Skip to main content
CVE-2025-48572 HIGH KEV THREAT Act Now

Android contains a missing authentication vulnerability (CVE-2025-48572, CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, enabling local privilege escalation without user interaction. KEV-listed, this vulnerability enables malicious apps to perform privileged operations silently in the background, bypassing Android's activity launch restrictions.

Privilege Escalation Authentication Bypass Android Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2025-48633 MEDIUM KEV PATCH THREAT Act Now

CVE-2025-48633 is a security vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed). Vendor patch is available.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-64081 CRITICAL POC Act Now

SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.

PHP SQLi Patients Waiting Area Queue Management System
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-61318 CRITICAL POC Act Now

Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. They fail to perform path verification and dangerous code filtering for deletion parameters, allowing attackers to exploit this feature for directory traversal.

PHP Path Traversal Emlog
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2025-65548 CRITICAL POC PATCH Act Now

A security vulnerability in NUT-14 (CVSS 9.1) that allows cashu tokens. Risk factors: public PoC available.

Information Disclosure Nutshell
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-63721 HIGH POC This Week

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.

Deserialization Hummerrisk
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-65795 HIGH POC PATCH This Week

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.

Authentication Bypass Memos
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-65804 MEDIUM POC This Month

Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE).

Buffer Overflow RCE Stack Overflow Ax3 Firmware Tenda
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-65797 MEDIUM POC PATCH This Month

Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).

Authentication Bypass Denial Of Service Memos
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-65231 MEDIUM POC This Month

Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page.

XSS Instreamer Firmware
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-48626 CRITICAL PATCH Act Now

In multiple locations, there is a possible way to launch an application from the background due to a precondition check failure. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-27020 CRITICAL Act Now

Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on file system . This issue affects MTC-9: from R22.1.1.0275 before R23.0.

Authentication Bypass Infinera Mtc 9 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-27019 CRITICAL Act Now

Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell.This issue affects MTC-9: from R22.1.1.0275 before R23.0.

Authentication Bypass Infinera Mtc 9 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14206 MEDIUM POC This Month

A remote code execution vulnerability in A vulnerability (CVSS 6.5). Risk factors: public PoC available.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-14258 MEDIUM POC This Month

A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /newsubject.php. The manipulation of the argument sub leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14257 MEDIUM POC This Month

A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /newrecord.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14256 MEDIUM POC This Month

A vulnerability was detected in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /newcurriculm.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14251 MEDIUM POC This Month

A security vulnerability has been detected in code-projects Online Ordering System 1.0. This affects an unknown function of the file /admin/ of the component Admin Login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14250 MEDIUM POC This Month

A weakness has been identified in code-projects Online Ordering System 1.0. The impacted element is an unknown function of the file /user_contact.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14249 MEDIUM POC This Month

A security flaw has been discovered in code-projects Online Ordering System 1.0. The affected element is an unknown function of the file /user_school.php. The manipulation of the argument product_id results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14248 MEDIUM POC This Month

A vulnerability was identified in code-projects Simple Shopping Cart 1.0. Impacted is an unknown function of the file /adminlogin.php. The manipulation of the argument admin_username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14245 MEDIUM POC This Month

A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14226 MEDIUM POC This Month

A vulnerability was identified in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument fname leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Other parameters might be affected as well.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14223 MEDIUM POC This Month

A vulnerability has been found in code-projects Simple Leave Manager 1.0. Affected by this vulnerability is an unknown functionality of the file /request.php. Such manipulation of the argument staff_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14218 MEDIUM POC This Month

A security flaw has been discovered in code-projects Currency Exchange System 1.0. The affected element is an unknown function of the file /editotheraccount.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.

Microsoft PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14217 MEDIUM POC This Month

A vulnerability was identified in code-projects Currency Exchange System 1.0. Impacted is an unknown function of the file /edittrns.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.

Microsoft PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14216 MEDIUM POC This Month

A vulnerability was determined in code-projects Currency Exchange System 1.0. This issue affects some unknown processing of the file /viewserial.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

Microsoft PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14215 MEDIUM POC This Month

A vulnerability was found in code-projects Currency Exchange System 1.0. This vulnerability affects unknown code of the file /edit.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

Microsoft PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14212 MEDIUM POC This Month

A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /member_search.php. Executing a manipulation of the argument roll_number can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14211 MEDIUM POC This Month

A vulnerability was detected in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /delete_book.php. Performing a manipulation of the argument book_id results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14210 MEDIUM POC This Month

A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /delete_member.php. Such manipulation of the argument user_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14209 MEDIUM POC This Month

A weakness has been identified in Campcodes School File Management System 1.0. This impacts an unknown function of the file /update_query.php. This manipulation of the argument stud_id causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-65230 MEDIUM POC This Month

Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input.

XSS Instreamer Firmware
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-65798 MEDIUM POC PATCH This Month

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

Authentication Bypass Memos
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-65849 CRITICAL Act Now

A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via mathematical deduction. NOTE: this is disputed by the Supplier because the product's objective is "to discourage automated scraping / bots, not guarantee resistance to determined attackers." The documentation states “the goal is not to provide a secure cryptographic algorithm but to use a proof-of-work mechanism that allows any capable device to decrypt the hidden data.”

Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-65271 HIGH PATCH This Week

Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.

Privilege Escalation Code Injection RCE Azuriom
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12956 HIGH This Week

A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

XSS 3dexperience Enovia
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-26487 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge.

SSRF Infinera Mtc 9 Firmware
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-66324 HIGH This Week

Input verification vulnerability in the compression and decompression module. Impact: Successful exploitation of this vulnerability may affect app data integrity.

Privilege Escalation Harmonyos
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-66328 HIGH This Week

Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability.

Information Disclosure Race Condition Harmonyos
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-42620 HIGH PATCH This Week

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).  This issue affects Vulnerability-Lookup: before 2.18.0.

XSS
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-65799 MEDIUM POC PATCH This Month

A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal.

Path Traversal Memos
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-65796 MEDIUM POC PATCH This Month

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.

Authentication Bypass Memos
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-42615 HIGH PATCH This Week

A security vulnerability in affected (CVSS 8.1). High severity vulnerability requiring prompt remediation.

RCE
NVD
CVSS 4.0
8.1
EPSS
0.1%
CVE-2025-48566 HIGH PATCH This Week

In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48565 HIGH PATCH This Week

CVE-2025-48565 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48638 HIGH This Week

In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Privilege Escalation Memory Corruption Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48623 HIGH PATCH This Week

In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow Privilege Escalation Memory Corruption Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48525 HIGH PATCH This Week

In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48632 HIGH PATCH This Week

In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy