Skip to main content
CVE-2025-48700 MEDIUM POC KEV THREAT This Month

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

XSS Authentication Bypass
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
Threat
4.2
CVE-2025-6502 MEDIUM POC This Month

CVE-2025-6502 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/changePassword.php file where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit details available, increasing immediate risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6500 MEDIUM POC This Month

CVE-2025-6500 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/editCategories.php file where the 'editCategoriesName' parameter is inadequately sanitized. An unauthenticated attacker can exploit this remotely to read, modify, or delete database contents, affecting confidentiality, integrity, and availability. Public exploit disclosure and confirmed proof-of-concept availability increase real-world risk significantly.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6503 MEDIUM POC This Month

CVE-2025-6503 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/fetchSelectedCategories.php file where the 'categoriesId' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed and proof-of-concept code is available, significantly elevating exploitation risk in production environments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6501 MEDIUM POC This Month

CVE-2025-6501 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/createCategories.php file, where the 'categoriesStatus' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and proof-of-concept availability indicate active threat potential with low barrier to exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6530 MEDIUM POC This Month

A vulnerability was found in 70mai M300 up to 20250611. It has been classified as problematic. This affects an unknown part of the file demo.sh of the component Telnet Service. The manipulation leads to denial of service. Access to the local network is required for this attack. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
5.0
EPSS
0.1%
CVE-2025-52561 MEDIUM PATCH This Month

HTMLSanitizer.jl is a Whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in possible cross-site scripting (XSS) in any HTML that is sanitized with this library. This issue has been patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually.

XSS
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-2172 MEDIUM This Month

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames

Command Injection
NVD GitHub
CVSS 4.0
6.6
EPSS
0.3%
CVE-2025-52920 MEDIUM This Month

A security vulnerability in Innoshop through 0.4.1 (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-49574 MEDIUM PATCH This Month

A security vulnerability in versions (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Information Disclosure Java Red Hat
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-52967 MEDIUM PATCH This Month

gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.

SSRF Mlflow AI / ML
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2021-47688 MEDIUM PATCH This Month

A security vulnerability in WhiteBeam 0.2.0 (CVSS 5.7). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-52876 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2025-52875 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-52938 MEDIUM This Month

Out-of-bounds Read vulnerability in dail8859 NotepadNext (src/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects NotepadNext: through v0.11. The singlevar() in lparser.c lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.

Information Disclosure Buffer Overflow
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-52877 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible

XSS Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-52879 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible

XSS Node.js Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2023-47298 MEDIUM This Month

An issue in NCR Terminal Handler 1.5.1 allows a low-level privileged authenticated attacker to query the SOAP API endpoint to obtain information about all of the users of the application including their usernames, roles, security groups and account statuses.

Information Disclosure Terminal Handler
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-3511 MEDIUM PATCH This Month

An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.

Authentication Bypass Identity Server As Key Manager Open Banking Am Enterprise Integrator Identity Server +2
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-52878 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions

Authentication Bypass Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy