Skip to main content
CVE-2025-14516 LOW POC Monitor

Server-side request forgery in Yalantis uCrop 2.2.11 allows authenticated remote attackers to manipulate the downloadFile function in BitmapLoadTask.java URL handler, enabling arbitrary HTTP requests from the affected server. The vulnerability requires user authentication (PR:L) and carries limited confidentiality and integrity impact. Public exploit code exists, though the vendor has not responded to early disclosure attempts.

Java SSRF Ucrop
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14531 LOW POC Monitor

CRLF injection in code-projects Rental Management System 2.0 allows authenticated remote attackers to manipulate log entries via the Log Handler component in Transaction.java, enabling log tampering with minimal real-world impact. The vulnerability requires prior authentication (PR:L), has low integrity impact, and carries a very low EPSS score (0.07%) despite public exploit availability, suggesting exploitation is limited to specific threat scenarios.

Java Code Injection Rental Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14518 LOW POC Monitor

Server-side request forgery in PowerJob up to version 5.1.2 allows authenticated remote attackers to manipulate the targetIp and targetPort arguments in the checkConnectivity function of the Network Request Handler component, enabling SSRF attacks with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the EPSS score of 0.03% indicates minimal real-world exploitation probability despite the public exploit availability, suggesting this vulnerability has seen limited active abuse.

Java SSRF Powerjob
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-14530 LOW POC Monitor

Unrestricted file upload in SourceCodester Real Estate Property Listing App 1.0 allows high-privileged authenticated users to upload arbitrary files via the image parameter in /admin/property.php, potentially leading to remote code execution. The vulnerability affects only administrators or high-privilege accounts due to PR:H requirements, but public exploit code exists and EPSS scoring indicates low real-world exploitation probability (0.07th percentile).

PHP Authentication Bypass File Upload Real Estate Property Listing App
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14519 LOW POC Monitor

Stored cross-site scripting (XSS) in baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c allows authenticated users with user interaction to inject malicious scripts via the /admin/index.php/advtext/add endpoint in the advtext module. Public exploit code is available, and the vulnerability carries a low CVSS score of 2.0 due to authentication and user-interaction requirements, but the EPSS score of 0.05% indicates minimal real-world exploitation probability despite public availability of proof-of-concept code.

PHP XSS Hfly
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-14517 LOW POC Monitor

Yalantis uCrop 2.2.11 contains an improperly exported Android application component (UCropActivity) in AndroidManifest.xml that allows local attackers with application-level privileges to access the component via intent manipulation, potentially disclosing sensitive information. The vulnerability requires local access and user application permissions but affects confidentiality with low impact. Public exploit code is available, though the EPSS score of 0.06% suggests limited real-world exploitation despite public disclosure.

Information Disclosure Google Ucrop
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-14520 LOW Monitor

Arbitrary file deletion via path traversal in baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c allows authenticated remote attackers to delete files by manipulating the filename parameter in /admin/index.php/datafile/delfile. The vulnerability has public exploit code available but remains low-risk due to authentication requirement and limited scope (information integrity impact only).

PHP Path Traversal Hfly
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-14521 LOW Monitor

Path traversal vulnerability in baowzh hfly allows authenticated remote attackers to read arbitrary files via manipulation of the filename parameter in the /admin/index.php/datafile/download endpoint. The vulnerability affects versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c, with publicly available exploit code disclosed and no vendor response to early disclosure notification. CVSS score of 2.1 reflects limited confidentiality impact but the low EPSS (0.15%) suggests minimal real-world exploitation despite public disclosure.

PHP Path Traversal Hfly
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-14522 LOW Monitor

Unrestricted file upload in baowzh hfly allows authenticated remote attackers to upload arbitrary files via manipulation of the imgFile parameter in /Public/Kindeditor/php/upload_json.php. The vulnerability affects rolling-release versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c, carries low overall risk (CVSS 2.1, EPSS 0.07%), and has publicly available exploit code but requires authenticated access, significantly limiting real-world exploitability compared to unauthenticated file upload scenarios.

PHP Authentication Bypass File Upload Hfly
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14538 LOW Monitor

Reflected cross-site scripting (XSS) in yangshare warehouseManager 仓库管理系统 1.1.0 allows authenticated remote attackers to inject malicious scripts via the Name parameter in the addCustomer function of CustomerManageHandler.java. User interaction is required for exploitation. Public exploit code is available, and the vulnerability has been disclosed publicly.

XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14485 LOW Monitor

Command injection in EFM ipTIME A3004T firmware version 14.19.0 allows authenticated remote attackers to execute arbitrary commands via malformed input to the aaksjdkfj parameter in the show_debug_screen function of /sess-bin/timepro.cgi. Public exploit code is available, but the vulnerability has a high attack complexity requirement and the vendor has not issued a patch despite early disclosure notification.

Command Injection
NVD VulDB
CVSS 4.0
1.3
EPSS
1.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy