Skip to main content
CVE-2025-14692 LOW POC PATCH Monitor

A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."

Open Redirect Mayan Edms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-14730 LOW POC Monitor

Code injection in CTCMS up to version 2.1.2 allows high-privilege authenticated remote attackers to inject arbitrary code via manipulation of the Cj_Add or Cj_Edit arguments in the Backend System Configuration Module (/ctcms/libs/Ct_Config.php). Public exploit code is available, but exploitation requires administrative credentials and produces only low confidentiality impact without scope expansion. EPSS score of 0.07% indicates minimal real-world exploitation probability despite public POC availability.

PHP Code Injection Ctcms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14729 LOW POC Monitor

Code injection in CTCMS up to version 2.1.2 allows high-privileged remote attackers to inject arbitrary code via the CT_App_Paytype parameter in the Backend App Configuration Module's Save function. The vulnerability has a low CVSS score (2.0) due to requiring high administrative privileges (PR:H), but publicly available exploit code exists. Real-world risk is limited to authenticated administrators with backend access.

PHP Code Injection Ctcms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14697 LOW Monitor

Sixun Shanghui Group Business Management System 4.10.24.3 allows unauthenticated remote attackers to access files and directories through the /ExportFiles/ endpoint due to improper access controls, resulting in information disclosure of sensitive data. The vulnerability requires high attack complexity and has publicly available exploit code, but remains difficult to exploit in practice with an EPSS score of 0.06% indicating minimal real-world exploitation probability.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-14695 LOW Monitor

Remote code execution via dynamic code resource manipulation in SamuNatsu HaloBot's Inter-plugin API allows authenticated remote attackers to execute arbitrary code by manipulating the action argument in the html_renderer plugin. The vulnerability affects unsupported legacy versions of the product (commit hash 026b01d4a896d93eaaf9d5163a287dc9f267515b and earlier), with publicly available exploit code disclosed but no vendor-released patch, as the maintainer has abandoned the project and did not respond to early disclosure.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14694 LOW Monitor

SQL injection in ketr JEPaaS up to version 7.2.8 allows high-privileged remote attackers to manipulate the keyWord argument in the readAllPostil function (/je/postil/postil/readAllPostil), resulting in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the CVSS score of 2.0 reflects the requirement for high-level privileges (PR:H), significantly limiting real-world exploitation scope.

SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14722 LOW Monitor

Stored cross-site scripting (XSS) vulnerability in vion707 DMadmin backend allows high-privilege authenticated users to inject malicious scripts via the Add function in AddonsController, affecting the application's integrity. The vulnerability requires user interaction (UI:P) and high-privilege access (PR:H), limiting real-world exploitation risk despite a network attack vector. Public exploit code is available, but the extremely low CVSS score (1.9) and EPSS probability (0.05th percentile) suggest minimal practical risk in typical deployments.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-14702 LOW Monitor

Path traversal vulnerability in Smartbit CommV Smartschool App up to version 10.4.4 allows local authenticated attackers to manipulate the SplashActivity component and access or modify files outside intended directories. The vendor has not responded to early disclosure notification, and public exploit code is available.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14699 LOW Monitor

Path traversal vulnerability in Municorn FAX App 3.27.0 on Android allows local authenticated users to access files outside intended directories with low confidentiality, integrity, and availability impact. The vulnerability affects the biz.faxapp.app component and has been publicly disclosed with exploit code available, though EPSS exploitation probability remains very low at 0.04%, suggesting limited real-world attack likelihood despite public availability.

Google Path Traversal
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14698 LOW Monitor

Path traversal vulnerability in atlaszz AI Photo Team Galleryit App version 1.3.8.2 on Android allows authenticated local attackers to manipulate the gallery.photogallery.pictures.vault.album component and access files outside intended directories. The vulnerability requires local access and authenticated user privileges; public exploit code exists. The vendor has not responded to early disclosure notification, leaving the application unpatched.

Google Hashicorp Path Traversal
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy