Skip to main content
CVE-2025-11942 MEDIUM POC This Month

A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass X200 Firmware
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-11943 MEDIUM POC This Month

A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure X200 Firmware
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-11938 LOW POC Monitor

Unsafe deserialization in ChurchCRM setup/routes/setup.php allows remote attackers to manipulate DB_PASSWORD, ROOT_PATH, or URL parameters, leading to arbitrary code execution with limited impact. The vulnerability affects versions up to 5.18.0 and has publicly available exploit code, though EPSS exploitation probability remains low at 0.10% percentile, suggesting real-world exploitation is constrained by high attack complexity and difficult exploitability factors.

PHP Deserialization Churchcrm
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-11941 LOW POC Monitor

Path traversal in e107 CMS up to version 2.3.3 allows authenticated remote attackers to manipulate the multiaction[] parameter in the Avatar Handler (/e107_admin/image.php) to access or modify arbitrary files on the server. The vulnerability requires valid user credentials but has low CVSS impact (2.1) and extremely low exploitation probability (EPSS 0.11%), though publicly available exploit code exists and the vendor has not provided a response or patch.

PHP Path Traversal E107
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11939 LOW POC Monitor

Path traversal in ChurchCRM's Backup Restore Handler allows high-privileged remote attackers to manipulate the restoreFile argument and access arbitrary files on the system. The vulnerability affects ChurchCRM up to version 5.18.0, requires administrative privileges (PR:H), and has publicly available exploit code. While CVSS score is low (2.0) due to privilege requirements, the limited scope impact and vendor non-response elevate practical risk for deployments with exposed admin interfaces.

PHP Path Traversal Churchcrm
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-11944 LOW POC PATCH Monitor

SQL injection in Vvveb up to version 1.0.7.3 allows authenticated high-privileged remote attackers to execute arbitrary SQL queries through the Raw SQL Handler import function in admin/controller/tools/import.php. The vulnerability requires administrative credentials and has been publicly disclosed with exploit code available, though EPSS modeling indicates low real-world exploitation probability at 0.04%.

PHP SQLi Vvveb
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11946 LOW POC Monitor

Cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 allows authenticated attackers with user interaction to inject malicious scripts via contact form fields (First Name, Last Name, Company, Address, Phone, Mobile) on the /frontend.jsp Add Contact Page. Publicly available exploit code exists; EPSS score of 0.03% reflects low real-world exploitation probability despite public POC, likely due to authentication and user interaction requirements.

XSS Logicaldoc
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11945 LOW Monitor

Stored cross-site scripting (XSS) in AFFiNE up to version 0.24.1 allows authenticated users to inject malicious scripts via the Avatar Upload Image endpoint, which are executed in the browsers of other users viewing the attacker's profile. The vulnerability requires user interaction (victim must view the malicious avatar) and authenticated access, resulting in limited but confirmed integrity impact. Public exploit code exists; vendor contact attempts yielded no response.

XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-11947 LOW Monitor

Heap-based buffer overflow in bftpd up to version 6.2 within the expand_groups function of the configuration file handler allows local authenticated attackers to cause limited memory corruption with high attack complexity. Public exploit code is available, though the vulnerability requires local access and elevated privileges (PR:L), significantly limiting real-world exploitation potential compared to its CVSS score. The vendor did not respond to early disclosure.

Buffer Overflow
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy