Latest CVE Feed
-
9.8
CRITICALCVE-2025-68932
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows atta... Read more
Affected Products : freshrss- Published: Dec. 27, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Cryptography
-
9.8
CRITICALCVE-2025-66913
JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-14500
IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The... Read more
Affected Products : icewarp- Published: Dec. 23, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-68974
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion.This issue affects WordPress So... Read more
Affected Products : wordpress_social_login_and_register_\(discord\,_google\,_twitter\,_linkedin\)- Published: Dec. 30, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2026-0607
A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remote... Read more
Affected Products : online_music_site- Published: Jan. 06, 2026
- Modified: Jan. 12, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2023-54327
Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentica... Read more
- Published: Dec. 30, 2025
- Modified: Jan. 16, 2026
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2019-25237
V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-15078
A vulnerability was detected in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /list_report.php. The manipulation of the argument sy results in sql injection. The attack may be launched remotely. The ex... Read more
Affected Products : student_management_system- Published: Dec. 25, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2022-50695
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains a network vulnerability that allows unauthenticated attackers to send ICMP signals to arbitrary hosts through network command scripts. Attackers can abuse ping.php, traceroute.php, and dns.php to generat... Read more
Affected Products : stream first_firmware first impact_firmware impact pulse_firmware pulse impact_eco_firmware impact_eco pulse_eco_firmware +8 more products- Published: Dec. 30, 2025
- Modified: Jan. 16, 2026
- Vuln Type: Denial of Service
-
9.8
CRITICALCVE-2025-68983
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion.This issue affects Greenmart: from n/a through <= 4.2.11.... Read more
Affected Products : greenmart- Published: Dec. 30, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-67325
Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution.... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2025-68506
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion.This issue affects Docket Cache: from n/a through <= 24.07.03.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-15243
A flaw has been found in code-projects Simple Stock System 1.0. This affects an unknown function of the file /market/login.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has... Read more
Affected Products : simple_stock_system- Published: Dec. 30, 2025
- Modified: Jan. 02, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-15183
A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This impacts an unknown function of the file /home/viewtakenfd.php. The manipulation of the argument tfid leads to sql injection. The attack is possible to be ... Read more
Affected Products : refugee_food_management_system- Published: Dec. 29, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-15208
A security flaw has been discovered in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/editrefugee.php. The manipulation of the argument rfid results in sql injection. The attack can... Read more
Affected Products : refugee_food_management_system- Published: Dec. 29, 2025
- Modified: Jan. 07, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2022-50794
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'u... Read more
Affected Products : stream first_firmware first impact_firmware impact pulse_firmware pulse impact_eco_firmware impact_eco pulse_eco_firmware +8 more products- Published: Dec. 30, 2025
- Modified: Jan. 13, 2026
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-51511
Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads.... Read more
Affected Products : cadmium_cms- Published: Dec. 23, 2025
- Modified: Jan. 06, 2026
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2025-68926
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both... Read more
Affected Products : rustfs- Published: Dec. 30, 2025
- Modified: Jan. 16, 2026
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-14388
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which opera... Read more
Affected Products : phastpress- Published: Dec. 23, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-15256
A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command inje... Read more
- Published: Dec. 30, 2025
- Modified: Jan. 13, 2026
- Vuln Type: Injection