This vulnerability allows an attacker to inject operating system commands into certain Linksys router models (RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000) by manipulating specific arguments in the RP_UpgradeFWByBBS function, which can be done remotely.
This vulnerability is a problem because it enables remote attackers to execute arbitrary operating system commands on the affected routers, potentially leading to unauthorized access, data theft, or other malicious activities, and the fact that the exploit has been publicly disclosed increases the risk of it being used by malicious actors.
This vulnerability allows an attacker to inject operating system commands into certain Linksys Wi-Fi range extender models (RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000) by manipulating specific arguments in the wirelessAdvancedHidden function, potentially giving them remote control over the device.
This vulnerability is a problem because it can be exploited remotely, meaning an attacker does not need physical access to the device to launch the attack. This could lead to unauthorized access, data theft, or other malicious activities, compromising the security of the network and connected devices.
The NeKernal operating system stack version 0.0.2 has a vulnerability that causes a 1-byte heap overflow in the `rt_copy_memory` function, allowing an extra null terminator to be written beyond the end of a 256-byte destination buffer.
This vulnerability is a problem because it can potentially lead to buffer overflow attacks, which can cause the system to crash, allow unauthorized access, or execute malicious code, compromising the security and stability of the system.
The CVE-2025-48958 vulnerability allows an attacker to inject malicious HTML code into the email section of the Froxlor customer account portal, which can redirect users to external malicious websites.
This vulnerability is a problem because it can lead to phishing attacks, credential theft, and reputational damage, as attackers can use it to trick users into revealing sensitive information or installing malware, all without needing authentication.
The CVE-2025-48957 vulnerability allows an attacker to access sensitive information, such as API keys and account passwords, by exploiting a path traversal weakness in AstrBot versions 3.4.4 through 3.5.12.
This vulnerability is a problem because it can lead to unauthorized access to sensitive data, potentially allowing attackers to gain control over accounts, steal confidential information, or disrupt services, ultimately compromising the security and integrity of the affected systems.
The CVE-2025-48955 vulnerability in Para backend server/framework versions prior to 1.50.8 causes access and secret keys to be exposed in logs without redaction, and these credentials are reused in variable assignments.
This vulnerability is a problem because it allows sensitive credentials to be visible in logs, potentially giving unauthorized access to sensitive information and compromising system security.
The CVE-2025-48495 vulnerability allows an authenticated user to inject JavaScript code into the API key overview of a Gokapi file sharing server by renaming the friendly name of an API key, which can then be executed when another user views the API tab.
This vulnerability is a problem because it enables malicious users to inject and execute arbitrary code, potentially leading to unauthorized access, data theft, or other malicious activities, especially since prior to version 2.0.0, all authenticated users had access to all resources, including end-to-end encrypted files.
The CVE-2025-46807 vulnerability allows attackers to exhaust the file descriptors in sslh, a service that enables multiple protocols to share the same port, by allocating resources without limits or throttling.
This vulnerability is a problem because it enables attackers to deny legitimate users access to the service, effectively causing a denial-of-service (DoS) attack, which can disrupt business operations and impact users who rely on the service.
This vulnerability allows an attacker to inject operating system commands into certain Linksys Wi-Fi range extender models (RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000) by manipulating a specific argument in the RP_pingGatewayByBBS function, potentially giving them remote control over the device.
This is a problem because it enables remote attackers to execute arbitrary commands on the affected devices, which could lead to unauthorized access, data theft, or other malicious activities, compromising the security of the network and connected devices.
This vulnerability allows an attacker to inject operating system commands into certain Linksys router models (RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000) by manipulating the DeviceURL argument in the setDeviceURL function, which can be done remotely.
This is a problem because it enables remote attackers to execute arbitrary commands on the affected routers, potentially allowing them to gain control, steal sensitive information, or disrupt network operations, which can compromise the security and integrity of the network.
The CVE-2025-48494 vulnerability allows an attacker to upload a file with JavaScript code embedded in the filename to a Gokapi file sharing server, which can then be executed when the upload list is opened, potentially leading to cross-site scripting attacks.
This vulnerability is a problem because it can be exploited by any authenticated user to inject malicious code, potentially stealing sensitive information or taking control of the system, especially in versions prior to 2.0.0 where all authenticated users have access to all resources, including end-to-end encrypted files.
This vulnerability allows an attacker to inject malicious JavaScript code into the testimonial description field of the CE Phoenix eCommerce platform, which executes when a user visits the testimonial page, potentially leading to the theft of session cookies.
This is a problem because the stolen session cookies can be used by the attacker to take over user accounts, including those of administrators, since the cookies are not protected with the `HttpOnly` flag, allowing the attacker to access sensitive information and perform unauthorized actions.
The CE Phoenix eCommerce platform has a vulnerability that allows logged-in users to delete their accounts without needing to re-enter their password, which can be exploited by an attacker with temporary access to an authenticated session.
This vulnerability is a problem because it puts users at risk of losing their accounts and disrupting their data, as an attacker could permanently delete a user's account without knowing the password.
This vulnerability allows an attacker to bypass authorization checks in Grafana's datasource proxy API by adding an extra slash character in the URL path, potentially giving them unauthorized read access to certain endpoints.
This vulnerability is a problem because it enables users with minimal permissions to access sensitive data in Alertmanager and Prometheus datasources, which could lead to unauthorized disclosure of information.
The CVE-2025-29785 vulnerability allows a malicious QUIC client to trigger a nil-pointer dereference in the quic-go implementation by sending specifically crafted packets, including valid QUIC packets from different remote addresses and fake ACKs, exploiting the loss recovery logic for path probe packets.
This vulnerability is a problem because it can cause a server using the quic-go implementation to crash or become unstable, potentially leading to a denial-of-service (DoS) attack, which can disrupt the availability of services and impact users.
This vulnerability allows a non-privileged user process to access memory outside of the designated buffer bounds on certain Arm GPU userspace drivers, potentially through WebGL or WebGPU operations.
This vulnerability is a problem because it can enable unauthorized access to sensitive data, potentially leading to data breaches, crashes, or other malicious activities, by allowing a user process to bypass normal memory restrictions.
The CVE-2025-0819 vulnerability allows a local non-privileged user process to access and use memory that has already been freed by the system, specifically in the context of Arm Ltd's Bifrost, Valhall, and 5th Gen GPU Architecture Kernel Drivers, by performing valid GPU memory processing operations.
This vulnerability is a problem because it can enable an attacker to potentially execute arbitrary code, escalate privileges, or cause a denial-of-service by manipulating the already freed memory, which could lead to system instability or security breaches.
The CVE-2025-0073 vulnerability allows a local non-privileged user process to access and process memory on Arm Ltd's Valhall GPU and 5th Gen GPU Architecture that has already been freed, due to a Use After Free flaw in the kernel driver.
This vulnerability is a problem because it enables unauthorized access to sensitive memory areas, potentially leading to data breaches, privilege escalation, or other malicious activities, which can compromise the security and integrity of the system.
This vulnerability allows an attacker to inject operating system commands into certain Linksys router models (RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000) by manipulating specific date and time settings in the Network Time Protocol (NTP) function, which can be done remotely.
This is a problem because it enables unauthorized access and control over the affected routers, potentially leading to malicious activities such as data theft, malware distribution, or disruption of network services, compromising the security and integrity of the network.
The CVE-2025-5439 vulnerability allows an attacker to inject operating system commands into certain Linksys router models (RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000) by manipulating the "uid" or "accessToken" argument in the "verifyFacebookLike" function, which can be exploited remotely.
This vulnerability is a problem because it enables remote attackers to execute arbitrary operating system commands on the affected routers, potentially allowing them to take control of the device, steal sensitive information, or disrupt network operations, which can have serious security and privacy implications.
This vulnerability allows authenticated users to bypass dashboard and folder permissions in Grafana, giving them unauthorized access to view, edit, or delete dashboards and folders, regardless of their assigned roles.
This is a problem because it undermines the access control and permission settings in place, potentially exposing sensitive information and allowing unauthorized modifications to dashboards and folders, which could lead to data breaches or disruptions.
This vulnerability allows an attacker to inject malicious SQL code into the delete function of DuckDBVectorStore, enabling them to manipulate the ref_doc_id parameter and access arbitrary files on the server, potentially leading to remote code execution.
This vulnerability is a problem because it can give an attacker unauthorized access to sensitive files and data on the server, and potentially allow them to execute malicious code remotely, leading to a complete compromise of the system.
The CVE-2025-5455 vulnerability occurs when the qDecodeDataUrl() function in Qt's QtCore is called with malformed data, such as a URL containing a "charset" parameter without a value, causing the program to hit an assertion and result in a denial of service (abort) if Qt is built with assertions enabled.
This vulnerability is a problem because it can be exploited to cause a denial of service, potentially disrupting the functionality of applications that rely on Qt, leading to system crashes or aborts, and impacting the overall reliability and availability of the system.
This vulnerability allows an attacker to inject commands into certain Linksys Wi-Fi range extender models (RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000) by manipulating the PIN argument in the WPS function, which can be done remotely.
This vulnerability is a problem because it enables remote attackers to execute arbitrary commands on the affected device, potentially leading to unauthorized access, data theft, or other malicious activities, and the fact that the exploit has been publicly disclosed makes it more likely to be used by malicious actors.
This vulnerability allows an attacker to exploit the Password Change Handler in the Multilaser Sirius RE016 MLT1.0, specifically targeting the /cgi-bin/cstecgi.cgi file, which can lead to improper authentication, enabling remote unauthorized access.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to bypass authentication mechanisms and potentially gain access to sensitive information or systems without proper authorization, which can lead to data breaches, system compromises, or other malicious activities.
This vulnerability in the Multilaser Sirius RE016 MLT1.0 allows attackers to manipulate the /cgi-bin/cstecgi.cgi file, leading to the disclosure of sensitive information, and can be initiated remotely.
This vulnerability is a problem because it enables unauthorized access to confidential information, potentially compromising the security and privacy of individuals or organizations using the affected device, and since the exploit is publicly disclosed, attackers can easily use it.
This vulnerability allows an attacker to inject malicious SQL code into the Marwal Infotech CMS 1.0 system by manipulating the "ID" argument in the /page.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the database, potentially leading to data theft, modification, or deletion, and can also be used to gain unauthorized access to the system.
The Diviotec professional series has a vulnerable web interface endpoint that allows attackers to inject arbitrary commands, and it also uses hardcoded passwords that can be easily discovered.
This vulnerability is a problem because it enables attackers to execute unauthorized commands on the device, potentially leading to unauthorized access, data breaches, or system compromise, while the hardcoded passwords can be used to gain initial access or escalate privileges.
This vulnerability allows a lower-privileged user to gain administrator privileges on Axis Communication devices due to a flaw in the VAPIX Device Configuration framework, enabling privilege escalation.
This vulnerability is a problem because it allows unauthorized users to gain high-level access to devices, potentially leading to sensitive data exposure, device tampering, and disruption of services, which can have serious security and operational consequences.
The CVE-2025-0325 vulnerability allows an attacker to manipulate a parameter in the Guard Tour VAPIX API, potentially blocking access to the guard tour configuration page on an Axis device's web interface.
This vulnerability is a problem because it enables an attacker to restrict administrative access to important configuration settings, potentially disrupting security monitoring and management capabilities.
The VAPIX Device Configuration framework has a vulnerability that allows a user with lower privileges to gain administrator privileges, giving them full control over the device.
This vulnerability is a problem because it enables unauthorized users to elevate their access and perform malicious actions, potentially leading to data breaches, system compromise, and other security threats.
This vulnerability allows an attacker to inject malicious SQL code into the Aem Solutions CMS by manipulating the "ID" argument in the /page.php file, which can be done remotely.
This is a problem because it enables attackers to access, modify, or extract sensitive data from the database, potentially leading to data breaches, unauthorized access, or disruption of services, and the fact that the exploit is publicly disclosed increases the likelihood of attacks.
This vulnerability allows an attacker to inject malicious SQL code into the Fengoffice Feng Office system by manipulating the "tz_offset" argument in the /index.php?c=account&a=set_timezone file, potentially giving them unauthorized access to sensitive data.
This SQL injection vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing physical access to the system, which can lead to data breaches, unauthorized modifications, and other malicious activities.
The Netcom NTC 6200 and NWL 222 series devices have a vulnerable web interface that allows attackers to inject arbitrary commands and access the system using hardcoded passwords, potentially leading to arbitrary code execution with elevated privileges.
This vulnerability is a problem because it enables remote authenticated attackers to gain control of the device, allowing them to execute malicious code and access sensitive information, which can lead to unauthorized access, data breaches, and disruption of services.
This vulnerability allows a low-privileged attacker to set the device's date to January 19th, 2038, which exceeds the 32-bit time limit, causing the device's date to revert to January 1st, 1970.
This vulnerability is a problem because it can disrupt the device's functionality and potentially cause issues with time-sensitive operations, such as scheduling, logging, and authentication, which can lead to system instability and security risks.
This vulnerability allows an attacker to inject malicious SQL code into the AssamLook CMS 1.0 system by manipulating the "ID" argument in the /view_tender.php file, which can be done remotely.
This vulnerability is a problem because it gives attackers the ability to access and manipulate sensitive data in the database, potentially leading to data breaches, unauthorized access, and other malicious activities, and since the exploit is publicly available, it can be easily used by malicious actors.
This vulnerability allows an attacker to inject malicious SQL code into the AssamLook CMS 1.0 system by manipulating the "ID" argument in the /department-profile.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing physical access to the system, and the fact that the exploit has been publicly disclosed means that attackers may already be using it.
The WP-Optimize WordPress plugin, prior to version 4.2.0, fails to properly secure user input when checking image compression statuses, allowing administrators to potentially inject malicious SQL code in Multi-Site WordPress configurations.
This vulnerability is a problem because it enables SQL Injection attacks, which can lead to unauthorized access, modification, or deletion of sensitive data within the database, compromising the security and integrity of the WordPress site.
The Real Cookie Banner WordPress plugin has a vulnerability that allows high-privilege users, such as administrators, to inject malicious code into the plugin's settings, which can lead to Stored Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially stealing user data, taking control of user sessions, or performing other malicious actions, even in environments where such capabilities are supposed to be restricted.
This vulnerability allows an attacker to inject malicious SQL code into the AssamLook CMS 1.0 system by manipulating the "ID" argument in the /product.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the database, potentially leading to data breaches, unauthorized access, and other malicious activities, which can compromise the security and integrity of the system.
The CVE-2025-5429 vulnerability allows an attacker to exploit improper access controls in the juzaweb CMS Plugins Page, specifically in the /admin-cp/plugin/install file, which can be initiated remotely.
This vulnerability is a problem because it enables unauthorized access to the system, potentially leading to malicious activities such as data breaches, system compromise, or other security threats, and the fact that the exploit has been publicly disclosed increases the risk of attack.
The CVE-2025-49113 vulnerability allows remote code execution by authenticated users in Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11, due to a lack of validation of the _from parameter in a specific URL, leading to PHP Object Deserialization.
This vulnerability is a problem because it enables malicious users who have already authenticated to execute arbitrary code on the server, potentially leading to unauthorized access, data theft, or complete system compromise, given its high severity score of 9.9.
The CVE-2025-49112 vulnerability is an integer underflow issue in the setDeferredReply function of the networking.c component in Valkey versions up to 8.1.1, which occurs when calculating the size of a reply.
This vulnerability is a problem because an integer underflow can cause the program to access or write to memory incorrectly, potentially leading to a crash, data corruption, or even allowing an attacker to execute arbitrary code, which could compromise the security and stability of the system.
This vulnerability allows software running with limited privileges to make unauthorized requests to the computer's graphics processing unit (GPU), which can then be used to write data to any part of the computer's memory.
This is a problem because it could allow an attacker to gain control over the computer by writing malicious data to sensitive areas of memory, potentially leading to a complete system compromise.
The CVE-2025-5428 vulnerability allows an attacker to exploit improper access controls in the Error Logs Page of juzaweb CMS versions up to 3.4.2, potentially granting unauthorized access to sensitive information.
This vulnerability is a problem because it enables remote attacks, allowing hackers to access restricted areas of the CMS without permission, which could lead to data breaches, system compromises, or other malicious activities.
The CVE-2025-5427 vulnerability allows improper access controls in the juzaweb CMS, specifically in the Permalinks Page component, which can be exploited remotely to manipulate the system.
This vulnerability is a problem because it enables unauthorized access to the system, potentially allowing attackers to modify or exploit sensitive data, which can lead to security breaches and data compromise.
The Bluetooth HCI Adaptor from Realtek has a vulnerability that allows a local attacker to create a symbolic link, tricking the system into deleting arbitrary files, potentially leading to privilege escalation.
This vulnerability is a problem because it enables attackers with regular privileges to gain elevated access and control over the system by deleting critical files, which can compromise the security and integrity of the system.
The CVE-2025-5426 vulnerability allows attackers to exploit improper access controls in the juzaweb CMS, specifically in the Menu Page component, by manipulating the /admin-cp/menus file, which can be done remotely.
This vulnerability is a problem because it enables unauthorized access to the system, potentially allowing attackers to perform malicious actions, such as modifying or deleting sensitive data, or taking control of the affected system, which can lead to serious security breaches and data compromises.
The CVE-2025-5425 vulnerability allows for improper access controls in the juzaweb CMS, specifically in the Theme Editor Page, which can be exploited remotely.
This vulnerability is a problem because it enables attackers to gain unauthorized access to the system, potentially leading to data breaches, modifications, or other malicious activities, and the fact that the exploit has been publicly disclosed increases the risk of attack.
This vulnerability, found in juzaweb CMS versions up to 3.4.2, allows remote attackers to manipulate the Media Page component, specifically the /admin-cp/media file, leading to improper access controls.
This vulnerability is a problem because it enables unauthorized access to sensitive areas of the CMS, potentially allowing attackers to modify or exploit the system, which can lead to data breaches, system compromise, or other malicious activities.
The CVE-2025-20678 vulnerability causes a system crash in the ims service due to incorrect error handling, potentially leading to a remote denial of service when a device connects to a rogue base station.
This vulnerability is a problem because it allows an attacker to disrupt service and cause a system crash without needing any additional execution privileges, and it can be exploited without requiring any user interaction.
The CVE-2025-20677 vulnerability causes a system crash in the Bluetooth driver due to an uncaught exception, potentially leading to a local denial of service.
This vulnerability is a problem because it allows an attacker with user execution privileges to crash the system, disrupting its functionality and causing a denial of service, all without requiring any user interaction.
The CVE-2025-20676 vulnerability causes a system crash in the WLAN STA driver due to an uncaught exception, leading to a local denial of service.
This vulnerability is a problem because it allows an attacker with user execution privileges to crash the system, disrupting its functionality and causing potential data loss or other issues, all without requiring any user interaction.
The CVE-2025-20675 vulnerability causes a system crash in the WLAN STA driver due to an uncaught exception, potentially leading to a local denial of service.
This vulnerability is a problem because it allows an attacker with user execution privileges to disrupt the system, causing it to crash and become unavailable, without requiring any user interaction.
The CVE-2025-20674 vulnerability allows an attacker to inject arbitrary packets into a wireless access point (AP) driver due to a missing permission check, potentially leading to remote escalation of privilege.
This vulnerability is a problem because it enables attackers to gain elevated privileges on a system without requiring any additional execution privileges or user interaction, which could result in unauthorized access and control.
The CVE-2025-20673 vulnerability causes a system crash in the WLAN STA driver due to an uncaught exception, leading to a local denial of service.
This vulnerability is a problem because it allows an attacker with user execution privileges to crash the system, disrupting its functionality and causing potential data loss or other issues, all without requiring any user interaction.
The CVE-2025-20672 vulnerability is a flaw in the Bluetooth driver that allows an out-of-bounds write due to an incorrect bounds check, potentially leading to a local escalation of privilege.
This vulnerability is a problem because it could allow an attacker to gain elevated privileges on a system, potentially giving them access to sensitive data and allowing them to perform malicious actions, all without requiring any user interaction.
This vulnerability allows an attacker to exploit improper access controls in the General Setting Page of the juzaweb CMS, specifically in the /admin-cp/setting/system/general file, which can be initiated remotely.
This vulnerability is a problem because it enables unauthorized access to sensitive areas of the CMS, potentially allowing attackers to modify system settings, extract confidential data, or perform other malicious actions, which can compromise the security and integrity of the system.
The CVE-2025-5422 vulnerability allows attackers to exploit improper access controls in the Email Logs Page of juzaweb CMS versions up to 3.4.2, potentially granting unauthorized access to sensitive information.
This vulnerability is a problem because it enables remote attacks, allowing hackers to access restricted areas of the system without permission, which can lead to data breaches, unauthorized data modification, or other malicious activities.
The CVE-2025-5421 vulnerability allows attackers to exploit improper access controls in the juzaweb CMS Plugin Editor Page, potentially granting unauthorized access to sensitive areas of the system.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to bypass security measures and gain access to the system without authorization, which could lead to data breaches, system compromises, or other malicious activities.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Upload" argument in the file manager of the Profile Page in juzaweb CMS versions up to 3.4.2, potentially injecting malicious code into the website.
This vulnerability is a problem because it enables remote attackers to inject malicious code into the website, which can lead to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the website and its users.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "return_to" argument in the login function of Mist Community Edition, affecting versions up to 4.7.1.
This vulnerability is a problem because it enables remote attackers to inject malicious code into the website, potentially stealing user data, taking control of user sessions, or performing other malicious actions, which can compromise the security and integrity of the system.
The CVE-2025-5411 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "tag" argument in the Mist Community Edition software, specifically in the tag_resources function of the src/mist/api/tag/views.py file, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the software, potentially leading to unauthorized access, data theft, or other malicious activities, and since the exploit has been publicly disclosed, attackers may use it to target vulnerable systems.
This vulnerability allows an attacker to manipulate the session_start_response function in Mist Community Edition, leading to cross-site request forgery (CSRF) attacks, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to trick users into performing unintended actions on a web application, potentially leading to unauthorized access, data theft, or other malicious activities, and since the exploit has been publicly disclosed, attackers may actively use it to target vulnerable systems.
This vulnerability allows for improper access controls in the Mist Community Edition, specifically in the API Token Handler, by manipulating the create_token function, which can be initiated remotely.
This is a problem because it enables unauthorized access to the system, potentially allowing attackers to exploit the vulnerability and gain control, which can lead to data breaches, system compromise, and other security threats.
This vulnerability allows an attacker to overflow a buffer by manipulating the "login_page" argument in the login function of certain WAVLINK wireless router models, potentially enabling remote code execution.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to gain unauthorized access to the affected routers, compromise their security, and potentially use them as a launching point for further attacks on the network.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "fullname" argument in the /register_script.php file of the chaitak-gorai Blogbook, potentially leading to the execution of malicious code on a user's browser.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to inject malicious code into a user's browser, which can lead to unauthorized access to sensitive information, session hijacking, or other malicious activities.
This vulnerability allows an attacker to upload files without restrictions to the chaitak-gorai Blogbook platform by manipulating the "image" argument in the /admin/posts.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to upload malicious files, such as malware or backdoors, to the platform, potentially leading to unauthorized access, data breaches, or disruption of service.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the comment author, email, or content fields in the /post.php file of the chaitak-gorai Blogbook application, potentially leading to the execution of malicious code on a user's browser.
This vulnerability is a problem because it enables remote attackers to inject malicious code into the application, which can then be executed on the browsers of unsuspecting users, potentially leading to unauthorized access, data theft, or other malicious activities.
The CVE-2025-5404 vulnerability allows an attacker to manipulate the "Search" argument in the GET Parameter Handler of the /search.php file in chaitak-gorai Blogbook, leading to a denial of service.
This vulnerability is a problem because it can be exploited to disrupt the service, making it unavailable to users, which can lead to loss of productivity, reputation damage, and potential financial losses.
This vulnerability allows an attacker to inject malicious SQL code into the Blogbook application by manipulating the "post_id" argument in the GET parameter of the /admin/view_all_posts.php file, potentially leading to unauthorized access and data manipulation.
This vulnerability is a problem because it enables remote attackers to exploit the SQL injection flaw, potentially allowing them to extract or modify sensitive data, disrupt the application's functionality, or even gain administrative access to the system.
This vulnerability allows an attacker to inject malicious SQL code into the Blogbook application by manipulating the "edit_post_id" argument in the GET Parameter Handler of the /admin/includes/edit_post.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing direct access to the system, and the fact that the exploit has been publicly disclosed means that attackers can easily use it to launch attacks.
The YAML-LibYAML library for Perl, versions prior to 0.903.0, uses a 2-argument open function, which allows an attacker to modify existing files.
This vulnerability is a problem because it enables an attacker to overwrite or alter the contents of files on a system, potentially leading to data corruption, loss, or even execution of malicious code.
This vulnerability allows an attacker to inject malicious SQL code into the Blogbook application by manipulating the "p_id" argument in the GET parameter of the /post.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to exploit the SQL injection weakness, potentially leading to data breaches, unauthorized data modification, or even full control of the affected system, which can have severe consequences for the security and integrity of the application and its data.
IBM Planning Analytics Local versions 2.0 and 2.1 fail to properly end a user's session after they log out, allowing an authenticated user to potentially access and impersonate another user's account on the system.
This vulnerability is a problem because it could allow unauthorized access to sensitive information and enable malicious activities, such as data tampering or theft, by permitting an attacker to assume the identity of a legitimate user without their knowledge or consent.
The CVE-2025-33004 vulnerability in IBM Planning Analytics Local 2.0 and 2.1 allows a user with privileged access to delete files from directories, due to the system's failure to properly restrict pathname access.
This vulnerability is a problem because it can lead to unauthorized data deletion, potentially causing loss of important information, disrupting business operations, and compromising the integrity of the system.
This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the IBM Planning Analytics Local Web UI, potentially altering its intended functionality and executing unwanted actions.
This vulnerability is a problem because it can lead to the disclosure of sensitive credentials, such as usernames and passwords, within a trusted session, which could be used by attackers to gain unauthorized access to the system.
This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the IBM Planning Analytics Local Web UI, altering its intended functionality and potentially leading to the disclosure of sensitive credentials within a trusted session.
This vulnerability is a problem because it enables an attacker to inject malicious code into the system, potentially exposing user credentials and allowing unauthorized access to sensitive information, which could lead to data breaches or other security incidents.
The IBM InfoSphere Information Server 11.7 stores database authentication credentials in plain text within a parameter file, making it accessible to authenticated users.
This vulnerability is a problem because it allows authenticated users to view sensitive credential information, potentially leading to unauthorized access to databases and compromising the security of the system.
This vulnerability allows an attacker to inject malicious SQL code into the Blogbook application through the "u_id" argument in the /user.php file, which can be manipulated remotely.
This is a problem because SQL injection attacks can give an attacker unauthorized access to sensitive data, allowing them to modify, delete, or steal information from the database, potentially leading to data breaches, financial losses, and reputational damage.
The CVE-2025-5390 vulnerability is an improper access control flaw in the JeeWMS File Handler component, specifically in the filedeal function of the /systemController/filedeal.do file, which can be exploited remotely.
This vulnerability is a problem because it enables unauthorized access to sensitive files and data, potentially leading to data breaches, theft, or other malicious activities, which can have serious consequences for individuals and organizations.
The CVE-2025-5389 vulnerability allows attackers to exploit improper access controls in the JeeWMS system, specifically in the dogenerateOne2Many function of the File Handler component, which can be manipulated remotely.
This vulnerability is a problem because it enables remote attackers to bypass access controls, potentially leading to unauthorized access to sensitive data or systems, which can result in data breaches, system compromise, or other malicious activities.
This vulnerability allows an attacker to inject malicious SQL code into the JeeWMS system through the "dogenerate" function in the /generateController.do?dogenerate file, which can be exploited remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the database, potentially leading to unauthorized data disclosure, modification, or deletion, which can have serious consequences for the security and integrity of the system.
The CVE-2025-5387 vulnerability allows attackers to exploit improper access controls in the JeeWMS File Handler component, specifically in the dogenerate function of the /generateController.do?dogenerate file, which can be launched remotely.
This vulnerability is a problem because it enables remote attackers to bypass access controls, potentially leading to unauthorized access to sensitive data or systems, which can result in data breaches, system compromise, or other malicious activities.
The CVE-2025-5386 vulnerability allows an attacker to inject malicious SQL code into the JeeWMS system through the transEditor function, which can be accessed remotely.
This vulnerability is a problem because it enables an attacker to potentially extract, modify, or delete sensitive data from the database, compromising the security and integrity of the system.
The CVE-2025-5385 vulnerability allows an attacker to manipulate the "doAdd" function in the JeeWMS system, specifically in the /cgformTemplateController.do?doAdd file, leading to a path traversal attack that can be initiated remotely.
This vulnerability is a problem because it enables attackers to access and potentially modify sensitive files and directories on the system by traversing the file path, which could lead to unauthorized data access, modification, or even system compromise.
This vulnerability allows an attacker to perform a SQL injection attack on the JeeWMS system by manipulating the CgAutoListController function, which can be initiated remotely.
This is a problem because SQL injection attacks can give an attacker access to sensitive data, allow them to modify database records, or even take control of the entire system, leading to potential data breaches or system compromises.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack on Yifang CMS versions up to 2.0.2 by manipulating the "Default Value" argument in the Article Management Module, potentially leading to the execution of malicious code on a user's browser.
This vulnerability is a problem because it enables remote attackers to inject malicious scripts into a website, potentially stealing user data, taking control of user sessions, or performing other malicious activities, which can compromise the security and integrity of the website and its users.
The CVE-2025-5381 vulnerability allows an attacker to manipulate the "File" argument in the downloadFile function of the Yifang CMS Admin Panel, enabling them to access files outside of the intended directory through path traversal.
This vulnerability is a problem because it allows remote attackers to potentially access sensitive files and data on the affected system, which could lead to unauthorized data disclosure, system compromise, or other malicious activities.
This vulnerability allows an attacker to manipulate the file upload process in the XueShengZhuSu 学生住宿管理系统, specifically in the Image File Upload component, by exploiting a path traversal weakness, potentially leading to unauthorized access to sensitive files and directories.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and potentially modify sensitive data without being physically present. This can lead to data breaches, malware distribution, and other malicious activities, compromising the security and integrity of the system.
This vulnerability allows an attacker to access the Console Application of NuCom NC-WR744G devices using hard-coded credentials by manipulating a specific argument, potentially giving them unauthorized control over the device.
This is a problem because it enables remote attacks, allowing hackers to gain access to the device without needing a legitimate password, which can lead to data theft, device takeover, and other malicious activities.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "atTxtStreet" argument in the "mycouncil2.aspx" file of Astun Technology iShare Maps 5.4.0, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially leading to unauthorized access to user data, session hijacking, or other malicious activities, and since the exploit has been publicly disclosed, attackers may actively use it to target vulnerable systems.
The CVE-2025-5377 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Zoom" argument in the historic1.asp file of Astun Technology iShare Maps 5.4.0, potentially allowing malicious code to be executed on a user's browser.
This vulnerability is a problem because it can be exploited remotely, allowing an attacker to inject malicious code into a user's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious activities.
The CVE-2025-5376 vulnerability allows an attacker to inject malicious SQL code into the Health Center Patient Record Management System by manipulating the "itr_no" argument in the /patient.php file, potentially giving them unauthorized access to sensitive patient data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive patient information without needing physical access to the system, which can lead to data breaches, identity theft, and other serious security issues.
The Newsletters plugin for WordPress has a vulnerability that allows attackers with Administrator-level access to include and execute arbitrary files on the server, potentially executing any PHP code in those files.
This vulnerability is a problem because it can be used to bypass access controls, obtain sensitive data, or achieve code execution, which can lead to unauthorized access and malicious activities on the server.
The Free Booking Plugin for WordPress has a vulnerability that allows unauthorized users to view the details of any booking request due to a lack of validation on a user-controlled key, specifically through the 'view_request_details' feature.
This vulnerability is a problem because it enables attackers to access sensitive information about bookings, potentially compromising the privacy and security of customers who have made bookings through the plugin, and could be used for malicious purposes such as identity theft or phishing attacks.
The CVE-2025-5375 vulnerability allows an attacker to inject malicious SQL code into the PHPGurukul Online Birth Certificate System 2.0 by manipulating the "del" argument in the /admin/registered-users.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to launch SQL injection attacks, which can lead to data breaches, unauthorized data modification, or even complete system compromise, ultimately putting sensitive user information at risk.
This vulnerability allows an attacker to inject malicious SQL code into the PHPGurukul Online Birth Certificate System 2.0 by manipulating the "del" argument in the /admin/all-applications.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the system's database, potentially leading to unauthorized data disclosure, modification, or deletion, which can have serious consequences for the security and integrity of the system and its users.
This vulnerability allows an attacker to inject malicious SQL code into the PHPGurukul Online Birth Certificate System 2.0 by manipulating the "userid" argument in the /admin/users-applications.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the system's database, potentially leading to unauthorized access, data breaches, or disruption of services.
This vulnerability allows an attacker to inject malicious SQL code into the Health Center Patient Record Management System by manipulating the "Username" argument in the /admin/admin.php file, potentially giving them unauthorized access to sensitive patient data.
This vulnerability is a problem because it enables remote attackers to exploit the system, potentially leading to unauthorized data access, modification, or deletion, which can compromise patient confidentiality and the integrity of the healthcare system.