Skip to main content
CVE-2025-14691 LOW POC PATCH Monitor

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."

XSS Mayan Edms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14648 LOW POC Monitor

Command injection in DedeBIZ up to version 6.5.9 allows authenticated high-privilege administrators to execute arbitrary system commands via the /src/admin/catalog_add.php endpoint. The vulnerability requires high-privilege authentication (PR:H in CVSS v4.0) and has publicly available exploit code, but real-world risk is constrained by the authentication requirement and limited scope of impact (CVSS 2.0, EPSS 0.28%).

PHP Command Injection Dedebiz
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2025-14642 LOW POC Monitor

Unrestricted file upload in Computer Laboratory System 1.0 via the technical_staff_pic.php file allows high-privilege users to upload arbitrary files to the server. The vulnerability requires administrator-level access (PR:H) and affects confidentiality, integrity, and availability with low impact scope. Publicly available exploit code exists; however, the EPSS score of 0.07% (21st percentile) and high-privilege requirement significantly limit real-world exploitation risk compared to the CVSS 2.0 baseline.

PHP Authentication Bypass File Upload Computer Laboratory System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14641 LOW POC Monitor

Unrestricted file upload in Computer Laboratory System 1.0 via the admin_pic.php image parameter allows high-privilege authenticated users to upload arbitrary files remotely, with publicly available proof-of-concept code demonstrating exploitation. Despite the CVSS 2.0 score reflecting the high authentication barrier (PR:H), the vulnerability enables attackers with admin credentials to bypass upload restrictions and potentially establish persistence or execute malicious code on the server.

PHP Authentication Bypass File Upload Computer Laboratory System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14663 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Student File Management System 1.0 allows high-privilege users to inject malicious scripts via the /admin/update_student.php endpoint, requiring user interaction to execute. The vulnerability has low real-world impact (CVSS 1.9, EPSS 0.06%) despite publicly available exploit code, as it demands high administrative privileges and user action; however, the low exploitation threshold (EPSS percentile 18%) indicates this is not a widespread threat.

PHP XSS Student File Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-14662 LOW POC Monitor

Cross-site scripting vulnerability in code-projects Student File Management System 1.0 allows high-privilege authenticated users to inject malicious scripts via the Update User Page at /admin/update_user.php, requiring user interaction to trigger. The exploit is publicly available and rated CVSS 1.9 due to restrictive privilege and UI requirements, though EPSS score of 0.05% indicates minimal real-world exploitation risk.

PHP XSS Student File Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14660 LOW Monitor

Improper access controls in DecoCMS Mesh up to 1.0.0-alpha.31 allow remote attackers to manipulate the domain argument in the createTool function of the Workspace Domain Handler, resulting in unauthorized information disclosure. The vulnerability requires high attack complexity and has published exploit code available, though real-world exploitation appears difficult. CVSS score of 2.9 reflects low severity with limited confidentiality impact, while EPSS scoring at 25th percentile suggests minimal real-world exploitation probability.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-14651 LOW Monitor

MartialBE one-hub up to version 0.14.27 uses a hard-coded cryptographic key in the SESSION_SECRET environment variable of its default docker-compose.yml configuration, allowing remote attackers to potentially decrypt or forge session tokens with high attack complexity. The vulnerability requires non-standard deployment configurations and affects confidentiality rather than integrity or availability. Exploit code has been disclosed publicly, though active exploitation remains unconfirmed by CISA, and the vendor explicitly recommends against using the default Docker Compose example in production environments.

Docker Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy