Skip to main content
CVE-2023-53959 HIGH POC This Week

FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Filezilla Client
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.3%
CVE-2025-14968 MEDIUM POC This Month

A security flaw has been discovered in code-projects Simple Stock System 1.0. Affected by this issue is some unknown functionality of the file /market/update.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

PHP SQLi Simple Stock System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14967 MEDIUM POC This Month

A vulnerability was identified in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /candidates_report.php. The manipulation of the argument school_year leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14952 MEDIUM POC This Month

A vulnerability was detected in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_category.php. Performing a manipulation of the argument txtCategoryName results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.

PHP SQLi Supplier Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14951 MEDIUM POC This Month

A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impacted element is an unknown function of the file /home.php. Such manipulation of the argument post_content leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

PHP SQLi Scholars Tracking System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14950 MEDIUM POC This Month

A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

PHP SQLi Scholars Tracking System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14940 MEDIUM POC This Month

A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Scholars Tracking System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14961 MEDIUM POC This Month

A vulnerability was detected in code-projects Simple Blood Donor Management System 1.0. The affected element is an unknown function of the file /editedcampaign.php. The manipulation of the argument campaignname results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

PHP SQLi Simple Blood Donor Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14960 MEDIUM POC This Month

A security vulnerability has been detected in code-projects Simple Blood Donor Management System 1.0. Impacted is an unknown function of the file /editeddonor.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

PHP SQLi Simple Blood Donor Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14959 MEDIUM POC This Month

A weakness has been identified in code-projects Simple Stock System 1.0. This issue affects some unknown processing of the file /market/signup.php. Executing a manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi Simple Stock System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-1928 CRITICAL Act Now

The Online Food Delivery System by Restajet Information Technologies through version 19122025 fails to restrict repeated authentication attempts, enabling password recovery exploitation and unauthorized account access. With a CVSS score of 9.1 (critical severity) and unauthenticated network-based attack vector, attackers can brute-force credentials without lockout mechanisms. No public exploit is identified at time of analysis, with EPSS probability at 0.07% (22nd percentile). The vendor did not respond to early disclosure attempts by Turkey's national CERT (USOM).

Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-14151 HIGH This Week

Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via unsanitized 'outbound_resource' parameter in slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-1927 HIGH This Week

Authenticated attackers can perform unauthorized state-changing operations in Restajet Online Food Delivery System (all versions through December 19, 2025) by exploiting missing CSRF protections. The vulnerability, disclosed by Turkey's USOM (National Cyber Incident Response Center), carries a CVSS score of 7.1 with high integrity impact, though EPSS modeling indicates only 0.02% exploitation probability (5th percentile). No public exploit identified at time of analysis, and vendor did not respond to disclosure attempts.

CSRF
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-14955 LOW POC PATCH Monitor

Improper initialization in the PFCP handler function ogs_pfcp_handle_create_pdr within Open5GS up to version 2.7.5 allows remote attackers to trigger information disclosure with high attack complexity. The vulnerability has a publicly available proof-of-concept and carries a very low EPSS score (0.15%), indicating minimal real-world exploitation probability despite public availability of exploit code. CVSS 2.9 reflects the limited technical impact (availability of confidentiality only), but the high complexity and resource requirements make practical attacks difficult.

Information Disclosure Open5gs
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-14954 LOW POC PATCH Monitor

Reachable assertion in Open5GS up to version 2.7.6 affects the PFCP context management functions (PDR, FAR, URR, QER) in lib/pfcp/context.c, allowing remote attackers to trigger a denial of service condition via crafted PFCP messages. The vulnerability requires high attack complexity and has low availability impact, but publicly available exploit code exists. CVSS 2.9 / EPSS 0.14% indicates low real-world exploitation probability despite public POC.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-14908 LOW POC PATCH Monitor

Authentication bypass in JeecgBoot up to version 3.9.0 allows authenticated remote attackers to manipulate tenant ID arguments in the SysTenantController, resulting in improper authentication checks that grant unauthorized access to other tenants' data. The vulnerability has a low CVSS score of 2.1 but publicly available exploit code exists, suggesting active researcher interest despite minimal real-world impact signals (EPSS 0.32%, low severity scope). Exploitation requires prior authentication and produces only limited information disclosure within the multi-tenant architecture.

Java Authentication Bypass Jeecg Boot
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2025-14909 LOW POC PATCH Monitor

JeecgBoot versions up to 3.9.0 allow authenticated remote attackers to manipulate user session management through the SysUserOnlineController, resulting in unauthorized session access with low availability impact. Public exploit code is available, though the CVSS score of 2.1 reflects limited real-world risk due to the requirement for authenticated access and minimal impact scope. Active exploitation has not been confirmed in CISA KEV, and the EPSS score of 0.13% indicates low probability of widespread exploitation despite public POC availability.

Information Disclosure Java Jeecg Boot
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14910 LOW POC Monitor

Path traversal in the FTP daemon service of Edimax BR-6208AC firmware version 1.02 allows authenticated remote attackers to access files outside the intended FTP directory via crafted FTP commands to the handle_retr function. The device is discontinued and unsupported; exploit code is publicly available. While CVSS score is low (2.1) and EPSS indicates minimal exploitation likelihood (0.12%), the vulnerability is real for the small population still using this legacy hardware.

Path Traversal Br 6208ac Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14962 LOW POC Monitor

Stored cross-site scripting (XSS) in Simple Stock System 1.0 via the /market/chatuser.php endpoint allows remote attackers to inject malicious scripts without authentication. User interaction is required for payload execution. Publicly available exploit code exists; EPSS score of 0.08% indicates low statistical exploitation probability despite XSS classification.

PHP XSS Simple Stock System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-58052 LOW POC Monitor

Galette membership management application versions 0.9.6 through 1.1.x contain an authorization bypass allowing group managers to escalate privileges and modify data beyond their intended role scope. The vulnerability requires authenticated access as a group manager and affects the integrity of membership data and organizational controls. Galette 1.2.0 resolves the issue; affected deployments should upgrade immediately to restore proper role-based access controls.

Authentication Bypass Galette
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14966 LOW POC Monitor

SQL injection in FastAdmin up to version 1.7.0.20250506 allows high-privilege authenticated attackers to execute arbitrary SQL queries via manipulation of the custom/searchField parameter in the selectpage function of the Backend Controller. The vulnerability requires administrator-level privileges and has publicly available exploit code, though the low CVSS score (2.0) and minimal EPSS exploitation probability (0.06%) indicate limited real-world risk despite active disclosure.

PHP SQLi Fastadmin
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-14939 LOW POC Monitor

SQL injection in code-projects Online Appointment Booking System 1.0 allows high-privilege remote attackers to manipulate the managername parameter in /admin/deletemanager.php, resulting in limited confidentiality and integrity impact. EPSS score of 0.05% and CVSS 2.0 reflect the high privilege requirement (PR:H), which severely constrains real-world exploitability despite public POC availability.

PHP SQLi Online Appointment Booking System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-14899 LOW POC Monitor

SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privilege administrators to inject malicious SQL via the /admin/stateadd.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability requires administrative privileges to exploit and has a low CVSS score (2.0) due to restricted scope and limited impact, but publicly available exploit code exists. Real-world risk is minimal given the high privilege barrier (PR:H), though organizations running this system should prioritize patching to prevent insider threats.

PHP SQLi Real Estate Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-14898 LOW POC Monitor

SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privilege administrators to execute arbitrary SQL queries via the /admin/userbuilderdelete.php endpoint. The vulnerability requires authenticated administrator access (CVSS PR:H) and affects only confidentiality and integrity with low impact. Publicly available exploit code exists, though exploitation is limited by the requirement for valid high-privilege credentials and carries low real-world risk due to EPSS score of 0.05% and the attacker profile (malicious insiders with admin accounts).

PHP SQLi Real Estate Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-14897 LOW POC Monitor

SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privileged administrators to execute arbitrary SQL queries via the /admin/useragentdelete.php endpoint. The vulnerability requires administrator credentials but poses risk to systems where admin accounts may be compromised or where privileged users are untrusted. Publicly available exploit code exists, though EPSS indicates low real-world exploitation probability at 0.05%.

PHP SQLi Real Estate Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-14900 LOW POC Monitor

SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privileged administrators to execute arbitrary SQL queries via the ID parameter in /admin/userdelete.php. The vulnerability requires administrator access and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. Publicly available exploit code exists, though EPSS scoring (0.01%, percentile 3%) indicates minimal real-world exploitation probability, suggesting the threat is primarily theoretical despite public disclosure.

PHP SQLi Real Estate Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-14956 LOW POC PATCH Monitor

Heap-based buffer overflow in WebAssembly Binaryen up to version 125 within the WasmBinaryReader::readExport function allows local attackers with low privileges to cause limited information disclosure and integrity compromise. The vulnerability requires local access and authenticated privileges but has extremely low real-world exploitability with EPSS score of 0.04% despite publicly available proof-of-concept code, indicating this is a narrow, low-impact issue unlikely to be prioritized in most threat environments.

Buffer Overflow Binaryen
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14958 LOW POC PATCH Monitor

Heap-based buffer overflow in sokol_gfx.h's _sg_pipeline_common_init function allows local authenticated attackers to corrupt memory with low impact on confidentiality, integrity, and availability. Exploitation requires local access and authenticated privileges but no user interaction. Publicly available exploit code exists, though EPSS scoring (0.03%) indicates minimal real-world exploitation probability despite low CVSS score.

Buffer Overflow Sokol
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14957 LOW POC PATCH Monitor

Null pointer dereference in WebAssembly Binaryen up to version 125 allows local authenticated users to cause denial of service by manipulating the Index argument in IRBuilder::makeLocalGet, IRBuilder::makeLocalSet, or IRBuilder::makeLocalTee functions. Public exploit code exists, though real-world impact is minimal given the very low EPSS score (0.03%, 7th percentile) and local-access-only attack vector. This vulnerability is low-severity and unlikely to be prioritized for rapid patching in most environments.

Denial Of Service Binaryen
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-14546 MEDIUM PATCH This Month

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

Authentication Bypass CSRF
NVD GitHub
CVSS 4.0
5.4
EPSS
0.2%
CVE-2025-1885 MEDIUM This Month

Restajet Online Food Delivery System allows authenticated users to redirect victims to untrusted external sites through an unvalidated URL redirection mechanism, enabling phishing attacks and forceful browsing. The vulnerability affects all versions through 19122025 and has a moderate CVSS score of 5.4 with low exploitation probability (EPSS 0.04%, 12th percentile), indicating limited real-world attack likelihood despite the functional impact. The vendor has not responded to early disclosure attempts by the Turkish national CERT, leaving no official patch available.

Open Redirect
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14953 LOW POC PATCH Monitor

Null pointer dereference in Open5GS up to version 2.7.5 allows remote authenticated attackers to cause denial of service by sending manipulated PFCP (Packet Forwarding Control Protocol) packets that trigger improper handling in the FAR-ID handler component. The vulnerability requires high attack complexity and authenticated access, limiting real-world exploitation despite publicly available proof-of-concept code and a low CVSS score of 1.3 reflecting restricted impact scope.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy