Skip to main content
CVE-2025-48700 MEDIUM POC KEV THREAT This Month

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

XSS Authentication Bypass
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
Threat
4.2
CVE-2025-2828 CRITICAL POC PATCH Act Now

A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor patch is available.

Microsoft SSRF Langchain Red Hat AI / ML
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-46101 CRITICAL POC Act Now

A SQL injection vulnerability (CVSS 9.8) that allows a remote attacker. Risk factors: public PoC available.

PHP SQLi Learning Management System Sharable Content Object Reference Model
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-6511 HIGH POC This Week

CVE-2025-6511 is a critical stack-based buffer overflow vulnerability in Netgear EX6150 (version 1.0.0.46_1.0.76) affecting the sub_410090 function, allowing authenticated attackers to achieve remote code execution with high integrity, confidentiality, and availability impact. The vulnerability is publicly disclosed with proof-of-concept code available, and impacts only end-of-life products no longer receiving vendor support, elevating real-world exploitation risk for unpatched legacy deployments.

Buffer Overflow Netgear RCE Denial Of Service Ex6150 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-6510 HIGH POC This Week

CVE-2025-6510 is a critical stack-based buffer overflow vulnerability in Netgear EX6100 WiFi extender (version 1.0.2.28_1.1.138) affecting the sub_415EF8 function. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and availability impact. The vulnerability has public exploit disclosure and affects only end-of-life products no longer receiving vendor support.

Buffer Overflow Netgear RCE Ex6100 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-50349 HIGH POC This Week

PHPGurukul Pre-School Enrollment System v1.0 contains a directory traversal vulnerability in the update-teacher-pic.php endpoint that allows unauthenticated remote attackers to read arbitrary files from the server with high confidence. An attacker can exploit this network-accessible vulnerability without any privileges or user interaction to disclose sensitive files, potentially exposing database credentials, configuration files, or other system information. The high CVSS score of 7.5 reflects the ease of exploitation (network-accessible, low complexity, no authentication required) and significant confidentiality impact, though this vulnerability does not permit file modification or denial of service.

PHP Path Traversal Pre School Enrollment System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-50348 HIGH POC This Week

CVE-2025-50348 is a Directory Traversal vulnerability in PHPGurukul Pre-School Enrollment System Project version 1.0, specifically in the update-class-pic.php file. An unauthenticated remote attacker can exploit this vulnerability to read sensitive files from the server, achieving high confidentiality impact without requiring user interaction or special privileges. The vulnerability has a CVSS score of 7.5 (High) with a network-based attack vector and low attack complexity, indicating it is easily exploitable by remote actors; however, exploitation is limited to information disclosure without modification capabilities.

PHP Path Traversal Pre School Enrollment System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-44528 HIGH POC This Week

CVE-2025-44528 is a network-based Denial of Service vulnerability in Texas Instruments LP-CC2652RB SimpleLink CC13XX CC26XX SDK version 7.41.00.17 that allows unauthenticated remote attackers to crash or disable affected devices by sending a maliciously crafted LL_Pause_Enc_Req packet during the Bluetooth Low Energy authentication and connection establishment phase. The vulnerability has a CVSS 3.1 score of 7.5 (High) with no authentication required and low attack complexity, making it readily exploitable against vulnerable deployments. No KEV status, EPSS score, or public POC availability data was provided, but the network-accessible attack vector and lack of prerequisite conditions indicate moderate real-world risk for exposed BLE devices.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-6529 HIGH POC This Week

Remote code execution via default Telnet credentials in 70mai M300 dashcam firmware (versions up to 20250611) allows adjacent network attackers to gain full device control without authentication. The vulnerability has public exploit code available on GitHub demonstrating malicious file upload and code execution capabilities. Despite CVSS 7.4 severity and public exploitation techniques, EPSS probability remains low at 0.18% (40th percentile), suggesting limited widespread targeting of consumer dashcam devices, though adjacent network requirement (AV:A) makes this exploitable in shared WiFi environments or vehicle networks.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.2%
CVE-2025-52562 CRITICAL PATCH Act Now

A path traversal vulnerability in versions 3.9.0-rc3 to (CVSS 10.0) that allows the attacker. Critical severity with potential for significant impact on affected systems.

PHP Path Traversal
NVD GitHub
CVSS 3.1
10.0
EPSS
1.9%
CVE-2025-6512 CRITICAL PATCH Act Now

CVE-2025-6512 is a critical privilege escalation vulnerability in BRAIN2 where unauthenticated attackers can inject malicious scripts into reports on non-admin client systems, which are then executed with administrator privileges on the BRAIN2 server. This represents a complete system compromise with CVSS 10.0 severity, affecting all users regardless of their local privilege level. No authentication is required to exploit this vulnerability, making it immediately exploitable in network environments.

RCE Code Injection Privilege Escalation
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2023-47029 CRITICAL Act Now

CVE-2023-47029 is a critical remote code execution vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated attackers to execute arbitrary code and exfiltrate sensitive information through a crafted POST request to the UserService component. With a CVSS score of 9.8 and network-based attack vector requiring no privileges or user interaction, this vulnerability poses an immediate threat to NCR point-of-sale and payment terminal environments. The vulnerability's status as actively exploited (KEV designation) and the existence of public proof-of-concept code indicate high real-world exploitation risk.

RCE Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-47030 CRITICAL Act Now

CVE-2023-47030 is a critical remote code execution vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated attackers to execute arbitrary code and access sensitive information through improper input validation in the UserService SOAP API endpoint. The vulnerability affects point-of-sale and terminal systems used in retail and hospitality environments, enabling complete system compromise without authentication or user interaction.

RCE Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-47032 CRITICAL Act Now

CVE-2023-47032 is a critical remote code execution vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated attackers to execute arbitrary code by sending malicious scripts to the UserService SOAP API endpoint. The vulnerability affects NCR's point-of-sale terminal handler software and carries a CVSS score of 9.8 (critical severity). There is no indication of active exploitation in the wild, but the network-accessible SOAP API, lack of authentication requirements, and high-severity CWE-94 (Improper Control of Generation of Code) suggest this poses significant risk to NCR terminal deployments.

RCE Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-48978 CRITICAL Act Now

A remote code execution vulnerability (CVSS 9.8) that allows a remote attacker. Critical severity with potential for significant impact on affected systems.

RCE Itm Web Terminal
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-52921 CRITICAL Act Now

A remote code execution vulnerability in Innoshop (CVSS 9.9). Critical severity with potential for significant impact on affected systems.

PHP RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2023-47031 CRITICAL Act Now

CVE-2023-47031 is a critical privilege escalation vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to gain administrative privileges by crafting malicious POST requests to SOAP API endpoints (grantRolesToUsers, grantRolesToGroups, grantRolesToOrganization). With a CVSS score of 9.8 and attack vector requiring no authentication or user interaction, this vulnerability poses an immediate threat to exposed NCR Terminal Handler installations. The vulnerability has been confirmed with public disclosure and is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

Terminal Handler Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2023-47295 CRITICAL Act Now

CVE-2023-47295 is a critical CSV injection vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to execute arbitrary commands through crafted payloads injected into any text input field. The vulnerability has a CVSS 9.8 score indicating maximum severity due to network accessibility, no authentication requirements, and complete system compromise potential (confidentiality, integrity, and availability impact). This represents a direct remote code execution risk affecting payment terminal infrastructure.

Code Injection Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2023-47297 CRITICAL Act Now

CVE-2023-47297 is a critical settings manipulation vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to execute arbitrary commands and modify system security auditing configurations without authentication. With a CVSS score of 9.8 and network-accessible attack vector, this vulnerability poses an immediate threat to NCR terminal deployments in retail and financial environments. The vulnerability's presence in point-of-sale systems and payment terminals makes it particularly dangerous for organizations processing financial transactions.

Information Disclosure Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-45347 CRITICAL Act Now

CVE-2024-45347 is a critical authentication bypass vulnerability in Xiaomi Mi Connect Service APP caused by flawed validation logic that allows unauthenticated attackers on the same network segment to gain unauthorized access to victim devices with complete control (confidentiality, integrity, and availability compromise). With a CVSS score of 9.6 and CVSS vector indicating adjacent network access with no privileges or user interaction required, this vulnerability represents a severe risk to Xiaomi device users, particularly in shared network environments (corporate WiFi, home networks, public hotspots).

Authentication Bypass
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-6502 MEDIUM POC This Month

CVE-2025-6502 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/changePassword.php file where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit details available, increasing immediate risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6500 MEDIUM POC This Month

CVE-2025-6500 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/editCategories.php file where the 'editCategoriesName' parameter is inadequately sanitized. An unauthenticated attacker can exploit this remotely to read, modify, or delete database contents, affecting confidentiality, integrity, and availability. Public exploit disclosure and confirmed proof-of-concept availability increase real-world risk significantly.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6503 MEDIUM POC This Month

CVE-2025-6503 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/fetchSelectedCategories.php file where the 'categoriesId' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed and proof-of-concept code is available, significantly elevating exploitation risk in production environments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6501 MEDIUM POC This Month

CVE-2025-6501 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/createCategories.php file, where the 'categoriesStatus' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and proof-of-concept availability indicate active threat potential with low barrier to exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-52935 CRITICAL Act Now

CVE-2025-52935 is an integer overflow/wraparound vulnerability in DragonflyDB's Lua struct module (lua_struct.C) that allows authenticated attackers with low privileges to trigger memory corruption, information disclosure, and potential code execution. The vulnerability affects DragonflyDB versions 1.30.1, 1.30.0, and 1.28.18, and carries a critical CVSS v4.0 score of 9.4 with high impact across confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed at this time, but the authenticated attack vector and high severity warrant immediate patching.

Integer Overflow Denial Of Service
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-52939 CRITICAL Act Now

CVE-2025-52939 is an out-of-bounds write vulnerability in the Lua interpreter modules (ldebug.c, lvm.c) bundled with NotepadNext through version 0.11, allowing local attackers without privileges to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. With a CVSS score of 9.4 and local attack vector requiring no user interaction, this represents a critical local privilege escalation and code execution risk; KEV status and active exploitation data are not confirmed in available intelligence, but the high CVSS and presence of affected interpreter code suggest this warrants immediate patching.

Buffer Overflow
NVD GitHub
CVSS 4.0
9.4
EPSS
0.0%
CVE-2025-52936 CRITICAL PATCH Act Now

CVE-2025-52936 is a symlink following vulnerability (CWE-59) in sslh before version 2.2.2 that allows local attackers with low privileges to bypass file access controls and potentially achieve high-impact confidentiality and integrity violations. The vulnerability enables attackers to read, modify, or delete sensitive files through improper resolution of symbolic links during file operations. With a CVSS v4.0 score of 9.3 and an attack vector limited to local access requiring low privileges, this is a critical local privilege escalation risk for multi-user systems running vulnerable sslh versions.

Information Disclosure Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-6513 CRITICAL PATCH Act Now

CVE-2025-6513 is a local privilege escalation vulnerability in the BRAIN2 application where standard Windows users can access and decrypt the application's database configuration file without authentication. This allows unprivileged local users to obtain database credentials and potentially compromise sensitive data, with a CVSS score of 9.3 indicating critical severity. The vulnerability affects system confidentiality, integrity, and availability across trust boundaries.

Microsoft Information Disclosure Windows Privilege Escalation
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-6545 CRITICAL PATCH Act Now

CVE-2025-6545 is an improper input validation vulnerability in the pbkdf2 library (versions 3.0.10 through 3.1.2) affecting the lib/to-buffer.js file that enables signature spoofing through inadequate validation mechanisms. Attackers with network access and minimal attack complexity can compromise the integrity of PBKDF2-derived cryptographic signatures, potentially allowing unauthorized authentication or data tampering. The high CVSS score of 9.1 reflects critical integrity and scope impacts, though real-world exploitation likelihood depends on confirmation of active exploitation and proof-of-concept availability.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2025-6547 CRITICAL PATCH Act Now

CVE-2025-6547 is an improper input validation vulnerability in the pbkdf2 cryptographic library (versions ≤3.1.2) that allows attackers to spoof cryptographic signatures through inadequate validation mechanisms. This affects any application using vulnerable pbkdf2 versions for password hashing or key derivation, potentially compromising authentication and integrity verification. With a CVSS score of 9.1 and high integrity/signature impact ratings, this vulnerability has significant real-world implications for systems relying on pbkdf2 for security-critical operations.

Authentication Bypass Red Hat Suse
NVD GitHub
CVSS 4.0
9.1
EPSS
0.0%
CVE-2025-6530 MEDIUM POC This Month

A vulnerability was found in 70mai M300 up to 20250611. It has been classified as problematic. This affects an unknown part of the file demo.sh of the component Telnet Service. The manipulation leads to denial of service. Access to the local network is required for this attack. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
5.0
EPSS
0.1%
CVE-2025-49126 HIGH PATCH This Week

Visionatrix versions 1.5.0 through 2.5.0 contain a Reflected XSS vulnerability in the /docs/flows endpoint that allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers. The vulnerability stems from improper use of FastAPI's get_swagger_ui_html function with unsanitized user-controlled input, enabling session hijacking and exfiltration of application secrets. The CVSS 8.8 score reflects high severity due to network accessibility, low attack complexity, and no privilege requirements, though user interaction is required to trigger the exploit.

XSS Information Disclosure Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-23049 HIGH This Week

CVE-2025-23049 is an OS Command Injection vulnerability in Meridian Technique Materialise OrthoView through version 7.5.1 that allows unauthenticated remote attackers to execute arbitrary operating system commands when servlet sharing is enabled. The vulnerability has a CVSS score of 8.4 (High) and affects healthcare/dental imaging software used by medical professionals. Attackers can achieve high confidentiality impact and high availability impact, making this a significant threat to healthcare organizations relying on OrthoView for patient imaging workflows.

Command Injection
NVD
CVSS 4.0
8.4
EPSS
0.6%
CVE-2023-50450 HIGH This Week

A privilege escalation vulnerability in Sensopart VISOR Vision Sensors (CVSS 8.4) that allows local users. High severity vulnerability requiring prompt remediation.

Privilege Escalation Visor Vision Sensors Firmware
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2023-47294 HIGH This Week

CVE-2023-47294 is a session cookie validation flaw in NCR Terminal Handler v1.5.1 that permits authenticated attackers with low privileges to craft malicious session cookies to arbitrarily deactivate, lock, and delete user accounts, resulting in high integrity and availability impact. This vulnerability has a CVSS 8.1 score (High severity) and affects NCR's point-of-sale and terminal management infrastructure; while no public POC or active KEV listing is confirmed from the provided data, the network-accessible nature (AV:N) and low attack complexity (AC:L) make this a material risk for organizations deploying this terminal handler in production environments.

Information Disclosure Terminal Handler
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-2171 HIGH This Week

Aviatrix Controller versions before 7.1.4208, 7.2.5090, and 8.0.0 lack rate limiting on password reset PIN attempts, allowing unauthenticated attackers to brute force 6-digit PINs over the network without authentication or user interaction. This vulnerability is characterized as having exploitation probability (E:P in CVSS vector) and enables complete account takeover via password reset bypass, affecting all Aviatrix Controller deployments in vulnerable versions.

Information Disclosure
NVD GitHub
CVSS 4.0
7.8
EPSS
0.1%
CVE-2025-48026 HIGH This Week

CVE-2025-48026 is a path traversal vulnerability in the WebApl component of Mitel OpenScape Xpressions that allows unauthenticated attackers to read arbitrary files from the underlying operating system due to insufficient input validation. The vulnerability affects OpenScape Xpressions through version V7R1 FR5 HF43 P913, and successful exploitation could expose sensitive information without requiring authentication, elevated privileges, or user interaction. The CVSS 7.5 score reflects the high confidentiality impact, though integrity and availability are not affected.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-52922 HIGH This Week

CVE-2025-52922 is a directory traversal vulnerability in Innoshop through version 0.4.1 that allows authenticated administrators to abuse multiple FileManager API endpoints to map the filesystem, create/delete arbitrary directories and files, read sensitive files, and move files anywhere on the server. With a CVSS score of 7.4 and low attack complexity, this represents a significant integrity and confidentiality risk for affected deployments, though exploitation requires valid administrative credentials.

Path Traversal
NVD GitHub
CVSS 3.1
7.4
EPSS
0.3%
CVE-2025-27387 HIGH This Week

OPPO Clone Phone devices implement a WiFi hotspot file transfer feature that uses weak default or easily guessable passwords, allowing unauthenticated attackers on the local network to connect and access sensitive files without authentication. This vulnerability (CVE-2025-27387) carries a CVSS score of 7.4 with high confidentiality impact, though exploitation requires physical proximity to the affected device's WiFi network. No active exploitation in the wild has been confirmed in public KEV databases, but the attack surface is significant given the prevalence of file-sharing features in budget smartphone lines.

Information Disclosure
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-49144 HIGH PATCH This Week

CVE-2025-49144 is a privilege escalation vulnerability in Notepad++ v8.8.1 and earlier that exploits insecure executable search paths in the installer to allow unprivileged local users to execute arbitrary code with SYSTEM privileges. An attacker can leverage social engineering to colocate a malicious executable with the legitimate installer in a writable directory (e.g., Downloads), and upon installer execution, the malicious payload runs with elevated privileges. The vulnerability is fixed in version 8.8.2.

Privilege Escalation
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-23092 HIGH This Week

A path traversal vulnerability (CVSS 7.2) that allows an authenticated attacker with administrative privileges. High severity vulnerability requiring prompt remediation.

Path Traversal
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-52558 HIGH PATCH This Week

CVE-2025-52558 is a reflected/stored cross-site scripting (XSS) vulnerability in changedetection.io prior to version 0.50.4, where error messages from website change detection filters are not properly sanitized before display. Attackers can inject malicious JavaScript through crafted filter configurations or monitored web pages, potentially compromising user sessions and data. The vulnerability requires user interaction (clicking a link/visiting a page) and affects all users of the open-source change detection service, though no CISA KEV listing or widespread active exploitation is currently documented.

XSS
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-52561 MEDIUM PATCH This Month

HTMLSanitizer.jl is a Whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in possible cross-site scripting (XSS) in any HTML that is sanitized with this library. This issue has been patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually.

XSS
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-2172 MEDIUM This Month

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames

Command Injection
NVD GitHub
CVSS 4.0
6.6
EPSS
0.3%
CVE-2025-52920 MEDIUM This Month

A security vulnerability in Innoshop through 0.4.1 (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-49574 MEDIUM PATCH This Month

A security vulnerability in versions (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Information Disclosure Java Red Hat
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-6517 LOW POC Monitor

A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\apps\contorller\SAML20DetailsController.java of the component Meta URL Handler. The manipulation of the argument post leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

SSRF Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6528 LOW POC Monitor

A vulnerability has been found in 70mai M300 up to 20250611 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /livestream/12 of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper authentication. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6509 LOW POC Monitor

A vulnerability was found in seaswalker spring-analysis up to 4379cce848af96997a9d7ef91d594aa129be8d71. It has been declared as problematic. Affected by this vulnerability is the function echo of the file /src/main/java/controller/SimpleController.java. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

XSS Java
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-6516 LOW POC PATCH Monitor

A vulnerability has been found in HDF5 up to 1.14.6 and classified as critical. This vulnerability affects the function H5F_addr_decode_len of the file /hdf5/src/H5Fint.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy