Skip to main content
CVE-2025-14856 LOW POC Monitor

Code injection in RuoYi up to version 4.8.1 via the /monitor/cache/getnames endpoint allows authenticated remote attackers to inject arbitrary code through the fragment parameter with low impact to confidentiality, integrity, and availability. The vulnerability requires valid user authentication (PR:L per CVSS 4.0 vector) and has publicly available exploit code, though EPSS scoring at 0.08% percentile (22nd percentile) indicates low real-world exploitation probability despite public disclosure.

Information Disclosure Ruoyi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14885 LOW POC Monitor

Unrestricted file upload in SourceCodester Client Database Management System 1.0 via the /user_leads.php endpoint in the Leads Generation Module allows authenticated remote attackers to upload arbitrary files. The vulnerability requires valid user credentials (PR:L in CVSS v4.0) but carries low confidentiality, integrity, and availability impact per the vector. Public exploit code exists, and EPSS score of 0.06% suggests minimal real-world exploitation despite public availability, likely due to the authenticated requirement limiting attack surface.

PHP Authentication Bypass File Upload Client Database Management System
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14889 LOW POC Monitor

Improper authorization in Campcodes Advanced Voting Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/voters_edit.php, resulting in unauthorized modification of voter passwords. The vulnerability affects the Password Handler component and requires valid user credentials to exploit, limiting real-world risk despite public exploit availability. EPSS exploitation probability is low at 0.06 percentile, suggesting this flaw targets specific administrative scenarios rather than representing widespread attack potential.

PHP Information Disclosure Advanced Voting Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14837 LOW POC Monitor

Code injection in ZZCMS 2025 Backend Website Settings Module allows authenticated remote attackers to inject arbitrary code via the icp parameter in the stripfxg function (/admin/siteconfig.php), with limited confidentiality impact. Public exploit code is available, but exploitation requires high-privilege administrative access, significantly limiting practical attack surface despite network-accessible vector.

PHP Information Disclosure Zzcms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-40891 LOW Monitor

Stored HTML injection in Nozomi Networks CMC and Guardian Time Machine Snapshot Diff feature allows unauthenticated attackers to inject HTML tags into asset attributes across snapshots via specially crafted network packets. When a victim uses the Snapshot Diff feature and performs specific GUI actions, the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is mitigated by input validation and Content Security Policy. This vulnerability has not been confirmed as actively exploited, requires high attack complexity (multiple preconditions), and results in low integrity impact with limited scope.

XSS Open Redirect Cmc Guardian
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2025-14841 LOW Monitor

Null pointer dereference in OFFIS DCMTK up to version 3.6.9 within the DcmQueryRetrieveIndexDatabaseHandle::startFindRequest and DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest functions in dcmqrscp causes denial of service. The vulnerability requires local access with low privilege level and results in availability impact through service crash. No public exploit code is confirmed, and EPSS exploitation probability is extremely low at 0.04%, indicating this is a low-priority reliability issue rather than an active security threat.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy