The CVE-2025-46658 vulnerability in ExonautWeb, part of 4C Strategies Exonaut 21.6, reveals detailed error messages when issues occur, potentially exposing sensitive information about the system.
This vulnerability is a problem because it could allow attackers to gather valuable information about the system's configuration, security measures, and potential weaknesses, making it easier for them to plan and execute targeted attacks.
This vulnerability allows authorized users to execute any system command with the highest privileges on FIRSTNUM JC21A-04 devices, by sending specially crafted data to a specific endpoint on the device.
This is a problem because it gives attackers who have already gained some level of access to the device the ability to take full control of it, potentially leading to data theft, disruption of service, or other malicious activities.
The CVE-2025-54874 vulnerability is a bug in the OpenJPEG codec that can cause the program to write data outside the boundaries of a heap memory location when processing a JPEG 2000 image file with a malformed data stream.
This vulnerability is a problem because it can potentially allow an attacker to execute arbitrary code or crash the program, leading to a denial-of-service or possibly even gaining control of the system.
This vulnerability allows a remote attacker to execute arbitrary code on a server running thinkphp3 version 3.2.5, specifically through the index.php component, potentially giving them full control over the system.
This is a problem because it enables attackers to run any code they want on the affected server, which could lead to data theft, system compromise, or other malicious activities, ultimately putting sensitive information and system integrity at risk.
The CVE-2025-50706 vulnerability allows a remote attacker to execute arbitrary code on a system running thinkphp version 5.1, specifically through the routecheck function, which can lead to unauthorized access and control.
This vulnerability is a problem because it enables attackers to run malicious code remotely, potentially leading to data breaches, system compromise, and other harmful activities, which can result in significant financial and reputational damage.
This vulnerability allows an attacker to read data outside of authorized boundaries in the PDF-XChange Editor when a specially crafted EMF file is used, potentially exposing sensitive information.
This vulnerability is a problem because it could lead to the unauthorized disclosure of sensitive information, which could compromise user privacy and security.
The CVE-2025-46958 vulnerability allows a low-privileged attacker to inject malicious scripts into form fields in Adobe Experience Manager versions 6.5.22 and earlier, which can lead to the execution of malicious JavaScript in a victim's browser when they visit the affected page.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious activities, all by exploiting a vulnerability that can be triggered by a relatively low-privileged user.
The CVE-2025-44964 vulnerability allows attackers to intercept and alter communication between BlueStacks v5.20 and its intended destination due to a lack of SSL certificate validation, potentially enabling them to steal sensitive information.
This vulnerability is a problem because it enables malicious actors to conduct man-in-the-middle attacks, compromising the confidentiality and integrity of data transmitted through BlueStacks, which could lead to unauthorized access to sensitive information.
The ICTBroadcast application has a vulnerability that allows an attacker to inject shell commands into a session cookie, which can then be executed on the server, resulting in unauthenticated remote code execution.
This vulnerability is a problem because it enables an attacker to execute arbitrary commands on the server without needing to authenticate, potentially allowing them to steal sensitive data, disrupt service, or take control of the system.
This vulnerability allows attackers to obtain sensitive Net-NTLMv2 hash information from a remote server by using a specially crafted file that exploits a weakness in the scanning module of Emsisoft Anti-Malware versions prior to 2024.12.
This is a problem because Net-NTLMv2 hash information can be used by attackers to gain unauthorized access to systems and networks, potentially leading to data breaches, malware infections, and other security threats.
This vulnerability allows an attacker to perform an out-of-bounds read in the PDF-XChange Editor by using a specially crafted EMF file, potentially disclosing sensitive information.
This vulnerability is a problem because it could allow attackers to access sensitive information that is not intended to be publicly available, compromising the security and confidentiality of the affected system or data.
The CVE-2025-7033 vulnerability allows a custom file to manipulate the Rockwell Automation Arena Simulation into reading and writing beyond its allocated memory space, potentially enabling the execution of malicious code or the disclosure of sensitive information when a user opens a malicious file or webpage.
This vulnerability is a problem because it could allow a threat actor to gain unauthorized access to sensitive information or execute malicious code on a system, potentially leading to data breaches, system compromise, or other malicious activities.
The CVE-2025-7032 vulnerability allows a custom file to trick the Rockwell Automation Arena Simulation into reading and writing beyond its allocated memory space, potentially enabling a threat actor to execute arbitrary code or access sensitive information when a user opens a malicious file or webpage.
This vulnerability is a problem because it could allow an attacker to gain control over the affected system or steal confidential data by exploiting the memory abuse issue, which can lead to significant security breaches and disruptions.
The CVE-2025-7025 vulnerability allows a custom file to manipulate the Rockwell Automation Arena Simulation into reading and writing beyond its allocated memory space, potentially enabling the execution of arbitrary code or disclosure of sensitive information when a user opens a malicious file or webpage.
This vulnerability is a problem because it could allow a threat actor to gain unauthorized access to sensitive information or execute malicious code, potentially leading to data breaches, system compromises, or other security incidents, all of which can have serious consequences for the confidentiality, integrity, and availability of affected systems and data.
This vulnerability allows an attacker to inject malicious code into the IBM Engineering Lifecycle Optimization - Publishing system due to a lack of validation of Uniform Resource Identifiers (URIs), potentially leading to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on users' browsers, potentially stealing sensitive information, hijacking user sessions, or performing unauthorized actions on the system.
This vulnerability allows a remote attacker to upload malicious code to the Trend Micro Apex One management console without needing to authenticate first, and then execute commands on the affected system.
This is a significant issue because it enables an attacker to gain control over the system, potentially leading to data theft, disruption of services, or further malicious activities, all without needing any login credentials.
This vulnerability allows an unauthorized remote attacker to upload and execute malicious code on Trend Micro Apex One management console without needing to log in first.
This is a significant issue because it enables attackers to gain control over the affected system, potentially leading to data breaches, malware distribution, and disruption of critical services, all without the need for any authentication.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "keyword" argument in the /search function of atjiu pybbs versions up to 6.0.0, which can be done remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially stealing user data, taking control of user sessions, or performing other malicious actions, and since the exploit is publicly disclosed, attackers can easily use it to launch attacks.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Username" argument in the /admin/user/list file of atjiu pybbs versions up to 6.0.0, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, which can compromise the security and integrity of the system.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "word" argument in the /admin/sensitive_word/list file of atjiu pybbs versions up to 6.0.0, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, all of which can be done remotely without the need for physical access to the system.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Name" argument in the /admin/tag/list file of atjiu pybbs versions up to 6.0.0, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially stealing user data, taking control of user sessions, or performing other malicious activities, which can compromise the security and integrity of the system and its users.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Username" argument in the /admin/comment/list file of atjiu pybbs versions up to 6.0.0, which can be launched remotely.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially stealing user data, taking control of user sessions, or performing other malicious activities, and since the exploit has been publicly disclosed, attackers may actively use it to target vulnerable systems.
The Employee Directory plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages through a specific parameter, which can then execute when a user visits the affected page.
This vulnerability is a problem because it enables authenticated attackers with certain levels of access to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or further malicious activities on the affected website.
The Download Counter plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages by exploiting the 'name' parameter, due to poor input validation and output escaping.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to embed arbitrary web scripts that will execute whenever a user visits the compromised page, potentially leading to unauthorized actions, data theft, or malware distribution.
The WP Import Export Lite plugin for WordPress allows attackers to upload any type of file to the site's server, due to a lack of validation in the file upload process, potentially leading to remote code execution.
This vulnerability is a problem because it enables authenticated attackers with minimal permissions to upload malicious files, which could then be executed on the server, giving them control over the site and potentially leading to data theft, site defacement, or other malicious activities.
The WP Import Export Lite plugin for WordPress allows attackers to upload any type of file to the site's server due to a lack of file type validation, potentially enabling them to execute remote code.
This vulnerability is a problem because it permits authenticated attackers with minimal permissions to upload malicious files, which could lead to remote code execution and give them control over the affected site.
This vulnerability allows a low-privileged local attacker to interact with a service that should normally restrict user interaction, potentially enabling unauthorized access or actions.
This vulnerability is a problem because it could permit malicious activities by exploiting a service that is supposed to be inaccessible, leading to potential data breaches, system compromises, or other security issues, especially given its relatively high severity score of 7.8.
This vulnerability allows a low-privileged local attacker to exploit a service using a hardcoded cryptographic key, potentially gaining unauthorized access to sensitive information.
This vulnerability is a problem because it enables attackers with limited access to bypass security measures and compromise the system, potentially leading to data breaches, unauthorized modifications, or other malicious activities.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Username" argument in the /admin/topic/list file of atjiu pybbs versions up to 6.0.0, which can be exploited remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially leading to unauthorized access, data theft, or other malicious activities, and since the exploit has been publicly disclosed, it can be easily used by attackers.
This vulnerability allows attackers to bypass weak password requirements in the atjiu pybbs system, specifically in the UserAdminController function, by exploiting a flaw in the update process, potentially leading to unauthorized access.
This vulnerability is a problem because it enables remote attackers to launch attacks with relative ease, despite the complexity being high, and the exploitability being difficult, allowing them to potentially gain access to sensitive information or systems using weak passwords.
This vulnerability allows an attacker to expose sensitive information through error messages by manipulating the email argument in the Registered Email Handler component, specifically in the sendEmailCode function.
This vulnerability is a problem because it can lead to information exposure, potentially revealing sensitive data to unauthorized parties, and it can be initiated remotely, making it a significant threat to the security of the system.
The WP Easy Contact plugin for WordPress allows attackers to inject arbitrary web scripts into pages due to a vulnerability in the 'noaccess_msg' parameter, which can execute when a user accesses the injected page.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject malicious scripts, potentially leading to unauthorized actions, data theft, or taking control of user sessions, compromising the security and integrity of the WordPress site.
The Campus Directory plugin for WordPress has a vulnerability that allows attackers with Contributor-level access or higher to inject malicious scripts into pages through the 'noaccess_msg' parameter, due to poor input sanitization and output escaping, affecting versions up to 1.9.1.
This vulnerability is a problem because it enables authenticated attackers to execute arbitrary web scripts on injected pages, potentially leading to unauthorized access, data theft, or other malicious activities whenever a user visits the compromised page.
The Use-your-Drive | Google Drive plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into file metadata titles, which can execute when a user accesses the infected page.
This vulnerability is a problem because it enables attackers to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or taking control of user sessions, and it can be exploited by unauthenticated users if a file upload shortcode is published on a publicly accessible post.
This vulnerability allows an attacker to manipulate the Email Verification Handler component in atjiu pybbs versions up to 6.0.0, leading to improper authorization, which can be initiated remotely.
This vulnerability is a problem because it enables unauthorized access, potentially allowing attackers to gain control over accounts or systems without proper credentials, which can lead to further malicious activities such as data theft or system compromise.
This vulnerability allows an attacker to bypass the security checks in Zscaler's SAML authentication mechanism by exploiting an improper verification of cryptographic signatures, potentially leading to unauthorized access.
This vulnerability is a problem because it enables attackers to abuse the authentication system, potentially gaining access to sensitive information and systems without proper credentials, which could lead to data breaches, unauthorized actions, and other malicious activities.
This vulnerability allows an attacker to guess the captcha code used in the admin login function of atjiu pybbs versions up to 6.0.0, potentially leading to unauthorized access.
This is a problem because it enables remote attackers to bypass the security measures intended to prevent automated login attempts, increasing the risk of successful brute-force attacks and unauthorized access to sensitive areas of the system.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "nm_motivo" argument in the /intranet/educar_motivo_afastamento_cad.php file in Portabilis i-Educar 2.10, potentially injecting malicious code into the website.
This vulnerability is a problem because it enables remote attackers to inject malicious scripts into the website, which can lead to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the system.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "nome" argument in the /module/RegraAvaliacao/edit file of Portabilis i-Educar version 2.10, which can be done remotely.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, and since the exploit has been publicly disclosed, attackers may already be using it.
The CVE-2025-54868 vulnerability in LibreChat versions 0.0.6 through 0.7.7-rc1 exposes a testing endpoint (/api/search/test) that allows unauthorized access to the Meilisearch engine, enabling the reading of arbitrary chats directly from the engine without proper access control.
This vulnerability is a problem because it compromises the privacy and security of user chats, allowing unauthorized individuals to access and read sensitive conversations that are meant to be private, which can lead to data breaches and other malicious activities.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "nm_raca" argument in the /intranet/educar_raca_cad.php file of Portabilis i-Educar 2.10, potentially injecting malicious code into the website.
This vulnerability is a problem because it enables remote attackers to execute malicious scripts on the website, potentially stealing user data, taking control of user sessions, or performing other malicious activities, which can compromise the security and integrity of the system.
The CVE-2025-8542 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "fantasia/razao_social" argument in the /intranet/empresas_cad.php file of Portabilis i-Educar 2.10, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, which can compromise the security and integrity of the system and its users.
No specific vulnerability or exploit information is provided for CVE-2025-54980, as the original description was rejected and marked as "Not used".
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty in cybersecurity planning and defense.
No information is available for this CVE as the original description was rejected and no details were provided.
The lack of information makes it difficult to assess the potential impact or risk associated with this CVE, which could lead to uncertainty in security planning and vulnerability management.
No specific vulnerability or exploit information is available for this CVE, as the original description was rejected and no details were provided.
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty and potential security gaps if it were to be associated with a actual vulnerability in the future.
No specific vulnerability or exploit information is provided for CVE-2025-54977, as the original description was rejected and marked as "Not used".
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty in securing systems or applications that might be affected.
No information is available for this CVE as the reason provided is "Not used" and the severity is listed as "N/A", indicating that this entry does not describe a known vulnerability.
This entry does not represent a recognized security vulnerability, so it does not pose a problem.
No specific vulnerability information is available for CVE-2025-54975, as the original description was rejected and marked as "Not used".
The lack of information about this CVE makes it difficult to assess its potential impact, but in general, unknown or unexplained vulnerabilities can pose a risk if they are exploited by attackers.
No vulnerability information is available for CVE-2025-54974, as the original description was rejected and no details were provided.
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty and potential security gaps if it were to be exploited.
This vulnerability allows an attacker to manipulate the "nome" argument in the /intranet/public_uf_cad.php file of Portabilis i-Educar 2.10, leading to a cross-site scripting (XSS) attack that can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially stealing user data, taking control of user sessions, or performing other malicious actions, all of which can be done remotely without the need for physical access to the system.
The CVE-2025-8540 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "nome" argument in the /intranet/public_municipio_cad.php file of Portabilis i-Educar 2.10, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially stealing user data, taking control of user sessions, or performing other malicious actions, which can compromise the security and integrity of the system and its users.
The CVE-2025-53417 vulnerability allows an attacker to access and disclose sensitive information by traversing directories in DIAView versions 4.2.0 and prior.
This vulnerability is a problem because it enables unauthorized access to potentially sensitive information, which could lead to data breaches, intellectual property theft, or other malicious activities.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "nome" argument in the /intranet/public_distrito_cad.php file of Portabilis i-Educar version 2.10, which can be done remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially stealing user data, taking control of user sessions, or performing other malicious actions, and since the exploit has been publicly disclosed, attackers may actively be using it.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "name/description" argument in the /usuarios/tipos/novo file of Portabilis i-Educar version 2.10, which can be done remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially leading to unauthorized access, data theft, or other malicious activities, and since the exploit has been publicly disclosed, attackers may use it to launch attacks.
The CVE-2025-8537 vulnerability in Axiomatic Bento4 up to version 1.6.0-641 allows an attacker to manipulate the AP4_DataBuffer::SetDataSize function, leading to the allocation of resources, which can be done remotely.
This vulnerability is a problem because it can be exploited by attackers to potentially cause resource exhaustion or other malicious activities, and since the exploit has been publicly disclosed, attackers may use it to launch attacks, despite the complexity of the attack being relatively high.
This vulnerability allows an attacker to perform cross-site scripting (XSS) by manipulating the executeJavaScript function in the cronoh NanoVault xrb URL Handler, potentially leading to the execution of malicious code on a user's browser.
This vulnerability is a problem because it enables remote attackers to inject malicious scripts into a user's browser, potentially allowing them to steal sensitive information, take control of the user's session, or perform other malicious actions.
The CVE-2025-54871 vulnerability allows local unprivileged users on macOS to bypass privacy protections and execute arbitrary Node.js code within the Electron context, potentially accessing sensitive files and folders.
This vulnerability is a problem because it enables unauthorized access to sensitive data, such as documents and downloads, by exploiting a weakness in the Electron Capture application, which could lead to data breaches or other malicious activities.
The CVE-2025-54870 vulnerability affects VTun-ng, a virtual tunneling software, where a failure to initialize encryption modules can cause the software to revert to sending data in plaintext, rather than encrypting it, due to poor error handling.
This vulnerability is a problem because it can expose sensitive data being transmitted through the virtual tunnel, as it will not be encrypted as intended, potentially allowing unauthorized access to confidential information.
The Tilesheets MediaWiki Extension has a vulnerability that allows users to insert malicious SQL code due to a missing backtick in a query, potentially enabling the execution of unauthorized database commands.
This vulnerability is a problem because it could allow attackers to access, modify, or delete sensitive data stored in the database, compromising the security and integrity of the MediaWiki installation.
The CVE-2025-54804 vulnerability allows a malicious client to crash a server by exploiting an integer overflow in the Russh SSH client & server library when processing a channel window adjust message.
This vulnerability is a problem because it enables an attacker to intentionally cause a server to crash, resulting in denial-of-service and potential disruption of services, by sending a specially crafted message that triggers the integer overflow.
The CVE-2025-54803 vulnerability allows a remote attacker to add or modify properties of the global Object.prototype by parsing a maliciously crafted TOML input using the js-toml parser, affecting versions below 1.0.2.
This vulnerability is a problem because it enables an attacker to modify the global Object.prototype, potentially leading to unintended behavior, errors, or security breaches in JavaScript applications that rely on the js-toml parser.
The CVE-2025-54802 vulnerability allows an attacker to exploit a path traversal weakness in the pyLoad download manager, enabling them to write arbitrary files to any location on the system, which can lead to remote code execution.
This vulnerability is a significant problem because it allows unauthenticated attackers to overwrite critical system files, potentially leading to privilege escalation and remote code execution with root privileges, giving them complete control over the affected system.
The CVE-2025-54795 vulnerability allows an attacker to bypass the confirmation prompt in Claude Code, a coding tool, and execute untrusted commands by exploiting an error in command parsing, but only if they can add malicious content to a Claude Code context window.
This vulnerability is a problem because it enables potential attackers to run unauthorized commands, which could lead to malicious activities such as data theft, system compromise, or other harmful actions, especially if the attacker can manipulate the content within the Claude Code environment.
The CVE-2025-54794 vulnerability allows an attacker to bypass directory restrictions in Claude Code, a coding tool, by exploiting a path validation flaw, potentially accessing files outside the current working directory.
This vulnerability is a problem because it enables unauthorized access to sensitive files and data, which could lead to data breaches, theft, or malicious modifications, compromising the security and integrity of the system.
The glpi-screenshot-plugin vulnerability allows authenticated users to access and leak files from the system or use PHP wrappers through the /ajax/screenshot.php endpoint in versions below 2.0.2.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the system, potentially leading to data breaches and security compromises, which can have serious consequences for the confidentiality and integrity of the data.
The IPX image optimizer has a vulnerability that allows an attacker to bypass path restrictions by manipulating the path prefix, potentially accessing files outside of allowed directories.
This vulnerability is a problem because it could enable unauthorized access to sensitive files and directories, potentially leading to data breaches or other security issues, especially if the allowed directories do not end with a path separator.
The Cursor code editor has a vulnerability that allows an attacker to write files in a workspace without user approval, specifically if the file does not already exist, including sensitive files like .cursor/mcp.json. This can be used to inject malicious prompts, hijack the context, and trigger remote code execution (RCE) on the victim's system.
This vulnerability is a problem because it enables attackers to execute arbitrary code on a victim's system without their knowledge or consent, potentially leading to data theft, system compromise, or other malicious activities. The fact that it can be triggered without user approval makes it particularly dangerous.
The Cursor code editor has a vulnerability that allows an attacker to write files in the workspace without user approval, specifically if the file does not already exist, including sensitive files like .vscode/settings.json, potentially leading to Remote Code Execution (RCE) attacks.
This vulnerability is a problem because it enables attackers to hijack the context and execute malicious code on the victim's system without their knowledge or approval, which can lead to unauthorized access, data theft, or other harmful activities.
The CVE-2025-54119 vulnerability allows an attacker to execute arbitrary SQL statements on a sqlite3 database when using the ADOdb PHP database class library, specifically when calling certain methods with a crafted table name.
This vulnerability is a problem because it enables attackers to inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion, which can have severe consequences for the security and integrity of the database.
The CVE-2025-53544 vulnerability allows an unauthenticated attacker to bypass brute-force protection in Trilium Notes, a note-taking application, enabling them to guess the login password without being rate-limited, potentially leading to unauthorized access.
This vulnerability is a problem because it makes it easier for attackers to guess the login password, especially since Trilium Notes is a single-user app without a username requirement, and it can be exposed to the internet, putting user data at risk of unauthorized access.
The CVE-2025-52892 vulnerability affects EspoCRM versions 9.1.6 and below, allowing a corrupted Slim router's cache to occur when a user loads the application in a browser with double slashes in the URL (e.g., https://domain//#Admin) and the web server does not remove the double slash, rendering the instance unusable until a rebuild is completed.
This vulnerability is a problem because it can cause the EspoCRM instance to become unusable, resulting in potential data loss and disruption of business operations, until a rebuild is performed, which can be time-consuming and may require significant resources.
The CVE-2025-8534 vulnerability is a null pointer dereference issue in the libtiff 4.6.0 library, specifically in the tiff2ps component, which can be triggered by manipulating the PS_Lvl2page function. This can occur when specific options like DEFER_STRILE_LOAD or TIFFOpen("rD") are used.
This vulnerability is a problem because it can be exploited by an attacker to potentially crash the system or execute arbitrary code, although the complexity of the attack is considered high, making exploitation difficult. The fact that the exploit has been publicly disclosed increases the risk.
This CVE is a duplicate of an existing vulnerability (CVE-2025-52464) and does not introduce a new security issue.
It may cause confusion in tracking and addressing unique vulnerabilities, potentially leading to inefficiencies in cybersecurity efforts.
This vulnerability allows an attacker to use default credentials to access the system by manipulating the login-username and login-password arguments in the eladmin-system application, specifically targeting the Druid component's configuration file.
This vulnerability is a problem because it enables remote attackers to gain unauthorized access to the system using default credentials, which can lead to data breaches, system compromise, and other malicious activities.
This vulnerability allows an attacker to manipulate the "url" argument in the getCollectLogoUrl function of the CollectController.java file, leading to server-side request forgery, which enables the attacker to make unauthorized requests to internal or external systems.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to potentially access sensitive data, disrupt service, or execute malicious actions on the server, which can lead to security breaches and data compromises.
The CVE-2025-46094 vulnerability allows an attacker to access files and directories outside of the intended location by manipulating the pathname of a local executable file in LiquidFiles versions before 4.1.2.
This vulnerability is a problem because it enables unauthorized access to sensitive files and directories, potentially leading to data breaches, theft of confidential information, or execution of malicious code, compromising the security and integrity of the system.
The LiquidFiles software, version 4.1.2 and earlier, has a vulnerability that allows users with FTPDrop access to execute arbitrary code as the root user, due to the support of FTP SITE CHMOD with mode 6777, which can be exploited using the Actionscript feature and the sudoers configuration.
This vulnerability is a problem because it allows attackers to gain complete control over the system, potentially leading to data breaches, malware installation, and other malicious activities, all with elevated privileges.
The CVE-2025-27212 vulnerability allows a malicious actor to inject commands into certain UniFi Access devices due to improper input validation, potentially giving them control over the device.
This vulnerability is a problem because it could allow an attacker with access to the UniFi Access management network to execute arbitrary commands, potentially leading to unauthorized access, data breaches, or disruption of services.
The CVE-2025-27211 vulnerability allows an attacker to inject malicious commands into the EdgeMAX EdgeSwitch device (version 1.10.4 and earlier) by exploiting improper input validation, but only if they have access to the adjacent network.
This vulnerability is a problem because it could give an attacker control over the device, allowing them to execute arbitrary commands, potentially leading to unauthorized access, data theft, or disruption of network services.
This vulnerability in Exrick xboot up to version 3.3.4 allows an attacker to store sensitive information in plain text within a cookie, which can be done remotely by exploiting a flaw in the `/xboot/permission/getMenuList` file.
This is a problem because sensitive information stored in plain text can be easily accessed by unauthorized parties, potentially leading to data breaches, identity theft, or other malicious activities. The fact that the attack can be launched remotely increases the risk, as it does not require physical access to the system.
The CVE-2025-8527 vulnerability allows an attacker to manipulate the "loginUrl" argument in the SecurityController.java file of the Exrick xboot Swagger component, leading to server-side request forgery, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to trick the server into making unintended requests, potentially allowing them to access sensitive data, disrupt service, or take control of the system, all of which can be done remotely without the need for physical access or authentication.
This vulnerability allows a stack buffer overrun to occur when exporting a TPM-based RSA key larger than 2048 bits from the TPM, specifically if the default key size limit is not adjusted to match the TPM hardware's capabilities.
This is a problem because a stack buffer overrun can potentially lead to a crash or allow an attacker to execute arbitrary code, compromising the security and stability of the system.
The CVE-2025-54554 vulnerability allows unauthorized access to sensitive information about the database structure and underlying SQL queries through unauthenticated REST API requests in Tera Insights tiCrypt before 2025-07-17.
This vulnerability is a problem because it exposes internal database details, which could be used by attackers to plan and execute more targeted and damaging attacks, potentially leading to data breaches or system compromises.
This vulnerability allows attackers to bypass the Captcha check in certain versions of Liferay Portal and Liferay DXP, enabling them to run scripts in the Gogo shell.
This vulnerability is a problem because it enables unauthorized access to the Gogo shell, which can lead to malicious activities such as executing arbitrary code, modifying system settings, or stealing sensitive data, ultimately compromising the security and integrity of the system.
The CVE-2025-4599 vulnerability allows a remote attacker to inject JavaScript code into the fragment preview functionality of Liferay Portal and Liferay DXP, using a technique called postMessage-based XSS, which can be executed without the need for authentication.
This vulnerability is a problem because it enables attackers to execute malicious JavaScript code on the vulnerable system, potentially leading to unauthorized access, data theft, or other malicious activities, all without requiring the attacker to have any authenticated access to the system.
This vulnerability allows an attacker to upload unrestricted files to a server using the Upload function in Exrick xboot versions up to 3.3.4, due to the improper handling of the "File" argument in the UploadController.java file, and can be initiated remotely.
This vulnerability is a problem because it enables attackers to upload malicious files, such as viruses, malware, or backdoors, to the server, potentially leading to unauthorized access, data breaches, or disruption of service, and since the exploit has been publicly disclosed, it is likely to be widely exploited.
This vulnerability allows attackers to disclose sensitive information in Exrick xboot versions up to 3.3.4, specifically affecting the Spring Boot Admin/Spring Actuator component, and can be initiated remotely.
This vulnerability is a problem because it enables remote attackers to access confidential information, potentially leading to further exploitation and security breaches, which can compromise the integrity and security of the affected system.
The CyberGhostVPNSetup.exe Windows installer uses a weak cryptographic hash algorithm (SHA-1) and lacks a security feature called High Entropy Address Space Layout Randomization (ASLR), making it vulnerable to attacks where a malicious actor can create a fake installer that appears legitimate and can be loaded into predictable memory locations.
This vulnerability is a problem because it allows attackers to create fake installers that can bypass Windows security checks, potentially leading to successful supply-chain style attacks or privilege escalation, where an attacker can gain elevated access to a system, compromising its security and integrity.
The GitKraken Desktop versions 10.8.0 and 11.1.0 have a vulnerability that allows attackers to inject code into the application due to incorrect settings in Electron Fuses, specifically with RunAsNode enabled and EnableNodeCliInspectArguments not disabled, which enables arbitrary code execution.
This vulnerability is a problem because it allows attackers to execute arbitrary code, potentially giving them control over the affected system, accessing sensitive data, or causing other malicious activities, which can lead to serious security breaches.
The Unisite CMS version 5.0 has a stored Cross-Site Scripting (XSS) vulnerability in its "Report" functionality, allowing malicious scripts to be executed in the admin panel when an administrator views a report, potentially leading to the upload and execution of a PHP web shell on the server.
This vulnerability is a problem because it enables attackers to hijack the admin session, gain full remote code execution, and potentially take control of the server, allowing them to access, modify, or delete sensitive data, disrupt service, or use the server for malicious activities.
This vulnerability allows an attacker to manipulate SQL queries in Axelor 5.2.4 by exploiting a Boolean-based SQL injection flaw in the _domain parameter, potentially enabling them to extract data or exploit further weaknesses.
This vulnerability is a problem because it could lead to unauthorized data exposure, allowing attackers to access sensitive information, and possibly pave the way for additional malicious activities such as data tampering or system compromise.
The CVE-2025-8524 vulnerability allows for the improper export of Android application components in the Boquan DotWallet App version 2.15.2 on Android devices, due to an issue in the AndroidManifest.xml file. This can be exploited locally.
This vulnerability is a problem because it could allow an attacker to access and manipulate sensitive components of the DotWallet App, potentially leading to unauthorized data access, theft, or other malicious activities, especially since the exploit has been publicly disclosed.
The CVE-2025-8523 vulnerability allows for the improper export of Android application components in the RiderLike Fruit Crush-Brain App 1.0, specifically affecting the AndroidManifest.xml file. This can be exploited locally, potentially giving an attacker access to sensitive components of the app.
This vulnerability is a problem because it could allow malicious actors to launch attacks on the app, potentially gaining unauthorized access to its components and the data they handle. Since the exploit has been publicly disclosed and the vendor has not responded, users are left without an official patch, making them more vulnerable to attacks.
The YouDao plugin for StarDict sends user selection data to remote servers (dict.youdao.com and dict.cn) over an unencrypted HTTP connection.
This vulnerability is a problem because it exposes sensitive user data, such as selected text, to potential eavesdropping and interception by unauthorized parties, as the data is transmitted in cleartext.
This vulnerability allows an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request, effectively impersonating another user.
This is a problem because it enables unauthorized users to send emails as if they were someone else, which can lead to impersonation, phishing, or unauthorized communication within the system, potentially causing harm to individuals or the organization.
This vulnerability allows an attacker to manipulate the "File" argument in the /save.php file of the givanz Vvvebjs component, up to version 2.0.4, enabling path traversal. This means an attacker can access and potentially modify files outside the intended directory structure.
This path traversal vulnerability is a problem because it can be exploited remotely, allowing an attacker to access sensitive files or execute malicious code on the affected system. The severity of this vulnerability is rated as critical, with a severity score of 5.0, indicating a significant potential impact.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack on the givanz Vvveb application, specifically targeting the Add Type Handler component through the /vadmin123/index.php?module=settings/post-types file.
This vulnerability is a problem because it enables remote attackers to inject malicious code into the application, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, compromising the security and integrity of the application and its users.
This vulnerability allows a local attacker to execute arbitrary code with administrator privileges by creating a malicious .mrimgx backup file and a crafted VSSSvr.dll, which is loaded by Macrium Reflect when a user with administrative privileges mounts the backup.
This vulnerability is a problem because it enables an attacker to gain administrator-level access to a system, potentially allowing them to install malware, steal sensitive data, or take control of the system, all by exploiting a flaw in how Macrium Reflect loads DLL files.
This vulnerability allows attackers to execute arbitrary code with administrator privileges by creating a malicious backup file (.mrimgx or .mrbax) and a renamed executable, which is launched when a user with administrative privileges opens the backup file and mounts it.
This is a problem because it enables attackers to gain control over a system with elevated privileges, potentially leading to unauthorized access, data theft, or malware installation, all of which can have severe consequences for the security and integrity of the affected system.
This vulnerability allows attackers to upload any file they want to a ZKEACMS v4.1 system, which can then be executed by the system, potentially giving the attacker control over the system.
This is a problem because it enables attackers to run malicious code on the system, which can lead to unauthorized access, data theft, or complete system compromise.