Skip to main content
CVE-2025-11280 LOW POC Monitor

Information disclosure vulnerability in Frappe LMS 2.35.0 allows remote unauthenticated attackers to access sensitive assignment picture data through direct requests to the /files/ endpoint with high attack complexity. The vulnerability carries a CVSS score of 2.9 with low confidentiality impact, and publicly available exploit code exists, though real-world exploitation risk remains minimal given the high complexity requirement and low EPSS score of 0.04%.

Information Disclosure Learning
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-11285 LOW POC Monitor

OS command injection in MCPHub up to version 0.9.10 allows authenticated remote attackers to execute arbitrary system commands via manipulation of command/args parameters in serverController.ts. The vulnerability has a low CVSS score (2.1) due to requirement for authenticated access and limited scope impact, but carries elevated real-world risk given publicly available exploit code and vendor non-responsiveness. EPSS score of 0.25% suggests limited current exploitation activity despite POC availability.

Command Injection Mcphub
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2025-11303 LOW POC Monitor

Command injection in Belkin F9K1015 firmware 1.00.10 allows authenticated remote attackers to execute arbitrary commands via manipulation of the command argument in the /goform/mp endpoint. The vulnerability requires valid user credentials but offers minimal impact due to restricted capabilities (low confidentiality, integrity, and availability effects). Publicly available exploit code exists, though EPSS scoring (0.20%) indicates limited real-world exploitation probability despite public availability.

Command Injection F9K1015 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-11298 LOW POC Monitor

Command injection in Belkin F9K1015 firmware 1.00.10 allows authenticated remote attackers to execute arbitrary commands via manipulation of the m_wan_ipaddr parameter in the /goform/formSetWanStatic endpoint. The vulnerability has publicly available exploit code and has been disclosed despite vendor non-responsiveness. With a CVSS score of 2.1 and EPSS percentile of 42%, real-world risk is low due to authentication requirement and limited impact scope, though the public POC and command injection nature warrant monitoring.

Command Injection F9K1015 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-11292 LOW POC Monitor

Command injection in Belkin F9K1015 firmware 1.00.10 allows authenticated remote attackers to execute arbitrary commands via manipulation of the wan_ipaddr parameter in the /goform/formBSSetSitesurvey endpoint. The vulnerability requires valid credentials and has limited scope (low confidentiality, integrity, and availability impact on the vulnerable component), but publicly available exploit code exists and the vendor has not responded to disclosure efforts.

Command Injection F9K1015 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-11286 LOW POC Monitor

Server-side request forgery (SSRF) in MCPHub up to version 0.9.10 allows authenticated high-privilege users to manipulate the baseUrl argument in the MCPRouter Service, enabling arbitrary HTTP requests from the server. The vulnerability requires high privilege level and has publicly available proof-of-concept code, though EPSS analysis suggests limited real-world exploitation probability despite active public disclosure.

SSRF Mcphub
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11308 LOW POC Monitor

Stored cross-site scripting in Vanderlande Baggage 360 7.0.0 allows authenticated remote attackers to inject malicious scripts via the Message parameter in the /api-addons/v1/messages endpoint, affecting integrity of stored data and potentially compromising user sessions when victims view poisoned messages. Exploitation requires user interaction (victim must view the message) and valid login credentials. Publicly available exploit code exists; EPSS score of 0.03% indicates low baseline exploitation probability despite public POC, suggesting the vulnerability requires specific triggering conditions or limited exposure in real deployments.

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11283 LOW POC Monitor

Cross-site scripting (XSS) in Frappe LMS 2.35.0 Course Handler allows authenticated users with high privileges to inject malicious scripts via the Description argument when course creation or modification requires user interaction, resulting in integrity impact to stored content. The vulnerability has publicly available exploit code and a CVSS score of 1.9, indicating minimal real-world risk despite XSS classification; however, active exploitation probability (EPSS 0.07%) remains very low, suggesting this is a low-priority vulnerability except in multi-tenant environments where malicious admins pose insider threats.

XSS Learning
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-11282 LOW POC Monitor

Frappe LMS versions 2.34.x and 2.35.0 contain a cross-site scripting (XSS) vulnerability in an incomplete fix for CVE-2025-55006, allowing authenticated remote attackers with high privileges to inject malicious scripts that execute in user browsers. Publicly available exploit code exists, and while the CVSS score of 4.8 is moderate, the low EPSS percentile (21%) and requirement for privileged user interaction suggest limited real-world exploitation likelihood despite public disclosure.

XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-11277 LOW POC Monitor

Heap-based buffer overflow in Assimp 6.0.2's Q3D file importer allows local authenticated users to cause memory corruption via crafted Q3D model files. The vulnerability affects the Q3DImporter::InternReadFile function and has publicly available exploit code, though real-world exploitation remains limited due to local access and low privilege requirement constraints. CVSS 1.9 reflects minimal confidentiality, integrity, and availability impact despite the presence of a public POC.

Buffer Overflow Assimp
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11289 LOW POC Monitor

Stored cross-site scripting (XSS) in westboy CicadasCMS Template Management Page allows high-privileged users to inject malicious scripts via the Save function in TemplateFileServiceImpl.java, affecting downstream users who interact with stored templates. The vulnerability requires high privileges and user interaction but carries CVSS 1.9 due to minimal integrity impact; however, publicly available exploit code exists, indicating real disclosure despite extremely low exploitation probability (EPSS 0.03%).

Java XSS Cicadascms
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11274 LOW POC Monitor

Assimp 6.0.2 Q3D file parser mishandles resource allocation in the Q3DImporter::InternReadFile function, causing denial of service through uncontrolled memory consumption when processing malformed Q3D model files. A local authenticated attacker can trigger excessive memory allocation by providing a specially crafted Q3D file, leading to process crash or system resource exhaustion. Publicly available exploit code exists, though CVSS 1.9 and EPSS 0.03% indicate minimal real-world exploitation risk.

Denial Of Service Assimp
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11275 LOW POC Monitor

Heap-based buffer overflow in Open Asset Import Library Assimp 6.0.2 affects the ODDLParser::getNextSeparator function in OpenDDLParserUtils.h, allowing local attackers with low privileges to cause limited memory corruption. The vulnerability has a CVSS score of 1.9 with low confidentiality, integrity, and availability impact; however, publicly available exploit code exists and EPSS indicates minimal real-world exploitation probability (0.02% percentile 6%), suggesting this is a low-risk issue in practice despite the buffer overflow designation.

Buffer Overflow Assimp
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11281 LOW POC Monitor

Frappe LMS 2.35.0 contains improper access controls in the Unpublished Course Handler component at the /courses/ endpoint that allows authenticated remote attackers to access unauthorized information. The vulnerability requires high attack complexity and authenticated access, limiting real-world exploitation despite publicly available exploit code. CVSS 1.3 and EPSS 0.04% (11th percentile) indicate low practical risk despite public POC availability.

Information Disclosure Learning
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-11290 LOW Monitor

CRMEB up to version 5.6.1 uses a hard-coded cryptographic key in its JWT HMAC Secret Handler when the secret argument defaults to a known value, allowing remote attackers to forge JWT tokens and bypass authentication. Despite a low CVSS score of 2.9 reflecting high attack complexity, public exploit code exists and the vendor has not responded to disclosure. The practical impact depends on how JWT validation is implemented in the application stack.

Information Disclosure Crmeb
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-11291 LOW Monitor

Cross-site scripting (XSS) in ixmaps website2017 via unsanitized trid parameter in /map.php HTTP GET requests allows remote attackers to inject arbitrary JavaScript that executes in users' browsers with user interaction. The vulnerability affects an unknown version up to commit 0c71cffa0162186bc057a76766bc97e9f5a3a2d0, exploit code has been publicly released, and the vendor has not responded to disclosure notifications. CVSS 2.1 (Low) reflects minimal confidentiality impact and required user interaction, though EPSS 0.03% indicates low real-world exploitation probability.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11288 LOW Monitor

SQL injection in CRMEB up to version 5.6 allows authenticated remote attackers to manipulate the cate_id parameter in GET requests to the /adminapi/product/product endpoint, potentially leading to unauthorized data access or modification. The vulnerability requires valid login credentials and has limited technical impact according to CVSS 4.0 (integrity and availability scope unchanged), but publicly available exploit code exists and the vendor has not responded to disclosure.

SQLi Crmeb
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11306 LOW Monitor

Reflected cross-site scripting (XSS) in qianfox FoxCMS up to version 1.2 allows remote unauthenticated attackers to inject malicious JavaScript through the keyword parameter in the Search Page component (/index.php/Search). The vulnerability requires user interaction (clicking a malicious link) and results in integrity impact via session hijacking or credential theft. Exploit code is publicly available on GitHub, though EPSS scoring (0.03%) suggests limited real-world exploitation activity.

PHP XSS Foxcms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11278 LOW Monitor

Cross-site scripting (XSS) vulnerability in AllStarLink Supermon up to version 6.2 component AllMon2 allows remote attackers to inject malicious scripts via unknown vectors, with user interaction required. The vulnerability affects end-of-life products no longer receiving vendor support, and publicly available exploit code exists; however, EPSS exploitation probability is minimal at 0.02%, indicating limited real-world attack likelihood despite public disclosure.

XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11304 LOW Monitor

Mentor LMS up to version 1.1.1 allows permissive cross-domain policies with untrusted domains through an unspecified API component, enabling information disclosure via remote unauthenticated requests with user interaction. The CVSS 2.1 score reflects limited confidentiality impact; however, EPSS indicates very low real-world exploitation probability (0.02nd percentile), and the vulnerability requires user interaction, substantially limiting practical risk despite publicly available exploit code.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11279 LOW Monitor

CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 via the Title parameter on the Add Work Item Page allows authenticated users with UI interaction to inject malicious CSV formulas, resulting in low-impact data manipulation. The vulnerability requires user login and deliberate user interaction to exploit, limiting real-world risk despite public exploit availability and vendor non-responsiveness.

Code Injection
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy