Skip to main content
CVE-2025-12207 LOW POC Monitor

Null pointer dereference in Kamailio 5.5.0's grammar rule handler (src/core/cfg.y, yyerror_at function) causes denial of service when processing malformed configuration files. Local authenticated attackers can trigger the vulnerability by manipulating config files, resulting in application crash. Publicly available exploit code exists, but exploitation requires local access and config file manipulation, limiting real-world attack surface. EPSS score of 0.03% indicates minimal exploitation probability despite disclosed POC.

Denial Of Service Kamailio
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12206 LOW POC Monitor

Kamailio 5.5.0 suffers a null pointer dereference in the rve_is_constant function (src/core/rvalue.c) triggered by manipulation of local configuration files, resulting in denial of service. The attack requires local access with low privileges and produces only availability impact. Publicly available exploit code exists, but active exploitation has not been confirmed by CISA KEV, and the vulnerability's genuine existence remains disputed by the original reporter. Real-world risk is minimal given the low EPSS score (0.03%), requirement for config file manipulation, and minimal impact surface.

Denial Of Service Kamailio
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12281 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated high-privilege users to inject malicious scripts into the /admin/clientview.php endpoint that execute in the context of other users' browsers. The vulnerability requires user interaction (victim must view affected content) and high administrative privileges to exploit, limiting real-world risk despite public exploit disclosure. EPSS score of 0.03% reflects the stringent authentication and interaction requirements that prevent widespread automated exploitation.

PHP XSS Client Details System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12280 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows high-privileged authenticated users to inject malicious scripts via the /update-clients.php endpoint, requiring user interaction to execute. The vulnerability carries a low CVSS score of 1.9 due to high privilege requirements (PR:H) and mandatory user interaction (UI:P), but publicly available exploit code exists, making it actionable for insider threats or social engineering scenarios targeting administrators.

PHP XSS Client Details System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12205 LOW POC Monitor

Use-after-free vulnerability in Kamailio 5.5.0 configuration file parser allows local authenticated attackers to cause denial of service or memory corruption via malformed configuration files. The vulnerability exists in the sr_push_yy_state function within the lexical analyzer (cfg.lex) and has publicly available exploit code, though the vendor has not responded to disclosure and practical exploitability remains uncertain due to the requirement for direct configuration file manipulation.

Buffer Overflow Denial Of Service Kamailio
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12204 LOW POC Monitor

Heap-based buffer overflow in Kamailio 5.5.0's rve_destroy function allows local authenticated attackers to cause limited data corruption through manipulation of configuration files, with publicly available exploit code but extremely low real-world risk due to local access requirement, authenticated privilege level, and acknowledged uncertainty about vulnerability existence.

Buffer Overflow Kamailio
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12266 LOW Monitor

Code injection in Zytec Dalian Zhuoyun Technology Central Authentication Service up to version 20251009 allows authenticated remote attackers to inject arbitrary code via manipulation of the get.layer, get.widget, and get.action parameters in the /index.php/auth/widget endpoint. Public exploit code is available, but real-world exploitation risk is low given the low CVSS score (2.1), requirement for prior authentication, and extremely low EPSS score (0.04%), suggesting limited practical exploitability despite proof-of-concept availability.

PHP Code Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12249 LOW Monitor

CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 allows authenticated remote attackers to inject malicious CSV formulas via the Title argument on the Edit Ticket Page, potentially enabling formula execution or data exfiltration when exported. Public exploit code exists and the vendor has not responded to disclosure notifications despite early contact.

Code Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12304 LOW Monitor

Improper authorization in TIME-SEA-PLUS PayController.java alipayIsSucceed function allows authenticated remote attackers to disclose sensitive information related to order status handling. The vulnerability affects versions up to commit fb299162f18498dd9cf17da906886d80a077d53b, with publicly available exploit code disclosed but low real-world exploitation probability (EPSS 0.03%). Attack requires valid user credentials and network access but does not enable privilege escalation or data modification.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12290 LOW Monitor

Reflected cross-site scripting (XSS) in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 allows remote attackers to inject malicious scripts via the keywords parameter in the /i/359 endpoint. The vulnerability requires user interaction (clicking a malicious link) and results in limited integrity impact. Although exploit code has been publicly disclosed and the vendor did not respond to early disclosure, the EPSS score of 0.03% and low CVSS impact (2.1) suggest minimal real-world exploitation probability.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12289 LOW Monitor

Reflected cross-site scripting (XSS) in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 allows remote attackers to inject malicious scripts via the category_id parameter in the /Point/index/activity_state endpoint. The vulnerability requires user interaction (UI:P) to trigger and has low integrity impact, but publicly available exploit code exists. The vendor did not respond to disclosure notifications.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12267 LOW Monitor

Cross-site scripting (XSS) vulnerability in abhicodebox ModernShop 20250922 allows remote attackers to inject malicious scripts via the 'q' parameter in the /search endpoint, requiring user interaction to execute. The vulnerability has a published exploit and low CVSS score (2.1) due to user interaction requirement, but affects the integrity of victim sessions with EPSS exploitation probability of 0.03% indicating minimal real-world exploitation likelihood.

XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12329 LOW Monitor

SQL injection in shawon100 RUET OJ through the ID parameter of /details.php allows authenticated remote attackers to manipulate database queries with low confidentiality, integrity, and availability impact. The vulnerability affects commits up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, with publicly available exploit code released. Despite moderate CVSS 2.1, the low EPSS score of 0.02% and requirement for prior authentication significantly limit real-world exploitation likelihood.

PHP SQLi Ruet Oj
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12328 LOW Monitor

SQL injection in RUET OJ via the Name parameter in /contestproblem.php allows authenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality and integrity. The vulnerability affects the rolling-release codebase up to commit 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, requires valid login credentials to exploit, and carries a very low CVSS score (2.1) despite publicly available exploit code, indicating minimal real-world risk due to authentication barriers and constrained database access.

PHP SQLi Ruet Oj
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12327 LOW Monitor

SQL injection in RUET OJ /description.php endpoint allows authenticated remote attackers to manipulate the ID parameter and inject arbitrary SQL commands, achieving limited confidentiality and integrity compromise. The vulnerability affects the rolling-release version up to commit 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, with publicly available exploit code disclosed. Despite the public disclosure, the extremely low EPSS score (0.02%) and high authentication barrier suggest minimal real-world exploitation risk, though the unresponsive vendor posture leaves the codebase unpatched.

PHP SQLi Ruet Oj
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12250 LOW Monitor

Path traversal vulnerability in OpenWGA 7.11.12 Build 737 TMLScript API WGA.File component allows high-privileged remote attackers to manipulate file paths and access unauthorized resources. The vulnerability has publicly available exploit code and an extremely low EPSS score (0.07%, percentile 22%), suggesting limited real-world exploitation despite network accessibility, likely due to the requirement for high-level authentication that restricts practical attack surface.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-12291 LOW Monitor

Unrestricted file upload vulnerability in Muzuro Ecommerce System and ashymuzuro Full-Ecommerce-Website up to version 1.1.0 allows remote authenticated high-privilege administrators to upload arbitrary files via the Add Product Page (/admin/index.php?add_product), with exploit code publicly disclosed. Despite low CVSS score (2.0) due to high privilege requirement, the vulnerability enables direct code execution risk in admin-controlled uploads and received no vendor response to disclosure.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12251 LOW Monitor

Stored cross-site scripting (XSS) in OpenWGA 7.11.12 Build 737 Admin UI allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users who view the affected interface. Exploitation requires user interaction (clicking a crafted link or visiting a manipulated page), limiting real-world impact despite remote accessibility. Public exploit disclosure exists, but EPSS scoring (0.03%, 7th percentile) and low CVSS severity (2.0) indicate minimal active exploitation likelihood in real deployments.

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12224 LOW Monitor

Stored cross-site scripting (XSS) in Iqbolshoh php-business-website admin/contact.php allows authenticated attackers with user interaction to inject malicious scripts via the twitter parameter, affecting data integrity for other users. The vulnerability affects a rolling-release project up to commit 10677743a8dfc281f85291a27cf63a0bce043c24, has published exploit code available, but carries low real-world risk due to authentication requirement (PR:L), user interaction dependency (UI:P), and limited impact scope (VI:L only). EPSS exploitation probability is 0.03% (7th percentile), indicating minimal practical exploitation likelihood despite public POC availability.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy