Skip to main content
CVE-2025-13803 HIGH This Week

A security vulnerability in A vulnerability (CVSS 7.3). High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-45370 HIGH This Week

An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-20085 HIGH This Week

A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

Authentication Bypass Denial Of Service Diris M 70 Firmware
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2024-49572 HIGH This Week

A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

Authentication Bypass Denial Of Service Diris M 70 Firmware
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-63365 HIGH This Week

SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive contents.

Path Traversal Epub File Reader
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-66448 HIGH PATCH This Week

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.

RCE Python Code Injection Debian Vllm +1
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-66205 HIGH PATCH This Week

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2.

SQLi Frappe
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-13813 LOW POC Monitor

A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-13805 LOW POC Monitor

A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.

Deserialization Java
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-66206 MEDIUM PATCH This Month

Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2.

Nginx Path Traversal Frappe
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2024-32384 MEDIUM This Month

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device.

Information Disclosure Keros
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-11772 MEDIUM PATCH This Month

A privilege escalation vulnerability (CVSS 6.6) that allows a local user. Remediation should follow standard vulnerability management procedures.

RCE
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-49643 MEDIUM PATCH This Month

An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.

PHP Denial Of Service Ubuntu Debian Frontend +1
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-13836 MEDIUM PATCH This Month

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Denial Of Service
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2025-13798 LOW POC Monitor

A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Executing manipulation of the argument mac can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.6%
CVE-2025-13797 LOW POC Monitor

A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Performing manipulation of the argument del_swifimac results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.6%
CVE-2025-13800 LOW POC Monitor

A vulnerability was found in ADSLR NBR1005GPEV2 250814-r037c. This issue affects the function set_mesh_disconnect of the file /send_order.cgi. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-13799 LOW POC Monitor

A vulnerability has been found in ADSLR NBR1005GPEV2 250814-r037c. This vulnerability affects the function ap_macfilter_del of the file /send_order.cgi. The manipulation of the argument mac leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-13816 LOW POC Monitor

A security vulnerability has been detected in moxi159753 Mogu Blog v2 up to 5.2. The impacted element is the function FileOperation.unzip of the file /networkDisk/unzipFile of the component ZIP File Handler. Such manipulation of the argument fileUrl leads to path traversal. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-13815 LOW POC Monitor

A weakness has been identified in moxi159753 Mogu Blog v2 up to 5.2. The affected element is an unknown function of the file /file/pictures. This manipulation of the argument filedatas causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-13819 MEDIUM PATCH This Month

Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks.

Open Redirect
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13809 LOW POC Monitor

A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineInfoController.java of the component SSH Connection Handler. Such manipulation of the argument host/sshPort/username/password/authType leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure but did not respond in any way.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-13807 LOW POC Monitor

A security vulnerability in orionsec orion-ops (CVSS 4.3). Risk factors: public PoC available.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-13811 LOW POC Monitor

A vulnerability was determined in jsnjfz WebStack-Guns 1.0. This vulnerability affects unknown code of the file src/main/java/com/jsnjfz/manage/core/common/constant/factory/PageFactory.java. Executing a manipulation of the argument sort can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

SQLi Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-13804 LOW POC Monitor

A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-41739 MEDIUM PATCH This Month

An unauthenticated remote attacker, who beats a race condition, can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a denial of service.

Information Disclosure Denial Of Service Buffer Overflow
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-48894 MEDIUM This Month

A cleartext transmission vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

Information Disclosure Diris M 70 Firmware
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49642 MEDIUM PATCH This Month

CVE-2025-49642 is a security vulnerability (CVSS 5.8). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 4.0
5.9
EPSS
0.0%
CVE-2025-58408 MEDIUM This Month

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger reads of stale data that can lead to kernel exceptions and write use-after-free. The Use After Free common weakness enumeration was chosen as the stale data can include handles to resources in which the reference counts can become unbalanced. This can lead to the premature destruction of a resource while in use.

Denial Of Service Memory Corruption Use After Free Ddk
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-13837 MEDIUM PATCH This Month

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

Denial Of Service Ubuntu Debian Python Red Hat +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-66415 MEDIUM PATCH This Month

A security vulnerability in to forward the current HTTP request to another server. (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Reply From Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13296 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery.This issue affects T-Soft E-Commerce: through 28112025.

CSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66400 MEDIUM PATCH This Month

mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

Information Disclosure Mdast Util To Hast Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-32388 MEDIUM This Month

CVE-2024-32388 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Keros
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-6349 MEDIUM This Month

Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory.This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1.

Denial Of Service Memory Corruption Use After Free Valhall Gpu Kernel Driver 5th Gen Gpu Architecture Kernel Driver
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-2879 MEDIUM This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to expose sensitive data.This issue affects Valhall GPU Kernel Driver: from r29p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0.

Information Disclosure Valhall Gpu Kernel Driver 5th Gen Gpu Architecture Kernel Driver
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-27232 MEDIUM PATCH This Month

An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.

SSRF Ubuntu Debian Frontend Red Hat +1
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-41070 MEDIUM This Month

Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

PHP XSS
NVD
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-13129 MEDIUM This Month

A remote code execution vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13653 MEDIUM This Month

In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12756 MEDIUM This Month

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.

Authentication Bypass Debian Mattermost Server Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-8045 MEDIUM This Month

Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to gain access to already freed memory.This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1.

Denial Of Service Memory Corruption Use After Free Valhall Gpu Kernel Driver 5th Gen Gpu Architecture Kernel Driver
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2024-51999 LOW POC PATCH Monitor

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 4.0
2.7
EPSS
1.0%
CVE-2025-13796 LOW Monitor

A security vulnerability has been detected in deco-cx apps up to 0.120.1. Affected by this vulnerability is the function AnalyticsScript of the file website/loaders/analyticsScript.ts of the component Parameter Handler. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.120.2 addresses this issue. It is suggested to upgrade the affected component.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-13802 LOW Monitor

A vulnerability was determined in jairiidriss RestaurantWebsite up to e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654. Impacted is an unknown function of the component Make a Reservation. This manipulation of the argument selected_date causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-65794 Awaiting Data

Rejected reason: DO NOT USE THIS CVE RECORD. No vendor patch available.

Information Disclosure
NVD
CVE-2025-65793 Awaiting Data

Rejected reason: DO NOT USE THIS CVE RECORD. No vendor patch available.

Information Disclosure
NVD
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy