The EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products are vulnerable to brute force attacks because they do not limit the number of authentication attempts, allowing an attacker to repeatedly try different passwords to gain access to an administrative user's account.
This vulnerability is a problem because it enables attackers to guess or crack administrative passwords through relentless guessing, potentially leading to unauthorized access and control of the projector products, which could result in data breaches, malicious configuration changes, or other harmful activities.
The AuthKit library for Next.js has a vulnerability that allows authenticated responses to be cached by CDNs, potentially including sensitive session tokens, when using authkit-nextjs version 2.11.0 or below.
This vulnerability is a problem because it can result in session tokens being served to multiple users, allowing unauthorized access to sensitive information and potentially leading to security breaches.
The CVE-2025-64755 vulnerability allows an attacker to bypass the read-only validation in Claude Code, an agentic coding tool, and write to arbitrary files on the host system due to an error in sed command parsing.
This vulnerability is a problem because it enables unauthorized modifications to files on the host system, potentially leading to data corruption, system compromise, or malicious activity.
The CVE-2025-64751 vulnerability affects OpenFGA, an authorization engine, and allows for improper policy enforcement when specific calls are made, potentially leading to unauthorized access or data exposure.
This vulnerability is a problem because it can compromise the security and integrity of systems that rely on OpenFGA for permission management, potentially allowing malicious actors to bypass restrictions and access sensitive data or perform unauthorized actions.
The CVE-2025-62426 vulnerability affects the vLLM inference and serving engine, allowing an attacker to send a specially crafted request to the /v1/chat/completions and /tokenize endpoints, which can cause the API server to become unresponsive for an extended period.
This vulnerability is a problem because it enables a denial-of-service (DoS) attack, where an attacker can intentionally overload the API server, delaying or blocking all other requests and potentially disrupting critical services that rely on the vLLM engine.
The CVE-2025-62372 vulnerability allows attackers to crash the vLLM engine, which serves large language models, by sending specially crafted multimodal embedding inputs with incorrect shapes, even if the model is not intended to support such inputs.
This vulnerability is a problem because it can be used to disrupt the service of the vLLM engine, potentially leading to downtime and affecting users who rely on it, by exploiting a flaw in the engine's input validation.
The CVE-2025-62164 vulnerability is a memory corruption issue in the vLLM inference and serving engine that can cause a crash or potentially allow remote code execution when processing user-supplied prompt embeddings.
This vulnerability is a problem because it can be exploited by attackers to crash the vLLM server, disrupting service, or potentially execute malicious code on the server, leading to unauthorized access or data breaches.
The CVE-2025-13485 vulnerability allows an attacker to inject malicious SQL code into the itsourcecode Online File Management System 1.0 by manipulating the "Username" argument in the /ajax.php?action=login file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the system's database, potentially leading to unauthorized data breaches, modification, or deletion, which can have serious consequences for the security and integrity of the system.
The CVE-2025-64660 vulnerability allows an authorized attacker to bypass a security feature in GitHub Copilot and Visual Studio Code over a network, due to improper access control.
This vulnerability is a problem because it enables attackers to gain unauthorized access to sensitive information or systems, potentially leading to data breaches, unauthorized modifications, or other malicious activities, even if they already have some level of authorized access.
The CVE-2025-64655 vulnerability allows an unauthorized attacker to gain elevated privileges over a network by exploiting improper authorization in Dynamics OmniChannel SDK Storage Containers.
This vulnerability is a problem because it enables attackers to access sensitive information and perform actions that they should not be allowed to, potentially leading to data breaches, system compromise, and other malicious activities, especially given its high severity score of 8.8.
The Microsoft Defender Portal Spoofing Vulnerability (CVE-2025-62459) allows an attacker to trick users into interacting with a fake Microsoft Defender portal, potentially leading to unauthorized access or malicious activities.
This vulnerability is a problem because it can be used to deceive users into revealing sensitive information, installing malware, or performing unintended actions, which can compromise the security of their systems and data.
The Azure Monitor Elevation of Privilege Vulnerability allows an attacker to gain elevated access and permissions within the Azure Monitor system, potentially giving them control over sensitive data and operations.
This vulnerability is a problem because it could enable unauthorized users to access, modify, or delete critical system resources, leading to data breaches, service disruptions, or other malicious activities, ultimately compromising the security and integrity of the affected systems.
The CVE-2025-59245 vulnerability allows an attacker to gain elevated privileges on Microsoft SharePoint Online, potentially giving them unauthorized access to sensitive information and capabilities.
This vulnerability is a problem because it enables attackers to bypass normal security restrictions, allowing them to perform malicious actions such as accessing confidential data, modifying system settings, or taking control of user accounts, which can lead to significant data breaches and security compromises.
The Azure Bastion Elevation of Privilege Vulnerability allows an attacker to gain higher-level access and control within an Azure Bastion environment, potentially enabling them to perform actions that would normally be restricted.
This vulnerability is a problem because it could allow unauthorized users to gain administrative access, compromising the security and integrity of the Azure Bastion and connected resources, leading to potential data breaches, system compromises, and other malicious activities.
The CVE-2025-36072 vulnerability in IBM webMethods Integration allows an authenticated user to execute arbitrary code on the system by exploiting the deserialization of untrusted object graphs data.
This vulnerability is a problem because it enables an attacker with authenticated access to take control of the system, potentially leading to data breaches, malware installation, or other malicious activities, which can have severe consequences for the security and integrity of the system.
This vulnerability allows an attacker to inject malicious code into the Campcodes Complete Online Beauty Parlor Management System, specifically through the "Name" argument in the /admin/customer-list.php file, leading to a cross-site scripting (XSS) attack that can be initiated remotely.
This vulnerability is a problem because it enables attackers to execute malicious scripts on the system, potentially stealing sensitive data, hijacking user sessions, or taking control of the system, which can compromise the security and integrity of the beauty parlor management system and its users.
The Qlik Sense Enterprise version v14.212.13 has a vulnerability that allows unauthorized access to sensitive information through the /dev-hub/ directory, potentially exposing internal data.
This vulnerability is a problem because it could allow attackers to gain access to confidential information, which could be used for malicious purposes, compromising the security and integrity of the system and its data.
The IBM Concert vulnerability (CVE-2025-36160) allows sensitive server information to be disclosed through HTTP response headers, potentially revealing details about the system.
This vulnerability is a problem because it could provide attackers with valuable information to plan and execute further attacks against the system, compromising its security and potentially leading to unauthorized access or data breaches.
This vulnerability in IBM Concert versions 1.0.0 through 2.0.0 allows a local user to manipulate log files, making it possible to impersonate other users or conceal their own identity by altering the logs.
This vulnerability is a problem because it enables malicious users to disguise their actions, making it difficult to track and identify security breaches or other malicious activities, which can lead to further unauthorized access or damage.
The IBM Concert vulnerability allows a local user with specific permissions to access sensitive information from files by exploiting uncontrolled recursive directory copying in versions 1.0.0 through 2.0.0.
This vulnerability is a problem because it enables unauthorized access to sensitive information, potentially leading to data breaches or other security issues, even if the attacker only has local access and specific permissions.
This vulnerability allows an attacker to embed arbitrary JavaScript code into the IBM Concert Web UI, altering its intended functionality and potentially leading to the disclosure of sensitive credentials within a trusted session.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate the Web UI, potentially stealing credentials and gaining unauthorized access to sensitive information, which could compromise the security and integrity of the system.
This vulnerability allows an attacker to execute arbitrary code with root privileges on Opto22 Groov Manage REST API, affecting GRV-EPIC and groov RIO Products, by injecting malicious commands through a POST request.
This vulnerability is a problem because it enables an attacker with administrative privileges to gain complete control over the affected system, potentially leading to unauthorized access, data breaches, and disruption of critical operations.
This vulnerability allows unauthorized access to camera configuration information through Open Network Video Interface Forum (ONVIF) services without requiring authentication.
This is a problem because it enables attackers to gain access to sensitive camera settings and potentially manipulate them, which could lead to unauthorized surveillance, data breaches, or disruption of camera functionality.
This vulnerability allows attackers to perform brute-force attacks on verification codes in the university-bbs (Blogin) system without authentication, due to a weak verification code generation mechanism and lack of rate limiting, potentially leading to account takeover via password reset or other authentication bypass methods.
This vulnerability is a problem because it enables unauthorized users to gain access to accounts, potentially leading to sensitive information theft, data tampering, or other malicious activities, which can have serious consequences for the security and integrity of the system and its users.
The Quark Cloud Drive v3.23.2 application is vulnerable to DLL Hijacking, which allows an attacker to load and execute a malicious DLL file when the program starts, by placing it in the application's startup directory.
This vulnerability is a problem because it enables an attacker to run malicious code on a user's system, potentially leading to data theft, system compromise, or other harmful activities, simply by tricking the user into launching the application.
The CVE-2025-62674 vulnerability allows unauthorized access to Real Time Streaming Protocol (RTSP) services without requiring authentication, potentially giving attackers access to sensitive camera configuration information.
This vulnerability is a problem because it could allow malicious individuals to gain unauthorized access to camera settings and configuration data, which could be used for malicious purposes such as spying, data theft, or disrupting camera functionality.
The FS Inc S3150-8T2F switch transmits cookies containing usernames and passwords in cleartext using simple base64 encoding during every POST request to the server for its web-based administrative application, for all versions before 2.2.0D Build 135103.
This vulnerability is a problem because it allows unauthorized access to sensitive information, such as usernames and passwords, which can be easily decoded from the base64 encoding, potentially leading to unauthorized control of the switch and the network it manages.
The CVE-2025-55124 vulnerability allows an attacker to inject malicious code into the Revive Adserver's banner-zone.php script, which can lead to a reflected Cross-Site Scripting (XSS) attack, enabling the execution of unauthorized code on a user's browser.
This vulnerability is a problem because it can be exploited by attackers to steal user data, take control of user sessions, or redirect users to malicious websites, ultimately compromising the security and privacy of users interacting with the affected Revive Adserver.
The CVE-2025-55123 vulnerability allows manager accounts in Revive Adserver versions 5.5.2, 6.0.1, and earlier to create malicious input that can launch Cross-Site Scripting (XSS) attacks on their own advertiser users.
This vulnerability is a problem because it enables attackers to inject malicious code into the websites or applications of advertiser users, potentially leading to unauthorized access, data theft, or other malicious activities.
The CVE-2025-52671 vulnerability allows non-admin users to access debug information in SQL error messages in Revive Adserver versions 5.5.2, 6.0.1, and earlier, revealing details about the software, PHP, and database versions being used.
This vulnerability is a problem because it discloses sensitive information about the system's configuration, which could be used by attackers to plan and launch targeted attacks, potentially leading to further exploitation and compromise of the system.
The CVE-2025-52670 vulnerability allows users to delete banners owned by other accounts in Revive Adserver versions 5.5.2, 6.0.1, and earlier, due to a missing authorization check.
This vulnerability is a problem because it enables unauthorized users to manipulate and delete advertisements that belong to other accounts, potentially disrupting ad campaigns, causing financial losses, and compromising the integrity of the ad serving system.
The CVE-2025-52669 vulnerability allows non-admin users to access the contact name and email address of other users in the Revive Adserver system, specifically in versions 5.5.2, 6.0.1, and earlier.
This vulnerability is a problem because it compromises user privacy by exposing sensitive contact information to unauthorized individuals, potentially leading to spam, phishing attacks, or other malicious activities.
The CVE-2025-52668 vulnerability allows an attacker to inject malicious code into the stats-conversions.php script in Revive Adserver versions 5.5.2, 6.0.1, and earlier, potentially leading to information disclosure and session hijacking through a stored XSS (Cross-Site Scripting) attack.
This vulnerability is a problem because it enables attackers to steal sensitive information, hijack user sessions, and potentially gain unauthorized access to the affected system, compromising the security and privacy of users.
The CVE-2025-52667 vulnerability allows a stored XSS (Cross-Site Scripting) attack to occur in Revive Adserver versions 6.0.1, 5.5.2, and earlier, due to a missing JSON Content-Type header in a script, which can be exploited by a logged-in manager user.
This vulnerability is a problem because it enables an attacker to inject malicious code into the system, potentially leading to unauthorized access, data theft, or disruption of service, by exploiting the trust given to a logged-in manager user.
The CVE-2025-52666 vulnerability allows an attacker to exploit improper neutralization of format characters in the settings of Revive Adserver versions 5.5.2, 6.0.1, and earlier, potentially causing a fatal PHP error that disables the admin user console.
This vulnerability is a problem because it can be used to disable administrative access to the Revive Adserver, potentially allowing an attacker to disrupt or take control of the system, and causing significant disruption to advertising services.
The CVE-2025-48987 vulnerability allows an attacker to inject malicious code into the Revive Adserver, specifically versions 5.5.2, 6.0.1, and earlier, through improper neutralization of user input, leading to a potential reflected Cross-Site Scripting (XSS) attack.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially stealing sensitive information, hijacking user sessions, or performing unauthorized actions, which can compromise the security and integrity of the affected system and its users.
The CVE-2025-48986 vulnerability allows an authorized user to bypass security measures in Revive Adserver versions 5.5.2, 6.0.1, and earlier, enabling them to change other users' email addresses and potentially take control of their accounts by exploiting the forgot password feature.
This vulnerability is a problem because it can lead to unauthorized account takeovers, allowing attackers to access sensitive information, make changes to accounts, and potentially disrupt the entire system, compromising the security and integrity of the Revive Adserver platform.
This vulnerability allows an authenticated attacker to add malicious content to the 'Demographic Information' page in Medical Informatics Engineering Enterprise Health, which will be executed when someone else accesses the page.
This is a problem because it enables attackers to inject arbitrary code, potentially leading to unauthorized actions, data theft, or disruption of the system, all of which can compromise the security and integrity of sensitive medical information.
This vulnerability allows attackers to bypass the OAuth authentication process in Clerk-js version 5.88.0 by manipulating the request during the One-Time Password (OTP) verification stage.
This vulnerability is a problem because it enables unauthorized access to protected resources, potentially leading to data breaches, identity theft, or other malicious activities, by circumventing the intended authentication mechanism.
This vulnerability allows an attacker with admin interface access to request an excessively large number of items per page on the "userlog-index.php" page, potentially overwhelming the system.
This vulnerability is a problem because it could lead to a denial of service, where the system becomes unresponsive or crashes due to excessive resource consumption, disrupting normal operations and causing inconvenience to users.
This vulnerability allows an attacker to create a username with leading or trailing whitespace characters, making it appear similar to a legitimate username when displayed in the user interface.
This vulnerability can cause confusion among users and administrators, potentially leading to mistaken identities, unauthorized access, or other security issues, as the username with whitespace may be virtually indistinguishable from its legitimate counterpart.
This vulnerability allows an attacker to store malicious code in the campaign names on advertiser-related pages, which can then be executed when a user interacts with the navigation box at the top of the page, potentially leading to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, which can compromise the security and trust of the website and its users.
This vulnerability allows unauthorized access to ABB Ability Edgenius by bypassing the normal authentication process through an alternate path or channel, affecting versions 3.2.0.0 and 3.2.1.1.
This vulnerability is a significant problem because it enables attackers to gain unauthorized access to the system without being detected, potentially leading to data theft, system compromise, or other malicious activities, especially given its high severity score of 9.6.
The CVE-2025-64524 vulnerability is a heap-buffer-overflow issue in the rastertopclx filter of the cups-filters software, which can cause the program to crash when processing malicious input data, potentially leading to arbitrary code execution.
This vulnerability is a problem because it can be exploited by attackers to trigger memory corruption, potentially allowing them to execute arbitrary code and gain unauthorized access to a system, which can lead to data theft, system compromise, or other malicious activities.
The CVE-2025-63889 vulnerability allows attackers to read arbitrary files on a server by manipulating file paths in template values, specifically targeting the fetch function in ThinkPHP's Template.php file.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the server, potentially leading to data breaches, leakage of confidential information, or further exploitation of the system.
The CVE-2025-63888 vulnerability allows an attacker to execute remote code on a server by exploiting a flaw in the read function of the ThinkPHP 5.0.24 library, specifically in the File.php file.
This vulnerability is a problem because it enables attackers to run malicious code on the server, potentially leading to unauthorized access, data breaches, and system compromise, which can have severe consequences for the security and integrity of the affected system.
This vulnerability allows attackers to perform JNDI (Java Naming and Directory Interface) injection attacks on Dataease, an open source data visualization analysis tool, by exploiting the iiop, corbaname, and iiopname schemes, even after a blacklist was added in version 2.10.14.
This vulnerability is a problem because it enables attackers to potentially execute malicious code, access sensitive data, or take control of the system, compromising the security and integrity of the Dataease application and its associated data.
The Open OnDemand HPC portal creates world-writable locations in the GEM_PATH in versions prior to 4.0.8 and 3.1.16, allowing unauthorized access and modifications.
This vulnerability is a problem because it enables malicious users to write and execute arbitrary code, potentially leading to data breaches, system compromises, and other security threats.
The CVE-2025-64027 vulnerability allows an attacker to inject arbitrary HTML or JavaScript code into the Snipe-IT application when an invalid CSV file is uploaded, causing the code to execute in the browser of any authenticated admin who views the import page.
This vulnerability is a problem because it enables an attacker to execute malicious code on the admin's browser, potentially allowing them to steal sensitive information, perform unauthorized actions, or take control of the admin's session.
This vulnerability allows attackers to execute arbitrary code on a website by storing malicious code in a SWISH Prolog web IDE notebook, which can then be executed when the notebook is accessed.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the website and its users.
This vulnerability allows users to exploit a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files, potentially accessing files outside of the allowed list in Open OnDemand, an open-source HPC portal.
This vulnerability is a problem because it could allow unauthorized access to sensitive files, even though they are still protected by UNIX permissions, which could lead to data breaches or other security issues, particularly in sites that rely on file browser allowlists.
The CVE-2025-62709 vulnerability in ClipBucket v5 allows an attacker to manipulate the server URL by supplying a fake Host header, which can be used to generate password-reset links with the attacker's domain, potentially leading to account takeover.
This vulnerability is a problem because it enables attackers to trick victims into revealing their activation codes, allowing the attackers to reset the victims' passwords and gain unauthorized access to their accounts, compromising the security and privacy of the users.
The Institute-of-Current-Students v1.0 has a vulnerability that allows an attacker to inject malicious SQL code into the database through the `myds` parameter in the `mydetailsstudent.php` endpoint, potentially giving them access to sensitive information.
This vulnerability is a problem because it could allow unauthorized users to extract or modify sensitive data, disrupt the application's functionality, or even gain control of the entire system, leading to serious security breaches and data losses.
The CVE-2025-13437 vulnerability occurs when the zx CLI is invoked with a specific option, causing it to create a symlink to an external directory. Due to a logic error, the function returns the wrong path, leading to the deletion of the target directory instead of the intended symlink.
This vulnerability is a problem because it can result in the unintentional deletion of external directories, specifically the node_modules directory, which can cause significant disruptions to projects and systems that rely on those directories.
The CVE-2025-12121 vulnerability in Lite XL versions 2.1.8 and prior allows an attacker to execute arbitrary commands on a system by exploiting the system.exec function, which constructs shell commands without proper sanitization, potentially through project directory launching, drag-and-drop file handling, or the "open in system" command.
This vulnerability is a problem because it enables an attacker to run arbitrary commands with the same privileges as the Lite XL process, potentially leading to unauthorized access, data theft, or system compromise if an attacker can influence the input to the system.exec function.
The Lite XL software automatically runs a file called .lite_project.lua when opening a project directory, without asking for user confirmation, allowing it to execute Lua code embedded in the file.
This behavior is a problem because it enables the potential execution of malicious Lua code if a user opens a tampered project directory, which could lead to unauthorized actions being performed with the same privileges as the Lite XL application.
The CVE-2025-62875 vulnerability allows local users to crash the OpenSMTPD service due to an improper check for unusual or exceptional conditions.
This vulnerability is a problem because it can be exploited by local users to intentionally disrupt the email service, causing denial-of-service and potentially leading to loss of important emails or system downtime.
The CVE-2025-62731 vulnerability allows an attacker to inject arbitrary HTML and JavaScript code into the SOPlanning website through the /feries endpoint, which is used to manage public holidays. This malicious code will be executed when multiple pages are opened.
This vulnerability is a problem because it enables an attacker to perform Stored Cross-Site Scripting (XSS) attacks, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions. Although only administrators and users with special privileges can access this endpoint by default, it still poses a significant risk if an attacker gains access to these privileged accounts.
The CVE-2025-62730 vulnerability in SOPlanning allows users with the "user_manage_team" role to modify permissions of other users, including assigning administrative permissions to themselves or others, effectively escalating their privileges to admin level.
This vulnerability is a problem because it enables malicious authenticated attackers with the "user_manage_team" role to gain unauthorized administrative access, potentially leading to unauthorized data modifications, breaches, or other malicious activities.
The CVE-2025-62729 vulnerability allows an attacker with an account to inject arbitrary HTML and JavaScript code into the SOPlanning website through the /status endpoint, which can then be executed when multiple pages are opened.
This vulnerability is a problem because it enables malicious users to embed malicious code into the website, potentially leading to unauthorized actions, data theft, or other harmful activities when other users access the affected pages.
The CVE-2025-62297 vulnerability allows an attacker with medium privileges to inject arbitrary HTML and JavaScript code into the SOPlanning website through the /projets endpoint, which will be executed when the edited page is opened.
This vulnerability is a problem because it enables malicious attackers to execute arbitrary code on the website, potentially leading to unauthorized access, data theft, or other malicious activities, by exploiting the Stored XSS vulnerability.
The CVE-2025-62296 vulnerability allows an attacker with medium privileges to inject arbitrary HTML and JavaScript code into the SOPlanning website through the /taches endpoint, which is then rendered and executed when the editor is opened.
This vulnerability is a problem because it enables malicious attackers to execute arbitrary code on the website, potentially leading to unauthorized access, data theft, or other malicious activities, by exploiting the trust that users have in the website.
The CVE-2025-62295 vulnerability allows an attacker to inject arbitrary HTML and JavaScript code into the SOPlanning website through the /groupe_form endpoint, which is then rendered and executed when the editor is opened.
This vulnerability is a problem because it enables malicious attackers with medium privileges to perform Stored Cross-Site Scripting (XSS) attacks, potentially leading to unauthorized access, data theft, or other malicious activities on the website.
The SOPlanning vulnerability allows an attacker to predict and brute-force password recovery tokens, enabling them to take over any account.
This vulnerability is a problem because it allows malicious attackers to gain unauthorized access to user accounts, potentially leading to data theft, tampering, or other malicious activities, all due to the weak password recovery token generation mechanism.
The CVE-2025-62293 vulnerability in SOPlanning allows an authenticated attacker to add, edit, and delete any project status due to a lack of permission checks in the Project Status functionality, specifically in the /status endpoint.
This vulnerability is a problem because it enables unauthorized modifications to project statuses, which can lead to data inconsistency, disruption of project workflows, and potential security breaches by allowing attackers to manipulate project information.
The CVE-2025-60738 vulnerability allows a remote attacker to execute arbitrary code on the Ilevia EVE X1 Server Firmware due to a lack of secure filtering on IP parameters in the ping.php component.
This vulnerability is a problem because it enables attackers to remotely take control of the server, potentially leading to unauthorized access, data theft, or disruption of service, which can have serious consequences for the security and integrity of the system.
This vulnerability allows a remote attacker to execute arbitrary code on the Ilevia EVE X1 Server by exploiting a Cross Site Scripting (XSS) flaw in the /index.php component, affecting firmware versions 4.7.18.0.eden and earlier, with Logic Version 6.00 or earlier.
This vulnerability is a problem because it enables attackers to inject malicious code into the server, potentially leading to unauthorized access, data theft, or disruption of service, which can have serious consequences for the security and integrity of the system.
The IBM Concert vulnerability (CVE-2025-36161) allows a remote attacker to obtain sensitive information by exploiting the lack of HTTP Strict-Transport-Security (HSTS) enforcement, making it possible to intercept data using man-in-the-middle techniques.
This vulnerability is a problem because it enables attackers to access sensitive information, potentially leading to data breaches, eavesdropping, and other malicious activities, which can compromise the security and confidentiality of the affected system.
The BASIS BBj vulnerability allows an attacker to access arbitrary system files on the server by exploiting a weakness in the Jetty-served web endpoint, which fails to properly validate input path segments, enabling unauthenticated directory traversal.
This vulnerability is a problem because it can lead to the exposure of sensitive information, including account credentials used for BBj Enterprise Manager, which can be used to gain administrative access and execute system commands, potentially allowing access to other confidential files on the host.
This vulnerability causes a bug in the filesystem traversal fallback path, leading to an application crash (denial of service) when it encounters an empty directory, due to an "index out of range" error.
This vulnerability is a problem because it can be exploited to deliberately crash an application, resulting in a denial of service, which means that users cannot access the application or its services, potentially causing disruption and loss of productivity.
This CVE (CVE-2024-31405) has been voluntarily withdrawn and does not pose a known security risk.
There is no identified problem or vulnerability associated with this CVE, as it was withdrawn.
The CVE-2025-65226 vulnerability allows an attacker to overflow a buffer by manipulating the deviceId parameter in the /goform/saveParentControlInfo endpoint of the Tenda AC21 router, version V16.03.08.16.
This vulnerability is a problem because it could potentially allow an attacker to execute arbitrary code on the router, leading to unauthorized access, data theft, or disruption of network services.
The CVE-2025-65223 vulnerability allows an attacker to overflow a buffer by manipulating the "urls" parameter in the "/goform/saveParentControlInfo" endpoint of the Tenda AC21 router, version V16.03.08.16, potentially leading to arbitrary code execution.
This vulnerability is a problem because it could enable an attacker to gain control of the router, allowing them to intercept sensitive information, disrupt network traffic, or use the router as a launching point for further attacks on the network.
The CVE-2025-65222 vulnerability allows an attacker to overflow a buffer by manipulating the rebootTime parameter in the /goform/SetSysAutoRebbotCfg endpoint of Tenda AC21 devices running firmware version V16.03.08.16, potentially leading to arbitrary code execution.
This vulnerability is a problem because it could be exploited by an attacker to gain control over the affected device, leading to unauthorized access, data theft, or disruption of network services, which can compromise the security and integrity of the network.
The CVE-2025-65221 vulnerability allows an attacker to overflow a buffer by manipulating the "list" parameter in the /goform/setPptpUserList endpoint of Tenda AC21 devices running firmware version V16.03.08.16, potentially enabling them to execute arbitrary code.
This vulnerability is a problem because it could allow unauthorized access and control of the affected device, leading to potential data theft, disruption of service, or other malicious activities, compromising the security and integrity of the network.
The CVE-2025-65220 vulnerability allows an attacker to exploit a buffer overflow in the Tenda AC21 router's SetVirtualServerCfg function, specifically through the 'list' parameter, potentially enabling them to execute malicious code or crash the system.
This vulnerability is a problem because it could allow unauthorized access to the router, giving attackers the ability to modify settings, intercept sensitive information, or disrupt network services, which could lead to significant security breaches and data loss.
This vulnerability allows an attacker to carry out a reflected Cross-Site Scripting (XSS) attack using phishing techniques on certain Kaspersky products, including Kaspersky Endpoint Security for Linux, Kaspersky Industrial CyberSecurity for Linux Nodes, and Kaspersky Endpoint Security for Mac, with outdated anti-virus databases.
This vulnerability is a problem because it enables attackers to trick users into performing unintended actions, potentially leading to unauthorized access, data theft, or malware installation, which can compromise the security of the affected systems and put sensitive information at risk.
The CVE-2025-62346 vulnerability allows an attacker to trick a user's web browser into performing an unwanted action on a trusted website, specifically on one endpoint of the HCL Glovius Cloud, without the user's knowledge or consent.
This vulnerability is a problem because it enables attackers to exploit the trust between a user and a website, potentially leading to unauthorized actions, data breaches, or other malicious activities, all while appearing to come from the legitimate user.
The CVE-2025-60799 vulnerability in phpPgAdmin 7.13.0 and earlier allows attackers to manipulate session variables by sending user-controlled parameters, potentially storing arbitrary SQL queries in the session, which can lead to unauthorized access or malicious actions.
This vulnerability is a problem because it enables attackers to exploit the application's lack of proper validation and access control checks, potentially resulting in session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data, compromising the security and integrity of the application and its users.
The CVE-2025-60798 vulnerability allows an attacker to inject malicious SQL code into the phpPgAdmin application by manipulating user-controlled input, potentially enabling them to execute arbitrary SQL commands and access sensitive database information.
This vulnerability is a problem because it can lead to a complete database compromise, giving an attacker unauthorized access to sensitive data, allowing them to modify or delete data, and potentially disrupting the entire system.
The CVE-2025-60797 vulnerability allows an attacker to inject malicious SQL code into the phpPgAdmin application through the $_REQUEST['query'] parameter, enabling them to execute arbitrary SQL commands.
This vulnerability is a problem because it can lead to a complete database compromise, allowing attackers to steal sensitive data, modify database structures, or escalate their privileges, potentially gaining full control over the database.
The CVE-2025-60796 vulnerability allows an attacker to inject malicious JavaScript code into the phpPgAdmin application, which is then executed in the user's browser, due to improper encoding or sanitization of user-supplied input.
This vulnerability is a problem because it enables attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions, compromising the security and privacy of users.
The CVE-2025-60794 vulnerability allows session tokens and passwords to be stored in memory without being properly cleared, making them accessible through memory dumps, debugging tools, or other memory access techniques.
This vulnerability is a problem because it creates an opportunity for attackers to extract sensitive data, such as session tokens and passwords, which could lead to session hijacking and unauthorized access to sensitive information.
This vulnerability allows attackers with Contributor-level access or higher to inject malicious scripts into WordPress pages using a flawed library called lightGallery, which is bundled with various plugins and themes. This happens because the library doesn't properly clean and secure user-inputted data.
This is a problem because it enables attackers to execute arbitrary web scripts whenever a user visits an infected page, potentially leading to unauthorized actions, data theft, or further malicious activities on the affected WordPress site.
The CVE-2025-41076 vulnerability allows an external user to send a malformed session cookie to the LimeSurvey system, causing a 500 error and exposing internal backend information, including the framework, database engine, table names, and primary keys.
This vulnerability is a problem because it provides an attacker with valuable information about the internal architecture of the application, making it easier for them to plan and execute further attacks, potentially leading to unauthorized access or data breaches.
The CVE-2025-41075 vulnerability in LimeSurvey 6.13.0 causes infinite HTTP redirects when the /optin endpoint is accessed directly, leading to a potential Denial of Service (DoS) attack by exhausting server or client resources.
This vulnerability is a problem because it can cause service degradation or browser instability due to the system's inability to break the redirect loop, ultimately disrupting the normal functioning of the system and potentially causing resource exhaustion.
The CVE-2025-41074 vulnerability in LimeSurvey 6.13.0 causes infinite HTTP redirects when the /optout endpoint is accessed directly, leading to a potential Denial of Service (DoS) attack by exhausting server or client resources.
This vulnerability is a problem because it can cause service degradation or browser instability due to the system's inability to break the redirect loop, potentially disrupting normal operations and impacting user experience.
This vulnerability allows an attacker to manipulate file system paths on an Email Security appliance by using special sequences of characters (like "../") to access files and directories that are normally restricted.
This is a problem because it could allow unauthorized access to sensitive files and directories, potentially leading to data theft, system compromise, or other malicious activities.
The SonicWall Email Security appliance has a vulnerability that allows attackers to download and load code without verifying its integrity, specifically by modifying root filesystem images without checking their signatures, which can lead to arbitrary code execution.
This vulnerability is a problem because it enables attackers with access to the appliance's VMDK or datastore to modify system files, potentially allowing them to gain persistent and unauthorized control over the system, which can lead to data breaches, malware infections, and other security threats.
This vulnerability allows a remote attacker to overflow a buffer in the SonicOS SSLVPN service, causing a Denial of Service (DoS) that can crash an impacted firewall.
This vulnerability is a problem because it enables an unauthenticated attacker to disrupt the normal functioning of a firewall, potentially leaving a network vulnerable to further attacks and causing downtime.
This vulnerability allows an attacker to manipulate the "manualInstructions" argument in the Payment Instructions Setting Handler of the Public Knowledge Project's Open Journal Systems (OJS) and Open Monograph Press (OMP), leading to a cross-site scripting (XSS) attack, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the system, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, compromising the security and integrity of the affected systems.
The CVE-2025-13468 vulnerability allows an attacker to manipulate the ID argument in the delete functions of the Alumni Management System, potentially bypassing authorization and allowing unauthorized deletion of forum posts, careers, comments, galleries, and events.
This vulnerability is a problem because it enables remote attackers to modify or delete sensitive data without proper authorization, which can lead to data loss, disruption of services, and potential security breaches.
This vulnerability allows an attacker to inject malicious SQL code into the Online Shop Project 1.0 database by manipulating the "Search" argument in the /action.php file, potentially leading to unauthorized data access or modification.
This vulnerability is a problem because it enables remote attackers to exploit the database, potentially stealing sensitive information, modifying data, or disrupting the application's functionality, which can lead to significant security breaches and data losses.
The CVE-2025-13450 vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "f_name" argument in the /shop/register.php file of the SourceCodester Online Shop Project 1.0, which can be initiated remotely.
This vulnerability is a problem because it enables attackers to inject malicious code into the website, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, which can compromise the security and trust of the online shop.
This vulnerability allows an attacker to inject malicious SQL code into the Online Shop Project 1.0's login system by manipulating the password field, potentially giving them unauthorized access to the database.
This vulnerability is a problem because it could allow attackers to remotely access sensitive data, modify database records, or even take control of the entire system, compromising user accounts and confidential information.
This vulnerability allows an attacker to overflow a buffer on the stack by manipulating the timeZone/time argument in the /goform/SetSysTimeCfg file of the Tenda AC21 router, which can be done remotely.
This vulnerability is a problem because it can be exploited by an attacker to potentially execute arbitrary code, gain unauthorized access, or cause the router to crash, compromising the security and stability of the network.
The CVE-2025-13445 vulnerability is a stack-based buffer overflow flaw in the Tenda AC21 router, specifically in the /goform/SetIpMacBind file, which can be exploited by manipulating the argument list, allowing for remote execution of the attack.
This vulnerability is a problem because it can be executed remotely, meaning an attacker can exploit it from anywhere, and the exploit has already been published, making it easily accessible to potential attackers, which could lead to unauthorized access, data theft, or other malicious activities.
This vulnerability allows an attacker to manipulate the "ids" argument in the delete function of the /member/readHistory/delete file in macrozheng mall versions up to 1.0.3, bypassing access controls and potentially deleting unauthorized data.
This vulnerability is a problem because it enables remote exploitation, allowing attackers to access and manipulate sensitive data without proper authorization, which can lead to data loss, unauthorized modifications, and other security breaches.
This vulnerability allows an attacker to inject commands into the system of UTT 进取 750W devices with firmware up to 3.2.2-191225 by manipulating the "policyNames" argument in the /goform/formPdbUpConfig function, which can be done remotely.
This vulnerability is a problem because it enables remote attackers to execute arbitrary commands on the device, potentially leading to unauthorized access, data theft, or disruption of service, and the fact that the exploit has been publicly disclosed increases the risk of attack.
The CVE-2025-13435 vulnerability allows an attacker to manipulate the "filename" argument in the HttpClient Module of Dreampie Resty, leading to a path traversal attack, which can be performed remotely.
This vulnerability is a problem because it enables an attacker to access and potentially modify sensitive files on the system by traversing the directory path, which could lead to data breaches, unauthorized access, or other malicious activities, and the fact that the exploit has been publicly disclosed makes it more likely to be used by attackers.