Skip to main content
CVE-2025-11441 LOW POC PATCH Monitor

OpnForm versions up to 1.9.3 fail to properly restrict excessive authentication attempts when the X-Forwarded-For HTTP header is manipulated, allowing remote attackers to bypass rate-limiting controls. An attacker can exploit this by spoofing their source IP address through header manipulation to conduct brute-force attacks against user credentials without triggering account lockout mechanisms. Publicly available exploit code exists; however, the CVSS score of 2.9 and EPSS percentile of 35% indicate low real-world exploitation likelihood despite the public POC, suggesting this requires specific application configurations or deployment contexts to be practically exploitable.

Information Disclosure Opnform
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-11443 LOW POC Monitor

OpnForm versions up to 1.9.3 expose sensitive information through a timing-based discrepancy in the forgotten password handler endpoint (/api/password/email), allowing remote unauthenticated attackers to enumerate valid email addresses or extract partial account information with high attack complexity. The vulnerability is rooted in a Laravel framework issue (Laravel #46465) for which the vendor has taken no mitigation action. Publicly available exploit code exists, though EPSS scoring (0.04%) indicates low real-world exploitation likelihood despite theoretical exploitability.

Information Disclosure Opnform
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-11490 LOW POC Monitor

OS command injection in DesktopCommanderMCP up to version 0.2.13 allows authenticated remote attackers to execute arbitrary operating system commands via the extractBaseCommand function in src/command-manager.ts when processing absolute file paths. The vulnerability requires authentication and has limited real-world impact scope, reflected in a low CVSS score of 2.1 and EPSS of 0.15%, though publicly available exploit code exists and the vendor acknowledges the issue remains unfixed pending real-world incident reports.

Command Injection Desktopcommandermcp
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11491 LOW POC Monitor

OS command injection in DesktopCommanderMCP up to version 0.2.13 allows authenticated remote attackers to execute arbitrary system commands via manipulation of the CommandManager function in src/command-manager.ts. The vulnerability has a low CVSS score (2.1) due to authentication requirement and limited scope, but publicly available exploit code exists and the low EPSS score (0.14th percentile) suggests real-world exploitation risk is minimal despite public POC availability.

Command Injection Desktopcommandermcp
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11442 LOW POC Monitor

OpnForm up to version 1.9.3 contains a cross-site request forgery vulnerability in an undisclosed API endpoint, though the practical exploitability is severely constrained by the vendor's mandatory use of JWT Bearer token authentication. The vulnerability requires an attacker to first obtain a valid JWT token through a separate XSS attack, which the vendor states has been mitigated in the product, making the CSRF itself a secondary concern rather than an independent attack vector. Publicly available exploit code exists, but real-world impact is minimal given the authentication and XSS mitigation barriers.

CSRF XSS Opnform
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11436 LOW POC PATCH Monitor

Unrestricted file upload in JhumanJ OpnForm through version 1.9.3 allows authenticated users to bypass upload restrictions via the /answer endpoint, resulting in unauthorized file storage with limited confidentiality and integrity impact. The vulnerability requires valid authentication and has a publicly available exploit with low real-world exploitation probability (EPSS 0.05%), but the combination of low CVSS (2.1), authentication requirement, and limited impact suggests this is not a critical priority despite public exploit availability.

Authentication Bypass File Upload Opnform
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11426 LOW POC Monitor

Unrestricted file upload in projectworlds Advanced Library Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the image parameter in /edit_book.php, resulting in low-impact confidentiality, integrity, and availability violations. Public exploit code is available, though EPSS exploitation probability remains very low at 0.05%, suggesting limited real-world attack incentive despite authentication requirement bypass potential.

PHP Authentication Bypass File Upload Advanced Library Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11435 LOW POC PATCH Monitor

Stored cross-site scripting (XSS) in JhumanJ OpnForm up to version 1.9.3 allows remote attackers to inject malicious scripts via the /show/submissions endpoint, affecting all users who view affected submissions. The vulnerability requires user interaction (UI:P) to trigger but carries low integrity impact (VI:L). Public exploit code exists, and a patch has been released; however, the CVSS 2.1 score and 0.05% EPSS percentile indicate limited real-world exploitation despite public disclosure.

XSS Opnform
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11417 LOW POC Monitor

Unrestricted file upload in Campcodes Advanced Online Voting System 1.0 allows authenticated attackers to upload arbitrary files via manipulation of the photo parameter in /admin/voters_add.php. The vulnerability requires valid login credentials (PR:L) but affects confidentiality, integrity, and availability with low severity. Publicly available exploit code exists; however, EPSS score of 0.04% indicates minimal real-world exploitation probability despite public POC availability.

PHP Authentication Bypass File Upload Advanced Online Voting System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11438 LOW POC PATCH Monitor

Missing authorization in OpnForm up to version 1.9.3 allows authenticated remote attackers to access the /custom-domains API endpoint without proper permission checks, potentially enabling unauthorized configuration changes. The vulnerability affects unknown code handling custom domain management and is confirmed to have publicly available exploit code, though with a low CVSS score (2.1) and minimal exploitation probability (EPSS 0.04%), indicating limited real-world risk despite the authentication bypass nature.

Authentication Bypass Opnform
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11487 LOW POC Monitor

SQL injection in SourceCodester Farm Management System 1.0 allows authenticated remote attackers to manipulate the Type parameter in /uploadProduct.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability has a low CVSS score (2.1) and EPSS score (0.04%) despite public exploit availability, indicating minimal real-world exploitation risk due to the requirement for prior authentication and constrained impact scope.

PHP SQLi Farm Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11481 LOW POC Monitor

SQL injection in Blood Bank And Donation Management System allows authenticated remote attackers to manipulate the fullname parameter in /donate_blood.php, potentially leading to unauthorized data access or modification. The vulnerability affects all versions up to commit dc9e0393d826fbc85fad9755b5bc12cba1919df2, with publicly available exploit code and a low EPSS score of 0.03% despite CVSS 2.1, indicating exploitation is unlikely in practice due to authentication requirements and limited technical impact.

PHP SQLi Blood Bank And Donation Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11511 LOW POC Monitor

SQL injection in E-Commerce Website 1.0 allows authenticated remote attackers to manipulate the supp_email parameter in /pages/supplier_add.php, achieving limited information disclosure and integrity violation. The vulnerability requires login credentials (PR:L in CVSS 4.0 vector) but can be exploited over the network with low complexity. Publicly available exploit code exists, though EPSS scoring (0.03%) suggests minimal real-world exploitation despite proof-of-concept availability.

PHP SQLi E Commerce Website
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11509 LOW POC Monitor

SQL injection in E-Commerce Website 1.0 allows authenticated remote attackers to manipulate the prod_name parameter in /pages/product_add.php, leading to limited confidentiality, integrity, and availability impact. The vulnerability has low real-world risk despite public exploit availability due to low EPSS score (0.03%, 8th percentile) and requirement for prior authentication, suggesting exploitation is unlikely in typical deployments.

PHP SQLi E Commerce Website
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11431 LOW POC Monitor

SQL injection in code-projects Web-Based Inventory and POS System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the shopid parameter in /transaction.php, resulting in limited data confidentiality, integrity, and availability impact. The CVSS 2.1 score reflects low severity due to authentication requirement and constrained scope, but publicly available exploit code exists and the vulnerability has been publicly disclosed.

PHP SQLi Web Based Inventory And Pos System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11440 LOW POC PATCH Monitor

Improper access controls in OpnForm versions up to 1.9.3 allow authenticated remote attackers to manipulate the /edit function, gaining unauthorized access to resources or functionality. The CVSS score of 2.1 reflects low severity due to authentication requirements and limited confidentiality impact, though the exploit has been publicly disclosed and an upstream patch is available. Real-world risk is minimal given the low EPSS score (0.03%, 8th percentile) despite public POC availability.

Information Disclosure Opnform
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11439 LOW POC PATCH Monitor

Missing authorization in OpnForm up to version 1.9.3 allows authenticated remote attackers to manipulate the /show/integrations endpoint, bypassing access controls and potentially exposing integration configurations with limited confidentiality impact. The vulnerability requires low-privilege authentication (PR:L per CVSS 4.0 vector), limiting its severity despite public exploit availability; EPSS score of 0.03% indicates minimal real-world exploitation likelihood despite POC publication.

Authentication Bypass Opnform
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11486 LOW POC Monitor

SQL injection in SourceCodester Farm Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /buyNow.php, enabling data exfiltration or modification with limited impact. The vulnerability is exploitable via network access without elevated privileges, publicly available exploit code exists, but real-world risk remains low due to authentication requirement and constrained scope (limited confidentiality, integrity, and availability impact per CVSS4.0 scoring).

PHP SQLi Farm Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11478 LOW POC Monitor

SQL injection in SourceCodester Farm Management System 1.0 allows authenticated remote attackers to manipulate the pid parameter in /myCart.php, enabling database queries with limited confidentiality and integrity impact. Public exploit code exists, though the EPSS score of 0.03% suggests minimal real-world exploitation despite the availability of proof-of-concept.

PHP SQLi Farm Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11474 LOW POC Monitor

SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /edit_booking.php, resulting in limited confidentiality and integrity impact. The vulnerability has public exploit code available but carries exceptionally low EPSS exploitation probability (0.03%, 8th percentile), suggesting minimal real-world threat despite network accessibility and low attack complexity.

PHP SQLi Hotel And Lodge Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11469 LOW POC Monitor

SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to manipulate the Contact parameter in /pages/save_customer.php, enabling data exfiltration or modification with limited scope impact. Publicly available exploit code exists and the vulnerability carries a low CVSS score (2.1) due to requirement for prior authentication and limited technical impact, though the public exploit availability increases practical exploitation risk for unpatched instances.

PHP SQLi Hotel And Lodge Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11470 LOW POC Monitor

Unrestricted file upload in SourceCodester Hotel and Lodge Management System version 1.0 allows high-privileged authenticated attackers to upload arbitrary files via the website_image or back_login_image parameters in /manage_website.php, potentially enabling remote code execution. Publicly available exploit code exists, though the low CVSS score of 2.0 reflects the requirement for high-level administrative privileges to trigger the vulnerability.

PHP Authentication Bypass File Upload Hotel And Lodge Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-11508 LOW POC Monitor

Unrestricted file upload in code-projects Voting System 1.0 allows authenticated high-privilege administrators to upload arbitrary files via the photo parameter in /admin/voters_add.php, potentially leading to remote code execution. The vulnerability requires high-privilege credentials (PR:H) to exploit and affects only administrative functions; publicly available exploit code exists but exploitation is limited to admin-authenticated attackers with access to the administrative interface.

PHP Authentication Bypass File Upload Voting System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-11433 LOW POC Monitor

Reflected cross-site scripting (XSS) in itsourcecode Leave Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID query parameter in /module/employee/controller.php?action=reset, requiring user interaction to execute. Public exploit code is available, though the vulnerability carries low real-world risk (EPSS 0.03%, CVSS 2.0) due to authentication and user-interaction requirements limiting broad exploitation.

PHP XSS Leave Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11421 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Voting System 1.0 allows authenticated users with low privileges to inject malicious scripts via the Firstname, Lastname, or Platform parameters in /admin/candidates_edit.php, which execute in the context of other users' browsers when the edited candidate record is viewed. The vulnerability requires user interaction (UI:P) but affects integrity of data displayed to administrators. Exploit code is publicly available on GitHub, though EPSS score of 0.03% indicates limited real-world exploitation despite published POC.

PHP XSS Voting System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11494 LOW POC PATCH Monitor

Out-of-bounds read in GNU Binutils 2.45 linker component allows local authenticated attackers to trigger memory access violations via crafted input to the _bfd_x86_elf_late_size_sections function in bfd/elfxx-x86.c. The vulnerability has publicly available exploit code and requires local access with limited privileges; real-world impact is minimal availability loss (CVSS 1.9, EPSS 0.03%) rather than confidentiality or integrity compromise.

Buffer Overflow
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11485 LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Student Grades Management System 1.0 allows authenticated administrators with high privileges to inject malicious scripts via the first_name or last_name parameters in the Manage Users Page (/admin.php), which are then executed when viewed by other users. The vulnerability requires administrator authentication and user interaction (page view), limiting real-world impact despite public exploit availability. EPSS exploitation probability is extremely low (0.03%, 9th percentile), reflecting the restrictive access controls (PR:H) and user interaction requirement (UI:P) despite network-accessible delivery.

PHP XSS Student Grades Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11437 LOW POC Monitor

Cross-site scripting vulnerability in JhumanJ OpnForm up to version 1.9.3 allows authenticated remote attackers with high privileges to inject malicious scripts via the Form Editor component at /api/open/forms/. The vulnerability requires user interaction to trigger and is mitigated by default when users configure their own domain. Publicly available exploit code exists, though real-world risk is severely constrained by the high privilege requirement, user interaction dependency, and vendor's default mitigation posture (CVSS 1.9, EPSS 0.03%).

XSS Opnform
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11425 LOW POC Monitor

Stored cross-site scripting in projectworlds Advanced Library Management System 1.0 allows authenticated users with high privileges to inject malicious scripts via the firstname parameter in /edit_admin.php, affecting other users who view admin profiles. Exploitation requires high-privilege authentication and user interaction (UI:P), limiting real-world impact despite network accessibility. Public exploit code exists and EPSS exploitation probability is minimal at 0.03%, suggesting this remains a low-priority vulnerability despite CVE assignment.

PHP XSS Advanced Library Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11495 LOW POC PATCH Monitor

Heap-based buffer overflow in GNU Binutils 2.45 linker component affects the elf_x86_64_relocate_section function, allowing authenticated local attackers to cause availability impact with low complexity exploitation. CVSS score of 1.9 reflects limited scope (availability only, no confidentiality or integrity impact), though publicly available exploit code exists and patch has been released by the upstream project.

Buffer Overflow
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-11489 LOW POC Monitor

Symlink following in DesktopCommanderMCP up to version 0.2.13 allows local authenticated attackers to read files outside intended directory boundaries through the isPathAllowed function in filesystem.ts. The vulnerability requires local access and authenticated user privileges, with high attack complexity and low exploitability difficulty despite public availability of proof-of-concept code. This affects only unsupported product versions and carries minimal real-world risk (CVSS 1.1, EPSS 0.02%), though the vendor acknowledges the issue as a guardrail limitation rather than a hardened security boundary.

Docker Information Disclosure Desktopcommandermcp
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2025-11445 LOW Monitor

Code injection in the ClineProvider prompt handler of Kilo Code up to version 4.86.0 allows remote attackers with user interaction to manipulate input prompts and inject arbitrary code. The vulnerability affects the prompt processing component through insufficient input validation in src/core/webview/ClineProvider.ts. Public exploit code is available, and a patch has been released by the vendor, though the low CVSS score (2.1) and minimal EPSS percentile (12%) suggest limited real-world exploitation risk despite public availability.

Code Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy