Skip to main content
CVE-2025-8132 LOW POC Monitor

Path traversal in ChanCMS up to version 3.1.2 allows authenticated remote attackers to read or modify arbitrary files via the delfile function in app/extend/utils.js, with publicly available exploit code disclosed. CVSS score of 2.1 reflects low impact (integrity and availability limited to low confidentiality) and requirement for authenticated access, though the vulnerability affects a core file deletion utility. Vendor-released patch available in version 3.1.3.

Path Traversal Chancms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-8134 LOW POC Monitor

SQL injection in PHPGurukul BP Monitoring Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the fromdate/todate parameters in /bwdates-report-result.php. The vulnerability requires user authentication (PR:L) but carries low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists, though real-world exploitation remains limited by authentication requirements and modest technical impact.

PHP SQLi Bp Monitoring Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8133 LOW POC Monitor

Server-side request forgery in ChanCMS up to version 3.1.2 allows authenticated remote attackers to manipulate the targetUrl argument in the getArticle function (app/modules/api/service/gather.js), enabling them to make arbitrary HTTP requests from the affected server. Publicly available exploit code exists, but the CVSS score of 2.1 reflects limited confidentiality, integrity, and availability impact despite network accessibility; exploitation is restricted to authenticated users with low privileges.

SSRF Chancms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8163 LOW POC Monitor

SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter in the /system/role/list endpoint. The vulnerability has a critically low CVSS score of 2.1 due to limited scope and integrity impact, but exploitation is confirmed possible with publicly available proof-of-concept code. Real-world risk is minimal given the requirement for prior authentication and constrained data access impact.

SQLi Deer Wms 2
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8162 LOW POC Monitor

SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter in the /system/dept/list endpoint. Despite a critical classification in the initial report, the CVSS 4.0 vector assigns a 2.1 score reflecting low impact across confidentiality, integrity, and availability. Publicly available exploit code exists; however, EPSS scoring at 0.07% (22nd percentile) suggests minimal real-world exploitation likelihood compared to the authorization requirement and limited information disclosure scope.

SQLi Deer Wms 2
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8161 LOW POC Monitor

SQL injection in Deer WMS 2 versions up to 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter in the /system/role/export endpoint, leading to limited information disclosure. The vulnerability carries a CVSS score of 2.1 despite being classified critical in the original report, reflecting the CVSS v4.0 assessment of low confidentiality, integrity, and availability impact combined with required authentication. Publicly available exploit code exists, but real-world exploitation risk remains minimal due to the low EPSS score (0.07%, 22nd percentile) and authentication requirement.

SQLi Deer Wms 2
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8127 LOW POC Monitor

SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to manipulate the dataScope parameter in the /system/user/list endpoint, leading to arbitrary SQL query execution with limited information disclosure impact. The CVSS v4.0 score of 2.1 reflects low severity due to required authentication and constrained impact (confidentiality, integrity, and availability all rated low), though publicly available exploit code exists and the vulnerability has been disclosed.

SQLi Deer Wms 2
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8126 LOW POC Monitor

SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the dataScope parameter in the /system/user/export endpoint, potentially compromising data confidentiality. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited scope, but publicly available exploit code exists and the attack surface is network-accessible.

SQLi Deer Wms 2
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8125 LOW POC Monitor

SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to manipulate the dataScope parameter in the /system/role/authUser/allocatedList endpoint, leading to limited information disclosure. The vulnerability requires valid user credentials and carries a low CVSS base score of 2.1 despite critical severity rating, with publicly available exploit code disclosed via Gitee issue tracker. EPSS exploitation probability is extremely low at 0.07%, indicating this is unlikely to be a widespread attack vector despite public POC availability.

SQLi Deer Wms 2
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8124 LOW POC Monitor

SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] argument in the /system/role/authUser/unallocatedList endpoint. The vulnerability requires valid user credentials but has low overall impact (CVSS 2.1) and affects only data confidentiality and integrity with no system availability impact. Publicly available exploit code exists, though EPSS score (0.07%, 22nd percentile) indicates exploitation remains uncommon in practice despite public disclosure.

SQLi Deer Wms 2
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8164 LOW POC Monitor

SQL injection in code-projects Public Chat Room 1.0 via the ID parameter in send_message.php allows authenticated remote attackers to execute arbitrary SQL queries, despite a low CVSS 4.0 score of 2.1. The vulnerability requires prior authentication (PR:L) and offers only limited confidentiality impact (VC:L/VI:L/VA:L), but publicly available exploit code exists and the attack vector is network-accessible with low complexity, making it suitable for low-friction post-compromise lateral movement or information disclosure within authenticated environments.

PHP SQLi Public Chat Room
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8165 LOW POC Monitor

SQL injection in code-projects Food Review System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the occasion parameter in /admin/approve_reservation.php, resulting in limited data confidentiality and integrity impact. Despite a critical classification in the source database, the CVSS 4.0 score of 2.1 reflects the requirement for authenticated access (PR:L) and limited technical impact scope. Publicly available exploit code exists and the vulnerability has been publicly disclosed.

PHP SQLi Food Ordering Review System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8135 LOW POC Monitor

SQL injection in itsourcecode Insurance Management System 1.0 allows authenticated remote attackers to manipulate the agent_id parameter in /updateAgent.php, enabling unauthorized database queries with limited confidentiality and integrity impact. Despite critical classification in metadata, the CVSS 4.0 vector shows low severity (2.1 score) due to requirement for prior authentication and restricted scope. Public exploit code is available, though EPSS score of 0.06% (20th percentile) suggests minimal real-world exploitation likelihood.

PHP SQLi Insurance Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8157 LOW POC Monitor

SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/lastthirtyays-reg-users.php. Exploitation requires valid user credentials but no user interaction. Publicly available exploit code exists, though CVSS 2.1 and EPSS 0.06% suggest low real-world exploitation risk despite the critical classification.

PHP SQLi User Registration Login And User Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8156 LOW POC Monitor

SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to manipulate the ID parameter in /admin/lastsevendays-reg-users.php, leading to database query compromise with limited confidentiality and integrity impact. Public exploit code exists, though EPSS scoring (0.06%, 19th percentile) indicates exploitation remains unlikely in practice despite the low attack complexity and low privilege requirement.

PHP SQLi User Registration Login And User Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8158 LOW POC Monitor

SQL injection in PHPGurukul Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php. The vulnerability has a publicly available exploit but poses limited real-world risk due to authentication requirements and low CVSS impact scores (2.1/10). Exploitation is marked probable (E:P in CVSS4.0) but the EPSS score of 0.06% suggests minimal actual exploitation despite public disclosure.

PHP SQLi User Registration Login And User Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8129 LOW POC PATCH Monitor

Open redirect vulnerability in KoaJS Koa up to version 3.0.0 allows authenticated remote attackers to manipulate the Referrer HTTP header via the back() function in lib/response.js, enabling redirect to arbitrary external URLs with user interaction. The vulnerability has publicly available exploit code and affects the HTTP Header Handler component; EPSS exploitation probability is very low at 0.08% despite public POC availability, suggesting this is primarily a client-side social engineering vector rather than a widely exploitable server-side flaw.

Open Redirect Koa
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-8167 LOW POC Monitor

Cross-site scripting (XSS) in Church Donation System 1.0 allows authenticated remote attackers to inject arbitrary JavaScript via the fname parameter in /admin/edit_members.php, requiring user interaction to execute. The vulnerability has a publicly disclosed exploit and EPSS score of 0.05% (16th percentile), indicating low real-world exploitation probability despite public availability of proof-of-concept code.

PHP XSS Church Donation System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-8128 LOW Monitor

Unrestricted file upload vulnerability in zhousg letao allows authenticated remote attackers to upload arbitrary files via manipulation of the pictrdtz argument in routes/bf/product.js, leading to potential code execution or system compromise. The vulnerability affects rolling-release versions up to commit 7d8df0386a65228476290949e0413de48f7fbe98, with publicly available exploit code disclosed but limited real-world exploitation risk due to CVSS 2.1 score and low EPSS (0.07%, 20th percentile), suggesting this is primarily a design flaw rather than an actively weaponized threat.

Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8172 LOW Monitor

SQL injection in itsourcecode Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Username parameter in /admin/index.php, resulting in limited confidentiality and integrity impact. Despite a critical classification in the initial report, the CVSS 4.0 vector assigns a severity of 2.1 with low scope impact and requires authenticated access (PR:L), significantly reducing real-world risk. Public exploit code is available, but the extremely low EPSS score (0.06%, 19th percentile) suggests minimal practical exploitation despite disclosure.

PHP SQLi Employee Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8171 LOW Monitor

Unrestricted file upload in code-projects Document Management System 1.0 via the /insert.php endpoint allows authenticated remote attackers to upload arbitrary files by manipulating the uploaded_file parameter, potentially enabling remote code execution or data exfiltration. Publicly available exploit code exists, though EPSS score of 0.06% suggests limited real-world exploitation likelihood due to low attack impact and authenticated access requirement.

PHP Authentication Bypass File Upload Document Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8155 LOW Monitor

Cross-site scripting (XSS) vulnerability in D-Link DCS-6010L firmware 1.15.03 allows authenticated remote attackers to inject malicious scripts via the paratest argument in the Management Application's /vb.htm endpoint. The vulnerability requires user interaction (UI:P) and affects an end-of-life product with publicly available exploit code, though real-world risk is significantly limited by authentication requirement (PR:L) and very low EPSS score (0.05%).

XSS D-Link Dcs 6010L Firmware
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy