Skip to main content
CVE-2025-8348 MEDIUM POC This Month

A vulnerability has been found in Kehua Charging Pile Cloud Platform 1.0 and classified as critical. This vulnerability affects unknown code of the file /home. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass Charging Pile Cloud Platform
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-8338 MEDIUM POC This Month

A vulnerability was found in projectworlds Online Admission System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /adminac.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Online Admission System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8378 MEDIUM POC This Month

A vulnerability was found in Campcodes Online Hotel Reservation System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Online Hotel Reservation System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8409 MEDIUM POC This Month

A vulnerability has been found in code-projects Vehicle Management 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /filter.php. The manipulation of the argument from leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Vehicle Management
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8408 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1.0. Affected is an unknown function of the file /filter1.php. The manipulation of the argument vehicle leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Vehicle Management
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8407 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in code-projects Vehicle Management 1.0. This issue affects some unknown processing of the file /filter2.php. The manipulation of the argument from leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Vehicle Management
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8376 MEDIUM POC This Month

A vulnerability classified as critical has been found in code-projects Vehicle Management 1.0. Affected is an unknown function of the file /updatebal.php. The manipulation of the argument company leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Vehicle Management
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8375 MEDIUM POC This Month

A vulnerability was found in code-projects Vehicle Management 1.0. It has been rated as critical. This issue affects some unknown processing of the file /addvehicle.php. The manipulation of the argument vehicle leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Vehicle Management
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8374 MEDIUM POC This Month

A vulnerability was found in code-projects Vehicle Management 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /addcompany.php. The manipulation of the argument company leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Vehicle Management
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8373 MEDIUM POC This Month

A vulnerability was found in code-projects Vehicle Management 1.0. It has been classified as critical. This affects an unknown part of the file /print.php. The manipulation of the argument sno leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Vehicle Management
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8372 MEDIUM POC This Month

A vulnerability was found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/update_s7.php. The manipulation of the argument credits leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Exam Form Submission
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8371 MEDIUM POC This Month

A vulnerability has been found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/update_s5.php. The manipulation of the argument credits leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Exam Form Submission
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8339 MEDIUM POC This Month

A vulnerability was found in code-projects Intern Membership Management System 1.0. It has been classified as critical. This affects an unknown part of the file /student_login.php. The manipulation of the argument user_name/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-50572 HIGH This Week

Arbitrary code execution via CSV/formula injection in RSA Archer (Archer IRM) 6.11.00204.10014 lets an attacker plant spreadsheet formulas through system input fields that are later written into exported CSV files; when a victim opens the export in Excel or a compatible application, the embedded formula runs on their workstation. Publicly available exploit code exists (a proof-of-concept GitHub repository), but the issue is disputed by the vendor and is not listed in CISA KEV. Impact depends entirely on a victim opening the malicious export and bypassing modern spreadsheet warnings, so real-world severity is lower than the 8.8 CVSS suggests.

RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-50850 HIGH This Week

Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rate limiting, or account lockout, letting remote attackers run automated password-guessing until a valid vendor credential is found. Success yields unauthorized access to a vendor's storefront administration account. A public write-up exists on GitHub, but there is no public exploit identified at time of analysis and no evidence of active exploitation; EPSS is low at 0.24% (15th percentile).

Authentication Bypass Cs Cart
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-50849 HIGH This Week

Insecure Direct Object Reference in CS-Cart 4.18.3 lets an authenticated shopper toggle the 'sticker' enable/disable setting on other users' accounts by tampering with the company_id (or similar object identifier) parameter in the user-profile request, because the server never verifies that the caller owns the referenced object. A public technical write-up documenting the request manipulation exists on GitHub, though the flaw is not in CISA KEV and carries a low EPSS score (0.26%, 17th percentile), indicating no confirmed active exploitation. The real-world impact is a low-severity authorization/integrity issue rather than the account takeover implied by the reported CVSS of 8.0.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-50847 MEDIUM This Month

Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated user's comparison list by tricking the victim into loading a crafted HTTP request. The impact is confined to unauthorized modification of the comparison list feature - no data exfiltration or account takeover is possible via this vector. No public exploit identified at time of analysis, and the EPSS score of 0.14% (4th percentile) reflects very low real-world exploitation interest.

CSRF Cs Cart
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-50848 MEDIUM This Month

Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users of affected storefronts. An attacker who can upload files to the platform may submit a crafted HTML document subsequently served from the trusted store domain, allowing arbitrary JavaScript execution in victims' browsers or presentation of convincing fake login pages for credential harvesting. Publicly available exploit code exists on GitHub; the EPSS score of 0.22% (13th percentile) reflects low observed exploitation pressure and the vulnerability is not listed in the CISA KEV catalog.

File Upload XSS RCE Cs Cart
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-8343 LOW POC Monitor

Path traversal in OpenViglet Shio up to version 0.3.8 allows authenticated remote attackers to read arbitrary files by manipulating the fileName parameter in the shStaticFilePreUpload API endpoint. The vulnerability has low practical impact (CVSS 2.1, EPSS 0.22%) despite being rated critical in severity classification, as it requires prior authentication and provides only limited confidentiality exposure. Public exploit code is available.

Java Path Traversal Shio
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-8370 LOW POC Monitor

Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via the descricao parameter in /intranet/educar_escolaridade_lst.php, requiring user interaction to execute. The vulnerability has a low CVSS score of 2.1 and EPSS exploitation probability of 0.11%, but publicly available exploit code exists and the vendor did not respond to early disclosure.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8369 LOW POC Monitor

Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via the titulo_avaliacao parameter in /intranet/educar_avaliacao_desempenho_lst.php. The vulnerability requires user interaction (clicking a malicious link) but has a low CVSS score of 2.1 and a minimal EPSS exploitation probability of 0.11%, placing it in the 29th percentile. Publicly available exploit code exists and the vendor has not responded to disclosure attempts.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8368 LOW POC Monitor

Reflected cross-site scripting in Portabilis i-Educar 2.9 allows remote attackers to inject arbitrary JavaScript via the campo_busca and cpf parameters in /intranet/pesquisa_pessoa_lst.php. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, or defacement of educational records. Publicly available exploit code exists; the vendor did not respond to disclosure.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8367 LOW POC Monitor

Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote attackers to inject malicious scripts via the 'nome' parameter in /intranet/funcionario_vinculo_lst.php. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and unauthorized administrative actions. Public exploit code is available, though EPSS probability remains low at 0.11% percentile, suggesting limited real-world exploitation despite disclosure.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8366 LOW POC Monitor

Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.9 allows remote unauthenticated attackers to inject arbitrary JavaScript via the nome or matricula_servidor parameters in /intranet/educar_servidor_lst.php. The vulnerability requires user interaction (clicking a malicious link) and has low confidentiality impact but can lead to session hijacking or credential theft. Publicly available exploit code exists, though exploitation likelihood remains low (EPSS 0.11%) due to user interaction requirement and limited real-world impact surface.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8344 LOW POC Monitor

Unrestricted file upload in OpenViglet Shio through version 0.3.8 allows authenticated remote attackers to upload arbitrary files via manipulation of the filename parameter in the ShStaticFileAPI.shStaticFileUpload function. The vulnerability requires valid authentication credentials but lacks proper input validation on uploaded filenames, enabling arbitrary file placement on the server. Publicly available exploit code exists, though EPSS score remains low at 0.11% (28th percentile), suggesting limited real-world exploitation despite public disclosure.

Java Authentication Bypass File Upload Shio
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8382 LOW POC Monitor

SQL injection in Campcodes Online Hotel Reservation System 1.0 allows authenticated remote attackers to manipulate the room_id parameter in /admin/edit_room.php, enabling data exfiltration and modification with low impact. The vulnerability requires valid login credentials (PR:L) and carries a CVSS 2.1 score reflecting limited scope; however, the public exploit disclosure and EPSS percentile 20 suggest limited real-world exploitation interest despite active availability of proof-of-concept code.

PHP SQLi Online Hotel Reservation System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8381 LOW POC Monitor

SQL injection in Campcodes Online Hotel Reservation System 1.0 via the room_id parameter in /add_reserve.php allows authenticated remote attackers to execute arbitrary SQL queries, but CVSS 2.1 and EPSS 0.07% (20th percentile) indicate minimal real-world risk despite public exploit availability. The vulnerability requires valid user authentication and produces only low confidentiality, integrity, and availability impact-inconsistent with the 'critical' classification in the initial report.

PHP SQLi Online Hotel Reservation System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8340 LOW POC Monitor

Reflected cross-site scripting (XSS) in Intern Membership Management System 1.0 allows remote attackers to inject malicious scripts via the email parameter in fill_details.php, executable only with user interaction. The vulnerability has a publicly available exploit and affects the error message handler, resulting in integrity impact (CVSS 2.1, EPSS 0.07%). While the attack vector is network-accessible and requires minimal complexity, the low CVSS and EPSS scores reflect the necessity for user interaction and limited technical impact.

PHP XSS Intern Membership Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8346 LOW POC Monitor

Reflected cross-site scripting (XSS) in Portabilis i-Educar 2.10 allows remote unauthenticated attackers to inject arbitrary JavaScript via the ref_cod_matricula parameter in /educar_aluno_lst.php, affecting users who click malicious links. The vulnerability has publicly available exploit code and a low CVSS score (2.1) due to requirement for user interaction, but represents a typical web application flaw in educational management systems with potential for credential theft or session hijacking.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8347 LOW POC Monitor

SQL injection in Kehua Charging Pile Cloud Platform 1.0 endpoint /sys/task/findAllTask allows authenticated remote attackers to execute arbitrary SQL queries with limited confidentiality and integrity impact. The vulnerability has a publicly available exploit and was disclosed to the vendor without response, though EPSS score of 0.04% suggests low real-world exploitation probability despite public POC availability.

SQLi Charging Pile Cloud Platform
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-8379 LOW POC Monitor

Unrestricted file upload in Campcodes Online Hotel Reservation System 1.0 allows high-privileged authenticated administrators to upload arbitrary files via the photo parameter in /admin/edit_room.php, potentially leading to remote code execution. The vulnerability requires administrative credentials to exploit and has publicly available proof-of-concept code, but carries low real-world risk due to the high privilege requirement (PR:H) and limited confidentiality/integrity impact in the CVSS v4.0 vector.

PHP Authentication Bypass File Upload Online Hotel Reservation System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-8365 LOW POC Monitor

Stored cross-site scripting (XSS) in Portabilis i-Educar 2.10 via the atendidos_cad.php file allows authenticated remote attackers with user interaction to inject malicious scripts through the nome, nome_social, or email parameters, resulting in minor integrity impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-8380 LOW POC Monitor

Cross-site scripting (XSS) in Campcodes Online Hotel Reservation System 1.0 allows authenticated users to inject malicious scripts via the Name parameter in /admin/add_query_account.php, affecting the integrity of admin-level functionality. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting direct remote exploitation to attackers with valid credentials; however, publicly available exploit code exists, and the CVSS 2.0 score with VI:L (integrity impact) reflects limited but confirmed damage potential in a stored XSS context.

PHP XSS Online Hotel Reservation System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2023-32251 LOW Monitor

A vulnerability has been identified in the Linux kernel's ksmbd component (kernel SMB/CIFS server). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Linux
NVD
CVSS 3.1
3.7
EPSS
0.4%
CVE-2025-8345 LOW Monitor

SQL injection in Lingdang CRM versions up to 8.6.4.7 allows authenticated remote attackers to execute arbitrary SQL queries via the function parameter in the delete_user function of crm/WeiXinApp/yunzhijia/yunzhijiaApi.php. Public exploit code exists, and vendor has released patched version 8.6.5.2 to remediate the vulnerability.

PHP SQLi Lingdang Crm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy