This vulnerability allows an attacker to access and read arbitrary files on a server hosting RiteCMS v3.1.0 by exploiting a local file inclusion weakness in the admin.php component, specifically through directory traversal in the admin_language_file and default_page_language_file settings.
This is a problem because it enables attackers to potentially gain access to sensitive information stored in files on the server, such as configuration files, user data, or other confidential documents, which could be used for further malicious activities.
This vulnerability allows an attacker to trick a user into creating new pages on a RiteCMS v3.1.0 website without their knowledge or consent, by sending a fake request that appears to come from the user.
This vulnerability is a problem because it enables attackers to add malicious content to a website, potentially leading to security breaches, data theft, or the spread of malware, which can damage the website's reputation and compromise user data.
The CVE-2025-67171 vulnerability allows attackers to access sensitive files in the RiteCMS v3.1.0 system by exploiting incorrect access control in the /templates/ component through directory traversal.
This vulnerability is a problem because it enables unauthorized access to sensitive files, which can lead to data breaches, theft of confidential information, and potentially allow attackers to gain further control over the system.
This vulnerability allows attackers to inject malicious code into a user's browser through a specially crafted payload, exploiting a reflected cross-site scripting (XSS) weakness in RiteCMS version 3.1.0.
This vulnerability is a problem because it enables attackers to execute arbitrary code in the context of a user's browser, potentially leading to unauthorized access to sensitive information, session hijacking, or other malicious activities.
The RiteCMS version 3.1.0 uses insecure encryption methods to store user passwords, potentially exposing them to unauthorized access.
This vulnerability is a problem because it allows attackers to easily obtain user passwords, which can lead to unauthorized account access, data breaches, and other malicious activities, compromising the security and privacy of users.
This vulnerability allows a remote attacker to trick a user into executing unintended actions on the narda miteq Uplink Power Control Unit UPC2's web management interface, potentially leading to the execution of arbitrary code.
This vulnerability is a problem because it enables an attacker to gain unauthorized control over the device, potentially disrupting its operation, stealing sensitive information, or using it as a launching point for further attacks, all without the user's knowledge or consent.
The CVE-2025-66395 vulnerability allows any authenticated user to execute arbitrary SQL commands on the ChurchCRM database due to a SQL injection flaw in the `src/ListEvents.php` file, specifically when filtering events by type. This enables attackers to perform time-based blind SQL injection attacks.
This vulnerability is a problem because it gives any authenticated user, regardless of their privilege level, the ability to access, modify, or delete sensitive data in the database, including user credentials, financial information, and personal data, potentially leading to a full compromise of the application's data.
The CVE-2025-62521 vulnerability allows unauthorized attackers to inject arbitrary PHP code into the ChurchCRM church management system during its initial installation process, potentially leading to complete server compromise.
This vulnerability is a significant issue because it can be exploited without requiring any login credentials, and it affects the installation process that administrators must complete, making it a high-risk entry point for attackers to gain control of the server.
This CVE (CVE-2025-14828) is not a valid vulnerability due to an error in issuance, and all related information has been removed.
It's not a problem as it was issued in error and does not represent an actual vulnerability.
The Ultimate Member plugin for WordPress has a flaw that allows authenticated attackers with basic access to bypass profile privacy settings, modifying their profile to be private or hidden from others, even if the administrator has restricted this option for their role.
This vulnerability is a problem because it undermines the administrator's control over user privacy settings, potentially exposing sensitive information or allowing users to hide their profiles when they shouldn't be able to, which can lead to security and privacy issues within the WordPress environment.
The Live Composer WordPress plugin has a vulnerability that allows attackers to inject malicious scripts into website pages due to poor input validation, which can lead to the execution of arbitrary web scripts when a user visits an affected page.
This vulnerability is a problem because it enables authenticated attackers with contributor-level access or higher to inject harmful scripts, potentially leading to unauthorized data access, theft, or other malicious activities, compromising the security and integrity of the website.
The Mattermost Desktop App version less than 6.0.0 has a vulnerability that fails to enable the Hardened Runtime when packaged for the Mac App Store, allowing an attacker to copy the app's binary to a temporary folder and inherit sensitive permissions.
This vulnerability is a problem because it enables an attacker to gain unauthorized access to sensitive permissions, potentially leading to data breaches, malware infections, or other malicious activities on the affected Mac device.
This vulnerability allows malicious actors to reuse invite tokens that have already been used to join a Mattermost channel, potentially manipulating channel memberships by adding or removing users from private channels.
This vulnerability is a problem because it enables unauthorized access and control over private channels, which can lead to sensitive information being exposed or modified, and can compromise the security and integrity of the channel and its members.
The Mattermost Desktop App versions prior to 6.0.0 fails to properly remove sensitive information from its logs and data when a server is deleted, allowing an attacker with access to the user's system to read the application logs and potentially gain access to sensitive information.
This vulnerability is a problem because it could expose sensitive information, such as user data or server details, to unauthorized individuals who gain access to the user's system, potentially leading to data breaches or other security incidents.
The Ultimate Member WordPress plugin has a vulnerability that allows attackers to inject malicious scripts into user profile pages via the YouTube Video field, potentially executing arbitrary web scripts when a user views the infected profile.
This vulnerability is a problem because it enables authenticated attackers with minimal access (Subscriber-level and above) to inject harmful scripts, which can lead to unauthorized actions, data theft, or further exploitation of the website, compromising user security and trust.
This vulnerability allows an attacker to crash the Calls plug-in in Mattermost by sending a malformed WebSocket request that doesn't follow proper UTF-8 format, affecting versions 11.0.x up to 11.0.4, 10.12.x up to 10.12.2, and 10.11.x up to 10.11.6.
This vulnerability is a problem because it enables attackers to disrupt the functionality of the Calls plug-in, potentially causing denial-of-service conditions and impacting the productivity and communication of users relying on the Mattermost platform.
The Miniconda3 macOS installer, prior to version 23.11.0-1, contains a vulnerability that allows a local user to gain elevated privileges and execute arbitrary commands as the root user when the installer is run outside of the user's home directory.
This vulnerability is a problem because it enables a low-privileged user to inject malicious code and execute it with root privileges, potentially leading to unauthorized access, data tampering, or system compromise.
The Anaconda3 macOS installer, prior to version 2024.06-1, contains a vulnerability that allows a local user to execute arbitrary commands with root privileges when the installer is run outside of the user's home directory, potentially leading to code execution as the root user.
This vulnerability is a problem because it enables a low-privileged user to gain elevated access to the system, which could result in unauthorized modifications, data breaches, or other malicious activities, compromising the security and integrity of the system.
The CVE-2025-67172 vulnerability allows an attacker to execute remote code on a RiteCMS v3.1.0 system by exploiting the parse_special_tags() function, but only if they have already authenticated into the system.
This vulnerability is a problem because it enables attackers to gain control over the system, potentially leading to data breaches, malware installation, or other malicious activities, even if they are already authenticated, which is typically considered a trusted state.
This vulnerability allows an attacker to inject arbitrary web scripts or HTML code into the "name" parameter when creating or updating item kits in Open Source Point of Sale version 3.4.1, enabling cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on the victim's browser, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the point of sale system.
This vulnerability allows an attacker to inject malicious scripts or HTML code into the Open Source Point of Sale system through the phone number field when creating or updating customer information, potentially leading to unauthorized actions on the website.
This vulnerability is a problem because it enables attackers to execute arbitrary code on the website, which could result in theft of sensitive customer data, session hijacking, or other malicious activities, compromising the security and integrity of the system.
This vulnerability allows an attacker to access and steal stored credentials from KeePassXC-Browser when it autofills or prompts to fill credentials into a document that has security restrictions in place, but still executes malicious scripts.
This is a problem because it enables attackers to bypass security measures and gain unauthorized access to sensitive information, such as usernames and passwords, which can be used for malicious purposes like identity theft or unauthorized account access.
This vulnerability allows attackers to inject malicious SQL code into the COVID Tracking System Using QR-Code by exploiting the 'id' parameter in the '/cts/admin/?page=zone' file, enabling them to manipulate the database queries.
This vulnerability is a problem because it enables unauthorized access and manipulation of sensitive data, potentially leading to data breaches, modification, or deletion, which can compromise the integrity and confidentiality of the system.
The CVE-2025-67165 vulnerability allows attackers to exploit an Insecure Direct Object Reference (IDOR) in Pagekit CMS version 1.0.18, enabling them to escalate their privileges and potentially gain unauthorized access to sensitive areas of the system.
This vulnerability is a problem because it can be used by attackers to bypass normal security restrictions and gain elevated access to the system, potentially leading to data breaches, unauthorized modifications, or other malicious activities.
This vulnerability allows an attacker to upload any file, including malicious PHP code, to a Pagekit CMS system, potentially giving them control over the system by executing arbitrary code.
This is a problem because it enables attackers to gain unauthorized access and control over the system, potentially leading to data breaches, malware distribution, or disruption of service, which can have serious consequences for the security and integrity of the system and its data.
This vulnerability allows an attacker to inject malicious scripts or HTML code into the "name" parameter of the Create/Update Item(s) Module in Open Source Point of Sale version 3.4.1, potentially leading to Cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute arbitrary code on the victim's browser, potentially stealing sensitive information, hijacking user sessions, or performing unauthorized actions on the Point of Sale system.
The vulnerability in Netun Solutions HelpFlash IoT devices allows an attacker to exploit the device's over-the-air (OTA) firmware update mechanism by using hardcoded WiFi credentials to create a malicious WiFi access point and serve fake firmware updates, potentially leading to arbitrary code execution on the device.
This vulnerability is a problem because it enables an attacker with brief physical access to the device to take control of it, which is particularly concerning since the device is used for safety-critical emergency signaling, potentially putting people's lives at risk.
The CVE-2025-65185 vulnerability allows attackers to figure out which usernames are valid on an Entrinsik Informer v5.10.1 system by attempting to log in locally and then checking the application's response after entering a one-time password (OTP) code and a new password.
This vulnerability is a problem because it enables malicious users to identify existing usernames, which can be the first step in a targeted attack, such as phishing or password cracking, potentially leading to unauthorized access to the system.
The Portrait Dell Color Management application creates a temporary folder with weak permissions during installation and uninstallation, allowing a low-privileged attacker with local access to potentially exploit this vulnerability and elevate their privileges.
This vulnerability is a problem because it could enable an attacker with limited access to gain higher-level privileges, potentially leading to unauthorized access to sensitive data and system resources.
The Portrait Dell Color Management application 3.3.8 for Dell monitors has insecure permissions, which means that the access controls to the application's files or settings are not properly restricted.
This vulnerability is a problem because it could allow unauthorized users or malicious programs to modify the application's settings or access sensitive data, potentially leading to security breaches or disruptions to the system.
This vulnerability allows an attacker to gain unauthorized access to sensitive information if successfully exploited.
This is a problem because it can lead to the exposure of confidential data, potentially causing financial loss, reputational damage, or other harmful consequences.
A potential vulnerability has been identified in Cisco products, but details are currently limited as the investigation is ongoing.
This vulnerability is a significant concern due to its high severity rating of 10.0, indicating a critical risk that could potentially lead to severe consequences if exploited.
This vulnerability allows an attacker to bypass security checks and force a system to create certificates without proper authorization, potentially granting unauthorized access to sensitive information.
This vulnerability is a problem because it enables attackers to obtain certificates that can be used to impersonate legitimate entities, leading to potential man-in-the-middle attacks, eavesdropping, and other security breaches, ultimately compromising the confidentiality and integrity of sensitive data.
This vulnerability allows an attacker to modify the firmware of a device and potentially gain full access to it, giving them control over the device's functions and data.
This is a problem because if an attacker gains full access to a device, they can steal sensitive information, install malware, or use the device to launch further attacks on other systems, compromising the security and integrity of the device and its associated networks.
The CVE-2025-14727 vulnerability affects the NGINX Ingress Controller, specifically in the validation of the nginx.org/rewrite-target annotation, allowing potential exploitation.
This vulnerability is a problem because it could allow attackers to manipulate the rewrite-target annotation, potentially leading to unauthorized access, data tampering, or other malicious activities, thus compromising the security and integrity of the system.
This vulnerability allows an attacker to create a malicious JSON Web Encryption (JWE) token that, when processed by a server using the jose4j library before version 0.9.5, can cause excessive memory usage and processing time due to an exceptionally high compression ratio.
This vulnerability is a problem because it can lead to a Denial-of-Service (DoS) condition, where the server becomes unresponsive or crashes due to the significant memory allocation and processing time required to decompress the malicious token, potentially disrupting service availability and impacting users.
This vulnerability allows an attacker to create a malicious JSON Web Encryption (JWE) token that, when processed by a server using the python-jose library, can cause the server to consume excessive memory and processing time due to an exceptionally high compression ratio.
This vulnerability is a problem because it can lead to a Denial-of-Service (DoS) condition, where the server becomes unresponsive or crashes due to the high resource usage, potentially disrupting service and causing downtime.
The CVE-2022-23851 vulnerability allows an attacker to inject malicious templates on the server side of the Netaxis API Orchestrator (APIO) version before 0.19.3, potentially enabling them to execute unauthorized code or access sensitive data.
This vulnerability is a problem because it can give attackers the ability to manipulate the API Orchestrator's behavior, leading to potential data breaches, unauthorized access, or disruption of service, which can have serious consequences for the security and reliability of the system.
This vulnerability allows an attacker to perform certain actions on the Ercom Cryptobox administration console by tricking an administrator into visiting a malicious website or clicking a link while they are logged into the console.
This is a problem because it enables an attacker to act on behalf of an administrator, potentially leading to unauthorized changes, data breaches, or other malicious activities, all without the administrator's knowledge or consent.
The CVE-2025-62690 vulnerability allows an attacker to redirect a user to a malicious website by crafting a link that exploits a flaw in Mattermost's redirect URL validation on the error page.
This vulnerability is a problem because it enables phishing attacks, where an attacker can trick a user into visiting a malicious site, potentially leading to sensitive information theft, malware installation, or other harmful activities.
This vulnerability allows an authenticated attacker to initiate calls and inject messages into channels or direct messages on Mattermost platforms by exploiting a lack of CSRF protection on the Calls widget page, using a malicious webpage or crafted link.
This vulnerability is a problem because it enables attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to spam, phishing, or other malicious activities that can disrupt communication and compromise the security of the platform.
This vulnerability causes a product to fail in re-establishing communication after its certificate expires, leading to a potential disruption in service.
This vulnerability is a problem because it can result in unintended downtime or loss of functionality, which may impact business operations, user experience, or critical system availability.
This vulnerability allows remote code execution and unauthorized device management on certain Radiometer products when specific internal conditions are met and a remote connection is established.
This vulnerability is a problem because it can be exploited by attackers to gain control over affected devices, potentially leading to unauthorized access, data breaches, or other malicious activities, especially if the network is not secure.
This vulnerability allows an attacker with physical access to certain Radiometer products to extract sensitive credential information due to weak design and insufficient protection of credentials in the operating system.
This vulnerability is a problem because it can lead to unauthorized access to sensitive information, potentially compromising the security and integrity of the affected systems and data, especially in environments where physical access to devices is not strictly controlled.
This vulnerability allows attackers to hijack the GitHub reaction feature in Mattermost, tricking users into adding reactions to arbitrary GitHub objects by sending crafted notification posts.
This vulnerability is a problem because it enables attackers to manipulate user interactions with GitHub objects, potentially leading to unauthorized changes or misuse of GitHub features, which can compromise the integrity of projects and collaborations.
The CVE-2025-67895 vulnerability allows for Remote Code Execution (RCE) on Airflow 2 when the Edge3 Worker RPC is used, enabling unauthorized code execution in the webserver context.
This vulnerability is a problem because it allows a DAG author to execute arbitrary code, which is a privilege they should not have, potentially leading to unauthorized access, data breaches, or system compromise.
This vulnerability allows a user with physical access to certain Radiometer products to gain unauthorized access to restricted areas of the system, bypassing normal access controls.
This is a problem because it could allow an individual with physical access to the analyzer to perform actions that they should not be able to, potentially compromising the security and integrity of the system and its data.
The CVE-2025-14101 vulnerability allows an attacker to bypass authorization in the PaperWork software by exploiting a user-controlled key, potentially enabling them to access trusted identifiers and sensitive information.
This vulnerability is a problem because it enables unauthorized access to sensitive data and trusted identifiers, which could lead to data breaches, identity theft, and other malicious activities, compromising the security and integrity of the system.
This vulnerability allows an attacker to inject malicious code into web pages generated by the OBS (Student Affairs Information System)0, enabling Reflected Cross-Site Scripting (XSS) attacks, which can steal user data or take control of user sessions.
This vulnerability is a problem because it can be exploited by attackers to steal sensitive information, such as login credentials or personal data, from users of the affected system, potentially leading to identity theft, financial loss, or other malicious activities.
The CVE-2025-14399 vulnerability allows an attacker to trick a WordPress site administrator into downloading and archiving all the site's plugins and themes into the `wp-content/uploads/` directory via a forged request, due to missing or incorrect nonce validation in the Download Plugins and Themes in ZIP from Dashboard plugin.
This vulnerability is a problem because it enables unauthenticated attackers to potentially access sensitive information about the site's plugins and themes, which could be used to plan and execute further attacks, compromising the site's security and integrity.
The Zephyr Project Manager plugin for WordPress has a vulnerability that allows attackers with certain access levels to read the contents of arbitrary files on the server, including sensitive information, by exploiting a directory traversal issue through the `file` parameter.
This vulnerability is a problem because it can lead to unauthorized access to sensitive information on the server, potentially exposing confidential data. Additionally, if the server has `allow_url_fopen` enabled, it can also be used for Server-Side Request Forgery, further increasing the risk of exploitation.
This vulnerability allows third-party apps to access and enable ADB (Android Debug Bridge) debugging functionality on a device without the user's knowledge or interaction, by constructing specific intents to open the com.transsion.tranfacmode.entrance.main.MainActivity component.
This vulnerability is a problem because it could allow malicious apps to gain unauthorized access to the device's debugging interface, potentially leading to data theft, unauthorized device control, or other malicious activities, all without the user's awareness or consent.
The WP Cookie Consent plugin for WordPress has a vulnerability that allows unauthorized users to delete any post, page, or attachment by ID, due to a missing capability check in the plugin's code.
This vulnerability is a problem because it enables unauthenticated attackers to permanently delete important content on a WordPress site, potentially causing data loss and disrupting the site's functionality.
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to modify data without proper authorization, specifically deleting optimized WebP/AVIF image variants for any attachment.
This vulnerability is a problem because it enables low-level users to intentionally or unintentionally delete optimized image files, potentially disrupting website functionality, causing data loss, and affecting the website's performance and user experience.
The Ninja Forms plugin for WordPress has a vulnerability that allows unauthorized users to access form definitions and submission records, including sensitive information, by exploiting a leaked bearer token and accessing certain REST endpoints.
This vulnerability is a problem because it enables attackers to read arbitrary form data and submissions without needing proper authentication, potentially exposing sensitive user information and compromising the security of the WordPress site.
The Better Messages – Live Chat plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages by exploiting the guest display name field, due to inadequate input sanitization and output escaping, enabling them to execute arbitrary web scripts whenever a user accesses the affected page.
This vulnerability is a problem because it enables unauthenticated attackers to inject malicious code into WordPress pages, potentially leading to unauthorized access, data theft, or other malicious activities, affecting all users who access the compromised page.
This vulnerability allows an attacker to trick a logged-in user into performing unintended actions on a GROWI platform (version 7.3.3 or earlier) by getting them to view a malicious webpage.
This is a problem because it enables attackers to exploit the trust a user has in a website, potentially leading to unauthorized data modifications, disclosures, or other malicious activities without the user's knowledge or consent.
The ASUS Live Update client was compromised through a supply chain attack, resulting in unauthorized modifications that could cause affected devices to perform unintended actions under specific conditions.
This vulnerability is a problem because it allows attackers to potentially take control of devices that have installed the compromised Live Update client version, leading to unauthorized actions and potential security breaches.
The WP Recipe Maker plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using the 'name' parameter in a specific shortcode, due to insufficient input sanitization and output escaping.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or other malicious activities.
The WP Social Ninja plugin for WordPress has a vulnerability that allows unauthorized access and modification of its advanced settings, due to a missing capability check in certain functions, enabling unauthenticated attackers to view and modify these settings.
This vulnerability is a problem because it allows malicious actors to access and alter sensitive plugin settings without permission, potentially leading to data breaches, unauthorized changes to social media feeds, or other security issues that can compromise the integrity of the WordPress site.
The HTML Forms – Simple WordPress Forms Plugin for WordPress has a vulnerability that allows unauthenticated attackers to inject arbitrary web scripts into the WordPress admin dashboard by exploiting insufficient sanitization of file upload field metadata, potentially executing malicious scripts when an administrator views form submissions.
This vulnerability is a problem because it enables attackers to inject malicious scripts without needing to authenticate, allowing them to potentially steal sensitive information, take control of the administrator's session, or perform other malicious actions, compromising the security and integrity of the WordPress site.
This vulnerability allows an attacker with physical access to certain ASUS motherboards to install a specially crafted device and software, potentially leading to uncontrolled resource consumption and increased risk of unauthorized direct memory access (DMA).
This vulnerability is a problem because it could allow an attacker to gain unauthorized access to sensitive system memory, potentially leading to data theft, system crashes, or other malicious activities, especially if the attacker has physical access to the system.
This vulnerability allows an attacker to send specially crafted requests to the asComSvc service, potentially causing it to crash or lose some functionality due to an out-of-bounds read error.
This vulnerability is a problem because it can disrupt the normal operation of the affected ASUS motherboard series products, leading to a denial of service or instability in the system.
The ListCheck.exe application developed by Acer contains a vulnerability that allows an authenticated local attacker to replace the original executable with a malicious one, which can then be executed by the system, resulting in elevated privileges.
This vulnerability is a problem because it enables an attacker with local access to gain higher privileges on the system, potentially allowing them to access sensitive information, modify system settings, or install malicious software, thereby compromising the security and integrity of the system.
This vulnerability allows an attacker with physical access to a vulnerable ASRock, ASRockRack, or ASRockInd motherboard to use a specific type of device to read and modify the computer's memory before the operating system loads, bypassing security features.
This is a problem because it enables an attacker to potentially install malware, steal sensitive data, or take control of the system before the operating system's security measures can prevent it, all without needing to authenticate or have any prior access to the system.
The Essential Addons for Elementor plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages, which will execute when a user visits those pages, due to poor input validation in certain features like the Event Calendar widget and Image Masking module.
This vulnerability is a problem because it enables authenticated attackers with moderate access levels to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or taking control of user sessions, which can compromise the security and integrity of the WordPress site.
The CVE-2025-14303 vulnerability allows an unauthenticated physical attacker to read and write arbitrary physical memory on certain MSI motherboard models using a DMA-capable PCIe device, before the operating system kernel and its security features are loaded.
This vulnerability is a problem because it enables an attacker with physical access to the system to potentially access and modify sensitive data, bypass security mechanisms, and gain unauthorized control over the system, all before the operating system's security features can take effect.
This vulnerability allows an unauthorized physical attacker to access and modify the computer's memory using a DMA-capable PCIe device before the operating system's security features are loaded, due to the improper enablement of IOMMU (Input-Output Memory Management Unit) on certain GIGABYTE motherboard models.
This vulnerability is a problem because it enables attackers to bypass the operating system's security measures and access sensitive information, potentially allowing them to install malware, steal data, or take control of the system, all before the OS has a chance to load its security features.
This vulnerability allows an attacker to manipulate the "content" argument in the createComment function of the xiweicheng TMS system, leading to a cross-site scripting (XSS) attack, which can be performed remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the system, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, all from a remote location, without the need for physical access to the system.
The Gutenberg Essential Blocks plugin for WordPress has a vulnerability that allows authenticated attackers with Author-level access or higher to access API keys for external services, such as Instagram and Google Maps, due to insufficient capability checks on certain functions.
This vulnerability is a problem because it allows attackers to gain unauthorized access to sensitive information, such as API keys, which could be used to compromise the security of the website or steal sensitive data.
The Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GT Designer3 allows a local attacker to access plaintext credentials stored in the project file, which can be used to operate GOT2000 or GOT1000 series devices.
This vulnerability is a problem because it enables an unauthorized attacker to obtain sensitive credentials, potentially allowing them to illegally operate critical devices, compromising the security and integrity of the systems controlled by these devices.
The Fuji Electric Monitouch V-SFT-6 system is vulnerable to an attack where a specially crafted project file can cause the system to write data outside of its intended boundaries, potentially allowing an attacker to execute arbitrary code.
This vulnerability is a problem because it could enable an attacker to gain control of the system, allowing them to execute malicious code, steal sensitive information, or disrupt the operation of the system, which could have significant consequences in industrial or other critical environments.
This vulnerability allows an attacker to inject malicious code into the Server MOTD (Message of the Day) component of Crafty Controller, enabling them to perform a stored Cross-Site Scripting (XSS) attack, which can be triggered without the attacker's direct involvement.
This vulnerability is a problem because it enables remote, unauthenticated attackers to execute malicious scripts on the affected system, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the system.
This vulnerability allows a remote, authenticated attacker to execute code on a server by injecting malicious templates into the Webhook Template component of Crafty Controller.
This is a significant issue because it enables attackers to gain control over the server, potentially leading to data breaches, system compromise, and unauthorized access to sensitive information, all due to the high severity score of 9.9.
The CVE-2025-34288 vulnerability allows a local attacker to escalate privileges in Nagios XI versions prior to 2026R1.1 by modifying a writable application file, which is then executed with elevated privileges when a maintenance script is run, resulting in arbitrary code execution as the root user.
This vulnerability is a problem because it enables an attacker with access to a lower-privileged application account to gain root access, allowing them to execute malicious code and potentially compromise the entire system, leading to unauthorized data access, modification, or destruction.
This vulnerability allows a remote attacker to read and write data outside the intended boundaries in the V8 component of Google Chrome, potentially exploiting heap corruption through a crafted HTML page.
This vulnerability is a problem because it could enable attackers to crash the browser, execute arbitrary code, or access sensitive information, posing a significant threat to user data and system security.
This vulnerability allows a remote attacker to exploit heap corruption in Google Chrome's WebGPU feature by using a crafted HTML page, taking advantage of a "use after free" error, which occurs when the program tries to access memory that has already been freed.
This vulnerability is a problem because it can potentially lead to arbitrary code execution, allowing an attacker to gain control over the affected system, steal sensitive information, or cause other malicious activities, making it a significant threat to user security.
The CVE-2025-68274 vulnerability is a nil pointer dereference issue in the SIPGO library's `NewResponseFromRequest` function, which can be triggered by sending a single malformed SIP request without a To header, causing the application to crash.
This vulnerability is a problem because it allows remote attackers to disrupt normal SIP operations, such as call setup, authentication, and message handling, by crashing any SIP application that uses the affected SIPGO library version, potentially leading to denial-of-service attacks.
The CVE-2025-64520 vulnerability allows an unauthorized user with API access to read all knowledge base entries in GLPI, a free asset and IT management software package, affecting versions 9.1.0 to 10.0.20.
This vulnerability is a problem because it exposes sensitive information stored in the knowledge base to unauthorized users, potentially leading to data breaches and security compromises.
This vulnerability allows an attacker to create a specially crafted DICOM file that can cause an out-of-bounds read in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024, potentially leading to an information leak.
This vulnerability is a problem because it can be exploited by an attacker to access sensitive information by providing a malicious DICOM file, which can compromise the security and confidentiality of the data.
This vulnerability allows an attacker to create a specially crafted DICOM file that can cause an out-of-bounds read in the Grassroot DICOM software, potentially leading to an information leak when the file is processed.
This vulnerability is a problem because it can be exploited by attackers to access sensitive information, potentially compromising the confidentiality and integrity of medical imaging data, and putting patient privacy at risk.
This vulnerability allows an attacker to potentially leak sensitive information by exploiting an out-of-bounds read in the Overlay::GrabOverlayFromPixelData functionality of Grassroot DICOM 3.024, using a specially crafted DICOM file.
This vulnerability is a problem because it could allow an attacker to access confidential information by providing a malicious DICOM file, potentially compromising the security and privacy of sensitive data.
This vulnerability allows an attacker to create a specially crafted DICOM file that can cause the Grassroot DICOM software to read data outside of its intended boundaries, potentially leaking sensitive information from the system's memory.
This vulnerability is a problem because it can allow attackers to access sensitive data, potentially including confidential information or other security-related data stored in the system's memory, by providing a maliciously crafted file.
This vulnerability allows an attacker to send specially crafted HTTP requests to the web interface of certain Güralp devices, causing the web service to restart intentionally.
This is a problem because it can lead to a brief denial-of-service condition, disrupting the device's functionality and potentially causing issues for users who rely on it.
This CVE (CVE-2025-0852) was voluntarily withdrawn and does not describe an actual vulnerability.
It is not a problem as the CVE was withdrawn and does not pose any security risk.
A specially crafted packet can cause high CPU utilization in the OSPFv3 process on Arista EOS platforms, potentially leading to the process being restarted and disrupting OSPFv3 routes on the switch.
This vulnerability can cause network disruptions, as the restart of the OSPFv3 process may lead to temporary loss of routes, affecting network connectivity and stability.
The CVE-2025-65834 vulnerability allows an attacker to cause a buffer overflow in Meltytech Shotcut 25.10.31 by manipulating the width and height parameters in MLT project files, leading to a memory access violation during image processing.
This vulnerability is a problem because it can cause the application to crash or potentially allow an attacker to execute malicious code, leading to unauthorized access or data breaches.
The Server Agent component of Fortra's Core Privileged Access Manager (BoKS) has insecure default settings that can lead to the use of weak password hash algorithms, specifically affecting BoKS Server Agent 9.0 instances that support yescrypt in a BoKS 8.1 domain.
This vulnerability is a problem because it allows attackers to potentially crack passwords more easily, gaining unauthorized access to sensitive systems and data, which can lead to security breaches and data compromise.
The CVE-2025-68270 vulnerability allows users with the CourseLimitedStaffRole to access and edit courses in the Open edX Platform's studio, even if they were only granted the role at the organization level, not the course level. It also permits these users to list courses they have the role on, despite not being intended to have studio access.
This vulnerability is a problem because it grants unauthorized access and editing capabilities to users who should not have such privileges, potentially leading to data breaches, course tampering, or other security issues, especially given its high severity score of 9.9.
The CVE-2025-68156 vulnerability affects the Expr expression language library for Go, where certain built-in functions can cause a stack overflow panic due to infinite recursion when evaluating deeply nested or cyclic data structures, leading to a denial-of-service (DoS) risk and causing the host application to crash.
This vulnerability is a problem because it allows an attacker to crash the application by introducing cyclic or deeply nested data structures, resulting in a denial of service, and it can also lead to unexpected process termination, affecting the overall robustness of the library.
The CVE-2025-68155 vulnerability allows an attacker to read any file accessible to the Node.js process by sending a crafted HTTP request to the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` version prior to 0.5.8, during development mode.
This vulnerability is a problem because it enables unauthorized access to sensitive files, potentially leading to data breaches, intellectual property theft, or other malicious activities, without requiring any authentication.
The CVE-2025-68154 vulnerability allows an attacker to inject arbitrary OS commands on Windows systems through the `fsSize()` function in the systeminformation library for node.js, potentially leading to unauthorized command execution.
This vulnerability is a problem because it enables attackers to execute malicious commands on a system, which can result in data breaches, system compromise, or other harmful activities, especially if user-controlled input is passed to the vulnerable function.
The CVE-2025-68150 vulnerability allows clients to specify a custom API URL in the Instagram authentication adapter of Parse Server, which can lead to Server-Side Request Forgery (SSRF) attacks and potentially bypass authentication by accepting fake responses from malicious endpoints.
This vulnerability is a problem because it enables attackers to manipulate the authentication process, potentially allowing unauthorized users to gain access to the system, and also allows for SSRF attacks which can lead to unauthorized access to internal systems or services.
The CVE-2025-68146 vulnerability allows a local attacker to corrupt or truncate arbitrary user files by exploiting a Time-of-Check-Time-of-Use (TOCTOU) race condition in the filelock library for Python, which occurs when the library checks if a file exists before opening it, and an attacker creates a symlink to a victim file in that time gap.
This vulnerability is a problem because it can lead to data loss or corruption, and it affects all users of filelock on various operating systems, including Unix, Linux, macOS, and Windows, with exploitation possible through standard user permissions, making it a significant security risk.
The CVE-2025-65593 vulnerability allows an attacker to perform Cross Site Request Forgery (CSRF) attacks on nopCommerce version 4.90.0, specifically exploiting the Schedule Tasks functionality to trick users into performing unintended actions.
This vulnerability is a problem because it enables attackers to manipulate users into executing malicious requests, potentially leading to unauthorized access, data modification, or other harmful actions, which can compromise the security and integrity of the affected system.
The CVE-2025-65592 vulnerability allows malicious code to be inserted into the "Product Name" and "Short Description" fields of nopCommerce 4.90.0, which is then stored in the database and executed when a user views the affected pages, leading to a Cross Site Scripting (XSS) attack.
This vulnerability is a problem because it enables attackers to inject malicious scripts into the website, potentially allowing them to steal user data, take control of user sessions, or perform other unauthorized actions, compromising the security and integrity of the website and its users.
The CVE-2025-65591 vulnerability allows an attacker to perform Cross Site Scripting (XSS) attacks through the Currencies functionality in nopCommerce version 4.90.0, potentially injecting malicious code into the website.
This vulnerability is a problem because it enables attackers to execute arbitrary code on the website, which can lead to unauthorized access, data theft, and other malicious activities, compromising the security and integrity of the website and its users.
The CVE-2025-65590 vulnerability allows an attacker to perform Cross Site Scripting (XSS) attacks through the Blog posts functionality in the Content Management area of nopCommerce version 4.90.0, potentially injecting malicious scripts into the website.
This vulnerability is a problem because it enables attackers to execute malicious scripts on the website, which can lead to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the website and its users.
The CVE-2025-14553 vulnerability exposes password hashes through an unauthenticated API response in the TP-Link Tapo C210 V.1.8 app on iOS and Android, allowing attackers to potentially brute force the password within the local network.
This vulnerability is a problem because it enables attackers to access password hashes, which can be used to crack the actual passwords, especially weaker ones, and gain unauthorized access to the device and network, potentially leading to data breaches and other security issues.
The CVE-2025-68142 vulnerability is a ReDOS bug in the PyMdown Extensions figure caption extension, which can cause systems to hang when processing maliciously crafted user content.
This vulnerability is a problem because it can lead to prolonged system hangs or slowdowns when processing user-provided data, potentially causing service disruptions or allowing for denial-of-service attacks.