28 CVEs tracked today. 0 Critical, 0 High, 12 Medium, 16 Low.
-
CVE-2025-11615
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Best Salon Management System 1.0 in an unspecified part of the file /panel/add_invoice.php: manipulating the ServiceId argument leads to SQL injection. Remote exploitation is possible. The exploit has been rel...
PHP
SQLi
Best Salon Management System
-
CVE-2025-11614
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Best Salon Management System 1.0 in unspecified functionality of the file /panel/edit-appointment.php: manipulating the editid argument leads to SQL injection. The attack may be launched remotely. The exploit is public...
PHP
SQLi
Best Salon Management System
-
CVE-2025-11608
MEDIUM
CVSS 5.5
SQL injection in code-projects E-Banking System 1.0 in an unspecified function of the file /register.php (POST Parameter Handler component): manipulating the username/password arguments leads to SQL injection. It is possible to initiate the attack remot...
PHP
SQLi
Simple E Banking System
-
CVE-2025-11604
MEDIUM
CVSS 5.5
SQL injection in projectworlds Online Ordering Food System 1.0 in unspecified processing of the file /all-orders.php: manipulating the Status argument leads to SQL injection. Remote exploitation is possible. The exploit has been publicly disclos...
PHP
SQLi
Online Food Ordering System
-
CVE-2025-11601
MEDIUM
CVSS 5.5
SQL injection in SourceCodester Online Student Result System 1.0 in unspecified functionality of the file /login.php: manipulating the Username argument leads to SQL injection. The attack can be initiated remotely. The exploit is now publ...
PHP
SQLi
Online Student Result System
-
CVE-2025-11599
MEDIUM
CVSS 5.5
SQL injection in Campcodes Online Apartment Visitor Management System 1.0 in an unspecified function of the file /forgot-password.php: manipulating the email argument leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been made avail...
PHP
SQLi
Online Apartment Visitor Management System
-
CVE-2025-11596
MEDIUM
CVSS 5.5
SQL injection in code-projects E-Commerce Website 1.0 in an unspecified function of the file /pages/delete_order_details.php: manipulating the order_id argument leads to SQL injection. The attack can be executed remotely. The exploit has been public...
PHP
SQLi
E Commerce Website
-
CVE-2025-10175
MEDIUM
CVSS 6.5
SQL injection in the WP Links Page plugin for WordPress (all versions up to 4.9.6) allows authenticated attackers with Subscriber-level access and above to extract sensitive database information via the unescaped 'id' parameter. The vulnerability stems from insufficient input sanitization and the absence of prepared statements, letting attackers append arbitrary SQL to existing queries. CVSS 6.5 reflects the high confidentiality impact of authenticated remote exploitation with low attack complexity; no public exploit code or active exploitation has been confirmed at analysis time.
WordPress
SQLi
-
CVE-2025-10167
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in the Stock History & Reports Manager for WooCommerce plugin, versions up to 2.2.2, allows authenticated contributors and above to inject arbitrary JavaScript through the 'alg_wc_stock_snapshot_restocked' shortcode attributes, due to insufficient input sanitization and output escaping. When a page containing the injected shortcode is viewed, the script runs in the browser of every visitor to that page, enabling credential theft, malware distribution, or account takeover. No public exploit code or active exploitation has been confirmed at the time of analysis.
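How a shortcode-attribute XSS of the kind described above arises, and how it is fixed, as an added illustration that is not code from the plugin: a minimal WordPress shortcode handler in which the shortcode name (`restocked_note`) and its attributes are assumed for the example. The fix sanitizes the value on the way in and escapes it for the exact HTML context it lands in.

```php
<?php
// Added illustration; not code from the Stock History & Reports Manager plugin.
// The shortcode name and its `label`/`class` attributes are assumed.

// Vulnerable: attribute values go straight into the markup. WordPress lets a
// contributor quote an attribute with single quotes, so a value such as
//   class='note" onmouseover="alert(document.cookie)'
// passes content filtering (it is not an HTML tag while it sits inside the
// shortcode) and becomes a live event handler once the shortcode renders.
function restocked_note_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Restocked', 'class' => 'restock-note' ),
        $atts,
        'restocked_note'
    );
    return '<span class="' . $atts['class'] . '">' . $atts['label'] . '</span>';
}

// Hardened: sanitize on input, escape on output, per context.
function restocked_note_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Restocked', 'class' => 'restock-note' ),
        $atts,
        'restocked_note'
    );

    // A class must be one valid HTML class token; anything else becomes the fallback.
    $class = sanitize_html_class( $atts['class'], 'restock-note' );

    // Attribute context: esc_attr(). Text-node context: esc_html().
    return sprintf(
        '<span class="%s">%s</span>',
        esc_attr( $class ),
        esc_html( $atts['label'] )
    );
}

add_shortcode( 'restocked_note', 'restocked_note_safe' );
```

`shortcode_atts()`, `sanitize_html_class()`, `esc_attr()` and `esc_html()` are WordPress core functions. If the label is meant to carry limited markup, replace `esc_html()` with `wp_kses_post()` rather than dropping the escaping; the attribute side should never accept markup.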
WordPress
XSS
-
CVE-2025-9975
MEDIUM
CVSS 6.8
Server-Side Request Forgery (SSRF) in the WP Scraper WordPress plugin, versions up to 5.8.1, allows authenticated administrators to make arbitrary web requests from the affected server, enabling reconnaissance of internal services, theft of cloud instance metadata, and potential information disclosure. The vulnerability exists in the wp_scraper_extract_content function and requires administrator privileges to exploit, making it a post-authentication reconnaissance and lateral movement vector for compromised administrator accounts.
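The checks a server-side fetch like the one above still needs even when it is admin-only, as an added illustration that is not code from WP Scraper: the function names and the `scraper_allowed_hosts` filter are assumed for the example. The plain-PHP pre-check refuses credentials in the URL, non-http(s) schemes, hosts outside an allowlist, and any target that is or resolves to a loopback, private, link-local or reserved address; the fetch itself then goes through `wp_safe_remote_get()`.

```php
<?php
// Added illustration; not code from the WP Scraper plugin. Function names and
// the `scraper_allowed_hosts` filter are assumed for the example.

// Vulnerable shape: the URL from the admin form is fetched as-is from the
// server, which sits inside the hosting network. http://169.254.169.254/
// (cloud instance metadata), http://127.0.0.1:<port>/ and internal hostnames
// are all reachable from there.
function scraper_fetch_vulnerable( $url ) {
    $resp = wp_remote_get( $url );
    return is_wp_error( $resp ) ? '' : wp_remote_retrieve_body( $resp );
}

// Plain-PHP pre-check: http(s) only, no credentials in the URL, optional host
// allowlist, and no target that is (or resolves to) a loopback, private,
// link-local or otherwise reserved address.
function scraper_url_is_allowed( $url, array $allowed_hosts = array() ) {
    $p = parse_url( $url );
    if ( ! is_array( $p ) || empty( $p['host'] ) || isset( $p['user'] ) || isset( $p['pass'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $p['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    $host = strtolower( rtrim( $p['host'], '.' ) );
    if ( $allowed_hosts && ! in_array( $host, $allowed_hosts, true ) ) {
        return false;
    }
    // A literal IPv4 address stands for itself; otherwise resolve it now.
    // gethostbynamel() returns A records only, so IPv6-only hosts and bracketed
    // IPv6 literals are refused here; that is deliberately conservative.
    $ips = filter_var( $host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 )
        ? array( $host )
        : gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        // Rejects 10/8, 172.16/12, 192.168/16 (private) and 0/8, 127/8,
        // 169.254/16, 240/4 (reserved).
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

// Hardened fetch for an admin-only feature: capability check, pre-check, then
// wp_safe_remote_get(), which re-validates the URL with wp_http_validate_url()
// and applies that validation to every redirect hop as well.
function scraper_fetch_safe( $url ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    if ( ! scraper_url_is_allowed( $url, apply_filters( 'scraper_allowed_hosts', array() ) ) ) {
        return '';
    }
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 2 ) );
    if ( is_wp_error( $resp ) || 200 !== (int) wp_remote_retrieve_response_code( $resp ) ) {
        return '';
    }
    return wp_remote_retrieve_body( $resp );
}
```

`wp_http_validate_url()` rejects loopback and RFC 1918 targets and non-standard ports, so `wp_safe_remote_get()` alone already closes most of this; the pre-check adds the link-local range that hosts the cloud metadata endpoint and the allowlist. Two caveats a practitioner should keep in mind: a hostname can resolve differently between the check and the request (DNS rebinding), which only pinning the resolved address for the request or routing through an egress proxy fully prevents; and an admin-only endpoint must also carry a nonce (`check_admin_referer()`), otherwise "requires administrator privileges" is satisfied by any logged-in admin who visits an attacker's page.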
WordPress
SSRF
-
CVE-2025-9950
MEDIUM
CVSS 4.9
Directory traversal in the Error Log Viewer plugin for WordPress (versions up to 1.1.6) allows authenticated administrators to read arbitrary files on the server via the rrrlgvwr_get_file function. The root cause is insufficient path validation (CWE-22); the CVSS score of 4.9 reflects high confidentiality impact offset by the administrator privilege requirement. No public exploit code or active exploitation has been identified at the time of analysis.
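What "insufficient path validation" looks like for a log viewer and how to validate the path properly, as an added illustration that is not the plugin's code: a read-file helper that takes the log directory as a parameter, with a constructed temporary layout so the script runs stand-alone. Function names are assumed.

```php
<?php
declare(strict_types=1);
// Added illustration; not the Error Log Viewer plugin's code. A "get file"
// helper with the base directory passed in, plus a constructed temp layout so
// the script runs stand-alone.

// Vulnerable: the request value is joined onto the log directory unchanged, so
// file=../secret.txt (or ../../wp-config.php on a real site) reads outside it.
function log_file_read_vulnerable(string $logDir, string $file): string
{
    return (string) @file_get_contents($logDir . '/' . $file);
}

// Hardened: accept only a bare *.log file name, then confirm with realpath()
// that the resolved path (symlinks and ".." included) is still inside $logDir.
function log_file_read_safe(string $logDir, string $file): ?string
{
    $base = realpath($logDir);
    if ($base === false) {
        return null;
    }
    if (strpbrk($file, "\0/\\") !== false        // no NUL bytes, no separators
        || $file === '' || $file[0] === '.'      // no empty name, no dotfiles, no ".."
        || !preg_match('/^[A-Za-z0-9._-]+\.log$/', $file)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return (string) file_get_contents($path);
}

// Constructed layout: <tmp>/logs/app.log and <tmp>/secret.txt one level up.
$root = sys_get_temp_dir() . '/lv-' . bin2hex(random_bytes(4));
mkdir("$root/logs", 0700, true);
file_put_contents("$root/logs/app.log", "PHP Warning: something\n");
file_put_contents("$root/secret.txt", "DB_PASSWORD=hunter2\n");

// The same traversal attempt against both versions, then a legitimate name.
var_dump(log_file_read_vulnerable("$root/logs", '../secret.txt'));
var_dump(log_file_read_safe("$root/logs", '../secret.txt'));
var_dump(log_file_read_safe("$root/logs", 'app.log'));
```

The prefix comparison uses `$base . DIRECTORY_SEPARATOR` rather than `$base` alone so that a sibling directory such as `logs-old` does not pass, and `realpath()` is applied to both sides so symlinks inside the log directory cannot point the read elsewhere. The allowlist regex is the first line of defence; the `realpath()` check is what holds if the regex is ever loosened.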
WordPress
Path Traversal
-
CVE-2025-8484
MEDIUM
CVSS 5.3
Unauthenticated attackers can access sensitive information through publicly exposed log files in the Code Quality Control Tool WordPress plugin versions 2.1 and earlier, due to inadequate access controls on the error_logger.php component. The vulnerability allows remote attackers to read potentially sensitive data without authentication or user interaction, presenting a confidentiality risk to WordPress installations using affected versions.
WordPress
Information Disclosure
-
CVE-2025-11613
LOW
CVSS 2.1
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the cname parameter in /addcategory.php, affecting data confidentiality and integrity. Public exploit code is available, but the impact is rated low across confidentiality, integrity and availability, and the EPSS score of 0.03% (8th percentile) suggests minimal real-world exploitation likelihood despite the public proof of concept.
PHP
SQLi
Simple Food Ordering System
-
CVE-2025-11612
LOW
CVSS 2.1
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter in /addproduct.php. Practical risk is low: exploitation requires prior authentication and the confidentiality and integrity impact is minimal, hence the CVSS 2.1 score. A public proof of concept exists, but the EPSS exploitation probability of 0.03% suggests limited real-world attacker interest.
PHP
SQLi
Simple Food Ordering System
-
CVE-2025-11611
LOW
CVSS 2.1
SQL injection in SourceCodester Simple Inventory System 1.0 via the uemail parameter in /user.php allows authenticated remote attackers to manipulate database queries with low impact. CVSS 2.1 reflects the authentication requirement and limited impact; a public exploit exists, but an EPSS score in the 8th percentile indicates below-average real-world exploitation likelihood despite the proof of concept.
PHP
SQLi
Simple Inventory System
-
CVE-2025-11610
LOW
CVSS 2.1
SQL injection in SourceCodester Simple Inventory System 1.0 via the editBrandName parameter in /brand.php allows authenticated remote attackers to manipulate database queries with low confidentiality, integrity, and availability impact. The CVSS 2.1 score reflects the authentication requirement and the low impact on all three properties; public exploit code exists, but the EPSS score of 0.03% (8th percentile) indicates minimal real-world exploitation probability.
PHP
SQLi
Simple Inventory System
-
CVE-2025-11609
LOW
CVSS 2.9
Hard-coded session secret in the express-session configuration of code-projects Hospital Management System 1.0 allows remote attackers to bypass session security and disclose sensitive information. Because the secret that signs session cookies is fixed in the source code, anyone who reads it can forge validly signed session cookies. A public exploit exists, but the attack is rated high complexity, reflected in the low CVSS 2.9 score and minimal EPSS probability (0.19%), suggesting limited real-world risk despite the information disclosure impact.
Information Disclosure
Hospital Management System
-
CVE-2025-11607
LOW
CVSS 2.1
Path traversal vulnerability in MoneyPrinterTurbo up to version 1.2.6 allows authenticated remote attackers to manipulate file upload parameters in the music API endpoint, enabling arbitrary file write operations with limited confidentiality and integrity impact. Publicly available exploit code exists and the vulnerability has low EPSS exploitation probability (0.09%, 26th percentile), suggesting limited real-world weaponization despite proof-of-concept availability.
Path Traversal
Moneyprinterturbo
-
CVE-2025-11606
LOW
CVSS 2.1
SQL injection in the Search component of iPynch Social Network allows authenticated remote attackers to manipulate queries and access or modify database content with low attack complexity. The vulnerability affects the product up to commit b6933b6d7f82c84819abe458ccf0e59d61119541, and public exploit code has been released. The EPSS score of 0.03% and CVSS base score of 2.1 nonetheless suggest limited real-world exploitation probability despite the low attack complexity and public proof of concept.
SQLi
-
CVE-2025-11605
LOW
CVSS 2.1
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the uid parameter in /admin/update-profile.php, enabling arbitrary database queries with limited confidentiality and integrity impact. Publicly available exploit code exists; however, the EPSS score of 0.04% and CVSS 2.1 severity indicate low real-world exploitation probability despite low barriers to attack (network-accessible, low complexity, no user interaction required).
PHP
SQLi
Client Details System
-
CVE-2025-11603
LOW
CVSS 2.1
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter in /editproduct.php, with publicly available exploit code demonstrating the vulnerability. The low CVSS score of 2.1 reflects that exploitation requires valid credentials and yields limited confidentiality impact, consistent with the minimal EPSS exploitation probability of 0.03%.
PHP
SQLi
Simple Food Ordering System
-
CVE-2025-11600
LOW
CVSS 2.1
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the cname parameter in editcategory.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists; however, the EPSS score of 0.03% indicates minimal real-world exploitation probability despite remote network accessibility and low attack complexity.
PHP
SQLi
Simple Food Ordering System
-
CVE-2025-11597
LOW
CVSS 2.1
SQL injection in code-projects E-Commerce Website 1.0 allows authenticated remote attackers to manipulate the prod_id parameter in /pages/product_add_qty.php, potentially leading to unauthorized database access or data disclosure. The vulnerability has a CVSS score of 2.1 with low impact across confidentiality, integrity, and availability, but public exploit code exists and may lower the exploitation barrier despite the requirement for prior authentication.
PHP
SQLi
E Commerce Website
-
CVE-2025-11595
LOW
CVSS 2.0
SQL injection in Campcodes Online Apartment Visitor Management System 1.0 allows high-privileged remote attackers to manipulate the mobilenumber parameter in /admin-profile.php, potentially leading to unauthorized database access or modification. The vulnerability requires administrative privileges to exploit and has limited confidentiality and integrity impact; public exploit code is available but real-world exploitation risk remains low due to EPSS score of 0.03% and the administrative access prerequisite.
PHP
SQLi
Online Apartment Visitor Management System
-
CVE-2025-11593
LOW
CVSS 2.1
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/actions/delete-equipment.php. The vulnerability requires valid user credentials (PR:L) and has publicly available exploit code; however, the EPSS score of 0.03% and limited impact scope (VC:L/VI:L/VA:L) indicate low real-world exploitation probability despite technical exploitability.
PHP
SQLi
Gym Management System
-
CVE-2025-11592
LOW
CVSS 2.1
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/edit-equipmentform.php. The vulnerability requires valid user credentials (privilege level L) but no user interaction. Publicly available exploit code exists, though EPSS indicates very low real-world exploitation probability (0.03%, 8th percentile). Despite the public POC, the CVSS 2.1 score and minimal impact scope (VC:L/VI:L/VA:L with no scope change) suggest limited practical risk in most deployments.
PHP
SQLi
Gym Management System
-
CVE-2025-11591
LOW
CVSS 2.1
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/actions/delete-member.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires valid administrative credentials and carries a CVSS score of 2.1 with low confidentiality and integrity impact and no availability impact. Publicly available exploit code exists, but the EPSS score of 0.03% indicates minimal real-world exploitation probability.
PHP
SQLi
Gym Management System
-
CVE-2025-11590
LOW
CVSS 2.1
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ename parameter in /admin/equipment-entry.php, enabling database query modification with low confidentiality, integrity, and availability impact. Publicly available exploit code exists but real-world risk is minimal due to low EPSS score (0.03%, 8th percentile), limited scope impact, and requirement for authenticated access despite the network attack vector.
PHP
SQLi
Gym Management System
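The pattern shared by every SQL injection entry on this page (the SourceCodester, code-projects, Campcodes, projectworlds, CodeAstro and Simple Food Ordering System applications, and the WP Links Page `id` parameter), shown once as an added illustration that is not code from any of those projects: a request value interpolated into the SQL text, next to the prepared-statement form. Table and column names are assumed, and the database is an in-memory SQLite instance constructed here so the script runs stand-alone.

```php
<?php
declare(strict_types=1);
// Added illustration of the SQL injection pattern in the entries above; not
// code from any of the listed projects. Table/column names are assumed and the
// database is a constructed in-memory SQLite instance.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver prepare server-side where it can
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL NOT NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->prepare('INSERT INTO orders (total) VALUES (?)')->execute([19.99]);

// Vulnerable: the request value is interpolated into the SQL text, as in a
// /login.php that reads $_POST['Username']. The input  ' OR 1=1 --  turns the
// WHERE clause into  username = '' OR 1=1  and comments out the rest; a UNION
// SELECT in the same position pulls rows from any table the DB user can read.
function find_user_vulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the SQL template and the value travel separately, so the value is
// only ever compared as data. $wpdb->prepare() in WordPress does the same job.
function find_user_safe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric identifiers (id, order_id, prod_id, editid, ServiceId in the entries
// above): validate the type first, then bind as an integer.
function delete_order_safe(PDO $db, string $orderId): int
{
    if (!ctype_digit($orderId)) {
        throw new InvalidArgumentException('order_id must be a non-negative integer');
    }
    $stmt = $db->prepare('DELETE FROM orders WHERE id = :id');
    $stmt->bindValue(':id', (int) $orderId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$payload = "' OR 1=1 --";
var_dump(find_user_vulnerable($db, $payload)); // runs: ... WHERE username = '' OR 1=1 --'
var_dump(find_user_safe($db, $payload));       // compares the literal string as a username

var_dump(delete_order_safe($db, '1'));
try {
    delete_order_safe($db, '1 OR 1=1');          // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two details matter beyond "use prepared statements": keep `PDO::ATTR_EMULATE_PREPARES` off so the MySQL driver sends real server-side prepares instead of client-side quoting, and bind integers with `PDO::PARAM_INT` after checking the type, since identifiers like `order_id` are where the `UNION`-based variants in these advisories usually land. The same applies to `mysqli_prepare()`/`bind_param()` in the mysqli-based applications listed above.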