Skip to main content
CVE-2025-50693 MEDIUM POC This Month

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.

PHP Authentication Bypass Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-34032 MEDIUM POC This Month

A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

PHP XSS Jmol Moodle
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-56918 MEDIUM POC This Month

In Netbox Community 4.1.7, the login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form.

XSS Debian Netbox
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-56916 MEDIUM POC This Month

In Netbox Community 4.1.7, once authenticated, Configuration History > Add`is vulnerable to cross-site scripting (XSS) due to the `current value` field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a Configuration History version or attempts to Add a new version, the XSS payload will trigger.

XSS Debian Netbox
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-50699 MEDIUM POC This Month

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in odms/admin/view-user-queries.php.

PHP XSS Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-50695 MEDIUM POC This Month

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in /admin/view-booking-detail.php and /admin/invoice-generating.php.

PHP XSS Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-6580 MEDIUM POC This Month

CVE-2025-6580 is a critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 affecting the Login component's Username parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing exploitation risk.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6579 MEDIUM POC This Month

CVE-2025-6579 is a critical SQL injection vulnerability in code-projects Car Rental System 1.0 affecting the /message_admin.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available and may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6578 MEDIUM POC This Month

CVE-2025-6578 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System version 1.0 affecting the /admin/delete_account.php file through unsanitized admin_id parameter manipulation. An unauthenticated remote attacker can execute arbitrary SQL queries to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk for deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6567 MEDIUM POC This Month

CVE-2025-6567 is a critical SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0, specifically in the Recruitment/admin/view_application.php file where the ID parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of recruitment records. The vulnerability has been publicly disclosed with proof-of-concept code available, and exploitation requires no special privileges or user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6566 MEDIUM POC This Month

A vulnerability was found in oatpp Oat++ up to 1.3.1. It has been declared as critical. This vulnerability affects the function deserializeArray of the file src/oatpp/json/Deserializer.cpp. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-6428 MEDIUM POC PATCH This Month

When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.

Google Mozilla Open Redirect
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-6429 MEDIUM PATCH This Month

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Authentication Bypass Mozilla
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-1718 MEDIUM PATCH This Month

CVE-2025-1718 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-39204 MEDIUM This Month

A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web interface can be malformed, so returning data can leak unauthorized information to the user.

Information Disclosure Microscada X Sys600
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-39203 MEDIUM This Month

A vulnerability exists in the IEC 61850 of the MicroSCADA X SYS600 product. An IEC 61850-8 crafted message content from IED or remote system can cause a denial of service resulting in disconnection loop.

Denial Of Service Microscada X Sys600
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-6431 MEDIUM PATCH This Month

When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.

Mozilla Google Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-39205 MEDIUM This Month

A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows remote Man-in-the-Middle attack due to missing proper validation.

Information Disclosure Microscada X Sys600
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-48467 MEDIUM This Month

Successful exploitation of the vulnerability could allow an attacker to cause repeated reboots, potentially leading to remote denial-of-service and system unavailability.

Denial Of Service Wise 4050lan Firmware Wise 4060lan Firmware Wise 4010lan Firmware
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-5258 MEDIUM This Month

The Conference Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-48468 MEDIUM This Month

A security vulnerability in Successful exploitation of the vulnerability could allow an attacker that (CVSS 6.4) that allows an attacker that has physical access. Remediation should follow standard vulnerability management procedures.

Code Injection Wise 4010lan Firmware Wise 4060lan Firmware Wise 4050lan Firmware
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-47943 MEDIUM PATCH This Month

Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.

RCE XSS Suse
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-6430 MEDIUM PATCH This Month

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `&lt;embed&gt;` or `&lt;object&gt;` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

XSS Mozilla
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-39201 MEDIUM This Month

A vulnerability exists in MicroSCADA X SYS600 product. If exploited this could allow a local unauthenticated attacker to tamper a system file, making denial of Notify service.

Privilege Escalation Microscada X Sys600
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-5087 MEDIUM PATCH This Month

Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.

Information Disclosure
NVD
CVSS 4.0
6.0
EPSS
0.0%
CVE-2025-6557 MEDIUM PATCH This Month

Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Microsoft Google XSS RCE Ubuntu +4
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-6555 MEDIUM PATCH This Month

Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Google Use After Free Memory Corruption Denial Of Service Ubuntu +3
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-43877 MEDIUM This Month

WRC-1167GHBK2-S contains a stored cross-site scripting vulnerability in WebGUI. If exploited, an arbitrary script may be executed on the web browser of the user who accessed WebGUI of the product.

XSS
NVD
CVSS 3.0
5.4
EPSS
0.0%
CVE-2025-6556 MEDIUM PATCH This Month

A remote code execution vulnerability in Loader in Google Chrome (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Google Authentication Bypass Ubuntu Debian Chrome +1
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-52883 MEDIUM PATCH This Month

A security vulnerability in Meshtastic-Android (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Google Information Disclosure Android
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-49147 MEDIUM PATCH This Month

A remote code execution vulnerability in versions 10.0.0 (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Umbraco Cms
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-23260 MEDIUM This Month

NVIDIA AIStore contains a vulnerability in the AIS Operator where a user may gain elevated k8s cluster access by using the ServiceAccount attached to the ClusterRole. A successful exploit of this vulnerability may lead to information disclosure.

Information Disclosure Kubernetes Aistore
NVD
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-48461 MEDIUM This Month

A remote code execution vulnerability (CVSS 5.0) that allows an unauthenticated attacker. Remediation should follow standard vulnerability management procedures.

Information Disclosure Wise 4050lan Firmware Wise 4060lan Firmware Wise 4010lan Firmware
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-6425 MEDIUM PATCH This Month

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Information Disclosure Mozilla
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-36519 MEDIUM This Month

Unrestricted upload of file with dangerous type issue exists in WRC-2533GST2, WRC-1167GST2, WRC-2533GST2, WRC-2533GS2V-B,WRC-2533GS2-B v1.69 and earlier, WRC-2533GS2-W, WRC-1167GST2, WRC-1167GS2-B, and WRC-1167GS2H-B. If a specially crafted file is uploaded by a remote authenticated attacker, arbitrary code may be executed on the product.

File Upload RCE
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2025-6434 MEDIUM PATCH This Month

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.

XSS Mozilla
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53021 MEDIUM PATCH This Month

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Information Disclosure Ubuntu Debian Moodle
NVD GitHub
CVSS 3.1
4.2
EPSS
0.2%
CVE-2025-52880 MEDIUM PATCH This Month

Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.

RCE XSS
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-53073 MEDIUM This Month

A security vulnerability in Sentry 25.1.0 (CVSS 4.2). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-48462 MEDIUM This Month

Successful exploitation of the vulnerability could allow an attacker to consume all available session slots and block other users from logging in, thereby preventing legitimate users from gaining access to the product.

Denial Of Service Wise 4060lan Firmware Wise 4010lan Firmware Wise 4050lan Firmware
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-48470 MEDIUM This Month

Successful exploitation of the stored cross-site scripting vulnerability could allow an attacker to inject malicious scripts into device fields and executed in other users’ browser, potentially leading to session hijacking, defacement, credential theft, or privilege escalation.

XSS Privilege Escalation Wise 4060lan Firmware Wise 4010lan Firmware Wise 4050lan Firmware
NVD
CVSS 3.1
4.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy