Latest CVE Feed
-
9.3
CRITICALCVE-2025-66266
The RupsMon.exe service executable in UPSilon 2000 has insecure permissions, allowing the 'Everyone' group Full Control. A local attacker can replace the executable with a malicious binary to execute code with SYSTEM privileges or simply change the config... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Misconfiguration
-
9.3
CRITICALCVE-2023-53969
Screen SFT DAB 600/C firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to th... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
9.3
CRITICALCVE-2025-36754
The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token or authentication in place. This would allow an attacker... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
9.3
CRITICALCVE-2023-53960
SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parame... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Injection
-
9.2
CRITICALCVE-2024-58298
Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parame... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
9.2
CRITICALCVE-2023-53881
ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary ... Read more
Affected Products : reyee_os- Published: Dec. 15, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Misconfiguration
-
9.2
CRITICALCVE-2025-68275
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.... Read more
Affected Products : churchcrm- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Scripting
-
9.2
CRITICALCVE-2025-11541
Stack-based Buffer Overflow vulnerability in Sharp Display Solutions projectors allows a attacker may execute arbitrary commands and programs.... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
9.2
CRITICALCVE-2025-12049
Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 All Verisons allows a attacker may access to the web interface of the affected product without authentication and change settings or perform other ope... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
9.2
CRITICALCVE-2025-66257
Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.2
CRITICALCVE-2024-5539
The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation serv... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
9.2
CRITICALCVE-2025-59366
An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to th... Read more
Affected Products : router- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authentication
-
9.2
CRITICALCVE-2025-40801
A vulnerability has been identified in COMOS V10.6 (All versions), COMOS V10.6 (All versions), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as NX X)), NX V2506 (All versions < V2... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2025-65319
When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party ... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2025-61809
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthor... Read more
Affected Products : coldfusion- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-65318
When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party s... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Misconfiguration
-
9.1
CRITICALCVE-2025-13780
pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on t... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
9.1
CRITICALCVE-2024-49587
Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and au... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-61318
Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. They fail to perform path verification and dangerous code filtering for deletion parameters, ... Read more
Affected Products : emlog- Published: Dec. 08, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Path Traversal
-
9.1
CRITICALCVE-2025-66844
In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered... Read more
- Published: Dec. 15, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Server-Side Request Forgery