Skip to main content
CVE-2025-7952 LOW POC Monitor

Command injection in TOTOLINK T6 firmware 4.1.5cu.748 allows authenticated remote attackers to execute arbitrary commands via the ckeckKeepAlive function in the MQTT Packet Handler component (wireless.so). The vulnerability requires valid user credentials and network access but results only in low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the CVSS 2.1 score and EPSS 3.01% indicate low practical exploitation probability despite public disclosure.

Command Injection T6 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
3.0%
CVE-2025-7947 LOW POC Monitor

Improper authorization in jshERP up to version 3.5 allows authenticated remote attackers to modify or delete user accounts via manipulation of the ID parameter in the /user/delete endpoint, potentially resulting in unauthorized account manipulation and information disclosure. Publicly available exploit code exists for this vulnerability.

Information Disclosure Jsherp
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7946 LOW POC Monitor

Reflected cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows remote attackers to inject malicious scripts via the searchdata parameter in /search-visitor.php. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and malware distribution. Publicly available exploit code exists; however, the low EPSS score (0.07%) and minimal scope impact suggest limited real-world exploitation pressure despite public disclosure.

PHP XSS Apartment Visitors Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7948 LOW POC Monitor

Weak password recovery in jshERP up to version 3.5 allows authenticated remote attackers to compromise user accounts via the /jshERP-boot/user/updatePwd endpoint. The vulnerability enables password reset functionality without adequate protection mechanisms, classified as problematic with CVSS 2.1 and EPSS 0.06%. Publicly available exploit code exists but active exploitation remains unconfirmed.

Information Disclosure Jsherp
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8018 LOW POC Monitor

SQL injection in Food Ordering Review System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the reg_Id parameter in /user/reservation_page.php, with publicly available exploit code disclosed but low real-world exploitation risk due to CVSS 2.1 score, authentication requirement, and limited confidentiality impact.

PHP SQLi Food Ordering Review System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-7949 LOW POC PATCH Monitor

Open redirect vulnerability in Sanluan PublicCMS up to version 5.202506.a allows authenticated remote attackers with low privileges to redirect users to arbitrary external URLs via manipulation of the url parameter in the admin preview functionality. The vulnerability requires user interaction (clicking a malicious link) and impacts integrity but not confidentiality or availability. Publicly available exploit code exists, and vendor patches are available.

Open Redirect Publiccms
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-7953 LOW POC PATCH Monitor

Open redirect vulnerability in Sanluan PublicCMS up to version 5.202506.a allows authenticated remote attackers to redirect users to arbitrary URLs via manipulation of the File parameter in the PDF.js viewer component, requiring user interaction to trigger the redirect. The vulnerability has publicly available exploit code and affects the PDF viewer resource file, though real-world impact is limited by the requirement for prior authentication and user click interaction.

Open Redirect Publiccms
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-7951 LOW POC Monitor

Reflected cross-site scripting in Public Chat Room 1.0 allows authenticated remote attackers to inject malicious scripts via the chat_msg or your_name parameters in /send_message.php, requiring user interaction to trigger payload execution. The vulnerability has a low CVSS score (2.0) and EPSS exploitation probability (0.05th percentile), but publicly available exploit code exists, limiting attack complexity for threat actors with valid credentials.

PHP XSS Public Chat Room
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-4878 LOW Monitor

Uninitialized variable in libssh's privatekey_from_file() function can cause heap corruption or signing failures when a non-existent key file is specified, allowing local authenticated attackers to trigger memory corruption with potential for information disclosure. CVSS 3.6 reflects local attack vector and high complexity; exploitation requires authenticated access and specific file conditions.

Information Disclosure Use After Free Memory Corruption
NVD
CVSS 3.1
3.6
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy