31 CVEs tracked today. 1 Critical, 2 High, 11 Medium, 17 Low.
-
CVE-2025-1928
CRITICAL
CVSS 9.1
The Online Food Delivery System by Restajet Information Technologies, through version 19122025, does not restrict repeated authentication attempts (no lockout or rate limiting), so an attacker can brute-force both the login and the password-recovery flow and take over accounts. The CVSS score of 9.1 (critical) reflects an unauthenticated, network-reachable attack vector. No public exploit was identified at time of analysis; EPSS is 0.07% (22nd percentile). The vendor did not respond to disclosure attempts by Turkey's national CERT (USOM), so no vendor fix is available.
Information Disclosure
Online Food Delivery System
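The missing control in this entry is a limit on repeated attempts. The Python sketch below is an added illustration written for this page, not code from Restajet's product: a recovery-code verifier with a per-account lockout, and a brute-force loop that shows what the absence of that lockout allows. The account names, the 4-digit code format and the thresholds are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed example for this page: a password-recovery code verifier with
# and without a per-account lockout. Account names, the 4-digit code format
# and the thresholds below are assumptions, not values from any real product.

MAX_FAILURES = 5         # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900    # how long the lock lasts


@dataclass
class RecoveryVerifier:
    codes: Dict[str, str]                  # account -> currently valid recovery code
    enforce_lockout: bool = True           # False reproduces the missing control
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def verify(self, account: str, code: str, now: float) -> str:
        """Return 'ok', 'invalid' or 'locked'. `now` is injected so the
        lockout window can be exercised without sleeping."""
        if self.enforce_lockout and self.locked_until.get(account, 0.0) > now:
            return "locked"
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(self.codes.get(account, ""), code):
            self.failures.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if self.enforce_lockout and n >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "invalid"


def brute_force(verifier: RecoveryVerifier, account: str, now: float) -> Tuple[bool, int]:
    """Enumerate every 4-digit code in order. Returns (success, attempts_made)
    and stops at the first 'ok' or the first 'locked' response."""
    attempts = 0
    for i in range(10_000):
        attempts += 1
        result = verifier.verify(account, f"{i:04d}", now)
        if result == "ok":
            return True, attempts
        if result == "locked":
            return False, attempts
    return False, attempts


if __name__ == "__main__":
    # Without a lockout the whole 10^4 space is searchable in one sitting.
    print(brute_force(RecoveryVerifier({"alice": "7351"}, enforce_lockout=False), "alice", 0.0))
    # With the lockout the attacker gets MAX_FAILURES guesses per window.
    print(brute_force(RecoveryVerifier({"alice": "7351"}), "alice", 0.0))
```

Five guesses per 15-minute window stretches a 10,000-code search to roughly 500 hours, but the lockout should not carry the whole burden: recovery codes should expire after a few minutes, and a per-account lock is itself a denial-of-service lever against legitimate users, so production systems pair it with per-source throttling and backoff.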
-
CVE-2025-14151
HIGH
CVSS 7.2
Stored XSS in the SlimStat Analytics plugin for WordPress (versions up to and including 5.3.2): the 'outbound_resource' parameter of the slimtrack AJAX action is not sanitized, so an unauthenticated attacker can store a script payload that executes in the browser of any user who views the affected page, with the usual stored-XSS consequences (session hijacking, credential theft, and privilege escalation when the viewer is an administrator). Every installation whose AJAX endpoint is publicly reachable is affected. No public exploit was identified at time of analysis.
WordPress
XSS
-
CVE-2025-1927
HIGH
CVSS 7.1
Missing CSRF protections in the Restajet Online Food Delivery System (all versions through 19122025) allow an attacker to make an authenticated user's browser submit state-changing requests in that user's session, for example from an attacker-controlled page the victim visits while logged in. The vulnerability, disclosed by Turkey's USOM (National Cyber Incident Response Center), carries a CVSS score of 7.1 with high integrity impact, though EPSS modeling puts the exploitation probability at only 0.02% (5th percentile). No public exploit was identified at time of analysis, and the vendor did not respond to disclosure attempts.
CSRF
Online Food Delivery System
-
CVE-2025-14968
MEDIUM
CVSS 5.5
A security flaw has been discovered in code-projects Simple Stock System 1.0. Affected by this issue is some unknown functionality of the file /market/update.php. The manipulation of the argument email results in SQL injection. The attack can be launched remotely. The exploit has been released to th...
PHP
SQLi
Simple Stock System
-
CVE-2025-14967
MEDIUM
CVSS 5.5
A vulnerability was identified in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /candidates_report.php. The manipulation of the argument school_year leads to SQL injection. The attack can be initiated remotely. The exploit is publi...
PHP
SQLi
Student Management System
-
CVE-2025-14961
MEDIUM
CVSS 5.5
A vulnerability was detected in code-projects Simple Blood Donor Management System 1.0. The affected element is an unknown function of the file /editedcampaign.php. The manipulation of the argument campaignname results in SQL injection. The attack can be executed remotely. The exploit is now public ...
PHP
SQLi
Simple Blood Donor Management System
-
CVE-2025-14960
MEDIUM
CVSS 5.5
A security vulnerability has been detected in code-projects Simple Blood Donor Management System 1.0. Impacted is an unknown function of the file /editeddonor.php. The manipulation of the argument Name leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclo...
PHP
SQLi
Simple Blood Donor Management System
-
CVE-2025-14959
MEDIUM
CVSS 5.5
A weakness has been identified in code-projects Simple Stock System 1.0. This issue affects some unknown processing of the file /market/signup.php. Executing a manipulation of the argument Username can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to...
PHP
SQLi
Simple Stock System
-
CVE-2025-14952
MEDIUM
CVSS 5.5
A vulnerability was detected in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_category.php. Performing a manipulation of the argument txtCategoryName results in SQL injection. The attack is possible to be carried out remotely. The exploit is now pu...
PHP
SQLi
Supplier Management System
-
CVE-2025-14951
MEDIUM
CVSS 5.5
A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impacted element is an unknown function of the file /home.php. Such manipulation of the argument post_content leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publ...
PHP
SQLi
Scholars Tracking System
-
CVE-2025-14950
MEDIUM
CVSS 5.5
A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the...
PHP
SQLi
Scholars Tracking System
-
CVE-2025-14940
MEDIUM
CVSS 5.5
A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes SQL injection. It is possible to initiate the attack remotely. The exploit has been publicly discl...
PHP
SQLi
Scholars Tracking System
-
CVE-2025-14546
MEDIUM
CVSS 5.4
Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it t...
Authentication Bypass
CSRF
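The state parameter only protects the callback if the server remembers the value it issued for a given browser session and checks it on return. The Python example below is added for illustration and is not fastapi-sso's code; the Session class and the callback helpers are assumptions standing in for a real framework's session store and callback route. It contrasts a callback that ignores state with one that binds it to the session, and runs a login-CSRF attempt against both. The same persist-then-compare pattern is the anti-CSRF token that the Restajet entry (CVE-2025-1927) above lacks.

```python
import hmac
import secrets
from typing import Callable, Optional

# Constructed example written for this page; not fastapi-sso's code. The
# Session class and the callback helpers are assumptions that stand in for a
# real framework's server-side session and OAuth callback route.


class Session(dict):
    """Stand-in for a server-side session keyed by the browser's cookie."""


def begin_login(session: Session) -> str:
    """Issue a fresh state, persist it in *this* browser's session, and return
    the value that goes into the authorization URL's state parameter."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def callback_vulnerable(session: Session, state: Optional[str], code: str) -> bool:
    """The flaw described above: a state value travels in the URL, but the
    server never persisted one to compare against, so any pair is accepted."""
    return code is not None


def callback_hardened(session: Session, state: Optional[str], code: str) -> bool:
    """Accept the callback only if the state matches the one issued to this
    session. pop() makes the state single-use, so a replayed URL fails too."""
    expected = session.pop("oauth_state", None)
    if expected is None or state is None:
        return False
    if not hmac.compare_digest(expected, state):
        return False
    return code is not None


def login_csrf_attack(callback: Callable[[Session, Optional[str], str], bool]) -> bool:
    """Attacker finishes the identity-provider leg in their own browser, then
    lures a victim who never started a login to the callback URL. Returns
    True if the victim's session is now bound to the attacker's authorization
    code (login CSRF)."""
    attacker = Session()
    attacker_state = begin_login(attacker)
    attacker_code = "code-issued-for-attacker-account"   # constructed value
    victim = Session()                                   # no pending login
    return callback(victim, attacker_state, attacker_code)


def legitimate_flow(callback: Callable[[Session, Optional[str], str], bool]) -> bool:
    """The normal round trip: the session that started the login returns
    with the state it was given."""
    browser = Session()
    state = begin_login(browser)
    return callback(browser, state, "code-issued-for-legit-user")
```

In a real deployment the stored state should also carry a short expiry, and the session store must be server-side or integrity-protected, otherwise the attacker can plant their own state in the victim's session and the comparison proves nothing.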
-
CVE-2025-1885
MEDIUM
CVSS 5.4
Restajet Online Food Delivery System allows authenticated users to redirect victims to untrusted external sites through an unvalidated URL redirection mechanism, enabling phishing and forceful browsing. All versions through 19122025 are affected. The CVSS score is 5.4 (medium) and the EPSS is 0.04% (12th percentile), indicating limited real-world attack likelihood despite the functional impact. The vendor has not responded to disclosure attempts by the Turkish national CERT, so no official patch is available.
Open Redirect
Online Food Delivery System
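An open redirect is fixed by deciding where the browser will actually land, not by pattern-matching the raw string. The validator below is an added example written for this page, not code from the affected product; APP_ORIGIN and the parameter handling are assumptions. It resolves the supplied value the way a browser resolves a Location header and then emits only a same-site relative path, which also defuses parser-disagreement bypasses such as `https:evil.test` and `/\evil.test`.

```python
from urllib.parse import urljoin, urlsplit

# Constructed example written for this page, not code from the affected
# product. APP_ORIGIN and the parameter handling are assumptions.

APP_ORIGIN = "https://orders.example.test"


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return a redirect target that stays on APP_ORIGIN, or `fallback`.

    The value is resolved against the application origin exactly as a browser
    would resolve a Location header, and the decision is made on the resolved
    host rather than on the raw string, so scheme-relative ('//evil'),
    scheme-without-slashes ('https:evil') and userinfo ('host@evil') tricks
    are judged by where the browser would actually land.
    """
    if not next_url:
        return fallback
    # Browsers treat '\' as '/' in http(s) URLs; normalise before parsing so
    # '/\evil.test' is seen as the scheme-relative URL it really is.
    candidate = next_url.replace("\\", "/")
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", candidate))
    origin = urlsplit(APP_ORIGIN)
    if resolved.scheme != origin.scheme or resolved.netloc.lower() != origin.netloc:
        return fallback
    # Emit a relative path: the Location header never carries a host at all,
    # so even a parser disagreement cannot send the user off-site.
    path = resolved.path or "/"
    return path + ("?" + resolved.query if resolved.query else "")
```

Note what happens to `https:evil.test`: Python resolves it to a path on the application's own host and the function returns `/evil.test`, a harmless same-site location, whereas echoing the original string into Location would have sent a browser to evil.test. Returning the path rather than the input is what makes that difference.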
-
CVE-2025-58052
LOW
CVSS 2.1
Galette membership management application versions 0.9.6 through 1.1.x contain an authorization bypass that lets group managers modify data beyond their intended role scope, escalating their privileges. Authenticated access as a group manager is required; the impact is to the integrity of membership data and organizational controls. Galette 1.2.0 resolves the issue, and affected deployments should upgrade to restore proper role-based access controls.
Authentication Bypass
Galette
-
CVE-2025-14966
LOW
CVSS 2.0
SQL injection in FastAdmin up to version 1.7.0.20250506 allows a high-privilege authenticated attacker to execute arbitrary SQL via the custom/searchField parameter of the selectpage function in the Backend Controller. Administrator-level privileges are required and exploit code is public, but the low CVSS score (2.0) and minimal EPSS (0.06%) indicate limited real-world risk despite public disclosure.
PHP
SQLi
Fastadmin
-
CVE-2025-14962
LOW
CVSS 2.1
Stored cross-site scripting (XSS) in Simple Stock System 1.0 via the /market/chatuser.php endpoint allows remote attackers to inject malicious scripts without authentication. User interaction is required for payload execution. Publicly available exploit code exists; EPSS score of 0.08% indicates low statistical exploitation probability despite XSS classification.
PHP
XSS
Simple Stock System
-
CVE-2025-14958
LOW
CVSS 1.9
Heap-based buffer overflow in the _sg_pipeline_common_init function of sokol_gfx.h allows a local, authenticated attacker to corrupt memory, with low impact on confidentiality, integrity and availability; no user interaction is required. Public exploit code exists, but the EPSS score (0.03%) and the low CVSS score both point to minimal real-world exploitation probability. Because sokol_gfx.h is a header-only library compiled into the host application, actual exposure depends on whether that application builds pipelines from attacker-controlled descriptions.
Buffer Overflow
Sokol
-
CVE-2025-14957
LOW
CVSS 1.9
Null pointer dereference in WebAssembly Binaryen up to version 125: a manipulated Index argument reaching IRBuilder::makeLocalGet, IRBuilder::makeLocalSet or IRBuilder::makeLocalTee lets a local, authenticated user crash the process (denial of service). Public exploit code exists, but the very low EPSS score (0.03%, 7th percentile) and local-only attack vector make the real-world impact minimal, and most environments will not prioritize it for rapid patching. The exception is any service that runs Binaryen tools over untrusted WebAssembly modules, where a crafted module is a crash vector.
Denial Of Service
Binaryen
-
CVE-2025-14956
LOW
CVSS 1.9
Heap-based buffer overflow in WasmBinaryReader::readExport in WebAssembly Binaryen up to version 125 allows a local attacker with low privileges to cause limited information disclosure and integrity compromise. Local access and authenticated privileges are required. Proof-of-concept code is public, but the EPSS score of 0.04% indicates extremely low real-world exploitability; this is a narrow, low-impact issue unlikely to be prioritized in most threat environments.
Buffer Overflow
Binaryen
-
CVE-2025-14955
LOW
CVSS 2.9
Improper initialization in the PFCP handler function ogs_pfcp_handle_create_pdr in Open5GS up to version 2.7.5 allows a remote attacker to trigger information disclosure, with high attack complexity. A public proof-of-concept exists, but the very low EPSS score (0.15%) indicates minimal real-world exploitation probability. The CVSS score of 2.9 reflects the limited technical impact (low confidentiality impact only) and the complexity and resources a practical attack requires. PFCP is the N4 control interface between the SMF and the UPF (UDP port 8805) and is normally confined to the core network, so the practical check is whether that port is reachable from anything other than trusted core-network peers.
Information Disclosure
Open5gs
-
CVE-2025-14954
LOW
CVSS 2.9
Reachable assertion in Open5GS up to version 2.7.6 in the PFCP context management functions (PDR, FAR, URR, QER) in lib/pfcp/context.c allows a remote attacker to trigger a denial of service with crafted PFCP messages. Attack complexity is high and the availability impact is low, but public exploit code exists. The CVSS score of 2.9 and EPSS of 0.14% indicate low real-world exploitation probability despite the public PoC.
Denial Of Service
Open5gs
-
CVE-2025-14953
LOW
CVSS 1.3
Null pointer dereference in Open5GS up to version 2.7.5 allows a remote, authenticated attacker to cause a denial of service by sending manipulated PFCP (Packet Forwarding Control Protocol) packets that are mishandled in the FAR-ID handler. High attack complexity and the need for authenticated access limit real-world exploitation despite publicly available proof-of-concept code; the low CVSS score of 1.3 reflects the restricted impact.
Denial Of Service
Open5gs
-
CVE-2025-14939
LOW
CVSS 2.0
SQL injection in code-projects Online Appointment Booking System 1.0 allows high-privilege remote attackers to manipulate the managername parameter in /admin/deletemanager.php, resulting in limited confidentiality and integrity impact. EPSS score of 0.05% and CVSS 2.0 reflect the high privilege requirement (PR:H), which severely constrains real-world exploitability despite public POC availability.
PHP
SQLi
Online Appointment Booking System
-
CVE-2025-14910
LOW
CVSS 2.1
Path traversal in the FTP daemon of Edimax BR-6208AC firmware version 1.02 allows an authenticated remote attacker to read files outside the intended FTP directory by sending crafted FTP commands to the handle_retr function. Exploit code is public. The device is discontinued and unsupported, so no vendor fix should be expected; disabling the FTP service or retiring the device is the practical mitigation. The CVSS score (2.1) is low and EPSS indicates minimal exploitation likelihood (0.12%), but the issue is real for the small population still running this legacy hardware.
Path Traversal
Br 6208ac Firmware
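The RETR handler bug class is a path built from the client's argument without collapsing `..` before it reaches the filesystem. The Python example below is added for this page and is not the BR-6208AC firmware code; FTP_ROOT, the session cwd and the file names are assumptions. It shows the naive join beside a containment check that normalises first and then verifies the result is still under the root.

```python
import posixpath
from typing import Optional

# Constructed example written for this page; it is not the BR-6208AC firmware
# code. FTP_ROOT, the session cwd and the file names are assumptions.

FTP_ROOT = "/srv/ftp"


def naive_retr(ftp_root: str, cwd: str, argument: str) -> str:
    """The pattern that produces traversal bugs: glue the client's argument
    onto the root and hand the result to open(). '..' is never collapsed, so
    the kernel resolves it and the read escapes the FTP directory."""
    virtual = argument if argument.startswith("/") else posixpath.join(cwd, argument)
    return posixpath.join(ftp_root, virtual.lstrip("/"))


def resolve_retr(ftp_root: str, cwd: str, argument: str) -> Optional[str]:
    """Map an FTP RETR argument to a host path under ftp_root.

    cwd is the session's current directory inside the FTP tree ('/' is the
    FTP root). An absolute FTP path is relative to the FTP root, not to the
    host filesystem. Returns the normalised host path, or None if the
    argument would resolve outside ftp_root.
    """
    root = posixpath.normpath(ftp_root)
    virtual = argument if argument.startswith("/") else posixpath.join(cwd, argument)
    # Collapse '.', '..' and repeated slashes lexically, then check containment
    # on the result rather than looking for '..' substrings in the input.
    host = posixpath.normpath(posixpath.join(root, virtual.lstrip("/")))
    # The '/' suffix stops '/srv/ftpx/...' from passing as inside '/srv/ftp'.
    if host != root and not host.startswith(root + "/"):
        return None
    return host
```

Two points the checks illustrate: an argument containing `..` is not necessarily an attack (`pub/../../../srv/ftp/pub/file.txt` lands back inside the root and is accepted), so rejecting on the substring is both too strict and, for encodings the parser does not see, too loose; and the lexical check is not sufficient on a real filesystem, where a symlink inside the FTP tree can still point outside it, so the open should go through realpath() or an openat() call with RESOLVE_BENEATH / O_NOFOLLOW as well.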
-
CVE-2025-14909
LOW
CVSS 2.1
JeecgBoot versions up to 3.9.0 allow an authenticated remote attacker to manipulate user session management through the SysUserOnlineController, resulting in unauthorized session access with low availability impact. Public exploit code is available, but the CVSS score of 2.1 reflects limited real-world risk given the authentication requirement and minimal impact scope. The CVE is not listed in CISA KEV, and the EPSS score of 0.13% indicates a low probability of widespread exploitation despite the public PoC.
Java
Information Disclosure
Jeecg Boot
-
CVE-2025-14908
LOW
CVSS 2.1
JeecgBoot up to version 3.9.0 allows an authenticated remote attacker to manipulate tenant ID arguments passed to the SysTenantController so that the tenant check is bypassed and data belonging to other tenants is exposed. The CVSS score is low (2.1) but public exploit code exists, suggesting active researcher interest despite minimal real-world impact signals (EPSS 0.32%, low severity). Exploitation requires prior authentication and yields only limited information disclosure within the multi-tenant architecture; the practical check is that every tenant-scoped query is filtered by the tenant bound to the session, not by a tenant ID supplied in the request.
Authentication Bypass
Java
Jeecg Boot
-
CVE-2025-14900
LOW
CVSS 2.0
SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privileged administrators to execute arbitrary SQL queries via the ID parameter in /admin/userdelete.php. The vulnerability requires administrator access and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. Publicly available exploit code exists, though EPSS scoring (0.01%, percentile 3%) indicates minimal real-world exploitation probability, suggesting the threat is primarily theoretical despite public disclosure.
PHP
SQLi
Real Estate Management System
-
CVE-2025-14899
LOW
CVSS 2.0
SQL injection in CodeAstro Real Estate Management System 1.0 allows a high-privilege administrator to inject SQL via the /admin/stateadd.php endpoint, potentially compromising database integrity and confidentiality. Administrative privileges are required to exploit it, and the CVSS score is low (2.0) because of the restricted scope and limited impact, but public exploit code exists. Real-world risk is minimal given the privilege barrier (PR:H); organizations running this system should still fix the endpoint (parameterized queries), since the realistic attacker is a compromised or malicious administrator account.
PHP
SQLi
Real Estate Management System
-
CVE-2025-14898
LOW
CVSS 2.0
SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privilege administrators to execute arbitrary SQL queries via the /admin/userbuilderdelete.php endpoint. The vulnerability requires authenticated administrator access (CVSS PR:H) and affects only confidentiality and integrity with low impact. Publicly available exploit code exists, though exploitation is limited by the requirement for valid high-privilege credentials and carries low real-world risk due to EPSS score of 0.05% and the attacker profile (malicious insiders with admin accounts).
PHP
SQLi
Real Estate Management System
-
CVE-2025-14897
LOW
CVSS 2.0
SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privileged administrators to execute arbitrary SQL queries via the /admin/useragentdelete.php endpoint. The vulnerability requires administrator credentials but poses risk to systems where admin accounts may be compromised or where privileged users are untrusted. Publicly available exploit code exists, though EPSS indicates low real-world exploitation probability at 0.05%.
PHP
SQLi
Real Estate Management System
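Every SQL injection entry on this page (Simple Stock System, Student Management System, Simple Blood Donor Management System, Supplier Management System, Scholars Tracking System, FastAdmin, Online Appointment Booking System and the CodeAstro Real Estate Management System) describes the same defect: a request argument spliced into a statement as text. The Python/sqlite3 example below is added here to show that defect and its fix in one place; it is not code from any of those products. The schema, rows and endpoint-style function names are assumptions chosen to mirror the described parameters (an `email` lookup and an `ID` deletion), and the payloads are constructed.

```python
import sqlite3
from typing import List, Tuple

# Constructed example written for this page; it is not code from any of the
# products listed. The schema, rows and endpoint-style function names are
# assumptions chosen to mirror the described parameters (email, ID).


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin@example.test', 'admin');
        INSERT INTO users VALUES (2, 'alice@example.test', 'user');
        INSERT INTO users VALUES (3, 'bob@example.test',   'user');
        CREATE TABLE admins (username TEXT, password_hash TEXT);
        INSERT INTO admins VALUES ('root', 'constructed-hash-value');
    """)
    return con


def find_by_email_vulnerable(con: sqlite3.Connection, email: str) -> List[Tuple]:
    """update.php-style lookup: the parameter is spliced into the statement,
    so a quote in it ends the literal and the rest becomes SQL grammar."""
    sql = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    return con.execute(sql).fetchall()


def find_by_email_safe(con: sqlite3.Connection, email: str) -> List[Tuple]:
    """Same query with a bound parameter: the driver sends the text as a
    value, so quotes, OR and UNION inside it are just characters."""
    return con.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def delete_user_vulnerable(con: sqlite3.Connection, user_id: str) -> int:
    """userdelete.php-style deletion; returns the number of users left."""
    con.execute(f"DELETE FROM users WHERE id = {user_id}")
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def delete_user_safe(con: sqlite3.Connection, user_id: str) -> int:
    """Validate the type before binding: a non-numeric ID is rejected, and a
    numeric one can only ever match a single row."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("ID must be an integer") from None
    con.execute("DELETE FROM users WHERE id = ?", (uid,))
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# Payloads of the kind the entries above describe (constructed).
AUTH_BYPASS = "' OR '1'='1"
UNION_LEAK = "' UNION SELECT 0, username, password_hash FROM admins --"
MASS_DELETE = "2 OR 1=1"
```

Run against the same in-memory database, the vulnerable lookup returns every user for AUTH_BYPASS and the admin hash for UNION_LEAK, while the bound version returns nothing for either; the vulnerable delete empties the table on MASS_DELETE, while the typed version refuses the input before any SQL runs. That last step is why "PR:H" in these entries is not a reason to skip the fix: the payload is the same whether it comes from an outsider or from a compromised administrator session.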