Skip to main content
CVE-2025-60304 MEDIUM POC This Month

Stored Cross-Site Scripting in code-projects Simple Scheduling System 1.0 allows an attacker to inject arbitrary JavaScript via the Subject Description field, which executes in victims' browsers when they view the affected page. The scope change in the CVSS vector (S:C) confirms the script runs in a different security context than where the payload is injected, enabling session hijacking, credential theft, or malicious redirects against users of the application. A publicly available proof-of-concept exploit exists, though exploitation probability remains low (EPSS 0.22%) and no confirmed active exploitation is recorded.

XSS Simple Scheduling System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-60302 MEDIUM POC This Month

Stored cross-site scripting in code-projects Client Details System 1.0 allows an attacker who can submit customer records to persist malicious JavaScript in the username field, which then executes in the browser of any user who subsequently views that record. The CVSS scope change (S:C) indicates the payload crosses from the application's trust boundary into a victim's browser session, enabling session hijacking or credential theft against administrative users. A publicly available proof-of-concept exists, though no CISA KEV listing has been issued and the EPSS score of 0.22% (12th percentile) reflects low observed exploitation activity.

XSS Client Details System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-11550 MEDIUM POC This Month

A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.

Tenda Denial Of Service W12 Firmware
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2025-11529 MEDIUM POC PATCH This Month

A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue.

PHP Authentication Bypass Churchcrm
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-11513 MEDIUM POC This Month

A vulnerability was determined in code-projects E-Commerce Website 1.0. This affects an unknown part of the file /pages/supplier_update.php. This manipulation of the argument supp_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi E Commerce Website
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11557 MEDIUM POC This Month

A vulnerability has been found in projectworlds Gate Pass Management System 1.0. This issue affects some unknown processing of the file /add-pass.php. Such manipulation of the argument fullname leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Gate Pass Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11558 MEDIUM POC This Month

A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/user_index_search.php. Performing manipulation of the argument Search results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

PHP SQLi E Commerce Website
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11556 MEDIUM POC This Month

A flaw has been found in code-projects Simple Leave Manager 1.0. This vulnerability affects unknown code of the file /user.php. This manipulation of the argument table causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

PHP SQLi Simple Leave Manager
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11555 MEDIUM POC This Month

A vulnerability was detected in Campcodes Online Learning Management System 1.0. This affects an unknown part of the file /admin/calendar_of_events.php. The manipulation of the argument date_start results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-4615 MEDIUM This Month

Improper input neutralization in Palo Alto Networks PAN-OS management web interface allows authenticated high-privilege administrators to bypass system restrictions and execute arbitrary commands through command injection. The vulnerability affects PAN-OS across multiple versions (specific version ranges not independently confirmed from provided data), with a low EPSS exploitation probability (0.06%, 17th percentile) and no confirmed active exploitation or public proof-of-concept. Risk is significantly reduced when CLI access is restricted to a limited administrator group; Cloud NGFW and Prisma Access are unaffected.

Paloalto RCE Authentication Bypass Command Injection Pan Os
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy