Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). [CVSS 6.8 MEDIUM]
Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. [CVSS 6.5 MEDIUM]
Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. [CVSS 6.5 MEDIUM]
A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. [CVSS 6.3 MEDIUM]
Coolify versions up to 4.0.0 contains a vulnerability that allows attackers to a malicious actor to perform an unauthorized email address change on behalf of t (CVSS 5.7).
A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. [CVSS 7.3 HIGH]
A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. [CVSS 7.3 HIGH]
Online Product Reservation System versions up to 1.0 is affected by improper authentication (CVSS 7.3).
A vulnerability has been found in bg5sbk MiniCMS up to 1.8. The affected element is an unknown function of the file /mc-admin/page-edit.php of the component Publish Page Handler. [CVSS 7.3 HIGH]
A flaw has been found in bg5sbk MiniCMS up to 1.8. Impacted is the function delete_page of the file /minicms/mc-admin/page.php of the component File Recovery Request Handler. [CVSS 6.5 MEDIUM]
SQL injection in code-projects Online Music Site 1.0 via the ID parameter in /FrontEnd/Albums.php allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving all installations at risk.
SQL injection in the Online Music Site 1.0 login functionality allows unauthenticated remote attackers to manipulate username and password parameters, potentially leading to unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at immediate risk.
SQL injection in the Online Product Reservation System 1.0 user registration handler allows remote attackers to manipulate multiple input fields (name, address, contact details, email, username) without authentication to execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing active exploitation risk. No patch is currently available for affected PHP-based installations.
SQL injection in the Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the transaction_id parameter in /order_view.php and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to read, modify, or delete sensitive data with network access only.
SQL injection in the User Login component of Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the emailadd parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or modify database contents. No patch is currently available to address this issue.
A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. [CVSS 5.4 MEDIUM]
An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser [CVSS 5.4 MEDIUM]
Employee Leave Management System versions up to 2.1 is affected by cross-site request forgery (csrf) (CVSS 5.4).
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. [CVSS 4.3 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]
Dynamic Service Management versions up to 25.10.1 is affected by cross-site scripting (xss) (CVSS 6.8).
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 6.5 MEDIUM]
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. [CVSS 6.5 MEDIUM]
A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. [CVSS 6.5 MEDIUM]
Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. [CVSS 6.5 MEDIUM]
Insertion of Sensitive Information Into Sent Data vulnerability in Awethemes AweBooking allows Retrieve Embedded Sensitive Data.This issue affects AweBooking: from n/a through 3.2.26. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. [CVSS 6.5 MEDIUM]
UniFi Protect Application versions 6.1.79 and earlier suffer from a buffer overflow in the discovery protocol that allows adjacent network attackers to trigger denial of service by causing the application to restart. The vulnerability requires network proximity but no authentication or user interaction, making it exploitable by any attacker on the same network segment. Administrators should upgrade to version 6.2.72 or later to remediate this issue.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS.This issue affects Dokan Pro: from n/a through 3.14.5. [CVSS 6.5 MEDIUM]
Insertion of Sensitive Information Into Sent Data vulnerability in WP Swings Wallet System for WooCommerce allows Retrieve Embedded Sensitive Data.This issue affects Wallet System for WooCommerce: from n/a through 2.7.2. [CVSS 6.3 MEDIUM]
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service. [CVSS 6.2 MEDIUM]
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service. [CVSS 5.9 MEDIUM]
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. [CVSS 5.4 MEDIUM]
Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. [CVSS 5.4 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]
Unifi Connect EV Station Lite firmware v1.5.2 and earlier contains an access control weakness that permits nearby Wi-Fi attackers to activate the AutoLink feature on devices provisioned exclusively through Ethernet connections. This vulnerability could allow unauthorized wireless configuration of the charging station despite it being administratively restricted to wired network adoption. No patch is currently available for this medium-severity issue.
Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. [CVSS 5.3 MEDIUM]
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service. [CVSS 5.1 MEDIUM]
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. [CVSS 4.3 MEDIUM]
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. [CVSS 4.3 MEDIUM]
PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. [CVSS 4.3 MEDIUM]
Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29. [CVSS 4.3 MEDIUM]
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery.This issue affects Thim Core: from n/a through 2.3.3. [CVSS 4.3 MEDIUM]