No specific vulnerability or exploit information is provided for CVE-2025-62835, as the original description was rejected and marked as "Not used".
The lack of information about this CVE makes it difficult to assess its potential impact or severity, which could cause confusion or lead to a potential security issue being overlooked.
No information is available for this CVE as the original description was rejected and not provided.
The severity of this vulnerability is not specified, making it difficult to assess its potential impact.
No information is available for this CVE as the reason for rejection is listed as "Not used" and severity is marked as "N/A", indicating that this CVE does not contain a valid vulnerability description.
This CVE does not pose a known problem as there is no provided information about a specific vulnerability.
No specific vulnerability or exploit is described, as the reason for the CVE entry is listed as "Not used".
This entry does not pose a problem as it does not describe an actual vulnerability.
No specific vulnerability or exploit information is available for this CVE, as the original description was rejected and no details were provided.
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty and potential security gaps if it were to be associated with a real vulnerability in the future.
This CVE is currently not providing any specific information about a vulnerability as the reason for rejection is listed as "Not used".
The lack of information about this CVE does not pose a direct problem, but it indicates that there is no known vulnerability to address at this time.
No information is available for this CVE, as the original description was rejected and not provided.
The lack of information about this vulnerability makes it difficult to assess its potential impact, but in general, unknown vulnerabilities can be a problem because they may be exploited by attackers before a fix is available.
No specific vulnerability or exploit information is available for this CVE, as the original description was rejected and marked as "Not used".
The lack of information about this CVE makes it difficult to assess its potential impact or risk, which could lead to uncertainty and potential security gaps if it were to be associated with a real vulnerability in the future.
No information is available for this CVE as the reason for rejection is listed as "Not used" and severity is marked as "N/A", indicating that this CVE does not contain a valid or applicable vulnerability description.
This CVE does not pose a known problem as there is no provided information about a specific vulnerability.
The Bold Page Builder plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages via the 'percentage' parameter, due to poor input sanitization and output escaping, affecting versions up to 5.4.5.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that will execute when a user visits the affected page, potentially leading to unauthorized actions, data theft, or further malicious activities.
The ComboServlet in Liferay Portal and Liferay DXP has a vulnerability that allows remote attackers to create very large responses by combining multiple files without any limitations, which can be triggered via the URL query string.
This vulnerability is a problem because it enables remote attackers to launch a denial of service (DoS) attack, potentially overwhelming the system with large responses and making it unavailable to legitimate users.
This vulnerability allows an unauthenticated remote attacker to access and delete arbitrary directories on a target machine by exploiting a relative path traversal flaw in the Productivity Suite software, specifically interacting with the ProductivityService PLC simulator.
This vulnerability is a problem because it enables attackers to remotely delete important files and directories without needing any authentication, potentially disrupting business operations, causing data loss, and leading to significant downtime and recovery efforts.
This vulnerability allows an unauthenticated remote attacker to create arbitrary directories on a target machine by exploiting a relative path traversal flaw in the Productivity Suite software, specifically interacting with the ProductivityService PLC simulator.
This vulnerability is a problem because it enables attackers to potentially disrupt system organization, create backdoors for future attacks, or even overwrite critical system files by creating directories in unintended locations, all without needing authentication.
This vulnerability allows an unauthenticated remote attacker to access and delete arbitrary files on a target machine by exploiting a relative path traversal flaw in the Productivity Suite software, specifically interacting with the ProductivityService PLC simulator.
This vulnerability is a problem because it enables unauthorized access and deletion of files, which can lead to data loss, disruption of services, and potential system compromise, posing a significant risk to the confidentiality, integrity, and availability of the affected system.
The CVE-2025-62688 vulnerability allows an attacker with limited access to change their role and gain full control over a project in the Productivity Suite software version 4.4.1.19.
This vulnerability is a problem because it enables attackers with low-privileged credentials to escalate their access, potentially leading to unauthorized data modification, theft, or disruption of critical project operations.
This vulnerability allows an attacker to execute arbitrary code on a machine by tampering with a productivity project file in Productivity Suite software version 4.4.1.19, using a relative path traversal (ZipSlip) attack.
This is a problem because it enables attackers to run malicious code on vulnerable machines, potentially leading to data theft, system compromise, or other harmful activities, especially since it can be triggered simply by opening a tampered project file.
The CVE-2025-61977 vulnerability allows an attacker to access an encrypted project in Productivity Suite software version v4.4.1.19 by answering only one password recovery question, due to a weak password recovery mechanism.
This vulnerability is a problem because it enables unauthorized access to sensitive encrypted projects, potentially leading to data theft, modification, or other malicious activities, which can compromise user confidentiality and integrity.
This vulnerability allows an unauthenticated remote attacker to access and manipulate files and folders on a target machine by interacting with the ProductivityService PLC simulator, because the service binds to an unrestricted IP address in Productivity Suite software version v4.4.1.19.
This is a significant issue because it enables attackers to read, write, or delete arbitrary files and folders without authentication, potentially leading to data theft, modification, or destruction, and compromising the security and integrity of the target system.
The CVE-2025-59503 vulnerability allows an authorized attacker to exploit a server-side request forgery (SSRF) in Azure Compute Gallery, enabling them to elevate their privileges over a network.
This vulnerability is a problem because it enables an attacker to gain unauthorized access and control over network resources, potentially leading to data breaches, lateral movement, and further malicious activities, which is reflected in its high severity score of 9.9.
The CVE-2025-59500 vulnerability allows an authorized attacker to gain higher privileges over a network by exploiting improper access control in the Azure Notification Service.
This vulnerability is a problem because it enables an attacker who already has some level of access to escalate their privileges, potentially gaining control over sensitive resources and data within the network, which could lead to unauthorized access, data breaches, or other malicious activities.
The CVE-2025-59273 vulnerability allows an unauthorized attacker to gain elevated privileges over a network due to improper access control in Azure Event Grid.
This vulnerability is a problem because it enables attackers to access and control sensitive resources and data without permission, potentially leading to data breaches, unauthorized modifications, and other malicious activities.
This vulnerability allows an unauthorized user to access and read arbitrary files on a computer running Productivity Suite software version 4.4.1.19 by exploiting a relative path traversal flaw in the ProductivityService PLC simulator.
This is a problem because it enables an attacker to remotely access sensitive files without authentication, potentially leading to data breaches, intellectual property theft, or other malicious activities.
The CVE-2025-58078 vulnerability allows an unauthorized attacker to access and manipulate files on a computer running Productivity Suite software version 4.4.1.19, by exploiting a relative path traversal weakness in the ProductivityService PLC simulator, enabling them to write arbitrary data to the target machine.
This vulnerability is a problem because it enables an unauthenticated remote attacker to interact with sensitive components of the system and write malicious files, potentially leading to data corruption, theft, or execution of malicious code, which can compromise the security and integrity of the affected system.
The MongoDB BI Connector ODBC driver has an Incorrect Default Permissions vulnerability, allowing attackers to escalate their privileges and gain unauthorized access to sensitive data and systems.
This vulnerability is a problem because it can be exploited by attackers to elevate their privileges, potentially leading to unauthorized data access, modification, or deletion, and compromising the security and integrity of the system.
The Rollbar.js library has a vulnerability that allows an attacker to modify the prototype of an object, potentially leading to unauthorized access or code execution, when untrusted input is passed to the `rollbar.configure()` function.
This vulnerability is a problem because it can be exploited by an attacker to inject malicious code or alter the behavior of the application, potentially leading to sensitive data exposure, privilege escalation, or other security breaches.
The Frontier Airlines website has a vulnerable endpoint that allows anyone to check if an email address is associated with an existing account, potentially revealing valid email addresses.
This vulnerability is a problem because it could help attackers gather valid email addresses, which they could then use for phishing, spamming, or other malicious activities, potentially leading to further attacks or breaches.
The CVE-2025-58428 vulnerability allows remote attackers with valid credentials to execute system-level commands on the underlying Linux system of the TLS4B ATG system through its SOAP-based interface, potentially leading to remote command execution, full shell access, and lateral movement within the network.
This vulnerability is a problem because it enables attackers to gain unauthorized control over the system, allowing them to perform malicious actions, access sensitive data, and potentially spread to other parts of the network, compromising the security and integrity of the entire system.
This vulnerability allows an attacker to gain full root privileges within a container by exploiting a flaw in the container's setup, where the /etc/passwd file is created with group-writable permissions, enabling them to add a new user with arbitrary UID, including UID 0.
This is a problem because it enables an attacker, even with limited access as a non-root user within the container, to escalate their privileges and gain complete control over the container, potentially leading to unauthorized data access, modification, or other malicious activities.
The TLS4B ATG system has a vulnerability that causes it to improperly handle Unix time values beyond January 19, 2038, resulting in a system clock reset to December 13, 1901, and leading to authentication failures, disrupted system functionalities, and potential denial of service (DoS) conditions if an attacker manipulates the system time.
This vulnerability is a problem because it can cause significant disruptions to the system, including administrative lockout, operational timer failures, and corrupted log entries, ultimately compromising the security and reliability of the TLS4B ATG system.
The BAE SOCET GXP Job Status Service has an issue where certain endpoints may disclose sensitive information, including local file paths and the version of SOCET GXP in use.
This vulnerability is a problem because it could allow attackers to gain valuable information about the system, such as file paths and software versions, which could be used to plan and execute more targeted attacks.
The CVE-2025-54964 vulnerability allows an attacker to inject arbitrary executables into the BAE SOCET GXP Job Service, potentially enabling them to run malicious code on the system.
This vulnerability is a problem because it can lead to privilege escalation if the Job Service is only accessible locally, and even worse, it can allow remote command execution if the Job Service is accessible over the network, giving attackers control over the system.
The CVE-2025-54963 vulnerability allows an attacker to submit a specially crafted job request to the BAE SOCET GXP Job Service, potentially granting them read access to files on the system with the same permissions as the service. This is possible due to a lack of sanitization for directory traversal in file paths.
This vulnerability is a problem because it could enable an attacker to access sensitive files on the system, potentially leading to data breaches or other malicious activities, especially if the GXP Job Service has elevated permissions.
This vulnerability allows an unauthenticated attacker to cause a denial of service in Vault and Vault Enterprise by sending complex JSON payloads, overwhelming the system before rate limits are applied.
This vulnerability is a problem because it enables attackers to disrupt the service, making it unavailable to legitimate users, without needing any authentication, which can lead to significant downtime and potential data loss.
The Captive Portal vulnerability exposes sensitive information, potentially allowing unauthorized access to confidential data.
This vulnerability is a problem because it can lead to the unauthorized disclosure of sensitive information, which could be used for malicious purposes, such as identity theft, financial fraud, or other cyber attacks, ultimately compromising the security and privacy of individuals and organizations.
The CVE-2025-6979 vulnerability allows unauthorized access to a network by bypassing the authentication process on a Captive Portal, which is a web page that requires users to authenticate before accessing the internet.
This vulnerability is a problem because it enables attackers to gain unauthorized access to a network without a username or password, potentially leading to data theft, malware spread, or other malicious activities, compromising the security and privacy of the network and its users.
This vulnerability allows an attacker to inject malicious commands into a system's diagnostics function, potentially giving them unauthorized access and control.
This vulnerability is a problem because it could enable attackers to execute arbitrary commands, leading to data breaches, system compromise, and disruption of services, which can have serious consequences for the security and integrity of the affected system.
This vulnerability allows an attacker to inject malicious web scripts or HTML code into a Knowledge Base article's attachment filename on Liferay Portal and Liferay DXP, enabling self-cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute arbitrary code on the user's browser, potentially leading to unauthorized access, data theft, or other malicious activities, by tricking users into clicking on crafted attachments.
This vulnerability allows an attacker to execute arbitrary code on a Gnuboard 5.6.15 website by manipulating the c_id parameter in the bbs/view_comment.php file, but only if the attacker has authentication credentials.
This is a problem because it enables authenticated attackers to inject malicious scripts, potentially leading to unauthorized data access, modification, or deletion, and compromising the security and integrity of the website and its users' data.
This vulnerability allows attackers to inject malicious JavaScript code into a user's browser through a crafted payload, exploiting a reflected cross-site scripting (XSS) flaw in MCMS v6.0.1.
This vulnerability is a problem because it enables attackers to execute arbitrary code in the context of a user's browser, potentially leading to unauthorized actions, data theft, or session hijacking, which can compromise user privacy and security.
The MinKNOW software by Oxford Nanopore Technologies stores authentication tokens in a world-readable temporary directory on the host machine, allowing any local user or application to access the token, which can then be used to establish unauthorized remote connections to the sequencer if remote access is enabled.
This vulnerability is a problem because it can lead to unauthorized access to the sequencer, potentially allowing malicious actors to control the device remotely, bypass standard authentication mechanisms, and gain persistent access, which could compromise sensitive data and disrupt operations.
The NVIDIA vGPU software has a vulnerability in the Virtual GPU Manager that allows a malicious guest to access uninitialized pointers, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
This vulnerability is a problem because it could allow an attacker to gain control over the system, disrupt service, elevate their privileges, access sensitive information, or modify data, which could have serious consequences for the security and integrity of the system.
The NVIDIA Project G-Assist vulnerability allows an attacker to potentially escalate their permissions, which could result in unauthorized code execution, elevated privileges, data modification, service disruption, and sensitive information exposure.
This vulnerability is a problem because it could give an attacker excessive control over a system, allowing them to execute malicious code, access sensitive data, disrupt services, or tamper with information, ultimately compromising the security and integrity of the system.
The NVIDIA Display Driver for Windows and Linux has a vulnerability in its video decoder that allows an attacker to cause an out-of-bounds read, potentially leading to information disclosure or denial of service.
This vulnerability is a problem because it could allow an attacker to access sensitive information or disrupt the system's operation, causing it to become unresponsive or crash.
The NVIDIA Display Driver for Linux has a vulnerability that allows an attacker to potentially cause a null pointer dereference in a kernel module, which could lead to a system crash or freeze.
This vulnerability is a problem because it could be exploited by an attacker to cause a denial of service, disrupting the normal functioning of the system and potentially leading to downtime or loss of productivity.
The NVIDIA Display Driver for Linux has a vulnerability that allows an attacker to potentially trigger a null pointer dereference, which could lead to a denial of service.
This vulnerability is a problem because it could allow an attacker to crash the system or make it unavailable, resulting in disruption of service and potential loss of productivity or sensitive data.
The NVIDIA Display Driver for Linux has a vulnerability that allows a user to cause a null pointer dereference by allocating a specific memory resource, which can lead to a denial of service.
This vulnerability is a problem because it can be exploited to disrupt the normal functioning of the system, making it unavailable to users, which can lead to loss of productivity and potential security risks.
This vulnerability allows for potential authentication bypass in Vault's AWS Auth method when the bound_principal_iam role is the same across multiple AWS accounts or uses a wildcard.
This is a problem because it could enable unauthorized access to sensitive resources and data, as an attacker might be able to authenticate without proper credentials if they can match the bound_principal_iam role.
The MinKNOW software by Oxford Nanopore Technologies creates a temporary file to store an authentication token during startup, but this file is accessible to all users on the system, allowing an unauthorized user to lock the file and prevent the software from completing its token generation process.
This vulnerability is a problem because it can lead to a denial-of-service (DoS) condition, where the software is unable to execute commands on the sequencer, effectively blocking all sequencing operations, which can significantly disrupt workflows and research activities.
This vulnerability allows an attacker to perform a Second-order SQL Injection attack on gnuboard4 versions v4.36.04 and earlier through the search functionality in bbs/search.php, potentially enabling them to extract or modify sensitive data.
This vulnerability is a problem because it could allow unauthorized access to database information, leading to data breaches, modification of critical data, or even full control of the database, which could severely compromise the security and integrity of the system.
This vulnerability allows attackers to inject malicious code into the Markdown blocks of pages created in Piranha CMS v12.1, enabling them to execute arbitrary web scripts or HTML, which can lead to the execution of unwanted actions on the website.
This vulnerability is a problem because it enables attackers to manipulate the website's content and potentially steal user data, take control of user sessions, or perform other malicious activities, compromising the security and integrity of the website and its users.
This vulnerability allows attackers to execute arbitrary code on the 17gz International Student service system 1.0 via a cross-site scripting (XSS) attack during the registration step, potentially giving them control over the system.
This vulnerability is a problem because it enables malicious actors to inject malicious code into the system, which can lead to unauthorized access, data theft, or disruption of services, compromising the security and integrity of the system and its users' data.
The Kottster Node.js admin panel contains a pre-authentication remote code execution (RCE) vulnerability that allows attackers to execute malicious code on the system when it is running in development mode.
This vulnerability is a problem because it enables unauthorized access and code execution on the system, potentially leading to data breaches, system compromise, and other malicious activities, even before any authentication is required.
The Tibbo AggreGate Network Manager version < 6.40.05 has an unauthenticated endpoint at /cwmp/happyaxis.jsp that exposes sensitive system information, including Java system properties, server path details, and version information, to anyone who accesses it.
This vulnerability is a problem because it allows unauthorized users to gain valuable information about the system, which could be used to plan and execute further attacks, potentially leading to a full compromise of the system.
The Tibbo AggreGate Network Manager version < 6.40.05 has a vulnerability in its login system that reveals whether a username exists or not when a login attempt fails, allowing an attacker to figure out which usernames are valid.
This vulnerability is a problem because it enables attackers to identify valid usernames, making it easier for them to launch targeted attacks such as brute-force or credential-stuffing attacks to gain unauthorized access to accounts.
The OctoPrint-SpoolManager plugin has a vulnerability that allows unauthorized access to its APIs due to missing authentication and authorization checks in versions 1.8.0a2 and older of the testing branch and versions 1.7.7 and older of the stable branch.
This vulnerability is a problem because it potentially allows unauthorized users to access and manipulate spool and usage metadata, which could lead to security breaches and disruptions in 3D printing operations.
The OpenBao AWS Plugin has a vulnerability that allows an IAM role from an untrusted AWS account to impersonate a role with the same name in a trusted account, granting unauthorized access to the system.
This vulnerability is a problem because it enables malicious actors to gain access to sensitive resources and data in a trusted AWS account by exploiting duplicate IAM role names across different accounts, which can lead to security breaches and data compromise.
The CVE-2025-50951 vulnerability is a memory leak in FontForge version v20230101, specifically occurring in the utf7toutf8_copy function located at /fontforge/sfd.c, which can cause the program to consume increasing amounts of memory.
This vulnerability is a problem because a memory leak can lead to performance issues, crashes, and potentially even allow an attacker to exploit the vulnerability to execute arbitrary code or disrupt the system, especially if the leak occurs repeatedly over time.
The CVE-2025-50950 vulnerability is a NULL pointer dereference issue in the Audiofile v0.3.7 software, specifically in the ModuleState::setup function, which can cause the program to crash or potentially execute unwanted code when it encounters a null pointer.
This vulnerability is a problem because it can lead to a denial-of-service (DoS) condition, causing the software to become unresponsive or crash, and potentially allowing an attacker to execute arbitrary code, compromising the security and integrity of the system.
The FontForge software, specifically version v20230101, contains a memory leak vulnerability through its DlgCreate8 component, which can cause the program to consume increasing amounts of memory.
This vulnerability is a problem because a memory leak can lead to performance issues, crashes, and potentially even allow an attacker to exploit the vulnerability to execute malicious code or gain unauthorized access to the system.
The enabled serial console in certain versions of BLU-IC2 and BLU-IC4 devices could potentially leak sensitive information, which might aid an attacker in identifying vulnerabilities.
This vulnerability is a problem because it could provide attackers with valuable information to exploit other weaknesses in the system, potentially leading to unauthorized access or further malicious activities.
The CVE-2025-61136 vulnerability allows attackers to manipulate the Host header in the password reset component of axewater sharewarez v2.4.3, potentially leading to password reset poisoning and account takeover by generating malicious reset links.
This vulnerability is a problem because it enables remote attackers to take control of user accounts by tricking the password reset system into sending reset links to attacker-controlled servers, allowing them to intercept and use the reset links to gain unauthorized access to the accounts.
This vulnerability allows an attacker to manipulate the password reset process in levlaz braindump v0.4.14 by injecting a fake Host header, potentially leading to unauthorized account takeovers.
This vulnerability is a problem because it enables attackers to intercept and alter password reset links, granting them access to user accounts and sensitive information, which can result in identity theft, data breaches, and other malicious activities.
This vulnerability allows an attacker to take control of a KeeneticOS device by tricking a user into opening a malicious webpage, which then sends a request to the device's "/rci" API endpoint to add new users with full permissions.
This is a problem because it enables unauthorized users to gain full control over the device, potentially leading to data theft, device malfunction, or other malicious activities, all without the user's knowledge or consent.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack on KeeneticOS devices with versions before 4.3, specifically on the "Wireless ISP" page, enabling them to add new users with full permissions and potentially take over the device.
This vulnerability is a problem because it enables attackers who are physically near the router to gain full control over the device, allowing them to access sensitive information, modify settings, and perform malicious actions without authorization.
This vulnerability allows attackers to inject malicious code into the KeeneticOS system by exploiting a weakness in the "/auth" API endpoint, enabling them to add new users with full permissions to the device.
This vulnerability is a problem because it enables attackers to take control of the device, potentially leading to unauthorized access, data theft, and other malicious activities, by tricking the victim into opening a page with the exploit.
The CVE-2025-12110 vulnerability allows an offline session in Keycloak to remain valid even after the offline_access scope has been removed from the client, permitting the continued use of refresh tokens to obtain new session tokens.
This vulnerability is a problem because it can lead to unintended access. If an administrator removes the offline_access scope, they would typically expect that offline sessions are no longer accessible, but due to this flaw, sessions can still be active, potentially allowing unauthorized or unintended access.
The CVE-2025-62256 vulnerability allows remote attackers to access the OpenAPI YAML file in Liferay Portal and Liferay DXP via a crafted URL, due to improper access restrictions to OpenAPI in certain circumstances.
This vulnerability is a problem because it enables unauthorized access to sensitive information, potentially allowing attackers to gain insight into the system's API structure and exploit other vulnerabilities, which could lead to further security breaches and data exposure.
This vulnerability allows an attacker to inject malicious code into CSV files exported by applications built with Instant Developer Foundation versions prior to 25.0.9600, potentially leading to code execution when the CSV file is opened.
This is a problem because it enables attackers to execute arbitrary code on a user's system simply by tricking them into opening a maliciously crafted CSV file, which could lead to data theft, system compromise, or other malicious activities.
The CVE-2025-53702 vulnerability allows an unauthenticated attacker on the same local network to send a crafted request to the /cgi-bin/action endpoint of Vilar VS-IPC1002 IP cameras, causing the device to become completely unresponsive and requiring a manual restart.
This vulnerability is a problem because it enables an attacker to launch a Denial-of-Service (DoS) attack, disrupting the functionality of the IP camera and potentially causing security breaches or losses, especially in environments where constant surveillance is critical.
The Vilar VS-IPC1002 IP camera is vulnerable to a Reflected XSS (Cross-site Scripting) attack, which occurs when an attacker sends a malicious GET request to the /cgi-bin/action endpoint, exploiting the fact that the camera does not properly sanitize parameters in these requests, potentially targeting logged-in admin users.
This vulnerability is a problem because it allows an attacker to inject malicious code into the camera's web interface, potentially leading to unauthorized access, data theft, or taking control of the camera, which could compromise the security of the network and the privacy of individuals being monitored.
This vulnerability allows attackers with administrative privileges to manipulate HTTP Host headers in Moxa's Ethernet switches by injecting specially crafted Host headers into HTTP requests, potentially redirecting users, forging links, or conducting phishing attacks.
This vulnerability is a problem because it can be used to trick users into visiting malicious websites or divulging sensitive information, which can lead to security breaches and other cyber threats, even though it does not directly impact the confidentiality, integrity, and availability of the affected device.
This vulnerability allows an authorized administrator to inject malicious scripts into the web service of Moxa's Ethernet switches, which can then affect other authenticated users who interact with the device's web interface, potentially compromising their session.
This is a problem because it can lead to a loss of confidentiality and integrity for users interacting with the device's web interface, even though the device itself remains unaffected. An attacker could exploit this to steal user data or perform actions on behalf of the affected users.
This vulnerability allows existing user sessions in Keycloak to retain extended session lifetimes even after the "Remember Me" realm setting has been disabled, due to a flaw in session management that fails to immediately enforce the new setting on existing sessions.
This vulnerability is a problem because it increases the potential window for successful session hijacking or unauthorized long-term access persistence, allowing attackers to maintain access to user accounts for an extended period even after the administrator has attempted to tighten security settings.
The Beaver Builder Plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages through a parameter called 'auto_play'; the injected script runs in the browser of any user who visits the affected page.
This vulnerability is a problem because it enables authenticated attackers with certain access levels to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or further exploitation of the website.
The RSS Aggregator by Feedzy plugin for WordPress has a vulnerability that allows authenticated attackers to make unauthorized web requests to any location, including internal services, by exploiting the 'feedzy_sanitize_feeds' function.
This vulnerability is a problem because it enables attackers with minimal access (Subscriber-level and above) to query sensitive information from internal services, potentially leading to unauthorized data access, network exploitation, or other malicious activities.
The CVE-2025-11023 vulnerability allows an attacker to include and execute local files on a server running the AcBakImzala software, potentially leading to unauthorized access and code execution. This is due to improper control of filename inclusion in PHP programs, enabling PHP Local File Inclusion attacks.
This vulnerability is a significant problem because it can be exploited by attackers to gain unauthorized access to sensitive data and systems, potentially leading to data breaches, malware infections, and other malicious activities. The high severity rating of 9.8 indicates that this vulnerability can be easily exploited and has a high impact on the affected system.
The MxChat – AI Chatbot for WordPress plugin has a vulnerability that allows attackers to trick the WordPress server into making unauthorized HTTP requests to any destination on the internet, without the need for authentication.
This vulnerability is a problem because it enables attackers to use the WordPress server to make requests to internal or external services, potentially leading to data exposure, server compromise, or other malicious activities, all without the attacker needing to access the server directly.
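Both the Feedzy and the MxChat issues above are server-side request forgery: the server fetches a URL the user supplies. The usual mitigation is to validate the destination before fetching, on the resolved addresses rather than on the hostname string. The following is an added example (not code from either plugin) of such a check: it allows only http(s), refuses embedded credentials, and requires every address the host resolves to be globally routable, so loopback, RFC 1918 ranges, link-local (including the cloud metadata address 169.254.169.254) and IPv4-mapped IPv6 disguises are rejected. The resolver is injectable; the FAKE_DNS table and SAMPLE_URLS are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname to every address it maps to (live DNS; swapped out below)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Strip an IPv6 scope id ("fe80::1%eth0") before parsing.
    return sorted({ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}, key=str)


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolve=resolve_host):
    """Decide whether the application may fetch url on a user's behalf.

    Returns (allowed, reason). Every resolved address must be public: a name
    that maps to one public and one internal address is rejected outright.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal address, no DNS needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"{host!r} does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, f"{host!r} -> {', '.join(map(str, addrs))}"


# Constructed DNS table standing in for real resolution so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host.lower(), [])]


# Constructed feed URLs a user might submit to a "fetch this feed" endpoint.
SAMPLE_URLS = [
    "https://api.example.com/feed.xml",
    "http://intranet.corp/admin",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:127.0.0.1]:8080/",
    "http://rebind.example/",
    "file:///etc/passwd",
    "http://user:pw@api.example.com/",
]


def audit(urls, resolve=fake_resolve):
    """Return (url, allowed) for each url using the given resolver."""
    return [(u, check_outbound_url(u, resolve)[0]) for u in urls]


if __name__ == "__main__":
    for url, allowed in audit(SAMPLE_URLS):
        print("ALLOW " if allowed else "BLOCK ", url)
```

Two caveats a practitioner will want: the check must be repeated for every redirect the fetch follows (an allowed public host can 302 to an internal address), and resolving once at check time and again at connect time leaves a DNS-rebinding window; pinning the connection to the address that passed the check closes it. Working on resolved addresses rather than strings is also what defeats spellings such as decimal or hex IP literals that a libc resolver would happily turn into 127.0.0.1.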
This vulnerability allows students to bypass the time limit set for timed assignments in Moodle, giving them potentially unlimited time to complete an assessment.
This vulnerability undermines the integrity of timed assessments, as it enables students to have an unfair advantage over their peers by having more time to complete the assignment, which can impact the validity and fairness of the assessment results.
The Moodle vulnerability exposes the names of hidden groups to users who have permission to create calendar events, even if they don't have permission to view these hidden groups.
This vulnerability is a problem because it can reveal private or restricted group information to unauthorized users, potentially compromising confidentiality and security.
The CVE-2025-62399 vulnerability allows attackers to repeatedly attempt to guess passwords for Moodle's mobile and web service authentication endpoints without sufficient restrictions, making it possible to launch brute-force attacks.
This vulnerability is a problem because it enables attackers to guess or crack passwords through repeated attempts, potentially leading to unauthorized access to sensitive information and systems, which can result in data breaches, tampering, or other malicious activities.
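The missing control here is an attempt limit on the authentication endpoint. The following is an added example (not Moodle code) of a sliding-window login throttle keyed both per account and per source address, with a lockout once the failure count is reached. The clock is injectable so the sequence below is deterministic; the accounts, addresses and attempt sequence in simulate() are constructed for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with a lockout, keyed by any hashable."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def check(self, key):
        """Return (allowed, seconds_until_retry) without recording anything."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False, until - now
            del self._locked_until[key]       # lock expired: start with a clean slate
            self._failures[key].clear()
        return True, 0.0

    def record_failure(self, key):
        """Count a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, username, source_ip, password_ok):
    """Apply the throttle per account and per source address before the credential check.

    Returns "locked", "denied" or "ok". password_ok stands in for the real
    password verification, which only runs once the throttle allows the attempt.
    """
    keys = (("user", username.lower()), ("ip", source_ip))
    for key in keys:
        allowed, _retry = throttle.check(key)
        if not allowed:
            return "locked"
    if password_ok:
        for key in keys:
            throttle.record_success(key)
        return "ok"
    for key in keys:
        throttle.record_failure(key)
    return "denied"


class FakeClock:
    """Manually advanced clock so the example does not depend on wall time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate():
    """Constructed sequence: three wrong guesses, then correct passwords during and after lockout."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window=60.0, lockout=120.0, clock=clock)
    outcomes = []
    for _ in range(3):
        outcomes.append(attempt_login(throttle, "alice", "203.0.113.9", password_ok=False))
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.9", password_ok=True))  # right password, still locked
    outcomes.append(attempt_login(throttle, "bob", "203.0.113.9", password_ok=True))    # other account, same IP: locked
    outcomes.append(attempt_login(throttle, "bob", "198.51.100.7", password_ok=True))   # other account, other IP: fine
    clock.now = 121.0
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.9", password_ok=True))  # lock has expired
    return outcomes
```

Two design points: the lockout response should not differ for accounts that do not exist, or the endpoint becomes a username oracle; and a per-account lock on its own lets an attacker deny a victim service, which is why the per-address key and a finite lockout (or a progressive delay instead of a hard lock) are combined with it.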
This vulnerability allows attackers who already have valid login credentials to bypass the extra security step of multi-factor authentication (MFA) under specific circumstances, potentially giving them unauthorized access to user accounts.
This is a problem because multi-factor authentication is a critical security layer designed to prevent unauthorized access, even if an attacker has a user's password. By bypassing MFA, an attacker can gain access to sensitive information and systems, compromising the security and privacy of the affected accounts.
This vulnerability allows attackers to determine which course IDs are valid in Moodle by observing that the router responds differently to valid and invalid course IDs.
This is a problem because it lets an attacker enumerate courses they are not otherwise allowed to see, information that can be used to target those courses in further attacks.
The CVE-2025-62396 vulnerability is an error-handling issue in the Moodle router that can cause the application to display internal directory listings when specific HTTP headers are not properly configured.
This vulnerability is a problem because it can potentially expose sensitive information about the application's internal structure, which could be used by attackers to plan and execute further attacks, compromising the security and confidentiality of the system.
This vulnerability allows users with lower-level permissions to access restricted administrative data from the system context through the cohort search web service, even though they shouldn't have access to it.
This is a problem because it exposes sensitive information that should only be available to higher-level administrators, potentially leading to unauthorized data access, misuse, or exploitation.
This vulnerability in Moodle allows suspended or inactive users to receive quiz notifications, potentially leaking limited course information, because the system fails to properly verify a user's enrolment status.
This is a problem because it can lead to unauthorized access to course information by users who should no longer have access, compromising the privacy and security of the course content.
This vulnerability allows unauthorized users to view information about courses they should not have access to, due to a flaw in enforcing user access permissions in the course overview output function.
This is a problem because it potentially exposes limited course details to individuals who are not supposed to see them, which could compromise the privacy and security of sensitive course information.
The CVE-2025-10355 vulnerability allows an attacker to create a malicious URL that manipulates the redirection parameter in MOLGENIS EMX2 v11.14.0, potentially redirecting users to phishing sites or other malicious destinations.
This vulnerability is a problem because it can trick users into visiting fake or malicious websites, which can lead to sensitive information being stolen, malware being installed, or other harmful activities.
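An open redirect is fixed by validating the redirect parameter against what the application actually needs: a same-origin path, or an absolute URL on an explicitly allowed host. The following is an added example (not MOLGENIS EMX2 code) of such a validator, including the variants attackers use to slip past naive prefix checks: scheme-relative "//host", backslash and control-character forms, userinfo tricks ("https://app@evil"), look-alike subdomains and non-web schemes. ALLOWED_HOSTS and SAMPLE_TARGETS are constructed for the example.

```python
from urllib.parse import urlsplit

# Characters browsers normalize or strip in ways that defeat naive prefix checks
# (backslash is treated as a slash; tabs and newlines are stripped).
_FORBIDDEN = set("\\\r\n\t\x00")


def safe_redirect_target(candidate, allowed_hosts, fallback="/"):
    """Return candidate if it is a safe post-login destination, else fallback.

    Accepts a same-origin absolute path ("/dashboard") or an absolute http(s)
    URL whose host is in allowed_hosts. Anything else, including
    scheme-relative URLs ("//evil"), falls back to the default.
    """
    if not candidate or any(ch in _FORBIDDEN for ch in candidate):
        return fallback
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash, so a browser cannot read
        # the start of it as a host.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    host = parts.hostname
    if host and host.lower() in allowed_hosts:
        return candidate
    return fallback


ALLOWED_HOSTS = {"app.example.com"}  # constructed allow-list for the example

# Constructed values an attacker might place in a redirect parameter.
SAMPLE_TARGETS = [
    "/dashboard",
    "/search?q=x#top",
    "//evil.example/",
    "/\\evil.example",
    "https://app.example.com/profile",
    "https://app.example.com@evil.example/",
    "https://app.example.com.evil.example/",
    "https:evil.example",
    "javascript:alert(1)",
    "",
]


def classify(targets, allowed_hosts=ALLOWED_HOSTS):
    """Return (submitted value, destination the application would actually use)."""
    return [(t, safe_redirect_target(t, allowed_hosts)) for t in targets]


if __name__ == "__main__":
    for submitted, used in classify(SAMPLE_TARGETS):
        print(f"{submitted!r:45} -> {used!r}")
```

A relative path is only as safe as the origin the browser resolves it against, so this check assumes the application also validates the incoming Host header rather than echoing it into absolute URLs.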
This CVE is a duplicate entry and does not describe a unique vulnerability.
It is not a problem as it does not represent an actual security vulnerability.
The CVE-2025-41073 vulnerability allows an authenticated attacker to download a ZIP file containing sensitive files from the server, including those located in parent directories, by manipulating the "direstudio" parameter in a specific PHP file.
This vulnerability is a problem because it enables attackers to access and download confidential files from the server, potentially leading to data breaches, unauthorized access, and other security threats.
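The AcBakImzala local file inclusion (CVE-2025-11023) above and this ZIP download flaw share one root cause: a user-supplied path fragment reaches the filesystem without being confined to the directory the feature is meant to serve. The following is an added example (not code from either product) of the confinement check both need, in Python rather than PHP: the candidate path is fully resolved (so "..", absolute paths and symlinks are all seen for what they are) and then tested with commonpath against the resolved base directory. It is used once for a template include with an extension allow-list and once for building a ZIP of a requested subdirectory. The directory tree in demo() and ALLOWED_INCLUDE_EXT are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

ALLOWED_INCLUDE_EXT = {".php", ".html", ".txt"}  # assumption: what the app may include


def resolve_within(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    realpath() collapses "..", follows symlinks and turns absolute input into
    its real location, so the containment test runs on what the filesystem
    would actually open. commonpath() is used instead of startswith() so that
    "/srv/app" does not accept "/srv/app2/secret".
    """
    base = os.path.realpath(base_dir)
    try:
        candidate = os.path.realpath(os.path.join(base, user_path))
        inside = os.path.commonpath([base, candidate]) == base
    except (ValueError, OSError):  # embedded NUL byte, or paths on different drives
        inside = False
    if not inside:
        raise PermissionError(f"{user_path!r} escapes {base}")
    return candidate


def include_template(base_dir, name):
    """Read a template by name: the safe counterpart of a PHP-style include($name)."""
    path = resolve_within(base_dir, name)
    if os.path.splitext(path)[1].lower() not in ALLOWED_INCLUDE_EXT:
        raise PermissionError(f"{name!r}: extension not allowed")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def zip_directory(base_dir, requested_dir):
    """Build a ZIP of the files under base_dir/requested_dir; traversal raises."""
    target = resolve_within(base_dir, requested_dir)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(target):
            for fname in sorted(files):
                full = os.path.join(root, fname)
                zf.write(full, os.path.relpath(full, target))
    return buf.getvalue()


def demo():
    """Constructed tree: a public "studio" folder beside a config file outside it."""
    results = {"included": None, "zip_names": [], "blocked_include": [], "blocked_zip": []}
    with tempfile.TemporaryDirectory() as tmp:
        studio = os.path.join(tmp, "studio")
        os.makedirs(os.path.join(studio, "assets"))
        with open(os.path.join(studio, "page.html"), "w") as fh:
            fh.write("<h1>public</h1>")
        with open(os.path.join(studio, "assets", "logo.txt"), "w") as fh:
            fh.write("logo")
        with open(os.path.join(tmp, "config.php"), "w") as fh:
            fh.write("<?php $db_pass = 'secret';")

        results["included"] = include_template(studio, "page.html")
        with zipfile.ZipFile(io.BytesIO(zip_directory(studio, "."))) as zf:
            results["zip_names"] = sorted(zf.namelist())

        for attempt in ("../config.php", "/etc/passwd", "assets/../../config.php", "page.html\x00.jpg"):
            try:
                include_template(studio, attempt)
            except PermissionError:
                results["blocked_include"].append(attempt)
        for attempt in ("..", "../"):
            try:
                zip_directory(studio, attempt)
            except PermissionError:
                results["blocked_zip"].append(attempt)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the check runs on the resolved path, a symlink inside the served directory that points outside it is rejected as well; a check that only filters ".." from the string would let that through.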
The CVE-2025-40643 vulnerability allows an attacker to store malicious script in the Energy CRM system (stored cross-site scripting) by exploiting a lack of input validation in the "JobCreatedBy" parameter of the "/crm/create_job_submit.php" page, potentially leading to the theft of authenticated users' session cookies.
This vulnerability is a problem because the stored script runs in the browser of every authenticated user who views the affected record, which could expose their session cookies and allow the attacker to impersonate them and gain unauthorized access to the system.
The CVE-2025-9981 vulnerability allows an attacker with admin privileges to inject arbitrary HTML and JavaScript code into a website's slider editor functionality, which will then be executed on every page of the site.
This vulnerability is a problem because it enables malicious administrators to embed harmful scripts into the website, potentially leading to unauthorized access, data theft, or other malicious activities, affecting all users who visit the site.
The CVE-2025-9980 vulnerability allows an attacker with admin privileges to inject malicious HTML and JavaScript code into a website using the page editor functionality in QuickCMS, which will be executed when a user visits the edited page.
This vulnerability is a problem because it enables an attacker to potentially steal user data, take control of user sessions, or perform other malicious actions on the website, compromising the security and integrity of the site and its users.
The CVE-2025-12105 vulnerability is a flaw in the libsoup library that handles HTTP/2 communications, which can cause a use-after-free memory access when network operations are aborted at specific times, potentially crashing the application. This can be exploited remotely by triggering specific HTTP/2 read and cancel sequences.
This vulnerability is a problem because it can lead to a denial-of-service condition, where an attacker can remotely crash applications that use the libsoup library, such as GNOME and WebKit-based applications, disrupting their functionality and causing inconvenience to users.
The CVE-2025-10914 vulnerability allows an attacker to inject malicious code into web pages generated by the OBS (Student Affairs Information System) due to improper neutralization of input, leading to Reflected Cross-site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the system and its users.
The CVE-2025-10727 vulnerability allows an attacker to inject malicious code into a web page, enabling Reflected Cross-site Scripting (XSS) attacks, which can be executed when a user visits a compromised webpage in the AcBakImzala system.
This vulnerability is a problem because it enables attackers to steal user data, take control of user sessions, or perform unauthorized actions on behalf of the user, potentially leading to sensitive information disclosure, identity theft, or other malicious activities.
This vulnerability allows an attacker with "ContentType Management" privilege to store malicious input in the Edit CategorySet of ContentType page in Movable Type, which can lead to the execution of arbitrary scripts on the web browser of users who access the page.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the webpage, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions on behalf of the user.
The NarSuS App installs a Windows service whose executable path contains spaces but is not quoted, so Windows may try to run a differently named executable placed earlier along that path instead of the intended binary.
This vulnerability is a problem because it enables an attacker with write permission on the system drive's root directory to run arbitrary code with elevated SYSTEM privileges, potentially leading to a full system compromise.
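To see why an unquoted path is exploitable, it helps to enumerate the candidate binaries Windows tries: for a path with spaces, CreateProcess treats each space as a possible end of the executable name and tries the prefixes in order, appending .exe, so C:\Program Files\Vendor App\svc.exe is reachable via C:\Program.exe or C:\Program Files\Vendor.exe. The following is an added example (not NarSuS code, and not a real audit of it) of an audit helper that derives those candidates and the directories an attacker would need to write to. The SAMPLE_SERVICES entries are constructed; on a real system the image paths would come from the services' ImagePath registry values or from the PathName property of Win32_Service.

```python
import ntpath


def hijack_candidates(image_path):
    """List the executables Windows would look for before the intended one.

    For an unquoted path containing spaces, CreateProcess tries each
    space-delimited prefix in turn (appending .exe); the first one that exists
    wins. A quoted path has no ambiguity and yields no candidates. Assumes the
    real binary carries an explicit .exe extension.
    """
    s = image_path.strip()
    if s.startswith('"'):
        return []
    candidates = []
    for i, ch in enumerate(s):
        if ch != " ":
            continue
        prefix = s[:i]
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def audit_services(services):
    """Return findings for services whose image path is hijackable.

    services: iterable of (service_name, image_path). Each finding lists the
    candidate binaries and the directories an attacker would need to write to.
    """
    findings = []
    for name, image_path in services:
        candidates = hijack_candidates(image_path)
        if not candidates:
            continue
        findings.append({
            "service": name,
            "image_path": image_path,
            "candidates": candidates,
            "writable_dirs_needed": [ntpath.dirname(c) for c in candidates],
        })
    return findings


# Constructed entries shaped like ImagePath / Win32_Service.PathName values.
SAMPLE_SERVICES = [
    ("GoodSvc", '"C:\\Program Files\\Vendor App\\svc.exe" -run'),
    ("BadSvc", 'C:\\Program Files\\Vendor App\\svc.exe -run'),
    ("SysSvc", 'C:\\Windows\\system32\\svchost.exe -k netsvcs'),
    ("NoSpaceSvc", 'C:\\Tools\\agent.exe'),
]

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(finding["service"], finding["image_path"])
        for cand, d in zip(finding["candidates"], finding["writable_dirs_needed"]):
            print(f"  would run {cand} if writable: {d}")
```

The first candidate's directory is the system drive root, which is exactly the permission the description above says an attacker needs; the fix on the vendor side is simply to register the service with the path in quotes, which is what turns BadSvc into GoodSvc.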
This vulnerability allows an attacker with "ContentType Management" privilege to store crafted input in Movable Type's Edit ContentData page, which can execute an arbitrary script on the web browser of any user who accesses that page.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially stealing user data, taking control of user sessions, or spreading malware, by exploiting the trust users have in the website.
The CVE-2025-54806 vulnerability allows an attacker to execute an arbitrary script on a user's web browser if the user accesses a specially crafted URL while logged in to GROWI version 4.2.7 or earlier, due to a cross-site scripting flaw in the page alert function.
This vulnerability is a problem because it enables attackers to potentially steal user data, take control of the user's session, or perform other malicious actions on the user's browser, compromising the security and integrity of the user's interactions with the GROWI platform.
The Slack Nebula vulnerability allows the network to accept arbitrary source IP addresses, due to improper handling of CIDR (Classless Inter-Domain Routing) in certain configurations, potentially granting unauthorized access to the Nebula network.
This vulnerability is a problem because it could enable malicious actors to bypass security controls and access the network from unauthorized IP addresses, potentially leading to data breaches, lateral movement, and other security threats.
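The check an overlay such as Nebula has to get right is that a decrypted packet's inner source address lies within the networks the sending peer is authorized to use; if the CIDR comparison is too permissive, a peer can claim any source address. The following is an added example (not Nebula code, and not a reconstruction of this specific bug) of that check with Python's ipaddress module, plus a config lint that refuses the entries most likely to widen the match by accident: a missing prefix length, host bits set under the mask, and a prefix broader than the deployment ever intends. MIN_PREFIX is an assumed policy; PEER_AUTHORIZED and SAMPLE_PACKETS are constructed for the example.

```python
import ipaddress

MIN_PREFIX = {4: 8, 6: 32}  # assumption: the broadest mask this deployment ever intends


def parse_authorized_networks(entries):
    """Turn CIDR strings from a peer's certificate or config into networks.

    Requires an explicit prefix length, refuses host bits set under the mask
    (strict=True) and refuses prefixes broader than MIN_PREFIX, so a typo like
    "10.42.0.0/0" cannot quietly authorize every source address.
    """
    nets = []
    for entry in entries:
        if "/" not in entry:
            raise ValueError(f"{entry!r}: prefix length is required")
        net = ipaddress.ip_network(entry, strict=True)
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(
                f"{entry!r}: /{net.prefixlen} is broader than /{MIN_PREFIX[net.version]}"
            )
        nets.append(net)
    return nets


def source_allowed(authorized, src_ip):
    """True if src_ip falls inside at least one authorized network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in authorized)


def filter_packets(authorized, packets):
    """Split decrypted overlay packets into accepted and dropped by inner source IP."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_allowed(authorized, pkt["src"]) else dropped).append(pkt)
    return accepted, dropped


def rejected_config_entries(entries):
    """Return the entries parse_authorized_networks refuses, for a config lint pass."""
    bad = []
    for entry in entries:
        try:
            parse_authorized_networks([entry])
        except ValueError:
            bad.append(entry)
    return bad


# Constructed: what one peer's certificate says it may use, and a packet batch
# arriving over that peer's tunnel.
PEER_AUTHORIZED = ["10.42.7.5/32", "10.42.100.0/24"]
SAMPLE_PACKETS = [
    {"src": "10.42.7.5", "dst": "10.42.0.1", "info": "the peer's own address"},
    {"src": "10.42.100.9", "dst": "10.42.0.1", "info": "inside its authorized subnet"},
    {"src": "10.42.7.6", "dst": "10.42.0.1", "info": "a neighbour's address, spoofed"},
    {"src": "10.42.0.1", "dst": "10.42.0.2", "info": "claims to be the gateway"},
]


def demo():
    """Return (accepted sources, dropped sources) for the constructed batch."""
    nets = parse_authorized_networks(PEER_AUTHORIZED)
    accepted, dropped = filter_packets(nets, SAMPLE_PACKETS)
    return [p["src"] for p in accepted], [p["src"] for p in dropped]


if __name__ == "__main__":
    print(demo())
    print(rejected_config_entries(["10.42.7.5", "0.0.0.0/0", "10.42.7.5/24", "10.42.100.0/24"]))
```

The strict parse matters more than it looks: ip_network("10.42.7.5/24", strict=False) silently becomes 10.42.7.0/24, authorizing 255 addresses the operator only meant to grant one of.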