Skip to main content
CVE-2025-7135 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /admin/ajax.php?action=save_vacancy. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7134 MEDIUM POC This Month

A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_application. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7132 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_payroll. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7131 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_employee_attendance. The manipulation of the argument employee_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7130 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /ajax.php?action=delete_payroll. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7129 MEDIUM POC This Month

A vulnerability was found in Campcodes Payroll Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /ajax.php?action=delete_employee_attendance_single. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7128 MEDIUM POC This Month

A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /ajax.php?action=calculate_payroll. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7122 MEDIUM POC This Month

A vulnerability was found in Campcodes Complaint Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7120 MEDIUM POC This Month

A vulnerability was found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /users/check_availability.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7119 MEDIUM POC This Month

A vulnerability has been found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /users/index.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-3467 MEDIUM POC PATCH This Month

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.

XSS Mozilla Dify Firefox
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-7107 MEDIUM POC PATCH This Month

A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as b2450530d1ddd0397a11001a72aa0fde401db16a. It is recommended to apply a patch to fix this issue.

Path Traversal Sim
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-3044 MEDIUM POC PATCH This Month

A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in version 0.12.28.

Information Disclosure Llamaindex Red Hat
NVD GitHub
CVSS 3.0
5.3
EPSS
0.0%
CVE-2025-3264 MEDIUM POC PATCH This Month

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\s*try\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

Python Denial Of Service Transformers Hugging Face AI / ML +1
NVD GitHub
CVSS 3.0
5.3
EPSS
0.0%
CVE-2025-3263 MEDIUM POC PATCH This Month

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Denial Of Service Transformers Hugging Face AI / ML Red Hat
NVD GitHub
CVSS 3.0
5.3
EPSS
0.0%
CVE-2025-3626 CRITICAL Act Now

A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI.

Command Injection
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-47202 CRITICAL Act Now

In RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400, the lack of a length check leads to out-of-bounds writes.

Samsung Buffer Overflow Memory Corruption Exynos W930 Firmware Exynos 2100 Firmware +17
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-53499 CRITICAL PATCH Act Now

Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-53495 CRITICAL PATCH Act Now

Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-53376 HIGH PATCH This Week

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.

Command Injection Docker Dokploy
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-53373 HIGH PATCH This Week

A security vulnerability in Natours (CVSS 8.9). High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-53540 HIGH PATCH This Week

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulting in remote code execution (RCE). This vulnerability is fixed in 3.2.1.

RCE CSRF
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-3920 HIGH PATCH This Week

A security vulnerability in A vulnerability (CVSS 8.5). High severity vulnerability requiring prompt remediation.

Authentication Bypass
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-36014 HIGH This Week

IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.

RCE Code Injection IBM Integration Bus
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-53536 HIGH PATCH This Week

Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6.

RCE PHP Information Disclosure Path Traversal Roo Code
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-5987 HIGH PATCH This Week

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library.

OpenSSL Denial Of Service Libssh
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-6806 HIGH This Week

Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the decryptFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24979.

Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2025-6801 HIGH This Week

Marvell QConvergeConsole saveNICParamsToFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the saveNICParamsToFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24921.

Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2025-6663 HIGH PATCH This Week

GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability.

RCE Buffer Overflow Stack Overflow Gstreamer Red Hat
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-6807 HIGH This Week

Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getDriverTmpPath method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24980.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2025-6795 HIGH This Week

Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadSize method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24914.

Information Disclosure Path Traversal Qconvergeconsole
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2025-6713 HIGH PATCH This Week

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

Authentication Bypass Ubuntu Debian MongoDB
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2023-51232 HIGH PATCH This Week

Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.11 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot ('.').

Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-53169 HIGH This Week

Vulnerability of bypassing the process to start SA and use related functions on distributed cameras Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness.

Authentication Bypass Harmonyos
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-26780 HIGH This Week

An issue was discovered in L2 in Samsung Mobile Processor and Modem Exynos 2400 and Modem 5400. The lack of a length check leads to a Denial of Service via a malformed PDCP packet.

Samsung Denial Of Service Modem 5400 Firmware Exynos 2400 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-48367 HIGH PATCH This Week

Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

Redis Denial Of Service Ubuntu Debian Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-52492 HIGH This Week

A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services.

Information Disclosure Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6386 HIGH PATCH This Week

CVE-2025-6386 is a security vulnerability (CVSS 7.5) that allows attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Python
NVD GitHub
CVSS 3.0
7.5
EPSS
0.1%
CVE-2025-6714 HIGH PATCH This Week

MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9 Required Configuration: This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.

Denial Of Service Ubuntu Debian MongoDB
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-3777 LOW POC PATCH Monitor

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

Authentication Bypass Hugging Face AI / ML
NVD GitHub
CVSS 3.0
3.5
EPSS
0.0%
CVE-2025-7115 HIGH This Week

A vulnerability was found in rowboatlabs rowboat up to 8096eaf63b5a0732edd8f812bee05b78e214ee97. It has been rated as critical. Affected by this issue is the function PUT of the file apps/rowboat/app/api/uploads/[fileId]/route.ts of the component Session Handler. The manipulation of the argument params leads to missing authentication. The attack may be launched remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. It is expected that this issue will be fixed in the near future.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-53473 HIGH This Week

Server-side request forgery (SSRF) vulnerability exists n multiple versions of Nimesa Backup and Recovery, If this vulnerability is exploited, unintended requests may be sent to internal servers.

SSRF Red Hat
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2025-7145 HIGH This Week

ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host.

Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2024-43334 HIGH PATCH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gavias Halpes allows Reflected XSS.This issue affects Halpes: from n/a before 1.2.5.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53167 MEDIUM This Month

CVE-2025-53167 is a security vulnerability (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Information Disclosure Harmonyos
NVD
CVSS 3.1
6.9
EPSS
0.0%
CVE-2025-3705 MEDIUM This Month

A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive.

Command Injection
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-20319 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.<br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information.

Command Injection Splunk
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-1351 MEDIUM This Month

IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function.

Race Condition Privilege Escalation IBM Storage Virtualize
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-53185 MEDIUM This Month

Virtual address reuse issue in the memory management module, which can be exploited by non-privileged users to access released memory Impact: Successful exploitation of this vulnerability may affect service integrity.

Information Disclosure Use After Free Memory Corruption Emui Harmonyos
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-7259 MEDIUM PATCH This Month

An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.

Memory Corruption Denial Of Service Ubuntu Debian MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.1%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy