Skip to main content
CVE-2025-50946 MEDIUM POC PATCH This Month

OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Olivetin Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2025-45313 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hortusfox
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-45314 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the /Calendar endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hortusfox
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-8925 MEDIUM POC This Month

A vulnerability has been found in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-8923 MEDIUM POC This Month

A vulnerability was determined in code-projects Job Diary 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-8922 MEDIUM POC This Month

A vulnerability was found in code-projects Job Diary 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-8921 MEDIUM POC This Month

A vulnerability has been found in code-projects Job Diary 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-8926 MEDIUM POC This Month

A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-8924 MEDIUM POC This Month

A vulnerability was identified in Campcodes Online Water Billing System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-45315 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hortusfox
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-54465 MEDIUM This Month

This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-0818 MEDIUM This Month

Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Path Traversal PHP
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2024-12303 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-1477 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-2937 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-2614 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-8770 MEDIUM This Month

An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-8907 MEDIUM This Month

A vulnerability was found in H3C M2 NAS V100R006. Rated high severity (CVSS 7.3). No vendor patch available.

Privilege Escalation
NVD VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2025-8916 MEDIUM PATCH CISA This Month

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-2181 MEDIUM This Month

A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Paloalto Information Disclosure
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2025-2182 MEDIUM This Month

A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). Rated medium severity (CVSS 5.6), this vulnerability is low attack complexity. No vendor patch available.

Paloalto Information Disclosure
NVD
CVSS 4.0
5.6
EPSS
0.0%
CVE-2025-8911 MEDIUM This Month

Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Organization Portal System
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-8910 MEDIUM This Month

Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Organization Portal System
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-2184 MEDIUM This Month

A credential management flaw in Palo Alto Networks Cortex XDR® Broker VM causes different Broker VM images to share identical default credentials for internal services. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto Information Disclosure
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-2183 MEDIUM This Month

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect™ app enables attackers to connect the GlobalProtect app to arbitrary servers. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto Information Disclosure
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-8762 MEDIUM This Month

A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 4.0
5.2
EPSS
0.0%
CVE-2025-5819 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-2180 MEDIUM This Month

An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non administrative user by scanning a malicious. Rated medium severity (CVSS 4.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto RCE Deserialization Hashicorp
NVD
CVSS 4.0
4.8
EPSS
0.3%
CVE-2025-8491 MEDIUM This Month

The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-55197 MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.1%
CVE-2025-55194 MEDIUM POC PATCH This Month

Part-DB is an open source inventory management system for electronic components. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Part Db
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-43989 MEDIUM This Month

The /goform/formJsonAjaxReq POST endpoint of Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices mishandles the set_timesetting action with the ntpserver0 parameter, which is used in a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-45317 MEDIUM POC This Week

A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Hortusfox
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-45316 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the TextBlockModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hortusfox
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-10219 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54500 MEDIUM PATCH This Month

An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Advanced Web Application Firewall Big Ip Analytics +24
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-53859 MEDIUM PATCH This Month

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Nginx Information Disclosure Nginx Plus Nginx Open Source +2
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-51691 MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-50690 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in SpatialReference.org (OSGeo/spatialreference.org) versions prior to 2025-05-17 (commit 2120adfa17ddd535bd0f539e6c4988fa3a2cb491). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-55668 MEDIUM PATCH This Month

Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Session Fixation Apache Red Hat +1
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-55160 MEDIUM POC PATCH This Month

ImageMagick is free and open-source software used for editing and manipulating digital images. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Imagemagick Red Hat Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-55005 MEDIUM POC PATCH This Month

ImageMagick is free and open-source software used for editing and manipulating digital images. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-54791 MEDIUM PATCH This Month

OMERO.web provides a web based client and plugin infrastructure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Omero Web
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-52392 MEDIUM POC This Month

Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
1.3%
CVE-2025-52386 MEDIUM This Month

CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-55280 MEDIUM This Month

This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. Rated medium severity (CVSS 5.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
5.2
EPSS
0.0%
CVE-2025-55279 MEDIUM This Month

This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-8891 MEDIUM POC PATCH Monitor

The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Oceanwp PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-8881 MEDIUM PATCH This Month

Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Chrome Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy