Skip to main content
CVE-2025-8267 HIGH POC PATCH GHSA This Week

Server-side request forgery in ssrfcheck npm package versions before 1.2.0 enables attackers to bypass IP blocklist validation and craft requests to multicast IP addresses (224.0.0.0/4). The vulnerability stems from an incomplete denylist that fails to classify reserved multicast address space as invalid, allowing network-accessible exploitation with no authentication required. Public exploit code exists (Snyk gist, CVSS E:P) with EPSS indicating moderate exploitation probability. Vendor patch available in version 1.2.0 via GitHub commit 9507b49.

SSRF Ssrf Check
NVD GitHub
CVSS 4.0
7.8
EPSS
0.1%
CVE-2025-50489 HIGH POC This Week

Session hijacking in PHPGurukul Student Result Management System v2.0 stems from the /srms/change-password.php component failing to invalidate existing sessions after a password change, so an attacker holding a previously captured session token retains authenticated access even after the victim rotates their credentials. Publicly available exploit code exists on GitHub, though the flaw is not listed in CISA KEV and carries a modest EPSS score of 0.62% (45th percentile), indicating low observed exploitation activity. The vulnerability primarily undermines the account-recovery security guarantee that changing a password should terminate compromised sessions.

Information Disclosure PHP Student Result Management System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2025-50490 HIGH POC This Week

Session hijacking in PHPGurukul Student Result Management System v2.0 stems from improper session invalidation in the employee change-password handler (/elms/emp-changepassword.php), letting attackers reuse session tokens that should have been terminated to take over an authenticated account. A public proof-of-concept exists (VasilVK GitHub), but there is no public exploit identified as actively exploited; EPSS is low at 0.52% (40th percentile) and it is not on CISA KEV. This is a niche PHP educational application, so real-world exposure is limited despite the network-facing nature of the flaw.

Information Disclosure PHP Student Result Management System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-50494 HIGH POC This Week

Session hijacking in PHPGurukul Car Washing Management System v1.0 allows attackers to retain or reuse a doctor account session because the /doctor/change-password.php component fails to invalidate existing sessions after a credential change, publicly available exploit code exists (per the referenced GitHub PoC), though EPSS estimates only a 0.50% exploitation probability and the issue is not on CISA KEV. No public exploit identified as actively used in the wild; the flaw affects only the single unpatched v1.0 release of this niche PHP application.

Information Disclosure PHP Car Washing Management System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-50486 HIGH POC This Week

Session hijacking in PHPGurukul Car Rental Project v3.0 stems from the /carrental/update-password.php endpoint failing to invalidate existing sessions after a password change, allowing an attacker who has captured or been handed a valid session identifier to retain authenticated access even after the victim resets credentials. Publicly available exploit code exists (GitHub), but the issue is not in CISA KEV, and EPSS is modest at 0.40% (32nd percentile), indicating no evidence of widespread automated exploitation. Confidence is reduced by conflicting source metadata (see confidence notes).

Information Disclosure PHP E Diary Management System
NVD GitHub
CVSS 3.1
7.1
EPSS
0.4%
CVE-2025-50485 HIGH POC This Week

Session hijacking in PHPGurukul Online Course Registration v3.1 stems from the /crm/change-password.php component failing to invalidate existing sessions after a password change, letting an attacker who has captured or replayed a victim's session identifier retain authenticated access even after the credential is rotated. Publicly available exploit code exists (GitHub), but the flaw is not listed in CISA KEV and carries a low EPSS score of 0.40% (32nd percentile), indicating limited observed exploitation. The issue chiefly threatens confidentiality of the affected user's CRM account.

Information Disclosure PHP Online Course Registration
NVD GitHub
CVSS 3.1
7.1
EPSS
0.4%
CVE-2025-50488 HIGH POC This Week

Session hijacking in PHPGurukul Online Library Management System v3.0 stems from improper session invalidation in /library/change-password.php, where sessions are not properly terminated after credential changes, allowing an attacker who obtains or reuses a still-valid session token to impersonate a victim. Publicly available exploit code exists (GitHub, VasilVK), though there is no public exploit identified as actively exploited in the wild and it is not listed in CISA KEV. EPSS is low at 0.39% (31st percentile), indicating limited predicted mass-exploitation activity despite the available POC.

Information Disclosure PHP Online Library Management System
NVD GitHub
CVSS 3.1
7.1
EPSS
0.4%
CVE-2025-50487 HIGH POC This Week

Session hijacking in PHPGurukul Blood Bank & Donor Management System v2.4 stems from the /bbdms/change-password.php component failing to invalidate existing sessions after a password change, letting an attacker who obtains or captures a valid session token retain authenticated access even after the victim rotates credentials. Publicly available exploit code exists (GitHub, VasilVK), though the flaw is not listed in CISA KEV and carries a low EPSS score of 0.32% (24th percentile), indicating no evidence of widespread automated exploitation. The issue primarily threatens confidentiality of donor and blood-bank records in this niche PHP application.

Information Disclosure PHP Blood Bank Donor Management System
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-50484 HIGH POC This Week

Session hijacking in PHPGurukul Small CRM v3.0 stems from improper session invalidation in /crm/change-password.php, where existing session tokens are not revoked after a password change, letting an attacker who obtains or retains a valid session ID continue accessing the victim's authenticated account. Public exploit code exists (GitHub PoC by VasilVK), though there is no confirmed active exploitation (not in CISA KEV) and EPSS probability is low at 0.32% (24th percentile). Impact is primarily confidentiality of CRM data with limited integrity effect.

Information Disclosure PHP Small Crm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-29534 HIGH This Week

Authenticated OS command injection in the PowerStick Wave Dual-Band Wifi Extender V1.0 lets a user with valid credentials run arbitrary commands as root via the /cgi-bin/cgi_vista.cgi endpoint. Because the device firmware runs its web management logic with root privileges, successful exploitation yields complete takeover of the extender. The single NVD reference is a public researcher gist that very likely contains proof-of-concept detail, though the flaw is not listed in CISA KEV and EPSS risk is modest (0.66%, 47th percentile).

Command Injection RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2025-5997 HIGH This Week

Privilege escalation in Beamsec PhishPro before version 7.5.4.2 allows authenticated low-privileged users to abuse privileged API calls, resulting in full confidentiality, integrity, and availability compromise (CVSS 8.8). The root cause is CWE-648 (Incorrect Use of Privileged APIs), meaning the application exposes or incorrectly gates privileged API operations that low-privileged users can invoke directly. No public exploit exists at time of analysis, and EPSS sits at 0.25% (49th percentile), but the network-accessible, low-complexity attack path warrants prioritized remediation for any internet-facing PhishPro deployment.

Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-38494 HIGH PATCH This Week

A vulnerability in the Linux kernel's HID (Human Interface Device) core subsystem allows local attackers with low privileges to bypass input validation checks when interacting with HID devices. The flaw occurs because certain code paths directly call low-level transport driver functions instead of using the hid_hw_raw_request() function, which performs critical buffer and length validation. With an EPSS score of only 0.01% and no known exploitation in the wild, this represents a local privilege escalation risk primarily concerning systems with untrusted local users.

Linux Buffer Overflow Debian Linux Linux Kernel Red Hat +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-38471 HIGH PATCH This Week

Use-after-free in Linux kernel TLS implementation allows local authenticated users to achieve high confidentiality, integrity, and availability impact through memory corruption. The vulnerability, triggered by aggressive TCP SKB compaction in net-next, causes TLS to operate on freed socket buffers when checking decrypt state. A vendor patch is available across multiple kernel versions (6.1-rc2 through 6.1-rc5 and later stable branches). No active exploitation confirmed, but CWE-416 use-after-free bugs are frequently targeted due to their code execution potential. EPSS data not provided.

Information Disclosure Use After Free Memory Corruption Linux Debian Linux +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-50492 HIGH This Week

Session hijacking in PHPGurukul e-Diary Management System v1.0 stems from the /edms/change-password.php endpoint failing to invalidate existing sessions after a password change, so a previously captured session identifier remains valid and grants continued authenticated access. Remote attackers who obtain a victim's session token can therefore retain or take over the account even after the legitimate user rotates their password. There is no CISA KEV listing and no confirmed active exploitation; a GitHub reference (VasilVK/CVE) tracking this CVE likely contains a proof-of-concept or write-up, though PoC status is not explicitly confirmed in the source data, and EPSS is low at 0.55% (42nd percentile).

Information Disclosure PHP E Diary Management System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-4056 HIGH This Week

Denial of service in GNOME GLib on Windows platforms occurs when an application uses GLib's process-spawning functions with excessively long command lines, causing the spawn operation to fail or crash the host process and disrupt availability. The flaw affects the GLib library's Windows command-line handling and impacts any Windows application that links GLib and passes attacker-influenced long argument strings to a child process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; despite Red Hat tags mentioning RCE/Code Injection, the CVSS impact metrics confirm availability-only impact (C:N/I:N/A:H).

Code Injection Denial Of Service Microsoft RCE Glib
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-50493 HIGH This Week

Session hijacking in PHPGurukul Doctor Appointment Management System v1.0.0 stems from improper session invalidation in /doctor/change-password.php, where doctor account sessions are not terminated after a password change. A publicly available exploit code exists (GitHub, VasilVK), but there is no public exploit identified as actively exploited and it is not in CISA KEV. EPSS is low at 0.41% (33rd percentile), indicating limited real-world exploitation interest to date.

Information Disclosure PHP Doctor Appointment Management System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-50491 HIGH This Week

Session hijacking in PHPGurukul Bank Locker Management System v1.0 lets remote attackers reuse valid session tokens because the /banker/change-password.php component fails to invalidate existing sessions after a password change. Any session token captured before the change (via a shared machine, network capture, or referrer/log leakage) remains usable, letting an attacker impersonate the banker account. A GitHub reference (VasilVK/CVE) is published for this issue, and EPSS risk is low at 0.34% (27th percentile) with no active exploitation reported.

Information Disclosure PHP Bank Locker Management System
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy