Skip to main content
CVE-2025-15105 LOW POC Monitor

Use of hard-coded cryptographic keys in getmaxun maxun up to version 0.0.28 allows remote unauthenticated attackers to manipulate the api_key parameter in the authentication route, potentially disclosing sensitive information with high attack complexity. Publicly available exploit code exists, though EPSS scoring (0.07%) and vendor non-responsiveness suggest limited real-world exploitation pressure despite confirmed POC availability.

Information Disclosure Maxun
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-15107 LOW POC Monitor

Actiontech SQLE up to version 4.2511.0 uses a hard-coded cryptographic key in its JWT Secret Handler (sqle/utils/jwt.go), allowing remote attackers with no authentication or user interaction to gain limited information disclosure. The vulnerability results from improper handling of the JWTSecretKey argument, though exploitation is rated as difficult due to high attack complexity. Publicly available exploit code exists, and the vendor has committed to addressing this in an upcoming release.

Information Disclosure Sqle
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-15106 LOW POC Monitor

Improper authorization in getmaxun maxun up to version 0.0.28 allows authenticated remote attackers to access unauthorized resources via manipulation of the authentication endpoint router in server/src/routes/auth.ts, with publicly available exploit code and an EPSS score of 0.15% indicating low real-world exploitation probability despite confirmed public disclosure.

Information Disclosure Maxun
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-15110 LOW POC Monitor

Unrestricted file upload in jackq XCMS allows high-privilege authenticated users to upload arbitrary files via the ProductImageController component, with publicly available exploit code disclosed. Despite a CVSS score of 2.0 reflecting the high authentication requirement (PR:H), the vulnerability enables authenticated administrators to bypass intended upload restrictions and potentially achieve remote code execution by uploading malicious files. The vendor has been informed via public issue report but has not yet responded with a fix.

PHP Authentication Bypass File Upload Xcms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15108 LOW Monitor

PandaX JWT Secret Handler uses hard-coded cryptographic keys in the config.yml file, allowing remote attackers to bypass authentication and decrypt sensitive JWT tokens with high attack complexity. The vulnerability affects the product up to commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5, and although public exploit code exists, the extremely low EPSS score (0.05%) and high attack complexity suggest limited real-world exploitation despite network accessibility.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy