Skip to main content
CVE-2025-32876 MEDIUM POC This Month

An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which, in the case of the COROS Pace 3, is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.

Authentication Bypass Coros Pace 3 Firmware
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-46158 MEDIUM POC PATCH This Month

An issue in redoxOS kernel before commit 5d41cd7c allows a local attacker to cause a denial of service via the `setitimer` syscall

Denial Of Service Redox
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-6365 MEDIUM POC This Month

A vulnerability was found in HobbesOSR Kitten up to c4f8b7c3158983d1020af432be1b417b28686736 and classified as critical. Affected by this issue is the function set_pte_at in the library /include/arch-arm64/pgtable.h. The manipulation leads to resource consumption. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Denial Of Service Kitten
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.1%
CVE-2025-6264 MEDIUM POC PATCH This Month

Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.  To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).

Privilege Escalation Velociraptor Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-6311 MEDIUM POC This Month

CVE-2025-6311 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/account_add.php endpoint. Unauthenticated remote attackers can manipulate the 'id' or 'amount' parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation risk with a CVSS score of 7.3 indicating medium-to-high severity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6355 MEDIUM POC This Month

CVE-2025-6355 is a critical SQL injection vulnerability in SourceCodester Online Hotel Reservation System version 1.0, specifically in the /admin/execeditroom.php file where the 'userid' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure and proof-of-concept availability significantly elevate real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6339 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6314 MEDIUM POC This Month

CVE-2025-6314 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0, specifically in the /pages/cat_update.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has a publicly disclosed exploit (POC available), making it an active threat with immediate exploitation risk; the CVSS 7.3 score reflects moderate-to-high severity with network-based attack capability and no authentication required.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6313 MEDIUM POC This Month

CVE-2025-6313 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, affecting the /pages/cat_add.php endpoint where the 'Category' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available and may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6312 MEDIUM POC This Month

CVE-2025-6312 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /pages/cash_transaction.php file where the 'cid' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploitation details available, making it actively exploitable in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6360 MEDIUM POC This Month

CVE-2025-6360 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /portal.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6359 MEDIUM POC This Month

CVE-2025-6359 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /cashconfirm.php file where the 'transactioncode' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6358 MEDIUM POC This Month

CVE-2025-6358 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /saveorder.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. Public proof-of-concept code is available, increasing the immediate risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6357 MEDIUM POC This Month

CVE-2025-6357 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /paymentportal.php file where the 'person' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability with no user interaction required to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing the likelihood of active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6356 MEDIUM POC This Month

CVE-2025-6356 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /addmem.php file that allows unauthenticated remote attackers to manipulate database queries. An attacker can exploit this vulnerability to read, modify, or delete sensitive data from the underlying database. The vulnerability has public exploit code available and may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6354 MEDIUM POC This Month

CVE-2025-6354 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the customer signup functionality (/function/customer_signup.php). An unauthenticated remote attacker can manipulate the email parameter to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept availability and demonstrates active exploitation potential.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6344 MEDIUM POC This Month

CVE-2025-6344 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus.php file's email parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and exploit code availability increase the real-world threat level significantly.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6343 MEDIUM POC This Month

CVE-2025-6343 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_product.php file where the 'pid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the shoe store's database. The exploit has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6342 MEDIUM POC This Month

CVE-2025-6342 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0, specifically in the /admin/admin_football.php file where the 'pid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6330 MEDIUM POC This Month

CVE-2025-6330 is a critical SQL injection vulnerability in PHPGurukul Directory Management System version 1.0, specifically in the /searchdata.php file's 'searchdata' parameter. An unauthenticated remote attacker can inject arbitrary SQL commands to compromise confidentiality, integrity, and availability of the underlying database. Public disclosure and proof-of-concept exploitation have occurred, making this an immediately actionable threat despite the moderate CVSS 7.3 score.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6323 MEDIUM POC This Month

CVE-2025-6323 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, specifically affecting the /enrollment.php file's 'fathername' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the enrollment database. The vulnerability has public proof-of-concept code available and may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6322 MEDIUM POC This Month

CVE-2025-6322 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, affecting the /visit.php file's 'gname' parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and confirmed POC availability significantly elevate real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6318 MEDIUM POC This Month

CVE-2025-6318 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, affecting the /admin/check_availability.php file where the 'Username' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure of exploitation details and confirmed POC availability indicate active exploitation risk in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6317 MEDIUM POC This Month

CVE-2025-6317 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /admin/confirm.php file's ID parameter. An unauthenticated remote attacker can execute arbitrary SQL commands with low complexity, potentially leading to unauthorized data access, modification, or service disruption. Public exploit disclosure and active attack feasibility significantly elevate real-world risk despite the moderate CVSS score of 7.3.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6316 MEDIUM POC This Month

CVE-2025-6316 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_running.php file where the 'qty' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this flaw to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and while the CVSS score is 7.3 (high), the attack vector is network-based with low complexity, indicating active exploitation is feasible.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6315 MEDIUM POC This Month

CVE-2025-6315 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /cart2.php endpoint via an unsanitized ID parameter. An unauthenticated remote attacker can exploit this over the network with low complexity to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. A public proof-of-concept has been disclosed and the vulnerability may be actively exploited.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6310 MEDIUM POC This Month

A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6307 MEDIUM POC This Month

CVE-2025-6307 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /function/edit_customer.php file, where the 'firstname' parameter is insufficiently sanitized, allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept details available, and while rated 7.3 (High) in CVSS v3.1, the network-accessible attack vector combined with no authentication requirement and demonstrated public exploitation significantly elevates real-world risk. Other parameters in the same function are suspected to be vulnerable to the same injection pattern.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6306 MEDIUM POC This Month

CVE-2025-6306 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the admin authentication mechanism in /admin/admin_index.php. An unauthenticated remote attacker can manipulate the Username parameter to execute arbitrary SQL queries, potentially leading to unauthorized access, data theft, or data manipulation. The vulnerability has been publicly disclosed with working exploits available, making active exploitation likely.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6305 MEDIUM POC This Month

CVE-2025-6305 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /admin/admin_feature.php endpoint via the product_code parameter. An unauthenticated remote attacker can execute arbitrary SQL commands to read, modify, or delete database contents. The vulnerability has public exploit disclosure and carries a CVSS 7.3 score with confirmed exploitation potential.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6304 MEDIUM POC This Month

CVE-2025-6304 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /cart.php file's qty[] parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete sensitive data. The vulnerability has been publicly disclosed with proof-of-concept exploits available, presenting immediate exploitation risk to unpatched instances of this e-commerce application.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6303 MEDIUM POC This Month

CVE-2025-6303 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus1.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6300 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability classified as critical (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6296 MEDIUM POC This Month

CVE-2025-6296 is a critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /empty_rooms.php file's search_box parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially achieving unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploits available, making active exploitation highly probable in real-world deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6295 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6294 MEDIUM POC This Month

CVE-2025-6294 is a critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /contact.php file's hostel_name parameter. An unauthenticated remote attacker can exploit this without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and while CVSS 7.3 indicates moderate-to-high severity with confidentiality, integrity, and availability impact, the simplicity of exploitation (network-accessible, no privileges required, low complexity) makes this a practical threat requiring immediate patching.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6293 MEDIUM POC This Month

CVE-2025-6293 is a critical SQL injection vulnerability in code-projects Hostel Management System v1.0 affecting the /contact_manager.php endpoint, where the student_roll_no parameter is inadequately sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate, modify, or delete database records. Public exploit disclosure and active exploitation signals indicate this is a high-priority threat requiring immediate remediation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6352 MEDIUM POC This Month

A security vulnerability in A vulnerability classified as problematic (CVSS 5.3). Risk factors: public PoC available.

PHP Information Disclosure Automated Voting System
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-5125 MEDIUM POC PATCH This Month

The Custom Post Carousels with Owl WordPress plugin before 1.4.12 uses the featherlight library and makes use of the data-featherlight attribute without sanitizing before using it.

WordPress XSS Custom Post Carousels With Owl PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-4025 MEDIUM PATCH This Month

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.

Gitlab Denial Of Service Ubuntu Debian
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-50034 MEDIUM This Month

A security vulnerability in Missing Authorization vulnerability in Mahmudul (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-52733 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anonform Ab ANON::form embedded secure form allows DOM-Based XSS. This issue affects ANON::form embedded secure form: from n/a through 1.7.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-52707 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirelightWP Firelight Lightbox allows Stored XSS. This issue affects Firelight Lightbox: from n/a through 2.3.16.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50051 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chad Butler WP-Members allows Stored XSS.This issue affects WP-Members: from n/a through 3.5.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50050 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress allows Stored XSS. This issue affects Jobs for WordPress: from n/a through 2.7.12.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50049 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in prismtechstudios Modern Footnotes allows Stored XSS. This issue affects Modern Footnotes: from n/a through 1.4.19.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50048 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atakan Au Automatically Hierarchic Categories in Menu allows Stored XSS. This issue affects Automatically Hierarchic Categories in Menu: from n/a through 2.0.9.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50047 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 1.9.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50046 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50045 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce allows DOM-Based XSS. This issue affects Related Products Manager for WooCommerce: from n/a through 1.6.2.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy