Skip to main content
CVE-2025-34059 HIGH This Week

An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

PHP SQLi
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-53100 HIGH PATCH This Week

RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2.

Command Injection
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-6297 HIGH PATCH This Week

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

Denial Of Service Dpkg
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2024-46992 HIGH PATCH This Week

A remote code execution vulnerability in Electron (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Microsoft Apple Authentication Bypass Debian Windows +1
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-37098 HIGH This Week

A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.

Path Traversal Insight Remote Support
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53099 HIGH PATCH This Week

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a user's account. With a specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be used to exchange for access and refresh tokens. This was possible even after de-authorizing the particular application. This issue has been patched in version 25.5.0. Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action.

Microsoft Information Disclosure Sentry
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-34081 HIGH PATCH This Week

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.

PHP Information Disclosure Conprosys Hmi System
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53107 HIGH PATCH This Week

@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5.

RCE Command Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-49480 HIGH This Week

Out-of-bounds access in ASR180x 、ASR190x in lte-telephony, This vulnerability is associated with program files apps/lzma/src/LzmaEnc.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Buffer Overflow Kestrel Falcon Linux Lapwing Linux
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-49492 HIGH This Week

Out-of-bounds write in ASR180x in lte-telephony, May cause a buffer underrun.  This vulnerability is associated with program files apps/atcmd_server/src/dev_api.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Buffer Overflow Memory Corruption Kestrel Lapwing Linux Falcon Linux
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-6952 LOW POC PATCH Monitor

A vulnerability, which was classified as problematic, has been found in Open5GS up to 2.7.5. This issue affects the function amf_state_operational of the file src/amf/amf-sm.c of the component AMF Service. The manipulation leads to reachable assertion. It is possible to launch the attack on the local host. The identifier of the patch is 53e9e059ed96b940f7ddcd9a2b68cb512524d5db. It is recommended to apply a patch to fix this issue.

Denial Of Service Debian
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-6081 MEDIUM This Month

Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker can reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target device, the attacker can force the target device to authenticate to the attacker controlled LDAP service. This will allow the attacker to capture the plaintext password of the configured LDAP service.

Information Disclosure
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-27153 MEDIUM PATCH This Month

A security vulnerability in is a ticket escalation process helper for GLPI. (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-6756 MEDIUM PATCH This Month

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's UACF7_CUSTOM_FIELDS shortcode in all versions up to, and including, 3.5.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Ultimate Addons For Contact Form 7 PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-5314 MEDIUM This Month

The Dear Flipbook - PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via the ‘pdf-source’ parameter in all versions up to, and including, 2.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-34080 MEDIUM PATCH This Month

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.

PHP XSS Conprosys Hmi System
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-2141 MEDIUM This Month

IBM System Storage Virtualization Engine TS7700 3957 VED R5.4 8.54.2.17, R6.0 8.60.0.115, 3948 VED R5.4 8.54.2.17, R6.0 8.60.0.115, and 3948 VEF R6.0 8.60.0.115 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS IBM 3948 Vef Firmware 3948 Ved Firmware 3957 Ved Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-45083 MEDIUM This Month

CVE-2025-45083 is a security vulnerability (CVSS 6.1) that allows attackers. Remediation should follow standard vulnerability management procedures.

Google Apple Authentication Bypass Android iOS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53103 MEDIUM PATCH This Month

A security vulnerability in JUnit (CVSS 5.8). Remediation should follow standard vulnerability management procedures.

Information Disclosure Java Ubuntu Debian Red Hat +1
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-52294 MEDIUM This Month

Insufficient validation of the screen lock mechanism in Trust Wallet v8.45 allows physically proximate attackers to bypass the lock screen and view the wallet balance.

Authentication Bypass
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-34062 MEDIUM PATCH This Month

An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token-which may be retrievable from host registry keys or improperly secured logs-can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration.

Information Disclosure
NVD
CVSS 4.0
5.7
EPSS
0.0%
CVE-2025-49483 MEDIUM This Month

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in tr069 modules allows Resource Leak Exposure. This vulnerability is associated with program files tr069/tr069_uci.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Kestrel Lapwing Linux Falcon Linux
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-49482 MEDIUM This Month

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in tr069 modules allows Resource Leak Exposure. This vulnerability is associated with program files tr069/tr098.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Kestrel Lapwing Linux Falcon Linux
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-49481 MEDIUM This Month

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router modules allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pbwork-queue.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Lapwing Linux Kestrel Falcon Linux
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-49491 MEDIUM This Month

Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (traffic_stat modules) allows Resource Leak Exposure. This vulnerability is associated with program files traffic_stat/traffic_service/traffic_service.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Kestrel Falcon Linux Lapwing Linux
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-49488 MEDIUM This Month

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router components allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pb.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Falcon Linux Kestrel Lapwing Linux
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-49490 MEDIUM This Month

Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure. This vulnerability is associated with program files router/sms/sms.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Lapwing Linux Kestrel Falcon Linux
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-49489 MEDIUM This Month

Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (con_mgr components) allows Resource Leak Exposure. This vulnerability is associated with program files con_mgr/dialer_task.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Falcon Linux Lapwing Linux Kestrel
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-5072 MEDIUM This Month

Resource leak vulnerability in ASR180x、ASR190x in con_mgr allows Resource Leak Exposure.This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Kestrel Falcon Linux Lapwing Linux
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-46259 MEDIUM PATCH This Month

Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-53096 MEDIUM PATCH This Month

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.

XSS Sunshine
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36056 MEDIUM This Month

IBM System Storage Virtualization Engine TS7700 3957 VED R5.4 8.54.2.17, R6.0 8.60.0.115, 3948 VED R5.4 8.54.2.17, R6.0 8.60.0.115, and 3948 VEF R6.0 8.60.0.115 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS IBM 3948 Vef Firmware 3948 Ved Firmware 3957 Ved Firmware
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-6920 MEDIUM This Month

A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/* endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows unauthorized users to access the same inference features available on protected endpoints, potentially exposing sensitive functionality or allowing unintended access to backend resources.

Authentication Bypass Ai Inference Server Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-5967 MEDIUM This Month

A stored cross-site scripting vulnerability in ENS HX 10.0.4 allows a malicious user to inject arbitrary HTML into the ENS HX Malware Scan Name field, resulting in the exposure of sensitive data.

XSS Information Disclosure
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-36582 MEDIUM PATCH This Month

Dell NetWorker, versions 19.12.0.1 and prior, contains a Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.

Dell Information Disclosure Networker
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-6600 MEDIUM This Month

An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization’s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program.

Information Disclosure Enterprise Server
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-6951 LOW Monitor

A security vulnerability in SAFECAM X300 (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-53003 PATCH This Week

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d.

Information Disclosure
NVD GitHub
EPSS
0.1%
CVE-2024-49364 PATCH Monitor

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.

Node.js Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2024-49365 PATCH Monitor

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7.

Node.js Authentication Bypass
NVD GitHub
EPSS
0.0%
CVE-2024-46993 PATCH This Week

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 28.3.2, 29.3.3, and 30.0.3, the nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. This issue has been patched in versions 28.3.2, 29.3.3, and 30.0.3. There are no workarounds for this issue.

Heap Overflow Buffer Overflow Debian
NVD GitHub
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy