Skip to main content
CVE-2025-6218 HIGH POC KEV PATCH THREAT Act Now

WinRAR contains a directory traversal vulnerability (CVE-2025-6218, CVSS 7.8) enabling remote code execution when users extract crafted archives. KEV-listed with EPSS 4.7% and public PoC, this vulnerability allows archive files to write outside the extraction directory, placing malicious files in startup folders or other sensitive locations. Given WinRAR's 500+ million user base, this is a high-impact social engineering vector.

RCE Path Traversal Winrar
NVD
CVSS 3.0
7.8
EPSS
4.7%
Threat
4.7
CVE-2025-6216 CRITICAL POC THREAT Emergency

Allegra project tracking software contains an authentication bypass in the password recovery token generation. Unauthenticated remote attackers can calculate the token expiration date and generate valid password reset tokens, allowing them to reset any user's password including administrators.

Authentication Bypass Allegra
NVD GitHub
CVSS 3.0
9.8
EPSS
25.4%
Threat
4.2
CVE-2025-52488 HIGH POC PATCH THREAT Act Now

DNN (DotNetNuke) CMS versions 6.0.0 through 10.0.0 contain a vulnerability that can expose NTLM hashes to a third-party SMB server. Through a specially crafted series of interactions, an attacker can force the DNN server to authenticate to an attacker-controlled SMB server, capturing NTLM credential hashes for offline cracking.

Microsoft Information Disclosure Dotnetnuke
NVD GitHub
CVSS 3.1
8.6
EPSS
14.8%
CVE-2025-6393 HIGH POC This Week

CVE-2025-6393 is a critical buffer overflow vulnerability in the HTTP POST request handler of TOTOLINK routers affecting models A702R, A3002R, A3002RU, and EX1200T across multiple firmware versions. An authenticated attacker can exploit this vulnerability by manipulating the 'submit-url' parameter in requests to /boafrm/formIPv6Addr to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). The exploit has been publicly disclosed and may be actively exploited in the wild.

Buffer Overflow TP-Link RCE A3002r Firmware A702r Firmware +3
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.6%
CVE-2025-6400 HIGH POC This Week

CVE-2025-6400 is a critical buffer overflow vulnerability in TOTOLINK N300RH router firmware version 6.1c.1390_B20191101, exploitable via HTTP POST requests to the /boafrm/formPortFw endpoint through manipulation of the service_type parameter. An authenticated attacker can remotely trigger this vulnerability to achieve complete system compromise (confidentiality, integrity, and availability). Public exploit code is available and the vulnerability meets criteria for active exploitation risk due to disclosed POC and remote exploitability from an authenticated state.

Buffer Overflow TP-Link RCE N300rh Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-6399 HIGH POC This Week

CVE-2025-6399 is a critical buffer overflow vulnerability in TOTOLINK X15 router (firmware version 1.0.0-B20230714.1105) affecting the HTTP POST request handler for the /boafrm/formIPv6Addr endpoint. An authenticated attacker can exploit the improper handling of the 'submit-url' parameter to trigger a buffer overflow, achieving remote code execution with full system compromise (confidentiality, integrity, and availability). A public exploit has been disclosed and the vulnerability is likely to see active exploitation given its criticality and ease of exploitation.

Buffer Overflow TP-Link X15 Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-6402 HIGH POC This Week

CVE-2025-6402 is a critical buffer overflow vulnerability in TOTOLINK X15 firmware version 1.0.0-B20230714.1105 affecting the IPv6 setup HTTP POST handler. An authenticated remote attacker can exploit improper input validation on the 'submit-url' parameter to achieve complete system compromise (confidentiality, integrity, and availability). Public exploit code exists for this vulnerability, increasing real-world exploitation risk.

Buffer Overflow TP-Link RCE X15 Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6374 HIGH POC This Week

CVE-2025-6374 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L version 2.06B01, affecting the formSetACLFilter function's curTime parameter. An authenticated remote attacker can exploit this to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. Public exploit code exists for this end-of-life product, making it an immediate concern for organizations still operating legacy D-Link equipment.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6373 HIGH POC This Week

CVE-2025-6373 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01 affecting the formSetWizard1 function via the /goform/formWlSiteSurvey endpoint. An authenticated remote attacker can exploit this vulnerability by manipulating the 'curTime' parameter to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available and the affected product is end-of-life with no vendor support.

Buffer Overflow D-Link Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-5034 HIGH POC PATCH This Week

CVE-2025-5034 is a Reflected Cross-Site Scripting (XSS) vulnerability in the wp-file-download WordPress plugin versions before 6.2.6, caused by failure to sanitize and escape user-supplied parameters before output. Attackers can craft malicious URLs containing JavaScript payloads that execute in victims' browsers when clicked, potentially stealing session cookies, hijacking accounts, or performing unauthorized actions. The vulnerability requires user interaction (clicking a link) but affects all users without authentication requirements, making it a moderate-to-significant risk for WordPress installations using this plugin.

WordPress XSS PHP Wp File Download
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-52552 MEDIUM POC PATCH This Month

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to attacker-controlled sites. This issue has been patched in version 4.9.12.

XSS Open Redirect Fastgpt
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-6403 MEDIUM POC This Month

CVE-2025-6403 is a critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /student.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of student and payment records. The vulnerability has been publicly disclosed with working exploits available, and while the CVSS score of 7.3 indicates medium-to-high severity, the SQL injection vector combined with public PoC availability presents significant real-world risk for deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.9%
CVE-2025-6421 MEDIUM POC This Month

A critical SQL injection vulnerability exists in code-projects Simple Online Hotel Reservation System version 1.0, specifically in the /admin/add_account.php file where the 'name' or 'admin_id' parameters are not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the hotel reservation database. Public exploit code is available and the vulnerability is actively being disclosed, increasing exploitation risk in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6420 MEDIUM POC This Month

A critical SQL injection vulnerability exists in code-projects Simple Online Hotel Reservation System version 1.0, specifically in the /admin/add_room.php file where the 'room_type' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of hotel reservation system data. A proof-of-concept exploit has been publicly disclosed, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6419 MEDIUM POC This Month

CVE-2025-6419 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System 1.0 affecting the /admin/edit_room.php endpoint, where the 'room_type' parameter is improperly sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.3 with public proof-of-concept code available, indicating active exploitation risk and widespread discoverability.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6446 MEDIUM POC This Month

A critical SQL injection vulnerability exists in code-projects Client Details System version 1.0, specifically in the /clientdetails/admin/index.php file where the Username parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit code available and demonstrates moderate real-world risk despite the critical classification, with a CVSS score of 7.3 indicating concrete but not maximum severity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6418 MEDIUM POC This Month

CVE-2025-6418 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System 1.0 affecting the /admin/edit_query_account.php endpoint, where the 'Name' parameter is improperly sanitized, allowing remote attackers to execute arbitrary SQL queries without authentication. The vulnerability has been publicly disclosed with exploit code availability, making it a high-priority threat for organizations running this system in production; attackers can manipulate database queries to extract sensitive data, modify records, or potentially escalate privileges.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6409 MEDIUM POC This Month

CVE-2025-6409 is a critical SQL injection vulnerability in PHPGurukul Art Gallery Management System 1.1 affecting the /admin/forgot-password.php endpoint. An unauthenticated remote attacker can manipulate the 'email' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with proof-of-concept availability, making it actively exploitable in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6408 MEDIUM POC This Month

A critical SQL injection vulnerability exists in Campcodes Online Hospital Management System version 1.0 affecting the /doctor/search.php endpoint via the 'searchdata' parameter. An unauthenticated remote attacker can execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the hospital database. Public exploit disclosure and lack of authentication requirements significantly elevate real-world risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6407 MEDIUM POC This Month

A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6406 MEDIUM POC This Month

CVE-2025-6406 is a critical SQL injection vulnerability in Campcodes Online Hospital Management System version 1.0, specifically in the /hms/forgot-password.php endpoint where the 'fullname' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of sensitive hospital patient and administrative data. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6405 MEDIUM POC This Month

CVE-2025-6405 is a critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, affecting the /admin/edit-teacher-detail.php endpoint through an unsanitized 'editid' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of teacher records and sensitive educational data. Public disclosure and proof-of-concept availability indicate active exploitation risk, though CVSS 7.3 reflects moderate actual impact (read/write/availability) rather than complete system compromise.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6404 MEDIUM POC This Month

CVE-2025-6404 is a critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, specifically in the /admin/search.php file's searchdata parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the database. Public disclosure and available proof-of-concept code indicate active exploitation is possible and likely occurring.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6394 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5478 HIGH PATCH This Week

CVE-2025-5478 is a critical integer overflow vulnerability in the Bluetooth SDP (Service Discovery Protocol) implementation of Sony XAV-AX8500 in-vehicle infotainment systems that allows unauthenticated, network-adjacent attackers to execute arbitrary code with root privileges. The vulnerability stems from insufficient input validation in buffer allocation logic, enabling remote code execution without user interaction. Given the automotive infotainment context and lack of authentication requirements, this represents a significant risk to connected vehicle security, particularly for vehicles with Bluetooth connectivity within network proximity.

RCE Xav Ax8500 Firmware
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2025-5820 HIGH PATCH This Week

CVE-2025-5820 is a critical Bluetooth ERTM (Enhanced Retransmission Mode) channel authentication bypass vulnerability in Sony XAV-AX8500 infotainment systems that allows network-adjacent attackers to completely bypass authentication without any privileges or user interaction. Attackers can achieve high-impact compromise of confidentiality, integrity, and availability through improper channel data initialization in the Bluetooth implementation. The vulnerability has a CVSS 3.1 score of 8.8 (High) and represents a significant risk to vehicles using this aftermarket receiver, though exploitation requires physical proximity and the specific technical conditions of ERTM channel manipulation.

Authentication Bypass Xav Ax8500 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-5476 HIGH PATCH This Week

CVE-2025-5476 is an authentication bypass vulnerability in Sony XAV-AX8500 Bluetooth car audio systems caused by improper L2CAP channel isolation in ACL-U links. A network-adjacent attacker can completely bypass authentication without user interaction to gain full control (read, modify, execute) of the device. This is a critical vulnerability affecting in-vehicle infotainment systems with potential safety and privacy implications.

Authentication Bypass Xav Ax8500 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-52557 HIGH This Week

CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.

Information Disclosure XSS Session Fixation
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-3221 HIGH This Week

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a denial of service vulnerability caused by insufficient validation of incoming request resources (CWE-770: Allocation of Resources Without Limits or Throttling). A remote, unauthenticated attacker can exploit this over the network to exhaust server resources and cause service unavailability. The CVSS 7.5 score reflects high availability impact with no authentication required and low attack complexity.

IBM Denial Of Service Infosphere Information Server
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-52487 HIGH PATCH This Week

CVE-2025-52487 is an authentication bypass vulnerability in DNN (DotNetNuke) versions 7.0.0 through 10.0.0 that allows attackers to circumvent IP-based login filters by crafting specially designed requests or using proxy techniques. An unauthenticated remote attacker can bypass IP whitelist restrictions to attempt logins from unauthorized locations, potentially gaining unauthorized access to administrative accounts. The vulnerability has been patched in version 10.0.1 and carries a CVSS 7.5 score reflecting high integrity impact, though no public exploitation or active KEV listing has been reported at this time.

Microsoft Authentication Bypass Dotnetnuke
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-5475 HIGH PATCH This Week

A remote code execution vulnerability (CVSS 7.5) that allows network-adjacent attackers. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Xav Ax8500 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-5479 HIGH PATCH This Week

A remote code execution vulnerability (CVSS 7.5) that allows network-adjacent attackers. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Buffer Overflow Xav Ax8500 Firmware
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2025-5477 HIGH PATCH This Week

A remote code execution vulnerability (CVSS 7.5) that allows network-adjacent attackers. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Buffer Overflow Xav Ax8500 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-36016 MEDIUM This Month

IBM Process Mining 2.0.1 IF001 and 2.0.1 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

IBM Open Redirect Process Mining
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-5289 MEDIUM PATCH This Month

The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.

WordPress XSS 3d Flipbook PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5143 MEDIUM PATCH This Month

The TableOn - WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Tableon Wordpress Posts Table Filterable PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-6422 LOW POC Monitor

A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=save_settings of the component About Content Page. The manipulation of the argument img leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

File Upload PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6417 LOW POC Monitor

A vulnerability has been found in PHPGurukul Art Gallery Management System 1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-artist.php. The manipulation of the argument awarddetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6416 LOW POC Monitor

A vulnerability, which was classified as critical, was found in PHPGurukul Art Gallery Management System 1.1. Affected is an unknown function of the file /admin/changeimage4.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6415 LOW POC Monitor

A vulnerability, which was classified as critical, has been found in PHPGurukul Art Gallery Management System 1.1. This issue affects some unknown processing of the file /admin/changeimage3.php. The manipulation of the argument editid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6414 LOW POC Monitor

A vulnerability classified as critical was found in PHPGurukul Art Gallery Management System 1.1. This vulnerability affects unknown code of the file /admin/changeimage2.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6413 LOW POC Monitor

A vulnerability classified as critical has been found in PHPGurukul Art Gallery Management System 1.1. This affects an unknown part of the file /admin/changeimage1.php. The manipulation of the argument editid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6412 LOW POC Monitor

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/changeimage.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6411 LOW POC Monitor

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/changepropic.php. The manipulation of the argument imageid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6410 LOW POC Monitor

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been classified as critical. Affected is an unknown function of the file /admin/edit-art-medium-detail.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-1987 MEDIUM PATCH This Month

A Cross-Site Scripting (XSS) vulnerability has been identified in Psono-Client’s handling of vault entries of type website_password and bookmark, as used in Bitdefender SecurePass. The client does not properly sanitize the URL field in these entries. As a result, an attacker can craft a malicious vault entry (or trick a user into creating or importing one) with a javascript:URL. When the user interacts with this entry (for example, by clicking or opening it), the application will execute the malicious JavaScript in the context of the Psono vault. This allows an attacker to run arbitrary code in the victim’s browser, potentially giving them access to the user’s password vault and sensitive data.

RCE XSS Information Disclosure Securepass Psono Client
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-52486 MEDIUM PATCH This Month

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. This issue has been patched in version 10.0.1.

Microsoft XSS Dotnetnuke
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-6401 LOW POC Monitor

A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been classified as problematic. This affects an unknown part of the file /boafrm/formFilter of the component HTTP POST Message Handler. The manipulation of the argument url leads to denial of service. The exploit has been disclosed to the public and may be used.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-6375 LOW POC PATCH Monitor

A vulnerability was found in poco up to 1.14.1. It has been rated as problematic. Affected by this issue is the function MultipartInputStream of the file Net/src/MultipartReader.cpp. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.14.2 is able to address this issue. The patch is identified as 6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to upgrade the affected component.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-52485 MEDIUM PATCH This Month

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue has been patched in version 10.0.1.

Microsoft XSS Dotnetnuke
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy