The CVE-2025-6761 vulnerability allows attackers to manipulate the Freemarker Engine in Kingdee Cloud-Starry-Sky Enterprise Edition, specifically targeting the plugin.buildMobilePopHtml function, which can lead to improper neutralization of special elements used in a template engine, enabling remote attacks.
This vulnerability is a problem because it enables remote attacks, potentially allowing unauthorized access and manipulation of the system, which can lead to data breaches, system compromise, and other security issues, given its critical severity rating of 7.3.
The Ninja Forms plugin for WordPress has a vulnerability that allows attackers with contributor-level access or higher to inject malicious scripts into pages, which will be executed when a user visits the infected page.
This vulnerability is a problem because it enables authenticated attackers to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or taking control of user sessions, which can compromise the security and integrity of the WordPress site.
The Ninja Tables plugin for WordPress has a vulnerability that allows attackers to make unauthorized requests to any URL, potentially accessing or modifying internal services, by exploiting the args[url] parameter.
This vulnerability is a problem because it enables unauthenticated attackers to bypass normal security controls, allowing them to query or modify sensitive information from internal services, which could lead to data breaches, unauthorized access, or other malicious activities.
The DWT - Directory & Listing WordPress Theme has a vulnerability that allows attackers to take over user accounts, including those of administrators, by exploiting a weakness in the password reset function, which fails to properly check for an empty token value.
This vulnerability is a problem because it enables unauthorized users to change the passwords of any account, potentially allowing them to gain access to sensitive information and take control of the entire system, especially if they target administrator accounts.
The FL3R Accessibility Suite plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages using a specific shortcode, due to poor input sanitization and output escaping.
This vulnerability is a problem because it enables authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that will execute whenever a user visits the compromised page, potentially leading to unauthorized actions, data theft, or other malicious activities.
The Simple Payment plugin for WordPress has a vulnerability that allows unauthorized users to bypass authentication and log in as administrative users, due to a flaw in verifying user identities during the login process.
This vulnerability is a significant issue because it enables attackers to gain administrative access to WordPress sites using the affected plugin, potentially leading to data breaches, site takeovers, and other malicious activities.
The Pack Elementor addon plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages through a parameter called 'slider_options', which can then execute when a user visits the affected page.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or taking control of user sessions, compromising the security and integrity of the WordPress site.
The Osom Blocks plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages through the 'class_name' parameter, which can execute when a user visits the infected page.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or malware distribution, compromising the security and integrity of the WordPress site.
The VR Calendar plugin for WordPress has a vulnerability that allows attackers to trick site administrators into unintentionally syncing the calendar by clicking on a malicious link, due to a lack of proper validation on the syncCalendar function.
This vulnerability is a problem because it enables unauthenticated attackers to perform unauthorized actions on the site, potentially leading to data manipulation or other security issues, without the need for direct access to the site's administrative interface.
The CVE-2025-5306 vulnerability allows an attacker to inject operating system commands into the Netflow directory field of Pandora FMS versions 774 through 778, due to improper handling of special elements.
This vulnerability is a problem because it enables attackers to execute unauthorized commands on the affected system, potentially leading to data breaches, system compromise, or other malicious activities.
The A/B Testing for WordPress plugin has a vulnerability that allows attackers to inject malicious scripts into pages by exploiting insufficient input validation in the 'id' parameter of the 'ab-test-block' block, affecting versions up to 1.18.2.
This vulnerability is a problem because it enables authenticated attackers with contributor-level access or higher to execute arbitrary web scripts on pages, potentially leading to unauthorized actions, data theft, or further malicious activities whenever a user visits the compromised page.
The BuddyPress Docs WordPress plugin, versions before 2.2.5, allows a logged-in user to access, view, and download files that belong to other users without proper authorization.
This vulnerability is a problem because it compromises the privacy and security of user files, potentially exposing sensitive information to unauthorized individuals, and undermining trust in the platform.
The WP Map Block WordPress plugin has a vulnerability that allows users with the contributor role or higher to inject malicious code into a page or post through certain block options, which are not properly validated or escaped.
This vulnerability is a problem because it enables Stored Cross-Site Scripting (XSS) attacks, which can lead to unauthorized access, data theft, or malicious activities on the affected website, compromising the security and integrity of the site and its users.
The Responsive Lightbox & Gallery WordPress plugin, prior to version 2.5.2, fails to properly validate and escape title attributes from user input, allowing them to be executed as code when displayed on a page or post.
This vulnerability enables users with the contributor role or higher to perform Stored Cross-Site Scripting (XSS) attacks, potentially leading to unauthorized access, data theft, or malware distribution.
The Firelight Lightbox WordPress plugin has a vulnerability that allows users with a low role, such as contributors, to inject malicious code into the website through title attributes, which can lead to stored Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially stealing user data, taking control of user accounts, or performing other malicious actions, all by exploiting a weakness that should have been restricted to higher-privileged users.
This vulnerability allows an attacker to send a specially crafted request to TB-eye network recorders and AHD recorders, causing a buffer overflow that may terminate the CGI process abnormally.
This vulnerability is a problem because it can be exploited by attackers to disrupt the normal functioning of the recorders, potentially leading to a denial-of-service (DoS) condition, and possibly allowing for further malicious activities such as code execution or data theft.
This vulnerability allows an attacker to inject and execute arbitrary operating system commands on TB-eye network recorders and AHD recorders if they have login access to the device.
This is a problem because it gives an attacker the ability to take control of the device, potentially allowing them to steal sensitive information, disrupt operations, or use the device as a launching point for further attacks.
This vulnerability allows an attacker to perform a SQL injection attack on the huija bicycleSharingServer 1.0 by manipulating the selectAdminByNameLike function in the AdminController.java file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it could allow a remote attacker to inject malicious SQL code, potentially leading to data breaches, unauthorized data modification, or even complete control of the affected system, which could have severe consequences for the security and integrity of the data.
The isMobile plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages by exploiting the 'device' parameter, due to poor input validation and output escaping.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to embed arbitrary web scripts that will be executed whenever a user visits the compromised page, potentially leading to unauthorized actions, data theft, or other malicious activities.
The CVE-2025-45737 vulnerability allows attackers to send specially crafted commands to a component of the NeacSafe64 Driver, which can lead to escalating privileges on a system.
This vulnerability is a problem because it enables attackers to gain higher levels of access to a system than they should have, potentially allowing them to install malware, steal sensitive information, or disrupt system operations.
This vulnerability allows an attacker to cause a stack-based buffer overflow in certain Linksys router models (WRT1900ACS, EA7200, EA7450, and EA7500) by manipulating a specific argument in the SetDefaultConnectionService function, which can be initiated remotely.
This is a critical issue because it can be exploited remotely, potentially allowing an attacker to gain control over the affected router, compromise network security, and access sensitive information.
This vulnerability allows an attacker to overflow a buffer by manipulating the "dut_language" argument in the HTTP POST request handler of the Linksys E8450 router, specifically in the set_device_language function of the portal.cgi file, which can be initiated remotely.
This is a problem because it can be exploited by attackers to potentially execute arbitrary code, gain unauthorized access, or disrupt the operation of the router, compromising the security and integrity of the network and connected devices.
No specific vulnerability or exploit information is available for CVE-2025-53166, as the original description was rejected and not provided.
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty and potential security gaps if not properly addressed.
No information is available for this CVE as the reason for rejection is listed as "Not used" and the severity is marked as "N/A", indicating that this CVE does not contain a valid vulnerability description.
This CVE does not pose a known problem as there is no provided information about a vulnerability.
No specific vulnerability or exploit information is available for this CVE, as the original description was rejected and no details were provided.
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty and potential security gaps if it were to be associated with a actual vulnerability in the future.
No information is available for this CVE as the original description was rejected and not provided.
The lack of information makes it difficult to assess the severity or potential impact of this vulnerability, which could lead to uncertainty in security planning and potential exposure to unknown risks.
No specific vulnerability or exploit information is available for CVE-2025-53162, as the original description was rejected and no details were provided.
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty and potential security gaps if it were to be associated with a actual vulnerability in the future.
No information is available for this CVE as the original description was rejected and marked as "Not used".
The severity of this vulnerability is not applicable, and without a description, it's unclear what specific security issues it may pose.
No information is available for this CVE as the original description was rejected and not provided.
The severity of this vulnerability is not available, and without a description, it's unclear what potential risks or issues it may pose.
No specific vulnerability information is available for CVE-2025-53159, as the original description was rejected and no details were provided.
The lack of information about this CVE makes it difficult to assess its potential impact, but in general, unknown or unspecified vulnerabilities can be a problem because they may be exploited by attackers before a fix is available.
No information is available for this CVE as the original description was rejected and marked as "Not used".
The severity of this vulnerability is not applicable or available, making it unclear what potential risks or issues it may pose.
No information is available for this CVE as the original description was rejected and no details were provided.
The lack of information makes it difficult to assess the potential impact or risk associated with this CVE, which could lead to uncertainty in securing systems or applications.
This vulnerability causes a heap-based buffer overflow in the HDF5 library, specifically in the H5O__mtime_new_encode function, when manipulated locally.
This issue is problematic because it allows an attacker to potentially execute arbitrary code or crash the system by overflowing the buffer, which can lead to unauthorized access or disruption of service.
The Flock Safety License Plate Reader devices store code in cleartext, meaning that the code is not encrypted, in devices with firmware versions up to 2.2.
This vulnerability is a problem because it allows unauthorized access to the device's code, potentially enabling attackers to exploit weaknesses, modify the code, or gain sensitive information, which could compromise the security and integrity of the device and the data it collects.
The Flock Safety License Plate Reader devices have a hardcoded password for a system in their firmware versions up to 2.2, meaning that the password is embedded in the device's code and is the same for all devices.
This vulnerability is a problem because a hardcoded password can be easily discovered by attackers, allowing them to gain unauthorized access to the device and potentially exploit its functionality, compromise data, or disrupt its operation.
The Flock Safety License Plate Reader devices have a debug interface that is not properly secured, allowing unauthorized access to the device's firmware, which can be exploited by attackers.
This vulnerability is a problem because it can allow malicious actors to gain unauthorized access to the device, potentially enabling them to manipulate or extract sensitive data, disrupt the device's operation, or use it as a entry point to attack other systems.
The Flock Safety Gunshot Detection device has a hardcoded password for its system, which is a fixed password set by the manufacturer that cannot be changed by the user, affecting devices with versions before 1.3.
This vulnerability is a problem because a hardcoded password can be easily discovered by attackers, allowing them to gain unauthorized access to the device and potentially disrupt its function, compromise the security of the surrounding area, or exploit the device for malicious purposes.
This vulnerability allows an attacker to inject malicious SQL code into the huija bicycleSharingServer by manipulating the "Title" argument in the searchAdminMessageShow function, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, meaning an attacker doesn't need direct access to the system to launch the attack. Additionally, since the exploit has been publicly disclosed, attackers may already be using it, making it a significant threat to the security of the huija bicycleSharingServer.
The CVE-2025-6748 vulnerability in the Bharti Airtel Thanks App for Android allows an attacker to store sensitive data in cleartext on the device, which can be accessed by exploiting an unknown function in the app's file system.
This vulnerability is a problem because it enables unauthorized access to sensitive information stored on the device, potentially leading to data breaches, identity theft, or other malicious activities, especially since the exploit has been publicly disclosed and the vendor has not responded with a fix.
The Flock Safety Gunshot Detection device stores its code in cleartext, meaning that the code is not encrypted, in versions before 1.3.
This vulnerability is a problem because it allows unauthorized access to the device's code, potentially enabling malicious actors to modify or exploit the device, which could compromise its functionality and the security of the surrounding environment.
The Flock Safety Gunshot Detection device has an on-chip debug interface that is not properly secured, allowing unauthorized access to the device's internal systems in versions before 1.3.
This vulnerability is a problem because it could allow an attacker to exploit the debug interface, potentially giving them control over the device, access to sensitive information, or the ability to disrupt its functionality, which could compromise public safety and security.
The Flock Safety Gunshot Detection device has a hard-coded password that allows connection to the device, affecting versions before 1.3.
This vulnerability is a problem because a hard-coded password can be easily discovered by unauthorized individuals, allowing them to gain access to the device and potentially disrupt or manipulate its functionality, which could lead to security breaches or false alerts.
This vulnerability allows an attacker to perform a SQL injection attack by manipulating the "Username" argument in the `userDao.selectUserByUserNameLike` function of the `UserServiceImpl.java` file in the huija bicycleSharingServer, potentially allowing unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to inject malicious SQL code, which can lead to unauthorized data access, modification, or deletion, compromising the security and integrity of the affected system.
This vulnerability allows an attacker to exploit the "Add New Themes Page" in juzaweb CMS 3.4.2, specifically targeting the /admin-cp/theme/install file, which can lead to improper authorization, enabling unauthorized access to the system.
This vulnerability is a problem because it can be exploited remotely, meaning an attacker does not need direct access to the system to launch the attack. Since the exploit has been publicly disclosed and the vendor has not responded, it is likely that attackers may use this information to gain unauthorized access to systems running the affected version of juzaweb CMS.
This vulnerability allows an attacker to exploit the Import Page feature in juzaweb CMS 3.4.2, bypassing proper authorization and potentially gaining unauthorized access to the system.
This vulnerability is a problem because it enables remote attackers to launch exploits, potentially leading to unauthorized data access, modification, or other malicious activities, which can compromise the security and integrity of the system.
This vulnerability allows an attacker to cause a buffer overflow in the UTT HiPER 840G device by manipulating the "except" argument in the API's function sub_484E40, which can be initiated remotely.
This is a critical issue because it can be exploited remotely, potentially allowing an attacker to crash the device, execute arbitrary code, or gain unauthorized access, which can lead to data breaches, disruptions, or other malicious activities.
This vulnerability allows an attacker to remotely manipulate the "GroupName" argument in the UTT HiPER 840G device's API, specifically in the function sub_416928 of the /goform/formConfigDnsFilterGlobal file, leading to a buffer overflow.
This vulnerability is a problem because it can be exploited remotely, allowing an attacker to potentially gain unauthorized access, disrupt the device's functionality, or execute malicious code, which could compromise the security and integrity of the device and the network it is connected to.
This vulnerability allows a remote attacker to bypass authentication and gain unauthorized access to Mitsubishi Electric Corporation's air conditioning systems, enabling them to control the systems, disclose sensitive information, or tamper with the firmware.
This vulnerability is a significant problem because it enables attackers to take control of critical systems without permission, potentially disrupting operations, compromising sensitive data, and causing physical harm by manipulating the air conditioning systems, all without the need for authentication.
This vulnerability allows an attacker to overflow a buffer by manipulating the "passwd1" argument in the UTT HiPER 840G API, specifically in the /goform/setSysAdm function, which can be initiated remotely.
This is a critical issue because it can be exploited remotely, and the exploit has been publicly disclosed, making it easily accessible to potential attackers. If successfully exploited, it could lead to unauthorized access or control of the affected system, compromising its security and potentially leading to data breaches or other malicious activities.
This vulnerability allows an attacker to manipulate the "File" argument in the uploadApk function of the APK File Handler in yzcheng90 X-SpringBoot, enabling them to traverse the file system and potentially access or modify sensitive files.
This vulnerability is a problem because it can be exploited remotely, allowing an attacker to access and modify sensitive files without needing physical access to the system, which could lead to data breaches, malware infections, or other malicious activities.
The Infinispan CLI has a flaw that causes a sensitive password, originally encoded in Base64 within a Kubernetes secret, to be processed in plain text and potentially included in an error message when an unrecognized command is executed.
This vulnerability is a problem because it could expose sensitive passwords, potentially allowing unauthorized access to systems or data, especially if error messages are logged or visible to unauthorized individuals.
The pycode-browser version before 1.0 creates temporary files in a predictable manner, allowing attackers to potentially guess and access these files.
This vulnerability is a problem because it could enable attackers to read or modify sensitive data stored in these temporary files, potentially leading to information disclosure or further malicious activities.
The CVE-2015-0843 vulnerability allows for buffer overflows in yubiserver versions before 0.6 due to the misuse of the sprintf function, which can lead to unauthorized access and code execution.
This vulnerability is a problem because it can be exploited by attackers to gain control over the affected system, potentially leading to data breaches, malware installation, and other malicious activities.
The CVE-2015-0842 vulnerability allows an attacker to inject malicious SQL code into the yubiserver, potentially bypassing authentication mechanisms, due to the server's version being before 0.6.
This vulnerability is a problem because it could enable unauthorized access to sensitive data and systems by allowing attackers to circumvent security controls, potentially leading to data breaches, tampering, or other malicious activities.
The CVE-2025-52555 vulnerability allows an unprivileged user to gain root privileges in a CephFS file system by changing the permissions of a root-owned directory, enabling them to read, write, and execute files in any directory owned by root.
This vulnerability is a problem because it compromises the confidentiality, integrity, and availability of data stored in the CephFS file system, allowing unauthorized users to access, modify, or delete sensitive information, which can lead to security breaches and data loss.
The PowerDNS (pdns) package in Debian, versions before 3.3.1-1, creates a MySQL user with excessive privileges when using the pdns-backend-mysql component, granting the pdns user too wide database permissions.
This vulnerability is a problem because it allows the pdns user to perform unauthorized actions on the database, potentially leading to data modification, deletion, or unauthorized access, which can compromise the security and integrity of the system.
The CVE-2014-6271 (also known as Shellshock) is not the correct match for this description, instead this issue affects git-annex, where embedded AWS credentials are stored in plaintext in the git repository when using certain encryption settings.
This vulnerability is a problem because it exposes sensitive AWS credentials, potentially allowing unauthorized access to AWS resources, which could lead to data breaches, unauthorized changes, or other malicious activities.
This vulnerability allows the web server to execute scripts that users have uploaded to their version control repositories (such as SVN, Git, or Bzr) in FusionForge, a collaborative development platform, due to a flaw in the shipped Apache configuration.
This is a problem because it enables malicious users to upload and execute arbitrary scripts on the server, potentially leading to unauthorized access, data breaches, or other malicious activities.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, indicating that it is no longer a valid or recognized vulnerability.
The rejection of this CVE ID means that it should not be considered a security threat, and any concerns or actions related to it are unnecessary.
The Canon EOS Webcam Utility Pro for MAC OS version 2.3d (2.3.29) and earlier has a vulnerability that allows an attacker with administrator access to modify directory permissions, potentially leading to code execution and privilege escalation.
This vulnerability is a problem because it could allow a malicious user with administrator access to gain elevated privileges, potentially taking control of the system and executing malicious code, which could lead to unauthorized access, data theft, or other harmful activities.
This vulnerability allows an attacker to inject malicious SQL code into OpenNMS Horizon and Meridian applications, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can lead to unauthorized data access, modification, or deletion, compromising the security and integrity of the affected systems and data.
The CVE-2025-49592 vulnerability allows an attacker to redirect authenticated users to untrusted domains after logging in to the n8n workflow automation platform, by crafting malicious URLs with a misleading redirect query parameter.
This vulnerability is a problem because it can lead to phishing attacks, where attackers impersonate the n8n UI on lookalike domains to trick users into re-entering sensitive information, such as credentials or 2FA codes, potentially resulting in credential theft and reputation risk.
The CVE-2013-1424 is a buffer overflow vulnerability in the matplotlib library, which occurs when more data is written to a buffer than it is designed to hold, causing the extra data to spill over into adjacent areas of memory.
This vulnerability is a problem because it can potentially allow an attacker to execute arbitrary code, leading to a range of malicious activities such as data theft, system compromise, or disruption of service, by exploiting the buffer overflow to inject malicious code into the system.
This vulnerability allows an attacker to store malicious code, such as HTML or JavaScript, in the database of OpenMNS Horizon versions 33.0.8 and earlier than 33.1.6, which can then be injected into web pages, potentially leading to unauthorized access or control.
This vulnerability is a problem because it enables attackers to inject malicious code into web pages, which can be used to steal sensitive information, take control of user sessions, or perform other malicious activities, compromising the security and integrity of the system.
The File Browser application has a Command Execution feature that allows users to run shell commands, but in version 2.32.0, this feature is not limited to the user's assigned scope, potentially giving them access to all files on the server.
This vulnerability is a problem because it could allow an attacker to read and write files outside of their intended scope, leading to unauthorized access and potential data breaches.
The CVE-2025-52903 vulnerability allows an attacker to execute arbitrary shell commands on a server running File Browser version 2.32.0, despite the feature being limited to predefined commands on a user-specific allowlist, potentially granting full code execution rights.
This vulnerability is a problem because it enables attackers to gain full control over the server, allowing them to execute malicious commands and potentially causing significant damage, especially since many standard commands can be used to execute subcommands.
This vulnerability allows a user to authenticate to a Linux host using an invalid Linux Hello PIN when the host is offline, due to a flaw in the Himmelblau interoperability suite for Microsoft Azure Entra ID and Intune.
This vulnerability is a problem because it enables unauthorized access to local systems, even when the user's credentials are invalid, as long as the system is offline and Hello PIN authentication is enabled, which could lead to security breaches and data compromise.
The Northern.tech Mender Server versions before 3.7.11 and 4.x before 4.0.1 have a vulnerability known as Incorrect Access Control, which allows unauthorized access to certain resources or functions.
This vulnerability is a problem because it can enable attackers to bypass security restrictions, potentially leading to unauthorized data access, modification, or other malicious activities, compromising the confidentiality, integrity, and availability of the system.
The CVE-2025-52477 vulnerability allows unauthorized access to Octo-STS, a GitHub App, by exploiting fields in OpenID Connect tokens, enabling malicious actors to trigger internal network requests and potentially expose sensitive information through error logs.
This vulnerability is a problem because it allows attackers to bypass authentication and gain access to internal network resources, potentially leading to the exposure of sensitive information, which could be used for further malicious activities, compromising the security and confidentiality of the affected systems.
The CVE-2025-30131 vulnerability allows an attacker to upload files to an IROAD Dashcam FX2 device without authentication, potentially executing arbitrary commands, including uploading a webshell or a netcat binary to gain full control over the device and establish a reverse shell for persistent remote access.
This vulnerability is a problem because it enables an attacker to take complete control of the dashcam device, potentially allowing them to access sensitive information, disrupt device functionality, or use the device as a pivot point for further attacks, all without needing any authentication credentials.
The CVE-2024-52928 vulnerability allows websites that have already been granted permissions by the user to add new permissions without the user's knowledge or consent, simply by the user clicking anywhere on the website, affecting Arc versions before 1.26.1 on Windows.
This vulnerability is a problem because it can lead to unauthorized access and potential misuse of user data and system resources by malicious websites, as they can escalate their permissions without explicit user approval, posing a significant security risk.
This vulnerability allows an attacker to manipulate the "adminComment" argument in the /wx/comment/post file of linlinjava litemall version 1.8.0, leading to improper authorization, which can be exploited remotely.
This vulnerability is a problem because it enables unauthorized access and potential malicious activities, as an attacker can bypass normal authorization checks and perform actions that should be restricted to authorized administrators, potentially compromising the security and integrity of the system.
The CVE-2025-6701 vulnerability allows an attacker to manipulate the "redirect_url" argument in the /xxl-sso-server/doLogin file of the Xuxueli xxl-sso 1.1.0 system, leading to an open redirect. This means an attacker can redirect users to a malicious website, potentially stealing sensitive information or installing malware.
This vulnerability is a problem because it enables remote attackers to trick users into visiting fake or malicious websites, which can lead to phishing attacks, data theft, or other types of cyber attacks. The fact that the exploit has been publicly disclosed and the vendor has not responded increases the risk of the vulnerability being exploited.
The CVE-2025-6700 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "errorMsg" argument in the Xuxueli xxl-sso 1.1.0 login feature, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, which can compromise the security and integrity of the system and its users.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Nome/Sobrenome" argument in the Cadastro de Funcionário component of LabRedesCefetRJ WeGIA 3.4.0, specifically in the /html/funcionario/cadastro_funcionario.php file, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, and since the exploit has been publicly disclosed, attackers may actively try to exploit this vulnerability.
This vulnerability allows attackers to inject and execute arbitrary SQL code into the Dairy Farm Shop Management System by manipulating the "category" and "categorycode" parameters in a POST request to the manage-categories.php file.
This vulnerability is a problem because it enables remote attackers to access, modify, or extract sensitive data from the database, potentially leading to data breaches, system compromise, or unauthorized control over the system.
The PHPGurukul Pre-School Enrollment System Project v1.0 has a vulnerability in the manage-classes.php file that allows an attacker to traverse directories, potentially accessing sensitive files and information outside of the intended directory.
This vulnerability is a problem because it could allow unauthorized access to sensitive data, such as user information, system files, or other confidential data, which could be used for malicious purposes, including data theft, system compromise, or further exploitation.
This vulnerability allows an attacker to inject malicious code into the node creation form of Backdrop CMS 1.30, potentially leading to the execution of unauthorized scripts on a user's browser.
This Cross-Site Scripting (XSS) vulnerability can be used by attackers to steal user data, take control of user sessions, or perform other malicious actions, compromising the security and privacy of users interacting with the affected Backdrop CMS system.
The IBM InfoSphere DataStage Flow Designer in IBM InfoSphere Information Server 11.7 sends sensitive user information in clear text through API requests, making it possible for this data to be intercepted.
This vulnerability is a problem because it allows attackers to potentially intercept and access sensitive user information using man-in-the-middle techniques, which could lead to unauthorized access, identity theft, or other malicious activities.
The CVE-2025-34049 vulnerability allows an attacker to inject arbitrary operating system commands into the OptiLink ONT1GEW GPON router's web management interface, which are then executed with root privileges, enabling remote code execution and full compromise of the device.
This vulnerability is a problem because it allows an authenticated attacker to gain complete control over the device, potentially leading to unauthorized access, data theft, and disruption of network services, by exploiting the lack of proper input sanitization in the router's administrative endpoints.
This vulnerability allows an attacker to access and read arbitrary files on certain D-Link ADSL routers (DSL-2730U, DSL-2750U, and DSL-2750E) by exploiting a flaw in the web management interface, specifically through the getpage parameter in the /cgi-bin/webproc CGI script.
This vulnerability is a problem because it enables an unauthenticated remote attacker to perform path traversal attacks, potentially exposing sensitive information stored on the device, such as configuration files or other sensitive data, which could be used for further malicious activities.
This vulnerability allows an attacker to access and read any file on the system that uses the Leadsec SSL VPN by manipulating the "ostype" parameter in a specific endpoint, due to poor input validation.
This is a problem because it enables unauthorized access to sensitive files and information on the system, which could lead to data breaches, theft of confidential information, or further exploitation of the system.
This vulnerability allows an attacker to upload arbitrary files to a Fanwei E-Office server without authentication by exploiting a flaw in the /general/index/UploadFile.php endpoint, potentially enabling remote code execution.
This vulnerability is a problem because it could allow an attacker to completely compromise the web application and potentially the underlying system, giving them full control over the server and its data.
This vulnerability allows an attacker to access and read arbitrary files on a server running WeiPHP 5.0, a framework used for developing WeChat public account platforms, by exploiting a flaw in the input validation of a specific endpoint.
This is a problem because it enables unauthorized access to sensitive information such as configuration files and source code, which could lead to further attacks, data breaches, or exploitation of other vulnerabilities.
This vulnerability allows an attacker to send a specially crafted HTTP request to the WIFISKY 7-layer Flow Control Router, which can execute arbitrary operating system commands due to insufficient input validation in the confirm.php interface.
This vulnerability is a problem because it enables unauthenticated attackers to remotely inject commands, potentially giving them control over the router and allowing them to perform malicious actions, such as stealing sensitive information, disrupting network operations, or using the router as a launching point for further attacks.
This vulnerability allows attackers to send malicious commands to Vacron Network Video Recorder (NVR) devices via crafted HTTP requests, which can be executed by the device's operating system, potentially leading to remote code execution and full device compromise.
This vulnerability is a problem because it enables unauthenticated attackers to gain control over the device, allowing them to access sensitive data, disrupt operations, or use the device as a launching point for further attacks, all without needing any credentials or authorization.
This vulnerability allows an attacker to inject arbitrary system commands into the ServerName and TimeZone parameters on the servetest CGI page of the Beward N100 IP Camera firmware, potentially leading to remote code execution with root privileges.
This is a problem because it enables an attacker with access to the web interface to gain complete control over the camera's system, allowing them to execute malicious commands, steal sensitive information, or disrupt the camera's functionality, all without proper authorization.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Insira o novo tipo" argument in the /html/matPat/adicionar_tipoSaida.php file of the LabRedesCefetRJ WeGIA 3.4.0 system, which can be done remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the system, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, all of which can compromise the security and integrity of the system and its users.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Insira o novo tipo" argument in the /html/matPat/adicionar_tipoEntrada.php file of the LabRedesCefetRJ WeGIA 3.4.0 system, which can be done remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the system, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, and since the exploit has been publicly disclosed, attackers may already be using it.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Nome/Sobrenome" argument in the Cadastro de Atendio component of the LabRedesCefetRJ WeGIA 3.4.0 system, specifically targeting the /html/atendido/Cadastro_Atendido.php file, and can be launched remotely.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the system, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, and since the exploit has been publicly disclosed, attackers may already be using it.
The CVE-2025-53007 vulnerability allows an attacker to inject malicious HTTP headers into an outgoing response by exploiting the `sendHeader` function in the arduino-esp32 library, which does not validate or sanitize input for HTTP header names and values.
This vulnerability is a problem because it enables attackers to manipulate the structure of HTTP responses, inject additional headers, and potentially inject an entire new HTTP response, leading to HTTP Response Splitting and other HTTP protocol attacks, which can compromise the security and integrity of the system.
This vulnerability allows malicious attackers to execute arbitrary code on a host system by passing a malicious parameter through the WebUI interface during the LLaMA-Factory training process, due to the improper loading of the `vhead_file` without secure safeguards.
This is a significant problem because it enables stealthy remote code execution, meaning attackers can run malicious code on the victim's system without their knowledge, potentially leading to data breaches, system compromise, or other harmful activities.
The Markdown preview function in File Browser versions prior to v2.33.7 allows any JavaScript code embedded in a Markdown file uploaded by a user to be executed by the browser, due to a Stored Cross-Site-Scripting (XSS) vulnerability.
This vulnerability is a problem because it enables attackers to inject malicious JavaScript code into Markdown files, which can then be executed by the browser when other users preview these files, potentially leading to unauthorized actions, data theft, or further exploitation of the system.
The File Browser application fails to set explicit file access permissions for uploaded or created files, as well as its database, allowing these files to be readable by any operating system account by default.
This vulnerability is a problem because it allows unauthorized access to sensitive files and data, potentially leading to data breaches or other security issues, especially on standard servers where the umask configuration has not been hardened.
The CVE-2025-52887 vulnerability affects the cpp-httplib library, allowing an attacker to cause the library to consume increasing amounts of system memory by sending a large number of HTTP headers, which are not properly released when the connection is closed.
This vulnerability is a problem because it can lead to exhaustion of system memory, causing a server to crash or become unresponsive, which can result in downtime and disruption of services.
This vulnerability allows an attacker to inject arbitrary SQL code into the Dairy Farm Shop Management System through a POST request, specifically by manipulating the "companyname" parameter in the manage-companies.php file, which can lead to unauthorized access and manipulation of sensitive data.
This vulnerability is a problem because it enables remote attackers to execute malicious SQL commands, potentially allowing them to extract, modify, or delete sensitive data, disrupt system operations, or gain unauthorized access to the system, which can lead to serious security breaches and data compromises.
This vulnerability allows a remote attacker to execute arbitrary code on a system running MHSanaei 3x-ui versions before 2.5.3, by exploiting the management script's use of wget with the "no check certificate" option when downloading updates.
This vulnerability is a problem because it enables attackers to potentially gain control of the system, steal sensitive data, or disrupt operations by executing malicious code, all due to the lack of proper certificate validation during the update process.
The CVE-2024-56915 vulnerability allows an attacker to perform Cross Site Scripting (XSS) attacks through the RSS feed widget in Netbox Community versions prior to v4.2.2, specifically affecting version v4.1.7.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the RSS feed widget, potentially leading to unauthorized access, data theft, or execution of malicious actions on the affected system, compromising the security and integrity of the Netbox Community platform.
The MongoDB Server contains a vulnerability that allows specially crafted JSON inputs to cause excessive recursion in the JSON parsing mechanism, leading to a stack overflow that crashes the server. This can happen before authorization, allowing unauthorized access to exploit the issue in certain versions.
This vulnerability is a problem because it can cause the MongoDB Server to crash, resulting in a denial of service. An attacker could exploit this issue to disrupt the service, potentially leading to data loss or other security issues. In some versions, exploitation requires authentication, but in others, it can be done pre-authorization, making it more severe.
The MongoDB Server has a vulnerability that can cause it to crash when it receives specific date values in JSON input, especially when using OIDC authentication, allowing an attacker to send a malicious payload and disrupt the server.
This vulnerability is a problem because it can lead to a denial of service, where the server becomes unavailable, potentially causing disruptions to critical services and data access, and affecting the overall reliability and security of the system.