Skip to main content
CVE-2025-52363 MEDIUM POC This Month

Tenda CP3 Pro Firmware V22.5.4.93 contains a hardcoded root password hash in the /etc/passwd file and /etc/passwd-. An attacker with access to the firmware image can extract and attempt to crack the root password hash, potentially obtaining administrative access

Authentication Bypass Cp3 Pro Firmware Tenda
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-42649 MEDIUM POC This Month

NanoMQ v0.22.10 was discovered to contain a memory leak which allows attackers to cause a Denial of Service (DoS) via a crafted PUBLISH message.

Denial Of Service Nanomq
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53640 MEDIUM POC PATCH This Month

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.

Information Disclosure Python Indico
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-42648 MEDIUM POC This Month

NanoMQ v0.22.10 was discovered to contain a heap overflow which allows attackers to cause a Denial of Service (DoS) via a crafted CONNECT message.

Buffer Overflow Memory Corruption Denial Of Service Nanomq
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53822 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `relatorio_geracao.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `tipo_relatorio` parameter. Version 3.4.5 has a patch for the issue.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53820 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `index.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `erro` parameter. Version 3.4.5 contains a patch for the issue.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-51650 MEDIUM POC This Month

An arbitrary file upload vulnerability in the component /controller/PicManager.php of FoxCMS v1.2.6 allows attackers to execute arbitrary code via uploading a crafted template file.

File Upload PHP RCE Command Injection Foxcms
NVD GitHub
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-7587 MEDIUM POC This Month

CVE-2025-7587 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, affecting the /cover.php endpoint where uname and psw parameters are not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to data exfiltration, authentication bypass, and database manipulation. The vulnerability has been publicly disclosed with working exploits available, making active exploitation highly probable in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7576 MEDIUM POC This Month

CVE-2025-7576 is a critical improper access control vulnerability affecting Teledyne FLIR thermal imaging devices (FB-Series O and FH-Series) running firmware version 1.3.2.16 and earlier. An unauthenticated remote attacker can exploit the vulnerable /priv/production/production.html endpoint to gain unauthorized access with low complexity, potentially reading, modifying, or disrupting system availability. Public exploit code exists and the vendor has not responded to disclosure, increasing real-world exploitation risk.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7604 MEDIUM POC This Month

PHPGurukul Hospital Management System 4.0 contains a critical SQL injection vulnerability in the /user-login.php file's Username parameter that allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available, enabling unauthorized access to sensitive hospital patient data, user credentials, and potential system compromise. With a CVSS score of 7.3 and an attack vector requiring only network access and no authentication, this represents an immediate threat to healthcare organizations running affected versions.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7595 MEDIUM POC This Month

A critical SQL injection vulnerability exists in code-projects Job Diary 1.0 via the ID parameter in /view-cad.php, allowing unauthenticated remote attackers to execute arbitrary SQL commands and potentially extract, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, and while the CVSS score is 7.3 (High), the unauthenticated attack vector and low complexity suggest active exploitation is likely. No patch has been confirmed available as of this analysis.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7594 MEDIUM POC This Month

CVE-2025-7594 is a critical SQL injection vulnerability in code-projects Job Diary version 1.0 affecting the /view-emp.php endpoint's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the low attack complexity combined with network accessibility makes this a high-priority threat requiring immediate patching.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7593 MEDIUM POC This Month

CVE-2025-7593 is a critical SQL injection vulnerability in code-projects Job Diary 1.0 affecting the /view-all.php endpoint's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate sensitive data, modify records, or disrupt application availability. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate-to-high impact across confidentiality, integrity, and availability. This represents an active threat requiring immediate patching.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7612 MEDIUM POC This Month

CVE-2025-7612 is a critical SQL injection vulnerability in code-projects Mobile Shop 1.0 affecting the /login.php file's email parameter, allowing remote unauthenticated attackers to execute arbitrary SQL queries and potentially extract or modify sensitive data. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in the wild. With a CVSS score of 7.3 and demonstrated public PoC availability, this represents an immediate threat to deployments of this product.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7611 MEDIUM POC This Month

CVE-2025-7611 is a critical SQL injection vulnerability in code-projects Wedding Reservation version 1.0, affecting the /global.php file's 'lu' parameter. Remote unauthenticated attackers can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, significantly increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7610 MEDIUM POC This Month

CVE-2025-7610 is a critical SQL injection vulnerability in code-projects Electricity Billing System 1.0 affecting the password change functionality at /user/change_password.php. An unauthenticated remote attacker can inject arbitrary SQL commands through the new_password parameter to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation highly probable.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7609 MEDIUM POC This Month

CVE-2025-7609 is a critical SQL injection vulnerability in code-projects Simple Shopping Cart 1.0 affecting the /register.php endpoint via the ruser_email parameter. An unauthenticated remote attacker can exploit this to read, modify, or delete database contents, potentially compromising user data and application integrity. Public exploit code exists, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7608 MEDIUM POC This Month

CVE-2025-7608 is a critical SQL injection vulnerability in code-projects Simple Shopping Cart 1.0 affecting the /userlogin.php endpoint's user_email parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept exploit code available, and while the CVSS score is 7.3 (moderate-to-high severity), the low attack complexity and lack of authentication requirements make this a high-priority exploit target for threat actors.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7607 MEDIUM POC This Month

CVE-2025-7607 is a critical SQL injection vulnerability in code-projects Simple Shopping Cart 1.0 affecting the /Customers/save_order.php file, where the order_price parameter is improperly sanitized, allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has a public exploit disclosure and carries a CVSS score of 7.3 with demonstrated real-world exploitation potential, making it a high-priority security concern for affected deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7605 MEDIUM POC This Month

CVE-2025-7605 is a critical SQL injection vulnerability in code-projects AVL Rooms 1.0 affecting the /profile.php endpoint via the first_name parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. Public exploit code is available and the vulnerability is likely to be actively exploited given its network-accessible nature, low attack complexity, and lack of authentication requirements.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7606 MEDIUM POC This Month

CVE-2025-7606 is a critical SQL injection vulnerability in code-projects AVL Rooms 1.0 affecting the /city.php file, where the 'city' parameter is improperly sanitized, allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has a CVSS score of 7.3 (High) with confirmed public exploit disclosure and active exploitation potential, enabling attackers to read, modify, or delete database contents without authentication.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-51651 MEDIUM POC This Month

A arbitrary file access vulnerability in the component /admin/Backups.php of Mccms (CVSS 5.5) that allows attackers. Risk factors: public PoC available.

PHP Information Disclosure Mccms
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-51660 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the lgid parameter at SEMCMS_Products.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51659 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the ID parameter at SEMCMS_Products.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51658 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the ID parameter at SEMCMS_InquiryView.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51657 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the lgid parameter at SEMCMS_Link.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51656 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the ID parameter at SEMCMS_Link.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51655 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_Quanxian.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51654 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_Infocategories.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51653 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_ct.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-51652 MEDIUM POC This Month

SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_Categories.php.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-53824 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the editar_permissoes.php endpoint of the WeGIA application prior to version 3.4.4. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. Version 3.4.4 fixes the issue.

PHP XSS Wegia
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-7565 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure Bl Ac3600 Firmware
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-7573 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. This issue affects the function bs_GetManPwd in the library libblinkapi.so of the file /cgi-bin/lighttpd.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-7572 MEDIUM POC This Month

A vulnerability classified as critical was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. This vulnerability affects the function bs_GetHostInfo in the library libblinkapi.so of the file /cgi-bin/lighttpd.cgi. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-53821 MEDIUM POC PATCH This Month

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Open Redirect vulnerability exists in the web application prior to version 3.4.5. The control.php endpoint allows to specify an arbitrary URL via the `nextPage` parameter, leading to an uncontrolled redirection. Version 3.4.5 contains a fix for the issue.

PHP Open Redirect Wegia
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-7519 MEDIUM PATCH This Month

A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.

RCE Buffer Overflow Memory Corruption Openshift Container Platform Enterprise Linux
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-7552 MEDIUM This Month

A remote code execution vulnerability in Dromara Northstar (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Java
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-53834 MEDIUM PATCH This Month

Caido is a web security auditing toolkit. A reflected cross-site scripting (XSS) vulnerability was discovered in Caido’s toast UI component in versions prior to 0.49.0. Toast messages may reflect unsanitized user input in certain tools such as Match&Replace and Scope. This could allow an attacker to craft input that results in arbitrary script execution. Version 0.49.0 fixes the issue.

XSS
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-24391 MEDIUM This Month

A security vulnerability in A vulnerability in the External Interface of OTRS (CVSS 5.3) that allows conclusions. Remediation should follow standard vulnerability management procedures.

Information Disclosure Suse
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-7578 MEDIUM This Month

A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been declared as critical. This vulnerability affects the function sendCommand of the file runcmd.sh. The manipulation of the argument cmd leads to command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The researcher highlights, that "[a]lthough this functionality is currently disabled due to server CGI configuration errors, it is essentially a 'time bomb' waiting to be activated". The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.4%
CVE-2025-7618 MEDIUM This Month

A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier.

XSS
NVD
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-7380 MEDIUM This Month

A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.

XSS Information Disclosure
NVD
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-7575 MEDIUM This Month

A vulnerability has been found in Zavy86 WikiDocs up to 1.0.77 and classified as critical. Affected by this vulnerability is the function image_drop_upload_ajax/image_delete_ajax of the file submit.php. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 1.0.78 is able to address this issue. The identifier of the patch is 98ea9ee4a2052c4327f89d2f7688cc1b5749450d. It is recommended to upgrade the affected component.

PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-29606 MEDIUM PATCH This Month

py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.

Denial Of Service
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy