Skip to main content
CVE-2025-3745 MEDIUM POC PATCH This Month

The WP Lightbox 2 WordPress plugin before 3.0.6.8 does not correctly sanitize the value of the title attribute of links before using them, which may allow malicious users to conduct XSS attacks.

WordPress XSS Wp Lightbox 2 PHP
NVD WPScan
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-49493 MEDIUM POC PATCH This Month

CVE-2025-49493 is a security vulnerability (CVSS 5.8) that allows file inclusion. Remediation should follow standard vulnerability management procedures.

XXE
NVD GitHub
CVSS 3.1
5.8
EPSS
1.1%
CVE-2025-52997 MEDIUM POC PATCH This Month

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.

Information Disclosure Filebrowser Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-6917 MEDIUM POC This Month

A vulnerability has been found in code-projects Online Hotel Booking 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/registration.php. The manipulation of the argument uname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6906 MEDIUM POC This Month

A vulnerability classified as critical has been found in code-projects Car Rental System 1.0. This affects an unknown part of the file /login.php. The manipulation of the argument uname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6905 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in code-projects Car Rental System 1.0. This issue affects some unknown processing of the file /signup.php. The manipulation of the argument fname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6904 MEDIUM POC This Month

A vulnerability was found in code-projects Car Rental System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_cars.php. The manipulation of the argument car_name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6903 MEDIUM POC This Month

A vulnerability was found in code-projects Car Rental System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/approve.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6902 MEDIUM POC This Month

A vulnerability was found in code-projects Inventory Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /php_action/editUser.php. The manipulation of the argument edituserName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6901 MEDIUM POC This Month

A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /php_action/removeUser.php. The manipulation of the argument userid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6891 MEDIUM POC This Month

A vulnerability classified as critical has been found in code-projects Inventory Management System 1.0. Affected is an unknown function of the file /php_action/createUser.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6889 MEDIUM POC This Month

A vulnerability was found in code-projects Movie Ticketing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /logIn.php. The manipulation of the argument postName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6888 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Teachers Record Management System 2.1. It has been classified as critical. This affects an unknown part of the file /admin/changeimage.php. The manipulation of the argument tid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6885 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Teachers Record Management System 2.1. Affected is an unknown function of the file /admin/edit-teacher-detail.php. The manipulation of the argument tid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-6907 MEDIUM POC This Month

A vulnerability classified as critical was found in code-projects Car Rental System 1.0. This vulnerability affects unknown code of the file /book_car.php. The manipulation of the argument fname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-38089 MEDIUM POC PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error tianshuo han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there. If it's the first time the thread has processed an RPC, then that pointer will be set to NULL and the kernel will crash. In other cases, it could create a memory scribble. The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531 says that if authentication fails that the RPC should be rejected instead with a status of AUTH_ERR. Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This sidesteps the whole problem of touching the rpc_accept_statp pointer in this situation and avoids the crash.

Linux Null Pointer Dereference Denial Of Service Ubuntu Debian +3
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-6925 MEDIUM POC This Month

A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java Path Traversal Ruoyi Vue Plus
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-52901 MEDIUM POC PATCH This Month

CVE-2025-52901 is a security vulnerability (CVSS 4.5). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Filebrowser Suse
NVD GitHub
CVSS 3.1
4.5
EPSS
0.1%
CVE-2025-5730 MEDIUM POC PATCH This Month

The Contact Form Plugin WordPress plugin before 1.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

WordPress XSS Contact Form PHP
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-4407 MEDIUM This Month

Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1.

Information Disclosure
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2023-47310 MEDIUM This Month

A security vulnerability in the default settings of MikroTik RouterOS 7 and fixed in (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Mikrotik
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-41439 MEDIUM This Month

A reflected cross-site scripting vulnerability via a specific parameter exists in SLNX Help Documentation of RICOH Streamline NX. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of the user who accessed the product.

XSS
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2025-40734 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) vulnerability in Daily Expense Manager v1.0. This vulnerability allows an attacker to execute JavaScript code by sending a POST request through the password and confirm_password parameters in /register.php.

PHP XSS Daily Expense Manager
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-40733 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) vulnerability in Daily Expense Manager v1.0. This vulnerability allows an attacker to execute JavaScript code by sending a POST request through the username parameter in /login.php.

PHP XSS Daily Expense Manager
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-52491 MEDIUM PATCH This Month

Akamai CloudTest before 60 2025.06.09 (12989) allows SSRF.

SSRF
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-38090 MEDIUM PATCH This Month

CVE-2025-38090 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Information Disclosure Ubuntu Debian Linux Kernel +3
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46702 MEDIUM PATCH This Month

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.

Authentication Bypass Debian Mattermost Server Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-52896 MEDIUM PATCH This Month

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading.

XSS Frappe
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-2895 MEDIUM This Month

IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, 2.3.4.1, and 2.3.4.1 iFix1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

XSS IBM Cloud Pak System
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-12915 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Devinim Software Library Software allows Reflected XSS.This issue affects Library Software: before 24.11.02.

XSS
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-47871 MEDIUM PATCH This Month

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.

Authentication Bypass Debian Mattermost Server Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy