A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2 and classified as critical. This issue affects some unknown processing of the file /request-details.php. The manipulation of the argument requestid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability has been found in PHPGurukul Online Fire Reporting System 1.2 and classified as critical. This vulnerability affects unknown code of the file /reporting.php. The manipulation of the argument fullname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /profile.php. The manipulation of the argument content leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /details.php. The manipulation of the argument requestid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been classified as critical. Affected is an unknown function of the file /search-report-result.php. The manipulation of the argument serachdata leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability, which was classified as critical, was found in CodeAstro Real Estate Management System 1.0. This affects an unknown part of the file /submitpropertyupdate.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability classified as critical has been found in PHPGurukul Notice Board System 1.0. This affects an unknown part of the file /search-notice.php. The manipulation of the argument searchdata leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in PHPGurukul Teacher Subject Allocation Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/changeimage.php. The manipulation of the argument editid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability has been found in PHPGurukul Teacher Subject Allocation Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/edit-course.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability, which was classified as critical, was found in PHPGurukul Teacher Subject Allocation Management System 1.0. This affects an unknown part of the file /admin/edit-teacher-info.php. The manipulation of the argument editid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
A vulnerability, which was classified as critical, has been found in PHPGurukul Rail Pass Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/pass-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
A vulnerability classified as critical was found in PHPGurukul Daily Expense Tracker System 1.1. This vulnerability affects unknown code of the file /expense-reports-detailed.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability, which was classified as critical, has been found in CodeAstro Real Estate Management System 1.0. Affected by this issue is some unknown functionality of the file /submitpropertydelete.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Cross Site Scripting vulnerability in Motivian Content Mangment System v.41.0.0 allows a remote attacker to execute arbitrary code via the Marketing/Forms, Marketing/Offers and Content/Pages components.
Auth bypass in Airleader MASTER. CVSS 10.0.
Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.
Prototype pollution in billboard.js before 3.15.1 via generate function.
A security vulnerability in Deno (CVSS 5.3). Risk factors: public PoC available. Vendor patch is available.
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.
Path traversal in Airleader MASTER enables reading embedded sensitive data.
A remote code execution vulnerability in the MIM Admin service (CVSS 8.9). High severity vulnerability requiring prompt remediation.
Critical authentication bypass vulnerability in Cisco Integrated Management Controller (IMC) across multiple UCS server platforms that allows authenticated remote attackers to escalate privileges and access internal services with elevated permissions via crafted SSH syntax. The vulnerability affects UCS B-Series, C-Series, S-Series, and X-Series servers, enabling attackers to create administrator accounts and modify system configurations. With a CVSS score of 8.8 and low attack complexity requiring only valid credentials, this vulnerability poses significant risk to data center infrastructure and should be prioritized for patching.
The Sunshine Photo Cart plugin for WordPress (versions ≤3.4.11) contains an improper key validation vulnerability in its password reset functionality, allowing authenticated attackers with Subscriber-level privileges to perform privilege escalation by resetting arbitrary user passwords, including administrators. With a CVSS score of 8.8 and a low attack complexity (network-accessible, no user interaction required), this vulnerability poses a critical threat to WordPress installations using this plugin. The vulnerability is likely to be actively exploited given the straightforward attack path and the high-value target (admin account takeover).
CVE-2024-13967 is an authentication bypass vulnerability in EIBPORT V3 KNX web server that allows unauthenticated attackers to access sensitive configuration pages through the integrated web interface. Affects EIBPORT V3 KNX and EIBPORT V3 KNX GSM through version 3.9.8. Successful exploitation enables complete compromise of the device including confidentiality, integrity, and availability of configuration settings and potentially the entire KNX installation.
Man-in-the-middle vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) caused by insufficient SSH host key validation, allowing unauthenticated remote attackers to impersonate NDFC-managed devices and intercept SSH traffic. This vulnerability affects Cisco NDFC deployments and could lead to credential capture and device impersonation with a CVSS score of 8.7 (High). Without confirmed KEV status or public POC availability noted in standard databases, organizations should prioritize patching based on CVSS severity and the network-accessible nature of the vulnerability (AV:N).
A vulnerability classified as problematic has been found in aaluoxiang oa_system up to 5b445a6227b51cee287bd0c7c33ed94b801a82a5. This affects the function image of the file src/main/java/cn/gson/oasys/controller/process/ProcedureController.java. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
A security vulnerability in FreshRSS (CVSS 4.3). Risk factors: public PoC available. Vendor patch is available.
FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue.
The File Provider WordPress plugin through 1.2.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Local privilege escalation vulnerability in Razer Synapse 4 (versions through 4.0.86.2502180127) affecting the razer_elevation_service.exe component. An authenticated local attacker can exploit a vulnerable COM interface to escalate from standard user privileges to SYSTEM/administrative level, gaining full control over the affected system. The vulnerability has a CVSS score of 7.8 (high severity) and requires local access but no user interaction, making it a significant risk for multi-user systems and enterprise deployments.
A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.
CVE-2018-25112 is an unauthenticated network-based Denial-of-Service vulnerability affecting IEC 61131-compliant Industrial Logic Controllers (ILCs). An attacker can exhaust device resources by flooding the controller with crafted network traffic, rendering it unresponsive. With a CVSS score of 7.5 (High severity), no authentication required, and network-accessible attack surface, this poses significant risk to industrial control systems; however, exploitation likelihood depends on network exposure and whether patches are available from affected vendors.
A denial of service vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
VMware NSX Manager UI is vulnerable to stored cross-site scripting (XSS) attacks via improper input validation in user-controllable fields (CWE-79). An authenticated attacker with high privileges can inject malicious scripts that persist in the application and execute in the browsers of other users, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. With a CVSS score of 7.5 and network-accessible attack vector, this vulnerability poses a moderate-to-high risk to NSX Manager deployments, particularly in multi-user environments.
Buffer overflow vulnerability (CWE-787: Out-of-bounds Write) in DNS name processing affecting systems running LLMNR or mDNS with Buffer Allocation Scheme 1 enabled. An attacker with local access can trigger out-of-bounds writes by crafting LLMNR/mDNS queries with excessively long DNS names, potentially achieving code execution or system compromise. The vulnerability requires local access (AV:L) but no user interaction or authentication, making it a significant privilege escalation vector on multi-user systems.
Local code execution vulnerability in Delta Electronics CNCSoft-G2 resulting from insufficient file validation when processing user-supplied files. An authenticated local attacker can craft a malicious file that, when opened by a user, executes arbitrary code with the privileges of the affected application. This vulnerability has a CVSS score of 7.3 (High) and requires local access and user interaction, making it a significant risk for organizations deploying CNCSoft-G2 in manufacturing or industrial control environments.
Local code execution vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied files. When a user opens a malicious file, an attacker can execute arbitrary code with the privileges of the current process. While no publicly disclosed POC or active exploitation in the wild has been confirmed, the high CVSS score (7.3) and the file-opening attack vector present moderate risk to users of affected CNCSoft versions.
Buffer overflow vulnerability (CWE-787) in Delta Electronics CNCSoft that allows local authenticated users to execute arbitrary code by opening a specially crafted malicious file. The vulnerability requires user interaction (file opening) but results in complete compromise of the affected process with high impact to confidentiality, integrity, and availability. No KEV status, EPSS score, or confirmed active exploitation data is available in the provided intelligence.
Local arbitrary code execution vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied files. An attacker with local access can craft a malicious file that, when opened by a user, executes arbitrary code with the privileges of the CNCSoft process. With a CVSS score of 7.3 and CWE-787 (Out-of-bounds Write) classification, this represents a significant local privilege escalation risk, though exploitation requires user interaction and local access.
Local privilege escalation vulnerability in Delta Electronics CNCSoft caused by insufficient validation of user-supplied files. When a user opens a malicious file, an attacker can execute arbitrary code with the privileges of the current process. While the CVSS score of 7.3 is moderate-to-high, the attack requires local access and user interaction, limiting immediate widespread impact; however, the high integrity and confidentiality impact (CWE-787: Out-of-bounds Write) warrants prompt patching.
Local privilege escalation vulnerability in Acronis Cyber Protect 16 (Windows) caused by insecure folder permissions (CWE-732), allowing authenticated local users to escalate privileges with high confidentiality, integrity, and availability impact. The vulnerability affects Windows installations before build 39938, and while the CVSS score of 7.3 indicates significant risk, exploitation requires local access and user interaction. No public indicators confirm active exploitation in the wild or widespread POC availability at this time.
Privilege escalation vulnerability in Zscaler Client Connector for macOS versions prior to 4.2.0.241, caused by improper verification of loaded libraries. A local attacker with standard user privileges can exploit this weakness without user interaction to gain elevated system privileges, potentially compromising system integrity and confidentiality. The CVSS 7.3 score reflects the moderate-to-high severity of local privilege escalation with high impact on confidentiality and integrity.
VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation.
Incorrect default permission in Samsung Cloud for Galaxy Watch prior to SMR Jun-2025 Release 1 allows local attackers to access data in Samsung Cloud for Galaxy Watch.
Local privilege escalation due to insecure file permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40077.
PostgreSQL Anonymizer v2.0 and v2.1 contain a vulnerability that allows a masked user to bypass the masking rules defined on a table and read the original data using a database cursor or the --insert option of pg_dump. This problem occurs only when dynamic masking is enabled, which is not the default setting. The problem is resolved in version 2.2.1
An issue was discovered in Samsung Mobile Processor Exynos 2200, 1480, and 2400. A Use-After-Free in the mobile processor leads to privilege escalation.
An issue was discovered in Samsung Mobile Processor Exynos 1380. A Use-After-Free in the mobile processor leads to privilege escalation.
An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.