Skip to main content
CVE-2025-50585 HIGH POC This Week

SQL injection in DayCloud StudentManage v1.0 lets an authenticated attacker inject arbitrary SQL through the /admin/adminStudentUrl component, exposing the full backing database. Rated CVSS 8.8, the flaw yields complete confidentiality, integrity, and availability impact against the application data store. Publicly available exploit code exists (referenced GitHub issue), though the product is an obscure open-source project on Gitee with no evidence of active exploitation.

SQLi Studentmanage
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-6718 HIGH This Week

SQL injection in the B1.lt WordPress plugin (versions ≤2.2.57) allows authenticated users with Subscriber-level privileges to execute arbitrary database commands via the b1_run_query AJAX action. The vulnerability stems from a missing capability check (CWE-862), enabling low-privileged authenticated attackers to access database functionality normally restricted to administrators. With CVSS 8.8 (network-accessible, low complexity, high impact on confidentiality/integrity/availability) and successful exploitation requiring only subscriber credentials, this represents a critical privilege escalation vector. No public exploit identified at time of analysis, though the technical details disclosed increase weaponization risk.

Authentication Bypass WordPress SQLi
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-52164 HIGH This Week

Plaintext credential storage in agorum core open versions 11.9.2 and 11.10.1 exposes stored account credentials to anyone able to read the underlying storage, undermining the confidentiality of any account whose secrets are persisted by this German enterprise content and document management platform. The flaw, tracked as CWE-256 and reported in usd HeroLab advisory usd-2025-0023, carries a vendor/NVD CVSS of 8.2 but no public exploit identified at time of analysis and no CISA KEV listing. Disclosed credentials can be reused to impersonate users or pivot into connected systems.

Information Disclosure
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2025-52169 HIGH This Week

Reflected cross-site scripting in agorum core open versions 11.9.2 and 11.10.1 allows attackers to inject and execute arbitrary JavaScript in a victim's browser session by luring an authenticated or unauthenticated user into clicking a crafted link. The flaw was disclosed in usd HeroLab advisory usd-2025-0026 and carries a CVSS 7.1 rating driven by a scope change (S:C). No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy