Skip to main content

N A

457 CVEs product

Monthly

CVE-2025-67030 Maven HIGH PATCH GHSA This Week

A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642, allowing attackers to escape the intended extraction directory and write arbitrary files to the filesystem, potentially leading to remote code execution. The vulnerability affects any application using vulnerable versions of plexus-utils for archive extraction operations. A proof-of-concept has been publicly disclosed via a GitHub Gist, and the fix has been merged into the project repository.

Path Traversal RCE N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-52204 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x where the customer.pl endpoint improperly handles the OTRSCustomerInterface parameter, allowing attackers to inject and execute arbitrary JavaScript in the context of victim browsers. This affects Znuny ITSM versions in the 6.5.x release line, and a proof-of-concept exploit has been publicly disclosed on GitHub, indicating active awareness and potential exploitation capability in the threat landscape.

XSS N A
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-63260 MEDIUM This Month

SyncFusion versions up to 30.1.37 contain stored Cross-Site Scripting (XSS) vulnerabilities in two distinct UI components: the Document-Editor reply-to-comment field and the Chat-UI chat message field. An attacker can inject malicious JavaScript payloads through these fields, which are then stored and executed in the browsers of other users who view the affected content, potentially enabling session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status is currently available, but proof-of-concept exploitation details are documented in the pentest-tools reference (PTT-2025-023-Multiple-Stored-XSS.pdf).

XSS N A
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67260 HIGH This Week

A file upload vulnerability exists in multiple Terrapack software components from ASTER TEC / ASTER S.p.A. that permits remote code execution when attackers upload malicious files. The affected products include Terrapack TkWebCoreNG version 1.0.20200914, Terrapack TKServerCGI version 2.5.4.150, and Terrapack TpkWebGIS Client version 1.0.0. Proof-of-concept code is available in public repositories, and the vulnerability enables arbitrary code execution on affected systems.

RCE File Upload N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26740 HIGH POC PATCH This Week

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when processing Graphic Control Extension blocks, enabling remote attackers to trigger denial of service conditions. Public exploit code exists for this vulnerability, though no patch is currently available. The flaw affects any application using the vulnerable giflib version to process GIF files from untrusted sources.

Buffer Overflow Denial Of Service Memory Corruption N A
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-30695 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess physical access control devices across multiple product lines (XA4, X3/X3BIO, X4, X7, and XIO/i-door/i-door+). The vulnerability stems from improper sanitization of the dirBrowse parameter in the /file_manager.cgi endpoint, allowing attackers to inject malicious scripts that execute in the context of authenticated administrators. A public proof-of-concept has been disclosed on GitHub (https://github.com/iremnurylmz/CVE-2026-30695), and given the lack of CVSS/EPSS scoring data and KEV status confirmation, the true exploitation likelihood remains uncertain but the presence of a POC elevates practical risk.

XSS N A
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-50881 HIGH This Week

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution.

PHP RCE Code Injection N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642, allowing attackers to escape the intended extraction directory and write arbitrary files to the filesystem, potentially leading to remote code execution. The vulnerability affects any application using vulnerable versions of plexus-utils for archive extraction operations. A proof-of-concept has been publicly disclosed via a GitHub Gist, and the fix has been merged into the project repository.

Path Traversal RCE N A
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x where the customer.pl endpoint improperly handles the OTRSCustomerInterface parameter, allowing attackers to inject and execute arbitrary JavaScript in the context of victim browsers. This affects Znuny ITSM versions in the 6.5.x release line, and a proof-of-concept exploit has been publicly disclosed on GitHub, indicating active awareness and potential exploitation capability in the threat landscape.

XSS N A
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

SyncFusion versions up to 30.1.37 contain stored Cross-Site Scripting (XSS) vulnerabilities in two distinct UI components: the Document-Editor reply-to-comment field and the Chat-UI chat message field. An attacker can inject malicious JavaScript payloads through these fields, which are then stored and executed in the browsers of other users who view the affected content, potentially enabling session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status is currently available, but proof-of-concept exploitation details are documented in the pentest-tools reference (PTT-2025-023-Multiple-Stored-XSS.pdf).

XSS N A
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A file upload vulnerability exists in multiple Terrapack software components from ASTER TEC / ASTER S.p.A. that permits remote code execution when attackers upload malicious files. The affected products include Terrapack TkWebCoreNG version 1.0.20200914, Terrapack TKServerCGI version 2.5.4.150, and Terrapack TpkWebGIS Client version 1.0.0. Proof-of-concept code is available in public repositories, and the vulnerability enables arbitrary code execution on affected systems.

RCE File Upload N A
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when processing Graphic Control Extension blocks, enabling remote attackers to trigger denial of service conditions. Public exploit code exists for this vulnerability, though no patch is currently available. The flaw affects any application using the vulnerable giflib version to process GIF files from untrusted sources.

Buffer Overflow Denial Of Service Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess physical access control devices across multiple product lines (XA4, X3/X3BIO, X4, X7, and XIO/i-door/i-door+). The vulnerability stems from improper sanitization of the dirBrowse parameter in the /file_manager.cgi endpoint, allowing attackers to inject malicious scripts that execute in the context of authenticated administrators. A public proof-of-concept has been disclosed on GitHub (https://github.com/iremnurylmz/CVE-2026-30695), and given the lack of CVSS/EPSS scoring data and KEV status confirmation, the true exploitation likelihood remains uncertain but the presence of a POC elevates practical risk.

XSS N A
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution.

PHP RCE Code Injection +1
NVD GitHub VulDB
Prev Page 6 of 6

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy