This vulnerability allows an attacker to remotely access and manipulate files in the "/storage/" directory of the Mogu Blog v2 Storage Management Endpoint without proper authorization, due to a missing authorization check in the system.
This is a problem because it enables unauthorized access to potentially sensitive data, which could lead to data breaches, tampering, or other malicious activities, and the fact that the exploit is publicly available increases the risk of it being used by attackers.
This vulnerability allows an attacker to inject malicious SQL code into the WebStack-Guns application by manipulating the "sort" argument, potentially leading to unauthorized access or modification of sensitive data.
This vulnerability is a problem because it enables remote attackers to exploit the application's database, potentially resulting in data breaches, tampering, or disruption of service, which can have significant consequences for the application's users and the organization hosting it.
This vulnerability allows an attacker to manipulate the `renderPicture` function in the `KaptchaController` of the WebStack-Guns 1.0 application, resulting in path traversal, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to access and potentially modify sensitive files and directories on the server by traversing the file system, which could lead to data breaches, unauthorized access, and other malicious activities.
This vulnerability allows an attacker to manipulate the SSH connection handler in the orion-ops software, leading to server-side request forgery by altering arguments such as host, SSH port, username, password, and authentication type, which can be done remotely.
This vulnerability is a problem because it enables remote attackers to potentially access and manipulate sensitive data or systems by exploiting the SSH connection handler, which could lead to unauthorized access, data breaches, or other malicious activities.
This vulnerability allows an attacker to manipulate the ID argument in the UserController function of the orion-ops application, bypassing proper authorization and potentially gaining unauthorized access to user profiles.
This vulnerability is a problem because it enables remote attackers to exploit the improper authorization, allowing them to access or modify sensitive user data without permission, which can lead to security breaches and data theft.
The CVE-2025-13807 vulnerability allows for improper authorization in the MachineKeyController function of the orion-ops API, which can be exploited remotely.
This vulnerability is a problem because it enables unauthorized access to the system, potentially allowing attackers to perform malicious actions without proper credentials, which can lead to data breaches, system compromise, or other security issues.
The CVE-2025-13806 vulnerability allows for improper authorization in the NutzBoot Transaction API due to the manipulation of the "from/to/wei" argument in the EthModule.java file, potentially enabling remote exploitation.
This vulnerability is a problem because it can be exploited remotely, allowing unauthorized access and potentially leading to malicious activities, such as unauthorized transactions or data breaches, which can compromise the security and integrity of the system.
The CVE-2025-13805 vulnerability allows an attacker to manipulate the deserialization process in the LiteRpc-Serializer component of NutzBoot, potentially leading to remote code execution.
This vulnerability is a problem because it could allow an attacker to remotely execute malicious code, potentially gaining unauthorized access to sensitive data or systems, and it has been made publicly available, making it a target for exploitation.
The CVE-2025-13804 vulnerability allows an attacker to manipulate the Ethereum Wallet Handler in NutzBoot versions up to 2.6.0-SNAPSHOT, resulting in the disclosure of sensitive information, and this attack can be initiated remotely.
This vulnerability is a problem because it enables unauthorized access to sensitive information, potentially leading to financial loss, identity theft, or other malicious activities, and since the exploit has been made public, attackers can easily use it to target vulnerable systems.
The CVE-2025-13803 vulnerability allows an attacker to manipulate the "Host" argument in the MediaCrush 1.0.0/1.0.1 Header Handler, leading to improper neutralization of HTTP headers for scripting syntax, which can be exploited remotely.
This vulnerability is a problem because it enables remote attackers to potentially inject malicious scripts or headers, allowing them to execute unauthorized actions, steal sensitive information, or take control of the affected system, which could lead to significant security breaches and data compromises.
This vulnerability allows an attacker to manipulate the "selected_date" argument in the "Make a Reservation" component of the jairiidriss RestaurantWebsite, leading to a cross-site scripting (XSS) attack that can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially stealing user data, taking control of user sessions, or performing other malicious actions, all of which can compromise the security and privacy of users interacting with the website.
This vulnerability allows an attacker to inject commands into the system by manipulating the "mac" argument in the set_mesh_disconnect function of the /send_order.cgi file, which can be exploited remotely.
This vulnerability is a problem because it enables remote attackers to execute arbitrary commands on the system, potentially leading to unauthorized access, data theft, or other malicious activities, and the fact that the exploit has been made public increases the risk of attack.
The installer for INZONE Hub versions 1.0.10.3 to 1.0.17.0 has a flaw that allows it to load Dynamic Link Libraries (DLLs) from unsafe locations, potentially leading to the execution of arbitrary code with the same privileges as the user running the installer.
This vulnerability is a problem because it could allow an attacker to run malicious code on a user's system, potentially leading to data theft, system compromise, or other harmful activities, all under the guise of the user's own privileges.
This vulnerability allows an attacker to inject commands into the system by manipulating the "mac" argument in the ap_macfilter_del function of the /send_order.cgi file, potentially giving them unauthorized control over the device.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to execute arbitrary commands on the device without physical access, which could lead to data theft, device takeover, or other malicious activities, especially since the exploit has been publicly disclosed.
This vulnerability allows an attacker to inject commands into the system by manipulating the "mac" argument in the ap_macfilter_add function of the /send_order.cgi file in ADSLR NBR1005GPEV2 devices.
This is a problem because it enables remote attackers to execute arbitrary commands on the device, potentially leading to unauthorized access, data theft, or disruption of service, which can compromise the security and integrity of the system.
This vulnerability allows an attacker to inject commands into a system by manipulating the "del_swifimac" argument in the "/send_order.cgi" file, which can be done remotely.
This vulnerability is a problem because it enables remote attackers to execute arbitrary commands on the system, potentially leading to unauthorized access, data breaches, or other malicious activities, and the exploit is publicly available.
This vulnerability allows an attacker to manipulate the "url" argument in the AnalyticsScript function of the deco-cx app, leading to server-side request forgery, which can be executed remotely.
This vulnerability is a problem because it enables attackers to trick the server into making unauthorized requests, potentially allowing them to access sensitive data, disrupt service, or execute malicious actions, all from a remote location.
The CVE-2025-13795 vulnerability allows an attacker to manipulate the "First Name" field in the Edit Student Info Page of the codingWithElias School Management System, leading to a cross-site scripting (XSS) attack. This means an attacker can inject malicious code into the system, potentially stealing user data or taking control of user sessions.
This vulnerability is a problem because it enables remote attackers to exploit the system, potentially leading to unauthorized access to sensitive student information, session hijacking, or further malicious activities. The fact that the exploit is publicly available increases the risk of attack, and the vendor's lack of response exacerbates the issue.
This vulnerability allows an attacker to execute arbitrary commands with root privileges on a HexStrike AI MCP server by providing a specially crafted command-line argument starting with a semi-colon ; to a specific API endpoint.
This vulnerability is a problem because it enables attackers to gain unrestricted access to the server, allowing them to perform malicious actions, steal sensitive data, or disrupt the system's operation, all with the highest level of privilege.
This vulnerability allows attackers to manipulate the "Error" argument in the GET Parameter Handler of the winston-dsouza Ecommerce-Website, leading to cross-site scripting (XSS) attacks, which can be executed remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, all of which can be done remotely without the need for physical access to the system.
The CVE-2025-13792 vulnerability allows an attacker to inject code into the Qualitor system by manipulating the "passageiros" argument in the /html/st/stdeslocamento/request/getResumo.php file, potentially leading to remote code execution.
This vulnerability is a problem because it enables remote attackers to inject malicious code, potentially allowing them to access sensitive data, disrupt system operations, or gain unauthorized control over the affected system, which could have serious security and privacy implications.
The CVE-2025-13791 vulnerability allows an attacker to manipulate the Common.getHomeDir function in Scada-LTS, leading to path traversal, which enables them to access and potentially modify files outside the intended directory.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access sensitive files and potentially disrupt or take control of the system, and the fact that the exploit is publicly available increases the likelihood of an attack.
This vulnerability allows an attacker to perform a cross-site request forgery (CSRF) attack on Scada-LTS versions up to 2.7.8.1, which can be initiated remotely, potentially allowing unauthorized actions to be taken on behalf of a user.
This vulnerability is a problem because it enables attackers to trick users into performing unintended actions, potentially leading to unauthorized access, data modification, or other malicious activities, and since the exploit has been publicly disclosed, attackers may already be utilizing it.
This vulnerability allows an attacker to manipulate the "Base" argument in the makeRequest function of the ZenTao module/ai/model.php file, resulting in server-side request forgery, which can be launched remotely.
This vulnerability is a problem because it enables attackers to trick the server into making unintended requests, potentially leading to unauthorized access to sensitive data, disruption of services, or other malicious activities, all of which can be initiated remotely without the need for physical access to the system.
The CVE-2025-13788 vulnerability allows an attacker to inject malicious SQL code into the Chanjet CRM system by manipulating the "gblOrgID" argument in the /tools/upgradeattribute.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the CRM system, potentially leading to data breaches, unauthorized access, and other malicious activities, which can compromise the security and integrity of the system.
The CVE-2025-13787 is a vulnerability in ZenTao versions up to 21.7.6-8564 that allows an attacker to manipulate the fileID argument in the file deletion function, potentially bypassing privilege checks and deleting files without proper authorization.
This vulnerability is a problem because it enables remote attackers to exploit improper privilege management, potentially leading to unauthorized file deletion, data loss, and disruption of service, which can have significant consequences for the security and integrity of the affected system.
This vulnerability allows an attacker to inject code into the taosir WTCMS system by manipulating the "content" argument in the fetch function of the /index.php file, which can be done remotely.
This vulnerability is a problem because it enables remote code injection, allowing attackers to execute malicious code on the system, potentially leading to data breaches, system compromise, or other security incidents.
The CVE-2025-13785 vulnerability allows an attacker to manipulate the Image Handler component in the yungifez Skuul School Management System, specifically targeting the /user/profile file, which can lead to the disclosure of sensitive information. This attack can be performed remotely.
This vulnerability is a problem because it enables unauthorized access to sensitive information, potentially compromising the privacy and security of the individuals whose data is stored in the system. The fact that the exploit has been publicly disclosed and the vendor has not responded increases the risk of exploitation.
The CVE-2025-13784 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack on the yungifez Skuul School Management System, specifically targeting the SVG File Handler component when editing school information. This can be done remotely.
This vulnerability is a problem because it enables malicious actors to inject harmful scripts into the system, potentially stealing user data, taking control of user sessions, or disrupting the system's functionality. The fact that the exploit is publicly available and the vendor has not responded increases the risk of exploitation.
The CVE-2025-13783 vulnerability allows an attacker to inject malicious SQL code into the taosir WTCMS system by manipulating the "ids" argument in the CommentadminController component, which can be executed remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the database, potentially leading to data breaches, unauthorized access, and other malicious activities, and since the exploit has been made public, it increases the likelihood of the vulnerability being exploited.
The CVE-2025-66433 vulnerability allows an authenticated user to submit a batch job that impersonates other users on the local machine, using HTCondor Access Point versions before 25.3.1.
This vulnerability is a problem because it enables malicious users to gain unauthorized access to other users' accounts and potentially sensitive information, by pretending to be someone else on the same machine.
The CVE-2025-66432 vulnerability allows API tokens in Oxide control plane versions 15 through 17 (before 17.1) to be renewed beyond their intended expiration date.
This vulnerability is a problem because it could enable unauthorized access to systems and data by allowing expired tokens to remain valid, potentially leading to security breaches and data compromises.
This vulnerability allows an attacker to inject malicious SQL code into the taosir WTCMS system by manipulating the "ids" argument in the SlideController, potentially leading to unauthorized data access or modification.
This vulnerability is a problem because it enables remote attackers to exploit the system, potentially allowing them to extract or modify sensitive data, disrupt system operations, or gain unauthorized access to the system, which could have serious security and data integrity implications.
The Tryton trytond version 6.0 before 7.6.11 has a vulnerability that allows unauthorized data export because it fails to enforce access rights.
This vulnerability is a problem because it can lead to sensitive data being accessed and exported by unauthorized users, potentially resulting in data breaches and confidentiality issues.
The Tryton trytond version 6.0 before 7.6.11 has a vulnerability that fails to enforce access rights for the route of the HTML editor, allowing unauthorized access.
This vulnerability is a problem because it can allow attackers to bypass security restrictions and potentially gain unauthorized access to sensitive data or functions, leading to data breaches or other malicious activities.
The CVE-2025-66422 vulnerability in Tryton trytond allows remote attackers to obtain sensitive server setup information, including trace-back data, when using versions prior to 7.6.11.
This vulnerability is a problem because it exposes sensitive information about the server setup, which could be used by attackers to plan and execute further attacks, potentially leading to unauthorized access or data breaches.
The Tryton sao vulnerability allows an attacker to inject malicious code into the system through unescaped completion values, leading to a Cross-Site Scripting (XSS) attack.
This vulnerability is a problem because it enables an attacker to execute malicious scripts on a user's browser, potentially stealing sensitive information, taking control of the user's session, or performing unauthorized actions.
The CVE-2025-66420 vulnerability allows an attacker to perform a Cross-Site Scripting (XSS) attack by sending an HTML attachment to the Tryton sao application, versions prior to 7.6.9.
This vulnerability is a problem because it enables an attacker to inject malicious code into the application, potentially stealing user data, taking control of user sessions, or performing other unauthorized actions, which can compromise the security and integrity of the system.
The StreamTube Core plugin for WordPress allows unauthenticated attackers to change user passwords, potentially taking over administrator accounts, due to a vulnerability that lets users bypass authorization and access system resources.
This vulnerability is a significant problem because it enables attackers to gain control of administrator accounts, allowing them to make malicious changes to the website, steal sensitive information, or disrupt its operation, which can lead to severe security breaches and reputational damage.
The CVE-2025-6666 vulnerability allows an attacker to exploit a hard-coded cryptographic key in the NFC Handler component of the motogadget mo.lock Ignition Lock, potentially giving them unauthorized access to the device.
This vulnerability is a problem because it could allow an attacker to bypass security measures and gain control of the physical device, which could have serious consequences depending on how the device is used. The fact that the vendor has not responded to the disclosure makes it difficult for users to obtain an official patch or fix.
The CVE-2025-66291 vulnerability in OrangeHRM versions 5.0 to 5.7 allows an authenticated user with limited access to directly request and receive confidential interview documents, including candidate CVs and evaluations, without needing permission to access the associated interview record.
This vulnerability is a problem because it exposes sensitive information to unauthorized users, potentially leading to data breaches and confidentiality issues, as users who should not have access to certain recruitment documents can still obtain them.
The OrangeHRM system has a vulnerability that allows any authenticated user to access and download sensitive candidate documents, such as CVs, without proper authorization, by directly requesting the attachment endpoint.
This vulnerability is a problem because it exposes sensitive applicant data to unauthorized users, potentially leading to data breaches and confidentiality issues, even if the users do not have the necessary permissions to view the Recruitment module.
The OrangeHRM system fails to invalidate existing user sessions when a user's account is disabled or their password is changed, allowing active session cookies to remain valid and enabling access to protected pages and operations even after the account has been disabled or the password has been reset.
This vulnerability is a problem because it allows unauthorized users to retain full access to the system even after their account has been closed or their password has been reset, exposing the system to prolonged unauthorized use and increasing the impact of account takeover scenarios, making administrative disable actions ineffective.
The CVE-2025-66225 vulnerability in OrangeHRM versions 5.0 to 5.7 allows an attacker to change the password of any account, including privileged ones, by exploiting a flaw in the password reset workflow where the system does not verify if the username in the final reset request matches the original account.
This vulnerability is a problem because it enables an attacker to take full control of any account, including those with administrative privileges, by simply obtaining a valid password reset link for any account and then altering the username to target a different user, potentially leading to unauthorized access and malicious activities.
The OrangeHRM application has a flaw that allows user-controlled input to directly affect the system's sendmail command, potentially leading to unintended behaviors such as writing files on the server, which can result in the execution of attacker-controlled content if those files are stored in web-accessible locations.
This vulnerability is a problem because it enables attackers to potentially execute malicious code on the server, allowing them to gain unauthorized access, steal sensitive data, or disrupt the system's operations, which can have severe consequences for the security and integrity of the application and its data.
This vulnerability allows an attacker to execute arbitrary JavaScript code in a victim's browser by crafting a specific URL that targets the krpano software, particularly when the xml parameter is enabled in the passQueryParameters function.
This is a problem because it enables remote, unauthenticated attackers to inject malicious scripts into a user's browser session, potentially leading to unauthorized actions, data theft, or further exploitation of the user's system.
The CVE-2025-65540 vulnerability allows attackers to inject and execute malicious scripts on the xmall v1.1 platform by exploiting improper handling of user-supplied data in input fields such as username and description.
This vulnerability is a problem because it enables attackers to perform Cross-Site Scripting (XSS) attacks, which can lead to unauthorized access to user data, session hijacking, and other malicious activities, ultimately compromising the security and integrity of the platform.
The OpenObserve cloud-native observability platform has a vulnerability where organization invitation tokens do not expire after they are issued, allowing removed or demoted users to regain access or escalate privileges using previously issued links.
This vulnerability is a problem because it breaks access control, enabling unauthorized users to access the system or gain higher privileges, which can lead to security breaches and data compromises.
The Werkzeug library's safe_join function has a vulnerability that allows it to serve files with Windows device names, such as CON or AUX, which can cause the application to hang indefinitely when trying to read from these files.
This vulnerability is a problem because it can lead to a denial-of-service (DoS) attack, where an attacker can cause the application to become unresponsive by requesting files with special device names, potentially disrupting the service and causing inconvenience to users.
The CVE-2025-66217 vulnerability is an integer underflow issue in the MQTT parsing logic of AIS-catcher, a multi-platform AIS receiver, which allows an attacker to send a malformed MQTT packet and trigger a heap buffer overflow, leading to a Denial of Service (DoS) and potentially Remote Code Execution (RCE).
This vulnerability is a problem because it can cause an immediate disruption of service and potentially allow an attacker to execute arbitrary code, giving them control over the system, which can lead to severe consequences such as data breaches, system compromise, and unauthorized access.
The CVE-2025-66216 vulnerability is a heap buffer overflow in the AIS-catcher AIS::Message class, which allows an attacker to write a large amount of arbitrary data into a small buffer, potentially causing the program to crash or execute malicious code.
This vulnerability is a problem because it can be exploited by an attacker to gain control over the system, steal sensitive information, or disrupt the normal functioning of the AIS-catcher application, which could have serious consequences in maritime or other industries that rely on AIS data.
The CVE-2025-61915 vulnerability allows a user in the lpadmin group to modify the configuration of the OpenPrinting CUPS printing system through the web interface, inserting malicious lines that can cause an out-of-bounds write when the cupsd process, running as root, parses the new configuration.
This vulnerability is a problem because it enables a user with limited privileges to potentially execute arbitrary code with root privileges, leading to a significant escalation of privileges and potential system compromise.
The CVE-2025-58436 vulnerability affects the OpenPrinting CUPS printing system, allowing a client to slow down the cupsd service by sending messages at a very slow rate, such as one byte per second, which in turn delays the entire service.
This vulnerability is a problem because it can render the cupsd service unusable for other clients, effectively causing a denial-of-service (DoS) condition, which can disrupt printing operations and impact productivity.
The CVE-2025-53939 vulnerability allows an attacker to elevate another user's permissions on a shared folder in Kiteworks, a private data network, due to improper input validation when managing roles.
This vulnerability is a problem because it can lead to unauthorized access to sensitive data, allowing malicious users to view, modify, or delete files without permission, potentially compromising confidentiality, integrity, and security.
The CVE-2025-53900 vulnerability in Kiteworks MFT allows authorized users to potentially escalate their privileges unexpectedly due to a flawed definition of roles and permissions when managing connections.
This vulnerability is a problem because it could allow users to gain unauthorized access to sensitive information or perform actions that they should not be able to, potentially leading to data breaches or other security issues.
The Kiteworks MFT system has a vulnerability that allows an attacker with administrative privileges to intercept communication between the system and other channels, potentially leading to an escalation of privileges.
This vulnerability is a problem because it can be exploited by an attacker to gain higher levels of access to the system, potentially allowing them to perform malicious actions, such as stealing sensitive data or disrupting system operations.
This vulnerability allows an external attacker to gain access to log information from the Kiteworks MFT system by tricking an administrator into visiting a specifically crafted fake page.
This is a problem because it could allow unauthorized access to sensitive log information, potentially revealing confidential data or system vulnerabilities that an attacker could exploit for further malicious activities.
The Kiteworks MFT software has a bug that prevents a user's active session from timing out due to inactivity under certain circumstances, allowing the session to remain active indefinitely.
This vulnerability is a problem because it could allow unauthorized access to sensitive information if a user's session remains active on an unattended device, potentially leading to data breaches or other malicious activities.
The CVE-2025-66219 vulnerability allows for command injection in the "willitmerge" command line tool, which checks if pull requests are mergeable. This happens because the tool uses an insecure method to execute child processes, combining user input with commands, whether the input comes from command-line flags or the target repository.
This vulnerability is a problem because it enables attackers to inject and execute arbitrary commands, potentially leading to unauthorized access, data tampering, or other malicious activities on the system running the "willitmerge" tool.
The CVE-2025-66201 vulnerability allows an authenticated user to trick the LibreChat server into making unauthorized requests to internal URLs, such as cloud metadata services, by passing specially crafted OpenAPI specs to its "Actions" feature.
This vulnerability is a problem because it could be used to access sensitive information or impersonate the server, potentially leading to unauthorized actions or data breaches.
The CVE-2025-66036 vulnerability allows an attacker to inject malicious code into the Retro online platform through its input handling component, prior to version 2.4.7, which can lead to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on users' browsers, potentially stealing sensitive information, hijacking user sessions, or performing unauthorized actions on the platform.
The fontTools library has a vulnerability that allows an attacker to write arbitrary files and execute remote code when a malicious .designspace file is processed using the fonttools varLib script.
This vulnerability is a problem because it can be exploited by attackers to gain control over a system, allowing them to execute malicious code and potentially steal sensitive information or disrupt operations.
The CVE-2025-66027 vulnerability in Rallly, an open-source scheduling and collaboration tool, exposes participant details such as names and email addresses through a specific API endpoint, even when privacy features are enabled.
This vulnerability is a problem because it bypasses intended privacy controls, allowing participants to view other users' personal information, which could lead to unauthorized access and potential misuse of sensitive data.
The CVE-2025-65113 vulnerability allows any unauthenticated user to flag any content, including users, videos, photos, and collections, on the ClipBucket v5 video sharing platform due to an authorization bypass in the AJAX flagging system.
This vulnerability is a problem because it enables mass flagging attacks, disrupts content, and can be used to abuse the moderation system, potentially leading to unnecessary removal of legitimate content and undermining the platform's integrity.
The CVE-2025-65112 vulnerability allows unauthenticated users to upload packages to PubNet as if they were any other user, by providing a fake author ID, enabling them to impersonate others and potentially upload malicious packages.
This vulnerability is a problem because it enables identity spoofing, privilege escalation, and supply chain attacks, which can lead to unauthorized access, data breaches, and the distribution of malicious software, putting users and systems at risk.
The CVE-2025-64715 vulnerability in Cilium affects how network policies are enforced, specifically when referencing non-existent or unattached AWS security group IDs. This can cause the policy to unintentionally allow broader outbound access than intended.
This vulnerability is a problem because it can lead to unauthorized outbound traffic, potentially exposing sensitive data or allowing malicious activity. The issue arises when the policy fails to generate the necessary restrictions, resulting in more permissive access than the policy authors intended.
The CVE-2025-13683 vulnerability allows the exposure of credentials in unintended requests in Devolutions Server and Remote Desktop Manager on Windows, specifically affecting versions of Devolutions Server up to 2025.3.8.0 and Remote Desktop Manager up to 2025.3.23.0.
This vulnerability is a problem because it could potentially allow unauthorized access to sensitive information, including login credentials, which could be used for malicious purposes such as data theft or system compromise.
The CVE-2025-12183 vulnerability allows remote attackers to perform out-of-bounds memory operations in the lz4-java library version 1.8.0 and earlier, by sending specially crafted compressed input, which can cause the system to crash (denial of service) and potentially reveal adjacent memory contents.
This vulnerability is a problem because it can be exploited by remote attackers to disrupt the service, causing it to become unavailable, and potentially gain access to sensitive information stored in the adjacent memory, compromising the system's security and integrity.
The CVE-2025-59792 vulnerability in Apache Kvrocks exposes plaintext credentials when the MONITOR command is used, allowing unauthorized access to sensitive information.
This vulnerability is a problem because it compromises the security of user credentials, potentially leading to unauthorized data access, modification, or theft, which can have serious consequences for individuals and organizations.
The CVE-2025-59790 vulnerability is an Improper Privilege Management issue in Apache Kvrocks, affecting versions from 2.9.0 to 2.13.0, which can potentially allow unauthorized access or elevated privileges.
This vulnerability is a problem because it can lead to unauthorized users gaining access to sensitive data or performing actions that they should not be allowed to, potentially compromising the security and integrity of the system.
The CVE-2025-51736 vulnerability allows unauthorized file uploads in HCL Technologies Ltd. Unica version 12.0.0, potentially enabling attackers to upload malicious files to the system.
This vulnerability is a problem because it could allow attackers to upload malicious files, such as viruses, malware, or backdoors, which could then be used to compromise the system, steal sensitive data, or disrupt operations.
The CVE-2025-51735 vulnerability allows an attacker to inject malicious formulas into CSV files used by HCL Technologies Ltd. Unica 12.0.0, potentially executing unauthorized actions.
This vulnerability is a problem because it could enable attackers to manipulate data, execute arbitrary code, or gain unauthorized access to sensitive information, compromising the security and integrity of the system.
The CVE-2025-51734 vulnerability allows an attacker to inject malicious code into a website using cross-site scripting (XSS), affecting HCL Technologies Ltd. Unica version 12.0.0.
This vulnerability is a problem because it enables attackers to steal user data, take control of user sessions, or perform unauthorized actions on the affected website, potentially leading to security breaches and data theft.
The CVE-2025-51733 vulnerability allows an attacker to trick a user into performing unintended actions on the HCL Technologies Ltd. Unica 12.0.0 platform, by exploiting a Cross-Site Request Forgery (CSRF) weakness.
This vulnerability is a problem because it enables attackers to bypass security measures and perform actions that the user did not intend to do, potentially leading to unauthorized data modification, deletion, or other malicious activities.
The Keras version 3.11.3 has a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives, allowing files to be written outside the intended extraction directory due to a security bypass.
This vulnerability is a problem because it enables arbitrary file writes outside the cache directory, which can lead to potential system compromise or malicious code execution, putting the system and its data at risk.
The CVE-2025-11156 vulnerability allows a local, authenticated user with Administrator privileges on Windows systems to improperly load a driver, causing a system crash (Blue-Screen-of-Death) and resulting in a Denial of Service (DoS) for the affected machine.
This vulnerability is a problem because it can be exploited by an attacker with Administrator privileges to intentionally crash a Windows system, disrupting service and causing potential data loss or downtime, which can have significant operational and financial impacts.
The CVE-2025-12143 is a Stack-based Buffer Overflow vulnerability found in ABB Terra AC wallbox devices, specifically those with versions up to 1.8.33, allowing potential overflows of data on the stack.
This vulnerability is a problem because it could be exploited by attackers to execute arbitrary code, potentially leading to unauthorized access, data breaches, or disruption of the device's functionality, which in the context of charging stations, could have significant security and safety implications.
This vulnerability allows authenticated remote attackers to read and download arbitrary system files from a WebITR system developed by Uniong, by exploiting a Relative Path Traversal weakness.
This vulnerability is a problem because it enables attackers to access sensitive system files, potentially revealing confidential information, disrupting system operations, or gaining unauthorized access to the system.
This vulnerability allows attackers to inject arbitrary SQL commands into the WebITR system, giving them unauthorized access to read sensitive database contents.
This vulnerability is a problem because it enables malicious actors to extract confidential information from the database, potentially leading to data breaches, identity theft, and other security incidents, even if they only have authenticated access.
This vulnerability allows attackers to inject arbitrary SQL commands into the WebITR system, giving them unauthorized access to read the database contents.
This is a problem because it enables authenticated remote attackers to extract sensitive information from the database, potentially leading to data breaches, unauthorized data access, and other malicious activities.
This vulnerability allows remote attackers to bypass authentication in the WebITR system by modifying a specific parameter, enabling them to log in as any user once they have obtained a valid user ID.
This vulnerability is a problem because it allows unauthorized access to the system, potentially leading to sensitive data breaches, malicious activities, and compromised user accounts, which can have severe security and privacy implications.
The CVE-2025-66386 vulnerability allows an attacker with site-admin privileges to manipulate file paths in the MISP application, specifically when viewing pictures, potentially accessing files outside the intended directory.
This vulnerability is a problem because it could enable an attacker to access sensitive files or data that they should not have access to, potentially leading to data breaches or other security incidents.
This vulnerability allows an authenticated non-privileged user to escalate their privileges by modifying certain fields, such as role_id or organisation_id, in the user-edit request to the UsersController::edit endpoint in Cerebrate versions before 1.30.
This vulnerability is a problem because it enables non-privileged users to gain higher levels of access, such as admin roles, without proper authorization, potentially leading to unauthorized data access, modification, or other malicious activities.
The CVE-2025-66384 vulnerability allows attackers to bypass file upload validation in MISP versions before 2.5.24 due to incorrect logic in the EventsController.php file, specifically related to the handling of temporary file names (tmp_name).
This vulnerability is a problem because it enables malicious actors to upload unauthorized or malicious files to the system, potentially leading to code execution, data breaches, or other security compromises.
The CVE-2025-66382 vulnerability allows an attacker to create a specially crafted file that can cause the libexpat library to consume excessive processing time, with files as small as 2 MiB potentially leading to delays of dozens of seconds.
This vulnerability is a problem because it can be used for denial-of-service (DoS) attacks, where an attacker intentionally overwhelms a system with crafted files, leading to significant performance degradation or even complete system unavailability.
The CVE-2025-66372 vulnerability in Mustang versions before 2.16.3 allows attackers to exfiltrate files using XML External Entity (XXE) attacks, which can lead to unauthorized access to sensitive data.
This vulnerability is a problem because it enables malicious actors to extract confidential files from a system, potentially leading to data breaches, intellectual property theft, and other security incidents, compromising the confidentiality and integrity of the affected system.
The CVE-2025-66371 vulnerability in Peppol-py before version 1.1.1 allows an attacker to perform an XML eXternal Entity (XXE) attack, which enables the reading of files from the filesystem and exposes their content to a remote host when validating XML-based invoices.
This vulnerability is a problem because it allows unauthorized access to sensitive files on the system, potentially leading to data breaches and exposing confidential information to remote attackers.
The CVE-2025-66370 vulnerability allows an attacker to inject malicious XML code (XXE injection) into the Kivitendo system by uploading a specially crafted electronic invoice in the ZUGFeRD format, enabling them to read and extract files from the server's filesystem.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the server, potentially leading to data breaches, intellectual property theft, and other malicious activities, compromising the security and confidentiality of the system.
The CVE-2025-64312 vulnerability allows unauthorized access to files due to a weakness in permission controls within the file management module.
This vulnerability is a problem because it can compromise the confidentiality of sensitive information and services, potentially leading to unauthorized data access or leaks.
The CVE-2025-58311 is a Use-After-Free (UAF) vulnerability in the USB driver module, which allows an attacker to access and manipulate memory that has already been freed, potentially leading to unauthorized actions.
This vulnerability is a problem because it can affect the availability and confidentiality of a system, allowing attackers to disrupt services, steal sensitive information, or gain unauthorized access, which can lead to significant security breaches and data losses.
The CVE-2025-58308 vulnerability is caused by an improper security check in the call module, which can lead to abnormal feature performance when exploited.
This vulnerability is a problem because it can cause features to malfunction, potentially leading to unexpected behavior, errors, or even more severe security issues, which can compromise the overall security and reliability of the system.
This vulnerability allows an attacker to bypass identity authentication in the Gallery app, potentially giving them unauthorized access to sensitive information.
This vulnerability is a problem because it compromises the confidentiality of the service, allowing attackers to access data they shouldn't have permission to see, which can lead to data breaches and other security issues.
The CVE-2025-58304 vulnerability allows unauthorized access to files due to a weakness in permission control within the file management module, potentially exposing sensitive information.
This vulnerability is a problem because it can compromise the confidentiality of services, allowing unauthorized parties to access restricted files and data, which could lead to data breaches or other security incidents.
The CVE-2025-58302 vulnerability allows unauthorized access to the Settings module due to a flaw in permission control, potentially exposing sensitive information.
This vulnerability is a problem because it can compromise the confidentiality of services, allowing unauthorized parties to access restricted data, which can lead to security breaches and data theft.
The Nextend Social Login and Register plugin for WordPress has a vulnerability that allows attackers to trick site administrators into unlinking a user's social login account through a forged request, due to a lack of proper validation.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate site administrators into performing unintended actions, potentially leading to unauthorized access or disruption of social login accounts, which can compromise user identity and security.
The CVE-2025-64315 vulnerability is a configuration defect in the file management module, which can be exploited to compromise the security of an application's data.
This vulnerability is a problem because it can allow unauthorized access to sensitive application data, potentially leading to a breach of confidentiality and integrity, which can have serious consequences for users and the application itself.
The CVE-2025-64314 vulnerability allows unauthorized access to sensitive areas of a system's memory due to a flaw in permission control within the memory management module.
This vulnerability is a problem because it can compromise the confidentiality of sensitive information stored in the system's memory, potentially leading to data breaches or unauthorized exposure of confidential data.
This vulnerability allows an attacker to cause a denial of service (DoS) in the office service, which means they can disrupt or shut down the service, making it unavailable to users.
This vulnerability is a problem because it can affect the availability of the office service, leading to downtime and potential losses in productivity, which can have significant impacts on businesses or organizations that rely on the service.
The CVE-2025-64311 is a permission control vulnerability found in the Notepad module, which allows unauthorized access to sensitive information.
This vulnerability is a problem because it can compromise service confidentiality, meaning that sensitive data may be exposed to unauthorized parties, potentially leading to data breaches or other security issues.
This vulnerability allows an attacker to launch a Denial of Service (DoS) attack on the video-related system service module, potentially crashing or disrupting the service.
This vulnerability is a problem because it can affect the availability of the system or service, making it inaccessible to users, which can lead to downtime, loss of productivity, and other negative consequences.