The Frontend Post Submission Manager Lite plugin for WordPress has a vulnerability that allows unauthorized users to modify any post on a website by exploiting a missing authorization check in the post update functionality.
This vulnerability is a problem because it enables attackers to alter post titles, content, excerpts, and even remove post authors without needing to log in, potentially leading to defacement, misinformation, or disruption of the website's content.
The Live Composer WordPress plugin has a vulnerability that allows attackers with certain access levels to inject malicious PHP objects into the website, potentially leading to unauthorized actions, but only if another vulnerable plugin or theme with a POP chain is also installed.
This vulnerability is a problem because it could enable attackers to perform harmful actions such as deleting files, accessing sensitive data, or executing malicious code, especially if a POP chain is present through another plugin or theme, compromising the security and integrity of the website.
The WC Builder plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages through certain styling parameters, such as 'heading_color', due to poor input validation and output escaping.
This vulnerability is a problem because it enables authenticated attackers with Shop Manager-level access or higher to embed arbitrary web scripts that will run whenever a user visits the compromised page, potentially leading to unauthorized data access, malware distribution, or other malicious activities.
The Tainacan plugin for WordPress has a vulnerability that allows unauthorized users to create metadata sections in any collection, due to a flawed authentication check in the `create_item_permissions_check()` function, which always returns true and bypasses security validation.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate the metadata of any collection on a WordPress site using the Tainacan plugin, potentially leading to data tampering, unauthorized access, or other malicious activities, especially since they can access the site's REST API.
The WishSuite plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages through a specific shortcode parameter, due to poor input validation and escaping. This enables them to execute arbitrary web scripts whenever a user visits the compromised page.
This vulnerability is a problem because it allows authenticated attackers with Contributor-level access or higher to inject harmful scripts, potentially leading to unauthorized data access, malware distribution, or other malicious activities, compromising the security and integrity of the website and its users.
The PostX plugin for WordPress has a vulnerability that allows unauthorized access to sensitive user data, including password hashes, through a REST API endpoint without properly checking user capabilities.
This vulnerability is a problem because it enables attackers to retrieve sensitive information without authentication, potentially leading to password cracking, identity theft, and unauthorized access to user accounts.
The Five Star Restaurant Reservations WordPress plugin has a vulnerability that allows attackers to inject malicious scripts into the website via a specific parameter, which can then execute when a user visits the affected page.
This vulnerability is a problem because it enables unauthenticated attackers to inject arbitrary web scripts, potentially leading to unauthorized access, data theft, or other malicious activities, affecting users who access the compromised pages.
CVE-2023-47232 is a vulnerability found in the WP Affiliate Disclosure plugin for WordPress, specifically in versions up to 1.2.6, which could be exploited by attackers.
This vulnerability is a problem because it could allow unauthorized access or malicious activities on websites using the affected plugin, potentially leading to data breaches, website defacement, or other security issues, thus compromising the integrity and security of the affected websites.
The CVE-2023-25446 vulnerability allows unauthorized access to HappyFiles Pro due to incorrectly configured access control security levels, potentially enabling exploitation of the system.
This vulnerability is a problem because it can allow unauthorized users to access sensitive data or perform actions they should not be able to, potentially leading to data breaches, system compromise, or other security issues.
The CVE-2023-25445 vulnerability allows unauthorized access to HappyFiles Pro due to missing authorization, enabling exploitation of incorrectly configured access control security levels in versions up to 1.8.1.
This vulnerability is a problem because it can allow unauthorized users to access sensitive information or perform actions they should not be able to, potentially leading to data breaches or other security issues.
The CVE-2025-14989 vulnerability allows an attacker to inject malicious SQL code into the Campcodes Complete Online Beauty Parlor Management System 1.0, specifically targeting the /admin/search-invoices.php file, which can be exploited remotely.
This vulnerability is a problem because it enables unauthorized access to sensitive database information, potentially leading to data theft, modification, or deletion, and can be exploited by attackers remotely, making it a significant threat to the security of the system.
The CVE-2023-25068 vulnerability allows unauthorized access to Mapro Collins Magazine Edge due to missing authorization and incorrectly configured access control security levels, affecting versions through 1.13.
This vulnerability is a problem because it enables unauthorized users to access sensitive information or perform actions that they should not be allowed to, potentially leading to data breaches, malicious activities, or other security incidents.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, indicating that it is no longer a valid or recognized vulnerability.
It's not a problem as the CVE ID is not associated with a known vulnerability, eliminating any potential risk or threat.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, indicating that it is not a valid or active vulnerability.
It's not a problem as the CVE ID is not associated with an actual vulnerability, eliminating any potential risk or threat.
The Versa SASE Client for Windows has a vulnerability that allows a local attacker to trick the system into deleting important system folders, potentially giving them elevated system privileges.
This vulnerability is a problem because it can be exploited by an attacker to gain control over the system, allowing them to execute malicious code with high-level system privileges, potentially leading to data theft, system compromise, or other malicious activities.
The WP JobHunt plugin for WordPress has a vulnerability that allows authenticated attackers with Candidate-level access or higher to modify the status of job applications for any user and inject cross-site scripting code.
This vulnerability is a problem because it enables attackers to manipulate data and inject malicious code, potentially leading to unauthorized access, data theft, or further malicious activities, compromising the security and integrity of the affected WordPress sites.
The WP JobHunt plugin for WordPress has a vulnerability that allows attackers with Candidate-level access or higher to send emails with injected HTML to any user, due to a lack of validation on a user-controlled key.
This vulnerability is a problem because it enables authenticated attackers to potentially phish or spam users by sending them manipulated emails, which could lead to further security issues or data breaches.
The FiboSearch plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages using a specific shortcode, potentially executing whenever a user visits the infected page.
This vulnerability is a problem because it enables authenticated attackers with certain access levels to inject arbitrary web scripts, which can lead to unauthorized actions, data theft, or other malicious activities, compromising the security and integrity of the website.
The Ultimate Member WordPress plugin has a vulnerability that allows attackers to access sensitive user information, including usernames, display names, user roles, and profile URLs, by exploiting a predictable token used to identify member directories.
This vulnerability is a problem because it enables unauthorized users to extract sensitive data from the website, potentially leading to identity theft, targeted attacks, or other malicious activities, and it can be easily exploited by brute-forcing a small token space or enumerating predictable directory IDs.
The Flex Store Users plugin for WordPress has a vulnerability that allows unauthorized users to gain administrator access to a site by exploiting a weakness in the user registration process, specifically through the 'fsUserHandle::signup' and 'fsSellerRole::add_role_seller' functions.
This vulnerability is a problem because it enables unauthenticated attackers to easily gain full control over a WordPress site, potentially leading to data breaches, malware distribution, and other malicious activities, by allowing them to register as administrators.
The Pure WC Variation Swatches WordPress plugin has a vulnerability that allows any authenticated user to update its settings without proper authorization checks.
This vulnerability is a problem because it enables any user who has access to the system, regardless of their intended permissions, to modify the plugin's settings, potentially disrupting the website's functionality or leading to unauthorized changes.
The Amazon affiliate lite Plugin for WordPress has a vulnerability that allows attackers with administrator-level permissions to inject malicious scripts into website pages, which will execute when a user visits the infected page, due to poor input validation and sanitization.
This vulnerability is a problem because it enables attackers to inject arbitrary web scripts, potentially leading to unauthorized access, data theft, or other malicious activities, especially in multi-site installations or where certain security features like unfiltered_html are disabled.
The Amazon affiliate lite Plugin for WordPress has a vulnerability that allows attackers to trick site administrators into updating plugin settings without their knowledge or permission, by sending forged requests to the site.
This vulnerability is a problem because it enables unauthenticated attackers to modify plugin settings, potentially leading to unauthorized access, data breaches, or other malicious activities, all by deceiving a site administrator into taking a simple action like clicking a link.
The Responsive and Swipe slider plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using the plugin's shortcode, due to poor input validation and escaping of user-supplied attributes.
This vulnerability is a problem because it enables authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that will execute when a user visits the compromised page, potentially leading to unauthorized actions, data theft, or other malicious activities.
The F70 Lead Document Download plugin for WordPress has a vulnerability that allows unauthorized access to files in the WordPress media library, enabling attackers to download any file by guessing or enumerating WordPress attachment IDs.
This vulnerability is a problem because it allows unauthenticated attackers to access sensitive files without permission, potentially leading to data breaches and unauthorized disclosure of confidential information.
This vulnerability occurs when an incorrect End-of-Record (EOR) configuration is used to parse delimited files, particularly those containing CR+LF characters, leading to inaccurate parsing and potential exposure of personally identifiable information (PII).
This vulnerability is a problem because it can result in the unintended exposure of sensitive personal data, which could be accessed or exploited by unauthorized parties, potentially leading to identity theft, fraud, or other malicious activities.
The WP DB Booster plugin for WordPress has a vulnerability that allows attackers to trick site administrators into deleting important database records, including post drafts, revisions, comments, and metadata, by sending a forged request.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate site administrators into performing unintended actions, potentially leading to loss of important data and disrupting the functionality of the WordPress site.
The Quran Gateway plugin for WordPress has a vulnerability that allows attackers to trick site administrators into modifying the plugin's display settings without their knowledge or consent, by sending forged requests to the site.
This vulnerability is a problem because it enables unauthenticated attackers to change the plugin's settings, potentially disrupting the site's functionality or displaying unauthorized content, which could lead to security issues or damage to the site's reputation.
The Overstock Affiliate Links plugin for WordPress has a vulnerability that allows attackers to inject arbitrary web scripts into pages via a reflected cross-site scripting (XSS) attack, which occurs when a user clicks on a malicious link.
This vulnerability is a problem because it enables unauthenticated attackers to execute malicious scripts on a user's browser, potentially leading to unauthorized actions, data theft, or other malicious activities, all without needing direct access to the website.
The WP Hallo Welt plugin for WordPress has a vulnerability that allows attackers to trick site administrators into updating plugin settings and injecting malicious scripts through forged requests, potentially leading to Stored Cross-Site Scripting.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate plugin settings and inject malicious code, which can compromise the security and integrity of the WordPress site, potentially leading to unauthorized access, data theft, or malware distribution.
The File Uploader for WooCommerce plugin for WordPress allows attackers to upload any type of file to the Uploadcare service without proper validation, which can then be downloaded to the site's server, potentially enabling remote code execution.
This vulnerability is a problem because it enables unauthenticated attackers to upload malicious files, such as executables or scripts, to a site's server, which could lead to remote code execution and give attackers full control over the site, allowing them to steal sensitive data, install malware, or disrupt service.
The Pretty Google Calendar plugin for WordPress has a vulnerability that allows unauthorized access to data because it lacks a proper capability check, enabling unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
This vulnerability is a problem because it allows attackers to obtain sensitive information, specifically the Google API key, without needing any authentication, which could lead to further unauthorized access and potential data breaches.
The Attachments Handler plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into web pages by tricking users into clicking on a link, due to poor input sanitization and output escaping.
This vulnerability is a problem because it enables unauthenticated attackers to execute arbitrary web scripts, potentially leading to unauthorized access, data theft, or other malicious activities, all by simply tricking a user into performing a single action like clicking a link.
This vulnerability allows an attacker to send specially crafted XML requests to the Tapo C200 V3 device, causing a buffer overflow that can crash the device and disrupt its service.
This is a problem because it can be exploited by an unauthenticated attacker on the same network to launch a denial-of-service (DoS) attack, rendering the device unusable and potentially causing significant disruptions.
The Tapo C200 V3 device has a vulnerable HTTPS service that allows unauthorized access to its connectAP interface, enabling an attacker to change the device's Wi-Fi settings without needing a password.
This vulnerability is a problem because it can be exploited by an attacker on the same local network to disrupt the device's internet connection, causing a denial-of-service (DoS) and potentially leading to loss of connectivity and device unavailability.
The Tapo C200 V3 HTTPS server has a vulnerability that allows an attacker to send specially crafted requests, causing the device to allocate too much memory and eventually crash, resulting in a denial-of-service (DoS) that disrupts the device's functionality.
This vulnerability is a problem because it can be exploited by an unauthenticated attacker on the same local network segment, allowing them to intentionally crash the device and disrupt its service, potentially causing inconvenience, data loss, or other security issues.
The CVE-2025-68613 vulnerability allows an authenticated attacker to execute arbitrary code on an n8n workflow automation platform by exploiting a weakness in the workflow expression evaluation system, potentially leading to unauthorized access and control.
This vulnerability is a problem because it can be used by attackers to gain full control over the affected n8n instance, compromising sensitive data, modifying workflows, and executing system-level operations, ultimately putting the entire system at risk.
The CVE-2025-68481 vulnerability in FastAPI Users allows an attacker to capture and reuse a state token from the OAuth login process, tricking a victim's browser into completing the login flow with the attacker's account, potentially leading to account takeover or unauthorized login.
This vulnerability is a problem because it enables login CSRF (Cross-Site Request Forgery) attacks, where an attacker can hijack a victim's account or log the victim into the attacker's account, compromising the security and integrity of the affected application and its users.
The CVE-2023-53959 vulnerability allows attackers to execute malicious code on a computer by placing a specially crafted file called TextShaping.dll in the FileZilla Client application directory, potentially leading to remote code execution when the application is launched.
This vulnerability is a problem because it enables attackers to gain control over a computer, allowing them to access sensitive information, install malware, or disrupt system operations, which can have severe consequences for individuals and organizations.
The LDAP Tool Box Self Service Password 1.5.2 contains a vulnerability that allows attackers to manipulate HTTP Host headers during password reset token generation, enabling them to intercept and use stolen reset tokens.
This vulnerability is a problem because it allows attackers to potentially take over user accounts by intercepting and using password reset tokens, which could lead to unauthorized access to sensitive information and systems.
The CVE-2023-53957 vulnerability in Kimai 1.30.10 allows attackers to steal user session cookies by exploiting a SameSite cookie weakness, potentially enabling them to hijack user sessions through maliciously crafted PHP scripts.
This vulnerability is a problem because it allows attackers to gain unauthorized access to user accounts, potentially leading to sensitive data theft, malicious activities, and compromised system security; it carries a high severity score of 9.8.
The CVE-2023-53956 vulnerability allows administrative users to upload arbitrary PHP files through the file manager in Flatnux 2021-03.25, enabling them to upload malicious PHP scripts to the web root directory and potentially execute remote code on the server.
This vulnerability is a problem because it allows attackers with administrative credentials to gain remote code execution on the server, which can lead to unauthorized access, data breaches, and complete system compromise.
The ActFax 10.10 software has a vulnerability that allows attackers to potentially gain elevated system access by exploiting an unquoted service path in the ActiveFaxServiceNT service configuration, which can be used to inject a malicious executable when the service restarts.
This vulnerability is a problem because it can be used by local attackers with write permissions to Program Files directories to escalate their privileges and gain control over the system, potentially leading to unauthorized access, data theft, or other malicious activities.
This vulnerability allows authenticated users to inject malicious scripts into webpage titles in WebsiteBaker 2.13.3, which can execute arbitrary JavaScript code when the page is viewed by other users.
This vulnerability is a problem because it enables attackers to perform cross-site scripting (XSS) attacks, potentially stealing user data, taking control of user sessions, or spreading malware, which can compromise the security and integrity of the website and its users.
The CVE-2023-53952 vulnerability in Dotclear 2.25.3 allows authenticated attackers to upload malicious PHP files with a .phar extension through the blog post creation interface, enabling them to execute arbitrary code on the server.
This vulnerability is a problem because it allows attackers to gain control over the server by uploading and executing malicious code, potentially leading to data breaches, unauthorized access, and other malicious activities.
This vulnerability allows attackers to exploit a weak secret key used for JSON Web Token (JWT) authentication in Ever Gauzy version 0.281.9, enabling them to gain unauthorized access with administrative permissions.
This vulnerability is a problem because it enables attackers to bypass authentication and gain high-level access to the system, potentially leading to data breaches, system compromise, and other malicious activities.
The InnovaStudio WYSIWYG Editor 5.4 has a vulnerability that allows attackers to upload malicious files, including ASP shells, by manipulating file names and using techniques such as null bytes and alternate file extensions, bypassing the upload controls in the asset manager.
This vulnerability is a problem because it enables attackers to upload and execute malicious code on the server, potentially leading to a complete takeover of the system, data breaches, and other severe security consequences.
The AspEmail 5.6.0.2 vulnerability allows local users to escalate their privileges by exploiting the Persits Software EmailAgent service, which has full write permissions in the BIN directory, enabling attackers to replace the service executable and gain elevated system access.
This vulnerability is a problem because it can be exploited by local users to gain elevated system access, potentially allowing them to perform malicious actions, such as installing malware, stealing sensitive data, or disrupting system operations, which can compromise the security and integrity of the system.
The CVE-2023-53948 vulnerability allows attackers to inject arbitrary commands into the Lilac-Reloaded for Nagios autodiscovery feature, potentially leading to remote code execution, including the ability to establish a reverse shell by sending a crafted POST request.
This vulnerability is a problem because it enables attackers to execute malicious code on the affected system, potentially giving them full control and allowing them to steal sensitive information, disrupt operations, or spread further malware, making it a highly severe security threat.
The CVE-2023-53947 vulnerability in OCS Inventory NG 2.3.0.0 allows a local attacker to gain system-level privileges by exploiting an unquoted service path, enabling them to execute malicious code with elevated system privileges.
This vulnerability is a problem because it enables attackers to escalate their privileges, potentially allowing them to take control of the system, access sensitive data, and perform malicious actions with system-level authority.
The Arcsoft PhotoStudio 6.0.0.172 software has a vulnerability in its ArcSoft Exchange Service that allows an attacker to execute arbitrary code with system-level permissions by placing a malicious executable in an unquoted service path.
This vulnerability is a problem because it enables local attackers to escalate their privileges, potentially gaining control over the entire system and allowing them to perform malicious actions, such as stealing sensitive data or installing additional malware.
The BrainyCP 1.0 vulnerability allows logged-in users to inject arbitrary commands through the crontab configuration interface, potentially enabling attackers to execute malicious code and gain unauthorized access to the system.
This vulnerability is a problem because it enables authenticated users to exploit the system, potentially leading to a complete takeover by attackers, who can use it to spawn reverse shells, steal sensitive data, or disrupt system operations.
This vulnerability allows a remote attacker to inject arbitrary HTML code into a user's browser, potentially tricking them into clicking a malicious link, when using Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30.
This vulnerability is a problem because it could be used to deceive users into performing unintended actions, potentially leading to security breaches or other malicious activities, although the impact is limited since it does not allow JavaScript execution.
This vulnerability allows an attacker to inject malicious SQL code into the Simple Stock System 1.0 by manipulating the "email" argument in the /market/update.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the database, potentially leading to data breaches, unauthorized access, or disruption of the system, and since the exploit has been made public, it's likely that attackers will try to take advantage of it.
This vulnerability allows an attacker to inject malicious SQL code into the itsourcecode Student Management System 1.0 by manipulating the "school_year" argument in the /candidates_report.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the database, potentially leading to unauthorized data disclosure, modification, or even deletion, which can have serious consequences for the affected organization and its students.
This vulnerability allows an attacker to inject malicious SQL code into the FastAdmin system by manipulating the "custom/searchField" argument in the Backend Controller, potentially leading to unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing physical access to the system, which can lead to data breaches, unauthorized modifications, and other malicious activities.
The CVE-2025-12874 vulnerability allows an attacker to manipulate HTTP requests, potentially bypassing security controls, by exploiting inconsistent interpretation of HTTP requests in Quest Coexistence Manager for Notes, specifically through the Content-Length-Transfer-Encoding (CL.TE) attack vector.
This vulnerability is a problem because it could enable attackers to bypass access controls, poison web caches, hijack user sessions, or trigger unintended internal requests, which could lead to unauthorized access, data breaches, or disruption of services.
This vulnerability allows an attacker to manipulate the file upload function in the yougou-mall application, potentially leading to path traversal, which means an attacker could access or modify files outside the intended directory.
This vulnerability is a problem because it could allow an attacker to read or write sensitive files on the server, potentially leading to data breaches, unauthorized access, or even taking control of the system.
This vulnerability allows an attacker to overflow a buffer on the stack by manipulating the loginAuthUrl argument in the /cgi-bin/cstecgi.cgi file of TOTOLINK T10 devices, potentially leading to remote code execution.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to gain control of the device and potentially use it as an entry point for further attacks on the network, compromising sensitive information and system security.
The CVE-2025-14962 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack on the Simple Stock System 1.0, specifically targeting the /market/chatuser.php file, which can be exploited remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the system, potentially stealing user data, taking control of user sessions, or spreading malware, all of which can be done from a remote location, making it a significant threat to the security of the system and its users.
This vulnerability allows an attacker to inject malicious SQL code into the Simple Blood Donor Management System 1.0 by manipulating the "campaignname" argument in the /editedcampaign.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the database, potentially leading to data breaches, system compromise, or other malicious activities, and since the exploit is public, it can be easily used by malicious actors.
The Langflow tool, prior to version 1.7.0, allows an attacker to specify any file path in the request body, enabling them to create or overwrite files at arbitrary locations on the server, including sensitive system directories.
This vulnerability is a problem because it allows attackers to potentially gain control over the server by writing malicious files to critical locations, such as system configuration files or executable directories, which could lead to code execution, data tampering, or other malicious activities.
The CVE-2025-68430 vulnerability allows an attacker with an account on a CVAT instance to access and retrieve the names of files and subdirectories in any file system directory that the CVAT server has access to, although the contents of the files themselves remain inaccessible.
This vulnerability is a problem because it can expose sensitive information about the file system structure and the names of files and directories, potentially aiding an attacker in planning further attacks or exploiting other vulnerabilities.
This vulnerability allows an attacker to inject malicious SQL code into the Simple Blood Donor Management System 1.0 by manipulating the "Name" argument in the /editeddonor.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to exploit the system, potentially leading to unauthorized data access, modification, or deletion, which could compromise the confidentiality, integrity, and availability of sensitive donor information.
The CVE-2025-14959 vulnerability allows an attacker to inject malicious SQL code into the Simple Stock System 1.0 by manipulating the "Username" argument in the /market/signup.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the system's database, potentially leading to unauthorized data breaches, modifications, or even complete system compromise.
The CVE-2025-14958 vulnerability is a heap-based buffer overflow in the floooh sokol library, specifically in the _sg_pipeline_common_init function. Manipulating this function causes the overflow, which can potentially lead to execution of malicious code.
This vulnerability is a problem because it allows an attacker with local access to exploit the buffer overflow, potentially leading to arbitrary code execution, data corruption, or even complete system compromise. The fact that the exploit has been publicly released increases the risk of it being used by malicious actors.
The Langflow API Request component allows attackers to send arbitrary HTTP requests from a server, potentially accessing internal resources and services by exploiting the ability to control the request URL in a flow, leading to non-blind Server-Side Request Forgery (SSRF).
This vulnerability is a problem because it enables attackers to access internal administrative endpoints, metadata services, and databases, resulting in information disclosure and potentially providing a foothold for further attacks, as the server's network context can be exploited without proper restrictions on private IP ranges and cloud metadata endpoints.
The CVE-2025-68457 vulnerability allows an attacker to run malicious code by embedding `javascript:` code within data attributes of HTML elements handled by Orejime, a consent manager, prior to version 2.3.2. When a user consents to a related purpose, Orejime transforms these data attributes into executable code, potentially executing the malicious script.
This vulnerability is a problem because it enables attackers to inject and execute malicious code on a webpage, potentially leading to security breaches, data theft, or other harmful activities, especially if an attacker can inject HTML code into pages.
This vulnerability allows an attacker to inject malicious code into the Dive application, which can lead to the execution of arbitrary JavaScript and potentially enable Remote Code Execution (RCE) on the victim's machine when a specific node is clicked.
This is a significant issue because it enables attackers to execute malicious code on the victim's machine, potentially allowing them to gain control of the system, steal sensitive information, or cause other harm.
The CVE-2025-65035 vulnerability allows an attacker to instantiate arbitrary PHP objects due to insecure storage of user-controlled data in the database, which is later unserialized on every page load, but only if the attacker has already obtained database write access through another vulnerability or misconfiguration.
This vulnerability is a problem because it enables an attacker to potentially execute malicious code, leading to unauthorized access, data breaches, or disruption of services, especially if the attacker can chain this vulnerability with another one to gain initial database access.
This vulnerability allows attackers to execute arbitrary code by injecting a specially crafted JSON payload into the Prompt window of the GT Edge AI Platform, affecting versions before v2.0.10-dev.
This vulnerability is a problem because it enables attackers to run malicious code on the affected system, potentially leading to unauthorized access, data theft, or system compromise.
The CVE-2025-58053 vulnerability allows an attacker to send a forged POST request to update an existing account in the Galette membership management web application, potentially granting them higher privileges.
This vulnerability is a problem because it enables attackers to escalate their privileges, potentially allowing them to access sensitive information, modify accounts, or perform other malicious actions that could compromise the security and integrity of the application and its data.
The CVE-2025-58052 vulnerability allows attackers with a group manager role in the Galette membership management web application to bypass restrictions and access or modify unauthorized areas, despite role-based controls in place.
This vulnerability is a problem because it enables malicious insiders or compromised group manager accounts to access sensitive information or make unauthorized changes, potentially disrupting the organization's operations or compromising member data.
The CVE-2025-14957 vulnerability is a null pointer dereference issue in WebAssembly Binaryen, specifically affecting the IRBuilder function. It occurs when the Index argument is manipulated, leading to a potential crash or exploit.
This vulnerability is a problem because it can be exploited by an attacker with local access, potentially allowing them to crash the system or execute arbitrary code. Because the exploit is publicly available, the risk of attack is increased.
This vulnerability causes a heap-based buffer overflow in WebAssembly Binaryen due to a flaw in the WasmBinaryReader::readExport function, allowing an attacker to potentially launch an attack on the local host.
This vulnerability is a problem because it can be exploited to cause a buffer overflow, which may lead to crashes, data corruption, or even allow an attacker to execute arbitrary code, potentially compromising the security of the system.
The CVE-2025-14955 vulnerability affects the Open5GS system, specifically the PFCP component, where a flaw in the ogs_pfcp_handle_create_pdr function results in improper initialization. It can be exploited remotely, although the attack is highly complex and difficult to carry out.
This vulnerability is a problem because it can be exploited remotely, potentially allowing attackers to disrupt or manipulate the affected system. Although the exploitation is considered difficult, the fact that an exploit has been made public increases the risk of it being used by malicious actors.
The ArcSearch app for iOS, in versions prior to 1.45.2, can show a different website address in the address bar than the actual content being displayed, especially when navigating through iframes that use a specific type of link.
This vulnerability increases the risk of spoofing, where an attacker could trick users into thinking they are on a legitimate website when they are actually on a fake or malicious site, potentially leading to phishing, data theft, or other security issues.
The ArcSearch app for Android has a vulnerability that allows it to display a different website in the address bar than the actual content being shown, but only after a user interacts with specially crafted web content.
This vulnerability is a problem because it enables address bar spoofing, which can trick users into thinking they are on a legitimate website when they are actually viewing malicious content, potentially leading to phishing attacks, data theft, or other security issues.
The Glutton V1 service endpoints were accessible without any authentication, allowing unauthorized users to directly interact with the Glutton backend and potentially read, update, or delete data.
This vulnerability is a problem because it allows unauthorized access to sensitive data, which could lead to data breaches, tampering, or other malicious activities, compromising the security and integrity of the system.
The Gotham Gaia application has multiple endpoints that are accessible without authentication, allowing unauthorized users to interact with the application.
This vulnerability is a problem because it enables attackers to potentially extract sensitive information, disrupt service, or perform unauthorized actions without needing to log in, which could compromise the security and integrity of the application and its data.
The CVE-2025-67442 vulnerability allows attackers to exploit a Directory Traversal flaw in EVE-NG 6.4.0-13-PRO, specifically in the /api/export interface, which enables authenticated users to export lab files by manipulating file path parameters due to inadequate input validation.
This vulnerability is a problem because it could allow malicious users to access and potentially modify sensitive files outside of the intended directory, leading to unauthorized data disclosure, modification, or even execution of malicious code, which could compromise the security and integrity of the system.
This CVE record is a duplicate reservation of CVE-2025-67039 and has been marked for non-use, with all relevant information removed.
Using this duplicate record could lead to confusion and inaccuracies in vulnerability tracking and management.
This CVE record is a duplicate reservation of CVE-2025-67036 and has been removed from use.
Using this duplicate record could lead to confusion and inaccuracies in vulnerability tracking and management.
This CVE record is a duplicate reservation of CVE-2025-67037 and has been removed to prevent accidental usage.
It may cause confusion and lead to incorrect referencing, potentially resulting in outdated or inaccurate information being used.
This CVE record is a duplicate reservation of CVE-2025-67041 and has been removed to prevent accidental usage.
Using this duplicate record could lead to confusion and incorrect referencing of the actual vulnerability, potentially causing delays or missteps in addressing the security issue.
This CVE record is a duplicate reservation of CVE-2025-67035 and has been marked for non-use, with all relevant information removed.
It's a problem because using this record could lead to confusion and inaccuracies in vulnerability tracking and management, as it's a duplicate of another existing CVE record.
This CVE record is a duplicate reservation of CVE-2025-67038 and has been rejected for use, with all relevant information removed to prevent accidental usage.
It's a problem because using this duplicate record could lead to confusion and inconsistencies in vulnerability tracking and management, potentially causing delays or oversights in addressing the actual security issue.
The CVE-2025-66906 vulnerability allows an attacker to exploit a Cross Site Request Forgery (CSRF) weakness in the Turms Admin API, versions up to v0.10.0-SNAPSHOT, to gain escalated privileges on the system.
This vulnerability is a problem because it enables attackers to perform unauthorized actions on the system by tricking legitimate users into performing unintended requests, potentially leading to data breaches, system compromises, or other malicious activities.
The Takes web framework has a vulnerability that allows an attacker to access files on the host system by manipulating the HTTP request path, using "../" sequences to escape the designated directory and read arbitrary files.
This vulnerability is a problem because it enables a remote attacker to potentially access sensitive information, such as configuration files or user data, which could be used for malicious purposes, compromising the security and confidentiality of the system.
The CVE-2025-53922 vulnerability allows a logged-in group manager in the Galette membership management web application to bypass restrictions on accessing and modifying Contributions and Transactions, potentially gaining unauthorized access to sensitive information.
This vulnerability is a problem because it enables group managers to exceed their intended permissions, potentially leading to data breaches, financial fraud, or other malicious activities that could harm the non-profit organization and its members.
The CVE-2025-34433 vulnerability allows attackers to execute arbitrary code on a web server by exploiting a predictable installation salt generation in AVideo versions 14.3.1 prior to 20.1, enabling them to send malicious payloads to a notification API endpoint.
This vulnerability is a problem because it enables unauthorized remote code execution, which can lead to a complete compromise of the web server, allowing attackers to steal sensitive data, disrupt service, or use the server for malicious activities.
The CVE-2025-14954 vulnerability affects Open5GS versions up to 2.7.5, allowing remote attackers to manipulate certain functions, leading to a reachable assertion, which can cause the system to crash or behave unexpectedly.
This vulnerability is a problem because it can be exploited remotely, potentially disrupting the normal functioning of the Open5GS system. Exploitation may require significant resources and expertise, but the exploit has been publicly disclosed, making it accessible to malicious actors.
The CVE-2025-14953 vulnerability is a flaw in Open5GS up to version 2.7.5 that allows remote attackers to manipulate the ogs_pfcp_handle_create_pdr function, potentially leading to a null pointer dereference.
This vulnerability is a problem because it can be exploited by remote attackers, allowing them to potentially disrupt or crash the system, which could lead to service outages or other malicious activities, despite requiring a high level of complexity to execute.
The Turms IM Server vulnerability allows any authenticated user to access the online status, device information, and login timestamps of other users without needing proper authorization, due to a flaw in the user online status query functionality.
This vulnerability is a problem because it compromises user privacy by allowing unauthorized access to sensitive information, potentially leading to stalking, harassment, or other malicious activities.
The Turms Server v0.10.0-SNAPSHOT and earlier versions store administrator passwords in plaintext in the system's memory to speed up the login process, even though they are initially protected with bcrypt hashing.
This vulnerability is a problem because it allows attackers who have access to the system to extract these plaintext passwords from memory, bypassing the bcrypt protection, which could lead to unauthorized access to the system and potentially sensitive data.
The CVE-2025-66909 vulnerability allows an attacker to upload a specially crafted compressed image file that, when loaded, expands to a large size in memory, causing a denial of service. This happens because the Turms AI-Serving module fails to validate image dimensions or pixel count before decompression.
This vulnerability is a problem because it can lead to immediate memory exhaustion, causing the service to crash and become unavailable. Since no authentication is required if the OCR service is publicly accessible, an attacker can easily exploit this vulnerability, and multiple requests can completely deny service availability.
The Turms AI-Serving module has a vulnerability that allows attackers to upload any type of file, including malicious files, by disguising them as image files, even though the system is supposed to only accept image uploads.
This vulnerability is a problem because it enables attackers to potentially execute code on the server, steal sensitive information, or inject malicious scripts into the system, which could lead to serious security breaches and data compromises.
The CVE-2025-50681 vulnerability allows remote attackers to crash the igmpproxy application by sending a specially crafted IGMPv3 membership report packet with a malicious source address, causing a denial of service.
This vulnerability is a problem because it can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash and potentially disrupting IPTV and other streaming services in embedded networking environments and consumer-grade IoT devices, such as home routers and media gateways.
This vulnerability allows an attacker to inject malicious SQL code into the Campcodes Supplier Management System 1.0 by manipulating the "txtCategoryName" argument in the /admin/add_category.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the system's database, potentially leading to data breaches, system compromise, or other malicious activities, and the fact that the exploit is now public makes it more likely to be exploited.
This vulnerability allows an attacker to inject malicious SQL code into the Scholars Tracking System 1.0 through the /home.php file by manipulating the "post_content" argument, which can be done remotely.
This is a problem because it enables attackers to access, modify, or extract sensitive data from the system's database, potentially leading to data breaches, unauthorized access, or disruption of the system's functionality.