Skip to main content
CVE-2025-8266 LOW POC Monitor

Unsafe deserialization in ChanCMS up to version 3.1.2 allows authenticated remote attackers to achieve limited confidentiality, integrity, and availability impact via manipulation of the targetUrl parameter in the getArticle function of app/modules/cms/controller/collect.js. The CVSS score of 2.1 reflects constrained impact (low severity across all impact categories), but the low EPSS percentile (71%) and publicly available exploit code indicate real-world risk despite authentication requirement. Upgrading to version 3.1.3 resolves the issue.

Deserialization Chancms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.7%
CVE-2025-8256 LOW POC Monitor

Unrestricted file upload in code-projects Online Ordering System 1.0 allows authenticated remote attackers to upload arbitrary files via the image parameter in /admin/product.php, potentially enabling remote code execution. Despite a critical severity classification, the CVSS 4.0 score of 2.1 reflects low actual impact due to required authentication and limited scope. Publicly available exploit code exists; however, the 0.10% EPSS score (27th percentile) indicates minimal real-world exploitation likelihood, suggesting this is a low-priority vulnerability in practice.

PHP Authentication Bypass File Upload Online Ordering System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8247 LOW POC Monitor

SQL injection in Projectworlds Online Admission System 1.0 allows authenticated remote attackers to manipulate the 'markof' parameter in /admin.php, leading to database queries with limited confidentiality and integrity impact. The vulnerability has publicly available exploit code, though actual exploitation appears limited given the low EPSS score (0.07%) and requirement for authenticated access, suggesting this affects only deployments where admin credentials are already compromised or accessible.

PHP SQLi Online Admission System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8258 LOW POC Monitor

Cool Mo Maigcal Number App versions 1.0.0 through 1.0.3 on Android contain improper export of application components in AndroidManifest.xml, allowing local authenticated attackers to access sensitive functionality of the com.sdmagic.number component. While CVSS severity is minimal (1.9), publicly available exploit code exists; exploitation requires local device access and authenticated privileges but carries information disclosure impact.

Information Disclosure Google Maigcal Number
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-8257 LOW POC Monitor

Improper export of Android application components in Lobby Universe Lobby App versions 2.0 through 2.8.0 allows local attackers with user-level privileges to access sensitive functionality via the com.maverick.lobby component. The vulnerability stems from AndroidManifest.xml misconfiguration that exposes internal application activities without proper permission protection, enabling local privilege escalation or information disclosure. Publicly available exploit code exists, though exploitation requires local device access and authenticated user privileges.

Information Disclosure Google Lobby
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-8260 LOW POC Monitor

A security flaw has been discovered in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. This affects an unknown part of the file /grid/vgrid_server.php of the component Web interface. Performing a manipulation of the argument xajaxargs results in use of weak hash. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 5.1.1 and 5.4.1 is able to mitigate this issue. Upgrading the affected component is recommended.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-8283 LOW PATCH Monitor

DNS resolve confusion in netavark, the Rust-based network stack for Podman containers, causes container name lookups to be forwarded to unexpected external DNS servers due to a regression that removed the dns.podman search domain. Affected deployments on Red Hat Enterprise Linux 8/9/10 and OpenShift Container Platform 4.0 running netavark < 1.15.1 are subject to misdirected container DNS resolution when host resolv.conf search domains contain a record matching a running container's hostname. The impact is limited to information disclosure (CVSS 3.7, Low), with no confirmed active exploitation and no public exploit identified at time of analysis.

Information Disclosure Openshift Container Platform Enterprise Linux
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-8254 LOW Monitor

SQL injection in Campcodes Courier Management System 1.0 via the ID parameter in /view_parcel.php allows authenticated remote attackers to execute arbitrary SQL queries with limited data exposure impact. The CVSS score of 2.1 reflects constraints imposed by authentication requirements (PR:L) and restricted scope, but publicly available exploit code exists; however, the 0.06% EPSS score indicates minimal real-world exploitation likelihood despite public disclosure.

PHP SQLi Courier Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8265 LOW Monitor

File upload restriction bypass in 299Ko CMS 2.0.0 allows authenticated administrators to upload arbitrary files via the /admin/filemanager/view endpoint, classified as critical but constrained by high-privilege requirement. The vulnerability stems from improper access controls in the file management component (CWE-284). While a public exploit disclosure exists, the EPSS score of 0.06% and CVSS 2.0 reflect the mitigation factor of administrator-level privileges required (PR:H), making real-world exploitation practical only against compromised or malicious admin accounts.

Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-8275 LOW Monitor

Improper export of Android application components in bsc Peru Cocktails App 1.0.0 allows local authenticated attackers to access unexported activities, services, or broadcast receivers defined in AndroidManifest.xml, leading to information disclosure. The vulnerability has been publicly disclosed with exploit code available, though real-world risk is minimal given the low CVSS score (1.9) and EPSS exploitation probability (0.02%), indicating this affects only authenticated users with local device access and results in limited confidentiality impact.

Information Disclosure Google
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy