Skip to main content
CVE-2025-47827 MEDIUM POC KEV THREAT This Month

In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.

Authentication Bypass Windows 11 24h2 Igel Os Windows Server 2016 Windows 11 22h2 +13
NVD GitHub
CVSS 3.1
4.6
EPSS
1.8%
Threat
4.0
CVE-2025-5680 MEDIUM POC This Month

A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Deserialization Java Agilebpm
NVD VulDB
CVSS 3.1
6.3
EPSS
0.4%
CVE-2025-5679 MEDIUM POC This Month

A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Deserialization Java Agilebpm
NVD VulDB
CVSS 3.1
6.3
EPSS
0.4%
CVE-2025-5670 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Medical Card Generation System 1.0. This issue affects some unknown processing of the file /admin/manage-card.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Medical Card Generation System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5669 MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Medical Card Generation System 1.0. This vulnerability affects unknown code of the file /admin/unreadenq.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Medical Card Generation System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5668 MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Medical Card Generation System 1.0. This affects an unknown part of the file /admin/readenq.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Medical Card Generation System
NVD VulDB GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5660 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Complaint Management System 2.0. Affected by this issue is some unknown functionality of the file /user/register-complaint.php. The manipulation of the argument noc leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5659 MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Complaint Management System 2.0. Affected by this vulnerability is an unknown functionality of the file /user/profile.php. The manipulation of the argument pincode leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5652 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Complaint Management System 2.0. Affected is an unknown function of the file /admin/between-date-complaintreport.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5638 MEDIUM POC This Month

A vulnerability has been found in PHPGurukul Notice Board System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin-profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

PHP SQLi Notice Board System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5633 MEDIUM POC This Month

A vulnerability was found in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/users.php. The manipulation of the argument delete leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi News Buzz Content Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5632 MEDIUM POC This Month

A vulnerability was found in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/users.php. The manipulation of the argument change_to_admin leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Content Management System News Buzz
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5694 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /search-report-result.php. The manipulation of the argument serachdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5693 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-result.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5674 MEDIUM POC This Month

A vulnerability was found in code-projects Patient Record Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file urinalysis_form.php. The manipulation of the argument urinalysis_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Patient Record Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5658 MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Complaint Management System 2.0. Affected is an unknown function of the file /admin/updatecomplaint.php. The manipulation of the argument Status leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5657 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Complaint Management System 2.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/manage-users.php. The manipulation of the argument uid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5656 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Complaint Management System 2.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/edit-category.php. The manipulation of the argument description leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5654 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Complaint Management System 2.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/edit-state.php. The manipulation of the argument description leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5653 MEDIUM POC This Month

A vulnerability has been found in PHPGurukul Complaint Management System 2.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/between-date-userreport.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5655 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Complaint Management System 2.0. It has been classified as critical. This affects an unknown part of the file /admin/edit-subcategory.php. The manipulation of the argument subcategory leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Complaint Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5627 MEDIUM POC This Month

A vulnerability classified as critical was found in code-projects Patient Record Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /sputum_form.php. The manipulation of the argument itr_no leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Patient Record Management System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-5704 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/User.php file's txtUserName parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. Public exploit disclosure and active exploitation risk make this a high-priority remediation target.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5649 MEDIUM POC This Month

A remote code execution vulnerability in A vulnerability classified as critical (CVSS 5.3). Risk factors: public PoC available.

Information Disclosure Student Result Management System
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-5382 MEDIUM This Month

Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.

Authentication Bypass Devolutions Server
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-48133 MEDIUM This Month

Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator: from n/a through 6.4.0.2.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-48493 MEDIUM PATCH This Month

The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue.

Redis Information Disclosure Yii2 Redis
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-27754 MEDIUM This Month

A stored XSS vulnerability in RSBlog! component 1.11.6 - 1.14.4 for Joomla was discovered. The vulnerability allows authenticated users to inject malicious JavaScript into the plugin's resource. The injected payload is stored by the application and later executed when other users view the affected content.

XSS Joomla
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-27753 MEDIUM This Month

A SQLi vulnerability in RSMediaGallery component 1.7.4 - 2.1.6 for Joomla was discovered. The vulnerability is due to the use of unescaped user-supplied parameters in SQL queries within the dashboard component. This allows an authenticated attacker to inject malicious SQL code through unsanitized input fields, which are used directly in SQL queries. Exploiting this flaw can lead to unauthorized database access, data leakage, or modification of records.

SQLi Joomla
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-5341 MEDIUM PATCH This Month

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id' and 'data-size’ parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Forminator Forms PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5698 MEDIUM This Month

A vulnerability, which was classified as critical, was found in Brilliance Golden Link Secondary System up to 20250424. Affected is an unknown function of the file /sysframework/logSelect.htm. The manipulation of the argument nodename leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

SQLi Golden Link Secondary System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5697 MEDIUM This Month

A vulnerability, which was classified as critical, has been found in Brilliance Golden Link Secondary System up to 20250424. This issue affects some unknown processing of the file /reprotframework/tcCustDeferPosiQuery.htm. The manipulation of the argument custTradeId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

SQLi Golden Link Secondary System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-5696 MEDIUM This Month

A vulnerability classified as critical was found in Brilliance Golden Link Secondary System up to 20250424. This vulnerability affects unknown code of the file /storagework/rentChangeCheckInfoPage.htm. The manipulation of the argument clientname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

SQLi Golden Link Secondary System
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-49009 MEDIUM PATCH This Month

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-30084 MEDIUM This Month

A stored XSS vulnerability in RSMail! component 1.19.20 - 1.22.26 for Joomla was discovered. The issue occurs within the dashboard component, where user-supplied input is not properly sanitized before being stored and rendered. An attacker can inject malicious JavaScript code into text fields or other input points, which is subsequently executed in the browser of any user who clicks on the crafted text in the dashboard.

XSS Joomla
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49466 MEDIUM PATCH This Month

aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part,

Path Traversal Ubuntu Debian Suse
NVD
CVSS 3.1
5.8
EPSS
0.5%
CVE-2025-5702 MEDIUM PATCH This Month

A security vulnerability in the GNU C Library (CVSS 5.6). Remediation should follow standard vulnerability management procedures.

Information Disclosure Ubuntu Debian Glibc Red Hat +1
NVD
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-5745 MEDIUM PATCH This Month

A security vulnerability in the GNU C Library (CVSS 5.6). Remediation should follow standard vulnerability management procedures.

Information Disclosure Ubuntu Debian Glibc Red Hat +1
NVD
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-5683 MEDIUM PATCH This Month

When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.

Denial Of Service Ubuntu Debian Qt Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-27445 MEDIUM This Month

A path traversal vulnerability in RSFirewall component 2.9.7 - 3.1.5 for Joomla was discovered. This vulnerability allows authenticated users to read arbitrary files outside the Joomla root directory. The flaw is caused by insufficient sanitization of user-supplied input in file path parameters, allowing attackers to exploit directory traversal sequences (e.g., ../) to access sensitive files

Path Traversal Joomla
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-49012 MEDIUM PATCH This Month

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau versions 0.9.0 through 0.9.14 and 1.00-alpha are vulnerable to a privilege escalation issue when Entra ID group-based access restrictions are configured using group display names instead of object IDs. Starting in version 0.9.0, Himmelblau introduced support for specifying group names in the `pam_allow_groups` configuration option. However, Microsoft Entra ID permits the creation of multiple groups with the same `displayName` via the Microsoft Graph API-even by non-admin users, depending on tenant settings. As a result, a user could create a personal group with the same name as a legitimate access group (e.g., `"Allow-Linux-Login"`), add themselves to it, and be granted authentication or `sudo` rights by Himmelblau. Because affected Himmelblau versions compare group names by either `displayName` or by the immutable `objectId`, this allows bypassing access control mechanisms intended to restrict login to members of official, centrally-managed groups. This issue is fixed in Himmelblau version **0.9.15** and later. In these versions, group name matching in `pam_allow_groups` has been deprecated and removed, and only group `objectId`s (GUIDs) may be specified for secure group-based filtering. To mitigate the issue without upgrading, replace all entries in `pam_allow_groups` with the objectId of the target Entra ID group(s) and/or audit your tenant for groups with duplicate display names using the Microsoft Graph API.

Microsoft Privilege Escalation Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-46258 MEDIUM PATCH This Month

Missing Authorization vulnerability in BdThemes Element Pack Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Pack Pro: from n/a before 8.0.0.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-3768 MEDIUM This Month

Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.

Authentication Bypass Devolutions Server
NVD
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-0691 MEDIUM This Month

Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.

Authentication Bypass Devolutions Server
NVD
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-46257 MEDIUM PATCH This Month

Cross-Site Request Forgery (CSRF) vulnerability in BdThemes Element Pack Pro allows Cross Site Request Forgery.This issue affects Element Pack Pro: from n/a before 8.0.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-48432 MEDIUM PATCH This Month

A security vulnerability in Django 5.2 (CVSS 4.0) that allows remote attackers. Remediation should follow standard vulnerability management procedures.

Python Code Injection Ubuntu Debian Django +3
NVD GitHub
CVSS 3.1
4.0
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy