11 CVEs tracked today. 0 Critical, 0 High, 1 Medium, 10 Low.
-
CVE-2025-11649
MEDIUM
CVSS 6.4
A vulnerability was found in Tomofun Furbo 360 and Furbo Mini in an unknown function of the Root Account Handler component. Manipulation results in use of a hard-coded password. The attack must be initiated from a local position. The attack is considered to have high c...
Authentication Bypass
Furbo Mini Firmware
Furbo 360 Dog Camera Firmware
-
CVE-2025-11650
LOW
CVSS 0.3
Weak cryptographic hash implementation in Tomofun Furbo 360 and Furbo Mini firmware allows local attackers with low privileges to compromise password security through a weak hashing algorithm in the password handler. The vulnerability affects Furbo 360 up to firmware version FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists, though real-world exploitation requires physical device access and high technical complexity.
Information Disclosure
Furbo Mini Firmware
Furbo 360 Dog Camera Firmware
-
CVE-2025-11648
LOW
CVSS 2.9
Server-side request forgery in Tomofun Furbo 360 and Furbo Mini dog cameras allows remote attackers to manipulate the TF_FQDN.json configuration file via the GATT Interface URL Handler, enabling arbitrary internal network requests with low confidentiality and integrity impact. Affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists, though the attack requires high complexity, and EPSS estimates a low exploitation probability (0.06%, 18th percentile).
SSRF
Furbo Mini Firmware
Furbo 360 Dog Camera Firmware
-
CVE-2025-11647
LOW
CVSS 1.3
Information disclosure vulnerability in Tomofun Furbo 360 and Furbo Mini dog cameras allows local network attackers to extract sensitive DeviceToken data via manipulation of GATT Service arguments. The attack requires high technical complexity and adjacency to the target network. Publicly available exploit code exists; however, the very low EPSS score (0.03%) together with the local-network and high-complexity requirements suggests limited real-world exploitation likelihood despite PoC availability.
Information Disclosure
Furbo Mini Firmware
Furbo 360 Dog Camera Firmware
-
CVE-2025-11646
LOW
CVSS 2.1
Improper access controls in the GATT Service of Tomofun Furbo 360 and Furbo Mini dog cameras allow local network attackers to disclose sensitive information without authentication. Affected firmware versions are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. Publicly available exploit code exists, though the low CVSS score of 2.1 and minimal EPSS (0.03%) reflect the local network-only attack vector and information disclosure impact.
Information Disclosure
Furbo Mini Firmware
Furbo 360 Dog Camera Firmware
-
CVE-2025-11645
LOW
CVSS 0.9
Insecure storage of authentication tokens in Tomofun Furbo Mobile App for Android up to version 7.57.0a allows local attackers with physical device access to extract sensitive credential information from the device storage. The vulnerability affects the Authentication Token Handler component and has been publicly disclosed with exploit details available. Despite early vendor contact, no patch or remediation response has been provided by Tomofun.
Information Disclosure
Google
-
CVE-2025-11644
LOW
CVSS 0.3
Insecure storage of sensitive information in Tomofun Furbo 360 and Furbo Mini dog cameras via UART interface allows physical attackers to extract unencrypted credentials and private data from firmware versions Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vulnerability requires physical device access and high technical complexity but publicly available exploit code exists. Vendor did not respond to early disclosure notification.
Information Disclosure
Furbo Mini Firmware
Furbo 360 Dog Camera Firmware
-
CVE-2025-11631
LOW
CVSS 2.1
Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the path argument in the /Doc/deleteDoc.do endpoint, enabling deletion or access to arbitrary files outside the intended directory. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor has not responded to early disclosure notifications. The EPSS exploitation probability is low at 0.11%, and the CVE is not listed in the CISA KEV catalog.
Path Traversal
Docsys
-
CVE-2025-11630
LOW
CVSS 2.1
Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the 'path' parameter in the updateRealDoc function (/Doc/uploadDoc.do) to write files outside the intended directory. The vulnerability affects the file upload component and has publicly available exploit code, though the low CVSS score (2.1) and minimal EPSS (0.12%) indicate limited real-world impact despite confirmed public exploitability.
Path Traversal
File Upload
Docsys
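Both DocSys entries above come down to the same mistake: a user-supplied path parameter is joined onto the document root without confirming that the result still lies inside it. The block below is an added example, not DocSys code (the project is Java; this is a Python illustration of the general containment check). It canonicalises the joined path and rejects anything that resolves outside the root, including an absolute path and a sibling directory whose name merely starts with the root's name. The directory and file names it creates are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical absolute path for user_path if it stays inside
    base_dir, otherwise None.

    Both sides go through os.path.realpath so that '..' segments, repeated
    separators and symlinks are collapsed before the comparison. The check
    uses base + os.sep rather than a bare prefix so that a sibling such as
    /srv/docsys2 is not accepted when the root is /srv/docsys.
    """
    if os.path.isabs(user_path):
        # os.path.join would discard base_dir entirely for an absolute path.
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def safe_delete(base_dir: str, user_path: str) -> bool:
    """Delete a file only if it resolves inside base_dir.

    Shaped like a deleteDoc-style handler: the raw request parameter comes
    in, and the caller learns whether anything was removed.
    """
    target = resolve_inside(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Exercise the check against a constructed document root and a file
    outside it. Returns the outcomes so they can be asserted on."""
    root = tempfile.mkdtemp(prefix="docroot-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.makedirs(os.path.join(root, "reports"))
    with open(os.path.join(root, "reports", "q1.txt"), "w") as fh:
        fh.write("inside\n")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("outside\n")

    # Relative traversal from the doc root to the file that must stay unreachable.
    escape = os.path.relpath(secret, root)

    return {
        "in_root": safe_delete(root, "reports/q1.txt"),   # legitimate delete succeeds
        "traversal": safe_delete(root, escape),           # '../..' form is refused
        "absolute": safe_delete(root, secret),            # absolute path is refused
        "secret_survives": os.path.isfile(secret),        # file outside root untouched
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same check applies unchanged to the upload path: run the request's path through resolve_inside before opening the destination for writing, and reject the request when it returns None.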
-
CVE-2025-11629
LOW
CVSS 2.1
SQL injection in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to execute arbitrary SQL queries via the getUserList function in /Manage/getUserList.do, enabling unauthorized data access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor did not respond to early disclosure notification.
SQLi
Docsys
-
CVE-2025-11628
LOW
CVSS 2.0
SQL injection in jimit105 Project-Online-Shopping-Website allows high-privilege remote attackers to manipulate the product_code parameter in /delete.php, enabling unauthorized query execution against the backend database. The vulnerability affects an unknown function of the Product Inventory Handler component and requires administrative credentials (PR:H). Exploit code has been published, though the CVE is not listed in the CISA KEV catalog. The EPSS score of 0.02% indicates minimal real-world exploitation probability.
PHP
SQLi
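The two SQL injection entries above (the DocSys getUserList function and the Project-Online-Shopping-Website product_code parameter in /delete.php) share one root cause: a request parameter is spliced into the SQL text. The block below is an added example and is not code from either project. It uses an in-memory SQLite database with constructed users and products tables to show what a tautology payload does to a string-built listing and delete, beside the parameterized form of the same two queries, which binds the payload as plain data.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.execute("CREATE TABLE products (product_code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("P100", "Lamp"), ("P200", "Desk"), ("P300", "Chair")],
    )
    conn.commit()
    return conn


def remaining_products(conn: sqlite3.Connection) -> List[str]:
    return [r[0] for r in conn.execute(
        "SELECT product_code FROM products ORDER BY product_code")]


# --- Vulnerable pattern (CWE-89): the parameter becomes part of the SQL text. ---

def get_user_list_unsafe(conn: sqlite3.Connection, role: str) -> List[str]:
    sql = f"SELECT username FROM users WHERE role = '{role}' ORDER BY username"
    return [r[0] for r in conn.execute(sql)]


def delete_product_unsafe(conn: sqlite3.Connection, product_code: str) -> List[str]:
    conn.execute(f"DELETE FROM products WHERE product_code = '{product_code}'")
    conn.commit()
    return remaining_products(conn)


# --- Hardened form: placeholders keep the parameter as a bound value. ---

def get_user_list_safe(conn: sqlite3.Connection, role: str) -> List[str]:
    return [r[0] for r in conn.execute(
        "SELECT username FROM users WHERE role = ? ORDER BY username", (role,))]


def delete_product_safe(conn: sqlite3.Connection, product_code: str) -> List[str]:
    conn.execute("DELETE FROM products WHERE product_code = ?", (product_code,))
    conn.commit()
    return remaining_products(conn)


# Tautology payload: closes the string literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run each variant against the constructed data and return the outcomes."""
    conn = make_db()
    results = {}
    # Unsafe listing: WHERE role = 'x' OR '1'='1' matches every user.
    results["list_unsafe"] = get_user_list_unsafe(conn, PAYLOAD)
    # Safe listing: the whole payload is compared as one role value and matches nothing.
    results["list_safe"] = get_user_list_safe(conn, PAYLOAD)
    # Safe delete with the payload removes nothing; with a real code it removes one row.
    results["delete_safe"] = delete_product_safe(conn, PAYLOAD)
    results["delete_legit"] = delete_product_safe(conn, "P200")
    # Unsafe delete with the payload empties the table.
    results["delete_unsafe"] = delete_product_unsafe(make_db(), PAYLOAD)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

SQLite's execute() refuses stacked statements, so the payload here is a tautology rather than a trailing `; DROP TABLE`; on drivers that allow multiple statements the string-built form is correspondingly worse, while the bound form behaves identically.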