Skip to main content
CVE-2025-68437 MEDIUM POC PATCH This Month

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). [CVSS 6.8 MEDIUM]

SSRF Craft Cms
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-65328 MEDIUM POC This Month

Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. [CVSS 6.5 MEDIUM]

Authentication Bypass Mega Fence
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67732 MEDIUM POC This Month

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. [CVSS 6.5 MEDIUM]

Authentication Bypass Information Disclosure AI / ML Dify
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15448 MEDIUM POC This Month

A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. [CVSS 6.3 MEDIUM]

Java Javamall
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-59955 MEDIUM POC This Month

Coolify versions up to 4.0.0 contains a vulnerability that allows attackers to a malicious actor to perform an unauthorized email address change on behalf of t (CVSS 5.7).

Information Disclosure Coolify
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-15458 MEDIUM POC This Month

A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. [CVSS 7.3 HIGH]

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2025-15457 MEDIUM POC This Month

A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. [CVSS 7.3 HIGH]

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-0589 MEDIUM POC This Month

Online Product Reservation System versions up to 1.0 is affected by improper authentication (CVSS 7.3).

Authentication Bypass Online Product Reservation System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-15456 MEDIUM POC This Month

A vulnerability has been found in bg5sbk MiniCMS up to 1.8. The affected element is an unknown function of the file /mc-admin/page-edit.php of the component Publish Page Handler. [CVSS 7.3 HIGH]

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-15455 MEDIUM POC This Month

A flaw has been found in bg5sbk MiniCMS up to 1.8. Impacted is the function delete_page of the file /minicms/mc-admin/page.php of the component File Recovery Request Handler. [CVSS 6.5 MEDIUM]

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0606 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the ID parameter in /FrontEnd/Albums.php allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving all installations at risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0605 MEDIUM POC This Month

SQL injection in the Online Music Site 1.0 login functionality allows unauthenticated remote attackers to manipulate username and password parameters, potentially leading to unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0592 MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 user registration handler allows remote attackers to manipulate multiple input fields (name, address, contact details, email, username) without authentication to execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing active exploitation risk. No patch is currently available for affected PHP-based installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0585 MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the transaction_id parameter in /order_view.php and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to read, modify, or delete sensitive data with network access only.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0583 MEDIUM POC This Month

SQL injection in the User Login component of Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the emailadd parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or modify database contents. No patch is currently available to address this issue.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15449 MEDIUM POC This Month

A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. [CVSS 5.4 MEDIUM]

Java Path Traversal Javamall
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-67316 MEDIUM POC This Month

An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser [CVSS 5.4 MEDIUM]

RCE XSS Internet Browser
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-67315 MEDIUM POC This Month

Employee Leave Management System versions up to 2.1 is affected by cross-site request forgery (csrf) (CVSS 5.4).

PHP Employee Leave Management System
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-64422 MEDIUM POC This Month

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. [CVSS 4.3 MEDIUM]

Denial Of Service Coolify
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-12513 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]

XSS Centreon Web
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-12511 MEDIUM PATCH This Month

Dynamic Service Management versions up to 25.10.1 is affected by cross-site scripting (xss) (CVSS 6.8).

XSS Dynamic Service Management
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-13056 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. [CVSS 6.8 MEDIUM]

XSS Centreon Web
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-23511 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-39561 MEDIUM This Month

Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-15235 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. [CVSS 6.5 MEDIUM]

Authentication Bypass AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67427 MEDIUM This Month

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. [CVSS 6.5 MEDIUM]

SSRF Evershop
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68280 MEDIUM PATCH This Month

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...

Apache Java XXE Spatial Information System
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-15239 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15238 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69224 MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]

Python Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68436 MEDIUM PATCH This Month

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. [CVSS 6.5 MEDIUM]

Information Disclosure Craft Cms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68014 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in Awethemes AweBooking allows Retrieve Embedded Sensitive Data.This issue affects AweBooking: from n/a through 3.2.26. [CVSS 6.5 MEDIUM]

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2023-51513 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21634 MEDIUM This Month

UniFi Protect Application versions 6.1.79 and earlier suffer from a buffer overflow in the discovery protocol that allows adjacent network attackers to trigger denial of service by causing the application to restart. The vulnerability requires network proximity but no authentication or user interaction, making it exploitable by any attacker on the same network segment. Administrators should upgrade to version 6.2.72 or later to remediate this issue.

Buffer Overflow Unifi Protect
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-39497 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS.This issue affects Dokan Pro: from n/a through 3.14.5. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68029 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in WP Swings Wallet System for WooCommerce allows Retrieve Embedded Sensitive Data.This issue affects Wallet System for WooCommerce: from n/a through 2.7.2. [CVSS 6.3 MEDIUM]

WordPress Information Disclosure
NVD
CVSS 3.0
6.3
EPSS
0.0%
CVE-2025-52516 MEDIUM This Month

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service. [CVSS 6.2 MEDIUM]

Samsung Linux Denial Of Service Exynos 1330 Firmware Exynos 1480 Firmware +4
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-52517 MEDIUM This Month

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service. [CVSS 5.9 MEDIUM]

Samsung Denial Of Service Race Condition Exynos 1330 Firmware Exynos 1480 Firmware +4
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2023-52212 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. [CVSS 5.4 MEDIUM]

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-5591 MEDIUM This Month

Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user’s session and perform actions in their security context. [CVSS 5.4 MEDIUM]

XSS Xperience
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69226 MEDIUM PATCH This Month

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]

Python Path Traversal Aiohttp Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21635 MEDIUM This Month

Unifi Connect EV Station Lite firmware v1.5.2 and earlier contains an access control weakness that permits nearby Wi-Fi attackers to activate the AutoLink feature on devices provisioned exclusively through Ethernet connections. This vulnerability could allow unauthorized wireless configuration of the charging station despite it being administratively restricted to wired network adoption. No patch is currently available for this medium-severity issue.

Authentication Bypass Unifi Connect Ev Station Lite Firmware
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-12519 MEDIUM PATCH This Month

Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. [CVSS 5.3 MEDIUM]

Information Disclosure Centreon Web
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-52515 MEDIUM This Month

An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service. [CVSS 5.1 MEDIUM]

Samsung Denial Of Service Race Condition Exynos 2400 Firmware Exynos 2500 Firmware +4
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-15237 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. [CVSS 4.3 MEDIUM]

Path Traversal AI / ML Qoca Aim
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-15236 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. [CVSS 4.3 MEDIUM]

Path Traversal AI / ML Qoca Aim
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-65922 MEDIUM This Month

PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. [CVSS 4.3 MEDIUM]

XSS
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-31046 MEDIUM This Month

Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53344 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery.This issue affects Thim Core: from n/a through 2.3.3. [CVSS 4.3 MEDIUM]

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy