Skip to main content
CVE-2025-60305 HIGH POC This Week

Privilege escalation in SourceCodester Online Student Clearance System 1.0 allows an authenticated low-privilege user to forge a high-privileged (administrator) session through a broken access-control logic flaw and then perform sensitive administrative operations. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and carries a modest EPSS score of 0.40% (32nd percentile), indicating no evidence of widespread active exploitation yet. The flaw is authenticated (PR:L) but network-reachable and low-complexity, yielding full confidentiality, integrity, and availability impact.

Authentication Bypass Online Student Clearance System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-60378 HIGH POC This Week

Stored HTML/script injection in RISE Ultimate Project Manager & CRM (vendor fairsketch) lets authenticated low-privilege users embed attacker-controlled markup into invoices and messages that later renders in outbound emails, generated PDFs, and the in-app messaging/chat modules delivered to clients and staff. Because injected content is stored server-side and redistributed-amplified by automated recurring invoices-it functions as a persistent phishing and credential-harvesting vector rather than a memory-corruption bug. Publicly available exploit code exists (GitHub PoC), but there is no public exploit identified as actively used in the wild, and the EPSS probability is modest at 1.06% (61st percentile).

XSS Rise Ultimate Project Manager
NVD GitHub
CVSS 3.1
8.1
EPSS
1.1%
CVE-2025-48043 HIGH GHSA This Week

Authentication bypass in Ash framework (Elixir) allows authenticated users to escalate privileges and access unauthorized data by exploiting incorrect authorization checks in the policy authorizer. Affects all versions before 3.6.2. EPSS data not yet available for this recent CVE. No confirmed active exploitation (CISA KEV status: not listed), though the issue is tagged as Authentication Bypass with a GitHub security advisory indicating vendor awareness and patching.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-52650 HIGH This Week

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

Information Disclosure Aion
NVD
CVSS 3.1
8.2
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy