Skip to main content
CVE-2025-60306 CRITICAL POC Act Now

Privilege escalation in code-projects Simple Car Rental System 1.0 lets an authenticated low-privilege user forge a high-privilege (administrator) session and invoke sensitive operations reserved for privileged accounts. The flaw is a broken access-control / authentication-bypass issue (CWE-284) with a publicly available exploit, though it is not listed in CISA KEV and carries a low EPSS probability (0.38%, 30th percentile), indicating limited real-world exploitation to date. Any user able to authenticate at a basic level can effectively take over administrative functionality.

Authentication Bypass Simple Car Rental System
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-60307 CRITICAL POC Act Now

Authentication bypass via SQL injection in code-projects Computer Laboratory System 1.0 allows a remote unauthenticated attacker to log in as a valid user by submitting a crafted 'universal password' in the login form's Password field. The injected SQL manipulates the login query so the authentication check always evaluates true, granting access without valid credentials. Publicly available exploit code exists (PoC published on GitHub), though the low EPSS score (0.42%, 34th percentile) and absence from CISA KEV indicate no confirmed active exploitation at time of analysis.

SQLi Computer Laboratory System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-60305 HIGH POC This Week

Privilege escalation in SourceCodester Online Student Clearance System 1.0 allows an authenticated low-privilege user to forge a high-privileged (administrator) session through a broken access-control logic flaw and then perform sensitive administrative operations. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and carries a modest EPSS score of 0.40% (32nd percentile), indicating no evidence of widespread active exploitation yet. The flaw is authenticated (PR:L) but network-reachable and low-complexity, yielding full confidentiality, integrity, and availability impact.

Authentication Bypass Online Student Clearance System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-60378 HIGH POC This Week

Stored HTML/script injection in RISE Ultimate Project Manager & CRM (vendor fairsketch) lets authenticated low-privilege users embed attacker-controlled markup into invoices and messages that later renders in outbound emails, generated PDFs, and the in-app messaging/chat modules delivered to clients and staff. Because injected content is stored server-side and redistributed-amplified by automated recurring invoices-it functions as a persistent phishing and credential-harvesting vector rather than a memory-corruption bug. Publicly available exploit code exists (GitHub PoC), but there is no public exploit identified as actively used in the wild, and the EPSS probability is modest at 1.06% (61st percentile).

XSS Rise Ultimate Project Manager
NVD GitHub
CVSS 3.1
8.1
EPSS
1.1%
CVE-2025-11585 MEDIUM POC This Month

A vulnerability was found in code-projects Project Monitoring System 1.0. The impacted element is an unknown function of the file /useredit.php. The manipulation of the argument uid results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

PHP SQLi Project Monitoring System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11584 MEDIUM POC This Month

A vulnerability has been found in code-projects Online Job Search Engine 1.0. The affected element is an unknown function of the file /searchjob.php. The manipulation of the argument txtspecialization leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

PHP SQLi Online Job Search Engine
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11583 MEDIUM POC This Month

A flaw has been found in code-projects Online Job Search Engine 1.0. Impacted is an unknown function of the file /postjob.php. Executing manipulation of the argument txtjobID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

PHP SQLi Online Job Search Engine
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11582 MEDIUM POC This Month

A vulnerability was detected in code-projects Online Job Search Engine 1.0. This issue affects some unknown processing of the file /registration.php. Performing manipulation of the argument txtusername results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

PHP SQLi Online Job Search Engine
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-48043 HIGH GHSA This Week

Authentication bypass in Ash framework (Elixir) allows authenticated users to escalate privileges and access unauthorized data by exploiting incorrect authorization checks in the policy authorizer. Affects all versions before 3.6.2. EPSS data not yet available for this recent CVE. No confirmed active exploitation (CISA KEV status: not listed), though the issue is tagged as Authentication Bypass with a GitHub security advisory indicating vendor awareness and patching.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-52650 HIGH This Week

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

Information Disclosure Aion
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-60308 MEDIUM POC This Month

Stored Cross-Site Scripting in code-projects Simple Online Hotel Reservation System 1.0 allows a low-privileged attacker to inject persistent malicious JavaScript into the Add Room Description field, which executes in the administrator's browser session when room information is viewed, resulting in session cookie theft. The CVSS vector (PR:L/UI:R/S:C) confirms the attack requires authenticated access to add rooms and administrator interaction to trigger, but scope change to C:L reflects the realistic impact of session hijacking. A publicly available proof-of-concept exploit exists on GitHub, though no public exploitation has been confirmed and EPSS sits at a low 0.24th-percentile probability.

XSS Simple Online Hotel Reservation System
NVD GitHub
CVSS 3.1
4.1
EPSS
0.2%
CVE-2025-8886 MEDIUM This Month

Privilege abuse and authentication bypass in Aybs Interaktif (by Usta Information Systems Inc.) expose high-confidentiality and high-integrity impacts to local attackers who require no prior privileges. The vulnerability cluster - spanning incorrect permission assignment, missing authorization, incorrect authorization, and sensitive data exposure (CWE-200) - enables an actor with local system access to bypass access controls, potentially reading sensitive resources and modifying data without authorization. No public exploit or CISA KEV listing is identified at time of analysis, but the Turkish National CERT (USOM) has issued advisory TR-25-0329 covering all versions from 2024 through build 28082025.

Information Disclosure Authentication Bypass
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-60838 MEDIUM This Month

Arbitrary file upload in Mingsoft MCMS v6.0.1 enables remote code execution on the underlying server by uploading a crafted file - likely a JSP web shell - to a reachable endpoint. The NVD-assigned CVSS score of 6.5 with C:L/I:L impact subscores is materially inconsistent with the stated code execution impact, and this discrepancy should be independently verified. No public exploit has been confirmed as actively exploited per CISA KEV, though a Gist-based reference in NVD data may represent a proof-of-concept; EPSS is low at 0.28% (20th percentile), suggesting no widespread scanning or exploitation observed at time of analysis.

Command Injection File Upload RCE Mcms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-9551 MEDIUM PATCH This Month

Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5.

Drupal PHP Brute Force Protected Pages
NVD HeroDevs VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-52632 MEDIUM This Month

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

Information Disclosure Aion
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-11589 LOW POC Monitor

SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the plan parameter in /admin/user-payment.php, resulting in limited data access. The vulnerability requires valid login credentials and has low real-world impact due to constrained scope (no server impact, no integrity violation), though publicly available exploit code exists and exploitation probability is minimal per EPSS analysis.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11588 LOW POC Monitor

SQL injection in CodeAstro Gym Management System 1.0 via the fullname parameter in /customer/index.php allows authenticated remote attackers to execute arbitrary SQL queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the EPSS score of 0.03% (8th percentile) suggests minimal real-world exploitation despite public POC availability, likely due to authentication requirement and narrow deployment scope of this niche management application.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-8887 MEDIUM This Month

Authorization bypass and sensitive information disclosure in Usta Information Systems Inc. Aybs Interaktif allows a locally authenticated low-privilege user to access unauthorized data through forceful browsing, parameter injection, and input data manipulation. The vulnerability chain - CWE-639 (user-controlled key bypass) combined with CWE-862 (missing authorization) and CWE-200 (information disclosure) - permits manipulation of application parameters to circumvent access controls and retrieve sensitive records belonging to other users or restricted contexts. No confirmed active exploitation (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation pressure at time of analysis.

Information Disclosure
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-52624 MEDIUM This Month

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0.

XSS Aion
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-52635 LOW Monitor

A rusted types in scripts not enforced in CSP vulnerability has been identified in HCL AION.This issue affects AION: 2.0.

Information Disclosure Aion
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-52625 LOW Monitor

HCL AION 2.0 improperly caches sensitive SSL/HTTPS page content, allowing attackers or local users with device or browser access to retrieve cached credentials, system identifiers, and internal file paths. The vulnerability has a CVSS score of 3.7 (low severity) due to high attack complexity and local/physical access requirements, with no public exploit or active exploitation confirmed.

Information Disclosure Aion
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-52634 LOW Monitor

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.

Information Disclosure Aion
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-52630 LOW Monitor

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.

Information Disclosure Aion
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-11570 LOW Monitor

Cross-site scripting (XSS) in drupal-pattern-lab/unified-twig-extensions (all versions from 0.0.0) allows authenticated users to inject malicious scripts through insufficient output filtering, but only when the code is executed outside of Drupal environments such as Pattern Lab. The package is unmaintained; the vulnerability is fixed in the successor drupal/unified_twig_ext version 1.1.1. EPSS exploitation probability is extremely low at 0.02%, and no public exploit code has been identified.

XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy