Skip to main content
CVE-2025-15398 LOW POC Monitor

A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP Information Disclosure Badaso
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-15391 LOW POC Monitor

Command injection in the SSDP Request Handler (ssdpcgi_main function) of D-Link DIR-806A firmware 100CNb11 allows remote authenticated attackers to execute arbitrary commands with low integrity and availability impact. Publicly available exploit code exists, but the vulnerability affects only end-of-life firmware with minimal real-world exploitation probability (EPSS 0.11%) due to low privilege requirements and limited scope of impact.

Command Injection D-Link Dir 806A Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15393 LOW POC Monitor

A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP Information Disclosure Kodicms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15375 LOW POC Monitor

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".

PHP Deserialization Eyoucms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15373 LOW POC Monitor

Server-side request forgery (SSRF) in EyouCMS versions up to 1.7.7 allows authenticated remote attackers to manipulate the saveRemote function in application/function.php, enabling arbitrary HTTP requests from the server. The vulnerability carries low confidentiality, integrity, and availability impact but is publicly exploitable with proof-of-concept code available. Vendor has acknowledged the flaw and committed to releasing patched version 1.7.8.

PHP SSRF Eyoucms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15390 LOW POC Monitor

Missing authorization in PHPGurukul Small CRM 4.0's /admin/edit-user.php endpoint allows authenticated users to perform unauthorized administrative actions via remote network access. The vulnerability enables privilege escalation or lateral movement by bypassing access controls on user management functions. While publicly available exploit code exists and CVSS indicates network accessibility, the low EPSS score (0.02%, 4th percentile) and requirement for prior authentication suggest limited real-world exploitation despite proof-of-concept availability.

PHP Authentication Bypass Small Crm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15223 LOW POC Monitor

A vulnerability was found in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. Impacted is an unknown function of the file /login.php. Performing manipulation of the argument Username results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure and makes clear that the product is "[f]or educational purposes only".

PHP XSS Simple Php Blog
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15394 LOW POC Monitor

Code injection in iCMS up to version 8.0.0 allows remote attackers with high privileges to inject arbitrary code via the config POST parameter in the ConfigAdmincp.php component. The vulnerability affects the Save function's parameter handling and has publicly available exploit code, though the extremely low CVSS score (2.0) reflects the requirement for high-privileged authenticated access, limiting real-world risk despite public exploit availability.

PHP Code Injection Icms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-15374 LOW POC Monitor

A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing a manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".

PHP XSS Eyoucms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15372 LOW POC Monitor

A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

XSS Vue3 Element Admin
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-15392 LOW Monitor

A weakness has been identified in Kohana KodiCMS up to 13.82.135. This affects the function like of the file cms/modules/pages/classes/kodicms/model/page.php of the component Search API Endpoint. Executing manipulation of the argument keyword can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Kodicms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy