16 CVEs tracked today. 0 Critical, 2 High, 7 Medium, 7 Low.
-
CVE-2025-52650
HIGH
CVSS 8.2
An "inline script execution allowed in CSP" vulnerability has been identified in HCL AION v2.0.
Information Disclosure
Aion
-
CVE-2025-48043
HIGH
CVSS 8.6
Authentication bypass in Ash framework (Elixir) allows authenticated users to escalate privileges and access unauthorized data by exploiting incorrect authorization checks in the policy authorizer. Affects all versions before 3.6.2. EPSS data not yet available for this recent CVE. No confirmed active exploitation (CISA KEV status: not listed), though the issue is tagged as Authentication Bypass with a GitHub security advisory indicating vendor awareness and patching.
Authentication Bypass
-
CVE-2025-52632
MEDIUM
CVSS 6.5
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.
Information Disclosure
Aion
-
CVE-2025-52624
MEDIUM
CVSS 5.4
A bypass of the script allowlist configuration vulnerability in HCL AION.
An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks. This issue affects AION: 2.0.
XSS
Aion
-
CVE-2025-11585
MEDIUM
CVSS 5.5
A vulnerability was found in code-projects Project Monitoring System 1.0. The impacted element is an unknown function of the file /useredit.php. The manipulation of the argument uid results in SQL injection. The attack can be executed remotely. The exploit has been made public and could be used.
PHP
SQLi
Project Monitoring System
-
CVE-2025-11584
MEDIUM
CVSS 5.5
A vulnerability has been found in code-projects Online Job Search Engine 1.0. The affected element is an unknown function of the file /searchjob.php. The manipulation of the argument txtspecialization leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclos...
PHP
SQLi
Online Job Search Engine
-
CVE-2025-11583
MEDIUM
CVSS 5.5
A flaw has been found in code-projects Online Job Search Engine 1.0. Impacted is an unknown function of the file /postjob.php. Executing manipulation of the argument txtjobID can lead to SQL injection. The attack may be launched remotely. The exploit has been published and may be used.
PHP
SQLi
Online Job Search Engine
-
CVE-2025-11582
MEDIUM
CVSS 5.5
A vulnerability was detected in code-projects Online Job Search Engine 1.0. This issue affects some unknown processing of the file /registration.php. Performing manipulation of the argument txtusername results in SQL injection. The attack may be initiated remotely. The exploit is now public and may ...
PHP
SQLi
Online Job Search Engine
-
CVE-2025-9551
MEDIUM
CVSS 6.5
Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5.
PHP
Drupal
Brute Force
Protected Pages
-
CVE-2025-52635
LOW
CVSS 3.7
A "Trusted Types in scripts not enforced in CSP" vulnerability has been identified in HCL AION. This issue affects AION: 2.0.
Information Disclosure
Aion
-
CVE-2025-52634
LOW
CVSS 3.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION. This issue affects HCL AION: 2.0.
Information Disclosure
Aion
-
CVE-2025-52630
LOW
CVSS 3.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION. This issue affects AION: 2.0.
Information Disclosure
Aion
-
CVE-2025-52625
LOW
CVSS 3.7
HCL AION 2.0 improperly caches sensitive SSL/HTTPS page content, allowing attackers or local users with device or browser access to retrieve cached credentials, system identifiers, and internal file paths. The vulnerability has a CVSS score of 3.7 (low severity) due to high attack complexity and local/physical access requirements, with no public exploit or active exploitation confirmed.
Information Disclosure
Aion
-
CVE-2025-11589
LOW
CVSS 2.1
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the plan parameter in /admin/user-payment.php, resulting in limited data access. The vulnerability requires valid login credentials and has low real-world impact due to constrained scope (no server impact, no integrity violation), though publicly available exploit code exists and exploitation probability is minimal per EPSS analysis.
PHP
SQLi
Gym Management System
-
CVE-2025-11588
LOW
CVSS 2.1
SQL injection in CodeAstro Gym Management System 1.0 via the fullname parameter in /customer/index.php allows authenticated remote attackers to execute arbitrary SQL queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the EPSS score of 0.03% (8th percentile) suggests minimal real-world exploitation despite public POC availability, likely due to authentication requirement and narrow deployment scope of this niche management application.
PHP
SQLi
Gym Management System
-
CVE-2025-11570
LOW
CVSS 1.9
Cross-site scripting (XSS) in drupal-pattern-lab/unified-twig-extensions (all versions from 0.0.0) allows authenticated users to inject malicious scripts through insufficient output filtering, but only when the code is executed outside of Drupal environments such as Pattern Lab. The package is unmaintained; the vulnerability is fixed in the successor drupal/unified_twig_ext version 1.1.1. EPSS exploitation probability is extremely low at 0.02%, and no public exploit code has been identified.
XSS