Skip to main content
CVE-2025-15098 LOW POC Monitor

Server-side request forgery in YunaiV yudao-cloud through version 2025.11 allows authenticated remote attackers to manipulate HTTP callback and sync request functionality in the Business Process Management component by controlling the URL, headers, and body parameters, enabling attackers to forge arbitrary server-side requests. The vulnerability carries a low CVSS score (2.1) due to the authenticated requirement (PR:L) and limited scope, but publicly available proof-of-concept code exists; the vendor did not respond to early disclosure notification.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15094 LOW POC Monitor

Reflected cross-site scripting (XSS) in sunkaifei FlyCMS userLogin function allows unauthenticated remote attackers to inject malicious scripts via the redirectUrl parameter, requiring user interaction to trigger. The vulnerability is publicly available for exploitation with a low CVSS score of 2.1 reflecting limited integrity impact, but active public PoC code exists and the affected project has not responded to disclosure.

Java XSS Flycms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15093 LOW POC Monitor

Cross-site scripting (XSS) in sunkaifei FlyCMS Admin Login component allows remote attackers to inject malicious scripts via the redirectUrl parameter in IndexAdminController.java. The vulnerability requires user interaction (UI:P) and results in limited integrity impact (VI:L), with a very low CVSS score of 2.1 despite public exploit availability. Active exploitation risk is minimal given the low EPSS score (0.02%, 6th percentile) and requirement for social engineering the admin user.

Java XSS Flycms
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15095 LOW Monitor

Cross-site scripting (XSS) vulnerability in postmanlabs httpbin up to version 0.6.1 allows authenticated remote attackers to inject malicious scripts via manipulation of an unknown function in httpbin/core.py, requiring user interaction to execute. Public exploit code is available, and the vendor has not yet responded to early disclosure notification despite a low CVSS score of 2.0 and EPSS exploitation probability of 0.02%, indicating minimal real-world risk despite code availability.

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy