The CVE-2025-67507 vulnerability allows the same recovery code to be reused indefinitely for app-based multi-factor authentication in Filament versions 4.0.0 through 4.3.0, potentially bypassing the security benefits of multi-factor authentication.
This vulnerability is a problem because it undermines the security of multi-factor authentication, making it possible for an attacker to gain unauthorized access to an account by reusing a compromised recovery code, which could lead to sensitive data breaches or other malicious activities.
The CVE-2025-67506 vulnerability allows an attacker to submit a crafted filename to the PipesHub platform, which can lead to writing arbitrary files anywhere the service account has permission, potentially enabling remote file overwrite or planting malicious code.
This vulnerability is a problem because it allows unauthorized access and modification of sensitive files, which can compromise the security and integrity of the system, potentially leading to malicious activities such as data theft, ransomware attacks, or disruption of critical services.
The CVE-2025-67485 vulnerability allows attackers to bypass HTTP/HTTPS traffic interception rules in mad-proxy versions 0.3 and below, potentially exposing sensitive web traffic.
This vulnerability is a problem because it undermines the security measures put in place by mad-proxy, allowing malicious web activity to go undetected and potentially putting sensitive information at risk.
This CVE is a duplicate of another existing CVE, indicating that it has already been documented and addressed under a different identifier.
It's not a problem in itself since it's a duplicate, but it can cause confusion and inefficiency in vulnerability management by creating redundant entries.
This vulnerability allows attackers to create malicious URLs that redirect users to external websites after they log in to the Taguette qualitative research tool, potentially leading them to fake sites designed to steal credentials or install malware.
This is a problem because it enables phishing attacks, where victims think they are interacting with a trusted Taguette instance but are actually being directed to a malicious site, which could result in the theft of sensitive information or the installation of harmful software.
The CVE-2025-67501 vulnerability allows attackers to inject malicious SQL code into the WeGIA Web Manager application through the id_categoria parameter in the /html/matPat/editar_categoria.php endpoint, due to improper validation and sanitization of user inputs.
This vulnerability is a problem because it enables attackers to directly execute malicious SQL payloads, potentially leading to unauthorized access, data modification, or deletion, which can compromise the security and integrity of the application and its data.
The CVE-2025-67500 vulnerability in Mastodon social network servers allows an attacker to determine if a specific status exists, even if they are not authorized to see it, by sending a request with a non-English Accept-Language header.
This vulnerability is a problem because it can be used to gather information about the existence of private or restricted statuses, potentially compromising user privacy and security, even though the attacker cannot view the contents of the status.
The CNI portmap plugin has a vulnerability that allows containers to intercept all traffic destined for a specific port on the host, even if the traffic is not intended for the node itself, when the plugin is configured with the nftables backend.
This vulnerability is a problem because it enables containers to access and manipulate traffic that is not meant for them, potentially leading to unauthorized data access, eavesdropping, or other malicious activities, affecting the security and integrity of the system.
This vulnerability allows an attacker to gain unauthorized access to ColdFusion systems by exploiting improperly stored or transmitted credentials, potentially leading to limited unauthorized write access.
This vulnerability is a problem because it could enable attackers to access sensitive data or systems without permission, potentially causing data breaches or disruptions, and it does not require any user interaction to be exploited.
This vulnerability allows a low-privileged attacker to bypass security measures and gain limited unauthorized write access to ColdFusion systems, potentially leading to denial of service, by exploiting an improper access control weakness.
This vulnerability is a problem because it enables attackers to disrupt system operations, causing a denial of service, even with limited privileges, and user interaction is required for exploitation, which could be achieved through social engineering or other tactics.
This vulnerability allows an attacker to access and read arbitrary files on a server's file system by exploiting an improper restriction of XML External Entity Reference (XXE) in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier.
This is a problem because it enables a high-privileged attacker to access sensitive files and data on the server, potentially leading to unauthorized data disclosure or other malicious activities, requiring user interaction to exploit.
This vulnerability allows an attacker to write malicious files to any location on the file system of a ColdFusion server due to improper input validation, without requiring any user interaction.
This is a problem because it enables attackers to potentially take control of the server, steal sensitive data, or disrupt service by writing malicious files to critical locations, which could lead to further exploitation and damage.
The CVE-2025-61821 vulnerability allows an attacker to exploit an Improper Restriction of XML External Entity Reference ('XXE') in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier, potentially leading to arbitrary file system read and unauthorized access to sensitive files and data on the server.
This vulnerability is a problem because it enables attackers to access sensitive information without requiring any user interaction, potentially compromising the security and confidentiality of the data stored on the affected server.
The CVE-2025-61813 vulnerability allows an attacker to access and read arbitrary files on a server's file system by exploiting an Improper Restriction of XML External Entity Reference (XXE) in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the server, which could lead to data breaches, leakage of confidential information, and potentially other malicious activities, all without requiring any user interaction.
This vulnerability allows a high-privileged attacker to execute arbitrary code in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier, due to improper input validation, without requiring any user interaction.
This vulnerability is a problem because it enables attackers to gain control over the system, potentially leading to data breaches, system compromise, and other malicious activities, all without needing any action from the users, making it a significant security threat.
The CVE-2025-61811 vulnerability allows an attacker to execute arbitrary code in the context of the current user due to improper access control in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier.
This vulnerability is a problem because it enables a high-privileged attacker to bypass security measures and execute malicious code without requiring any user interaction, potentially leading to significant system compromise.
This vulnerability allows an attacker to execute arbitrary code on a ColdFusion application by providing maliciously crafted serialized data, potentially giving them control over the application in the context of the current user.
This is a problem because it could allow a high-privileged attacker to gain unauthorized access and control over the application, potentially leading to data theft, modification, or other malicious activities, all of which could have serious consequences.
This vulnerability allows an attacker to bypass security features in ColdFusion, potentially gaining unauthorized read and write access to sensitive data without requiring any user interaction.
This vulnerability is a significant problem because it enables attackers to circumvent security measures, potentially leading to data breaches, unauthorized modifications, or other malicious activities, which can have severe consequences for the affected systems and data.
This vulnerability allows an attacker to upload malicious files to a ColdFusion server without any restrictions, potentially leading to arbitrary code execution.
This is a significant issue because it enables a high-privileged attacker to execute arbitrary code on the server, which can result in unauthorized access, data breaches, or complete system compromise, all without requiring any user interaction.
This CVE ID refers to an issue that was initially considered a potential vulnerability but was later determined not to be a vulnerability after further research.
This issue is not a problem as it does not pose a security risk.
This CVE ID refers to an issue that was initially considered a potential vulnerability but was later determined not to be a vulnerability after further research.
This issue is not a problem as it does not pose a security risk.
The CVE-2025-67496 vulnerability allows an attacker to inject malicious code into the WeGIA web application, specifically in the employee selection dropdown, by exploiting a Stored Cross-Site Scripting (XSS) flaw in the /WeGIA/html/geral/configurar_senhas.php endpoint.
This vulnerability is a problem because it enables attackers to execute malicious scripts on the application, potentially leading to unauthorized access, data theft, or other malicious activities, by manipulating user-controlled data that is not properly sanitized.
The CVE-2025-67495 vulnerability allows an unauthenticated remote attacker to execute malicious JavaScript code on Zitadel users' browsers through a DOM-Based XSS attack on the Zitadel V2 logout endpoint, by manipulating the post_logout_redirect GET parameter.
This vulnerability is a problem because it enables attackers to execute malicious code on users' browsers, potentially leading to unauthorized access to sensitive information or account takeover, especially if multiple user sessions are active in the same browser, although the use of Multi-Factor Authentication (MFA) or Passwordless authentication can mitigate this risk.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, indicating that it is not a valid or active vulnerability.
It's not a problem as the CVE ID is not associated with a known vulnerability, and therefore does not pose a threat to systems or data.
The CVE-2025-67494 vulnerability allows an unauthenticated attacker to trick the ZITADEL Login UI into making HTTP requests to any domain, including internal addresses, and then read the responses, potentially exposing sensitive data.
This vulnerability is a problem because it enables data exfiltration and bypasses network-segmentation controls, allowing attackers to access and extract sensitive information from internal networks without authentication.
The CVE-2025-66645 vulnerability allows a remote attacker to read arbitrary files on a server's filesystem by exploiting a directory traversal weakness in the App.add_media_files() function of the NiceGUI Python-based UI framework, versions 3.3.1 and below.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the server, potentially leading to data breaches, leakage of confidential information, and further malicious activities.
The CVE-2025-66039 vulnerability allows an attacker to bypass authentication in FreePBX Endpoint Manager when the authentication type is set to "webserver" by providing an arbitrary value in the Authorization header, which associates a session with the target user without requiring valid credentials.
This vulnerability is a problem because it enables unauthorized access to the system, potentially allowing attackers to manage telephony endpoints, access sensitive information, and perform malicious actions without being detected or requiring legitimate credentials.
The CVE-2025-65513 vulnerability allows attackers to exploit a Server-Side Request Forgery (SSRF) flaw in fetch-mcp versions v1.0.2 and earlier, enabling them to bypass private IP validation and access internal network resources.
This vulnerability is a problem because it permits unauthorized access to internal network resources, which could lead to sensitive data exposure, lateral movement within the network, and potentially devastating consequences, including data breaches and disruption of critical services.
The IBM Planning Analytics Local vulnerability (CVE-2025-36437) discloses sensitive information about the server architecture, potentially revealing internal system details.
This vulnerability is a problem because it could provide attackers with valuable information to plan and execute further, more targeted attacks against the system, increasing the risk of a security breach.
The CVE-2025-34425 vulnerability allows an attacker to inject arbitrary JavaScript code into a user's browser by exploiting a reflected cross-site scripting (XSS) flaw in MailEnable versions prior to 10.54, specifically in the WindowContext parameter of a certain webpage. This happens when a user visits a malicious link or attempts to send an email, causing the attacker's script to execute in the victim's browser.
This vulnerability is a problem because it enables remote attackers to redirect victims to malicious sites, steal sensitive cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user, potentially leading to unauthorized access, data theft, and other malicious activities.
The CVE-2025-67489 vulnerability allows attackers to execute arbitrary remote code on development servers that use the @vitejs/plugin-rs plugin with React Server Components, enabling them to read, modify, or exfiltrate sensitive data through unsafe dynamic imports.
This vulnerability is a significant problem because it grants attackers with network access to the development server the ability to access and manipulate sensitive information, such as source code, environment variables, and credentials, which could lead to further internal breaches or data theft.
The CVE-2025-67488 vulnerability in SiYuan personal knowledge management software allows an authenticated user to exploit the importZipMd function, which is susceptible to ZipSlip attacks, enabling them to overwrite files on the system and potentially escalate to full code execution.
This vulnerability is a problem because it grants authenticated users the ability to overwrite any file on the system, potentially leading to unauthorized access, data corruption, or even full system compromise, which can have severe consequences for the security and integrity of the system.
The CVE-2025-66626 vulnerability allows an attacker to overwrite a critical file in Argo Workflows, a container-native workflow engine, by exploiting unsafe untar code that handles symbolic links in archives, potentially enabling the execution of a malicious script at the pod's start.
This vulnerability is a problem because it enables an attacker to gain control over the workflow engine, potentially leading to unauthorized access, data tampering, or disruption of critical workflows, especially since a previously deployed patch is ineffective against malicious archives containing symbolic links.
This vulnerability allows an attacker to execute code on a user's system by exploiting an out-of-bounds read error in Acrobat Reader when a maliciously crafted file is opened, potentially giving them access to sensitive information and control over the system.
This vulnerability is a problem because it could allow an attacker to gain control over a user's system, steal sensitive information, or install malware, all by tricking the user into opening a malicious file, which could have serious consequences for individual users and organizations.
The CVE-2025-64896 vulnerability allows an attacker to disrupt the functionality of Creative Cloud Desktop by manipulating temporary files, potentially leading to a denial-of-service. This happens when a user opens a malicious file, which exploits the incorrect permissions in the directory where temporary files are created.
This vulnerability is a problem because it enables attackers to intentionally cause the Creative Cloud Desktop application to stop working, which can lead to productivity loss and disruption of critical tasks. Since it requires user interaction, it can be particularly problematic if users are tricked into opening malicious files.
The CVE-2025-64787 vulnerability allows an attacker to bypass cryptographic protections in certain versions of Acrobat Reader, potentially gaining limited unauthorized write access to sensitive data without requiring any user interaction.
This vulnerability is a problem because it could enable attackers to access and modify sensitive information, undermining the security features of Acrobat Reader and potentially leading to data breaches or other malicious activities.
This CVE allows an attacker to bypass security features in certain versions of Acrobat Reader by exploiting an improper verification of cryptographic signatures, potentially giving them limited unauthorized write access without requiring any user interaction.
This vulnerability is a problem because it could enable attackers to modify or manipulate files without detection, potentially leading to data corruption, theft, or other malicious activities, which compromises the security and integrity of the system.
The CVE-2025-64785 vulnerability allows attackers to execute arbitrary code on a user's system by modifying the search path used by Acrobat Reader to locate critical resources, potentially leading to the execution of malicious programs.
This vulnerability is a problem because it enables attackers to run malicious code without requiring any interaction from the user, which could lead to unauthorized access, data theft, or other harmful activities, all in the context of the current user's privileges.
The Docker Desktop diagnostics feature includes expired personal access tokens (PATs) from Docker Hub in its log output due to an error in serializing error objects, potentially exposing them when diagnostics data is exported.
This vulnerability poses a risk of leaking sensitive information, such as access tokens, especially when errors related to access denied occur, which could be used by unauthorized parties to gain access to Docker Hub accounts or perform malicious actions.
The CVE-2023-53774 vulnerability allows remote attackers to send malicious commands to a MiniDVBLinux 5.4 system using the SVDRP protocol, potentially enabling them to control the video disk recorder remotely and execute arbitrary code.
This vulnerability is a problem because it allows unauthorized access to the system, which can lead to remote control of the TV system, execution of malicious code, and potential disruption of video recording and playback functionality, compromising the security and integrity of the system.
The CVE-2023-53773 vulnerability in MiniDVBLinux 5.4 allows remote attackers to generate and retrieve live stream snapshots of TV content without needing authentication, by exploiting an unauthenticated vulnerability in the tv_action.sh script through the Simple VDR Protocol.
This vulnerability is a problem because it allows unauthorized access to live TV content, potentially compromising user privacy and security by allowing attackers to capture and view sensitive information being broadcast.
This vulnerability allows attackers to read sensitive system files on a MiniDVBLinux 5.4 device by manipulating the 'file' parameter in a GET request, potentially disclosing arbitrary file contents.
This vulnerability is a problem because it enables unauthorized access to sensitive system files, which could contain confidential information, passwords, or other security-related data, compromising the security and integrity of the affected device.
The CVE-2023-53771 vulnerability allows remote attackers to bypass authentication and change the root password of a MiniDVBLinux 5.4 system without proper credentials, by sending specially crafted POST requests to the system setup endpoint.
This vulnerability is a problem because it enables unauthorized users to gain full control over the system by resetting the root password, potentially leading to data breaches, system compromise, and other malicious activities.
The CVE-2023-53770 vulnerability in MiniDVBLinux 5.4 allows unauthorized remote attackers to download the system's configuration files, including sensitive credentials, by sending a specific GET request to the backup download endpoint.
This vulnerability is a problem because it enables attackers to gain access to sensitive system configuration files and credentials, which can be used to compromise the system, steal data, or launch further attacks, ultimately putting the security and integrity of the system at risk.
The Tinycontrol LAN Controller v3 LK3 version 1.58a has a vulnerability that allows unauthorized remote access to download configuration backup files, specifically the lk3_settings.bin file, which contains sensitive credentials such as user and admin passwords encoded in base64.
This vulnerability is a problem because it allows attackers to easily obtain sensitive passwords without needing any authentication, potentially leading to unauthorized access and control of the system, as well as exposing sensitive information.
The Selea Targa IP OCR-ANPR Camera has a hard-coded developer password, 'Selea781830', that allows unauthorized access to an undocumented configuration page, enabling attackers to upload and alter device settings.
This vulnerability is a problem because it allows unauthorized users to gain control over the camera's settings, potentially disrupting its functionality, compromising the security of the footage it captures, or using it as a pivot point for further attacks within a network.
The Selea Targa IP OCR-ANPR Camera has a vulnerability that allows attackers to create new administrative users with full system privileges without needing authentication, by tricking logged-in users into visiting a malicious web page that submits a form to add the new admin user.
This vulnerability is a problem because it enables attackers to gain full control over the camera's system, potentially allowing them to access sensitive information, disrupt camera functionality, or use the camera as a starting point for further attacks on the network.
The Selea Targa IP OCR-ANPR Camera has a vulnerability that allows attackers to inject malicious code into the camera's system by sending a crafted POST request to a specific webpage, which can then execute arbitrary scripts in a victim's browser session.
This vulnerability is a problem because it enables attackers to manipulate the camera's system and potentially gain unauthorized access to sensitive information, or use the victim's browser session to perform malicious actions, which can lead to further security breaches and compromised data.
The Selea Targa IP OCR-ANPR Camera has a vulnerability that allows remote attackers to execute arbitrary shell commands by injecting malicious input into the 'addr' and 'port' parameters in the utils.php file, potentially gaining access to the system with www-data user privileges.
This vulnerability is a problem because it enables unauthorized users to remotely execute commands on the camera's system, which could lead to unauthorized access, data breaches, or other malicious activities, compromising the security and integrity of the device and potentially the entire network.
The Selea Targa IP OCR-ANPR Camera has a vulnerability that allows unauthorized remote access to its live video streams, enabling attackers to view camera footage by directly connecting to specific endpoints such as RTP/RTSP or M-JPEG streams.
This vulnerability is a problem because it allows unauthorized individuals to access sensitive video feeds without any authentication, potentially compromising privacy, security, and confidentiality of the information captured by the camera.
This vulnerability allows authenticated attackers to access arbitrary files on a system by manipulating the "files" parameter in the archive download functionality of STVS ProVision 5.9.10, enabling them to read sensitive system files.
This vulnerability is a problem because it allows attackers to access sensitive system files, such as /etc/passwd, which can contain confidential information, potentially leading to further system compromise or unauthorized access.
This vulnerability allows attackers to perform actions with administrative privileges on STVS ProVision 5.9.10 by exploiting unvalidated HTTP requests, enabling them to create new admin users without authorization.
This vulnerability is a problem because it enables attackers to gain administrative access to the system, potentially allowing them to create new admin users, modify system settings, and access sensitive information, which can lead to a loss of system integrity and confidentiality.
The COMMAX WebViewer ActiveX Control version 2.1.4.5 has a buffer overflow vulnerability that allows attackers to execute arbitrary code by sending excessively long string arrays to the control, potentially leading to code execution.
This vulnerability is a problem because it enables attackers to exploit boundary errors in the Commax_WebViewer.ocx file, causing buffer overflow conditions that can result in the execution of malicious code, compromising the security of the affected system.
The CVE-2021-47718 vulnerability in OpenBMCS 2.4 allows unauthorized users to access and view sensitive files and directories, such as /debug/ and /php/, without needing to authenticate. This enables attackers to discover confidential information like configuration files, database credentials, and system details.
This vulnerability is a problem because it exposes sensitive information that could be used by attackers to further compromise the system, steal data, or disrupt operations. By accessing configuration files and database credentials, attackers could gain unauthorized control or exploit other vulnerabilities, leading to significant security breaches.
The CVE-2021-47717 vulnerability allows attackers to identify valid user accounts in the IntelliChoice eFORCE Software Suite 2.5.9 by manipulating a specific parameter in login requests, potentially revealing sensitive user information.
This vulnerability is a problem because it enables attackers to gather a list of valid usernames, which can be used as a starting point for further attacks such as brute-force password cracking, phishing, or targeted social engineering, ultimately compromising the security of the affected system and its users.
The CVE-2021-47710 vulnerability allows an unauthorized attacker to access RTSP credentials in plain text by sending a GET request to the /overview.asp endpoint in the COMMAX Smart Home System, potentially exposing sensitive information such as login credentials and DVR settings.
This vulnerability is a problem because it enables attackers to gain access to sensitive information without authentication, which could lead to unauthorized control of the smart home system, data breaches, and potential harm to the users' privacy and security.
The CVE-2021-47709 vulnerability in the COMMAX Smart Home System allows an unauthorized user to modify the system's configuration and disrupt its service by sending a malformed request to the setconf endpoint, leading to a denial-of-service.
This vulnerability is a problem because it enables attackers to gain unauthorized access to the system, potentially causing disruptions to smart home services, and allowing them to make configuration changes without permission, which could compromise the security and reliability of the system.
The COMMAX Smart Home System CDP-1020n has a vulnerability that allows attackers to inject arbitrary SQL code into the system by manipulating the 'id' parameter in the login page, potentially bypassing authentication and gaining unauthorized access.
This vulnerability is a problem because it allows attackers to access the system without a valid username and password, potentially leading to unauthorized control of smart home devices, theft of sensitive information, and other malicious activities.
The COMMAX CVD-Axx DVR 5.1.4 has weak default administrative credentials, allowing attackers to access the device by sending a POST request with a default 'passkey' parameter, which enables them to access the web control panel and potentially view the RTSP stream.
This vulnerability is a problem because it allows unauthorized access to the device, potentially leading to unauthorized viewing of video streams, modification of device settings, or other malicious activities, compromising the security and privacy of the individuals and organizations using the device.
The COMMAX Biometric Access Control System 1.0.0 contains a vulnerability that allows unauthorized individuals to bypass authentication and access sensitive information by manipulating cookies, potentially giving them control over physical access controls in smart homes and buildings.
This vulnerability is a problem because it allows attackers to gain unauthorized access to sensitive areas and information, potentially leading to security breaches, data theft, and physical harm, by exploiting a weakness in the system's authentication mechanism.
The COMMAX UMS Client ActiveX Control contains a vulnerability that allows attackers to execute arbitrary code by sending excessively long string arrays to the system, which can cause a heap-based buffer overflow.
This vulnerability is a problem because it can lead to heap corruption, allowing attackers to potentially gain system-level access and execute malicious code, which can compromise the security and integrity of the affected system.
The CVE-2021-47704 vulnerability allows attackers who have authenticated access to the system to inject arbitrary SQL code into database queries, potentially extracting sensitive database information by sending malicious GET requests to a specific URL.
This vulnerability is a problem because it enables authorized users to escalate their privileges and access sensitive data they should not have access to, potentially leading to data breaches or other malicious activities.
The CVE-2021-47703 vulnerability allows attackers to exploit an unauthenticated Server-Side Request Forgery (SSRF) flaw in OpenBMCS 2.4, enabling them to bypass firewalls, enumerate internal network services, and potentially hijack current sessions by forcing the application to make unauthorized HTTP requests to arbitrary external domains.
This vulnerability is a problem because it allows attackers to access and map internal network resources that are normally protected by firewalls, potentially leading to unauthorized data access, session hijacking, and further malicious activities within the internal network.
The CVE-2021-47702 vulnerability allows attackers to perform actions with administrative privileges on OpenBMCS 2.4 by exploiting a CSRF weakness in the sendFeedback.php endpoint, enabling them to submit malicious requests that can trigger unintended actions such as sending unwanted emails or modifying system settings.
This vulnerability is a problem because it enables attackers to bypass normal security controls and perform administrative actions without authorization, potentially leading to unauthorized access, data breaches, or disruption of system functionality.
This vulnerability allows an attacker to gain administrative privileges by manipulating permissions and exploiting a weakness in the update_user_permissions.php script in OpenBMCS 2.4, using a malicious HTTP POST request to PHP scripts in the '/plugins/useradmin/' directory.
This vulnerability is a problem because it enables unauthorized users to elevate their privileges from a basic read-only user to a full admin user, potentially leading to unauthorized access, data modification, or system compromise.
The CVE-2025-66625 vulnerability in Umbraco CMS allows an attacker with backoffice access to determine if arbitrary files exist on the server's filesystem by exploiting how temporary files are handled during dictionary uploads. It can also potentially expose the NTLM hash of the Windows account running the Umbraco application in certain configurations.
This vulnerability is a problem because it enables attackers to gather sensitive information about the server's filesystem and potentially obtain Windows account credentials, which could be used for further exploitation or unauthorized access.
The CVE-2025-66457 vulnerability allows for arbitrary code execution in Elysia, a Typescript framework, when dynamic cookies are enabled and the cookie config is not properly sanitized, potentially leading to malicious code injection.
This vulnerability is a problem because it can be exploited to achieve remote code execution (RCE) when combined with other vulnerabilities, allowing attackers to execute malicious code on the affected system, potentially leading to data breaches, system compromise, or other malicious activities.
The CVE-2025-66456 vulnerability is a prototype pollution issue in the Elysia framework, specifically in the `mergeDeep` function, which can be exploited when merging the results of two standard schema validations with the same key, allowing an attacker to potentially merge the `__proto__` property and enable remote code execution (RCE) when combined with another vulnerability.
This vulnerability is a problem because it can allow an attacker to execute arbitrary code on a server, potentially leading to a full system compromise, data theft, or other malicious activities, by exploiting the prototype pollution vulnerability in conjunction with other weaknesses.
The CVE-2025-66214 vulnerability allows attackers to upload specially crafted XML files to a Java application using the Ladybug debugging tool, which can lead to Remote Code Execution (RCE) on the target server.
This vulnerability is a problem because it enables attackers to gain unauthorized access to the server, potentially allowing them to execute malicious code, steal sensitive data, or disrupt the application's functionality.
This vulnerability allows an attacker to inject a malicious dynamic library (.dylib file) into Sublime Text 3 on MacOS, forcing the application to execute the attacker's code.
This vulnerability is a problem because it enables an attacker to run malicious code within the context of the Sublime Text application, potentially allowing them to access sensitive information, modify files, or take control of the system.
The CVE-2025-64113 vulnerability allows an attacker to gain full administrative access to an Emby Server, which is a home media server, without requiring any specific preconditions other than network access.
This vulnerability is a problem because it enables unauthorized users to take control of the Emby Server, potentially leading to unauthorized data access, modification, or deletion, as well as disruption of media services.
This vulnerability allows an attacker to manipulate the "grade" argument in the /new_grade.php file of the itsourcecode Student Management System 1.0, leading to a SQL injection attack that can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious SQL code into the system, potentially allowing them to access, modify, or delete sensitive student data, disrupt system operations, or gain unauthorized access to the system.
The CVE-2025-9614 vulnerability is an issue in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification that allows stale write transactions from a previous security context to be processed in a new one during device rebinding, due to insufficient guidance on re-keying and stream flushing.
This vulnerability is a problem because it can lead to unintended data access across trusted domains, compromising the confidentiality and integrity of sensitive information, which can have serious consequences for data security and trust.
This vulnerability affects the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, allowing multiple requests to share the same tag after a completion timeout, which can cause completions to be delivered to the wrong security context.
This vulnerability is a problem because it can compromise data integrity and confidentiality by potentially delivering sensitive information to the wrong recipient, allowing unauthorized access or modification of data.
The CVE-2025-9612 vulnerability allows attackers to replay or reorder encrypted packets on the PCI Express (PCIe) bus without detection, due to insufficient guidance on packet ordering and tag uniqueness in the PCIe Integrity and Data Encryption specification.
This vulnerability is a problem because it enables local or physical attackers to violate data integrity protections, potentially allowing them to access or manipulate sensitive information on the PCIe bus.
The CVE-2025-65882 vulnerability allows attackers to potentially write arbitrary files or execute arbitrary commands on systems running openmptcprouter version 0.64 or earlier, due to an issue in the sys-upgrade-helper component.
This vulnerability is a problem because it enables malicious actors to gain unauthorized access and control over affected systems, potentially leading to data breaches, malware installation, or other malicious activities.
The CVE-2025-65573 vulnerability allows an attacker to trick a user into performing unintended actions on the AllSky application, potentially leading to a denial of service, by exploiting a Cross Site Request Forgery (CSRF) weakness in the handle_interface_POST_and_status function.
This vulnerability is a problem because it enables remote attackers to disrupt the service, causing it to become unavailable or unresponsive, which can lead to loss of access to critical functionality and data.
This vulnerability allows an attacker to inject malicious code into the AllSky system through certain parameters in the allskySettings.php page, which can then be executed when the page is reloaded or when a user visits the page.
This vulnerability is a problem because it enables remote attackers to execute arbitrary code, potentially allowing them to steal sensitive information, take control of the system, or disrupt its operation, which can lead to serious security breaches and data compromises.
This vulnerability allows attackers to inject malicious JavaScript code into the Coohom SaaS Platform's Account Settings module by entering unsanitized input in the Address fields, which then executes when the affected profile page is viewed.
This vulnerability is a problem because it enables attackers to hijack user sessions, steal cookies, or execute arbitrary scripts in the victim's browser, potentially leading to unauthorized access, data theft, or further malicious activities.
The CVE-2025-14336 vulnerability allows an attacker to inject malicious SQL code into the itsourcecode Student Management System 1.0 through the /promote.php file by manipulating the "sy" argument, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the database, potentially leading to unauthorized data breaches, modifications, or even deletion of critical information, which can have severe consequences for the affected organization.
The CVE-2025-14335 vulnerability allows an attacker to inject malicious SQL code into the itsourcecode Student Management System 1.0 by manipulating the "sy" argument in the /new_school_year.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the student management system, potentially leading to unauthorized data disclosure, modification, or deletion, which can have serious consequences for the affected individuals and organizations.
The CVE-2025-14334 vulnerability allows an attacker to manipulate the "Name" argument in the /new_adviser.php file of the itsourcecode Student Management System 1.0, leading to a SQL injection attack that can be performed remotely.
This vulnerability is a problem because it enables attackers to inject malicious SQL code, potentially allowing them to access, modify, or extract sensitive data from the database, which can lead to unauthorized access, data breaches, or disruption of the system.
The HP System Event Utility and Omen Gaming Hub have a vulnerability that allows certain files to be executed outside of their intended restricted paths.
This vulnerability is a problem because it could potentially allow unauthorized access or malicious activities on the system, compromising its security and integrity.
The CVE-2025-65594 vulnerability in OpenSIS versions 9.2 and below allows a user with low privileges to make unauthorized changes to other users' data in the database, even though they shouldn't have permission to do so.
This vulnerability is a problem because it can lead to the misuse of user data, potentially causing harm to individuals or the organization as a whole. An attacker could exploit this weakness to alter sensitive information, disrupt operations, or gain access to confidential data.
The CVE-2025-64894 vulnerability is an Integer Overflow or Wraparound issue in DNG SDK versions 1.7.0 and earlier, which can cause an application to crash or become unresponsive when a user opens a malicious file.
This vulnerability is a problem because it allows an attacker to exploit the issue and deny service to the application, disrupting its normal functioning and potentially causing inconvenience or loss of productivity for users.
This vulnerability allows an attacker to read memory outside the intended boundaries when a user opens a malicious file using the DNG SDK, potentially exposing sensitive information or causing the application to crash.
This vulnerability is a problem because it could lead to the disclosure of sensitive information stored in memory, or cause the application to become unresponsive, resulting in a denial of service. An attacker could exploit this issue to gain unauthorized access to sensitive data.
The CVE-2025-64784 vulnerability is a Heap-based Buffer Overflow that occurs in DNG SDK versions 1.7.0 and earlier, allowing an attacker to potentially expose sensitive memory information or cause an application to deny service when a malicious file is opened.
This vulnerability is a problem because it could lead to the disclosure of sensitive information or cause an application to become unresponsive, potentially disrupting business operations or compromising sensitive data, especially since it can be exploited by getting a user to open a malicious file.
The CVE-2025-64783 vulnerability is an Integer Overflow or Wraparound issue in DNG SDK versions 1.7.0 and earlier, which could allow arbitrary code execution when a user opens a malicious file.
This vulnerability is a problem because it enables attackers to execute arbitrary code on a victim's system, potentially leading to data theft, malware installation, or other malicious activities, all of which can occur in the context of the current user's privileges.
This vulnerability allows an attacker with authorized access to exploit a heap-based buffer overflow in the Windows DWM Core Library, enabling them to elevate their privileges locally.
This is a problem because it enables an attacker to gain higher-level access to a system, potentially allowing them to execute malicious actions, access sensitive data, or disrupt system operations, all of which could compromise the security and integrity of the system.
The CVE-2025-64679 vulnerability is a heap-based buffer overflow in the Windows DWM Core Library, which allows an authorized attacker to elevate their privileges locally, potentially gaining greater control over the system.
This vulnerability is a problem because it enables an attacker who already has some level of access to the system to increase their privileges, potentially leading to unauthorized access to sensitive data, installation of malware, or other malicious activities that could compromise the security and integrity of the system.
This vulnerability allows an attacker to overflow a buffer in the Windows Routing and Remote Access Service (RRAS), enabling them to execute malicious code over a network.
This vulnerability is a problem because it enables unauthorized attackers to gain control over a system, potentially leading to data theft, malware installation, or disruption of critical services, all of which can have severe security and operational consequences.
The CVE-2025-64673 vulnerability allows an attacker with some level of access to a system to exploit a flaw in the Storvsp.sys Driver, enabling them to gain higher privileges on the local system.
This vulnerability is a problem because it can be used by attackers to escalate their privileges, potentially allowing them to access sensitive data, install malware, or take control of the system, which could lead to significant security breaches and data losses.
This vulnerability allows an attacker to inject malicious code into Microsoft Office SharePoint web pages, enabling them to perform spoofing attacks over a network, which can trick users into divulging sensitive information or performing unintended actions.
This vulnerability is a problem because it enables authorized attackers to manipulate the content of SharePoint web pages, potentially leading to phishing attacks, unauthorized data access, or other malicious activities, compromising the security and integrity of the affected system and its users.
The CVE-2025-64671 vulnerability allows an attacker to inject malicious code into the Copilot system, enabling them to execute unauthorized commands locally.
This vulnerability is a problem because it gives attackers the ability to run arbitrary code on a victim's system, potentially leading to data theft, system compromise, or other malicious activities, which can have serious security consequences.
The CVE-2025-64670 vulnerability in Microsoft Graphics Component allows an attacker to expose sensitive information over a network, potentially giving them access to confidential data.
This vulnerability is a problem because it enables unauthorized actors to obtain sensitive information, which could be used for malicious purposes, compromising the security and confidentiality of the affected system or network.
The CVE-2025-64667 vulnerability allows an attacker to manipulate the user interface of Microsoft Exchange Server, making it display false or misleading critical information, which can be used to trick users into performing certain actions or to hide malicious activities.
This vulnerability is a problem because it enables attackers to perform spoofing attacks over a network, potentially leading to phishing, unauthorized access, or other malicious activities that can compromise the security and integrity of the Exchange Server and its users.
The CVE-2025-64666 vulnerability allows an authorized attacker to elevate their privileges on a Microsoft Exchange Server by exploiting improper input validation over a network.
This vulnerability is a problem because it enables an attacker who already has some level of access to the server to gain even higher levels of access, potentially leading to unauthorized data access, modification, or disruption of email services.
This vulnerability allows an attacker to exploit a 'race condition' in the Windows Shell, where concurrent execution using a shared resource lacks proper synchronization, enabling the attacker to elevate their privileges locally.
This vulnerability is a problem because it enables an authorized attacker to gain higher-level access to a system, potentially allowing them to perform malicious actions, such as installing malware, accessing sensitive data, or taking control of the system.
This vulnerability allows an attacker to exploit a "race condition" in the Windows Shell, where concurrent execution of tasks using shared resources without proper synchronization can be manipulated to elevate privileges locally.
This is a problem because it enables an authorized attacker to gain higher-level access to a system than they should have, potentially allowing them to execute malicious actions, access sensitive data, or disrupt system operations.
This vulnerability allows an attacker to use a password hash instead of the actual password to authenticate with Fortinet FortiWeb devices, potentially gaining unauthorized access through crafted HTTP/HTTPS requests.
This vulnerability is a problem because it enables unauthenticated attackers to bypass normal password requirements, potentially leading to unauthorized access, data breaches, and other malicious activities, compromising the security and integrity of the affected systems.