Skip to main content
CVE-2025-41077 HIGH This Week

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. [CVSS 8.1 HIGH]

Authentication Bypass Inbox
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-14279 HIGH PATCH This Week

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. [CVSS 8.1 HIGH]

Authentication Bypass Mlflow
NVD GitHub
CVSS 3.0
8.1
EPSS
0.0%
CVE-2025-69273 HIGH This Week

Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 7.5 HIGH]

Broadcom Linux Windows Authentication Bypass Dx Netops Spectrum
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69271 HIGH This Week

Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. [CVSS 7.5 HIGH]

Broadcom Linux Windows Dx Netops Spectrum
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69272 HIGH This Week

Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 21.2.1 and earlier. [CVSS 7.5 HIGH]

Broadcom Linux Windows Dx Netops Spectrum
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22214 MEDIUM This Month

RIOT OS ethos utility has a stack buffer overflow in _handle_char() due to missing bounds checking on serial frame data. Incoming frame bytes overflow a fixed-size stack buffer.

Buffer Overflow Stack Overflow Riot
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2025-68622 MEDIUM PATCH This Month

Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length...

Buffer Overflow Usb Host Uvc Class Driver
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-68656 MEDIUM PATCH This Month

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. [CVSS 6.8 MEDIUM]

Use After Free Usb Host Hid Driver
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-22801 MEDIUM PATCH This Month

Libpng versions 1.6.26 through 1.6.53 contain an integer truncation flaw in the simplified write API functions that triggers a heap buffer over-read when processing images with negative row strides or strides exceeding 65535 bytes. Local attackers can exploit this to read sensitive heap memory, potentially disclosing application data. No patch is currently available; users should avoid processing untrusted PNG images with these vulnerable libpng versions.

Buffer Overflow Libpng Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-69267 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. [CVSS 6.5 MEDIUM]

Broadcom Linux Windows Path Traversal Dx Netops Spectrum
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-65553 MEDIUM This Month

Xz-G12 Firmware versions up to 2.1.17 contains a vulnerability that allows attackers to undetected intrusions or failure to trigger safety alerts (CVSS 6.5).

Xz G12 Firmware Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68468 MEDIUM PATCH This Month

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. [CVSS 6.5 MEDIUM]

Denial Of Service Avahi Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22213 LOW POC Monitor

RIOT OS (IoT operating system) tapslip6 utility has a stack buffer overflow due to unbounded strcpy/strcat with user-controlled device name input. PoC available.

Buffer Overflow Stack Overflow Riot
NVD GitHub
CVSS 4.0
2.4
EPSS
0.0%
CVE-2025-68657 MEDIUM PATCH This Month

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. [CVSS 6.4 MEDIUM]

Information Disclosure Usb Host Hid Driver
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-69275 MEDIUM This Month

Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS.This issue affects DX NetOps Spectrum: 24.3.9 and earlier. [CVSS 6.1 MEDIUM]

Broadcom Linux Windows Dx Netops Spectrum XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-69268 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. [CVSS 6.1 MEDIUM]

Broadcom Linux Windows XSS Dx Netops Spectrum
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22798 MEDIUM PATCH This Month

Hermes versions up to 0.9.1 is affected by insertion of sensitive information into log file (CVSS 5.9).

Information Disclosure Hermes
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-68276 MEDIUM PATCH This Month

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. [CVSS 5.5 MEDIUM]

Denial Of Service Avahi Red Hat Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22789 MEDIUM PATCH This Month

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. [CVSS 5.4 MEDIUM]

PHP RCE Wem
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2021-41074 MEDIUM This Month

A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. [CVSS 5.4 MEDIUM]

PHP CSRF Qloapps
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0853 MEDIUM This Month

A-Plus Video Technologies NVR devices expose an unauthenticated debug page that allows remote attackers to retrieve sensitive device status information without authentication. The vulnerability requires no user interaction and can be exploited over the network, enabling reconnaissance attacks against affected systems. No patch is currently available to remediate this exposure.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67813 MEDIUM This Month

Kace Desktop Authority versions up to 11.3.1 is affected by incorrect default permissions (CVSS 5.3).

Privilege Escalation Kace Desktop Authority
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22251 MEDIUM PATCH This Month

Wlc versions prior to 1.17.0 fail to restrict unscoped API keys, allowing them to be transmitted to unintended Weblate servers and potentially leaked to attackers with local access or through compromised credentials. A local attacker with user privileges could exploit this information disclosure to gain unauthorized access to Weblate instances across multiple servers. A patch is available in version 1.17.0 and later.

Information Disclosure Wlc
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22212 MEDIUM This Month

TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery.

Buffer Overflow Stack Overflow
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-14579 MEDIUM This Month

Quiz Maker WordPre versions up to 6.7.0.89 contains a vulnerability that allows attackers to high privilege users such as admin to perform Stored Cross-Site Scripting attack (CVSS 4.8).

WordPress XSS PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-22050 MEDIUM This Month

Ontap versions up to 9.16.1 is affected by authorization bypass through user-controlled key (CVSS 4.3).

Authentication Bypass Ontap
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22250 LOW PATCH Monitor

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. [CVSS 2.5 LOW]

TLS
NVD GitHub
CVSS 3.1
2.5
EPSS
0.0%
CVE-2026-22800 LOW PATCH Monitor

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. [CVSS 2.4 LOW]

CSRF Pilos
NVD GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-22805 LOW Monitor

Metabase is an open-source data analytics platform. versions up to 55.13 is affected by server-side request forgery (ssrf).

SSRF Metabase
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-41003 This Week

Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-40978 This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to ‘/ticket/x/conversion’, using the ‘reply_description’ parameter.

Golang XSS
NVD
EPSS
0.1%
CVE-2025-40977 This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters.

Golang XSS
NVD
EPSS
0.1%
CVE-2025-40976 This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/ticketgo-saas/home’, using the ‘description’ parameter.

XSS
NVD
EPSS
0.1%
CVE-2025-40975 This Week

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/hrmgo/ticket/changereply’, using the ‘description’ parameter.

XSS
NVD
EPSS
0.1%
CVE-2025-41006 This Week

Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’.

PHP SQLi
NVD
EPSS
0.0%
CVE-2025-41005 This Week

Imaster's MEMS Events CRM contains an SQL injection vulnerability in‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.

PHP SQLi
NVD
EPSS
0.0%
CVE-2025-41004 This Week

Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.

PHP SQLi
NVD
EPSS
0.0%
CVE-2025-14470 Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy