Skip to main content
CVE-2025-11151 HIGH This Week

Information disclosure in Beyaz Bilgisayar CityPLus versions before V24.29500.1.0 allows remote unauthenticated attackers to discover unpublicized web pages and sensitive system information. The flaw is reported by Turkey's national CERT (USOM) and carries a CVSS 8.2 score reflecting network-reachable exposure of confidential data without authentication. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-61220 HIGH This Week

Unauthorized account access in AutoBizLine (Android package com.mysecondline.app) version 1.2.91 lets remote attackers authenticate as other users due to an incomplete identity-verification mechanism, exposing victims' personal information. The flaw is tagged as both an authentication bypass and information disclosure, and the affected user endpoint (/secondline/user/get_user/) suggests server-side access control that fails to bind a session to the correct account. No public exploit is confirmed in the input, though a third-party technical write-up exists on GitHub, and the EPSS score is low (0.33%, 25th percentile).

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-53066 HIGH PATCH CISA This Week

Unauthorized data access in Oracle Java SE JAXP component allows remote unauthenticated attackers to exfiltrate sensitive information from multiple Java platforms including Oracle Java SE (8u461 through 25), GraalVM for JDK (17.0.16, 21.0.8), and GraalVM Enterprise Edition (21.3.15). Exploitation requires no authentication, low complexity, and can occur through web services supplying malicious data to JAXP APIs or via sandboxed Java Web Start/applet deployments loading untrusted code. Oracle released patches in October 2025 Critical Patch Update with EPSS data unavailable at time of analysis. CVSS 7.5 reflects pure confidentiality impact with network attack vector.

Authentication Bypass Oracle Information Disclosure Java Graalvm +5
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-10612 MEDIUM This Month

Reflected XSS in City Guide (giSoft Information Technologies) before version 1.4.45 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL. The CVSS Changed Scope (S:C) indicates the injected script can affect resources outside the vulnerable application's security domain - such as the user's broader browser session - enabling session theft, credential harvesting, or UI redirection. No public exploit identified at time of analysis, and an EPSS score of 0.03% at the 7th percentile reflects very low observed exploitation probability.

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53057 MEDIUM PATCH CISA This Month

Improper access control in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated remote attackers to create, delete, or modify critical data when APIs in the Security component are exposed via web services or similar mechanisms. The vulnerability affects Java 8u461 through 25 and carries a CVSS 5.9 with high integrity impact, though exploitation is difficult (AC:H) and no public exploit or active KEV status has been confirmed.

Authentication Bypass Oracle Java Graalvm Graalvm For Jdk +4
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2020-36855 LOW POC Monitor

A security vulnerability has been detected in DCMTK up to 3.6.5. Rated low severity (CVSS 1.9), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Dcmtk
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2022-4981 LOW POC Monitor

A vulnerability was detected in DCMTK up to 3.6.7. Rated low severity (CVSS 1.9), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Dcmtk
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-60511 MEDIUM This Month

Insecure Direct Object Reference in the Moodle OpenAI Chat Block plugin 3.0.1 allows any authenticated student to hijack administrator-configured AI block sessions by supplying an arbitrary blockId to the completion API endpoint. An attacker leveraging this flaw can read admin-only 'Source of Truth' prompt configurations, steer AI responses using privileged system instructions, and consume API quota tied to another user's block. A public proof-of-concept writeup and associated GitHub repository exist, though no confirmed active exploitation (CISA KEV) has been recorded; EPSS sits at 0.23% (14th percentile), indicating low but non-zero real-world exploitation interest.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-61748 LOW CISA Monitor

Unauthorized data modification in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows remote unauthenticated attackers to alter sensitive data through APIs and multiple protocols via difficult-to-exploit integrity bypass. Affected versions include Java SE 21.0.8 and 25, GraalVM for JDK 21.0.8, and GraalVM Enterprise Edition 21.3.15. The vulnerability carries a low EPSS score (0.03%, 10th percentile) and no active exploitation has been identified, indicating limited real-world priority despite network accessibility.

Authentication Bypass Oracle Java Graalvm Graalvm For Jdk +2
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy