Skip to main content
CVE-2025-12313 LOW POC Monitor

Command injection in D-Link DI-7001 MINI firmware versions 19.09.19A1 and 24.04.18B1 allows authenticated remote attackers to execute arbitrary commands via the cmd parameter in /msp_info.htm. The vulnerability has a public exploit available, though the extremely low CVSS score (2.1) and EPSS percentile (24th) indicate limited real-world exploitability despite network accessibility, as exploitation requires valid login credentials and results in low-impact information disclosure rather than system compromise.

Command Injection D-Link Di 7001Mini 8G Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12305 LOW POC Monitor

Remote code execution in Shiyi Blog up to version 1.2.1 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization in the Job Handler component (SysJobController.java). The CVSS score of 2.1 reflects required authenticated access and limited scope, but the combination of public exploit availability, demonstrated deserialization flaw, and network accessibility creates moderate operational risk despite the low severity rating.

Java Deserialization Shiyi Blog
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12268 LOW POC Monitor

LearnHouse allows authenticated remote users to upload arbitrary files via unrestricted manipulation of the thumbnail parameter in the Course Thumbnail Handler endpoint (/api/v1/courses/), enabling potential malicious file storage and execution. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code disclosed despite vendor non-response to early notification. While CVSS is low (2.1) and EPSS exploitation probability is minimal (0.06%), the presence of public exploits and authentication-only barrier warrants prioritization in environments where account compromise or insider risk is elevated.

Authentication Bypass File Upload Learnhouse
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12223 LOW POC Monitor

Unrestricted file upload in Bdtask Flight Booking Software up to version 3.1 via the Package Information Module endpoint /b2c/package-information allows authenticated remote attackers to upload arbitrary files with low confidentiality and integrity impact. Publicly available exploit code exists; the vulnerability carries a low CVSS score (2.1) due to requiring prior authentication and limited scope, but the ease of exploitation (AC:L, public POC) and vendor non-responsiveness elevate practical risk for deployed instances.

Authentication Bypass File Upload Flight Booking Software
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12203 LOW POC PATCH Monitor

Path traversal in givanz Vvveb up to 1.0.7.3 allows authenticated remote attackers to manipulate the File argument in the Code Editor's sanitizeFileName function, enabling unauthorized file system access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS score of 0.05% suggests limited real-world exploitation despite the availability of proof-of-concept.

PHP Path Traversal Vvveb
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12270 LOW POC Monitor

LearnHouse allows authenticated remote attackers to access unauthorized student assignment files through improper control of resource identifiers in the Student Assignment Submission Handler API endpoint, enabling information disclosure of sensitive academic materials. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code disclosed. EPSS exploitation probability is 0.04% (13th percentile), indicating low real-world exploitation likelihood despite public POC availability.

Information Disclosure Learnhouse
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12334 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the prod_name, prod_desc, or prod_cost parameters in /pages/product_add.php. The vulnerability requires user interaction (UI:P per CVSS 4.0) but can be exploited remotely without authentication. Publicly available exploit code exists, though EPSS scoring (0.04%, percentile 11%) indicates low real-world exploitation probability despite public POC availability.

PHP XSS E Commerce Website
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12333 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the supp_name and supp_address parameters in /pages/supplier_add.php. The vulnerability requires user interaction (clicking a crafted link) but enables session hijacking, credential theft, and malware distribution. Publicly available exploit code exists; however, the EPSS score of 0.04% (11th percentile) indicates exploitation remains uncommon despite disclosure, likely due to limited deployment of this niche e-commerce platform.

PHP XSS E Commerce Website
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12202 LOW POC Monitor

Cross-site request forgery (CSRF) in ajayrandhawa User-Management-PHP-MYSQL allows remote attackers to perform unauthorized actions via crafted requests, requiring user interaction (UI:P). Publicly available exploit code exists, but the extremely low EPSS score (0.04%, 11th percentile) and vendor non-responsiveness suggest limited real-world exploitation despite public POC availability. CVSS 2.1 reflects low integrity impact and user-interaction requirement.

CSRF User Management Php Mysql
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12288 LOW POC Monitor

Authorization bypass in Bdtask Pharmacy Management System up to version 9.4 allows authenticated remote attackers to manipulate user profile data via the /user/edit_user/ endpoint, escalating privileges or modifying other users' accounts without proper access controls. The vulnerability has publicly available exploit code and affects the User Profile Handler component, though vendor response to disclosure has been absent.

Authentication Bypass Pharmacare
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12302 LOW POC Monitor

Cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts via unsanitized input parameters (pname, category, price) in the /editproduct.php endpoint. The vulnerability requires user interaction (UI:P) but carries low integrity impact and has publicly available exploit code; EPSS probability remains minimal (0.03%) despite public POC availability, suggesting limited real-world adoption or exploitation barriers.

PHP XSS Simple Food Ordering System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12300 LOW POC Monitor

Stored cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts via the cname parameter in /addcategory.php, which are executed in the browsers of users viewing affected content. The vulnerability requires user interaction (UI:P) to exploit but has a public proof-of-concept available. Despite the low CVSS score (2.1) and minimal EPSS percentile (10%), the combination of remote network access and public exploit code necessitates prompt patching to prevent account compromise and session hijacking.

PHP XSS Simple Food Ordering System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12299 LOW POC Monitor

Stored cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts through the pname, category, or price parameters in /addproduct.php, requiring user interaction to trigger payload execution. Public exploit code is available, and the vulnerability carries low severity (CVSS 2.1) due to the requirement for user interaction and limited scope of impact.

PHP XSS Simple Food Ordering System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12298 LOW POC Monitor

Reflected cross-site scripting (XSS) in Simple Food Ordering System 1.0 via the pname parameter in /editcategory.php allows remote attackers to inject malicious JavaScript that executes in users' browsers with minimal user interaction. The vulnerability requires user interaction (clicking a malicious link) but has low technical complexity and publicly available exploit code, though active exploitation remains unconfirmed and real-world impact is limited by the low EPSS score of 0.03% despite public POC availability.

PHP XSS Simple Food Ordering System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12276 LOW POC Monitor

Information disclosure in LearnHouse Image Handler component allows authenticated remote attackers to access sensitive data via the image handling functionality. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code documented. Due to LearnHouse's rolling-release model, specific patched version numbers are unavailable, and the vendor has not responded to disclosure attempts.

Information Disclosure Learnhouse
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12244 LOW POC Monitor

Reflected cross-site scripting (XSS) in Simple E-Banking System 1.0 allows remote attackers to inject malicious scripts via the Username parameter in /eBank/register.php. The vulnerability requires user interaction (clicking a malicious link) but has low impact on confidentiality and integrity. Publicly available exploit code exists, though EPSS scoring (0.03%, 10th percentile) suggests limited real-world exploitation despite XSS being a common attack vector.

PHP XSS Simple E Banking System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12246 LOW POC Monitor

Cross-site scripting (XSS) in Chatwoot up to version 4.7.0 allows remote attackers to inject malicious scripts via the Link argument in the IframeLoader.vue Admin Interface component, requiring user interaction to trigger. The vulnerability has a low CVSS score (2.1) and EPSS percentile (10%) but publicly available exploit code exists, indicating the attack is straightforward to execute once a victim clicks a crafted link.

XSS Chatwoot
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12297 LOW POC Monitor

Unauthenticated authenticated users can disclose sensitive information through an unknown function in UserApiController.java in atjiu pybbs up to version 6.0.0 via remote network access. The vulnerability has a CVSS score of 2.1 with low confidentiality impact and publicly available exploit code, but extremely low real-world exploitation probability (EPSS 0.03%, 8th percentile) and requires authenticated access, limiting practical risk despite public POC availability.

Information Disclosure Pybbs
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12256 LOW POC Monitor

SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the contestant_id parameter in /edit_contestant.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability has a publicly available exploit and low EPSS score (0.03%), suggesting it poses minimal real-world risk despite public exploit availability.

PHP SQLi Online Event Judging System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12255 LOW POC Monitor

SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the fullname parameter in /add_contestant.php, enabling database queries with limited data access. The vulnerability has low real-world risk despite public exploit availability, as it requires valid user authentication and produces only limited information disclosure (CVSS 2.1, EPSS 0.03%), though organizations running this application should apply fixes promptly to eliminate the attack vector entirely.

PHP SQLi Online Event Judging System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12254 LOW POC Monitor

SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the fullname parameter in /add_judge.php, enabling limited data extraction with low confidentiality impact. The CVSS 2.1 score reflects the authentication requirement and bounded scope, but publicly available exploit code exists; however, the 0.03% EPSS percentile indicates minimal real-world exploitation probability despite public POC availability.

PHP SQLi Online Event Judging System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12252 LOW POC Monitor

SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the content parameter in /ajax/action.php, resulting in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS scoring (0.03%) suggests minimal real-world exploitation despite public POC availability. The vulnerability requires prior authentication, significantly limiting practical attack surface.

PHP SQLi Online Event Judging System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12242 LOW POC Monitor

SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/actions/check-attendance.php, resulting in limited confidentiality and integrity compromise. The vulnerability requires valid administrator credentials, has publicly available exploit code, but carries very low real-world risk with an EPSS score of 0.03% due to authentication requirements and limited impact scope (CVE4.0 vector shows only partial confidentiality/integrity loss, no availability impact).

PHP SQLi Gym Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12263 LOW POC Monitor

SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the judge_id parameter in /edit_judge.php, with publicly available exploit code demonstrating the vulnerability. The low CVSS score (2.1) reflects limited confidentiality impact and required authentication, but the SQL injection itself is a high-severity vulnerability class that could enable data exfiltration or modification depending on database permissions and downstream query construction.

PHP SQLi Online Event Judging System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12262 LOW POC Monitor

SQL injection in code-projects Online Event Judging System 1.0 via the crit_id parameter in /edit_criteria.php allows authenticated remote attackers to manipulate database queries with low confidentiality and integrity impact. Exploitation requires valid user authentication but can be executed remotely with no user interaction. Publicly available exploit code exists; however, the EPSS score of 0.03% (8th percentile) indicates this vulnerability has minimal real-world exploitation probability despite public disclosure.

PHP SQLi Online Event Judging System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12243 LOW POC Monitor

SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the ID parameter in clientdetails/welcome.php, enabling database queries with limited scope impact. CVSS 2.1 reflects low severity due to authentication requirement (PR:L) and limited confidentiality/integrity exposure (VC:L/VI:L), though publicly available exploit code exists and EPSS scoring (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite public POC availability.

PHP SQLi Client Details System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12238 LOW POC Monitor

SQL injection in code-projects Automated Voting System 1.0 allows authenticated remote attackers to manipulate the Username parameter in /admin/user.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires valid login credentials (PR:L) and has publicly available exploit code, though real-world exploitation risk is minimal given the CVSS 2.1 score and 0.03% EPSS percentile.

PHP SQLi Automated Voting System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12222 LOW POC Monitor

Unrestricted file upload in Bdtask Flight Booking Software up to version 3.1 allows authenticated remote attackers to upload arbitrary files via the /admin/transaction/deposit endpoint. The vulnerability requires valid user credentials (PR:L in CVSS vector) but grants attackers capability to upload files with minimal scope impact. Public exploit code is available, though the very low EPSS score (0.02%) and lack of CISA KEV listing suggest limited real-world exploitation despite disclosure.

Authentication Bypass File Upload Flight Booking Software
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12283 LOW POC Monitor

Authentication bypass in code-projects Client Details System 1.0 allows authenticated remote attackers to gain unauthorized access to protected functionality via an unknown vector. The vulnerability has publicly available exploit code but is rated low-risk due to CVSS 2.1 score and 0.01% EPSS, indicating limited real-world exploitation potential despite remote attack capability.

Authentication Bypass Client Details System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12261 LOW POC Monitor

SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/actions/remove-announcement.php, enabling unauthorized database query execution with limited confidentiality and integrity impact. Publicly available exploit code exists, but EPSS exploitation probability is extremely low (0.01th percentile), suggesting the vulnerability requires authenticated access and offers minimal real-world payoff despite network accessibility.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12296 LOW POC Monitor

OS command injection in D-Link DAP-2695 firmware 2.00RC13 allows high-privileged remote attackers to execute arbitrary commands through the Firmware Update Handler function sub_4174B0. The vulnerability carries a low real-world risk despite network-accessible attack vector due to requiring administrative credentials (PR:H) and affecting only end-of-life hardware. Publicly available exploit code exists, though EPSS exploitation probability remains minimal at 0.09th percentile.

Command Injection D-Link Dap 2695 Firmware
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-12201 LOW POC Monitor

Unrestricted file upload in ajayrandhawa User-Management-PHP-MYSQL allows high-privilege attackers to upload arbitrary files via the image parameter in /admin/edit-user.php. Exploitation requires administrator credentials but publicly available exploit code exists. With an EPSS score of 0.06% and no active exploitation confirmed in CISA KEV, real-world risk is minimal despite the remote attack vector.

PHP Authentication Bypass File Upload User Management Php Mysql
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-12331 LOW POC Monitor

Willow CMS up to version 1.4.0 allows high-privilege authenticated users to upload arbitrary files via an unrestricted file upload vulnerability in the /admin/images/add endpoint. The CVSS 2.0 score reflects the requirement for high-privilege authentication (PR:H), but public exploit code availability combined with low EPSS (0.05th percentile) suggests this is primarily exploitable only by compromised or malicious administrators rather than remote unauthenticated attackers.

Authentication Bypass File Upload Willow Cms
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12226 LOW POC Monitor

SQL injection in SourceCodester Best House Rental Management System 1.0 allows high-privilege remote attackers to manipulate the house_no parameter in the save_house function of /admin_class.php, achieving limited confidentiality and integrity impact. Publicly available exploit code exists but exploitation requires administrative credentials (PR:H), significantly restricting real-world attack surface despite the CVSS 4.0 network vector.

PHP SQLi Best House Rental Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12315 LOW POC Monitor

SQL injection in code-projects Food Ordering System 1.0 allows high-privileged remote attackers to manipulate the itemPrice parameter in /admin/menu.php, leading to limited data exposure and modification. The vulnerability requires administrative authentication and has publicly available exploit code, but carries low real-world exploitation risk due to administrative privilege requirement and minimal technical impact (CVSS 2.0, EPSS 0.03%).

PHP SQLi Food Ordering System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12314 LOW POC Monitor

SQL injection in code-projects Food Ordering System 1.0 allows remote attackers with high-level administrative privileges to execute arbitrary SQL commands via the itemID parameter in /admin/deleteitem.php. Despite public exploit availability, real-world risk is minimal due to requirement for authenticated administrator access and low CVSS impact scope (CVSS 2.0, EPSS 0.03%). The vulnerability affects only the administrative interface and does not escalate privileges or compromise confidentiality at scale.

PHP SQLi Food Ordering System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12294 LOW POC Monitor

SQL injection in SourceCodester Point of Sales 1.0 via the ID parameter in /delete_category.php allows high-privilege remote attackers to manipulate database queries. The vulnerability requires administrative credentials (PR:H) but carries low confidentiality, integrity, and availability impact. Public exploit code exists, though EPSS score (0.03%) suggests limited real-world exploitation despite public availability.

PHP SQLi Point Of Sales
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12269 LOW POC Monitor

Stored cross-site scripting (XSS) in LearnHouse Account Setting Page allows authenticated users to inject malicious scripts via the /dash/org/settings/previews endpoint, affecting all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca. An attacker with valid credentials can craft a malicious request that, when viewed by another user (requiring user interaction), executes arbitrary JavaScript in their browser context with potential for data theft or session hijacking. Public exploit code exists, though exploitation requires both login credentials and victim interaction, limiting real-world impact despite the network-accessible vector.

XSS Learnhouse
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12227 LOW POC Monitor

Stored cross-site scripting (XSS) in projectworlds Gate Pass Management System 1.0 allows authenticated users to inject malicious scripts via the /add-pass.php endpoint, which execute in the browsers of other users who view the affected content. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting its scope to reflected or stored XSS within an authenticated session. Publicly available exploit code exists, though EPSS exploitation probability remains very low at 0.03%, suggesting limited real-world weaponization despite public disclosure.

PHP XSS Gate Pass Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12287 LOW POC Monitor

SQL injection in Bdtask Wholesale Inventory Control and Inventory Management System up to version 20251013 allows high-privileged remote attackers to manipulate the first_name and last_name parameters in the /Admin_dashboard/edit_profile endpoint, leading to unauthorized database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

SQLi Wholesale
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12282 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated users with high privileges to inject malicious scripts via the /admin/manage-users.php endpoint, which are then executed in the browsers of other users who interact with the managed user data. The vulnerability requires administrative privileges and user interaction (UI:P) to exploit, resulting in limited integrity impact (VI:L). Public exploit code is available, though the extremely low CVSS score (1.9) and EPSS probability (0.04%) reflect the high privilege barrier and user interaction requirement that significantly constrain real-world risk.

PHP XSS Client Details System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12330 LOW POC Monitor

Stored cross-site scripting (XSS) in Willow CMS up to version 1.4.0 allows authenticated administrative users to inject malicious scripts via the title or body parameters in the Add Post Page (/admin/articles/add), which are then executed in the browsers of other users who view the post. The vulnerability requires high-privilege authentication and user interaction (visiting the affected page) to trigger, resulting in limited integrity impact. Public exploit code is available, though EPSS analysis indicates minimal real-world exploitation probability at 0.03%.

XSS Willow Cms
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12312 LOW POC Monitor

Reflected cross-site scripting in PHPGurukul Curfew e-Pass Management System 1.0 allows authenticated high-privilege users to inject malicious scripts via the Fullname or Category parameters in view-pass-detail.php, exploitable only when a victim with sufficient privileges views a crafted link. The CVSS score of 1.9 reflects severe exploitation constraints: high privilege requirement, user interaction dependency, and limited impact scope, despite a public exploit being available.

PHP XSS Curfew E Pass Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12311 LOW POC Monitor

Stored or reflected cross-site scripting (XSS) in PHPGurukul Curfew e-Pass Management System 1.0 allows authenticated users with high privileges to inject malicious scripts via the catname parameter in edit-category-detail.php, affecting application integrity with low severity (CVSS 1.9, EPSS 0.03%). Publicly available exploit code exists; however, exploitation requires user interaction and high-level administrative credentials, significantly limiting real-world attack surface.

PHP XSS Curfew E Pass Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12303 LOW POC Monitor

Stored cross-site scripting (XSS) in PHPGurukul Curfew e-Pass Management System 1.0 allows authenticated high-privilege users to inject malicious scripts via the adminname or email parameters in admin-profile.php, affecting user interface integrity and enabling credential theft or malware delivery. The vulnerability requires high-privilege access and user interaction (UI:P), resulting in a CVSS score of 1.9 despite network accessibility. Public exploit code exists but exploitation probability is exceptionally low (EPSS 0.03%, 9th percentile), suggesting this is primarily a demonstration or proof-of-concept rather than an active threat.

PHP XSS Curfew E Pass Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12279 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows remote attackers with high privileges and user interaction to inject malicious scripts via the /welcome.php file, resulting in limited integrity impact. The vulnerability has been publicly disclosed with exploit code available, though real-world exploitation is constrained by the requirement for high administrative privileges and user interaction, reflected in the exceptionally low CVSS score of 1.9 and EPSS probability of 0.03%.

PHP XSS Client Details System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12231 LOW POC Monitor

Stored cross-site scripting in projectworlds Expense Management System 1.0 allows high-privileged authenticated users to inject malicious scripts via the Expense Categories creation page, affecting other users who view the poisoned content. The vulnerability requires administrator-level access and user interaction (rendering the page), limiting real-world impact despite remote network delivery. Publicly available exploit code exists; EPSS exploitation probability is very low at 0.03%, suggesting this is primarily a proof-of-concept risk rather than an actively exploited threat.

XSS Expense Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12230 LOW POC Monitor

Stored cross-site scripting (XSS) in projectworlds Expense Management System 1.0 allows authenticated users with high privileges to inject malicious scripts via the Currency Page create function (/public/admin/currencies/create), which are then reflected to other users who interact with that page. The vulnerability requires user interaction and high-level administrative privileges to exploit, resulting in limited real-world risk despite public exploit availability and low EPSS score.

XSS Expense Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12229 LOW POC Monitor

Stored cross-site scripting (XSS) in projectworlds Expense Management System 1.0 allows authenticated high-privilege users to inject malicious scripts via the Roles Page create endpoint (/public/admin/roles/create), which are then reflected to other users. The vulnerability requires high-privilege authentication and user interaction to trigger, limiting real-world exploitation despite public POC availability and network accessibility.

XSS Expense Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12228 LOW POC Monitor

Stored cross-site scripting (XSS) in projectworlds Expense Management System 1.0 allows high-privileged authenticated users to inject malicious scripts via the /public/admin/users/create endpoint, which are executed in the browsers of other users viewing the affected page. The vulnerability requires administrator privileges and user interaction (clicking a link), significantly limiting exploitation scope despite remote accessibility and publicly available proof-of-concept code.

XSS Expense Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy