Skip to main content
CVE-2025-20673 MEDIUM This Month

In wlan STA driver, there is a possible system crash due to an uncaught exception. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00413200; Issue ID: MSV-3304.

Null Pointer Dereference Denial Of Service Mt7927 Firmware Mt7921 Firmware Mt7925 Firmware +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-47272 MEDIUM PATCH This Month

The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public machine) could permanently delete the user’s account without knowledge of the password. This bypass of re-authentication puts users at risk of account loss and data disruption. Version 1.1.0.3 contains a patch for the issue.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-1440 MEDIUM PATCH This Month

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.

Open Redirect Identity Server Identity Server As Key Manager Api Manager
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-45387 MEDIUM PATCH This Month

osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.

PHP XSS Osticket
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-48494 MEDIUM PATCH This Month

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. Prior to version 2.0.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users using a version prior to 2.0.0. If a user is the only authenticated user using Gokapi, they are not affected. This issue has been fixed in v2.0.0. A possible workaround would be to disable end-to-end encryption.

XSS Gokapi Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-48495 MEDIUM PATCH This Month

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users of versions prior to 2.0.0. If a user is the only authenticated user using Gokapi, they are not affected. This issue has been fixed in v2.0.0. A workaround would be to not open the API page if it is possible that another user might have injected code.

XSS Gokapi Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-48996 MEDIUM This Month

HAX open-apis provides microservice apis for HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the `haxPsuUsage` API endpoint, related to a flat present in open-apis versions up to and including 10.0.2. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion. Commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7 patches the vulnerability.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-48941 MEDIUM PATCH This Month

A remote code execution vulnerability in MyBB (CVSS 5.3) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Mybb
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-5437 MEDIUM This Month

A vulnerability classified as critical has been found in Multilaser Sirius RE016 MLT1.0. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Password Change Handler. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-5436 MEDIUM This Month

A vulnerability was found in Multilaser Sirius RE016 MLT1.0. It has been rated as problematic. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-8008 MEDIUM PATCH This Month

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

XSS Identity Server Open Banking Iam Open Banking Am Identity Server As Key Manager +2
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2025-3454 MEDIUM PATCH This Month

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

Grafana Authentication Bypass Ubuntu Debian Red Hat +1
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-1235 MEDIUM This Month

A low privileged attacker can set the date of the devices to the 19th of January 2038 an therefore exceed the 32-Bit time limit. This causes the date of the switch to be set back to January 1st, 1970.

Information Disclosure Integer Overflow
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-20297 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6, and Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the pdfgen/render REST endpoint that could result in execution of unauthorized JavaScript code in the browser of a user.

XSS Splunk Splunk Cloud Platform
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-0325 MEDIUM PATCH This Month

CVE-2025-0325 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-3509 MEDIUM PATCH This Month

A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking.

XSS Enterprise Integrator Identity Server As Key Manager Api Manager Identity Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49069 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Cross Site Request Forgery.This issue affects Contact Forms by Cimatti: from n/a through 1.9.8.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy