Skip to main content
CVE-2025-47188 MEDIUM POC This Month

A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 3.1
6.5
EPSS
3.3%
CVE-2025-47183 MEDIUM POC PATCH This Month

A heap buffer over-read vulnerability exists in GStreamer's isomp4 plugin (qtdemux_parse_tree function) when parsing MP4 files, affecting versions through 1.26.1. The vulnerability allows local attackers with user-level privileges who can trick a user into opening a malicious MP4 file to disclose sensitive heap memory contents and potentially cause application crashes. Publicly available proof-of-concept code exists, and while the EPSS score of 0.02% indicates low exploitation probability overall, the presence of public exploits and the information disclosure capability warrant prompt patching.

Information Disclosure Gstreamer Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2024-52680 MEDIUM POC This Month

EyouCMS 1.6.7 is vulnerable to Cross Site Scripting (XSS) in /login.php?m=admin&c=System&a=web&lang=cn. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Eyoucms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-47808 MEDIUM POC PATCH This Month

A null pointer dereference vulnerability exists in GStreamer's subparse plugin, specifically in the tmplayer_parse_line function when processing malformed subtitle files. This affects GStreamer through version 1.26.1 and can be triggered by an unauthenticated attacker over the network with moderate complexity, resulting in application crash (denial of service) and potential information disclosure. A public proof-of-concept exploit is available, but the EPSS score of 0.09% (25th percentile) indicates relatively low real-world exploitation probability despite POC availability.

Denial Of Service Gstreamer Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-47806 MEDIUM POC PATCH This Month

GStreamer's subparse plugin contains a stack-based buffer overflow in the parse_subrip_time function that allows attackers to write data past buffer boundaries, resulting in application crashes and potential information disclosure. Affected versions through 1.26.1 are vulnerable when processing specially crafted subtitle files. A proof-of-concept exploit is publicly available, and while the EPSS score of 0.07% suggests low exploitation probability overall, the availability of working exploit code elevates practical risk for systems processing untrusted subtitle content.

Denial Of Service Gstreamer Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-47807 MEDIUM POC PATCH This Month

A NULL pointer dereference vulnerability exists in GStreamer's subparse plugin, specifically in the subrip_unescape_formatting function, which can crash applications when processing maliciously crafted or malformed subtitle files. GStreamer versions through 1.26.1 are affected, and the vulnerability is exploitable through local attack vectors requiring user interaction to open a subtitle file. A public proof-of-concept is available, though the low EPSS score of 0.03% (7th percentile) suggests limited real-world exploitation likelihood despite the availability of exploit code.

Denial Of Service Gstreamer Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-55401 MEDIUM This Month

An issue in 4C Strategies Exonaut before v22.4 allows attackers to execute a directory traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Exonaut
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-40992 MEDIUM This Month

Hospital Management System 4 is vulnerable to a SQL injection in /Hospital-Management-System-master/func.php via the password2 parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Hospital Management System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-7195 MEDIUM PATCH This Month

Operator-SDK before version 0.15.2 scaffolds operator container images with an insecure user_setup script that leaves the /etc/passwd file with group-writable permissions (mode 664) and root group ownership, enabling any non-root container user who is a member of the root group to modify /etc/passwd and add arbitrary users with UID 0, achieving full container root compromise. Developers who used affected versions to build operators may still be deploying vulnerable container images if the insecure script persists in their build pipelines. The vulnerability carries a CVSS score of 6.4 with high complexity and high privilege requirements (CVSS:3.1/AV:L/AC:H/PR:H), but an EPSS score of 0.01% indicates minimal real-world exploitation likelihood; no public exploit code or active exploitation has been confirmed.

Privilege Escalation
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2023-41529 MEDIUM This Month

Hospital Management System v4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in func2.php via the fname and lname parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Hospital Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2023-41519 MEDIUM This Month

Student Attendance Management System v1 was discovered to contain a cross-site scripting (XSS) vulnerability via the sessionName parameter at createSessionTerm.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Student Attendance Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-8582 MEDIUM PATCH This Month

Insufficient validation of untrusted input in Core in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Chrome Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-8580 MEDIUM PATCH This Month

Inappropriate implementation in Filesystems in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Chrome Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-8579 MEDIUM PATCH This Month

Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Chrome Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-8583 MEDIUM PATCH This Month

Inappropriate implementation in Permissions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Chrome Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-8581 MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Chrome Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53774 MEDIUM This Month

Microsoft 365 Copilot BizChat Information Disclosure Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Microsoft Information Disclosure 365 Copilot Chat
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-48709 MEDIUM Monitor

BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Control M Server Windows
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-55077 MEDIUM This Month

Tyler Technologies ERP Pro 9 SaaS allows an authenticated user to escape the application and execute limited operating system commands within the remote Microsoft Windows environment with the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Erp Pro 9 Windows
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-51533 MEDIUM POC This Month

An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Sage Dpw
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-54397 MEDIUM Monitor

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 inserts Sensitive Information Into Sent Data to authenticated users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Directory Manager
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54396 MEDIUM This Month

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows SQL Injection. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Directory Manager
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-54395 MEDIUM This Month

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication configuration data. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Directory Manager
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-54394 MEDIUM This Month

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 has Insufficiently Protected Credentials for requests to remote Excel resources. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Directory Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-54393 MEDIUM This Month

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows Static Code Injection. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Directory Manager
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-54392 MEDIUM This Month

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data, a different vulnerability than CVE-2025-47189. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Directory Manager
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-42048 MEDIUM This Month

OpenOrange Business Framework version 1.15.5 installs to a directory with overly permissive access control, allowing all authenticated users to write to the installation path. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Privilege Escalation
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-55136 MEDIUM This Month

ERC (aka Emotion Recognition in Conversation) through 0.3 has insecure deserialization via a serialized object because jsonpickle is used. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-55135 MEDIUM This Month

In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-55134 MEDIUM This Month

In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via tag in client/agora/public/js/editorManager.js. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-55133 MEDIUM This Month

In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via topicName in client/agora/public/js/editorManager.js. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-44779 MEDIUM PATCH This Month

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ollama AI / ML Suse
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-50952 MEDIUM PATCH This Month

openjpeg v 2.5.0 was discovered to contain a NULL pointer dereference via the component /openjp2/dwt.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference Openjpeg Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-8533 MEDIUM This Month

A vulnerability was identified in the XPC services of Fantastical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-32094 MEDIUM Monitor

An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Request Smuggling Information Disclosure
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-8577 MEDIUM PATCH Monitor

Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Chrome Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-54885 MEDIUM PATCH This Month

Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-54783 MEDIUM This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Suitecrm
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-54786 MEDIUM This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Suitecrm
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy