-59455 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| SMSEagle--SMSEagle | SMSEagle before 6.11 allows reflected XSS via a username or contact phone number. | 2025-09-19 | 4.8 | CVE-2025-59715 | https://www.smseagle.eu/security-advisory/resolved-xss-in-smseagle-software-6-11/ |
| Pusula Communication Information Internet Industry and Trade Ltd. Co.--Manageable Email Sending System | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Pusula Communication Information Internet Industry and Trade Ltd. Co. Manageable Email Sending System allows Exploiting Trust in Client. This issue affects Manageable Email Sending System: from <=2025.06 before 2025.08.06. | 2025-09-19 | 4.7 | CVE-2025-7702 | https://www.usom.gov.tr/bildirim/tr-25-0274 |
| blazethemes--Blaze Demo Importer | The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability. | 2025-09-16 | 4.3 | CVE-2025-8446 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a91bd1cf-ac63-4d65-b9fc-3fa2507cc27e?source=cve https://plugins.trac.wordpress.org/browser/blaze-demo-importer/trunk/blaze-demo-importer.php#L91 https://plugins.trac.wordpress.org/changeset/3361179/ |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing | 2025-09-15 | 4.3 | CVE-2025-9078 | https://mattermost.com/security-updates |
| shenyanzhi--USS Upyun | The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-17 | 4.3 | CVE-2025-9629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d2cee46a-03d5-4a31-ba15-28be97794199?source=cve https://plugins.trac.wordpress.org/browser/uss-upyun/tags/1.5.0/upyun-uss-wordpress.php#L493 https://plugins.trac.wordpress.org/browser/uss-upyun/tags/1.5.0/upyun-uss-wordpress.php#L499 https://plugins.trac.wordpress.org/browser/uss-upyun/tags/1.5.1/upyun-uss-wordpress.php#L493 |
| bittokazi--Custom Login And Signup Widget | The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-20 | 4.3 | CVE-2025-9887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f478db7f-6339-446e-b00d-0710707e679a?source=cve https://plugins.trac.wordpress.org/browser/custom-login-and-signup-widget/tags/1.0/frndzk_adminclsw.php#L3 |
| cyberlord92--User Sync | The User Sync - Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-17 | 4.3 | CVE-2025-9891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6b60777e-6e07-42bd-9364-43367e209227?source=cve https://plugins.trac.wordpress.org/browser/user-sync/tags/1.0.1/mo-user-sync-main.php#L118 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360328%40user-sync&new=3360328%40user-sync&sfp_email=&sfph_mail= |
| webraketen--Internal Links Manager | The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-09-20 | 4.3 | CVE-2025-9949 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e5e143-c4de-4312-8c8b-acf7ef60e0d5?source=cve https://wordpress.org/plugins/seo-automated-link-building/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362770%40seo-automated-link-building&new=3362770%40seo-automated-link-building&sfp_email=&sfph_mail= |
| n/a--newbee-mall | A vulnerability was found in newbee-mall 1.0. Impacted is the function mallKaptcha of the file /common/mall/kaptcha. The manipulation results in guessable captcha. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been made public and could be used. | 2025-09-15 | 3.7 | CVE-2025-10423 | VDB-323857 \| newbee-mall kaptcha mallKaptcha Captcha VDB-323857 \| CTI Indicators (IOB, IOC, IOA) Submit #647066 \| newbee-ltd newbee-mall V1.0 Guessable CAPTCHA https://github.com/newbee-ltd/newbee-mall/issues/101 https://github.com/newbee-ltd/newbee-mall/issues/101#issue-3380163659 |
| Portabilis--i-Educar | A vulnerability was identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /intranet/educar_calendario_anotacao_cad.php. Such manipulation of the argument nm_anotacao/descricao leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-09-17 | 3.5 | CVE-2025-10584 | VDB-324561 \| Portabilis i-Educar educar_calendario_anotacao_cad.php cross site scripting VDB-324561 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #644374 \| Portabilis i-Educar 2.10 Cross Site Scripting https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/25.md |
| Portabilis--i-Educar | A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_funcao_cad.php of the component Editar Função Page. This manipulation of the argument abreviatura/tipoacao causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-09-17 | 3.5 | CVE-2025-10591 | VDB-324608 \| Portabilis i-Educar Editar Função educar_funcao_cad.php cross site scripting VDB-324608 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #648837 \| Portabilis i-educar 2.10 Cross Site Scripting (XSS) Stored https://github.com/marcelomulder/CVE/blob/main/i-educar/Cross-Site%20Scripting%20(XSS)%20Stored%20endpoint%20%60educar_funcao_cad.php%60%20parameters%20%60abreviatura%60,%20%60tipoacao%60.md |
| itsourcecode--Online Petshop Management System | A vulnerability was identified in itsourcecode Online Petshop Management System 1.0. Impacted is an unknown function of the file addcnp.php of the component Available Products Page. The manipulation of the argument name/description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-09-18 | 3.5 | CVE-2025-10631 | VDB-324660 \| itsourcecode Online Petshop Management System Available Products addcnp.php cross site scripting VDB-324660 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #650675 \| itsourcecode Online Petshop Management System 1 Stored XSS in addcnp.php https://github.com/drew-byte/Online-Pet-Shop-Management-System-Stored-XSS-PoC/blob/main/README.md https://itsourcecode.com/ |
| itsourcecode--Online Petshop Management System | A security flaw has been discovered in itsourcecode Online Petshop Management System 1.0. The affected element is an unknown function of the file availableframe.php of the component Admin Dashboard. The manipulation of the argument name/address results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-09-18 | 3.5 | CVE-2025-10632 | VDB-324661 \| itsourcecode Online Petshop Management System Admin Dashboard availableframe.php cross site scripting VDB-324661 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #650676 \| itsourcecode Online Petshop Management System 1 Stored XSS in Admin Dashboard Triggered by Customer Orders https://github.com/drew-byte/Online-Pet-Shop-Management-System_AdminDashboard_Stored-XSS-PoC/blob/main/README.md https://itsourcecode.com/ |
| wangchenyi1996--chat_forum | A vulnerability has been found in wangchenyi1996 chat_forum up to 80bdb92f5b460d36cab36e530a2c618acef5afd2. This impacts an unknown function of the file /q.php. Such manipulation of the argument path leads to cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2025-09-18 | 3.5 | CVE-2025-10642 | VDB-324675 \| wangchenyi1996 chat_forum q.php cross site scripting VDB-324675 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #651885 \| wangchenyi1996 chat_forum master CWE-79 https://github.com/wangchenyi1996/chat_forum/blob/master/q.php#L31 |
| youth-is-as-pale-as-poetry--e-learning | A vulnerability has been found in youth-is-as-pale-as-poetry e-learning 1.0. Impacted is the function encryptSecret of the file e-learning-master\exam-api\src\main\java\com\yf\exam\ability\shiro\jwt\JwtUtils.java of the component JWT Token Handler. The manipulation leads to insufficiently random values. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. | 2025-09-18 | 3.7 | CVE-2025-10671 | VDB-324792 \| youth-is-as-pale-as-poetry e-learning JWT Token JwtUtils.java encryptSecret random values VDB-324792 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #653029 \| https://gitee.com/youth-is-as-pale-as-poetry/e-learning ExamSystem V1.0 Authentication Bypass Issues https://github.com/SuJing-cy/CVE/blob/main/yfhl.md |
| n/a--Harness | A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 3.7 | CVE-2025-10761 | VDB-325116 \| Harness Login Endpoint login excessive authentication VDB-325116 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #646871 \| Harness harness v3.3.0 Login Endpoint Brute-Force https://github.com/August829/Yu/blob/main/58ead8e7e08bfb020.md https://github.com/August829/Yu/blob/main/58ead8e7e08bfb020.md#poc |
| ZTE--T5400 | There is an information disclosure vulnerability in ZTE T5400. Due to improper configuration of the access control mechanism, attackers can obtain information through interfaces without authorization, causing the risk of information disclosure. | 2025-09-16 | 3.5 | CVE-2025-26710 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1441846006241435667 |
| PowerDNS--DNSdist | In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. | 2025-09-18 | 3.7 | CVE-2025-30187 | https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html |
| n/a--Tor | A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17. Impacted is an unknown function of the component Onion Service Descriptor Handler. Performing manipulation results in resource consumption. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. Upgrading to version 0.4.8.18 and 0.4.9.3-alpha is recommended to address this issue. It is recommended to upgrade the affected component. | 2025-09-18 | 3.7 | CVE-2025-4444 | VDB-324814 \| Tor Onion Service Descriptor resource consumption VDB-324814 \| CTI Indicators (IOB, IOC, TTP) Submit #640605 \| Tor ≤ 0.4.8 Memory Management vulnerability https://github.com/chunmianwang/Tordos https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes https://forum.torproject.org/t/alpha-and-stable-release-0-4-8-18-and-0-4-9-3-alpha/20578 |
| pspete--psPAS | psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' position could manipulate the TLS handshake and downgrade TLS to a deprecated protocol. Fixed in 7.0.209. | 2025-09-16 | 3.1 | CVE-2025-59270 | url url url url |
| feiskyer--mcp-kubernetes-server | feiskyer mcp-kubernetes-server through 0.1.11 does not consider chained commands in the implementation of --disable-write and --disable-delete, e.g., it allows a "kubectl version; kubectl delete pod" command because the first word (i.e., "version") is not a write or delete operation. | 2025-09-15 | 3.7 | CVE-2025-59376 | https://github.com/feiskyer/mcp-kubernetes-server/blob/78957b6c1a3982080cf6fcaac6f6e9014116a71c/src/mcp_kubernetes_server/main.py#L106-L137 https://github.com/william31212/CVE-Requests-1896609 |
| feiskyer--mcp-kubernetes-server | feiskyer mcp-kubernetes-server through 0.1.11 allows OS command injection, even in read-only mode, via /mcp/kubectl because shell=True is used. NOTE: this is unrelated to mcp-server-kubernetes and CVE-2025-53355. | 2025-09-15 | 3.7 | CVE-2025-59377 | https://github.com/feiskyer/mcp-kubernetes-server/blob/78957b6c1a3982080cf6fcaac6f6e9014116a71c/src/mcp_kubernetes_server/command.py#L38 https://github.com/william31212/CVE-Requests-1896609 |
| EVerest--libocpp | The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw. | 2025-09-15 | 3.1 | CVE-2025-59398 | https://github.com/EVerest/everest-core/issues/1152 https://github.com/EVerest/everest-core/commit/253432ae7458ad0445f68f9d716086090c2be49c https://github.com/EVerest/libocpp/compare/v0.26.1...v0.26.2 https://github.com/EVerest/libocpp/commit/fb391b4ff16a0a07150e5a8eebf0856fb6623cbe https://github.com/EVerest/libocpp/pull/1052 |
| EVerest--libocpp | libocpp before 0.28.0 allows a denial of service (EVerest crash) because a secondary exception is thrown during error message generation. | 2025-09-15 | 3.1 | CVE-2025-59399 | https://github.com/EVerest/libocpp/commit/0b84d7f9fb3c338d470770f220a7b7f21db78878 https://github.com/EVerest/libocpp/compare/v0.27.1...v0.28.0 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, a client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, the data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+. | 2025-09-17 | 3.1 | CVE-2025-59414 | https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6 https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595 |
| fedorindutny--ip | The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. | 2025-09-16 | 3.2 | CVE-2025-59436 | https://cosmosofcyberspace.github.io/CVE-Application-Document.html https://github.com/indutny/node-ip/issues/160 |
| fedorindutny--ip | The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable). | 2025-09-16 | 3.2 | CVE-2025-59437 | https://cosmosofcyberspace.github.io/CVE-Application-Document.html https://github.com/indutny/node-ip/tags |
| clickstudios--Passwordstate | Click Studios Passwordstate before 9.9 Build 9972 has a potential authentication bypass for Passwordstate emergency access. By using a crafted URL while on the Emergency Access web page, an unauthorized person can gain access to the Passwordstate Administration section. | 2025-09-16 | 3.2 | CVE-2025-59453 | https://www.clickstudios.com.au/passwordstate-changelog.aspx https://www.clickstudios.com.au/security/advisories/ |
| PureVPN--PureVPN | PureVPN client applications on Linux through September 2025 allow IPv6 traffic to leak outside the VPN tunnel upon network events such as Wi-Fi reconnect or system resume. In the CLI client, the VPN auto-reconnects and claims to be connected, but IPv6 traffic is no longer routed or blocked. In the GUI client, the IPv6 connection remains functional after disconnection until the user clicks Reconnect. In both cases, the real IPv6 address is exposed to external services, violating user privacy and defeating the advertised IPv6 leak protection. This affects CLI 2.0.1 and GUI 2.10.0. | 2025-09-18 | 3.7 | CVE-2025-59691 | https://anagogistis.com/posts/purevpn-ipv6-leak/ |
| PureVPN--PureVPN | PureVPN client applications on Linux through September 2025 mishandle firewalling. They flush the system's existing iptables rules and apply default ACCEPT policies when connecting to a VPN server. This removes firewall rules that may have been configured manually or by other software (e.g., UFW, container engines, or system security policies). Upon VPN disconnect, the original firewall state is not restored. As a result, the system may become unintentionally exposed to network traffic that was previously blocked. This affects CLI 2.0.1 and GUI 2.10.0. | 2025-09-18 | 3.7 | CVE-2025-59692 | https://anagogistis.com/posts/purevpn-ipv6-leak/ |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration | 2025-09-19 | 3.1 | CVE-2025-9081 | https://mattermost.com/security-updates |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs | 2025-09-15 | 3.1 | CVE-2025-9084 | https://mattermost.com/security-updates |
| n/a--IbuyuCMS | A vulnerability was identified in IbuyuCMS up to 2.6.3. Impacted is an unknown function of the file /admin/article.php?a=mod of the component Add Article Page. The manipulation of the argument Title leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-09-15 | 2.4 | CVE-2025-10434 | VDB-323868 \| IbuyuCMS Add Article article.php cross site scripting VDB-323868 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #647590 \| ibuyucms ibuyucms_v2.6.3 v2.6.3 Doubled Character XSS Manipulations https://github.com/Upgradeextension/ibuyu/blob/main/README.md |
| n/a--htmly | A security vulnerability has been detected in htmly up to 3.1.0. The impacted element is an unknown function of the file /htmly/admin/field/post of the component Custom Field Handler. Such manipulation of the argument label leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-09-21 | 2.4 | CVE-2025-10758 | VDB-325113 \| htmly Custom Field post cross site scripting VDB-325113 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #645806 \| Htmly Htmly CMS 3.1.0 Cross Site Scripting https://www.notion.so/inmog/Reported-Vulnerability-XSS-Vulnerability-in-htmly-v3-1-0-2627752d1edd804fbd71f310bde44d11 |
| Alludo--MindManager | In Alludo MindManager before 25.0.208 on Windows, attackers could potentially execute code as other local users on the same machine if they could write DLL files to directories within victims' DLL search paths. | 2025-09-16 | 2.2 | CVE-2025-30075 | https://pastebin.com/5CaNfyGH |
| InterSystems Corporation--InterSystems Caché | A stack-based buffer overflow exists in the UtilConfigHome.csp endpoint of InterSystems Caché 2009.1. The vulnerability is triggered by sending a specially crafted HTTP GET request containing an oversized argument to the .csp handler. Due to insufficient bounds checking, the input overflows a stack buffer, allowing an attacker to overwrite control structures and execute arbitrary code. It is unknown if this vulnerability was patched and an affected version range remains undefined. | 2025-09-16 | not yet calculated | CVE-2009-20005 | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/intersystems_cache.rb https://www.exploit-db.com/exploits/16807 https://www.juniper.net/us/en/threatlabs/ips-signatures/detail.APP:INTERSYSTEMS-CACHE-OF.html https://www.intersystems.com/products/cache/ https://www.vulncheck.com/advisories/intersystems-cache-stack-buffer-overflow |
| osCommerce--osCommerce | osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server. | 2025-09-16 | not yet calculated | CVE-2009-20006 | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb https://www.exploit-db.com/exploits/9556 https://www.exploit-db.com/exploits/16899 https://www.oscommerce.com/ https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution |
| Talkative--Talkative IRC | Talkative IRC v0.4.4.16 is vulnerable to a stack-based buffer overflow when processing specially crafted response strings sent to a connected client. An attacker can exploit this flaw by sending an overly long message that overflows a fixed-length buffer, potentially leading to arbitrary code execution in the context of the vulnerable process. This vulnerability is exploitable remotely and does not require authentication. | 2025-09-16 | not yet calculated | CVE-2009-20007 | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/misc/talkative_response.rb https://www.exploit-db.com/exploits/8227 https://www.exploit-db.com/exploits/16459 https://www.zeroscience.mk/en/vulnerabilities/ZSL-2009-4909.php https://web.archive.org/web/20090116203306/http://www.talkative-irc.com/ https://www.vulncheck.com/advisories/talkative-irc-response-buffer-overflow |
| General Bytes--Crypto Application Server (CAS) | General Bytes Crypto Application Server (CAS) beginning with version 20201208 prior to 20220531.38 (backport) and 20220725.22 (mainline) contains an authentication bypass in the admin web interface. An unauthenticated attacker could invoke the same URL used by the product's default-installation / first-admin creation page and create a new administrative account remotely. By gaining admin privileges, the attacker can change the ATM configuration resulting in redirected funds. Public vendor advisories and multiple independent writeups describe the vulnerability as a call to the page used for initial/default installation / first administration user creation; General Bytes has not publicly published the exact endpoint/parameter name. The issue was actively exploited in the wild against cloud-hosted and standalone CAS deployments (scanning exposed CAS instances on ports 7777/443), and publicly acknowledged by the General Bytes in September 2022. | 2025-09-19 | not yet calculated | CVE-2022-4980 | https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2785509377/Security%2BIncident%2B https://www.halborn.com/blog/post/explained-the-general-bytes-bitcoin-atm-hack-august-2022 https://news.sophos.com/en-us/2022/08/23/bitcoin-atms-leeched-by-attackers-who-created-fake-admin-accounts/ https://www.incibe.es/en/incibe-cert/publications/cybersecurity-highlights/0day-vulnerability-exploited-general-bytes https://thehackernews.com/2022/08/hackers-stole-crypto-from-bitcoin-atms.html https://www.vulncheck.com/advisories/general-bytes-cas-unauth-creation-of-admin-account-via-default-installation-first-admin-page |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: defer registered files gc to io_uring release Instead of putting io_uring's registered files in unix_gc() we want it to be done by io_uring itself. The trick here is to consider io_uring registered files for cycle detection but not actually putting them down. Because io_uring can't register other ring instances, this will remove all refs to the ring file triggering the ->release path and clean up with io_ring_ctx_free(). [axboe: add kerneldoc comment to skb, fold in skb leak fix] | 2025-09-15 | not yet calculated | CVE-2022-50234 | https://git.kernel.org/stable/c/04df9719df1865f6770af9bc7880874af0e594b2 https://git.kernel.org/stable/c/c378c479c5175833bb22ff71974cda47d7b05401 https://git.kernel.org/stable/c/813d8fe5d30388f73a21d3a2bf46b0a1fd72498c https://git.kernel.org/stable/c/b4293c01ee0d0ecdd3cb5801e13f62271144667a https://git.kernel.org/stable/c/75e94c7e8859e58aadc15a98cc9704edff47d4f2 https://git.kernel.org/stable/c/0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv2 READDIR Restore the previous limit on the @count argument to prevent a buffer overflow attack. | 2025-09-15 | not yet calculated | CVE-2022-50235 | https://git.kernel.org/stable/c/0e57d696f60dee6117a8ace0cac7c5761d375277 https://git.kernel.org/stable/c/dc7f225090c29a5f3b9419b1af32846a201555e7 https://git.kernel.org/stable/c/c2a878095b5c6f04f90553a3c45872f990dab14e https://git.kernel.org/stable/c/f59c74df82f6ac9d2ea4e01aa3ae7c6c4481652d https://git.kernel.org/stable/c/00b4492686e0497fdb924a9d4c8f6f99377e176c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Fix crash on isr after kexec() If the system is rebooted via isr(), the IRQ handler might be triggered before the domain is initialized, resulting in an invalid memory access error. Fix: [ 0.500930] Unable to handle kernel read from unreadable memory at virtual address 0000000000000070 [ 0.501166] Call trace: [ 0.501174] report_iommu_fault+0x28/0xfc [ 0.501180] mtk_iommu_isr+0x10c/0x1c0 [ joro: Fixed spelling in commit message ] | 2025-09-15 | not yet calculated | CVE-2022-50236 | https://git.kernel.org/stable/c/f13acee780cedb3e06a6dadf64d9104cccd2b9fc https://git.kernel.org/stable/c/85cc8a187f2de7a91e2cea522e9406fa12999269 https://git.kernel.org/stable/c/00ef8885a945c37551547d8ac8361cacd20c4e42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix writes in read-only memory region This commit fixes a kernel oops because of a write in some read-only memory: [ 9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8 ..snip.. [ 9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP ..snip.. [ 9.269161] Call trace: [ 9.276271] __memcpy+0x5c/0x230 [ 9.278531] snprintf+0x58/0x80 [ 9.282002] qcom_cpufreq_msm8939_name_version+0xb4/0x190 [ 9.284869] qcom_cpufreq_probe+0xc8/0x39c ..snip.. The following line defines a pointer that point to a char buffer stored in read-only memory: char *pvs_name = "speedXX-pvsXX-vXX"; This pointer is meant to hold a template "speedXX-pvsXX-vXX" where the XX values get overridden by the qcom_cpufreq_krait_name_version function. Since the template is actually stored in read-only memory, when the function executes the following call we get an oops: snprintf(*pvs_name, sizeof("speedXX-pvsXX-vXX"), "speed%d-pvs%d-v%d", speed, pvs, pvs_ver); To fix this issue, we instead store the template name onto the stack by using the following syntax: char pvs_name_buffer[] = "speedXX-pvsXX-vXX"; Because the `pvs_name` needs to be able to be assigned to NULL, the template buffer is stored in the pvs_name_buffer and not under the pvs_name variable. | 2025-09-15 | not yet calculated | CVE-2022-50239 | https://git.kernel.org/stable/c/794ded0bc461287a268bed21fea2eebb6e5d232c https://git.kernel.org/stable/c/14d260f94ff89543597ffea13db8b277a810e08e https://git.kernel.org/stable/c/b74ee4e301ca01e431e240c046173332966e2431 https://git.kernel.org/stable/c/01039fb8e90c9cb684430414bff70cea9eb168c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: [...] To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests. Note this patch is specific to stable branches 5.4 and 5.10. Since in newer kernel releases binder no longer caches a pointer to the vma. Instead, it has been refactored to use vma_lookup() which avoids the issue described here. This switch was introduced in commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA"). | 2025-09-15 | not yet calculated | CVE-2022-50240 | https://git.kernel.org/stable/c/015ac18be7de25d17d6e5f1643cb3b60bfbe859e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: fix use-after-free on source server when doing inter-server copy Use-after-free occurred when the laundromat tried to free expired cpntf_state entry on the s2s_cp_stateids list after inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed. When COPY completes, the Linux client normally sends LOCKU(lock_state x), FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state from the s2s_cp_stateids list before freeing the lock state's stid. However, sometimes the CLOSE was sent before the FREE_STATEID request. When this happens, the nfsd4_close_open_stateid call from nfsd4_close frees all lock states on its st_locks list without cleaning up the copy state on the sc_cp_list list. When the time the FREE_STATEID arrives the server returns BAD_STATEID since the lock state was freed. This causes the use-after-free error to occur when the laundromat tries to free the expired cpntf_state. This patch adds a call to nfs4_free_cpntf_statelist in nfsd4_close_open_stateid to clean up the copy state before calling free_ol_stateid_reaplist to free the lock state's stid on the reaplist. | 2025-09-15 | not yet calculated | CVE-2022-50241 | https://git.kernel.org/stable/c/bbacfcde5fff25ac22597e8373a065c647da6738 https://git.kernel.org/stable/c/83b94969751a691347606dbe6b1865efcfa5a643 https://git.kernel.org/stable/c/6ea71246b7a02af675d733e72d14bd0d591d5f4a https://git.kernel.org/stable/c/35aa0fb8c3033a3d78603356e96fc18c5b9cceb2 https://git.kernel.org/stable/c/019805fea91599b22dfa62ffb29c022f35abeb06 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp needs to be freed. | 2025-09-15 | not yet calculated | CVE-2022-50242 | https://git.kernel.org/stable/c/15770edc01edfce773269e8a443ca8e420f6f859 https://git.kernel.org/stable/c/0aefadf23ee5e33b747df195ace42d3be2025e4e https://git.kernel.org/stable/c/132c502919bb08e16e3054cb28bb7b149ec20cf5 https://git.kernel.org/stable/c/a44490abaf00f5b0cc5c448a17eae331c6195d0a https://git.kernel.org/stable/c/14b349a15c297cf3e01b5deb4116f7cf297b6184 https://git.kernel.org/stable/c/8399b9893548c03fdb18be277bf99d985dbde925 https://git.kernel.org/stable/c/aa2d179544b6815b4a23c0c44543ba0971d49fce https://git.kernel.org/stable/c/dcae92a249551d1a447804b4be1c9fab0e8c95e8 https://git.kernel.org/stable/c/01de1123322e4fe1bbd0fcdf0982511b55519c03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: handle the error returned from sctp_auth_asoc_init_active_key When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freed while it's still used as active key in asoc. Then a use-after-free will be triggered when sending packets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens. | 2025-09-15 | not yet calculated | CVE-2022-50243 | https://git.kernel.org/stable/c/b8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40 https://git.kernel.org/stable/c/382ff44716603a54f5fd238ddec6a2468e217612 https://git.kernel.org/stable/c/f65955340e0044f5c41ac799a01698ac7dee8a4e https://git.kernel.org/stable/c/19d636b663e0e92951bba5fced929ca7fd25c552 https://git.kernel.org/stable/c/0f90099d18e3abdc01babf686f41f63fe04939c1 https://git.kernel.org/stable/c/3b0fcf5e29c0940e1169ce9c44f73edd98bdf12d https://git.kernel.org/stable/c/022152aaebe116a25c39818a07e175a8cd3c1e11 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() If device_register() fails in cxl_pci_afu|adapter(), the device is not added, device_unregister() can not be called in the error path, otherwise it will cause a null-ptr-deref because of removing not added device. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So split device_unregister() into device_del() and put_device(), then goes to put dev when register fails. | 2025-09-15 | not yet calculated | CVE-2022-50244 | https://git.kernel.org/stable/c/82e68432668ae75b4c814d160f6987ecb0681273 https://git.kernel.org/stable/c/82e5481428faf11c79b9c094dd24a1849bbf64ac https://git.kernel.org/stable/c/c4b2e35df919d99bbbed033c2fa0b607f9f463b5 https://git.kernel.org/stable/c/361412dae1690d4b5df6f92fc943cdc773c95cbc https://git.kernel.org/stable/c/0f63c0ddc2ea20d783d29243f4dbe0f9e95dfdec https://git.kernel.org/stable/c/22511eefa61db26e12c97dd7ada3071dbdfcb004 https://git.kernel.org/stable/c/139abd4c626a6f7ce02789ed5f73aa2256e0542b https://git.kernel.org/stable/c/2f5fd31b2f24b9b8a80ab566fd8c4e1e94cb4339 https://git.kernel.org/stable/c/02cd3032b154fa02fdf90e7467abaeed889330b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible UAF when kfifo_alloc() fails If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free priv. But priv is still in the chdev->file_list, then list traversal may cause UAF. This fixes the following smatch warning: drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list | 2025-09-15 | not yet calculated | CVE-2022-50245 | https://git.kernel.org/stable/c/2a6c75adf8192f07ddcdd4a1a13488c890a73919 https://git.kernel.org/stable/c/2dfd60724d271a6ab99f93f40f38f2ced1ddbb87 https://git.kernel.org/stable/c/a253dde0403a153075ffb254f6f7b2635e49e97a https://git.kernel.org/stable/c/311b488405ac45af46756b1c8f1d27007b68b07e https://git.kernel.org/stable/c/5ee850645e42f541ce1ea8130c2b27cc495f965c https://git.kernel.org/stable/c/2f5cc7fd73fd6253cc71214f0dd499cc62feb469 https://git.kernel.org/stable/c/2ba06e57f933f0eac242e8b389433da1cc00d4d5 https://git.kernel.org/stable/c/cb87af2c19c0993f6e21f75b963a5599c5a73e76 https://git.kernel.org/stable/c/02d7d89f816951e0862147d751b1150d67aaebdd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() I got the following report while doing device(mt6370-tcpc) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@34/tcpc/connector The 'fwnode' set in tcpci_parse_config() which is called in tcpci_register_port(), its node refcount is increased in device_get_named_child_node(). It needs be put while exiting, so call fwnode_handle_put() in the error path of tcpci_register_port() and in tcpci_unregister_port() to avoid leak. | 2025-09-15 | not yet calculated | CVE-2022-50246 | https://git.kernel.org/stable/c/4f257e2eba419ab4cd880c822346450e4e7b2af3 https://git.kernel.org/stable/c/d3b6c28a71f111a6c67ddc3238aab95910fd86cf https://git.kernel.org/stable/c/ba75be6f0d9d028d20852564206565a4c03e3288 https://git.kernel.org/stable/c/e75a324409715bd71348f79a49aa61b69dbeb676 https://git.kernel.org/stable/c/5f125507d2270035dfcf83fbff6cff5a143e200c https://git.kernel.org/stable/c/0384e87e3fec735e47f1c133c796f32ef7a72a9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq Can not set the @shared_hcd to NULL before decrease the usage count by usb_put_hcd(), this will cause the shared hcd not released. | 2025-09-15 | not yet calculated | CVE-2022-50247 | https://git.kernel.org/stable/c/ffb14aac2658873050671198543b9b8194149c14 https://git.kernel.org/stable/c/05680a91ae60ddd0319e6618456f0883b5dd765d https://git.kernel.org/stable/c/c8e7463844888dc8344bbb9cbad88cdce9cb8077 https://git.kernel.org/stable/c/03a88b0bafbe3f548729d970d8366f48718c9b19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double free on tx path. We see kernel crashes and lockups and KASAN errors related to ax210 firmware crashes. One of the KASAN dumps pointed at the tx path, and it appears there is indeed a way to double-free an skb. If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the method will be freed. But, in case where we build TSO skb buffer, the skb may also be freed in error case. So, return 0 in that particular error case and do cleanup manually. ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50248 | https://git.kernel.org/stable/c/0e1e311fd929c6a8dcfddcb4748c47b07e39821f https://git.kernel.org/stable/c/ae966649f665bc3868b935157dd4a3c31810dcc0 https://git.kernel.org/stable/c/d8e32f1bf1a9183a6aad560c6688500222d24299 https://git.kernel.org/stable/c/8fabe41fba907e4fd826acbbdb42e09c681c515e https://git.kernel.org/stable/c/3a2ecd1ec14075117ccb3e85f0fed224578ec228 https://git.kernel.org/stable/c/0473cbae2137b963bd0eaa74336131cb1d3bc6c3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: memory: of: Fix refcount leak bug in of_get_ddr_timings() We should add the of_node_put() when breaking out of for_each_child_of_node() as it will automatically increase and decrease the refcount. | 2025-09-15 | not yet calculated | CVE-2022-50249 | https://git.kernel.org/stable/c/a4d0bd4388e1a39df47e8aaa044ef6a7ee626e48 https://git.kernel.org/stable/c/a4f7eb83852a65b6f8dea7dcc42b7c76d4d9b0a3 https://git.kernel.org/stable/c/68c9c4e6495b825be3a8946df1a0148399555fe4 https://git.kernel.org/stable/c/85a40bfb8e7a170abcf9dae2c0898a1983e48daa https://git.kernel.org/stable/c/daaec4b3fe2297b022c6b2d6bf48b6e5265a60b9 https://git.kernel.org/stable/c/2680690f9ce4e6abbb4f559e97271c15b7eeda97 https://git.kernel.org/stable/c/62ccab6e3376f8a22167c3b81468ae4f3e7d25f1 https://git.kernel.org/stable/c/1c6cac6fa4d08aea161f83d38117d733b3c3a000 https://git.kernel.org/stable/c/05215fb32010d4afb68fbdbb4d237df6e2d4567b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix use_count leakage when handling boot-on I found a use_count leakage towards supply regulator of rdev with boot-on option. ┌───────────────────┐ ┌───────────────────┐ │ regulator_dev A │ │ regulator_dev B │ │ (boot-on) │ │ (boot-on) │ │ use_count=0 │◀──supply──│ use_count=1 │ │ │ │ │ └───────────────────┘ └───────────────────┘ In case of rdev(A) configured with `regulator-boot-on', the use_count of supplying regulator(B) will increment inside regulator_enable(rdev->supply). Thus, B will acts like always-on, and further balanced regulator_enable/disable cannot actually disable it anymore. However, B was also configured with `regulator-boot-on', we wish it could be disabled afterwards. | 2025-09-15 | not yet calculated | CVE-2022-50250 | https://git.kernel.org/stable/c/dc3391d49479bc2bf8a2b88dbf86fdd800882fee https://git.kernel.org/stable/c/5bfc53df288e8ea54ca6866fb92034214940183f https://git.kernel.org/stable/c/4b737246ff50f810d6ab4be13c1388a07f0c14b1 https://git.kernel.org/stable/c/feb847e6591e8c7a09cc39721cc9ca74fd9a5d80 https://git.kernel.org/stable/c/4dd6e1cc9c7403f1ee1b7eee85bc31b797ae8347 https://git.kernel.org/stable/c/bc6c381df5793ebcf32db88a3e65acf7870379fc https://git.kernel.org/stable/c/0591b14ce0398125439c759f889647369aa616a0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. And this patch fixes another missing call mmc_free_host() if usb_control_msg() fails. | 2025-09-15 | not yet calculated | CVE-2022-50251 | https://git.kernel.org/stable/c/41ed46bdbd2878cd6567abe0974a445f8b1b8ec8 https://git.kernel.org/stable/c/25f05d762ca5e1c685002a53dd44f68e78ca3feb https://git.kernel.org/stable/c/a46e681151bbdacdf6b89ee8c4e5bad0555142bb https://git.kernel.org/stable/c/3b29f8769d32016b2d89183db4d80c7a71b7e35e https://git.kernel.org/stable/c/3049a3b927a40d89d4582ff1033cd7953be773c7 https://git.kernel.org/stable/c/afc898019e7bf18c5eb7a0ac19852fcb1b341b3c https://git.kernel.org/stable/c/c9e85979b59cb86f0a15defa8199d740e2b36b90 https://git.kernel.org/stable/c/2044b2ea77945f372ef161d1bbf814e471767ff2 https://git.kernel.org/stable/c/0613ad2401f88bdeae5594c30afe318e93b14676 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: igb: Do not free q_vector unless new one was allocated Avoid potential use-after-free condition under memory pressure. If the kzalloc() fails, q_vector will be freed but left in the original adapter->q_vector[v_idx] array position. | 2025-09-15 | not yet calculated | CVE-2022-50252 | https://git.kernel.org/stable/c/64ca1969599857143e91aeec4440640656100803 https://git.kernel.org/stable/c/0200f0fbb11e359cc35af72ab10b2ec224e6f633 https://git.kernel.org/stable/c/68e8adbcaf7a8743e473343b38b9dad66e2ac6f3 https://git.kernel.org/stable/c/f96bd8adc8adde25390965a8c1ee81b73cb62075 https://git.kernel.org/stable/c/3cb18dea11196fb4a06f78294cec5e61985e1aff https://git.kernel.org/stable/c/314f7092b27749bdde44c14095b5533afa2a3bc8 https://git.kernel.org/stable/c/6e399577bd397a517df4b938601108c63769ce0a https://git.kernel.org/stable/c/56483aecf6b22eb7dff6315b3a174688c6ad494c https://git.kernel.org/stable/c/0668716506ca66f90d395f36ccdaebc3e0e84801 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: make sure skb->len != 0 when redirecting to a tunneling device syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit: [...] The reproducer doesn't really reproduce outside of syzkaller environment, so I'm taking a guess here. It looks like we do generate correct ETH_HLEN-sized packet, but we redirect the packet to the tunneling device. Before we do so, we __skb_pull l2 header and arrive again at skb->len == 0. Doesn't seem like we can do anything better than having an explicit check after __skb_pull? | 2025-09-15 | not yet calculated | CVE-2022-50253 | https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797 https://git.kernel.org/stable/c/e6a63203e5a90a39392fa1a7ffc60f5e9baf642a https://git.kernel.org/stable/c/772431f30ca040cfbf31b791d468bac6a9ca74d3 https://git.kernel.org/stable/c/6d935a02658be82585ecb39aab339faa84496650 https://git.kernel.org/stable/c/5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5 https://git.kernel.org/stable/c/1b65704b8c08ae92db29f720d3b298031131da53 https://git.kernel.org/stable/c/f186303845a01cc7e991f9dc51d7e5a3cdc7aedb https://git.kernel.org/stable/c/07ec7b502800ba9f7b8b15cb01dd6556bb41aaca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ov8865: Fix an error handling path in ov8865_probe() The commit in Fixes also introduced some new error handling which should goto the existing error handling path. Otherwise some resources leak. | 2025-09-15 | not yet calculated | CVE-2022-50254 | https://git.kernel.org/stable/c/1f55a2273a7b41895ea6272e51ccb1d797cfd39b https://git.kernel.org/stable/c/080e0b7404850406628674b07286f16cc389a892 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix reading strings from synthetic events The following commands caused a crash: # cd /sys/kernel/tracing # echo 's:open char file[]' > dynamic_events # echo 'hist:keys=common_pid:file=filename:onchange($file).trace(open,$file)' > events/syscalls/sys_enter_openat/trigger' # echo 1 > events/synthetic/open/enable BOOM! The problem is that the synthetic event field "char file[]" will read the value given to it as a string without any memory checks to make sure the address is valid. The above example will pass in the user space address and the synthetic event code will happily call strlen() on it and then strscpy() where either one will cause an oops when accessing user space addresses. Use the helper functions from trace_kprobe and trace_eprobe that can read strings safely (and actually succeed when the address is from user space and the memory is mapped in). Now the above can show: packagekitd-1721 [000] ...2. 104.597170: open: file=/usr/lib/rpm/fileattrs/cmake.attr in:imjournal-978 [006] ...2. 104.599642: open: file=/var/lib/rsyslog/imjournal.state.tmp packagekitd-1721 [000] ...2. 104.626308: open: file=/usr/lib/rpm/fileattrs/debuginfo.attr | 2025-09-15 | not yet calculated | CVE-2022-50255 | https://git.kernel.org/stable/c/d9c79fbcbdb6cb10c07c85040eaf615180b26c48 https://git.kernel.org/stable/c/149198d0b884e4606ed1d29b330c70016d878276 https://git.kernel.org/stable/c/f8bae1853196b52ede50950387f5b48cf83b9815 https://git.kernel.org/stable/c/0934ae9977c27133449b6dd8c6213970e7eece38 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/meson: remove drm bridges at aggregate driver unbind time drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init were not manually removed at module unload time, which caused dangling references to freed memory to remain linked in the global bridge_list. When loading the driver modules back in, the same functions would again call drm_bridge_add, and when traversing the global bridge_list, would end up peeking into freed memory. Once again KASAN revealed the problem: ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50256 | https://git.kernel.org/stable/c/de2b6ebe0cb7746b5b6b35d79e150d934392b958 https://git.kernel.org/stable/c/fc1fd114dde3d2623ac37676df3d74ffeedb0da8 https://git.kernel.org/stable/c/09847723c12fc2753749cec3939a02ee92dac468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xen/gntdev: Prevent leaking grants Prior to this commit, if a grant mapping operation failed partially, some of the entries in the map_ops array would be invalid, whereas all of the entries in the kmap_ops array would be valid. This in turn would cause the following logic in gntdev_map_grant_pages to become invalid: for (i = 0; i < map->count; i++) { if (map->map_ops[i].status == GNTST_okay) { map->unmap_ops[i].handle = map->map_ops[i].handle; if (!use_ptemod) alloced++; } if (use_ptemod) { if (map->kmap_ops[i].status == GNTST_okay) { if (map->map_ops[i].status == GNTST_okay) alloced++; map->kunmap_ops[i].handle = map->kmap_ops[i].handle; } } } ... atomic_add(alloced, &map->live_grants); Assume that use_ptemod is true (i.e., the domain mapping the granted pages is a paravirtualized domain). In the code excerpt above, note that the "alloced" variable is only incremented when both kmap_ops[i].status and map_ops[i].status are set to GNTST_okay (i.e., both mapping operations are successful). However, as also noted above, there are cases where a grant mapping operation fails partially, breaking the assumption of the code excerpt above. The aforementioned causes map->live_grants to be incorrectly set. In some cases, all of the map_ops mappings fail, but all of the kmap_ops mappings succeed, meaning that live_grants may remain zero. This in turn makes it impossible to unmap the successfully grant-mapped pages pointed to by kmap_ops, because unmap_grant_pages has the following snippet of code at its beginning: if (atomic_read(&map->live_grants) == 0) return; /* Nothing to do */ In other cases where only some of the map_ops mappings fail but all kmap_ops mappings succeed, live_grants is made positive, but when the user requests unmapping the grant-mapped pages, __unmap_grant_pages_done will then make map->live_grants negative, because the latter function does not check if all of the pages that were requested to be unmapped were actually unmapped, and the same function unconditionally subtracts "data->count" (i.e., a value that can be greater than map->live_grants) from map->live_grants. The side effects of a negative live_grants value have not been studied. The net effect of all of this is that grant references are leaked in one of the above conditions. In Qubes OS v4.1 (which uses Xen's grant mechanism extensively for X11 GUI isolation), this issue manifests itself with warning messages like the following to be printed out by the Linux kernel in the VM that had granted pages (that contain X11 GUI window data) to dom0: "g.e. 0x1234 still pending", especially after the user rapidly resizes GUI VM windows (causing some grant-mapping operations to partially or completely fail, due to the fact that the VM unshares some of the pages as part of the window resizing, making the pages impossible to grant-map from dom0). The fix for this issue involves counting all successful map_ops and kmap_ops mappings separately, and then adding the sum to live_grants. During unmapping, only the number of successfully unmapped grants is subtracted from live_grants. The code is also modified to check for negative live_grants values after the subtraction and warn the user. | 2025-09-15 | not yet calculated | CVE-2022-50257 | https://git.kernel.org/stable/c/b043f2cab100bed3e0a999dcf38cc05b1e4a7e41 https://git.kernel.org/stable/c/49bb053b1ec367b6883030eb2cca696e91435679 https://git.kernel.org/stable/c/cb1ccfe7655380f77a58b340072f5f40bc285902 https://git.kernel.org/stable/c/3d056d81b93a787613eda44aeb21fc14c3392b34 https://git.kernel.org/stable/c/49db6cb81400ba863e1a85e55fcdf1031807c23f https://git.kernel.org/stable/c/1cb73704cb4778299609634a790a80daba582f7d https://git.kernel.org/stable/c/0bccddd9b8f03ad57bb738f0d3da8845d4e1e579 https://git.kernel.org/stable/c/273f6a4f71be12e2ec80a4919837d6e4fa933a04 https://git.kernel.org/stable/c/0991028cd49567d7016d1b224fe0117c35059f86 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() This patch fixes a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware version string by memcpy() in brcmf_fil_iovar_data_get(). The patch ensures buf is null-terminated. Found by a modified version of syzkaller. BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0 ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50258 | https://git.kernel.org/stable/c/89243a7b0ea19606ba1c2873c9d569026ccb344f https://git.kernel.org/stable/c/d481fd6064bf215d7c5068e15aa390c3b16c9cd0 https://git.kernel.org/stable/c/17dbe90e13f52848c460d253f15b765038ec6dc0 https://git.kernel.org/stable/c/d6ef66194bb4a6c18f5b9649bf62597909b040e4 https://git.kernel.org/stable/c/3a3a5e3f94068cd562d62a57da6983c8cd07d53c https://git.kernel.org/stable/c/881f50d76c3892262730ddf5c894eb00310e736c https://git.kernel.org/stable/c/ba166e0ebdde3dfa833f0a3edaf2b2934d4a87f7 https://git.kernel.org/stable/c/0a06cadcc2a0044e4a117cc0e61436fc3a0dad69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: fix race in sock_map_free() sock_map_free() calls release_sock(sk) without owning a reference on the socket. This can cause use-after-free as syzbot found [1] Jakub Sitnicki already took care of a similar issue in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free") [1] refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 | 2025-09-15 | not yet calculated | CVE-2022-50259 | https://git.kernel.org/stable/c/4cabc3af4a6f36c222fecb15858c1060e59218e7 https://git.kernel.org/stable/c/be719496ae6a7fc325e9e5056a52f63ebc84cc0c https://git.kernel.org/stable/c/a443c55d96dede82a724df6e70a318ad15c199e1 https://git.kernel.org/stable/c/e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62 https://git.kernel.org/stable/c/5c3568166129bc73fd6b37748d2d8f95cd8f22f3 https://git.kernel.org/stable/c/0a182f8d607464911756b4dbef5d6cad8de22469 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Make .remove and .shutdown HW shutdown consistent Drivers' .remove and .shutdown callbacks are executed on different code paths. The former is called when a device is removed from the bus, while the latter is called at system shutdown time to quiesce the device. This means that some overlap exists between the two, because both have to take care of properly shutting down the hardware. But currently the logic used in these two callbacks isn't consistent in msm drivers, which could lead to kernel panic. For example, on .remove the component is deleted and its .unbind callback leads to the hardware being shutdown but only if the DRM device has been marked as registered. That check doesn't exist in the .shutdown logic and this can lead to the driver calling drm_atomic_helper_shutdown() for a DRM device that hasn't been properly initialized. A situation like this can happen if drivers for expected sub-devices fail to probe, since the .bind callback will never be executed. If that is the case, drm_atomic_helper_shutdown() will attempt to take mutexes that are only initialized if drm_mode_config_init() is called during a device bind. This bug was attempted to be fixed in commit 623f279c7781 ("drm/msm: fix shutdown hook in case GPU components failed to bind"), but unfortunately it still happens in some cases as the one mentioned above, i.e: WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0 ... Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50260 | https://git.kernel.org/stable/c/26f9a766f87b33c50ed400a9500cc1dc9aced953 https://git.kernel.org/stable/c/0e6649a2e31ac157c711d583ec8f5ec59da5de0e https://git.kernel.org/stable/c/0a58d2ae572adaec8d046f8d35b40c2c32ac7468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = sti_hda_connector_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = sti_dvo_connector_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = sti_hdmi_connector_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ->mode_valid() in 'struct drm_connector_helper_funcs' expects a return type of 'enum drm_mode_status', not 'int'. Adjust the return type of sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to resolve the warning and CFI failure. | 2025-09-15 | not yet calculated | CVE-2022-50261 | https://git.kernel.org/stable/c/b2c92b2a3801b09b709cbefd9a9e4944b72400bf https://git.kernel.org/stable/c/b4307c7d35e346b909edfdc1f280902150570bb6 https://git.kernel.org/stable/c/8f9941dea3a70b73f2063f9dcc4aaae6af03c5ba https://git.kernel.org/stable/c/511b48ee8e4aec2d03d2af06b363d9eb3230b017 https://git.kernel.org/stable/c/6e3c4d3fa5d458d685561ecbaf8daa9dba14979e https://git.kernel.org/stable/c/a075c21ee026f4a74f9fce5928ea3c8d18a8af13 https://git.kernel.org/stable/c/e578b0906b6a81479cd5b5b6c848a7096addf5e9 https://git.kernel.org/stable/c/04371a75a58422a301a9ff9ae3babd310ac3bb3f https://git.kernel.org/stable/c/0ad811cc08a937d875cbad0149c1bab17f84ba05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Validate BOOT record_size When the NTFS BOOT record_size field < 0, it represents a shift value. However, there is no sanity check on the shift result and the sbi->record_bits calculation through blksize_bits() assumes the size always > 256, which could lead to NPD while mounting a malformed NTFS image. BUG: kernel NULL pointer dereference, address: 0000000000000158 ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50262 | https://git.kernel.org/stable/c/af7a195deae349f15baa765d000a5188920d61dd https://git.kernel.org/stable/c/8702e0dc987014f6d77740b693340f91344fd0ae https://git.kernel.org/stable/c/db91a9c59162a9c56792ded88160442c0a2dabd5 https://git.kernel.org/stable/c/0b66046266690454dc04e6307bcff4a5605b42a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vdpasim: fix memory leak when freeing IOTLBs After commit bda324fd037a ("vdpasim: control virtqueue support"), vdpasim->iommu became an array of IOTLB, so we should clean the mappings of each free one by one instead of just deleting the ranges in the first IOTLB which may leak maps. | 2025-09-15 | not yet calculated | CVE-2022-50263 | https://git.kernel.org/stable/c/54b210c90d2803a9f1c8fd2f0d08e90172e9a06d https://git.kernel.org/stable/c/16b22e27fba6fd816d0dcb98f42cc71f0836c27e https://git.kernel.org/stable/c/0b7a04a30eef20e6b24926a45c0ce7906ae85bd6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: socfpga: Fix memory leak in socfpga_gate_init() Free @socfpga_clk and @ops on the error path to avoid memory leak issue. | 2025-09-15 | not yet calculated | CVE-2022-50264 | https://git.kernel.org/stable/c/6f2198914fb9aac286a6ff6cf09b23752141e04f https://git.kernel.org/stable/c/3e8fd1d0fab4d5c9a50d225dddc207deac12f13a https://git.kernel.org/stable/c/9de42116fc4540f6a1ceb51fd037b734ab7be12e https://git.kernel.org/stable/c/9f9bb9f5ba9fd501a90f255eb746b4cf2ceeaaae https://git.kernel.org/stable/c/bd72ab5e6fc1c4d3e6b84636141d26a41b977b03 https://git.kernel.org/stable/c/0b8ba891ad4d1ef6bfa4c72efc83f9f9f855f68b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kcm: annotate data-races around kcm->rx_wait kcm->rx_psock can be read locklessly in kcm_rfree(). Annotate the read and writes accordingly. syzbot reported: BUG: KCSAN: data-race in kcm_rcv_strparser / kcm_rfree | 2025-09-15 | not yet calculated | CVE-2022-50265 | https://git.kernel.org/stable/c/dbc3a0b917c4f75292b1c0819c188e40fd3c8924 https://git.kernel.org/stable/c/9ae47f11493509cde707af8ecc7eee04c8b8e635 https://git.kernel.org/stable/c/f1f7122bb2ef056afc6f91ce4c35ab6df1207c8d https://git.kernel.org/stable/c/663682cd3192dd4f3547b7890a4391c72441001d https://git.kernel.org/stable/c/e2a28807b1ceaa309164b92c38d73d12feea33df https://git.kernel.org/stable/c/62086d1c4602e4f2ec07b975165afc2ed0ff1be9 https://git.kernel.org/stable/c/2733fb2ad5bfbe6538f2f93a21f2504e3dba9d6a https://git.kernel.org/stable/c/0c745b5141a45a076f1cb9772a399f7ebcb0948a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kprobes: Fix check for probe enabled in kill_kprobe() In kill_kprobe(), the check whether disarm_kprobe_ftrace() needs to be called always fails. This is because before that we set the KPROBE_FLAG_GONE flag for kprobe so that "!kprobe_disabled(p)" is always false. The disarm_kprobe_ftrace() call was introduced by commit 0cb2f1372baa ("kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler") to fix the NULL pointer reference problem. When the probe is enabled, if we do not disarm it, this problem still exists. Fix it by putting the probe enabled check before setting the KPROBE_FLAG_GONE flag. | 2025-09-15 | not yet calculated | CVE-2022-50266 | https://git.kernel.org/stable/c/f20a067f13106565816b4b6a6b665b2088a63824 https://git.kernel.org/stable/c/c909985dd0c0f74b61e3f8f0e04bf8aa9c8b97c7 https://git.kernel.org/stable/c/0c76ef3f26d5ef2ac2c21b47e7620cff35809fbb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: rtsx_pci: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory that was allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a device that was not added in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path; besides, runtime PM also needs to be disabled. | 2025-09-15 | not yet calculated | CVE-2022-50267 | https://git.kernel.org/stable/c/30dc645461dfc63e52b3af8ee4a98e17bf14bacf https://git.kernel.org/stable/c/5cd4e04eccaec140da6fa04db056a76282ee6852 https://git.kernel.org/stable/c/ffa9b2a79e3e959683efbad3f6db937eca9d38f5 https://git.kernel.org/stable/c/0c87db77423a282b3b38b8a6daf057b822680516 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: moxart: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory that was allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a device that was not added in the remove path. So fix this by checking the return value and going to the error path, which will call mmc_free_host(). | 2025-09-15 | not yet calculated | CVE-2022-50268 | https://git.kernel.org/stable/c/a4c765f5d8e58138cff69f1510b2e8942ec37022 https://git.kernel.org/stable/c/a94d466f31a5201995d39bc1208e2c09ab04f0bf https://git.kernel.org/stable/c/c7e9a2059fb943fc3c3fa12261518fd72a0fc136 https://git.kernel.org/stable/c/b174f2b36c638fc7737df6c8aac1889a646be98f https://git.kernel.org/stable/c/7c3b301ca8b0cab392c71da8fcdfa499074f8e97 https://git.kernel.org/stable/c/f0502fe86a2db2336c9498d2de3e97f22dcf85ae https://git.kernel.org/stable/c/8f8bb62c7c5c833758ef1563fe738afd579c3efe https://git.kernel.org/stable/c/40aa73c70e8a5706f9cbe01409a5e51cc0f1750e https://git.kernel.org/stable/c/0ca18d09c744fb030ae9bc5836c3e357e0237dea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix memory leak in vkms_init() A memory leak was reported after the vkms module install failed. The reason is that the vkms_init() returns without checking the return value of vkms_create(), and if the vkms_create() failed, the config allocated at the beginning of vkms_init() is leaked. vkms_init() config = kmalloc(...) # config allocated ... return vkms_create() # vkms_create failed and config is leaked Fix this problem by checking return value of vkms_create() and free the config if error happened. | 2025-09-15 | not yet calculated | CVE-2022-50269 | https://git.kernel.org/stable/c/bad13de764888b765ceaa4668893b52bd16653cc https://git.kernel.org/stable/c/bebd60ec3bf21062f103e32e6203c6daabdbd51b https://git.kernel.org/stable/c/07ab77154d6fd2d67e465ab5ce30083709950f02 https://git.kernel.org/stable/c/0d0b368b9d104b437e1f4850ae94bdb9a3601e89 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix the assign logic of iocb commit 18ae8d12991b ("f2fs: show more DIO information in tracepoint") introduces iocb field in 'f2fs_direct_IO_enter' trace event And it only assigns the pointer and later it accesses its field in trace print log. Unable to handle kernel paging request at virtual address ffffffc04cef3d30 Fix it by copying the required variables for printing and while at it fix the similar issue at some other places in the same file. | 2025-09-15 | not yet calculated | CVE-2022-50270 | https://git.kernel.org/stable/c/d555aa37566c5c3728f2e52047a9722eae2aed93 https://git.kernel.org/stable/c/b4244ca341ea95c52ee8fa93d04f5af3e584dd37 https://git.kernel.org/stable/c/0db18eec0d9a7ee525209e31e3ac2f673545b12f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: Use kvmalloc/kvfree for larger packets. When copying a large file over sftp over vsock, data size is usually 32kB, and kmalloc seems to fail to try to allocate 32 32kB regions. vhost-5837: page allocation failure: order:4, mode:0x24040c0 Call Trace: [<ffffffffb6a0df64>] dump_stack+0x97/0xdb [<ffffffffb68d6aed>] warn_alloc_failed+0x10f/0x138 [<ffffffffb68d868a>] ? __alloc_pages_direct_compact+0x38/0xc8 [<ffffffffb664619f>] __alloc_pages_nodemask+0x84c/0x90d [<ffffffffb6646e56>] alloc_kmem_pages+0x17/0x19 [<ffffffffb6653a26>] kmalloc_order_trace+0x2b/0xdb [<ffffffffb66682f3>] __kmalloc+0x177/0x1f7 [<ffffffffb66e0d94>] ? copy_from_iter+0x8d/0x31d [<ffffffffc0689ab7>] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock] [<ffffffffc06828d9>] vhost_worker+0xf7/0x157 [vhost] [<ffffffffb683ddce>] kthread+0xfd/0x105 [<ffffffffc06827e2>] ? vhost_dev_set_owner+0x22e/0x22e [vhost] [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3 [<ffffffffb6eb332e>] ret_from_fork+0x4e/0x80 [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3 Work around by doing kvmalloc instead. | 2025-09-15 | not yet calculated | CVE-2022-50271 | https://git.kernel.org/stable/c/0d720c3f0a03e97867deab7e480ba3d3e19837ba https://git.kernel.org/stable/c/7aac8c63f604e6a6a46560c0f0188cd0332cf320 https://git.kernel.org/stable/c/e6d0152c95108651f1880c1ddfab47cb9e3e62d0 https://git.kernel.org/stable/c/b4a5905fd2ef841cd61e969ea692c213c2e5c1f7 https://git.kernel.org/stable/c/e28a4e7f0296824c61a81e7fd54ab48bad3e75ad https://git.kernel.org/stable/c/a99fc6d818161d6f1ff3307de8bf5237f6cc34d8 https://git.kernel.org/stable/c/36c9f340c60413e28f980c0224c4e9d35851526b https://git.kernel.org/stable/c/0e3f72931fc47bb81686020cc643cde5d9cd0bb8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() Wei Chen reports a kernel bug as below: general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] ... Call Trace: <TASK> __i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109 i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170 i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297 i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fd834a8bded In az6027_i2c_xfer(), if msg[i].addr is 0x99, a null-ptr-deref will be caused when accessing msg[i].buf. For msg[i].len is 0 and msg[i].buf is null. Fix this by checking msg[i].len in az6027_i2c_xfer(). | 2025-09-15 | not yet calculated | CVE-2022-50272 | https://git.kernel.org/stable/c/2b6a8a1a32746981044e7ab06649c804acb4068a https://git.kernel.org/stable/c/c712d1ccbfb787620422b437a5b8fac0802547bd https://git.kernel.org/stable/c/7abfe467cd685f5da7ecb415441e45e3e4e2baa8 https://git.kernel.org/stable/c/8b256d23361c51aa4b7fdb71176c1ca50966fb39 https://git.kernel.org/stable/c/559891d430e3f3a178040c4371ed419edbfa7d65 https://git.kernel.org/stable/c/210fcf64be4db82c0e190e74b5111e4eef661a7a https://git.kernel.org/stable/c/6fbc44731a4665cbe92a5090e9804a388a72214b https://git.kernel.org/stable/c/6b60cf73a931af34b7a0a3f467a79d9fe0df2d70 https://git.kernel.org/stable/c/0ed554fd769a19ea8464bb83e9ac201002ef74ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on destination blkaddr during recovery As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216456 loop5: detected capacity change from 0 to 131072 F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1 F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0 F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1 F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0 F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1 F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0 F2FS-fs (loop5): Bitmap was wrongly set, blk:5634 ------------[ cut here ]------------ WARNING: CPU: 3 PID: 1013 at fs/f2fs/segment.c:2198 RIP: 0010:update_sit_entry+0xa55/0x10b0 [f2fs] Call Trace: <TASK> f2fs_do_replace_block+0xa98/0x1890 [f2fs] f2fs_replace_block+0xeb/0x180 [f2fs] recover_data+0x1a69/0x6ae0 [f2fs] f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs] f2fs_fill_super+0x4665/0x61e0 [f2fs] mount_bdev+0x2cf/0x3b0 legacy_get_tree+0xed/0x1d0 vfs_get_tree+0x81/0x2b0 path_mount+0x47e/0x19d0 do_mount+0xce/0xf0 __x64_sys_mount+0x12c/0x1a0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd If we enable CONFIG_F2FS_CHECK_FS config, it will trigger a kernel panic instead of warning. The root cause is: in fuzzed image, SIT table is inconsistent with inode mapping table, result in triggering such warning during SIT table update. This patch introduces a new flag DATA_GENERIC_ENHANCE_UPDATE, w/ this flag, data block recovery flow can check destination blkaddr's validation in SIT table, and skip f2fs_replace_block() to avoid inconsistent status. | 2025-09-15 | not yet calculated | CVE-2022-50273 | https://git.kernel.org/stable/c/68b1e607559d3dc85f94b0d738d7c4e8029b0cfa https://git.kernel.org/stable/c/73fb4bd2c055a393816f078f158cdd3025006f1d https://git.kernel.org/stable/c/ed854f10e6afd5cbd5c3274d4c4df4bfe0ab4362 https://git.kernel.org/stable/c/8f0a47def4722c5fd8d6b9268b5ffed8a249e2db https://git.kernel.org/stable/c/3a4d24d746866dd45d970bd565ff3886e839366a https://git.kernel.org/stable/c/0ef4ca04a3f9223ff8bc440041c524b2123e09a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: adopts refcnt to avoid UAF dvb_unregister_device() is known that prone to use-after-free. That is, the cleanup from dvb_unregister_device() releases the dvb_device even if there are pointers stored in file->private_data still refer to it. This patch adds a reference counter into struct dvb_device and delays its deallocation until no pointer refers to the object. | 2025-09-15 | not yet calculated | CVE-2022-50274 | https://git.kernel.org/stable/c/ac521bbe3d00fa574e66a9361763f2b37725bc97 https://git.kernel.org/stable/c/219b44bf94203bd433aa91b7796475bf656348e5 https://git.kernel.org/stable/c/6d18b44bb44e1f4d97dfe0efe92ac0f0984739c2 https://git.kernel.org/stable/c/2abd73433872194bccdf1432a0980e4ec5273c2a https://git.kernel.org/stable/c/88a6f8a72d167294c0931c7874941bf37a41b6dd https://git.kernel.org/stable/c/a2f0a08aa613176c9688c81d7b598a7779974991 https://git.kernel.org/stable/c/9945d05d6693710574f354c5dbddc47f5101eb77 https://git.kernel.org/stable/c/0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Add the missed acpi_put_table() to fix memory leak When the radeon driver reads the bios information from ACPI table in radeon_acpi_vfct_bios(), it misses to call acpi_put_table() to release the ACPI memory after the init, so add acpi_put_table() properly to fix the memory leak. v2: fix text formatting (Alex) | 2025-09-15 | not yet calculated | CVE-2022-50275 | https://git.kernel.org/stable/c/4539e3211a9bd2418e76797718a4e60a7ae34fcf https://git.kernel.org/stable/c/4760fa67aff6bd8ef0b14c1fa04c295e734c7309 https://git.kernel.org/stable/c/a0f26560be2c566b62331cb0eeffa52929aa4d44 https://git.kernel.org/stable/c/b4b30f56ec512e2c35fc0761bc90b0e519d8fa6e https://git.kernel.org/stable/c/6d25bc63708145c10f9c099d5c005602a7f2ef5f https://git.kernel.org/stable/c/50113de0f1e913c0b733e21d3e61fe9c0f2e9d50 https://git.kernel.org/stable/c/9e203e437310f61fdf3c1107f41f85864cf4f6b1 https://git.kernel.org/stable/c/10276a20be1115e1f76c189330da2992df980eee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: fix null pointer dereferencing in power_supply_get_battery_info when kmalloc() fail to allocate memory in kasprintf(), propname will be NULL, strcmp() called by of_get_property() will cause null pointer dereference. So return ENOMEM if kasprintf() return NULL pointer. | 2025-09-15 | not yet calculated | CVE-2022-50276 | https://git.kernel.org/stable/c/8ea68b4e3fa9392ef9dae303abc8735a033c280f https://git.kernel.org/stable/c/5beadb55f4e36fafe5d6df5dcd5f85d803f3f134 https://git.kernel.org/stable/c/d21534ab4fd7883e1c8037a76671d4e8b6ea14cb https://git.kernel.org/stable/c/279af90e65cbdb3e5c4519b0043324d7876bc5ec https://git.kernel.org/stable/c/b8131efb89d9f837c9244f900f0fc2699fd1181d https://git.kernel.org/stable/c/104bb8a663451404a26331263ce5b96c34504049 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: don't allow journal inode to have encrypt flag Mounting a filesystem whose journal inode has the encrypt flag causes a NULL dereference in fscrypt_limit_io_blocks() when the 'inlinecrypt' mount option is used. The problem is that when jbd2_journal_init_inode() calls bmap(), it eventually finds its way into ext4_iomap_begin(), which calls fscrypt_limit_io_blocks(). fscrypt_limit_io_blocks() requires that if the inode is encrypted, then its encryption key must already be set up. That's not the case here, since the journal inode is never "opened" like a normal file would be. Hence the crash. A reproducer is: mkfs.ext4 -F /dev/vdb debugfs -w /dev/vdb -R "set_inode_field <8> flags 0x80808" mount /dev/vdb /mnt -o inlinecrypt To fix this, make ext4 consider journal inodes with the encrypt flag to be invalid. (Note, maybe other flags should be rejected on the journal inode too. For now, this is just the minimal fix for the above issue.) I've marked this as fixing the commit that introduced the call to fscrypt_limit_io_blocks(), since that's what made an actual crash start being possible. But this fix could be applied to any version of ext4 that supports the encrypt feature. | 2025-09-15 | not yet calculated | CVE-2022-50277 | https://git.kernel.org/stable/c/1f7a6626f611aa06d7907aa45b484708dd5ac8bc https://git.kernel.org/stable/c/bcc5057e1781a3ee889225480d995c3b5cbde555 https://git.kernel.org/stable/c/105c78e12468413e426625831faa7db4284e1fec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PNP: fix name memory leak in pnp_alloc_dev() After commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically, move dev_set_name() after pnp_add_id() to avoid memory leak. | 2025-09-15 | not yet calculated | CVE-2022-50278 | https://git.kernel.org/stable/c/ea77b4b761cd75e5456f677311babfa0418f289a https://git.kernel.org/stable/c/693a0c13c1f0c0fcaa1e38cb806cc0789bd415aa https://git.kernel.org/stable/c/bbcf772216aa237036cc3ae3158288d0a95aaf4d https://git.kernel.org/stable/c/81b024df4755e6bb6993b786584eca6eabbb9791 https://git.kernel.org/stable/c/dac87e295cddc8ab316cff14ab2071b5221d84fa https://git.kernel.org/stable/c/c12b314bb23dc0c83e03402cc84574700947e3b2 https://git.kernel.org/stable/c/1f50c7497a5f89de0c31f2edf086af41ff834320 https://git.kernel.org/stable/c/290dd73b943c95c006df973257076ff163adf4d0 https://git.kernel.org/stable/c/110d7b0325c55ff3620073ba4201845f59e22ebf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() There is a global-out-of-bounds reported by KASAN: BUG: KASAN: global-out-of-bounds in _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411 CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D 6.1.0-rc8+ #144 e15588508517267d37 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), Call Trace: <TASK> ... kasan_report+0xbb/0x1c0 _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae] rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae] ... </TASK> The root cause of the problem is that the comparison order of "prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two strings from tail to head, which causes the problem. In the _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet this requirement by carefully designing the comparison order. For example, "pregulation" and "pbandwidth" are compared in order of length from small to large, first is 3 and last is 4. However, the comparison order of "prate_section" does not obey such order requirement, therefore when "prate_section" is "HT", when comparing from tail to head, it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As mentioned above, the _rtl8812ae_eq_n_byte() has the same function as strcmp(), so just strcmp() is enough. Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely. Although it can be fixed by adjusting the comparison order of "prate_section", this may cause the value of "rate_section" to not be from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver from staging to regular tree, but also added setting txpower limit function during the driver config phase, so the problem was introduced by this commit. | 2025-09-15 | not yet calculated | CVE-2022-50279 | https://git.kernel.org/stable/c/fc3442247716fc426bbcf62ed65e086e48a6d44f https://git.kernel.org/stable/c/28ea268d95e57cdf6394a058f0d854206d478772 https://git.kernel.org/stable/c/1e950b9a841bc96e98ee25680d5c7aa305120be1 https://git.kernel.org/stable/c/0c962dcd6bf64b78eaffc09e497a2beb4e48bc32 https://git.kernel.org/stable/c/f1fe40120de6ad4ffa8299fde035a5feba10d4fb https://git.kernel.org/stable/c/057b52461dc005ecd85a3e4998913b1492ec0f72 https://git.kernel.org/stable/c/117dbeda22ec5ea0918254d03b540ef8b8a64d53 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pnode: terminate at peers of source The propagate_mnt() function handles mount propagation when creating mounts and propagates the source mount tree @source_mnt to all applicable nodes of the destination propagation mount tree headed by @dest_mnt. Unfortunately it contains a bug where it fails to terminate at peers of @source_mnt when looking up copies of the source mount that become masters for copies of the source mount tree mounted on top of slaves in the destination propagation tree causing a NULL dereference. Once the mechanics of the bug are understood it's easy to trigger. Because of unprivileged user namespaces it is available to unprivileged users. While fixing this bug we've gotten confused multiple times due to unclear terminology or missing concepts. So let's start this with some clarifications: * The terms "master" or "peer" denote a shared mount. A shared mount belongs to a peer group. * A peer group is a set of shared mounts that propagate to each other. They are identified by a peer group id. The peer group id is available in @shared_mnt->mnt_group_id. Shared mounts within the same peer group have the same peer group id. The peers in a peer group can be reached via @shared_mnt->mnt_share. * The terms "slave mount" or "dependent mount" denote a mount that receives propagation from a peer in a peer group. IOW, shared mounts may have slave mounts and slave mounts have shared mounts as their master. Slave mounts of a given peer in a peer group are listed on that peers slave list available at @shared_mnt->mnt_slave_list. * The term "master mount" denotes a mount in a peer group. IOW, it denotes a shared mount or a peer mount in a peer group. The term "master mount" - or "master" for short - is mostly used when talking in the context of slave mounts that receive propagation from a master mount. A master mount of a slave identifies the closest peer group a slave mount receives propagation from. The master mount of a slave can be identified via @slave_mount->mnt_master. Different slaves may point to different masters in the same peer group. * Multiple peers in a peer group can have non-empty ->mnt_slave_lists. Non-empty ->mnt_slave_lists of peers don't intersect. Consequently, to ensure all slave mounts of a peer group are visited the ->mnt_slave_lists of all peers in a peer group have to be walked. * Slave mounts point to a peer in the closest peer group they receive propagation from via @slave_mnt->mnt_master (see above). Together with these peers they form a propagation group (see below). The closest peer group can thus be identified through the peer group id @slave_mnt->mnt_master->mnt_group_id of the peer/master that a slave mount receives propagation from. * A shared-slave mount is a slave mount to a peer group pg1 while also a peer in another peer group pg2. IOW, a peer group may receive propagation from another peer group. If a peer group pg1 is a slave to another peer group pg2 then all peers in peer group pg1 point to the same peer in peer group pg2 via ->mnt_master. IOW, all peers in peer group pg1 appear on the same ->mnt_slave_list. IOW, they cannot be slaves to different peer groups. * A pure slave mount is a slave mount that is a slave to a peer group but is not a peer in another peer group. * A propagation group denotes the set of mounts consisting of a single peer group pg1 and all slave mounts and shared-slave mounts that point to a peer in that peer group via ->mnt_master. IOW, all slave mounts such that @slave_mnt->mnt_master->mnt_group_id is equal to @shared_mnt->mnt_group_id. The concept of a propagation group makes it easier to talk about a single propagation level in a propagation tree. For example, in propagate_mnt() the immediate peers of @dest_mnt and all slaves of @dest_mnt's peer group form a propagation group pr ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50280 | https://git.kernel.org/stable/c/cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c https://git.kernel.org/stable/c/cc997490be65da0af8c75a6244fc80bb66c53ce0 https://git.kernel.org/stable/c/7f57df69de7f05302fad584eb8e3f34de39e0311 https://git.kernel.org/stable/c/2dae4211b579ce98985876a73a78466e285238ff https://git.kernel.org/stable/c/b591b2919d018ef91b4a9571edca94105bcad3df https://git.kernel.org/stable/c/c24cc476acd8bccb5af54849aac5e779d8223bf5 https://git.kernel.org/stable/c/e7c9f10c44a8919cd8bbd51b228c84d0caf7d518 https://git.kernel.org/stable/c/784a4f995ee24460aa72e00b085612fad57ebce5 https://git.kernel.org/stable/c/11933cf1d91d57da9e5c53822a540bbdc2656c16 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create() In error case in bridge_platform_create after calling platform_device_add()/platform_device_add_data()/ platform_device_add_resources(), release the failed 'pdev' or it will be leak, call platform_device_put() to fix this problem. Besides, 'pdev' is divided into 'pdev_wd' and 'pdev_bd', use platform_device_unregister() to release sgi_w1 resources when xtalk-bridge registration fails. | 2025-09-15 | not yet calculated | CVE-2022-50281 | https://git.kernel.org/stable/c/da2aecef866b476438d02c662507a0e4e818da9d https://git.kernel.org/stable/c/93296e7ab774230b7c36541dead10b6da39b650f https://git.kernel.org/stable/c/d7ac29e60d0ff71e9e414af595b8c92800f7fa90 https://git.kernel.org/stable/c/48025893b3e31b917ad654d28d23fff66681cac4 https://git.kernel.org/stable/c/11bec9cba4de06b3c0e9e4041453c2caaa1cbec1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: chardev: fix error handling in cdev_device_add() While doing fault injection test, I got the following report: ------------[ cut here ]------------ kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called. WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0 CPU: 3 PID: 6306 Comm: 283 Tainted: G W 6.1.0-rc2-00005-g307c1086d7c9 #1253 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kobject_put+0x23d/0x4e0 Call Trace: <TASK> cdev_device_add+0x15e/0x1b0 __iio_device_register+0x13b4/0x1af0 [industrialio] __devm_iio_device_register+0x22/0x90 [industrialio] max517_probe+0x3d8/0x6b4 [max517] i2c_device_probe+0xa81/0xc00 When device_add() is injected fault and returns error, if dev->devt is not set, cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt in error path. | 2025-09-15 | not yet calculated | CVE-2022-50282 | https://git.kernel.org/stable/c/5d2146889fad4cb9e6c13e790d4cfd871486eca8 https://git.kernel.org/stable/c/6acf8597c5b04f455ee0649e11e5f3bcd28f381e https://git.kernel.org/stable/c/34d17b39bceef25e4cf9805cd59250ae05d0a139 https://git.kernel.org/stable/c/d85b5247a79355b8432bfd9ac871f96117f750d4 https://git.kernel.org/stable/c/c46db6088bccff5115674d583fef46ede80077a2 https://git.kernel.org/stable/c/28dc61cc49c6e995121c6d86bef4b73df78dda80 https://git.kernel.org/stable/c/b5de1eac71fec1af7723f1083d23a24789fd795c https://git.kernel.org/stable/c/85a5660491b507d33662b8e81c142e6041e642eb https://git.kernel.org/stable/c/11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: core: add missing of_node_get() in dynamic partitions code This fixes unbalanced of_node_put(): [ 1.078910] 6 cmdlinepart partitions found on MTD device gpmi-nand [ 1.085116] Creating 6 MTD partitions on "gpmi-nand": [ 1.090181] 0x000000000000-0x000008000000 : "nandboot" [ 1.096952] 0x000008000000-0x000009000000 : "nandfit" [ 1.103547] 0x000009000000-0x00000b000000 : "nandkernel" [ 1.110317] 0x00000b000000-0x00000c000000 : "nanddtb" [ 1.115525] ------------[ cut here ]------------ [ 1.120141] refcount_t: addition on 0; use-after-free. [ 1.125328] WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0xdc/0x148 [ 1.133528] Modules linked in: [ 1.136589] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc7-next-20220930-04543-g8cf3f7 [ 1.146342] Hardware name: Freescale i.MX8DXL DDR3L EVK (DT) [ 1.151999] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1.158965] pc : refcount_warn_saturate+0xdc/0x148 [ 1.163760] lr : refcount_warn_saturate+0xdc/0x148 [ 1.168556] sp : ffff800009ddb080 [ 1.171866] x29: ffff800009ddb080 x28: ffff800009ddb35a x27: 0000000000000002 [ 1.179015] x26: ffff8000098b06ad x25: ffffffffffffffff x24: ffff0a00ffffff05 [ 1.186165] x23: ffff00001fdf6470 x22: ffff800009ddb367 x21: 0000000000000000 [ 1.193314] x20: ffff00001fdfebe8 x19: ffff00001fdfec50 x18: ffffffffffffffff [ 1.200464] x17: 0000000000000000 x16: 0000000000000118 x15: 0000000000000004 [ 1.207614] x14: 0000000000000fff x13: ffff800009bca248 x12: 0000000000000003 [ 1.214764] x11: 00000000ffffefff x10: c0000000ffffefff x9 : 4762cb2ccb52de00 [ 1.221914] x8 : 4762cb2ccb52de00 x7 : 205d313431303231 x6 : 312e31202020205b [ 1.229063] x5 : ffff800009d55c1f x4 : 0000000000000001 x3 : 0000000000000000 [ 1.236213] x2 : 0000000000000000 x1 : ffff800009954be6 x0 : 000000000000002a [ 1.243365] Call trace: [ 1.245806] refcount_warn_saturate+0xdc/0x148 [ 1.250253] kobject_get+0x98/0x9c [ 1.253658] of_node_get+0x20/0x34 [ 1.257072] of_fwnode_get+0x3c/0x54 [ 1.260652] fwnode_get_nth_parent+0xd8/0xf4 [ 1.264926] fwnode_full_name_string+0x3c/0xb4 [ 1.269373] device_node_string+0x498/0x5b4 [ 1.273561] pointer+0x41c/0x5d0 [ 1.276793] vsnprintf+0x4d8/0x694 [ 1.280198] vprintk_store+0x164/0x528 [ 1.283951] vprintk_emit+0x98/0x164 [ 1.287530] vprintk_default+0x44/0x6c [ 1.291284] vprintk+0xf0/0x134 [ 1.294428] _printk+0x54/0x7c [ 1.297486] of_node_release+0xe8/0x128 [ 1.301326] kobject_put+0x98/0xfc [ 1.304732] of_node_put+0x1c/0x28 [ 1.308137] add_mtd_device+0x484/0x6d4 [ 1.311977] add_mtd_partitions+0xf0/0x1d0 [ 1.316078] parse_mtd_partitions+0x45c/0x518 [ 1.320439] mtd_device_parse_register+0xb0/0x274 [ 1.325147] gpmi_nand_probe+0x51c/0x650 [ 1.329074] platform_probe+0xa8/0xd0 [ 1.332740] really_probe+0x130/0x334 [ 1.336406] __driver_probe_device+0xb4/0xe0 [ 1.340681] driver_probe_device+0x3c/0x1f8 [ 1.344869] __driver_attach+0xdc/0x1a4 [ 1.348708] bus_for_each_dev+0x80/0xcc [ 1.352548] driver_attach+0x24/0x30 [ 1.356127] bus_add_driver+0x108/0x1f4 [ 1.359967] driver_register+0x78/0x114 [ 1.363807] __platform_driver_register+0x24/0x30 [ 1.368515] gpmi_nand_driver_init+0x1c/0x28 [ 1.372798] do_one_initcall+0xbc/0x238 [ 1.376638] do_initcall_level+0x94/0xb4 [ 1.380565] do_initcalls+0x54/0x94 [ 1.384058] do_basic_setup+0x1c/0x28 [ 1.387724] kernel_init_freeable+0x110/0x188 [ 1.392084] kernel_init+0x20/0x1a0 [ 1.395578] ret_from_fork+0x10/0x20 [ 1.399157] ---[ end trace 0000000000000000 ]--- [ 1.403782] ------------[ cut here ]------------ | 2025-09-15 | not yet calculated | CVE-2022-50283 | https://git.kernel.org/stable/c/9e54ce00505d291ef88f2c05e5eef46269daf83c https://git.kernel.org/stable/c/12b58961de0bd88b3c7dfa5d21f6d67f4678b780 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipc: fix memory leak in init_mqueue_fs() When setup_mq_sysctls() failed in init_mqueue_fs(), mqueue_inode_cachep is not released. In order to fix this issue, the release path is reordered. | 2025-09-15 | not yet calculated | CVE-2022-50284 | https://git.kernel.org/stable/c/86273624a68d07f129dc182b8394f487ed4de484 https://git.kernel.org/stable/c/28dad915abe46d38c5799a0c8130e9a2a1540385 https://git.kernel.org/stable/c/12b677f2c697d61e5ddbcb6c1650050a39392f54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages The h->*_huge_pages counters are protected by the hugetlb_lock, but alloc_huge_page has a corner case where it can decrement the counter outside of the lock. This could lead to a corrupted value of h->resv_huge_pages, which we have observed on our systems. Take the hugetlb_lock before decrementing h->resv_huge_pages to avoid a potential race. | 2025-09-15 | not yet calculated | CVE-2022-50285 | https://git.kernel.org/stable/c/3e50a07b6a5fcd39df1534d3fdaca4292a65efe6 https://git.kernel.org/stable/c/629c986e19fe9481227c7cdfd9a105bbc104d245 https://git.kernel.org/stable/c/2b35432d324898ec41beb27031d2a1a864a4d40e https://git.kernel.org/stable/c/11993652d0b49e27272db0a37aa828d8a3a4b92b https://git.kernel.org/stable/c/568e3812b1778b4c0c229649b59977d88f400ece https://git.kernel.org/stable/c/112a005d1ded04a4b41b6d01833cc0bda90625cc https://git.kernel.org/stable/c/c828fab903725279aa9dc6ae3d44bb7e4778f92c https://git.kernel.org/stable/c/12df140f0bdfae5dcfc81800970dd7f6f632e00c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline When converting files with inline data to extents, delayed allocations made on a file system created with both the bigalloc and inline options can result in invalid extent status cache content, incorrect reserved cluster counts, kernel memory leaks, and potential kernel panics. With bigalloc, the code that determines whether a block must be delayed allocated searches the extent tree to see if that block maps to a previously allocated cluster. If not, the block is delayed allocated, and otherwise, it isn't. However, if the inline option is also used, and if the file containing the block is marked as able to store data inline, there isn't a valid extent tree associated with the file. The current code in ext4_clu_mapped() calls ext4_find_extent() to search the non-existent tree for a previously allocated cluster anyway, which typically finds nothing, as desired. However, a side effect of the search can be to cache invalid content from the non-existent tree (garbage) in the extent status tree, including bogus entries in the pending reservation tree. To fix this, avoid searching the extent tree when allocating blocks for bigalloc + inline files that are being converted from inline to extent mapped. | 2025-09-15 | not yet calculated | CVE-2022-50286 | https://git.kernel.org/stable/c/6f4200ec76a0d31200c308ec5a71c68df5417004 https://git.kernel.org/stable/c/9404839e0c9db5a517ea83c0ca3388b39d105fdf https://git.kernel.org/stable/c/d440d6427a5e3a877c1c259b8d2b216ddb65e185 https://git.kernel.org/stable/c/c0c8edbc8abbe8f16d80a1d794d1ba2c12b6f193 https://git.kernel.org/stable/c/81b915181c630ee1cffa052e52874fe4e1ba91ac https://git.kernel.org/stable/c/131294c35ed6f777bd4e79d42af13b5c41bf2775 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/bios: fix a memory leak in generate_lfp_data_ptrs When (size != 0 || ptrs->lvds_entries != 3), the program tries to free() the ptrs. However, the ptrs is not created by calling kzmalloc(), but is obtained by pointer offset operation. This may lead to memory leaks or undefined behavior. Fix this by replacing the arguments of kfree() with ptrs_block. (cherry picked from commit 7674cd0b7d28b952151c3df26bbfa7e07eb2b4ec) | 2025-09-15 | not yet calculated | CVE-2022-50287 | https://git.kernel.org/stable/c/4758d04014cfe6cdb6e9b4738d1d6728487bbb3a https://git.kernel.org/stable/c/7c852e8f93f04e57c1e3883caa72542469c6c4c4 https://git.kernel.org/stable/c/1382901f75a5a7dc8eac05059fd0c7816def4eae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure adapter->dcb would get silently freed inside qlcnic_dcb_enable() in case qlcnic_dcb_attach() would return an error, which always happens under OOM conditions. This would lead to use-after-free because both of the existing callers invoke qlcnic_dcb_get_info() on the obtained pointer, which is potentially freed at that point. Propagate errors from qlcnic_dcb_enable(), and instead free the dcb pointer at callsite using qlcnic_dcb_free(). This also removes the now unused qlcnic_clear_dcb_ops() helper, which was a simple wrapper around kfree() also causing memory leaks for partially initialized dcb. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. | 2025-09-15 | not yet calculated | CVE-2022-50288 | https://git.kernel.org/stable/c/36999236f0b12d5de21a6f40e93b570727b9ceb2 https://git.kernel.org/stable/c/d12a7510293d3370b234b0b7c5eda33e58786768 https://git.kernel.org/stable/c/8f97eeb02a553cdc78c83a0596448a370e1518c4 https://git.kernel.org/stable/c/513787ff9a331b461115e8a145a983d650a84fcb https://git.kernel.org/stable/c/95df720e64a6409d8152827a776c43f615e3321a https://git.kernel.org/stable/c/8df1dc04ce0e4c03b51a756749c250a9cb17d707 https://git.kernel.org/stable/c/a2a694e6edbdb3efb34e1613a31fdcf6cf444a55 https://git.kernel.org/stable/c/13a7c8964afcd8ca43c0b6001ebb0127baa95362 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix memory leak in ocfs2_stack_glue_init() ocfs2_table_header should be free in ocfs2_stack_glue_init() if ocfs2_sysfs_init() failed, otherwise kmemleak will report memleak. BUG: memory leak unreferenced object 0xffff88810eeb5800 (size 128): comm "modprobe", pid 4507, jiffies 4296182506 (age 55.888s) hex dump (first 32 bytes): c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00 .@.............. 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0 [<00000000c04f70f7>] 0xffffffffa0050037 [<000000001bd12912>] do_one_initcall+0xdb/0x480 [<0000000064f766c9>] do_init_module+0x1cf/0x680 [<000000002ba52db0>] load_module+0x6441/0x6f20 [<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0 [<00000000380c1f22>] do_syscall_64+0x3f/0x90 [<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-09-15 | not yet calculated | CVE-2022-50289 | https://git.kernel.org/stable/c/0000281f019111526f7abccc61f2746d2eb626ca https://git.kernel.org/stable/c/802abe2bc654e87334e6a0ab6c1adc2b6d5f6394 https://git.kernel.org/stable/c/b0822faebd79971617abd495beb2d6f5356b88bf https://git.kernel.org/stable/c/7c8bf45cea9c8d6fb3e14d8cd5ae60e0372f39b7 https://git.kernel.org/stable/c/f5f2682d3a34dd8350bf63f232d885fd95f25b92 https://git.kernel.org/stable/c/61d68cf2ba79128c48d4b3fa4d10c34dc18ba572 https://git.kernel.org/stable/c/6f6c13776cbee4b6a515f4cd3b859f046be4f6f9 https://git.kernel.org/stable/c/0b2128b70849f2728949babfc1c760096ef72f5d https://git.kernel.org/stable/c/13b6269dd022aaa69ca8d1df374ab327504121cf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kcm: annotate data-races around kcm->rx_psock kcm->rx_psock can be read locklessly in kcm_rfree(). Annotate the read and writes accordingly. We do the same for kcm->rx_wait in the following patch. syzbot reported: BUG: KCSAN: data-race in kcm_rfree / unreserve_rx_kcm write to 0xffff888123d827b8 of 8 bytes by task 2758 on cpu 1: unreserve_rx_kcm+0x72/0x1f0 net/kcm/kcmsock.c:313 kcm_rcv_strparser+0x2b5/0x3a0 net/kcm/kcmsock.c:373 __strp_recv+0x64c/0xd20 net/strparser/strparser.c:301 strp_recv+0x6d/0x80 net/strparser/strparser.c:335 tcp_read_sock+0x13e/0x5a0 net/ipv4/tcp.c:1703 strp_read_sock net/strparser/strparser.c:358 [inline] do_strp_work net/strparser/strparser.c:406 [inline] strp_work+0xe8/0x180 net/strparser/strparser.c:415 process_one_work+0x3d3/0x720 kernel/workqueue.c:2289 worker_thread+0x618/0xa70 kernel/workqueue.c:2436 kthread+0x1a9/0x1e0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 read to 0xffff888123d827b8 of 8 bytes by task 5859 on cpu 0: kcm_rfree+0x14c/0x220 net/kcm/kcmsock.c:181 skb_release_head_state+0x8e/0x160 net/core/skbuff.c:841 skb_release_all net/core/skbuff.c:852 [inline] __kfree_skb net/core/skbuff.c:868 [inline] kfree_skb_reason+0x5c/0x260 net/core/skbuff.c:891 kfree_skb include/linux/skbuff.h:1216 [inline] kcm_recvmsg+0x226/0x2b0 net/kcm/kcmsock.c:1161 ____sys_recvmsg+0x16c/0x2e0 ___sys_recvmsg net/socket.c:2743 [inline] do_recvmmsg+0x2f1/0x710 net/socket.c:2837 __sys_recvmmsg net/socket.c:2916 [inline] __do_sys_recvmmsg net/socket.c:2939 [inline] __se_sys_recvmmsg net/socket.c:2932 [inline] __x64_sys_recvmmsg+0xde/0x160 net/socket.c:2932 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0xffff88812971ce00 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 5859 Comm: syz-executor.3 Not tainted 6.0.0-syzkaller-12189-g19d17ab7c68b-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 | 2025-09-15 | not yet calculated | CVE-2022-50291 | https://git.kernel.org/stable/c/13dba69e18d04c8eec7596369f2a0596b0260275 https://git.kernel.org/stable/c/bf46af730e58d340f6f740bc69a07c5f6b85c655 https://git.kernel.org/stable/c/1b8a5692ab25db4ef1c2cc8e5d21f7a65dc3d079 https://git.kernel.org/stable/c/e94395e916b48a5b912a0a04570981b5b091acb0 https://git.kernel.org/stable/c/c325f92d8d9b223d5842609ca067e898e9d34566 https://git.kernel.org/stable/c/342d918cf9a45df9cf11bbe7162b851adefd178f https://git.kernel.org/stable/c/12a0eb340c9a22e0f8c00d2c0c1a60695ead926a https://git.kernel.org/stable/c/15e4dabda11b0fa31d510a915d1a580f47dfc92e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: fix bridge lifetime Device-managed resources allocated post component bind must be tied to the lifetime of the aggregate DRM device or they will not necessarily be released when binding of the aggregate device is deferred. This can lead to resource leaks or failure to bind the aggregate device when binding is later retried and a second attempt to allocate the resources is made. For the DP bridges, previously allocated bridges will leak on probe deferral. Fix this by amending the DP parser interface and tying the lifetime of the bridge device to the DRM device rather than DP platform device. Patchwork: https://patchwork.freedesktop.org/patch/502667/ | 2025-09-15 | not yet calculated | CVE-2022-50292 | https://git.kernel.org/stable/c/7eda6977e8058dd45607a5bbc6517a0f42ccd6c9 https://git.kernel.org/stable/c/16194958f888d63839042d1190f7001e5ddec47b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range If we get -ENOMEM while dropping file extent items in a given range, at btrfs_drop_extents(), due to failure to allocate memory when attempting to increment the reference count for an extent or drop the reference count, we handle it with a BUG_ON(). This is excessive, instead we can simply abort the transaction and return the error to the caller. In fact most callers of btrfs_drop_extents(), directly or indirectly, already abort the transaction if btrfs_drop_extents() returns any error. Also, we already have error paths at btrfs_drop_extents() that may return -ENOMEM and in those cases we abort the transaction, like for example anything that changes the b+tree may return -ENOMEM due to a failure to allocate a new extent buffer when COWing an existing extent buffer, such as a call to btrfs_duplicate_item() for example. So replace the BUG_ON() calls with proper logic to abort the transaction and return the error. | 2025-09-15 | not yet calculated | CVE-2022-50293 | https://git.kernel.org/stable/c/50f993da945074b2a069da099a0331b23a0c89a0 https://git.kernel.org/stable/c/7fbcb635c8fc927d139f3302babcf1b42c09265c https://git.kernel.org/stable/c/1baf3370e2dc5e6bd1368348736189457dab2a27 https://git.kernel.org/stable/c/162d053e15fe985f754ef495a96eb3db970c43ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix memory leak in lbs_init_adapter() When kfifo_alloc() fails in lbs_init_adapter(), the cmd buffer is not released. Add freeing of the memory to the error-handling path. | 2025-09-15 | not yet calculated | CVE-2022-50294 | https://git.kernel.org/stable/c/4c102ad59bfa66c0f6662af64fa3b9007b02c20f https://git.kernel.org/stable/c/98e0ff6980c89239d9e5d3da90d791c2383dc23a https://git.kernel.org/stable/c/23b34e08de5c2380414c9d3c33e8235094bcccae https://git.kernel.org/stable/c/9c8f50c7433bdfba1588831c413136ecc3f29f99 https://git.kernel.org/stable/c/037f84c0bfae5c436c651d0e804264e2648010ec https://git.kernel.org/stable/c/653d13a73e498d0bb6aeaf689aaa960defa7878b https://git.kernel.org/stable/c/d46c33f667b05c22bc5c5b69aa730349c4b6fe31 https://git.kernel.org/stable/c/16a03958618fb91bb1bc7077cf3211055162cc2f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd() Syzkaller produced the below call trace: BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0 Write of size 8 at addr 0000000000000070 by task repro/16399 CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_msg_ring+0x3cb/0x9f0 kasan_report+0xbc/0xf0 ? io_msg_ring+0x3cb/0x9f0 kasan_check_range+0x140/0x190 io_msg_ring+0x3cb/0x9f0 ? io_msg_ring_prep+0x300/0x300 io_issue_sqe+0x698/0xca0 io_submit_sqes+0x92f/0x1c30 __do_sys_io_uring_enter+0xae4/0x24b0 .... RIP: 0033:0x7f2eaf8f8289 RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289 RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004 RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0 R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ... We don't have a NULL check on file_ptr in the io_msg_send_fd() function, so when file_ptr is NULL, src_file is also NULL and get_file() dereferences a NULL pointer, which leads to the above crash. Add a NULL check to fix this issue. | 2025-09-15 | not yet calculated | CVE-2022-50295 | https://git.kernel.org/stable/c/0163e04ea64cc3dfaa12390286e5f2f481c3b2e3 https://git.kernel.org/stable/c/16bbdfe5fb0e78e0acb13e45fc127e9a296913f2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected, cpu_max_bits_warn() generates a runtime warning similar to the one below while we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 [ 3.070072] Modules linked in: efivarfs autofs4 [ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 [ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 [ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 [ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff [ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 [ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa [ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 [ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 [ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 [ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 [ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c [ 3.195868] ... [ 3.199917] Call Trace: [ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c [ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88 [ 3.217625] [<900000000023d268>] __warn+0xd0/0x100 [ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc [ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0 [ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4 [ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4 [ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0 [ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100 [ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94 [ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160 [ 3.281824] ---[ end trace 8b484262b4b8c24c ]--- | 2025-09-15 | not yet calculated | CVE-2022-50296 | https://git.kernel.org/stable/c/8f96aa67c2ccbd7e41b8dc992b8d13cfe206d571 https://git.kernel.org/stable/c/dbd964a733db015bbb9dff592c259c736398140f https://git.kernel.org/stable/c/844748412be03a236dcf4a208b588162a275e189 https://git.kernel.org/stable/c/cd251d39b13485eb94ee65bb000d024e02c00e45 https://git.kernel.org/stable/c/6a73e6edcbf3cdd82796dcdf0c0f5fe5d91021af https://git.kernel.org/stable/c/7efe61dc6aa45aab8a40e304fa2dae21e33b0db4 https://git.kernel.org/stable/c/5177bdc38eaa1c1ca6302214ab06913540cd00a2 https://git.kernel.org/stable/c/2e3863cc02c156b51b50592d43ffa6a13b680b0d https://git.kernel.org/stable/c/16c546e148fa6d14a019431436a6f7b4087dbccd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: verify the expected usb_endpoints are present The bug arises when a USB device claims to be an ATH9K but doesn't have the expected endpoints. (In this case there was an interrupt endpoint where the driver expected a bulk endpoint.) The kernel needs to be able to handle such devices without getting an internal error. usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 Modules linked in: CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events request_firmware_work_func RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 Call Trace: ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline] ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019 ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline] ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242 request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097 process_one_work+0x9af/0x1600 kernel/workqueue.c:2279 worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425 kthread+0x3b4/0x4a0 kernel/kthread.c:313 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299 Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-09-15 | not yet calculated | CVE-2022-50297 | https://git.kernel.org/stable/c/932f0a5e829fb0b823f96d7fa9a0f4fc96660b77 https://git.kernel.org/stable/c/d008a202a0528a058bac658e657c010ce8534f4a https://git.kernel.org/stable/c/d64436af0bc3c9e579be761d7684f228fb95f3bb https://git.kernel.org/stable/c/ca57748593ddd8e46d033fbaeb9d01ec533a6bfe https://git.kernel.org/stable/c/1824ccabee5445347b83642e4087cc2eca070343 https://git.kernel.org/stable/c/c319196a0e34ed2e66d6f876f58d8d446335c2a7 https://git.kernel.org/stable/c/2d2eccf52ea0215c8d386b62af0b5fd4fc122bd5 https://git.kernel.org/stable/c/0b7e6d681e00a96cde2b32a15ffa70e1be2e3209 https://git.kernel.org/stable/c/16ef02bad239f11f322df8425d302be62f0443ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd: cleanup in probe error path Add proper error path in probe() to cleanup resources previously acquired/allocated to fix warnings visible during probe deferral: notifier callback qcom_slim_ngd_ssr_notify already registered WARNING: CPU: 6 PID: 70 at kernel/notifier.c:28 notifier_chain_register+0x5c/0x90 Modules linked in: CPU: 6 PID: 70 Comm: kworker/u16:1 Not tainted 6.0.0-rc3-next-20220830 #380 Call trace: notifier_chain_register+0x5c/0x90 srcu_notifier_chain_register+0x44/0x90 qcom_register_ssr_notifier+0x38/0x4c qcom_slim_ngd_ctrl_probe+0xd8/0x400 platform_probe+0x6c/0xe0 really_probe+0xbc/0x2d4 __driver_probe_device+0x78/0xe0 driver_probe_device+0x3c/0x12c __device_attach_driver+0xb8/0x120 bus_for_each_drv+0x78/0xd0 __device_attach+0xa8/0x1c0 device_initial_probe+0x18/0x24 bus_probe_device+0xa0/0xac deferred_probe_work_func+0x88/0xc0 process_one_work+0x1d4/0x320 worker_thread+0x2cc/0x44c kthread+0x110/0x114 ret_from_fork+0x10/0x20 | 2025-09-15 | not yet calculated | CVE-2022-50298 | https://git.kernel.org/stable/c/1d567179f27788925dc90fe5e905cdabfce7d190 https://git.kernel.org/stable/c/0c76110a3129c8d56d8fb7b6270dcc0c5c2f1a41 https://git.kernel.org/stable/c/ef5c42e6eb29a86abbcd4b2fd427e5194e51053c https://git.kernel.org/stable/c/16f14551d0df9e7cd283545d7d748829594d912f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md: Replace snprintf with scnprintf Current code produces a warning as shown below when total characters in the constituent block device names plus the slashes exceeds 200. snprintf() returns the number of characters generated from the given input, which could cause the expression "200 - len" to wrap around to a large positive number. Fix this by using scnprintf() instead, which returns the actual number of characters written into the buffer. [ 1513.267938] ------------[ cut here ]------------ [ 1513.267943] WARNING: CPU: 15 PID: 37247 at <snip>/lib/vsprintf.c:2509 vsnprintf+0x2c8/0x510 [ 1513.267944] Modules linked in: <snip> [ 1513.267969] CPU: 15 PID: 37247 Comm: mdadm Not tainted 5.4.0-1085-azure #90~18.04.1-Ubuntu [ 1513.267969] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022 [ 1513.267971] RIP: 0010:vsnprintf+0x2c8/0x510 <-snip-> [ 1513.267982] Call Trace: [ 1513.267986] snprintf+0x45/0x70 [ 1513.267990] ? disk_name+0x71/0xa0 [ 1513.267993] dump_zones+0x114/0x240 [raid0] [ 1513.267996] ? _cond_resched+0x19/0x40 [ 1513.267998] raid0_run+0x19e/0x270 [raid0] [ 1513.268000] md_run+0x5e0/0xc50 [ 1513.268003] ? security_capable+0x3f/0x60 [ 1513.268005] do_md_run+0x19/0x110 [ 1513.268006] md_ioctl+0x195e/0x1f90 [ 1513.268007] blkdev_ioctl+0x91f/0x9f0 [ 1513.268010] block_ioctl+0x3d/0x50 [ 1513.268012] do_vfs_ioctl+0xa9/0x640 [ 1513.268014] ? __fput+0x162/0x260 [ 1513.268016] ksys_ioctl+0x75/0x80 [ 1513.268017] __x64_sys_ioctl+0x1a/0x20 [ 1513.268019] do_syscall_64+0x5e/0x200 [ 1513.268021] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | 2025-09-15 | not yet calculated | CVE-2022-50299 | https://git.kernel.org/stable/c/3b0a2bd51f60418ecd67493586a2bb2174199de3 https://git.kernel.org/stable/c/897b1450abe5a67c842a5d24173ce4449ccdfa94 https://git.kernel.org/stable/c/97238b88583c27c9d3b4a0cedb45f816523f17c3 https://git.kernel.org/stable/c/76694e9ce0b2238c0a5f3ba54f9361dd3770ec78 https://git.kernel.org/stable/c/5d8259c9d1915a50c60c7d6e9e7fb9b7da64a175 https://git.kernel.org/stable/c/41ca95033a0c47cd6dace1f0a36a6eb5ebe799e6 https://git.kernel.org/stable/c/f95825c4e51cf9a653b0ef947ac78401fc9d3a40 https://git.kernel.org/stable/c/1727fd5015d8f93474148f94e34cda5aa6ad4a43 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after-free when handling missing device in read_one_chunk Store the error code before freeing the extent_map. Though it's a reference counted structure, in that function it's the first and last allocation so this would lead to a potential use-after-free. The error can happen e.g. when a chunk is stored on a missing device and the degraded mount option is missing. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721 | 2025-09-15 | not yet calculated | CVE-2022-50300 | https://git.kernel.org/stable/c/b8e7ed42bc3ca0d0e4191ee394d34962d3624c22 https://git.kernel.org/stable/c/fce3713197ebba239e1c7e02174ed216ea1ee014 https://git.kernel.org/stable/c/169a4cf46882974d4db6d85eb623ec898e51bbc0 https://git.kernel.org/stable/c/1742e1c90c3da344f3bb9b1f1309b3f47482756a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/omap: Fix buffer overflow in debugfs There are two issues here: 1) The "len" variable needs to be checked before the very first write. Otherwise, if omap2_iommu_dump_ctx() is called with "bytes" less than 32, it is a buffer overflow. 2) The snprintf() function returns the number of bytes that *would* have been copied if there were enough space. But we want to know the number of bytes which were *actually* copied, so use scnprintf() instead. | 2025-09-15 | not yet calculated | CVE-2022-50301 | https://git.kernel.org/stable/c/706e359cf046c142db290244c3f4938b20fbe805 https://git.kernel.org/stable/c/ec53b99b6b9da8b501f001595a6260c03b42d5b7 https://git.kernel.org/stable/c/648472df221f2bbffb433b964bcb87baccc586d8 https://git.kernel.org/stable/c/4010a1afaae1c0fb9c2cac5de703bed29b1f1782 https://git.kernel.org/stable/c/2fee0dbfaeaaa4bda04279ce772c4572b1429d04 https://git.kernel.org/stable/c/0c7043a5b5c3b35f5dc8875757f71e7f491d64d4 https://git.kernel.org/stable/c/bd0438f534b2e31b12f0b39b355c5dc2bbdaf854 https://git.kernel.org/stable/c/9814cc350e0765ce69244bf55ae4c8b29facd27e https://git.kernel.org/stable/c/184233a5202786b20220acd2d04ddf909ef18f29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lockd: set other missing fields when unlocking files vfs_lock_file() expects the struct file_lock to be fully initialised by the caller. Re-exported NFSv3 has been seen to Oops if the fl_file field is NULL. | 2025-09-15 | not yet calculated | CVE-2022-50302 | https://git.kernel.org/stable/c/31c93ee5f1e4dc278b562e20f3c3274ac34997f3 https://git.kernel.org/stable/c/95d42a8d3d4ae84a0bd3ee23e1fee240cdf0a9f0 https://git.kernel.org/stable/c/688575aef211b0986fc51010116f5888a99d76a2 https://git.kernel.org/stable/c/d7aa9f7778316beb690f6e2763b6d672ad8b256f https://git.kernel.org/stable/c/18ebd35b61b4693a0ddc270b6d4f18def232e770 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix double release compute pasid If kfd_process_device_init_vm returns failure after vm is converted to compute vm and vm->pasid set to compute pasid, KFD will not take pdd->drm_file reference. As a result, the drm close file handler may be called to release the compute pasid before the KFD process destroy worker releases the same pasid and sets vm->pasid to zero; this generates the below WARNING backtrace and NULL pointer access. Add helper amdgpu_amdkfd_gpuvm_set_vm_pasid and call it at the last step of kfd_process_device_init_vm, to ensure vm pasid is the original pasid if acquiring vm failed or is the compute pasid with pdd->drm_file reference taken, to avoid double release of the same pasid. amdgpu: Failed to create process VM object ida_free called for id=32770 which is not allocated. WARNING: CPU: 57 PID: 72542 at ../lib/idr.c:522 ida_free+0x96/0x140 RIP: 0010:ida_free+0x96/0x140 Call Trace: amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu] amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu] drm_file_free.part.13+0x216/0x270 [drm] drm_close_helper.isra.14+0x60/0x70 [drm] drm_release+0x6e/0xf0 [drm] __fput+0xcc/0x280 ____fput+0xe/0x20 task_work_run+0x96/0xc0 do_exit+0x3d0/0xc10 BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:ida_free+0x76/0x140 Call Trace: amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu] amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu] drm_file_free.part.13+0x216/0x270 [drm] drm_close_helper.isra.14+0x60/0x70 [drm] drm_release+0x6e/0xf0 [drm] __fput+0xcc/0x280 ____fput+0xe/0x20 task_work_run+0x96/0xc0 do_exit+0x3d0/0xc10 | 2025-09-15 | not yet calculated | CVE-2022-50303 | https://git.kernel.org/stable/c/89f0d766c9e3fdeafbed6f855d433c2768cde862 https://git.kernel.org/stable/c/a02c07b619899179384fde06f951530438a3512d https://git.kernel.org/stable/c/1a799c4c190ea9f0e81028e3eb3037ed0ab17ff5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: core: fix possible resource leak in init_mtd() I got the error report while injecting faults in init_mtd(): sysfs: cannot create duplicate filename '/devices/virtual/bdi/mtd-0' Call Trace: <TASK> dump_stack_lvl+0x67/0x83 sysfs_warn_dup+0x60/0x70 sysfs_create_dir_ns+0x109/0x120 kobject_add_internal+0xce/0x2f0 kobject_add+0x98/0x110 device_add+0x179/0xc00 device_create_groups_vargs+0xf4/0x100 device_create+0x7b/0xb0 bdi_register_va.part.13+0x58/0x2d0 bdi_register+0x9b/0xb0 init_mtd+0x62/0x171 [mtd] do_one_initcall+0x6c/0x3c0 do_init_module+0x58/0x222 load_module+0x268e/0x27d0 __do_sys_finit_module+0xd5/0x140 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> kobject_add_internal failed for mtd-0 with -EEXIST, don't try to register things with the same name in the same directory. Error registering mtd class or bdi: -17 If init_mtdchar() fails in init_mtd(), mtd_bdi will not be unregistered; as a result, we can't load the mtd module again. Fix this by calling bdi_unregister(mtd_bdi) after the out_procfs label. | 2025-09-15 | not yet calculated | CVE-2022-50304 | https://git.kernel.org/stable/c/78816504100cbd8e6836df9f58cc4fbb8b262f1c https://git.kernel.org/stable/c/26c304a3f136009c5a2a04e2bf3ac6aa25aabcb4 https://git.kernel.org/stable/c/1aadf01e5076b9ab6bf294b9622335c651314895 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove() sof_es8336_remove() calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. | 2025-09-15 | not yet calculated | CVE-2022-50305 | https://git.kernel.org/stable/c/b85102a3aa3810a09eb55692e8cd6ffbb304e57d https://git.kernel.org/stable/c/390a1a98288a53b2e7555097d83c6e55d579b166 https://git.kernel.org/stable/c/1b41beaa7a58467505ec3023af8aad74f878b888 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential out of bound read in ext4_fc_replay_scan() The scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN of space remains. If the remaining space is less than EXT4_FC_TAG_BASE_LEN, this will lead to an out of bound read when mounting a corrupt file system image. ADD_RANGE/HEAD/TAIL need an extra check during the journal scan, as these three tags read data during the scan; the tag length must not be less than the length of the data that will be read. | 2025-09-15 | not yet calculated | CVE-2022-50306 | https://git.kernel.org/stable/c/6969367c1500c15eddc38fda12f6d15518ad6d03 https://git.kernel.org/stable/c/f234294812c9b68d603650d28743eafb718e7ad5 https://git.kernel.org/stable/c/1b45cc5c7b920fd8bf72e5a888ec7abeadf41e09 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix out-of-bounds access on cio_ignore free The channel-subsystem-driver scans for newly available devices whenever device-IDs are removed from the cio_ignore list using a command such as: echo free >/proc/cio_ignore Since an I/O device scan might interfere with running I/Os, commit 172da89ed0ea ("s390/cio: avoid excessive path-verification requests") introduced an optimization to exclude online devices from the scan. The newly added check for online devices incorrectly assumes that an I/O-subchannel's drvdata points to a struct io_subchannel_private. For devices that are bound to a non-default I/O subchannel driver, such as the vfio_ccw driver, this results in an out-of-bounds read access during each scan. Fix this by changing the scan logic to rely on a driver-independent online indication. For this we can use struct subchannel->config.ena, which is the driver's requested subchannel-enabled state. Since I/Os can only be started on enabled subchannels, this matches the intent of the original optimization of not scanning devices where I/O might be running. | 2025-09-15 | not yet calculated | CVE-2022-50307 | https://git.kernel.org/stable/c/0e501fd0f38e42304bfa0d46a812d93f80294a87 https://git.kernel.org/stable/c/106ab66cf5467726ca5ead51623043d37c06820a https://git.kernel.org/stable/c/1b6074112742f65ece71b0f299ca5a6a887d2db6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Add checks for devm_kcalloc As devm_kcalloc may return NULL, the return value needs to be checked to avoid a NULL pointer dereference. | 2025-09-15 | not yet calculated | CVE-2022-50308 | https://git.kernel.org/stable/c/4518d7cc38b7d1a7ce5a7878ca601c91e19fe47d https://git.kernel.org/stable/c/f849c116d320e85d1e2c2804c0edb0be3953b62d https://git.kernel.org/stable/c/7830e2289eb4b74970b6cd1b6cc68dcd021c2281 https://git.kernel.org/stable/c/b1e4f92dd0c1d3c162d7ca6c1196995565cca96d https://git.kernel.org/stable/c/1bf5ee979076ceb121ee51c95197d890b1cee7f4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init of_get_child_by_name() returns a node pointer with refcount incremented; we should use of_node_put() on it when it is no longer needed. Add missing of_node_put() to avoid refcount leak. | 2025-09-15 | not yet calculated | CVE-2022-50309 | https://git.kernel.org/stable/c/7b0efe7534071e0153708886355d80db69525d50 https://git.kernel.org/stable/c/6e7b3b1e4e9f739800cd8010b75a9bee8d808cee https://git.kernel.org/stable/c/3c38467c3255c428cdbd3cefaccca4662f302dc9 https://git.kernel.org/stable/c/59b315353252abe7b8fdb8651ca31b8484ce287a https://git.kernel.org/stable/c/2630cc88327a5557aa0d9cc63be95e3c6e0a55b3 https://git.kernel.org/stable/c/2ea7caa9684687cf3adc1467cf4af3653a776192 https://git.kernel.org/stable/c/22b93530bbe6af9dce8e520bb6e978d1bda39d2b https://git.kernel.org/stable/c/3336210948b22c2db43e9df2ea403d251b4d24ab https://git.kernel.org/stable/c/1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed If the initialization fails in calling addrconf_init_net(), devconf_all is the pointer that has been released. Then ip6mr_sk_done() is called to release the net, accessing devconf->mc_forwarding directly causes invalid pointer access. The process is as follows: setup_net() ops_init() addrconf_init_net() all = kmemdup(...) ---> alloc "all" ... net->ipv6.devconf_all = all; __addrconf_sysctl_register() ---> failed ... kfree(all); ---> ipv6.devconf_all invalid ... ops_exit_list() ... ip6mr_sk_done() devconf = net->ipv6.devconf_all; //devconf is invalid pointer if (!devconf || !atomic_read(&devconf->mc_forwarding)) The following is the Call Trace information: BUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0 Read of size 4 at addr ffff888075508e88 by task ip/14554 Call Trace: <TASK> dump_stack_lvl+0x8e/0xd1 print_report+0x155/0x454 kasan_report+0xba/0x1f0 kasan_check_range+0x35/0x1b0 ip6mr_sk_done+0x112/0x3a0 rawv6_close+0x48/0x70 inet_release+0x109/0x230 inet6_release+0x4c/0x70 sock_release+0x87/0x1b0 igmp6_net_exit+0x6b/0x170 ops_exit_list+0xb0/0x170 setup_net+0x7ac/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f7963322547 </TASK> Allocated by task 14554: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0xa1/0xb0 __kmalloc_node_track_caller+0x4a/0xb0 kmemdup+0x28/0x60 addrconf_init_net+0x1be/0x840 ops_init+0xa5/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 14554: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x155/0x1b0 slab_free_freelist_hook+0x11b/0x220 __kmem_cache_free+0xa4/0x360 addrconf_init_net+0x623/0x840 ops_init+0xa5/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-09-15 | not yet calculated | CVE-2022-50310 | https://git.kernel.org/stable/c/22a68c3b9362eaac7b035eba09e95e6b3f7a912c https://git.kernel.org/stable/c/1ca695207ed2271ecbf8ee6c641970f621c157cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cxl: Fix refcount leak in cxl_calc_capp_routing of_get_next_parent() returns a node pointer with refcount incremented; we should use of_node_put() on it when it is no longer needed. This function only calls of_node_put() in the normal path, missing it in the error path. Add missing of_node_put() to avoid refcount leak. | 2025-09-15 | not yet calculated | CVE-2022-50311 | https://git.kernel.org/stable/c/c9bebc503881c1391f6c4f820134884adecf1519 https://git.kernel.org/stable/c/ee870f72465015327ad96204b0e92450d04870cd https://git.kernel.org/stable/c/f2d60f6ba173cded65081cee690b67802395a479 https://git.kernel.org/stable/c/81c8bbf5b2b5f0c8030fff1716c00849cda8571a https://git.kernel.org/stable/c/6a310e8db5409676b4b3e6c1f54dff174e4fd04d https://git.kernel.org/stable/c/651e8bc9d0418c20a1989b7c078c64c2a6346fa3 https://git.kernel.org/stable/c/2d7b6580384e6d65419933ddc525bd176095da54 https://git.kernel.org/stable/c/1d09697ff22908ae487fc8c4fbde1811732be523 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drivers: serial: jsm: fix some leaks in probe This error path needs to unwind instead of just returning directly. | 2025-09-15 | not yet calculated | CVE-2022-50312 | https://git.kernel.org/stable/c/ff9a5e50fb1910be33e62925bc7ee3bef474879e https://git.kernel.org/stable/c/3bf05c2650cf6b8d83bf0b0d808cc78c6ee7e84c https://git.kernel.org/stable/c/6066bd69ffba3a6abc7c0793ccba1da79b7d77e3 https://git.kernel.org/stable/c/744c2d33a88b082d9d504520f0132b3d688547b2 https://git.kernel.org/stable/c/71ffe5111f0ffa2fd43c14fd176c6f05d4e82212 https://git.kernel.org/stable/c/6be8e565a4a60530797a974d0a3d0e30656166a1 https://git.kernel.org/stable/c/737594536dc3ce732976c0d84bb1dcc842065521 https://git.kernel.org/stable/c/3ea1fd63fdf0e83b491c2a9f25b395aa0e4bf6e8 https://git.kernel.org/stable/c/1d5859ef229e381f4db38dce8ed58e4bf862006b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix order >= MAX_ORDER warning due to crafted negative i_size As syzbot reported [1], the root cause is that i_size field is a signed type, and negative i_size is also less than EROFS_BLKSIZ. As a consequence, it's handled as fast symlink unexpectedly. Let's fall back to the generic path to deal with such unusual i_size. [1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com | 2025-09-15 | not yet calculated | CVE-2022-50313 | https://git.kernel.org/stable/c/17a0cdbd7b0cf0fc0d7ca4187a67f8f1c18c291f https://git.kernel.org/stable/c/0ab621fcdff1a58ff4de51a8590fa92a0ecd34be https://git.kernel.org/stable/c/acc2f40b980c61a9178b72cdedd150b829064997 https://git.kernel.org/stable/c/b6c8330f5b0f22149957a2e4977fd0f01a9db7cd https://git.kernel.org/stable/c/6235fb899b25fd287d5e42635ff82196395708cc https://git.kernel.org/stable/c/1dd73601a1cba37a0ed5f89a8662c90191df5873 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nbd: Fix hung when signal interrupts nbd_start_device_ioctl() syzbot reported hung task [1]. The following program is a simplified version of the reproducer: int main(void) { int sv[2], fd; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1; if ((fd = open("/dev/nbd0", 0)) < 0) return 1; if (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0) return 1; if (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0) return 1; if (ioctl(fd, NBD_DO_IT) < 0) return 1; return 0; } When signal interrupt nbd_start_device_ioctl() waiting the condition atomic_read(&config->recv_threads) == 0, the task can hung because it waits the completion of the inflight IOs. This patch fixes the issue by clearing queue, not just shutdown, when signal interrupt nbd_start_device_ioctl(). | 2025-09-15 | not yet calculated | CVE-2022-50314 | https://git.kernel.org/stable/c/3ba3846cb3e2fb3c6fbf79e998472821b298419e https://git.kernel.org/stable/c/c7b4641bd2395c2f3cd3b0a0cbf292ed9d489398 https://git.kernel.org/stable/c/3575949513ea3b387b30dac1e69468a923c86caf https://git.kernel.org/stable/c/b2700f98b3f4dd19fb4315b70581e5caff89eb49 https://git.kernel.org/stable/c/c0d73be0af8c1310713bc39a8d7a22e35084e14f https://git.kernel.org/stable/c/62006a72b05e0d38727eef5188700f2488be5e89 https://git.kernel.org/stable/c/35fb7d4a53d9e36d1b91161ea9870d9c6d57dccf https://git.kernel.org/stable/c/1de7c3cf48fc41cd95adb12bd1ea9033a917798a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS UBSAN complains about array-index-out-of-bounds: This happens because sata_pmp_init_links() initialize link->pmp up to SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array. I can't find the maximum Enclosure Management ports specified in AHCI spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier Information" can utilize 4 bits, which implies it can support up to 16 ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the issue. BugLink: https://bugs.launchpad.net/bugs/1970074 | 2025-09-15 | not yet calculated | CVE-2022-50315 | https://git.kernel.org/stable/c/f70bd4339cb68bc7e206af4c922bc0d249244403 https://git.kernel.org/stable/c/da2ea4a961d9f89ed248734e7032350c260dc3a3 https://git.kernel.org/stable/c/67a00c299c5c143817c948fbc7de1a2fa1af38fb https://git.kernel.org/stable/c/383b7c50f5445ff8dbbf03080905648d6980c39d https://git.kernel.org/stable/c/303d0f761431d848dd8d7ff9fd9b8c101879cabe https://git.kernel.org/stable/c/8fbe13de1cc7cef2564be3cbf60400b33eee023b https://git.kernel.org/stable/c/d6314d5f68764550c84d732ce901ddd3ac6b415f https://git.kernel.org/stable/c/1e41e693f458eef2d5728207dbd327cd3b16580a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: orangefs: Fix kmemleak in orangefs_sysfs_init() When insert and remove the orangefs module, there are kobjects memory leaked as below: ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50316 | https://git.kernel.org/stable/c/9ce4ba7fff5af36da82dc5964221367630621b99 https://git.kernel.org/stable/c/22409490294180c39be7dd0e5b2667d41556307d https://git.kernel.org/stable/c/1f2c0e8a587bcafad85019a2d80f158d8d41a868 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/bridge: megachips: Fix a null pointer dereference bug When removing the module we will get the following warning: [ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered [ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI [ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130 [ 31.921825] Call Trace: [ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw] [ 31.923139] i2c_device_remove+0x181/0x1f0 The two bridges (stdp2690, stdp4028) do not probe at the same time, so the driver does not call ge_b850v3_resgiter() when probing, causing the driver to try to remove the object that has not been initialized. Fix this by checking whether both the bridges are probed. | 2025-09-15 | not yet calculated | CVE-2022-50317 | https://git.kernel.org/stable/c/aaa512ad1e59f2edf8a9e4f2b167a44b24670679 https://git.kernel.org/stable/c/5bc20bafcd87ba0858ab772cefc7047cb51bc249 https://git.kernel.org/stable/c/1daf69228e310938177119c4eadcd30fc75c81e0 https://git.kernel.org/stable/c/877e92e9b1bdeb580b31a46061005936be902cd4 https://git.kernel.org/stable/c/4610e7a4111fa3f3ce27c09d6d94008c55f1cd31 https://git.kernel.org/stable/c/21764467ab396d9f08921e0a5ffa1214244e1ad9 https://git.kernel.org/stable/c/7371fad5cfe6eada6bb5523c895fd6074b15c2b9 https://git.kernel.org/stable/c/1ff673333d46d2c1b053ebd0c1c7c7c79e36943e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() pci_get_device() will increase the reference count for the returned 'dev'. We need to call pci_dev_put() to decrease the reference count. Since 'dev' is only used in pci_read_config_dword(), let's add pci_dev_put() right after it. | 2025-09-15 | not yet calculated | CVE-2022-50318 | https://git.kernel.org/stable/c/5a96c10a56037db006ba6769307a9731cf6073be https://git.kernel.org/stable/c/e293263248f25c6b8aa1caf7c1103d40aa03311e https://git.kernel.org/stable/c/c0539d5d474ee6fa4ebc41f927a0f98f81244f25 https://git.kernel.org/stable/c/3485f197518061371568f842405159aa9e4df551 https://git.kernel.org/stable/c/48f32b9a74e2ac8e854bb87bfefdbc745125a123 https://git.kernel.org/stable/c/bd66877c0b3b42eed0ecee0bd2a2a505c1e54177 https://git.kernel.org/stable/c/1ff9dd6e7071a561f803135c1d684b13c7a7d01d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: trbe: remove cpuhp instance node before remove cpuhp state cpuhp_state_add_instance() and cpuhp_state_remove_instance() should be used in pairs. Or there will lead to the warn on cpuhp_remove_multi_state() since the cpuhp_step list is not empty. The following is the error log with 'rmmod coresight-trbe': Error: Removing state 215 which has instances left. Call trace: __cpuhp_remove_state_cpuslocked+0x144/0x160 __cpuhp_remove_state+0xac/0x100 arm_trbe_device_remove+0x2c/0x60 [coresight_trbe] platform_remove+0x34/0x70 device_remove+0x54/0x90 device_release_driver_internal+0x1e4/0x250 driver_detach+0x5c/0xb0 bus_remove_driver+0x64/0xc0 driver_unregister+0x3c/0x70 platform_driver_unregister+0x20/0x30 arm_trbe_exit+0x1c/0x658 [coresight_trbe] __arm64_sys_delete_module+0x1ac/0x24c invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0x58/0x1a0 do_el0_svc+0x38/0xd0 el0_svc+0x2c/0xc0 el0t_64_sync_handler+0x1ac/0x1b0 el0t_64_sync+0x19c/0x1a0 ---[ end trace 0000000000000000 ]--- | 2025-09-15 | not yet calculated | CVE-2022-50319 | https://git.kernel.org/stable/c/18b9202188a4e59923834c60b5c82ea1da7d1811 https://git.kernel.org/stable/c/2ea334960afcd49385840c7afd59fc5f8d3ce682 https://git.kernel.org/stable/c/3c18888bc0b51835c74123b1e04d5df11543724c https://git.kernel.org/stable/c/20ee8c223f792947378196307d8e707c9cdc2d61 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table which contains invalid physical addresses, with high bits set which fall outside the range of the CPU-s supported physical address range. Calling acpi_os_map_memory() on such an invalid phys address leads to the below WARN_ON in ioremap triggering resulting in an oops/stacktrace. Add code to verify the physical address before calling acpi_os_map_memory() to fix / avoid the oops. | 2025-09-15 | not yet calculated | CVE-2022-50320 | https://git.kernel.org/stable/c/30eca146c89d216dda95868ce00a2d35cf73d5a4 https://git.kernel.org/stable/c/90bfc9ae875dfbed2e6089516520204cd431dba3 https://git.kernel.org/stable/c/16046a716c8e1f447909bec9b478d58e6e25e513 https://git.kernel.org/stable/c/211391bf04b3c74e250c566eeff9cf808156c693 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb in case of pskb_expand_head() fails, add dev_kfree_skb() to fix it. Compile tested only. | 2025-09-15 | not yet calculated | CVE-2022-50321 | https://git.kernel.org/stable/c/4c55fdebc1c358de96bfab52ed309d58a3ba66ef https://git.kernel.org/stable/c/e5d01e85cf46628647cd696cb72ba4659b18967f https://git.kernel.org/stable/c/d869a189505224601e310c7769cb90b0e2f60b31 https://git.kernel.org/stable/c/e08e6812efb6a8c676e733de0518594d1517e0d9 https://git.kernel.org/stable/c/e8ef89e5b89ee041a94eecfb6c31fcc237f9168c https://git.kernel.org/stable/c/7f159116d620615779adbf88a5d94713702216d8 https://git.kernel.org/stable/c/3a4d18318f473e97d628f410215b3fac32d07aed https://git.kernel.org/stable/c/212fde3fe76e962598ce1d47b97cc78afdfc71b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. msc313_rtc_probe() was passing clk_disable_unprepare() directly, which did not have matching prototypes for devm_add_action_or_reset()'s callback argument. Refactor to use devm_clk_get_enabled() instead. This was found as a result of Clang's new -Wcast-function-type-strict flag, which is more sensitive than the simpler -Wcast-function-type, which only checks for type width mismatches. | 2025-09-15 | not yet calculated | CVE-2022-50322 | https://git.kernel.org/stable/c/5affaaf3334c9274131dae889ed79ea0553d61b4 https://git.kernel.org/stable/c/ba50fee6b41bcbafaeed3c51f90d37d1480ff9a0 https://git.kernel.org/stable/c/21b8a1dd56a163825e5749b303858fb902ebf198 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not sense pfmemalloc status in skb_append_pagefrags() skb_append_pagefrags() is used by af_unix and udp sendpage() implementation so far. In commit 326140063946 ("tcp: TX zerocopy should not sense pfmemalloc status") we explained why we should not sense pfmemalloc status for pages owned by user space. We should also use skb_fill_page_desc_noacc() in skb_append_pagefrags() to avoid following KCSAN report: | 2025-09-15 | not yet calculated | CVE-2022-50323 | https://git.kernel.org/stable/c/92b4c5c3fa810212da20088bcc6c0a77fc8607bd https://git.kernel.org/stable/c/847a2859814b31392340a2b16604b25afaa92dcc https://git.kernel.org/stable/c/228ebc41dfab5b5d34cd76835ddb0ca8ee12f513 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: maps: pxa2xx-flash: fix memory leak in probe Free 'info' upon remapping error to avoid a memory leak. [<miquel.raynal@bootlin.com>: Reword the commit log] | 2025-09-15 | not yet calculated | CVE-2022-50324 | https://git.kernel.org/stable/c/cb3f35f44887a8486737fe88d58050f1df290758 https://git.kernel.org/stable/c/e2324a0912ad26a0ea5baaf81aed0ca880804158 https://git.kernel.org/stable/c/6fa9550ef3e13d7e9b2d4db6dd57292ccd072a90 https://git.kernel.org/stable/c/cf9c4c25caad05c6b492cbba739a467511814279 https://git.kernel.org/stable/c/1d0c2b762dad2b8dd166e17c0e90b88b86a3284f https://git.kernel.org/stable/c/f35981083cb3fc1ba6427c1543152c5e3f59d104 https://git.kernel.org/stable/c/932baf593eb63dff40e40d7674f076fb7932cd5b https://git.kernel.org/stable/c/a1b061cafdbcb1ff259731f30e2bdc1de64dcaba https://git.kernel.org/stable/c/2399401feee27c639addc5b7e6ba519d3ca341bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix potential RX buffer overflow If an event caused firmware to return invalid RX size for LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes. Fix by utilizing min_t(). | 2025-09-15 | not yet calculated | CVE-2022-50325 | https://git.kernel.org/stable/c/ec1f0c12cb2e614c3fa8e9402f7ffcf82166078a https://git.kernel.org/stable/c/0bad12fee5ae16ab439d97c66c4238f5f4cc7f68 https://git.kernel.org/stable/c/23ae34e033b2c0e5e88237af82b163b296fd6aa9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: airspy: fix memory leak in airspy probe The commit ca9dc8d06ab6 ("media: airspy: respect the DMA coherency rules") moves variable buf from stack to heap, however, it only frees buf in the error handling code, missing deallocation in the success path. Fix this by freeing buf in the success path since this variable does not have any references in other code. | 2025-09-15 | not yet calculated | CVE-2022-50326 | https://git.kernel.org/stable/c/f4285dd02b6b2ca3435b65fb62c053dd9408fd71 https://git.kernel.org/stable/c/23bc5eb55f8c9607965c20d9ddcc13cb1ae59568 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). [ rjw: Subject and changelog edits, added empty line after if () ] | 2025-09-15 | not yet calculated | CVE-2022-50327 | https://git.kernel.org/stable/c/8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9 https://git.kernel.org/stable/c/fdee7a0acc566c4194d40a501b8a1584e86cc208 https://git.kernel.org/stable/c/ad1190744da9d812da55b76f2afce750afb0a3bd https://git.kernel.org/stable/c/2ecd629c788bbfb96be058edade2e934d3763eaf https://git.kernel.org/stable/c/b85f0e292f73f353eea915499604fbf50c8238b4 https://git.kernel.org/stable/c/2437513a814b3e93bd02879740a8a06e52e2cf7d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: fix potential use-after-free in jbd2_fc_wait_bufs In 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count which may lead to use-after-free. So judge buffer if uptodate before put buffer head reference count. | 2025-09-15 | not yet calculated | CVE-2022-50328 | https://git.kernel.org/stable/c/1d4d16daec2a6689b6d3fbfc7d2078643adc6619 https://git.kernel.org/stable/c/d11d2ded293976a1a0d9d9471827a44dc9e3c63f https://git.kernel.org/stable/c/2e6d9f381c1ed844531a577783fc352de7a44c8a https://git.kernel.org/stable/c/effd9b3c029ecdd853a11933dcf857f5a7ca8c3d https://git.kernel.org/stable/c/243d1a5d505d0b0460c9af0ad56ed4a56ef0bebd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq() can free bfqq first, and then call bic_set_bfqq(), which will cause uaf. Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq(). | 2025-09-15 | not yet calculated | CVE-2022-50329 | https://git.kernel.org/stable/c/1425f1bb5df5239021fd09ebc2a5e8070e705d36 https://git.kernel.org/stable/c/7949b0df3dd9f4817ed4a4e989fa9ee81df6205f https://git.kernel.org/stable/c/cfe5b38c37720313eff0dec5517442c7ab3c9a20 https://git.kernel.org/stable/c/1ed959fef5b1c6f1a7a3fbea543698c30ebd6678 https://git.kernel.org/stable/c/246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: cavium - prevent integer overflow loading firmware The "code_length" value comes from the firmware file. If your firmware is untrusted realistically there is probably very little you can do to protect yourself. Still we try to limit the damage as much as possible. Also Smatch marks any data read from the filesystem as untrusted and prints warnings if it is not capped correctly. The "ntohl(ucode->code_length) * 2" multiplication can have an integer overflow. | 2025-09-15 | not yet calculated | CVE-2022-50330 | https://git.kernel.org/stable/c/c4d4c2afd08dfb3cd1c880d1811ede2568e81a6d https://git.kernel.org/stable/c/90e483e7f20c32287d2a9da967e122938f52737a https://git.kernel.org/stable/c/584561e94260268abe1c83e00d9c205565cb7bc5 https://git.kernel.org/stable/c/3a720eb89026c5241b8c4abb33370dc6fb565eee https://git.kernel.org/stable/c/172c8a24fc8312cf6b88d3c88469653fdcb1c127 https://git.kernel.org/stable/c/371fa5129af53a79f6dddc90fe5bb0825cbe72a4 https://git.kernel.org/stable/c/e29fd7a6852376d2cfb95ad5d6d3eeff93f815e9 https://git.kernel.org/stable/c/2526d6bf27d15054bb0778b2f7bc6625fd934905 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new() Inject fault while probing module, if device_register() fails, but the refcount of kobject is not decreased to 0, the name allocated in dev_set_name() is leaked. Fix this by calling put_device(), so that name can be freed in callback function kobject_cleanup(). unreferenced object 0xffff88810152ad20 (size 8): comm "modprobe", pid 252, jiffies 4294849206 (age 22.713s) hex dump (first 8 bytes): 68 77 73 69 6d 30 00 ff hwsim0.. backtrace: [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0 [<00000000c0228a5e>] kvasprintf+0xb5/0x140 [<00000000cff8c21f>] kvasprintf_const+0x55/0x180 [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150 [<000000000a80b139>] dev_set_name+0xab/0xe0 | 2025-09-15 | not yet calculated | CVE-2022-50331 | https://git.kernel.org/stable/c/50c31fa952309536c6e4461ff815ddccc8dff9d5 https://git.kernel.org/stable/c/d87973314aba6de80a49f4271dd9be4ddc08e729 https://git.kernel.org/stable/c/258ad2fe5ede773625adfda88b173f4123e59f45 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: video/aperture: Call sysfb_disable() before removing PCI devices Call sysfb_disable() from aperture_remove_conflicting_pci_devices() before removing PCI devices. Without, simpledrm can still bind to simple-framebuffer devices after the hardware driver has taken over the hardware. Both drivers interfere with each other and results are undefined. Reported modesetting errors [1] are shown below. The problem was added by commit 5e0137612430 ("video/aperture: Disable and unregister sysfb devices via aperture helpers") to v6.0.3 and does not exist in the mainline branch. The mainline commit 5e0137612430 ("video/aperture: Disable and unregister sysfb devices via aperture helpers") has been backported from v6.0-rc1 to stable v6.0.3 from a larger patch series [2] that reworks fbdev framebuffer ownership. The backport misses a change to aperture_remove_conflicting_pci_devices(). Mainline itself is fine, because the function does not exist there as a result of the patch series. Instead of backporting the whole series, fix the additional function. | 2025-09-15 | not yet calculated | CVE-2022-50332 | https://git.kernel.org/stable/c/25a6688f27ff54f97adf7cce1d7e18c38bf51eb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: jfs: fix shift-out-of-bounds in dbDiscardAG This should be applied to most UBSAN bugs found recently by syzbot, by guarding the dbMount, as syzbot is feeding rubbish into the bmap descriptor. | 2025-09-15 | not yet calculated | CVE-2022-50333 | https://git.kernel.org/stable/c/f8d4d0bac603616e2fa4a3907e81ed13f8f3c380 https://git.kernel.org/stable/c/0183c8f46ab5bcd0740f41c87f5141c6ca2bf1bb https://git.kernel.org/stable/c/624843f1bac448150f6859999c72c4841c14a2e3 https://git.kernel.org/stable/c/50163a115831ef4e6402db5a7ef487d1989d7249 https://git.kernel.org/stable/c/911999b193735cd378517b6cd5fe585ee345d49c https://git.kernel.org/stable/c/10b87da8fae79c7daf5eda6a9e4f1d31b85b4d92 https://git.kernel.org/stable/c/ab5cd3d62c2493eca3337e7d0178cc7bd819ca64 https://git.kernel.org/stable/c/3d340b684dcec5e34efc470227cd1c7d2df121ad https://git.kernel.org/stable/c/25e70c6162f207828dd405b432d8f2a98dbf7082 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() Syzkaller reports a null-ptr-deref bug as follows: ====================================================== KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380 [...] Call Trace: <TASK> vfs_parse_fs_param fs/fs_context.c:148 [inline] vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129 vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191 generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231 do_new_mount fs/namespace.c:3036 [inline] path_mount+0x12de/0x1e20 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> ====================================================== According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length. Yet the problem is that hugetlbfs_parse_param() will dereference param->string without checking whether it is a null pointer. To be more specific, if hugetlbfs_parse_param() parses an illegal mount parameter, such as "size=,", the kernel will construct a struct fs_parameter with a null pointer in vfs_parse_fs_string(), then pass this struct fs_parameter to hugetlbfs_parse_param(), which triggers the above null-ptr-deref bug. This patch solves it by adding a sanity check on param->string in hugetlbfs_parse_param(). | 2025-09-15 | not yet calculated | CVE-2022-50334 | https://git.kernel.org/stable/c/fa71639873518e3587632ae58e25e4a96b57fa90 https://git.kernel.org/stable/c/dcd28191be9bbf307ba51a5b485773a55b0037c4 https://git.kernel.org/stable/c/9a8862820cbf1f18dca4f3b4c289d88561b3a384 https://git.kernel.org/stable/c/965e8f8ae0f642b5528f5a82b7bcaf15a659d5bd https://git.kernel.org/stable/c/f2207145693ae5697a7b59e2add4b92f9e5b0e3c https://git.kernel.org/stable/c/26215b7ee923b9251f7bb12c4e5f09dc465d35f2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: 9p: set req refcount to zero to avoid uninitialized usage When a new request is allocated, the refcount will be zero if it is reused, but if the request is newly allocated from slab, it is not fully initialized before being added to idr. If p9_read_work gets a response before the refcount is initialized, it will use an uninitialized req, which will result in a bad request data struct. Here are the logs from syzbot. Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00 0x00 0x00 . . . . . . . . ] (in kfence-#110): p9_fcall_fini net/9p/client.c:248 [inline] p9_req_put net/9p/client.c:396 [inline] p9_req_put+0x208/0x250 net/9p/client.c:390 p9_client_walk+0x247/0x540 net/9p/client.c:1165 clone_fid fs/9p/fid.h:21 [inline] v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118 v9fs_xattr_set fs/9p/xattr.c:100 [inline] v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159 __vfs_setxattr+0x119/0x180 fs/xattr.c:182 __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216 __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277 vfs_setxattr+0x143/0x340 fs/xattr.c:309 setxattr+0x146/0x160 fs/xattr.c:617 path_setxattr+0x197/0x1c0 fs/xattr.c:636 __do_sys_setxattr fs/xattr.c:652 [inline] __se_sys_setxattr fs/xattr.c:648 [inline] __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Below is a similar scenario, the scenario in the syzbot log looks more complicated than this one, but this patch can fix it. T21124 p9_read_work ======================== second trans ================================= p9_client_walk p9_client_rpc p9_client_prepare_req p9_tag_alloc req = kmem_cache_alloc(p9_req_cache, GFP_NOFS); tag = idr_alloc << preempted >> req->tc.tag = tag; /* req->[refcount/tag] == uninitialized */ m->rreq = p9_tag_lookup(m->client, m->rc.tag); /* increments uninitialized refcount */ refcount_set(&req->refcount, 2); /* cb drops one ref */ p9_client_cb(req) /* reader thread drops its ref: request is incorrectly freed */ p9_req_put(req) /* use after free and ref underflow */ p9_req_put(req) To fix it, we can initialize the refcount to zero before adding it to idr. | 2025-09-15 | not yet calculated | CVE-2022-50335 | https://git.kernel.org/stable/c/1cabce56626a61f4f02452cba61ad4332a4b73f8 https://git.kernel.org/stable/c/73c47b3123b351de2d3714a72a336c0f72f203af https://git.kernel.org/stable/c/967fc34f297e40fd2e068cf6b0c3eb4916228539 https://git.kernel.org/stable/c/26273ade77f54716e30dfd40ac6e85ceb54ac0f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add null pointer check to attr_load_runs_vcn Some metadata files are handled before MFT. This adds a null pointer check for some corner cases that could lead to NPD while reading these metadata files for a malformed NTFS image. ---truncated--- | 2025-09-15 | not yet calculated | CVE-2022-50336 | https://git.kernel.org/stable/c/ea6b3598406c58c5d09b6f4328e09616c077597f https://git.kernel.org/stable/c/26425414bfe5d302413b956ab2469176d4ff53aa https://git.kernel.org/stable/c/1621734cd3047f7979da1d7d5c5444d583d8b0ed https://git.kernel.org/stable/c/2681631c29739509eec59cc0b34e977bb04c6cf1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocxl: fix pci device refcount leak when calling get_function_0() get_function_0() calls pci_get_domain_bus_and_slot(), as comment says, it returns a pci device with refcount increment, so after using it, pci_dev_put() needs be called. Get the device reference when get_function_0() is not called, so pci_dev_put() can be called in the error path and callers unconditionally. And add comment above get_dvsec_vendor0() to tell callers to call pci_dev_put(). | 2025-09-15 | not yet calculated | CVE-2022-50337 | https://git.kernel.org/stable/c/a40e1b0a922a53fa925ea8b296e3de30a31ed028 https://git.kernel.org/stable/c/37a13b274e4513c757e50c002ddcbf4bc89adbb2 https://git.kernel.org/stable/c/9a1b3148975b71fdc194e62612478346bbe618cd https://git.kernel.org/stable/c/40ff4c2335a98f0ee96b099bfd70b8e6644f321f https://git.kernel.org/stable/c/27158c72678b39ee01cc01de1aba6b51c71abe2f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests. Note this patch is specific to stable branches 5.4 and 5.10. Since in newer kernel releases binder no longer caches a pointer to the vma. Instead, it has been refactored to use vma_lookup() which avoids the issue described here. This switch was introduced in commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA"). | 2025-09-15 | not yet calculated | CVE-2022-50338 | https://git.kernel.org/stable/c/27a594bc7a7c8238d239e3cdbcf2edfa3bbe9a1b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev() syzbot is again reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for setting of HCI_MGMT flag from mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can race with testing of HCI_MGMT flag from mgmt_index_removed() from hci_sock_bind() due to lack of serialization via hci_dev_lock(). Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag after INIT_DELAYED_WORK() completed. This is a local fix based on mgmt_chan_list_lock. Lack of serialization via hci_dev_lock() might be causing different race conditions somewhere else. But a global fix based on hci_dev_lock() should deserve a future patch. | 2025-09-16 | not yet calculated | CVE-2022-50339 | https://git.kernel.org/stable/c/e53c6180db8dd09de94e0a3bdf4fef6f5f9dd6e6 https://git.kernel.org/stable/c/f74ca25d6d6629ffd4fd80a1a73037253b57d06b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: vimc: Fix wrong function called when vimc_init() fails In vimc_init(), when platform_driver_register(&vimc_pdrv) fails, platform_driver_unregister(&vimc_pdrv) is wrongly called rather than platform_device_unregister(&vimc_pdev), which causes kernel warning: Unexpected driver unregister! WARNING: CPU: 1 PID: 14517 at drivers/base/driver.c:270 driver_unregister+0x8f/0xb0 RIP: 0010:driver_unregister+0x8f/0xb0 Call Trace: <TASK> vimc_init+0x7d/0x1000 [vimc] do_one_initcall+0xd0/0x4e0 do_init_module+0x1cf/0x6b0 load_module+0x65c2/0x7820 | 2025-09-16 | not yet calculated | CVE-2022-50340 | https://git.kernel.org/stable/c/14d85b600bb1f6f8ef61fa8fc1907e2e623d8350 https://git.kernel.org/stable/c/9c9ff35d68691aaea85b2e93763772e23930b3a3 https://git.kernel.org/stable/c/681ac2902039d9b497b3ae18fdc204314979e61e https://git.kernel.org/stable/c/f38df8984ef1b45ba23888d0e232cc21a95bd04b https://git.kernel.org/stable/c/f74d3f326d1d5b8951ce263c59a121ecfa65e7c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix oops during encryption When running xfstests against Azure the following oops occurred on an arm64 system This is because in scatterwalk_copychunks(), we attempted to write to a buffer (@sign) that was allocated in the stack (vmalloc area) by crypt_message() and thus accessing its remaining 8 (x2) bytes ended up crossing a page boundary. To simply fix it, we could just pass @sign kmalloc'd from crypt_message() and then we're done. Luckily, we don't seem to pass any other vmalloc'd buffers in smb_rqst::rq_iov... Instead, let's map the correct pages and offsets from vmalloc buffers as well in cifs_sg_set_buf() and then avoiding such oopses. | 2025-09-16 | not yet calculated | CVE-2022-50341 | https://git.kernel.org/stable/c/e8e2861cc3258dbe407d01ea8c59bb5a53132301 https://git.kernel.org/stable/c/fe6ea044c4f05706cb71040055b1c70c6c8275e0 https://git.kernel.org/stable/c/bf0543b93740916ee91956f9a63da6fc0d79daaa https://git.kernel.org/stable/c/a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9 https://git.kernel.org/stable/c/e8d16a54842d609fd4a3ed2d81d4333d6329aa94 https://git.kernel.org/stable/c/f7f291e14dde32a07b1f0aa06921d28f875a7b54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: floppy: Fix memory leak in do_floppy_init() A memory leak was reported when floppy_alloc_disk() failed in do_floppy_init(). If the floppy_alloc_disk() failed, disks of current drive will not be set, thus the latest allocated set->tag cannot be freed in the error handling path. A simple call graph shown as below: floppy_module_init() floppy_init() do_floppy_init() for (drive = 0; drive < N_DRIVE; drive++) blk_mq_alloc_tag_set() blk_mq_alloc_tag_set_tags() blk_mq_realloc_tag_set_tags() # set->tag allocated floppy_alloc_disk() blk_mq_alloc_disk() # error occurred, disks failed to allocated ->out_put_disk: for (drive = 0; drive < N_DRIVE; drive++) if (!disks[drive][0]) # the last disks is not set and loop break break; blk_mq_free_tag_set() # the latest allocated set->tag leaked Fix this problem by free the set->tag of current drive before jump to error handling path. [efremov: added stable list, changed title] | 2025-09-16 | not yet calculated | CVE-2022-50342 | https://git.kernel.org/stable/c/f36d8c8651506aea5f09899f5356ece5d1384f50 https://git.kernel.org/stable/c/75d8c8851a4da0190c2480e84315b5fd3d0356c5 https://git.kernel.org/stable/c/55b3c66a0d441cd37154ae95e44d0b82ccfd580e https://git.kernel.org/stable/c/f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible name leaks when rio_add_device() fails Patch series "rapidio: fix three possible memory leaks". This patchset fixes three name leaks in error handling. - patch #1 fixes two name leaks while rio_add_device() fails. - patch #2 fixes a name leak while rio_register_mport() fails. This patch (of 2): If rio_add_device() returns error, the name allocated by dev_set_name() need be freed. It should use put_device() to give up the reference in the error path, so that the name can be freed in kobject_cleanup(), and the 'rdev' can be freed in rio_release_dev(). | 2025-09-16 | not yet calculated | CVE-2022-50343 | https://git.kernel.org/stable/c/3b4676f274a6b5d001176f15d0542100bbf4b59a https://git.kernel.org/stable/c/c482cb0deb57924335103fe592c379a076d867f8 https://git.kernel.org/stable/c/80fad2e53eaed2b3a2ff596575f65669e13ceda5 https://git.kernel.org/stable/c/440afd7fd9b164fdde6fc9da8c47d3d7f20dcce8 https://git.kernel.org/stable/c/88fa351b20ca300693a206ccd3c4b0e0647944d8 https://git.kernel.org/stable/c/ec3f04f74f50d0b6bac04d795c93c2b852753a7a https://git.kernel.org/stable/c/c413f65011ff8caffabcde0e1c3ceede48a48d6f https://git.kernel.org/stable/c/85fbf58b15c09d3a6a03098c1e42ebfe9002f39d https://git.kernel.org/stable/c/f9574cd48679926e2a569e1957a5a1bcc8a719ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix null-ptr-deref in ext4_write_info I caught a null-ptr-deref bug as follows: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339 RIP: 0010:ext4_write_info+0x53/0x1b0 [...] Call Trace: dquot_writeback_dquots+0x341/0x9a0 ext4_sync_fs+0x19e/0x800 __sync_filesystem+0x83/0x100 sync_filesystem+0x89/0xf0 generic_shutdown_super+0x79/0x3e0 kill_block_super+0xa1/0x110 deactivate_locked_super+0xac/0x130 deactivate_super+0xb6/0xd0 cleanup_mnt+0x289/0x400 __cleanup_mnt+0x16/0x20 task_work_run+0x11c/0x1c0 exit_to_user_mode_prepare+0x203/0x210 syscall_exit_to_user_mode+0x5b/0x3a0 do_syscall_64+0x59/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ================================================================== Above issue may happen as follows: ------------------------------------- exit_to_user_mode_prepare task_work_run __cleanup_mnt cleanup_mnt deactivate_super deactivate_locked_super kill_block_super generic_shutdown_super shrink_dcache_for_umount dentry = sb->s_root sb->s_root = NULL <--- Here set NULL sync_filesystem __sync_filesystem sb->s_op->sync_fs > ext4_sync_fs dquot_writeback_dquots sb->dq_op->write_info > ext4_write_info ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2) d_inode(sb->s_root) s_root->d_inode <--- Null pointer dereference To solve this problem, we use ext4_journal_start_sb directly to avoid s_root being used. | 2025-09-16 | not yet calculated | CVE-2022-50344 | https://git.kernel.org/stable/c/dc451578446afd03c0c21913993c08898a691435 https://git.kernel.org/stable/c/f4b5ff0b794aa94afac7269c494550ca2f66511b https://git.kernel.org/stable/c/947264e00c46de19a016fd81218118c708fed2f3 https://git.kernel.org/stable/c/3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4 https://git.kernel.org/stable/c/f34ab95162763cd7352f46df169296eec28b688d https://git.kernel.org/stable/c/533c60a0b97cee5daab376933f486207e6680fb7 https://git.kernel.org/stable/c/4a657319cfabd6199fd0b7b65bbebf6ded7a11c1 https://git.kernel.org/stable/c/bb420e8afc854d2a1caaa23a0c129839acfb7888 https://git.kernel.org/stable/c/f9c1f248607d5546075d3f731e7607d5571f2b60 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv3 READ Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply at the same time. Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large. A client can force this shrinkage on TCP by sending a correctly- formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case. | 2025-09-16 | not yet calculated | CVE-2022-50345 | https://git.kernel.org/stable/c/c23687911f82a63fa2977ce9c992b395e90f8ba0 https://git.kernel.org/stable/c/75d9de25a6f833dd0701ca546ac926cabff2b5af https://git.kernel.org/stable/c/bc6c0ed253cd4763dba7541d558e4b704f33176f https://git.kernel.org/stable/c/309f29361b6bfae96936317376f1114568c5de19 https://git.kernel.org/stable/c/fa6be9cc6e80ec79892ddf08a8c10cabab9baf38 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: init quota for 'old.inode' in 'ext4_rename' Syzbot found the following issue: As 'ext4_rename' will modify 'old.inode' ctime and mark inode dirty, which may trigger expand 'extra_isize' and allocate block. If inode didn't init quota will lead to warning. To solve above issue, init 'old.inode' firstly in 'ext4_rename'. | 2025-09-16 | not yet calculated | CVE-2022-50346 | https://git.kernel.org/stable/c/67f6d5a4043f3db0c6bb0e14a0d97a7be8bfb8b5 https://git.kernel.org/stable/c/33fd7031d634f3b46e59f61adfbb0ea9fe514fef https://git.kernel.org/stable/c/7dfb8259f66faafa68d23a261b284d2c2c67649b https://git.kernel.org/stable/c/f263e349bacc2f303526dcfa61c4bc50132418b1 https://git.kernel.org/stable/c/84a2f2ed49d6a4d92b354219077434c57d334620 https://git.kernel.org/stable/c/def7a39091e60e1c4a2f623629082a00092602be https://git.kernel.org/stable/c/135ba9146f4d38abed48a540ef8a8770ff0bd34f https://git.kernel.org/stable/c/13271fbbe85d73a7c47058f56a52f2a7f00d6e39 https://git.kernel.org/stable/c/fae381a3d79bb94aa2eb752170d47458d778b797 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path, besides, led_classdev_unregister() and pm_runtime_disable() also need be called. | 2025-09-16 | not yet calculated | CVE-2022-50347 | https://git.kernel.org/stable/c/d7ad7278be401b09c9f9a9f522cf4c449c7fd489 https://git.kernel.org/stable/c/e598c9683fe1cf97c2b11b800cc3cee072108220 https://git.kernel.org/stable/c/89303ddbb502c3bc8edbf864f9f85500c8fe07e9 https://git.kernel.org/stable/c/937112e991ed25d1727d878734adcbef3b900274 https://git.kernel.org/stable/c/7fa922c7a3dd623fd59f1af50e8896fd9ca7f654 https://git.kernel.org/stable/c/df683201c7ffbd21a806a7cad657b661c5ebfb6f https://git.kernel.org/stable/c/1491667d5450778a265eddddd294219acfd648cb https://git.kernel.org/stable/c/a522e26a20a43dcfbef9ee9f71ed803290e852b0 https://git.kernel.org/stable/c/fc38a5a10e9e5a75eb9189854abeb8405b214cc9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix a memory leak in an error handling path If this memdup_user() call fails, the memory allocated in a previous call a few lines above should be freed. Otherwise it leaks. | 2025-09-16 | not yet calculated | CVE-2022-50348 | https://git.kernel.org/stable/c/acc393aecda05bf64ed13b732931462e07a1bf08 https://git.kernel.org/stable/c/e060c4b9f33c1fca74df26d57a98e784295327e6 https://git.kernel.org/stable/c/aed8816305575b38dcc77feb6f1bc1d0ed32f5b8 https://git.kernel.org/stable/c/733dd17158f96aaa25408dc39bbb2738fda9300e https://git.kernel.org/stable/c/cc3bca2110ac85cd964da997ef83d84cab0d49fb https://git.kernel.org/stable/c/fd1ef88049de09bc70d60b549992524cfc0e66ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() If device_register() returns error in tifm_7xx1_switch_media(), name of kobject which is allocated in dev_set_name() called in device_add() is leaked. Never directly free @dev after calling device_register(), even if it returned an error! Always use put_device() to give up the reference initialized. | 2025-09-16 | not yet calculated | CVE-2022-50349 | https://git.kernel.org/stable/c/2bbb222a54ff501f77ce593d21b76b79c905045e https://git.kernel.org/stable/c/d861b7d41b17942b337d4b87a70de7cd1dc44d4e https://git.kernel.org/stable/c/1695b1adcc3a7d985cd22fa3b55761edf3fab50d https://git.kernel.org/stable/c/ee2715faf7e7153f5142ed09aacfa89a64d45dcb https://git.kernel.org/stable/c/57c857353d5020bdec8284d9c0fee447484fe5e0 https://git.kernel.org/stable/c/848c45964ded537107e010aaf353aa30a0855387 https://git.kernel.org/stable/c/35abbc8406cc39e72d3ce85f6e869555afe50d54 https://git.kernel.org/stable/c/ef843ee20576039126d34d6eb5f45d14c3e6ce18 https://git.kernel.org/stable/c/fd2c930cf6a5b9176382c15f9acb1996e76e25ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix a race condition between login_work and the login thread In case a malicious initiator sends some random data immediately after a login PDU, the iscsi_target_sk_data_ready() callback will schedule the login_work and, at the same time, the negotiation may end without clearing the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are required to complete the login). The login has been completed but the login_work function will find the LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling itself; at this point, if the initiator drops the connection, the iscsit_conn structure will be freed, login_work will dereference a released socket structure and the kernel crashes. BUG: kernel NULL pointer dereference, address: 0000000000000230 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod] RIP: 0010:_raw_read_lock_bh+0x15/0x30 Call trace: iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod] process_one_work+0x1e8/0x3c0 Fix this bug by forcing login_work to stop after the login has been completed and the socket callbacks have been restored. Add a comment to clarify the return values of iscsi_target_do_login() | 2025-09-16 | not yet calculated | CVE-2022-50350 | https://git.kernel.org/stable/c/1533b8b3058db618409f41554ebe768c2e3acfae https://git.kernel.org/stable/c/3ecdca49ca49d4770639d81503c873b6d25887c4 https://git.kernel.org/stable/c/fec1b2fa62c162d03f5dcd7b03e3c89d3116d49f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_create() If the cifs already shutdown, we should free the xid before return, otherwise, the xid will be leaked. | 2025-09-16 | not yet calculated | CVE-2022-50351 | https://git.kernel.org/stable/c/593d877c39aa9f3fe1a4b5b022492886d7d700ec https://git.kernel.org/stable/c/92aa09c86ef297976a3c27c6574c0839418dc2c4 https://git.kernel.org/stable/c/fee0fb1f15054bb6a0ede452acb42da5bef4d587 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns: fix possible memory leak in hnae_ae_register() Inject fault while probing module, if device_register() fails, but the refcount of kobject is not decreased to 0, the name allocated in dev_set_name() is leaked. Fix this by calling put_device(), so that name can be freed in callback function kobject_cleanup(). unreferenced object 0xffff00c01aba2100 (size 128): comm "systemd-udevd", pid 1259, jiffies 4294903284 (age 294.152s) hex dump (first 32 bytes): 68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff hnae0....!...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000034783f26>] slab_post_alloc_hook+0xa0/0x3e0 [<00000000748188f2>] __kmem_cache_alloc_node+0x164/0x2b0 [<00000000ab0743e8>] __kmalloc_node_track_caller+0x6c/0x390 [<000000006c0ffb13>] kvasprintf+0x8c/0x118 [<00000000fa27bfe1>] kvasprintf_const+0x60/0xc8 [<0000000083e10ed7>] kobject_set_name_vargs+0x3c/0xc0 [<000000000b87affc>] dev_set_name+0x7c/0xa0 [<000000003fd8fe26>] hnae_ae_register+0xcc/0x190 [hnae] [<00000000fe97edc9>] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf] [<00000000c36ff1eb>] hns_dsaf_probe+0x548/0x748 [hns_dsaf] | 2025-09-16 | not yet calculated | CVE-2022-50352 | https://git.kernel.org/stable/c/a3c148955c22fe1d94d7a2096005679c1f22eddf https://git.kernel.org/stable/c/3b78453cca046d3b03853f0d077ad3ad130db886 https://git.kernel.org/stable/c/7ae1345f6ad715acbcdc9e1ac28153684fd498bb https://git.kernel.org/stable/c/dfc0337c6dceb6449403b33ecb141f4a1458a1e9 https://git.kernel.org/stable/c/2974f3b330ef25f5d34a4948d04290c2cd7802cf https://git.kernel.org/stable/c/91f8f5342bee726ed5692583d58f69e7cc9ae60e https://git.kernel.org/stable/c/02dc0db19d944b4a90941db505ecf1aaec714be4 https://git.kernel.org/stable/c/ff2f5ec5d009844ec28f171123f9e58750cef4bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: wmt-sdmmc: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, clk_disable_unprepare() also needs be called. | 2025-09-17 | not yet calculated | CVE-2022-50353 | https://git.kernel.org/stable/c/70b0620afab3c69d95a7e2dd7ceff162a21c4009 https://git.kernel.org/stable/c/ecd6f77af3478f5223aa4011642a891b7dc91228 https://git.kernel.org/stable/c/c7a328cea791cc2769b6417943939420913b4a46 https://git.kernel.org/stable/c/9bedf64dda84b29151e41591d8ded9ff0e6d336a https://git.kernel.org/stable/c/58c3a8d0f1abeb1ca5c2df948be58ad4f7bb6f67 https://git.kernel.org/stable/c/b40ac3b696a9c84b36211ef0c3f5a422650c101b https://git.kernel.org/stable/c/eb7a2d516d4fbd165c07877a20feccb047342b1f https://git.kernel.org/stable/c/29276d56f6ed138db0f38cd31aedc0b725c8c76c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kfd_process_device_init_vm error handling Should only destroy the ib_mem and let process cleanup worker to free the outstanding BOs. Reset the pointer in pdd->qpd structure, to avoid NULL pointer access in process destroy worker. BUG: kernel NULL pointer dereference, address: 0000000000000010 Call Trace: amdgpu_amdkfd_gpuvm_unmap_gtt_bo_from_kernel+0x46/0xb0 [amdgpu] kfd_process_device_destroy_cwsr_dgpu+0x40/0x70 [amdgpu] kfd_process_destroy_pdds+0x71/0x190 [amdgpu] kfd_process_wq_release+0x2a2/0x3b0 [amdgpu] process_one_work+0x2a1/0x600 worker_thread+0x39/0x3d0 | 2025-09-17 | not yet calculated | CVE-2022-50354 | https://git.kernel.org/stable/c/b6e78bd3bf2eb964c95eb2596d3cd367307a20b5 https://git.kernel.org/stable/c/9d74d1f52e16d8e07f7fbe52e96d6391418a2fe9 https://git.kernel.org/stable/c/29d48b87db64b6697ddad007548e51d032081c59 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: vt6655: fix some erroneous memory clean-up loops In some initialization functions of this driver, memory is allocated with 'i' acting as an index variable and increasing from 0. The commit in "Fixes" introduces some clean-up codes in case of allocation failure, which free memory in reverse order with 'i' decreasing to 0. However, there are some problems: - The case i=0 is left out. Thus memory is leaked. - In case memory allocation fails right from the start, the memory freeing loops will start with i=-1 and invalid memory locations will be accessed. One of these loops has been fixed in commit c8ff91535880 ("staging: vt6655: fix potential memory leak"). Fix the remaining erroneous loops. | 2025-09-17 | not yet calculated | CVE-2022-50355 | https://git.kernel.org/stable/c/637672a71f5016a40b0a6c0f3c8ad25eacedc8c3 https://git.kernel.org/stable/c/88b9cc60f26e8a05d1ddbddf91b09ca2915f20e0 https://git.kernel.org/stable/c/95ac62e8545be2b0a8cae0beef7c682e2e470e48 https://git.kernel.org/stable/c/f19e5b7df54590c831f350381963f25585c8f7d5 https://git.kernel.org/stable/c/a9e9806d1c315bc50dce05479a079b9a104474b8 https://git.kernel.org/stable/c/ed11b73c963292e7b49c0f37025c58ed3b7921d6 https://git.kernel.org/stable/c/2a2db520e3ca5aafba7c211abfd397666c9b5f9d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: sfb: fix null pointer access issue when sfb_init() fails When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue. The process is as follows: qdisc_create_dflt() sfb_init() tcf_block_get() --->failed, q->qdisc is NULL ... qdisc_put() ... sfb_reset() qdisc_reset(q->qdisc) --->q->qdisc is NULL ops = qdisc->ops The following is the Call Trace information: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] RIP: 0010:qdisc_reset+0x2b/0x6f0 Call Trace: <TASK> sfb_reset+0x37/0xd0 qdisc_reset+0xed/0x6f0 qdisc_destroy+0x82/0x4c0 qdisc_put+0x9e/0xb0 qdisc_create_dflt+0x2c3/0x4a0 mqprio_init+0xa71/0x1760 qdisc_create+0x3eb/0x1000 tc_modify_qdisc+0x408/0x1720 rtnetlink_rcv_msg+0x38e/0xac0 netlink_rcv_skb+0x12d/0x3a0 netlink_unicast+0x4a2/0x740 netlink_sendmsg+0x826/0xcc0 sock_sendmsg+0xc5/0x100 ____sys_sendmsg+0x583/0x690 ___sys_sendmsg+0xe8/0x160 __sys_sendmsg+0xbf/0x160 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f2164122d04 </TASK> | 2025-09-17 | not yet calculated | CVE-2022-50356 | https://git.kernel.org/stable/c/ded86c4191a3c17f8200d17a7d8a6f63b74554ae https://git.kernel.org/stable/c/c2e1e59d59fafe297779ceae1fe0e6fbebc3e745 https://git.kernel.org/stable/c/723399af2795fb95687a531c9480464b5f489333 https://git.kernel.org/stable/c/2a3fc78210b9f0e85372a2435368962009f480fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: fix some leaks in probe The dwc3_get_properties() function calls: dwc->usb_psy = power_supply_get_by_name(usb_psy_name); so there is some additional clean up required on these error paths. | 2025-09-17 | not yet calculated | CVE-2022-50357 | https://git.kernel.org/stable/c/79c3afb55942368921237d7b5355d48c52bdde20 https://git.kernel.org/stable/c/3a213503f483173e7eea76f2e7e3bdd6df7fd6f8 https://git.kernel.org/stable/c/2a735e4b5580a2a6bbd6572109b4c4f163c57462 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: brcmfmac: return error when getting invalid max_flowrings from dongle When firmware hit trap at initialization, host will read abnormal max_flowrings number from dongle, and it will cause kernel panic when doing iowrite to initialize dongle ring. To detect this error at early stage, we directly return error when getting invalid max_flowrings(>256). | 2025-09-17 | not yet calculated | CVE-2022-50358 | https://git.kernel.org/stable/c/3cc9299036bdb647408e11e41de3eb1ff6d428cd https://git.kernel.org/stable/c/2e8bb402b060a6c22160de3d72cee057698177c8 https://git.kernel.org/stable/c/10c4b63d09a5b0ebf1b61af1dae7f25555cf58b6 https://git.kernel.org/stable/c/87f126b25fa8562196f0f4c0aa46a446026199bf https://git.kernel.org/stable/c/200347eb3b2608cc8b54c13dd1d5e03809ba2eb2 https://git.kernel.org/stable/c/2aca4f3734bd717e04943ddf340d49ab62299a00 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cx88: Fix a null-ptr-deref bug in buffer_prepare() When the driver calls cx88_risc_buffer() to prepare the buffer, the function call may fail, resulting in a empty buffer and null-ptr-deref later in buffer_queue(). The following log can reveal it: [ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI [ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500 [ 41.836311] Call Trace: [ 41.836945] __enqueue_in_driver+0x141/0x360 [ 41.837262] vb2_start_streaming+0x62/0x4a0 [ 41.838216] vb2_core_streamon+0x1da/0x2c0 [ 41.838516] __vb2_init_fileio+0x981/0xbc0 [ 41.839141] __vb2_perform_fileio+0xbf9/0x1120 [ 41.840072] vb2_fop_read+0x20e/0x400 [ 41.840346] v4l2_read+0x215/0x290 [ 41.840603] vfs_read+0x162/0x4c0 Fix this by checking the return value of cx88_risc_buffer() [hverkuil: fix coding style issues] | 2025-09-17 | not yet calculated | CVE-2022-50359 | https://git.kernel.org/stable/c/c76d04d2079a4b7369ce9a0e859c0f3f2250bcc1 https://git.kernel.org/stable/c/10c99d1c46ea9cd940029e17bab11d021f315c21 https://git.kernel.org/stable/c/4befc7ffa18ef9a4b70d854465313a345a06862f https://git.kernel.org/stable/c/9181af2dbf06e7f432e5dbe88d10b22343e851b9 https://git.kernel.org/stable/c/c2257c8a501537afab276c306cb717b7260276e1 https://git.kernel.org/stable/c/6f21976095c1e92454ab030976f95f40d652351b https://git.kernel.org/stable/c/704838040f3bdb4aa07ff4f26505a666a3defcfe https://git.kernel.org/stable/c/644d5a87ab1863eb606526ea743021752a17e9cb https://git.kernel.org/stable/c/2b064d91440b33fba5b452f2d1b31f13ae911d71 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: fix aux-bus EP lifetime Device-managed resources allocated post component bind must be tied to the lifetime of the aggregate DRM device or they will not necessarily be released when binding of the aggregate device is deferred. This can lead to resource leaks or failure to bind the aggregate device when binding is later retried and a second attempt to allocate the resources is made. For the DP aux-bus, an attempt to populate the bus a second time will simply fail ("DP AUX EP device already populated"). Fix this by tying the lifetime of the EP device to the DRM device rather than DP controller platform device. Patchwork: https://patchwork.freedesktop.org/patch/502672/ | 2025-09-17 | not yet calculated | CVE-2022-50360 | https://git.kernel.org/stable/c/8768663188e4169333f66583e4d2432e65c421df https://git.kernel.org/stable/c/2b57f726611e294dc4297dd48eb8c98ef1938e82 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: add missing unregister_netdev() in wilc_netdev_ifc_init() Fault injection test reports this issue: kernel BUG at net/core/dev.c:10731! invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI Call Trace: <TASK> wilc_netdev_ifc_init+0x19f/0x220 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5] wilc_cfg80211_init+0x30c/0x380 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5] wilc_bus_probe+0xad/0x2b0 [wilc1000_spi 1520a7539b6589cc6cde2ae826a523a33f8bacff] spi_probe+0xe4/0x140 really_probe+0x17e/0x3f0 __driver_probe_device+0xe3/0x170 driver_probe_device+0x49/0x120 The root cause here is that alloc_ordered_workqueue() fails, but cfg80211_unregister_netdevice() or unregister_netdev() is not called in the error handling path. To fix this, add an unregister_netdev goto label to add the unregister operation in the error handling path. | 2025-09-17 | not yet calculated | CVE-2022-50361 | https://git.kernel.org/stable/c/a1bdecedc7ad0512365267cd1a26bfc2ae455c59 https://git.kernel.org/stable/c/6da6ce086221803ed6c3b1db11096cecd3e58ec8 https://git.kernel.org/stable/c/2b88974ecb358990e1c33fabcd0b9e142bab7f21 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: hisilicon: Add multi-thread support for a DMA channel When we get a DMA channel and try to use it in multiple threads it will cause oops and hanging the system. % echo 100 > /sys/module/dmatest/parameters/threads_per_chan % echo 100 > /sys/module/dmatest/parameters/iterations % echo 1 > /sys/module/dmatest/parameters/run [383493.327077] Unable to handle kernel paging request at virtual address dead000000000108 [383493.335103] Mem abort info: [383493.335103] ESR = 0x96000044 [383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits [383493.335107] SET = 0, FnV = 0 [383493.335108] EA = 0, S1PTW = 0 [383493.335109] FSC = 0x04: level 0 translation fault [383493.335110] Data abort info: [383493.335111] ISV = 0, ISS = 0x00000044 [383493.364739] CM = 0, WnR = 1 [383493.367793] [dead000000000108] address between user and kernel address ranges [383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP [383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump: loaded Tainted: GO 5.17.0-rc4+ #2 [383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [383493.465331] pc : vchan_tx_submit+0x64/0xa0 [383493.469957] lr : vchan_tx_submit+0x34/0xa0 This occurs because the transmission timed out, and that's due to data race. Each thread rewrite channel's descriptor as soon as device_issue_pending is called. It leads to the situation that the driver thinks that it uses the right descriptor in interrupt handler while channel's descriptor has been changed by other thread. The descriptor which in fact reported interrupt will not be handled any more, as well as its tx->callback. That's why timeout reports. With current fixes channels' descriptor changes its value only when it has been used. A new descriptor is acquired from vc->desc_issued queue that is already filled with descriptors that are ready to be sent. Threads have no direct access to DMA channel descriptor. In case of channel's descriptor is busy, try to submit to HW again when a descriptor is completed. In this case, vc->desc_issued may be empty when hisi_dma_start_transfer is called, so delete error reporting on this. Now it is just possible to queue a descriptor for further processing. | 2025-09-17 | not yet calculated | CVE-2022-50362 | https://git.kernel.org/stable/c/af12e209a9d559394d35875ba0e6c80407605888 https://git.kernel.org/stable/c/7cb9b20941e1fb20d22d0a2f460a3d4fa417274c https://git.kernel.org/stable/c/d4a8ec5cc7ff5d442bd49a44f26d74b2021ba4c8 https://git.kernel.org/stable/c/f4cee0b385cd0348e071d4d80c4c13cfe547c70d https://git.kernel.org/stable/c/2cbb95883c990d0002a77e13d3278913ab26ad79 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: skmsg: pass gfp argument to alloc_sk_msg() syzbot found that alloc_sk_msg() could be called from a non sleepable context. sk_psock_verdict_recv() uses rcu_read_lock() protection. We need the callers to pass a gfp_t argument to avoid issues. syzbot report was: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 3613, name: syz-executor414 preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 PID: 3613 Comm: syz-executor414 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 __might_resched+0x538/0x6a0 kernel/sched/core.c:9877 might_alloc include/linux/sched/mm.h:274 [inline] slab_pre_alloc_hook mm/slab.h:700 [inline] slab_alloc_node mm/slub.c:3162 [inline] slab_alloc mm/slub.c:3256 [inline] kmem_cache_alloc_trace+0x59/0x310 mm/slub.c:3287 kmalloc include/linux/slab.h:600 [inline] kzalloc include/linux/slab.h:733 [inline] alloc_sk_msg net/core/skmsg.c:507 [inline] sk_psock_skb_ingress_self+0x5c/0x330 net/core/skmsg.c:600 sk_psock_verdict_apply+0x395/0x440 net/core/skmsg.c:1014 sk_psock_verdict_recv+0x34d/0x560 net/core/skmsg.c:1201 tcp_read_skb+0x4a1/0x790 net/ipv4/tcp.c:1770 tcp_rcv_established+0x129d/0x1a10 net/ipv4/tcp_input.c:5971 tcp_v4_do_rcv+0x479/0xac0 net/ipv4/tcp_ipv4.c:1681 sk_backlog_rcv include/net/sock.h:1109 [inline] __release_sock+0x1d8/0x4c0 net/core/sock.c:2906 release_sock+0x5d/0x1c0 net/core/sock.c:3462 tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1483 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] __sys_sendto+0x46d/0x5f0 net/socket.c:2117 __do_sys_sendto net/socket.c:2129 [inline] __se_sys_sendto net/socket.c:2125 [inline] __x64_sys_sendto+0xda/0xf0 net/socket.c:2125 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-09-17 | not yet calculated | CVE-2022-50363 | https://git.kernel.org/stable/c/693ddd6ffc05b228ea1638f9d757c5d3541f9446 https://git.kernel.org/stable/c/2d1f274b95c6e4ba6a813b3b8e7a1a38d54a0a08 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: mux: reg: check return value after calling platform_get_resource() It will cause null-ptr-deref in resource_size(), if platform_get_resource() returns NULL, move calling resource_size() after devm_ioremap_resource() that will check 'res' to avoid null-ptr-deref. And use devm_platform_get_and_ioremap_resource() to simplify code. | 2025-09-17 | not yet calculated | CVE-2022-50364 | https://git.kernel.org/stable/c/61df25c41b8e0d2c988ccf17139f70075a2e1ba4 https://git.kernel.org/stable/c/8212800943997fab61874550278d653cb378c60c https://git.kernel.org/stable/c/f5049b3ad9446203b916ee375f30fa217735f63a https://git.kernel.org/stable/c/f7a440c89b6d460154efeb058272760e41bdfea8 https://git.kernel.org/stable/c/2d47b79d2bd39cc6369eccf94a06568d84c906ae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: skbuff: Account for tail adjustment during pull operations Extending the tail can have some unexpected side effects if a program uses a helper like BPF_FUNC_skb_pull_data to read partial content beyond the head skb headlen when all the skbs in the gso frag_list are linear with no head_frag - kernel BUG at net/core/skbuff.c:4219! pc : skb_segment+0xcf4/0xd2c lr : skb_segment+0x63c/0xd2c Call trace: skb_segment+0xcf4/0xd2c __udp_gso_segment+0xa4/0x544 udp4_ufo_fragment+0x184/0x1c0 inet_gso_segment+0x16c/0x3a4 skb_mac_gso_segment+0xd4/0x1b0 __skb_gso_segment+0xcc/0x12c udp_rcv_segment+0x54/0x16c udp_queue_rcv_skb+0x78/0x144 udp_unicast_rcv_skb+0x8c/0xa4 __udp4_lib_rcv+0x490/0x68c udp_rcv+0x20/0x30 ip_protocol_deliver_rcu+0x1b0/0x33c ip_local_deliver+0xd8/0x1f0 ip_rcv+0x98/0x1a4 deliver_ptype_list_skb+0x98/0x1ec __netif_receive_skb_core+0x978/0xc60 Fix this by marking these skbs as GSO_DODGY so segmentation can handle the tail updates accordingly. | 2025-09-17 | not yet calculated | CVE-2022-50365 | https://git.kernel.org/stable/c/ff3743d00f41d803e6ab9334962b674f3b7fd0cb https://git.kernel.org/stable/c/6ac417d71b80e74b002313fcd73f7e9008e8e457 https://git.kernel.org/stable/c/2d59f0ca153e9573ec4f140988c0ccca0eb4181b https://git.kernel.org/stable/c/668dc454bcbd1da73605201ff43f988c70848215 https://git.kernel.org/stable/c/821be5a5ab09a40ba09cb5ba354f18cf7996fea0 https://git.kernel.org/stable/c/8fb773eed4909ef5dc1bbeb3629a337d3336df7e https://git.kernel.org/stable/c/946dd5dc4fcc4123cdfe3942b20012c4448cf89a https://git.kernel.org/stable/c/331615d837f4979eb91a336a223a5c7f7886ecd5 https://git.kernel.org/stable/c/2d7afdcbc9d32423f177ee12b7c93783aea338fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue When value < time_unit, the parameter of ilog2() will be zero and the return value is -1. u64(-1) is too large for shift exponent and then will trigger shift-out-of-bounds: shift exponent 18446744073709551615 is too large for 32-bit type 'int' Call Trace: rapl_compute_time_window_core rapl_write_data_raw set_time_window store_constraint_time_window_us | 2025-09-17 | not yet calculated | CVE-2022-50366 | https://git.kernel.org/stable/c/42f79dbb9514f726ff21df25f09cb0693b0b2445 https://git.kernel.org/stable/c/3eb0ba70376f6ee40fa843fc9cee49269370b0b3 https://git.kernel.org/stable/c/4ebba43384722adbd325baec3a12c572d94488eb https://git.kernel.org/stable/c/49a6ffdaed60f0eb52c198fafebc05994e16e305 https://git.kernel.org/stable/c/708b9abe1b4a2f050a483db4b7edfc446b13df1f https://git.kernel.org/stable/c/139bbbd01114433b80fe59f5e1330615aadf9752 https://git.kernel.org/stable/c/6216b685b8f48ab7b721a6fd5acbf526b41c13e8 https://git.kernel.org/stable/c/1d94af37565e4d3c26b0d63428e093a37d5b4c32 https://git.kernel.org/stable/c/2d93540014387d1c73b9ccc4d7895320df66d01b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes) | 2025-09-17 | not yet calculated | CVE-2022-50367 | https://git.kernel.org/stable/c/d1ff475d7c83289d0a7faef346ea3bbf90818bad https://git.kernel.org/stable/c/c0aa76b0f17f59dd9c9d3463550a2986a1d592e4 https://git.kernel.org/stable/c/ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48 https://git.kernel.org/stable/c/70e4f70d54e0225f91814e8610477d65f33cefe4 https://git.kernel.org/stable/c/1e555c3ed1fce4b278aaebe18a64a934cece57d8 https://git.kernel.org/stable/c/64b79e632869ad3ef6c098a4731d559381da1115 https://git.kernel.org/stable/c/81de80330fa6907aec32eb54c5619059e6e36452 https://git.kernel.org/stable/c/2a96b532098284ecf8e4849b8b9e5fc7a28bdee9 https://git.kernel.org/stable/c/2e488f13755ffbb60f307e991b27024716a33b29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: fix memory corruption with too many bridges Add the missing sanity check on the bridge counter to avoid corrupting data beyond the fixed-sized bridge array in case there are ever more than eight bridges. Patchwork: https://patchwork.freedesktop.org/patch/502668/ | 2025-09-17 | not yet calculated | CVE-2022-50368 | https://git.kernel.org/stable/c/4e5587cddb334f7a5bb1c49ea8bbfc966fafe1b8 https://git.kernel.org/stable/c/f649ed0e1b7a1545f8e27267d3c468b3cb222ece https://git.kernel.org/stable/c/21c4679af01f1027cb559330c2e7d410089b2b36 https://git.kernel.org/stable/c/9f035d1fb30648fe70ee01627eb131c56d699b35 https://git.kernel.org/stable/c/e83b354890a3c1d5256162f87a6cc38c47ae7f20 https://git.kernel.org/stable/c/2e786eb2f9cebb07e317226b60054df510b60c65 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix null-ptr-deref in vkms_release() A null-ptr-deref is triggered when it tries to destroy the workqueue in vkms->output.composer_workq in vkms_release(). KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] CPU: 5 PID: 17193 Comm: modprobe Not tainted 6.0.0-11331-gd465bff130bf #24 RIP: 0010:destroy_workqueue+0x2f/0x710 ... Call Trace: <TASK> ? vkms_config_debugfs_init+0x50/0x50 [vkms] __devm_drm_dev_alloc+0x15a/0x1c0 [drm] vkms_init+0x245/0x1000 [vkms] do_one_initcall+0xd0/0x4f0 do_init_module+0x1a4/0x680 load_module+0x6249/0x7110 __do_sys_finit_module+0x140/0x200 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The reason is that an OOM happened which triggers the destroy of the workqueue, however, the workqueue is alloced in the later process, thus a null-ptr-deref happened. A simple call graph is shown as below: vkms_init() vkms_create() devm_drm_dev_alloc() __devm_drm_dev_alloc() devm_drm_dev_init() devm_add_action_or_reset() devm_add_action() # an error happened devm_drm_dev_init_release() drm_dev_put() kref_put() drm_dev_release() vkms_release() destroy_workqueue() # null-ptr-deref happened vkms_modeset_init() vkms_output_init() vkms_crtc_init() # where the workqueue get allocated Fix this by checking if composer_workq is NULL before passing it to the destroy_workqueue() in vkms_release(). | 2025-09-17 | not yet calculated | CVE-2022-50369 | https://git.kernel.org/stable/c/0b8f390e2251191f1b179cc87f65d54c96565f0d https://git.kernel.org/stable/c/1f9836f95271e7acf016667eee0aeae3386f9645 https://git.kernel.org/stable/c/596f1ba3987e601e31a5abf1f75ce1d2635aceac https://git.kernel.org/stable/c/57031c474c3a920ea73afeb5dc352e537f5793ee https://git.kernel.org/stable/c/2fe2a8f40c21161ffe7653cc234e7934db5b7cc5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: designware: Fix handling of real but unexpected device interrupts Commit c7b79a752871 ("mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI IDs") caused a regression on certain Gigabyte motherboards for Intel Alder Lake-S where system crashes to NULL pointer dereference in i2c_dw_xfer_msg() when system resumes from S3 sleep state ("deep"). I was able to debug the issue on Gigabyte Z690 AORUS ELITE and made following notes: - Issue happens when resuming from S3 but not when resuming from "s2idle" - PCI device 00:15.0 == i2c_designware.0 is already in D0 state when system enters into pci_pm_resume_noirq() while all other i2c_designware PCI devices are in D3. Devices were runtime suspended and in D3 prior entering into suspend - Interrupt comes after pci_pm_resume_noirq() when device interrupts are re-enabled - According to register dump the interrupt really comes from the i2c_designware.0. Controller is enabled, I2C target address register points to a one detectable I2C device address 0x60 and the DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and TX_EMPTY bits are set indicating completed I2C transaction. My guess is that the firmware uses this controller to communicate with an on-board I2C device during resume but does not disable the controller before giving control to an operating system. I was told the UEFI update fixes this but nevertheless it revealed the driver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device is supposed to be idle and state variables are not set (especially the dev->msgs pointer which may point to NULL or stale old data). Introduce a new software status flag STATUS_ACTIVE indicating when the controller is active in driver point of view. Now treat all interrupts that occur when is not set as unexpected and mask all interrupts from the controller. | 2025-09-17 | not yet calculated | CVE-2022-50370 | https://git.kernel.org/stable/c/7fa5304c4b5b425d4a0b3acf10139a7f6108a85f https://git.kernel.org/stable/c/a206f7fbe9589c60fafad12884628c909ecb042f https://git.kernel.org/stable/c/aa59ac81e859006d3a1df035a19b3f2089110f93 https://git.kernel.org/stable/c/301c8f5c32c8fb79c67539bc23972dc3ef48024c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: led: qcom-lpg: Fix sleeping in atomic lpg_brighness_set() function can sleep, while led's brightness_set() callback must be non-blocking. Change LPG driver to use brightness_set_blocking() instead. BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0 preempt_count: 101, expected: 0 INFO: lockdep is turned off. CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.1.0-rc1-00014-gbe99b089c6fc-dirty #85 Hardware name: Qualcomm Technologies, Inc. DB820c (DT) Call trace: dump_backtrace.part.0+0xe4/0xf0 show_stack+0x18/0x40 dump_stack_lvl+0x88/0xb4 dump_stack+0x18/0x34 __might_resched+0x170/0x254 __might_sleep+0x48/0x9c __mutex_lock+0x4c/0x400 mutex_lock_nested+0x2c/0x40 lpg_brightness_single_set+0x40/0x90 led_set_brightness_nosleep+0x34/0x60 led_heartbeat_function+0x80/0x170 call_timer_fn+0xb8/0x340 __run_timers.part.0+0x20c/0x254 run_timer_softirq+0x3c/0x7c _stext+0x14c/0x578 ____do_softirq+0x10/0x20 call_on_irq_stack+0x2c/0x5c do_softirq_own_stack+0x1c/0x30 __irq_exit_rcu+0x164/0x170 irq_exit_rcu+0x10/0x40 el1_interrupt+0x38/0x50 el1h_64_irq_handler+0x18/0x2c el1h_64_irq+0x64/0x68 cpuidle_enter_state+0xc8/0x380 cpuidle_enter+0x38/0x50 do_idle+0x244/0x2d0 cpu_startup_entry+0x24/0x30 rest_init+0x128/0x1a0 arch_post_acpi_subsys_init+0x0/0x18 start_kernel+0x6f4/0x734 __primary_switched+0xbc/0xc4 | 2025-09-17 | not yet calculated | CVE-2022-50371 | https://git.kernel.org/stable/c/9deba7b51d5ee7a2d93fabb69f9b8189241f90e3 https://git.kernel.org/stable/c/380304391fa7fb084745f26b4b9a59f4666520c1 https://git.kernel.org/stable/c/3031993b3474794ecb71b6f969a3e60e4bda9d8a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory leak when build ntlmssp negotiate blob failed There is a memory leak when mounting cifs. When building the ntlmssp negotiate blob fails, the session setup request should be freed. | 2025-09-17 | not yet calculated | CVE-2022-50372 | https://git.kernel.org/stable/c/fa5a70bdd5e565c8696fb04dfe18a4e8aff4695d https://git.kernel.org/stable/c/30b2d7f8f13664655480d6af45f60270b3eb6736 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix race in lowcomms This patch fixes a race between queue_work() in _dlm_lowcomms_commit_msg() and srcu_read_unlock(). The queue_work() can take the final reference of a dlm_msg and so msg->idx can contain garbage which is signaled by a warning. I reproduced this warning with the dlm_locktorture test which is currently not upstream. However this patch fixes the issue by making an additional refcount between dlm_lowcomms_new_msg() and dlm_lowcomms_commit_msg(). In case of the race the kref_put() in dlm_lowcomms_commit_msg() will be the final put. | 2025-09-17 | not yet calculated | CVE-2022-50373 | https://git.kernel.org/stable/c/27d3e646dd83bafd7094890462eebfce3ac31e4a https://git.kernel.org/stable/c/eb97e60a9eae632ff9104a580dbc4fdc58dc23cb https://git.kernel.org/stable/c/de7fdff754bb4d01e38e19964c309b6df6a79472 https://git.kernel.org/stable/c/30ea3257e8766027c4d8d609dcbd256ff9a76073 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1], for rcu_sync_enter() is called without rcu_sync_init() due to hci_uart_tty_open() ignoring percpu_init_rwsem() failure. While we are at it, fix that hci_uart_register_device() ignores percpu_init_rwsem() failure and hci_uart_unregister_device() does not call percpu_free_rwsem(). | 2025-09-17 | not yet calculated | CVE-2022-50374 | https://git.kernel.org/stable/c/d7cc0d51ffcbfd1caaa809fcf9cff05c46d0fb4d https://git.kernel.org/stable/c/b8917dce2134739b39bc0a5648b18427f2cad569 https://git.kernel.org/stable/c/75b2c71ea581c7bb1303860d89366a42ad0506d2 https://git.kernel.org/stable/c/98ce10f3f345e61fc6c83bff9cd11cda252b05ac https://git.kernel.org/stable/c/3124d320c22f3f4388d9ac5c8f37eaad0cefd6b1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can still occur which in turn tries to access dma apis if lpuart_dma_tx_use flag is true. At this point since dma is torn down, these dma apis can abort. Set lpuart_dma_tx_use and the corresponding rx flag lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not accessed after they are relinquished. Otherwise, when trying to kill btattach, the kernel may panic. This patch may fix this issue. | 2025-09-18 | not yet calculated | CVE-2022-50375 | https://git.kernel.org/stable/c/29b897ac7b990882c74bd08605692214e7e58b83 https://git.kernel.org/stable/c/9a56ade124d4891a31ab1300c57665f07f5b24d5 https://git.kernel.org/stable/c/c4293def8860fd587a84400ccba5b49cec56e2c3 https://git.kernel.org/stable/c/d554c14eb73ee91d76fc9aece4616f0b687c295d https://git.kernel.org/stable/c/3953e7f261e2f4d9c35f0c025df9f166f46aa626 https://git.kernel.org/stable/c/316ae95c175a7d770d1bfe4c011192712f57aa4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() When inserting and removing the orangefs module, memory is leaked. Use the global variable as the buffer rather than dynamic allocation to solve the problem. | 2025-09-18 | not yet calculated | CVE-2022-50376 | https://git.kernel.org/stable/c/bdc2d33fa2324b1f5ab5b701cda45ee0b2384409 https://git.kernel.org/stable/c/a076490b0211990ec6764328c22cb744dd782bd9 https://git.kernel.org/stable/c/c8853267289c55b1acbe4dc3641374887584834d https://git.kernel.org/stable/c/786e5296f9e3b045d5ff9098514ce7b8ba1d890d https://git.kernel.org/stable/c/0cd303aad220fafa595e0ed593e99aa51b90412b https://git.kernel.org/stable/c/31720a2b109b3080eb77e97b8f6f50a27b4ae599 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/meson: reorder driver deinit sequence to fix use-after-free bug Unloading the driver triggers a KASAN warning. ---truncated--- | 2025-09-18 | not yet calculated | CVE-2022-50378 | https://git.kernel.org/stable/c/d76ff04a72f90767455059c8239b06042cd0ed23 https://git.kernel.org/stable/c/9190d287f7a6b02b50b510045b0edf448ed68e88 https://git.kernel.org/stable/c/9d33348513c36337f91f1991da23f41514d4de39 https://git.kernel.org/stable/c/31c519981eb141c7ec39bfd5be25d35f02edb868 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between quota enable and quota rescan ioctl When enabling quotas, at btrfs_quota_enable(), after committing the transaction, we change fs_info->quota_root to point to the quota root we created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try to start the qgroup rescan worker, first by initializing it with a call to qgroup_rescan_init() - however if that fails we end up freeing the quota root but we leave fs_info->quota_root still pointing to it, this can later result in a use-after-free somewhere else. We have previously set the flags BTRFS_FS_QUOTA_ENABLED and BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at btrfs_quota_enable(), which is possible if someone already called the quota rescan ioctl, and therefore started the rescan worker. So fix this by ignoring an -EINPROGRESS and asserting we can't get any other error. | 2025-09-18 | not yet calculated | CVE-2022-50379 | https://git.kernel.org/stable/c/c97f6d528c3f1c83a6b792a8a7928c236c80b8fe https://git.kernel.org/stable/c/26b7c0ac49a3eea15559c9d84863736a6d1164b4 https://git.kernel.org/stable/c/47b5ffe86332af95f0f52be0a63d4da7c2b37b55 https://git.kernel.org/stable/c/4b996a3014ef014af8f97b60c35f5289210a4720 https://git.kernel.org/stable/c/0efd9dfc00d677a1d0929319a6103cb2dfc41c22 https://git.kernel.org/stable/c/6c22f86dd221eba0c7af645b1af73dcbc04ee27b https://git.kernel.org/stable/c/331cd9461412e103d07595a10289de90004ac890 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: /proc/pid/smaps_rollup: fix no vma's null-deref Commit 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value seq_file") introduced a null-deref if there are no vma's in the task in show_smaps_rollup. | 2025-09-18 | not yet calculated | CVE-2022-50380 | https://git.kernel.org/stable/c/33fc9e26b7cb39f0d4219c875a2451802249c225 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md: fix a crash in mempool_free There's a crash in mempool_free when running the lvm test shell/lvchange-rebuild-raid.sh. The reason for the crash is this: * super_written calls atomic_dec_and_test(&mddev->pending_writes) and wake_up(&mddev->sb_wait). Then it calls rdev_dec_pending(rdev, mddev) and bio_put(bio). * so, the process that waited on sb_wait and that is woken up is racing with bio_put(bio). * if the process wins the race, it calls bioset_exit before bio_put(bio) is executed. * bio_put(bio) attempts to free a bio into a destroyed bio set - causing a crash in mempool_free. We fix this bug by moving bio_put before atomic_dec_and_test. We also move rdev_dec_pending before atomic_dec_and_test as suggested by Neil Brown. The function md_end_flush has a similar bug - we must call bio_put before we decrement the number of in-progress bios. | 2025-09-18 | not yet calculated | CVE-2022-50381 | https://git.kernel.org/stable/c/732cd66ec19a17f2b9183d7d5b7bdb9c39b0776e https://git.kernel.org/stable/c/cf06b162f5b6337b688072a1a47941280b8f7110 https://git.kernel.org/stable/c/b5be563b4356b3089b3245d024cae3f248ba7090 https://git.kernel.org/stable/c/384ef33d37cefb2ac539d44597d03f06c9b8975c https://git.kernel.org/stable/c/ae7793027766491c5f8635b12d15a5940d3b8698 https://git.kernel.org/stable/c/91bd504128a51776472445070e11a3b0f9348c90 https://git.kernel.org/stable/c/842f222fc42a9239831e15b1fd49a51c546902cb https://git.kernel.org/stable/c/97ce99984be12b9acb49ddce0f5d8ebb037adbb6 https://git.kernel.org/stable/c/341097ee53573e06ab9fc675d96a052385b851fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: padata: Always leave BHs disabled when running ->parallel() A deadlock can happen when an overloaded system runs ->parallel() in the context of the current task: padata_do_parallel ->parallel() pcrypt_aead_enc/dec padata_do_serial spin_lock(&reorder->lock) // BHs still enabled <interrupt> ... __do_softirq ... padata_do_serial spin_lock(&reorder->lock) It's a bug for BHs to be on in _do_serial as Steffen points out, so ensure they're off in the "current task" case like they are in padata_parallel_worker to avoid this situation. | 2025-09-18 | not yet calculated | CVE-2022-50382 | https://git.kernel.org/stable/c/8e0681dd4eee029eb1d533d06993f7cb091efb73 https://git.kernel.org/stable/c/17afa98bccec4f52203508b3f49b5f948c6fd6ac https://git.kernel.org/stable/c/7337adb20fcc0aebb50eaff2bc5a8dd9a7c6743d https://git.kernel.org/stable/c/6cfa9e60c0f88fdec6368e081ab968411cc706b1 https://git.kernel.org/stable/c/34c3a47d20ae55b3600fed733bf96eafe9c500d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Can't set dst buffer to done when lat decode error Core thread will call v4l2_m2m_buf_done to set dst buffer done for lat architecture. If lat calls v4l2_m2m_buf_done_and_job_finish to free the dst buffer on a lat decode error, the core thread will hit a kernel NULL pointer dereference and crash. | 2025-09-18 | not yet calculated | CVE-2022-50383 | https://git.kernel.org/stable/c/eeb090420f3477eb5011586709409fc655c2b16c https://git.kernel.org/stable/c/66d26ed30056e7d2da3e9c14125ffe6049a4f907 https://git.kernel.org/stable/c/3568ecd3f3a6d133ab7feffbba34955c8c79bbc4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: vme_user: Fix possible UAF in tsi148_dma_list_add Smatch reports a warning as follows: drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: '&entry->list' not removed from list In tsi148_dma_list_add(), the error path "goto err_dma" will not remove entry->list from list->entries, but entry will be freed, then list traversal may cause UAF. Fix by removing it from list->entries before free(). | 2025-09-18 | not yet calculated | CVE-2022-50384 | https://git.kernel.org/stable/c/5cc4eea715a3fcf4e516662f736dfee63979465f https://git.kernel.org/stable/c/51c0ad3b7c5b01f9314758335a13f157b05fa56d https://git.kernel.org/stable/c/e6b0adff99edf246ba1f8d464530a0438cb1cbda https://git.kernel.org/stable/c/a45ba33d398a821147d7e5f16ead7eb125e331e2 https://git.kernel.org/stable/c/5d2b286eb034af114f67d9967fc3fbc1829bb712 https://git.kernel.org/stable/c/1f5661388f43df3ac106ce93e67d8d22b16a78ff https://git.kernel.org/stable/c/cf138759a7e92c75cfc1b7ba705e4108fe330edf https://git.kernel.org/stable/c/85db68fc901da52314ded80aace99f8b684c7815 https://git.kernel.org/stable/c/357057ee55d3c99a5de5abe8150f7bca04f8e53b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix an Oops in nfs_d_automount() When mounting from a NFSv4 referral, path->dentry can end up being a negative dentry, so derive the struct nfs_server from the dentry itself instead. | 2025-09-18 | not yet calculated | CVE-2022-50385 | https://git.kernel.org/stable/c/5458bc0f9df639d83471ca384152cc62dbee0aeb https://git.kernel.org/stable/c/f12377abac15fb4e8698225ac386894f8ae63598 https://git.kernel.org/stable/c/b6fd25d64b0de27991d6bd677f0adf69ad6ff07a https://git.kernel.org/stable/c/6f3d56783fbed861e483736a7001bdafd0dddd53 https://git.kernel.org/stable/c/35e3b6ae84935d0d7ff76cbdaa83411b0ad5e471 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix user-after-free This uses l2cap_chan_hold_unless_zero() after calling __l2cap_get_chan_blah() to prevent the following trace: Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref) Bluetooth: chan 0000000023c4974d Bluetooth: parent 00000000ae861c08 ================================================================== BUG: KASAN: use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline] BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:671 [inline] BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729 Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389 | 2025-09-18 | not yet calculated | CVE-2022-50386 | https://git.kernel.org/stable/c/11e40d6c0823f699d8ad501e48d1c3ae4be386cd https://git.kernel.org/stable/c/843fc4e386dd84b806a7f07fb062d8c3a44e5364 https://git.kernel.org/stable/c/d91fc2836562f299f34e361e089e9fe154da4f73 https://git.kernel.org/stable/c/7d6f9cb24d2b2f6b6370eac074e2e6b1bafdad45 https://git.kernel.org/stable/c/0c108cf3ad386e0084277093b55a351c49e0be27 https://git.kernel.org/stable/c/d1e894f950ad48897d1a7cb05909ea29d8c3810e https://git.kernel.org/stable/c/6ffde6e03085874ae22263ff4cef4869f797e84f https://git.kernel.org/stable/c/15fc21695eb606bdc5d483b92118ee42610a952d https://git.kernel.org/stable/c/35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hinic: fix the issue of CMDQ memory leaks When hinic_set_cmdq_depth() fails in hinic_init_cmdqs(), the cmdq memory is not released correctly. Fix it. | 2025-09-18 | not yet calculated | CVE-2022-50387 | https://git.kernel.org/stable/c/6603843c80b16957f5d7d14d897faf13cef2b8b9 https://git.kernel.org/stable/c/6016d96a6adf66d61655d85da02e1a4c1deccbd6 https://git.kernel.org/stable/c/9145d512ddff76df88832b29575488199df544a1 https://git.kernel.org/stable/c/363cc87767f6ddcfb9158ad2e2afa2f8d5c4b94e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme: fix multipath crash caused by flush request when blktrace is enabled The flush request initialized by blk_kick_flush has NULL bio, and it may be dealt with nvme_end_req during io completion. When blktrace is enabled, nvme_trace_bio_complete with multipath activated trying to access NULL pointer bio from flush request results in a crash. To avoid this situation, add a NULL check for req->bio before calling trace_block_bio_complete. | 2025-09-18 | not yet calculated | CVE-2022-50388 | https://git.kernel.org/stable/c/f13301a69ababa6c2236fb4f0393b7e914e7e1e0 https://git.kernel.org/stable/c/4df413d46960f11c8c105238cfc3f5ff4c95c003 https://git.kernel.org/stable/c/fcd2d199486033223e9b2a6a7f9a01dd0327eac3 https://git.kernel.org/stable/c/183c2aaef40a91acbaae45c3824d6cde7bb62b10 https://git.kernel.org/stable/c/3659fb5ac29a5e6102bebe494ac789fd47fb78f4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak In crb_acpi_add(), we get the TPM2 table to retrieve information like start method, and then assign them to the priv data, so the TPM2 table is not used after the init and should be freed. Call acpi_put_table() to fix the memory leak. | 2025-09-18 | not yet calculated | CVE-2022-50389 | https://git.kernel.org/stable/c/08fd965521d0e172d540cf945517810895fcb199 https://git.kernel.org/stable/c/1af2232b13837ce0f3a082b9f43735b09aafc367 https://git.kernel.org/stable/c/927860dfa161ae8392a264197257dbdc52b26b0f https://git.kernel.org/stable/c/0bd9b4be721c776f77adcaf34105dfca3007ddb9 https://git.kernel.org/stable/c/986cd9a9b95423e35a2cbb8e9105aec0e0d7f337 https://git.kernel.org/stable/c/2fcd3dc8b97a14f1672729c86b7041a1a89b052a https://git.kernel.org/stable/c/b0785edaf649e5f04dc7f75533e810f4c00e4106 https://git.kernel.org/stable/c/37e90c374dd11cf4919c51e847c6d6ced0abc555 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26 left shift of 1 by 31 places cannot be represented in type 'int' | 2025-09-18 | not yet calculated | CVE-2022-50390 | https://git.kernel.org/stable/c/2ff0309b73d86e8591881ac035af06e01c112e89 https://git.kernel.org/stable/c/6528971fdce0dfc0a28fec42c151a1eccdabadf5 https://git.kernel.org/stable/c/387659939c00156f8d6bab0fbc55b4eaf2b6bc5b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix memory leak in set_mempolicy_home_node system call When encountering any vma in the range with policy other than MPOL_BIND or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put on the policy just allocated with mpol_dup(). This allows arbitrary users to leak kernel memory. | 2025-09-18 | not yet calculated | CVE-2022-50391 | https://git.kernel.org/stable/c/4ca0eb6b2f3add8c5daefb726ce57dc95d103d33 https://git.kernel.org/stable/c/0ce4cc6d269ddc448a825955b495f662f5d9e153 https://git.kernel.org/stable/c/38ce7c9bdfc228c14d7621ba36d3eebedd9d4f76 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8183: fix refcount leak in mt8183_mt6358_ts3a227_max98357_dev_probe() The node returned by of_parse_phandle() with refcount incremented, of_node_put() needs be called when finish using it. So add it in the error path in mt8183_mt6358_ts3a227_max98357_dev_probe(). | 2025-09-18 | not yet calculated | CVE-2022-50392 | https://git.kernel.org/stable/c/82f7c814edda353b4781f356d3ab90e943d5eac4 https://git.kernel.org/stable/c/574bd4d14a9297a1c69ad41001caf00fdd17d305 https://git.kernel.org/stable/c/156b0c19c1a44153e34cfdfa5937546a93dcb288 https://git.kernel.org/stable/c/38eef3be38ab895959c442702864212cc3beb96c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: SDMA update use unlocked iterator SDMA update page table may be called from unlocked context, this generate below warning. Use unlocked iterator to handle this case. WARNING: CPU: 0 PID: 1475 at drivers/dma-buf/dma-resv.c:483 dma_resv_iter_next Call Trace: dma_resv_iter_first+0x43/0xa0 amdgpu_vm_sdma_update+0x69/0x2d0 [amdgpu] amdgpu_vm_ptes_update+0x29c/0x870 [amdgpu] amdgpu_vm_update_range+0x2f6/0x6c0 [amdgpu] svm_range_unmap_from_gpus+0x115/0x300 [amdgpu] svm_range_cpu_invalidate_pagetables+0x510/0x5e0 [amdgpu] __mmu_notifier_invalidate_range_start+0x1d3/0x230 unmap_vmas+0x140/0x150 unmap_region+0xa8/0x110 | 2025-09-18 | not yet calculated | CVE-2022-50393 | https://git.kernel.org/stable/c/b892c57a3a04c8de247ab9ee08a0a8cf53290e19 https://git.kernel.org/stable/c/4ff3d517cebe8a29b9f3c302b5292bb1ce291e00 https://git.kernel.org/stable/c/3913f0179ba366f7d7d160c506ce00de1602bbc4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: ismt: Fix an out-of-bounds bug in ismt_access() When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug. The following log can reveal it: [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 [ 34.004007] i2c_smbus_xfer+0x10a/0x390 [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 [ 34.005196] i2cdev_ioctl+0x5ec/0x74c Fix this bug by checking the size of 'data->block[0]' first. | 2025-09-18 | not yet calculated | CVE-2022-50394 | https://git.kernel.org/stable/c/4a7bb1d93addb2f67e36fed00a53cb7f270d7b7a https://git.kernel.org/stable/c/03b7ef7a6c5ca1ff553470166b4919db88b810f6 https://git.kernel.org/stable/c/bfe41d966c860a8ad4c735639d616da270c92735 https://git.kernel.org/stable/c/cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd https://git.kernel.org/stable/c/9ac541a0898e8ec187a3fa7024b9701cffae6bf2 https://git.kernel.org/stable/c/96c12fd0ec74641295e1c3c34dea3dce1b6c3422 https://git.kernel.org/stable/c/a642469d464b2780a25a49b51ae56623c65eac34 https://git.kernel.org/stable/c/233348a04becf133283f0076e20b317302de21d9 https://git.kernel.org/stable/c/39244cc754829bf707dccd12e2ce37510f5b1f8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: integrity: Fix memory leakage in keyring allocation error path Key restriction is allocated in integrity_init_keyring(). However, if keyring allocation failed, it is not freed, causing memory leaks. | 2025-09-18 | not yet calculated | CVE-2022-50395 | https://git.kernel.org/stable/c/9b7c44885a07c5ee7f9bf3aa3c9c72fb110c8d22 https://git.kernel.org/stable/c/3bd737289c26be3cee4b9afaf61ef784a2af9d6e https://git.kernel.org/stable/c/29d6c69ba4b96a1de0376e44e5f8b38b13ec8803 https://git.kernel.org/stable/c/57e49ad12f8f5df0c48e1710c54b147a05a10c32 https://git.kernel.org/stable/c/c591c48842f08d30ec6b8416757831985ed9a315 https://git.kernel.org/stable/c/39419ef7af0916cc3620ecf1ed42d29659109bf3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: fix memory leak in tcindex_set_parms Syzkaller reports a memory leak as follows: Kernel uses tcindex_change() to change an existing filter properties. Yet the problem is that, during the process of changing, if `old_r` is retrieved from `p->perfect`, then kernel uses tcindex_alloc_perfect_hash() to newly allocate filter results, uses tcindex_filter_result_init() to clear the old filter result, without destroying its tcf_exts structure, which triggers the above memory leak. To be more specific, there are only two source for the `old_r`, according to the tcindex_lookup(). `old_r` is retrieved from `p->perfect`, or `old_r` is retrieved from `p->h`. * If `old_r` is retrieved from `p->perfect`, kernel uses tcindex_alloc_perfect_hash() to newly allocate the filter results. Then `r` is assigned with `cp->perfect + handle`, which is newly allocated. So condition `old_r && old_r != r` is true in this situation, and kernel uses tcindex_filter_result_init() to clear the old filter result, without destroying its tcf_exts structure * If `old_r` is retrieved from `p->h`, then `p->perfect` is NULL according to the tcindex_lookup(). Considering that `cp->h` is directly copied from `p->h` and `p->perfect` is NULL, `r` is assigned with `tcindex_lookup(cp, handle)`, whose value should be the same as `old_r`, so condition `old_r && old_r != r` is false in this situation, kernel ignores using tcindex_filter_result_init() to clear the old filter result. So only when `old_r` is retrieved from `p->perfect` does kernel use tcindex_filter_result_init() to clear the old filter result, which triggers the above memory leak. Considering that there already exists a tc_filter_wq workqueue to destroy the old tcindex_d ---truncated--- | 2025-09-18 | not yet calculated | CVE-2022-50396 | https://git.kernel.org/stable/c/55ac68b53f1cea1926ee2313afc5d66b91daad71 https://git.kernel.org/stable/c/b314f6c3512108d7a656c5caf07c82d1bbbdc0f1 https://git.kernel.org/stable/c/6c55953e232ea668731091d111066521f3b7719b https://git.kernel.org/stable/c/c4de6057e7c6654983acb63d939d26ac0d7bbf39 https://git.kernel.org/stable/c/facc4405e8b7407e03216207b1d1d640127de0c8 https://git.kernel.org/stable/c/399ab7fe0fa0d846881685fd4e57e9a8ef7559f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: reject zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at raw_sendmsg() for ieee802154 socket. What commit dc633700f00f726e ("net/af_packet: check len when min_header_len equals to 0") does also applies to ieee802154 socket. | 2025-09-18 | not yet calculated | CVE-2022-50397 | https://git.kernel.org/stable/c/03ac583eefc9bc980213c53a79abc32a5539756e https://git.kernel.org/stable/c/67cb80a9d2c83edac0e42aaa91ed4dd527cec284 https://git.kernel.org/stable/c/77bfd26cbb61a9f49ecb83729f0fd1352c17ddd8 https://git.kernel.org/stable/c/51d4260585cf36106d29dcefeafa09d9cd5972cf https://git.kernel.org/stable/c/55043e109f435472b0663fa2a4df1cc308a978ad https://git.kernel.org/stable/c/3a4d061c699bd3eedc80dc97a4b2a2e1af83c6f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: add atomic_check to bridge ops DRM commit_tails() will disable downstream crtc/encoder/bridge if both disable crtc is required and crtc->active is set before pushing a new frame downstream. There is a rare case that user space display manager issue an extra screen update immediately followed by close DRM device while down stream display interface is disabled. This extra screen update will timeout due to the downstream interface is disabled but will cause crtc->active be set. Hence the followed commit_tails() called by drm_release() will pass the disable downstream crtc/encoder/bridge conditions checking even downstream interface is disabled. This cause the crash to happen at dp_bridge_disable() due to it trying to access the main link register to push the idle pattern out while main link clocks is disabled. This patch adds atomic_check to prevent the extra frame will not be pushed down if display interface is down so that crtc->active will not be set neither. This will fail the conditions checking of disabling down stream crtc/encoder/bridge which prevent drm_release() from calling dp_bridge_disable() so that crash at dp_bridge_disable() prevented. There is no protection in the DRM framework to check if the display pipeline has been already disabled before trying again. The only check is the crtc_state->active but this is controlled by usermode using UAPI. Hence if the usermode sets this and then crashes, the driver needs to protect against double disable. ---truncated--- | 2025-09-18 | not yet calculated | CVE-2022-50398 | https://git.kernel.org/stable/c/d106b866439c63a618d020477bfbe7b46c759657 https://git.kernel.org/stable/c/3a661247967a6f3c99a95a8ba4c8073c5846ea4b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: atomisp: prevent integer overflow in sh_css_set_black_frame() The "height" and "width" values come from the user so the "height * width" multiplication can overflow. | 2025-09-18 | not yet calculated | CVE-2022-50399 | https://git.kernel.org/stable/c/a560aeac2f2d284903b5900774765d7fc61547bc https://git.kernel.org/stable/c/a549517e4b761f3940011db30320cb8c9badde54 https://git.kernel.org/stable/c/3ad290194bb06979367622e47357462836c1d3b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: greybus: audio_helper: remove unused and wrong debugfs usage In the greybus audio_helper code, the debugfs file for the dapm has the potential to be removed and memory will be leaked. There is also the very real potential for this code to remove ALL debugfs entries from the system, and it seems like this is what will really happen if this code ever runs. This all is very wrong as the greybus audio driver did not create this debugfs file, the sound core did and controls the lifespan of it. So remove all of the debugfs logic from the audio_helper code as there's no way it could be correct. If this really is needed, it can come back with a fixup for the incorrect usage of the debugfs_lookup() call which is what caused this to be noticed at all. | 2025-09-18 | not yet calculated | CVE-2022-50400 | https://git.kernel.org/stable/c/d0febad83e29d85bb66e4f5cac0115b022403338 https://git.kernel.org/stable/c/4dab0d27a4211a27135a6899d6c737e6e0759a11 https://git.kernel.org/stable/c/5699afbff1fa2972722e863906c0320d55dd4d58 https://git.kernel.org/stable/c/d835fa49d9589a780ff0d001bb7e6323238a4afb https://git.kernel.org/stable/c/d517cdeb904ddc0cbebcc959d43596426cac40b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure On error situation `clp->cl_cb_conn.cb_xprt` should not be given a reference to the xprt otherwise both client cleanup and the error handling path of the caller call to put it. Better to delay handing over the reference to a later branch. | 2025-09-18 | not yet calculated | CVE-2022-50401 | https://git.kernel.org/stable/c/707bcca9616002d204091ca7c4d1d91151104332 https://git.kernel.org/stable/c/15fc60aa5bdcf6d5f93000d3d00579fc67632ee0 https://git.kernel.org/stable/c/9b4ae8c42d2ff09ed7c5832ccce5684c55e5ed23 https://git.kernel.org/stable/c/fddac3b4578d302ac9e51e7f03a9aae6254ae2a3 https://git.kernel.org/stable/c/c1207219a4bfa50121c9345d5d165470d0a82531 https://git.kernel.org/stable/c/a472f069ced8601979f53c13c0cf20236074ed46 https://git.kernel.org/stable/c/e2f9f03e4537f3fcc8fd2bdd3248530c3477a371 https://git.kernel.org/stable/c/d843ebd860c58a38e45527e8ec6516059f4c97f3 https://git.kernel.org/stable/c/3bc8edc98bd43540dbe648e4ef91f443d6d20a24 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() Check the return value of md_bitmap_get_counter() in case it returns NULL pointer, which will result in a null pointer dereference. v2: update the check to include other dereference | 2025-09-18 | not yet calculated | CVE-2022-50402 | https://git.kernel.org/stable/c/21e9aac9a74d30907d44bae0d24c036cb3819406 https://git.kernel.org/stable/c/5d8d046f3dba939e74e2414f009df426700430ed https://git.kernel.org/stable/c/100caacfa0ed26e061954c90cdc835d42f709536 https://git.kernel.org/stable/c/b621d17fe8b079574c773800148fb86907f3445d https://git.kernel.org/stable/c/ff3b7e12bc9f50de05c9d82b5b79e23e5be888f1 https://git.kernel.org/stable/c/99bef41f8e8d1d52b5cb34f2f193f1346192752b https://git.kernel.org/stable/c/3bd548e5b819b8c0f2c9085de775c5c7bff9052f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix undefined behavior in bit shift for ext4_check_flag_values Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in fs/ext4/ext4.h:591:2 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: <TASK> dump_stack_lvl+0x7d/0xa5 dump_stack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c ext4_init_fs+0x5a/0x277 do_one_initcall+0x76/0x430 kernel_init_freeable+0x3b3/0x422 kernel_init+0x24/0x1e0 ret_from_fork+0x1f/0x30 </TASK> | 2025-09-18 | not yet calculated | CVE-2022-50403 | https://git.kernel.org/stable/c/dd5639d36a5e4e42fd0fe05cc0b2ad9ddd3fca9d https://git.kernel.org/stable/c/d7f93fc6fba8ff017be871be7edf8614a785ccad https://git.kernel.org/stable/c/743e9d708743d98464ccbd56e820d87dc6d1d629 https://git.kernel.org/stable/c/4690a4bdcf1470cb161aff1be30bd143b9dffd89 https://git.kernel.org/stable/c/f9cd6980800bbfd11bf94eb5f942049d4d4eaa52 https://git.kernel.org/stable/c/205ac16628aca9093931fcbdb4bcd00d0eb94132 https://git.kernel.org/stable/c/5da9e607547f73dc7a643f35b0487992fd66910f https://git.kernel.org/stable/c/7753d6657873a2523a9989e6c09090cd503bbcda https://git.kernel.org/stable/c/3bf678a0f9c017c9ba7c581541dbc8453452a7ae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: fbcon: release buffer when fbcon_do_set_font() failed syzbot is reporting memory leak at fbcon_do_set_font() [1], for commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") missed that the buffer might be newly allocated by fbcon_set_font(). | 2025-09-18 | not yet calculated | CVE-2022-50404 | https://git.kernel.org/stable/c/88ec6d11052da527eb9268831e7a9bc5bbad02f6 https://git.kernel.org/stable/c/06926607b9fddf7ce8017493899ce6eb7e79a123 https://git.kernel.org/stable/c/a609bfc1e644a8467cb31945ed1488374ebdc013 https://git.kernel.org/stable/c/3c3bfb8586f848317ceba5d777e11204ba3e5758 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/tunnel: wait until all sk_user_data reader finish before releasing the sock There is a race condition in vxlan that when deleting a vxlan device during receiving packets, there is a possibility that the sock is released after getting vxlan_sock vs from sk_user_data. Then in later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got NULL pointer dereference. Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh Fix this by waiting for all sk_user_data reader to finish before releasing the sock. | 2025-09-18 | not yet calculated | CVE-2022-50405 | https://git.kernel.org/stable/c/e8316584b0a6c61c9c407631040c22712b26e38c https://git.kernel.org/stable/c/84e566d157cc22ad2da8bdd970495855fbf13d92 https://git.kernel.org/stable/c/be34e79e0ae6adbf6e7e75ddaee9ad84795ab933 https://git.kernel.org/stable/c/303000c793f705d07b551eb7c1c27001c5b33c8d https://git.kernel.org/stable/c/91f09a776ae335ca836ed864b8f2a9461882a280 https://git.kernel.org/stable/c/9a6544343bba7da929d6d4a2dc44ec0f15970081 https://git.kernel.org/stable/c/b38aa7465411795e9e744b8d94633910497fec2a https://git.kernel.org/stable/c/588d0b8462f5ffed3e677e65639825b2678117ab https://git.kernel.org/stable/c/3cf7203ca620682165706f70a1b12b5194607dce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: iomap: fix memory corruption when recording errors during writeback Every now and then I see this crash on arm64: ---truncated--- | 2025-09-18 | not yet calculated | CVE-2022-50406 | https://git.kernel.org/stable/c/82c66c46f73b88be74c869e2cbfef45281adf3c6 https://git.kernel.org/stable/c/7308591d9c7787aec58f6a01a7823f14e90db7a2 https://git.kernel.org/stable/c/3d5f3ba1ac28059bdf7000cae2403e4e984308d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - increase the memory of local variables Increase the buffer to prevent stack overflow by fuzz test. The maximum length of the qos configuration buffer is 256 bytes. Currently, the value of the 'val buffer' is only 32 bytes. The sscanf does not check the dest memory length. So the 'val buffer' may stack overflow. | 2025-09-18 | not yet calculated | CVE-2022-50407 | https://git.kernel.org/stable/c/34c4f8ad45b4ea814c7ecc3f23a2d292959d5a52 https://git.kernel.org/stable/c/fc521abb6ee4b8f06fdfc52646140dab6a2ed334 https://git.kernel.org/stable/c/3efe90af4c0c46c58dba1b306de142827153d9c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() > ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); may be schedule, and then complete before the line > ndev->stats.tx_bytes += skb->len; ---truncated--- | 2025-09-18 | not yet calculated | CVE-2022-50408 | https://git.kernel.org/stable/c/1613a7b24f1a7467cb727ba3ec77c9a808383560 https://git.kernel.org/stable/c/d79f4d903e14dde822c60b5fd3bedc5a289d25df 
https://git.kernel.org/stable/c/49c742afd60f552fce7799287080db02bffe1db2 https://git.kernel.org/stable/c/e01d96494a9de0f48b1167f0494f6d929fa773ed https://git.kernel.org/stable/c/232d59eca07f6ea27307022a33d226aff373bd02 https://git.kernel.org/stable/c/27574a3f421c3a1694d0207f37c6bbf23d66978e https://git.kernel.org/stable/c/c369836cff98d3877f98c98e15c0151462812d96 https://git.kernel.org/stable/c/3f42faf6db431e04bf942d2ebe3ae88975723478 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Fixes the below NULL pointer dereference: [...] 
The test scenario has the following flow: (1) thread1: tcp_bpf_sendmsg → tcp_bpf_send_verdict → tcp_bpf_sendmsg_redir → tcp_bpf_push_locked → tcp_bpf_push → do_tcp_sendpages → sk_stream_wait_memory → sk_wait_event → release_sock(__sk); (2) thread2, concurrently: sock_close → __sock_release → sock->ops->release (inet_release) → sk->sk_prot->close (tcp_close); (3) thread2, between the points marked *** and **** in thread1: lock_sock(sk) → __tcp_close → sock_orphan(sk) → sk->sk_wq = NULL → release_sock; (4) thread1: lock_sock(__sk) → remove_wait_queue(sk_sleep(sk), &wait) → sk_sleep(sk), that is &rcu_dereference_raw(sk->sk_wq)->wait (NULL pointer dereference). While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This is caused by tcp_bpf_send_verdict not increasing the f_count of psock->sk_redir->sk_socket->file in thread1. We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue. | 2025-09-18 | not yet calculated | CVE-2022-50409 | https://git.kernel.org/stable/c/1f48ab20b80f39c0d85119243109d02946fde6d5 https://git.kernel.org/stable/c/5fe03917bb017d9af68a95f989f1c122eebc69a6 https://git.kernel.org/stable/c/a76462dbdd8bddcbeec9463bc9e54e509b860762 https://git.kernel.org/stable/c/65029aaedd15d9fe5ea1a899134e236d83f627bb https://git.kernel.org/stable/c/124b7c773271f06af5a2cea694b283cdb5275cf5 https://git.kernel.org/stable/c/35f5e70bdfa7432762ac4ffa75e5a7574ac5563e https://git.kernel.org/stable/c/435f5aa4421782af197b98d8525263977be4af5c https://git.kernel.org/stable/c/3f8ef65af927db247418d4e1db49164d7a158fc5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv2 READ Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply at the same time. Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large. A client can force this shrinkage on TCP by sending a correctly-formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case. | 2025-09-18 | not yet calculated | CVE-2022-50410 | https://git.kernel.org/stable/c/2007867c5874134f2271eb276398208070049dd3 https://git.kernel.org/stable/c/2be9331ca6061bc6ea32247266f45b8b21030244 https://git.kernel.org/stable/c/ea4c3eee0fd72fcedaa238556044825639cd3607 https://git.kernel.org/stable/c/1868332032eccbab8c1878a0d918193058c0a905 https://git.kernel.org/stable/c/401bc1f90874280a80b93f23be33a0e7e2d1f912 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix error code path in acpi_ds_call_control_method() A use-after-free in acpi_ps_parse_aml() after a failing invocation of acpi_ds_call_control_method() is reported by KASAN [1] and code inspection reveals that next_walk_state pushed to the thread by acpi_ds_create_walk_state() is freed on errors, but it is not popped from the thread beforehand. Thus acpi_ds_get_current_walk_state() called by acpi_ps_parse_aml() subsequently returns it as the new walk state which is incorrect. To address this, make acpi_ds_call_control_method() call acpi_ds_pop_walk_state() to pop next_walk_state from the thread before returning an error. | 2025-09-18 | not yet calculated | CVE-2022-50411 | https://git.kernel.org/stable/c/38e251d356a01b61a86cb35213cafd7e8fe7090c https://git.kernel.org/stable/c/f520d181477ec29a496c0b3bbfbdb7e2606c2713 https://git.kernel.org/stable/c/2deb42c4f9776e59bee247c14af9c5e8c05ca9a6 https://git.kernel.org/stable/c/9ef353c92f9d04c88de3af1a46859c1fb76db0f8 https://git.kernel.org/stable/c/b0b83d3f3ffa96e8395c56b83d6197e184902a34 https://git.kernel.org/stable/c/5777432ebaaf797e24f059979b42df3139967163 https://git.kernel.org/stable/c/0462fec709d51762ba486245bc344f44cc6cfa97 https://git.kernel.org/stable/c/799881db3e03b5e98fe6a900d9d7de8c7d61e7ee https://git.kernel.org/stable/c/404ec60438add1afadaffaed34bb5fe4ddcadd40 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: bridge: adv7511: unregister cec i2c device after cec adapter cec_unregister_adapter() assumes that the underlying adapter ops are callable. For example, if the CEC adapter currently has a valid physical address, then the unregistration procedure will invalidate the physical address by setting it to f.f.f.f. Whence the following kernel oops observed after removing the adv7511 module: Protect against this scenario by unregistering i2c_cec after unregistering the CEC adapter. Duly disable the CEC clock afterwards too. | 2025-09-18 | not yet calculated | CVE-2022-50412 | https://git.kernel.org/stable/c/3747465c5da7a11957a34bbb9485d9fc253b91cc https://git.kernel.org/stable/c/f369fb4deed7ab997cfa703dc85ec08b3adc1af8 https://git.kernel.org/stable/c/4d4d5bc659206b187263190ad9a03513f625659d https://git.kernel.org/stable/c/86ae5170786aea3e1751123ca55700fb9b37b623 https://git.kernel.org/stable/c/40cdb02cb9f965732eb543d47f15bef8d10f0f5f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix use-after-free We've already freed the assoc_data at this point, so need to use another copy of the AP (MLD) address instead. | 2025-09-18 | not yet calculated | CVE-2022-50413 | https://git.kernel.org/stable/c/aebef10affe16228462af680b88751bf137e2856 https://git.kernel.org/stable/c/40fb87129049ec5876dabf4a4d4aed6642b31f1a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed &fcoe_sw_transport on fcoe_transports list. This causes panic when reinserting module. BUG: unable to handle page fault for address: fffffbfff82e2213 RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe] Call Trace: <TASK> do_one_initcall+0xd0/0x4e0 load_module+0x5eee/0x7210 ... | 2025-09-18 | not yet calculated | CVE-2022-50414 | https://git.kernel.org/stable/c/d581303d6f8d4139513105d73dd65f26c6707160 https://git.kernel.org/stable/c/b5cc59470df64f26ad397dbb71cbf130cf489edf https://git.kernel.org/stable/c/cf74d1197c0e3d2f353faa333e9e2847c73713f1 https://git.kernel.org/stable/c/be5f1a82ad6056db22c86005dc4cac22a20deeef https://git.kernel.org/stable/c/22e8c7a56bb1cd2ed0beaaccb34282ac9cbbe27e https://git.kernel.org/stable/c/09a60f908d8b6497f618113b7c3c31267dc90911 https://git.kernel.org/stable/c/1dc499c615aa87dc46a3f2d1f91d2d358e55f3e3 https://git.kernel.org/stable/c/aef82d16be5a353d913163f26fc4385e296be2b8 https://git.kernel.org/stable/c/4155658cee394b22b24c6d64e49247bf26d95b92 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: parisc: led: Fix potential null-ptr-deref in start_task() start_task() calls create_singlethread_workqueue() and does not check the ret value, which may be NULL. And a null-ptr-deref may happen: start_task() create_singlethread_workqueue() # failed, led_wq is NULL queue_delayed_work() queue_delayed_work_on() __queue_delayed_work() # warning here, but continue __queue_work() # access wq->flags, null-ptr-deref Check the ret value and return -ENOMEM if it is NULL. | 2025-09-18 | not yet calculated | CVE-2022-50415 | https://git.kernel.org/stable/c/c6db0c32f39684c89c97bc1ba1c9c4249ca09e48 https://git.kernel.org/stable/c/fc6d0f65f22040c6cc8a5ce032bf90252629de50 https://git.kernel.org/stable/c/fc307b2905a3dd75c50a53b4d87ac9c912fb7c4e https://git.kernel.org/stable/c/5e4500454d75dd249be4695d83afa3ba0724c37e https://git.kernel.org/stable/c/3505c187b86136250b39e62c72a3a70435277af6 https://git.kernel.org/stable/c/ac838c663ba1fd6bff35a817fd89a47ab55e88e0 https://git.kernel.org/stable/c/77f8b628affaec692d83ad8bfa3520db8a0cc493 https://git.kernel.org/stable/c/67c98fec87ed76b1feb2ae810051afd88dfa9df6 https://git.kernel.org/stable/c/41f563ab3c33698bdfc3403c7c2e6c94e73681e4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init() If of_iomap() failed, 'aic' should be freed before return. Otherwise there is a memory leak. | 2025-09-18 | not yet calculated | CVE-2022-50416 | https://git.kernel.org/stable/c/740efb64ca5e8f2b30ac843bc4ab07950479fed4 https://git.kernel.org/stable/c/bcbcb396e1a8bd4dcaabfb0d5b98abae70880470 https://git.kernel.org/stable/c/773c9d7f127f7a599d42ceed831de69f5aa22f03 https://git.kernel.org/stable/c/4208d4faf36573a507b5e5de17abe342e9276759 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix GEM handle creation ref-counting panfrost_gem_create_with_handle() previously returned a BO but with the only reference being from the handle, which user space could in theory guess and release, causing a use-after-free. Additionally if the call to panfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then a(nother) reference on the BO was dropped. The _create_with_handle() is a problematic pattern, so ditch it and instead create the handle in panfrost_ioctl_create_bo(). If the call to panfrost_gem_mapping_get() fails then this means that user space has indeed gone behind our back and freed the handle. In which case just return an error code. | 2025-09-18 | not yet calculated | CVE-2022-50417 | https://git.kernel.org/stable/c/0b70f6ea4d4f2b4d4b291d86ab76b4d07394932c https://git.kernel.org/stable/c/4f1105ee72d8c7c35d90e3491b31b2d9d6b7e33a https://git.kernel.org/stable/c/3f9feffa8a5ab08b4e298a27b1aa7204a7d42ca2 https://git.kernel.org/stable/c/ba3d2c2380e7129b525a787489c0b7e819a3b898 https://git.kernel.org/stable/c/4217c6ac817451d5116687f3cc6286220dc43d49 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register() mhi_alloc_controller() allocates a memory space for mhi_ctrl. When an error occurs, mhi_ctrl should be freed with mhi_free_controller(). But when ath11k_mhi_read_addr_from_dt() fails, the function returns without calling mhi_free_controller(), which will lead to a memory leak. We can fix it by calling mhi_free_controller() when ath11k_mhi_read_addr_from_dt() fails. | 2025-09-18 | not yet calculated | CVE-2022-50418 | https://git.kernel.org/stable/c/72ef896e80b6ec7cdc1dd42577045f8e7c9c32b3 https://git.kernel.org/stable/c/015ced9eb63b8b19cb725a1d592d150b60494ced https://git.kernel.org/stable/c/43e7c3505ec70db3d3c6458824d5fa40f62e3e7b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times device_add shall not be called multiple times as stated in its documentation: 'Do not call this routine or device_register() more than once for any device structure' Syzkaller reports a bug as follows [1]: | 2025-09-18 | not yet calculated | CVE-2022-50419 | https://git.kernel.org/stable/c/4bcefec3636208b4c97536b26014d5935d5c10a0 https://git.kernel.org/stable/c/6144423712d570247b8ca26e50a277c30dd13702 https://git.kernel.org/stable/c/671fee73e08ff415d36a7c16bdf238927df83884 https://git.kernel.org/stable/c/6e85d2ad958c6f034b1b158d904019869dbb3c81 https://git.kernel.org/stable/c/7b674dce4162bb46d396586e30e4653427023875 https://git.kernel.org/stable/c/3423a50fa018e88aed4c900d59c3c8334d8ad583 https://git.kernel.org/stable/c/ef055094df4c10b73cfe67c8d43f9de1fb608a8b 
https://git.kernel.org/stable/c/1b6c89571f453101251201f0fad1c26f7256e937 https://git.kernel.org/stable/c/448a496f760664d3e2e79466aa1787e6abc922b5 |
| Kyocera Printer Web Panel – Command Center RX – ExoSys M5521 cdn | An issue in the user interface of Kyocera Command Center RX EXOSYS M5521cdn allows a remote attacker to obtain sensitive information by inspecting packages sent by the user. | 2025-09-18 | not yet calculated | CVE-2023-49367 | http://kyocera.com https://github.com/barisbaydur/CVE-2023-49367 |
| Nokia--CBIS,NCS | The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine. The risk can be partially mitigated by restricting access to the management network using an external firewall. | 2025-09-18 | not yet calculated | CVE-2023-49564 | https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/CVE-2023-49564/ |
| Nokia--CBIS,NCS | The cbis_manager Podman container is vulnerable to remote command execution via the /api/plugins endpoint. Improper sanitization of the HTTP Headers X-FILENAME, X-PAGE, and X-FIELD allows for command injection. These headers are directly utilized within the subprocess.Popen Python function without adequate validation, enabling a remote attacker to execute arbitrary commands on the underlying system by crafting malicious header values within an HTTP request to the affected endpoint. Because the web service executes with root privileges within the container environment, the demonstrated remote code execution permits an attacker to acquire elevated privileges for the command execution. Restricting access to the management network with an external firewall can partially mitigate this risk. | 2025-09-18 | not yet calculated | CVE-2023-49565 | https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/CVE-2023-49565/ |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: add NULL check in xfrm_update_ae_params Normally, x->replay_esn and x->preplay_esn should be allocated at xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the xfrm_update_ae_params(...) is okay to update them. However, the current implementation of xfrm_new_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below. |