Skip to main content
CVE-2025-61666 HIGH POC PATCH This Week

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.

Path Traversal Windows
NVD GitHub
CVSS 4.0
8.7
EPSS
1.0%
CVE-2025-54286 HIGH POC PATCH This Week

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

CSRF Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-54289 HIGH POC PATCH This Week

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

Privilege Escalation Ubuntu Debian Lxd Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-61665 HIGH POC PATCH This Week

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.

Information Disclosure PHP Wegia
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-56161 HIGH POC This Week

YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.

Information Disclosure PHP Firefly Mall
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-34208 HIGH POC This Week

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.

Information Disclosure PHP Virtual Appliance Application Virtual Appliance Host
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60663 HIGH POC This Week

Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the wanMTU parameter in the fromAdvSetMacMtuWan function.

Buffer Overflow Memory Corruption Ac18 Firmware Tenda
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60662 HIGH POC This Week

Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the wanSpeed parameter in the fromAdvSetMacMtuWan function.

Buffer Overflow Memory Corruption Ac18 Firmware Tenda
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60660 HIGH POC This Week

Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the mac parameter in the fromAdvSetMacMtuWan function.

Buffer Overflow Memory Corruption Ac18 Firmware Tenda
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59405 HIGH POC This Week

The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) contains a cleartext DataDog API key within in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover the OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.

Information Disclosure Flock Safety Android
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59409 HIGH POC This Week

Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware.

Information Disclosure License Plate Reader Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-61604 HIGH POC PATCH This Week

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Cross-Site Request Forgery (CSRF) vulnerability. The delete operation for the Almoxarifado entity is exposed via HTTP GET without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session. This issue is fixed in version 3.5.0.

CSRF Wegia
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-11221 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1.

Path Traversal File Upload
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-11020 HIGH This Week

An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux.This issue affects SafePC Enterprise: V7.0.* (V7.0.YYYY.MM.DD) before V7.0.1, and V5.*.*.

SQLi Path Traversal File Upload Windows
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-40645 HIGH This Week

Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter.

Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-61668 HIGH PATCH This Week

Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.

Denial Of Service Null Pointer Dereference
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-9587 HIGH This Week

The CTL Behance Importer Lite WordPress plugin through 1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

SQLi WordPress PHP
NVD WPScan
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-10653 HIGH This Week

CVE-2025-10653 is a security vulnerability (CVSS 8.6) that allows access. High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-59835 HIGH PATCH This Week

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

Information Disclosure
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2024-58267 HIGH PATCH This Week

A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens.

Information Disclosure Suse
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2023-28760 HIGH This Week

TP-Link AX1800 WiFi 6 Router (Archer AX21) devices allow unauthenticated attackers (on the LAN) to execute arbitrary code as root via the db_dir field to minidlnad. The attacker obtains the ability to modify files.db, and that can be used to reach a stack-based buffer overflow in minidlna-1.1.2/upnpsoap.c. Exploitation requires that a USB flash drive is connected to the router (customers often do this to make a \\192.168.0.1 share available on their local network).

Buffer Overflow TP-Link RCE Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2025-61692 HIGH This Week

VT STUDIO versions 8.53 and prior contain a use after free vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

Denial Of Service RCE Memory Corruption Use After Free Vt Studio
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-61691 HIGH This Week

VT STUDIO versions 8.53 and prior contain an out-of-bounds read vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

Buffer Overflow Information Disclosure RCE Vt Studio
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-61690 HIGH This Week

CVE-2025-61690 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation.

RCE
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-58777 HIGH This Week

VT Studio versions 8.53 and prior contain an access of uninitialized pointer vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

RCE Memory Corruption Vt Studio
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-58776 HIGH This Week

KV Studio versions 12.23 and prior contain a stack-based buffer overflow vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

Buffer Overflow RCE Stack Overflow
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-58775 HIGH This Week

KV STUDIO and VT5-WX15/WX12 contain a stack-based buffer overflow vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

Buffer Overflow RCE Stack Overflow
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-58260 HIGH PATCH This Week

A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-61600 HIGH PATCH This Week

Stalwart is a mail and collaboration server. Versions 0.13.3 and below contain an unbounded memory allocation vulnerability in the IMAP protocol parser which allows remote attackers to exhaust server memory, potentially triggering the system's out-of-memory (OOM) killer and causing a denial of service. The CommandParser implementation enforces size limits on its dynamic buffer in most parsing states, but several state handlers omit these validation checks. This issue is fixed in version 0.13.4. A workaround for this issue is to implement rate limiting and connection monitoring at the network level, however this does not provide complete protection.

Denial Of Service Debian
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-61733 HIGH PATCH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Authentication Bypass Apache Kylin
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61734 HIGH PATCH This Week

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Information Disclosure Path Traversal Apache Kylin
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59744 HIGH This Week

Path traversal vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to access files only within the web root using the “docurl” parameter in “/lib/asp/DOCSAVEASASP.ASP”.

Path Traversal E Tms
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59745 HIGH This Week

Vulnerability in the cryptographic algorithm of AndSoft's e-TMS v25.03, which uses MD5 to encrypt passwords. MD5 is a cryptographically vulnerable hash algorithm and is no longer considered secure for storing or transmitting passwords. It is vulnerable to collision attacks and can be easily cracked with modern hardware, exposing user credentials to potential risks.

Information Disclosure E Tms
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-61735 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

SSRF Apache Kylin
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-11240 HIGH PATCH This Week

An open redirect vulnerability existed in KNIME Business Hub prior to version 1.16.0. An unauthenticated remote attacker could craft a link to a legitimate KNIME Business Hub installation which, when opened by the user, redirects the user to a page of the attackers choice. This might open the possibility for fishing or other similar attacks. The problem has been fixed in KNIME Business Hub 1.16.0.

Open Redirect Business Hub
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-32942 HIGH PATCH This Week

A security vulnerability in SSH Tectia Server before 6.6.6 sometimes (CVSS 7.2) that allows attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-49090 HIGH POC PATCH This Week

CVE-2025-49090 is a security vulnerability (CVSS 7.1). High severity vulnerability requiring prompt remediation.

Information Disclosure Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-54315 HIGH POC PATCH This Week

CVE-2025-54315 is a security vulnerability (CVSS 7.1). High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy