Skip to main content
CVE-2025-11330 LOW POC Monitor

SQL injection in PHPGurukul Beauty Parlour Management System 1.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulated fromdate and todate parameters in /admin/sales-reports-detail.php. The vulnerability has low real-world impact (CVSS 2.1, EPSS 0.04%) despite public exploit availability, as it requires valid admin authentication and yields only limited data disclosure without full database manipulation capability.

PHP SQLi Beauty Parlour Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11331 LOW POC Monitor

Command injection in IdeaCMS up to version 1.8 allows high-privileged remote attackers to execute arbitrary system commands via manipulation of the 网站名称 (website name) parameter in the Website Name Handler component. The vulnerability exists in app/common/logic/admin/Config.php and requires high-privilege credentials but has publicly available exploit code and carries notable risk given the vendor's non-responsiveness to early disclosure.

PHP Command Injection Ideacms
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-11342 LOW POC Monitor

SQL injection in code-projects Online Course Registration 1.0 allows high-privileged remote attackers to manipulate the coursecode parameter in /admin/edit-course.php, potentially extracting or modifying database contents. CVSS 4.0 reflects limited scope (only confidentiality/integrity impact to database layer with no system scope expansion), but the vulnerability requires administrative authentication (PR:H), significantly constraining real-world risk despite public exploit availability and 0.03% EPSS indicating minimal spontaneous exploitation likelihood.

PHP SQLi Online Course Registration Site
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11332 LOW POC Monitor

Reflected cross-site scripting (XSS) in CmsEasy up to version 7.7.7 allows authenticated remote attackers to inject malicious scripts via manipulation of the PHP_SELF argument in the URL handler component (lib/inc/view.php). The vulnerability requires user interaction (clicking a malicious link) and user login to trigger, resulting in limited integrity impact. Publicly available exploit code exists, though EPSS score remains low at 0.03%, reflecting the significant prerequisites (authentication and user click required) that limit real-world exploitation potential. The vendor has not responded to disclosure attempts.

PHP XSS Cmseasy
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11322 LOW Monitor

Weak password requirements in Mangati NovoSGA up to version 2.2.12 allow remote attackers to bypass password policy validation during user account creation via manipulation of the Senha/Confirmação da senha (password/password confirmation) parameters on the /novosga.users/new endpoint. The vulnerability is difficult to exploit (CVSS AC:H) and offers only low confidentiality impact, but public exploit code is available and enables brute-force attacks against weak user credentials. EPSS score of 0.04% (percentile 12%) indicates limited real-world exploitation likelihood despite CVE publication.

Information Disclosure Brute Force
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-11320 LOW Monitor

Unrestricted file upload in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to upload arbitrary files via the uploadFile function in UploadController.java, potentially enabling remote code execution or system compromise. The vulnerability has publicly disclosed exploit code available. Despite a low CVSS score of 2.1 reflecting limited direct impact scope, the presence of public exploits and authentication bypass tags suggests practical exploitation risk in environments where attacker access is feasible.

Java Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11321 LOW Monitor

Authorization bypass in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to manipulate the subjectId parameter in WrongBookController.java to access unauthorized resources. The vulnerability has a low CVSS score (2.1) due to limited confidentiality impact and requirement for prior authentication, but publicly available exploit code exists and the attack vector is entirely network-accessible.

Java Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11319 LOW Monitor

SQL injection in nahiduddinahammed Hospital-Management-System-Website allows authenticated remote attackers to execute arbitrary SQL queries via the ai parameter in /delete.php, with public exploit code available. The CVSS 2.1 score and 0.03% EPSS percentile indicate low real-world risk despite network accessibility, as exploitation requires valid user authentication and produces only limited confidentiality impact. The vendor has not responded to disclosure attempts.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11335 LOW Monitor

Command injection in D-Link DI-7100G C1 firmware up to version 20250928 allows remote authenticated attackers to execute arbitrary commands via the iface parameter in the /msp_info.htm?flag=qos endpoint of the jhttpd component. The vulnerability requires high-level administrative privileges and publicly available exploit code exists, but EPSS score of 0.06% indicates exploitation is unlikely in real-world scenarios due to the privilege requirement.

Command Injection D-Link Di 7100g C1 Firmware
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-11333 LOW Monitor

Stored cross-site scripting (XSS) in Langley FCU Online Banking System via the First Name field on the Add Customer Page (/customer_add_action.php) allows high-privileged authenticated users to inject malicious scripts affecting other users. The CVSS score of 1.9 reflects the high privilege requirement (PR:H) and user interaction dependency (UI:P), limiting real-world risk despite public exploit availability. No active exploitation has been confirmed in CISA KEV at time of analysis.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy