Latest CVE Feed
-
9.8
CRITICALCVE-2025-68496
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-68565
Missing Authorization vulnerability in JayBee Twitch Player ttv-easy-embed-player allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Twitch Player: from n/a through <= 2.1.3.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-14952
A vulnerability was detected in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_category.php. Performing manipulation of the argument txtCategoryName results in sql injection. The attack is possible to be ... Read more
Affected Products : supplier_management_system- Published: Dec. 19, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-14950
A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possibl... Read more
Affected Products : scholars_tracking_system- Published: Dec. 19, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-64188
Incorrect Privilege Assignment vulnerability in PenciDesign Soledad soledad allows Privilege Escalation.This issue affects Soledad: from n/a through <= 8.6.9.... Read more
Affected Products : soledad- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-13798
A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Executing manipulation of the argument mac can lead to command injection. The attack may be performed from remote. The exploi... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-14571
A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /borrow_book.php. Such manipulation of the argument roll_number leads to sql injection. The attack may... Read more
Affected Products : advanced_library_management_system- Published: Dec. 12, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-14004
A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing manipulation results in server-side request forgery. R... Read more
Affected Products : xunruicms- Published: Dec. 04, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Server-Side Request Forgery
-
9.8
CRITICALCVE-2025-14015
A weakness has been identified in H3C Magic B0 up to 100R002. This impacts the function EditWlanMacList of the file /goform/aspForm. This manipulation of the argument param causes buffer overflow. Remote exploitation of the attack is possible. The exploit... Read more
- Published: Dec. 04, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-14940
A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack ... Read more
Affected Products : scholars_tracking_system- Published: Dec. 19, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-13675
The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthentic... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2020-36897
QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath... Read more
Affected Products : qihang_media_web_digital_signage- Published: Dec. 10, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-54303
The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user ... Read more
Affected Products : torrent_suite_software- Published: Dec. 04, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-14639
A vulnerability was detected in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /uprec.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is n... Read more
Affected Products : student_management_system- Published: Dec. 14, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-14216
A vulnerability was determined in code-projects Currency Exchange System 1.0. This issue affects some unknown processing of the file /viewserial.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remot... Read more
Affected Products : currency_exchange_system- Published: Dec. 08, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-41732
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.... Read more
- Published: Dec. 10, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-67506
PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it t... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-41730
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.... Read more
- Published: Dec. 10, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-13783
A security flaw has been discovered in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. This affects the function check/uncheck/delete of the file application/Comment/Controller/CommentadminController.class.php of the component CommentadminCon... Read more
Affected Products : wtcms- Published: Nov. 30, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-65823
The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access t... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration