Skip to main content
CVE-2025-47171 MEDIUM POC PATCH This Month

Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.

Microsoft Information Disclosure 365 Apps Office Long Term Servicing Channel Office +1
NVD Exploit-DB
CVSS 3.1
6.7
EPSS
2.5%
CVE-2024-41502 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) via the form field "Observaces" (observances) in the "Pessoas" (persons) section when creating or editing either a legal or a natural person.

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-41504 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS). In the "Oportunidades" (opportunities) section of the application when creating or editing an "Atividade" (activity), the form field "Descrico" allows injection of JavaScript.

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-41505 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the "Pessoas" (persons) section via the field "Profisso" (professor).

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-41503 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the field "Ttulo" (title) inside the filter Save option in the "Busca" (search) function.

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-5906 MEDIUM POC This Month

Critical authentication bypass vulnerability in code-projects Laundry System 1.0 affecting the /data/ endpoint, allowing unauthenticated remote attackers to read, modify, and potentially disrupt system availability. The vulnerability has been publicly disclosed with exploit code available, and while CVSS 7.3 indicates moderate-to-high severity, the network-based attack vector (AV:N), lack of privilege requirement (PR:N), and absence of user interaction (UI:N) make this immediately exploitable in production environments. Active exploitation is likely given public POC availability and the ease of attack execution.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-5985 MEDIUM POC This Month

Critical improper authentication vulnerability in code-projects School Fees Payment System version 1.0 that allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to the system. The vulnerability has been publicly disclosed with proof-of-concept exploitation details available, making it an active threat with high likelihood of real-world exploitation against educational institutions and payment processing systems.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-5980 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Restaurant Order System 1.0 affecting the /order.php file, specifically the 'tabidNoti' parameter. Remote unauthenticated attackers can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5979 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /branch.php file's ID parameter, allowing remote unauthenticated attackers to execute arbitrary SQL commands. The vulnerability has been publicly disclosed with proof-of-concept exploitation available, and while the CVSS score is 7.3 (High), the unauthenticated network-accessible attack vector combined with confirmed public exploit disclosure indicates active exploitation risk. This affects all deployments of the vulnerable version without patches applied.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5977 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /datatable.php file where the sSortDir_0 parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the underlying database. The vulnerability has been publicly disclosed with exploit code available, indicating active exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5913 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2024-57186 MEDIUM POC PATCH This Month

In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-37396 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.

XSS Redcap
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-37394 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.

XSS Redcap
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-57189 MEDIUM POC PATCH This Month

In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-37395 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.

XSS Redcap
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-27505 MEDIUM POC PATCH This Month

{GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.

Authentication Bypass Geoserver
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-5935 MEDIUM POC PATCH This Month

A vulnerability was found in Open5GS up to 2.7.3. It has been declared as problematic. Affected by this vulnerability is the function common_register_state of the file src/mme/emm-sm.c of the component AMF/MME. The manipulation of the argument ran_ue_id leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 62cb99755243c9c38e4c060c5d8d0e158fe8cdd5. It is recommended to apply a patch to fix this issue.

Denial Of Service Debian Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-38524 MEDIUM POC PATCH This Month

GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.

Information Disclosure Geoserver
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-48937 MEDIUM POC PATCH This Month

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. This vulnerability is fixed in 0.11.1 and 0.12.0.

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2024-50562 MEDIUM POC This Month

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

Fortinet Information Disclosure
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
0.4%
CVE-2025-33057 MEDIUM PATCH This Month

Null pointer dereference in Windows Local Security Authority (LSA) allows an authorized attacker to deny service over a network.

Microsoft Null Pointer Dereference Denial Of Service Windows 10 1809 Windows 11 24h2 +14
NVD
CVSS 3.1
6.5
EPSS
2.2%
CVE-2025-36578 MEDIUM PATCH This Month

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.

Authentication Bypass Dell Wyse Management Suite
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-42993 MEDIUM This Month

A remote code execution vulnerability (CVSS 6.7) that allows the attacker. Remediation should follow standard vulnerability management procedures.

SAP Authentication Bypass RCE
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2025-22254 MEDIUM This Month

An Improper Privilege Management vulnerability [CWE-269] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.

Node.js Privilege Escalation Fortinet Fortiweb Fortios +1
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-32715 MEDIUM PATCH This Month

Out-of-bounds read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.

Buffer Overflow Information Disclosure Windows 10 1809 Windows Server 2022 23h2 Windows Server 2019 +15
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2025-0037 MEDIUM This Month

CVE-2025-0037 is a security vulnerability (CVSS 6.6) that allows access. Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-2884 MEDIUM PATCH CISA This Month

TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0

Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-27207 MEDIUM This Month

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.

Adobe Privilege Escalation Authentication Bypass Commerce B2b
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-3898 MEDIUM This Month

CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends HTTPS request containing invalid data type to the webserver.

Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-3116 MEDIUM This Month

CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends special malformed HTTPS request containing improper formatted body data to the controller.

Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-3112 MEDIUM This Month

CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an authenticated malicious user sends manipulated HTTPS Content-Length header to the webserver.

Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-24471 MEDIUM This Month

An Improper Certificate Validation vulnerability [CWE-295] in FortiOS version 7.6.1 and below, version 7.4.7 and below may allow an EAP verified remote user to connect from FortiClient via revoked certificate.

Fortinet Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-40567 MEDIUM This Month

A security vulnerability in A vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Siemens Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-48879 MEDIUM PATCH This Month

A security vulnerability in OctoPrint versions up until and including 1.11.1 contain a vulnerability that (CVSS 6.5) that allows any unauthenticated attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Debian Octoprint
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-2918 MEDIUM This Month

The Ultimate Blocks - WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Ultimate Blocks PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-4577 MEDIUM This Month

The Smash Balloon Social Post Feed - Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Smash Balloon Social Post Feed PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-4774 MEDIUM This Month

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Premium Addons For Elementor PHP Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-3076 MEDIUM This Month

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Elementor Page Builder PHP Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-22256 MEDIUM This Month

A security vulnerability in Fortinet FortiPAM 1.4.0 (CVSS 6.3) that allows attacker. Remediation should follow standard vulnerability management procedures.

Fortinet Information Disclosure Fortipam Fortisra
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-47049 MEDIUM This Month

Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page.

Adobe XSS Experience Manager
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-47094 MEDIUM This Month

Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Adobe XSS Experience Manager
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-36577 MEDIUM PATCH This Month

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.

XSS Dell Wyse Management Suite
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-36580 MEDIUM PATCH This Month

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection

XSS Dell Wyse Management Suite
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49143 MEDIUM PATCH This Month

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.

Information Disclosure Nautobot
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-49133 MEDIUM PATCH This Month

Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the ‘CryptHmacSign’ function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the ‘CryptHmacSign’ function, which is defined in the "Part 4: Supporting Routines - Code" document, section "7.151 - /tpm/src/crypt/CryptUtil.c ". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1.

Buffer Overflow Information Disclosure Ubuntu Debian Libtpms +2
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2024-50568 MEDIUM This Month

A security vulnerability in Fortinet FortiOS (CVSS 5.9) that allows an unauthenticated attacker with the knowledge of device specific data. Remediation should follow standard vulnerability management procedures.

Fortinet Information Disclosure Fortiproxy Fortios
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-31325 MEDIUM This Month

Due to a Cross-Site Scripting vulnerability in SAP NetWeaver (ABAP Keyword Documentation), an unauthenticated attacker could inject malicious JavaScript into a web page through an unprotected parameter. When a victim accesses the affected page, the script executes in their browser, providing the attacker limited access to restricted information. The vulnerability does not affect data integrity or availability and operates entirely within the context of the client's browser.

SAP XSS
NVD
CVSS 3.1
5.8
EPSS
0.2%
CVE-2025-47956 MEDIUM PATCH This Month

A security vulnerability in External control of file name or path in Windows Security App (CVSS 5.5) that allows an authorized attacker. Remediation should follow standard vulnerability management procedures.

Microsoft Information Disclosure Windows Security App Windows
NVD
CVSS 3.1
5.5
EPSS
0.6%
CVE-2025-42996 MEDIUM This Month

SAP MDM Server allows an attacker to gain control of existing client sessions and execute certain functions without having to re-authenticate giving the ability to access or modify non-sensitive information or consume sufficient resources which could degrade the performance of the server causing low impact on confidentiality, integrity and availibility of the application.

SAP Information Disclosure
NVD
CVSS 3.1
5.6
EPSS
0.1%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy