Latest CVE Feed
-
9.8
CRITICALCVE-2025-9762
The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to uploa... Read more
Affected Products :- Published: Sep. 30, 2025
- Modified: Oct. 02, 2025
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2025-59740
Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a... Read more
Affected Products : e-tms- Published: Oct. 02, 2025
- Modified: Oct. 02, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-10779
A vulnerability was found in D-Link DCS-935L up to 1.13.01. The impacted element is the function sub_402280 of the file /HNAP1/. The manipulation of the argument HNAP_AUTH/SOAPAction results in stack-based buffer overflow. The attack may be launched remot... Read more
- Published: Sep. 22, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-11139
A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Affected is the function uploadStudioFile of the component com.artery.form.services.FormStudioUpdater. This manipulation of the argument filepath causes path traversal. Remote exploitation of... Read more
Affected Products : zhiyou_erp- Published: Sep. 29, 2025
- Modified: Oct. 03, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-10789
A vulnerability was identified in SourceCodester Online Hotel Reservation System 1.0. The impacted element is an unknown function of the file deleteslide.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is... Read more
- Published: Sep. 22, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-10851
A security flaw has been discovered in Campcodes Gym Management System 1.0. Impacted is an unknown function of the file /ajax.php?action=login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attac... Read more
Affected Products : gym_management_system- Published: Sep. 23, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-57602
Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot ... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 23, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-10802
A flaw has been found in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/remove.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit... Read more
Affected Products : online_bidding_system- Published: Sep. 22, 2025
- Modified: Sep. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-57601
AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 23, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-57441
The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol preamble that leaks the video mode, routing configuratio... Read more
- Published: Sep. 22, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Information Disclosure
-
9.8
CRITICALCVE-2025-10799
A security flaw has been discovered in code-projects Hostel Management System 1.0. The affected element is an unknown function of the file /justines/admin/mod_reservation/index.php?view=view. Performing manipulation of the argument ID results in sql injec... Read more
- Published: Sep. 22, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-35042
Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to a remote attacker logging in and gaining the privileges... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-10793
A vulnerability was detected in code-projects E-Commerce Website 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/admin_account_delete.php. Performing manipulation of the argument user_id results in sql injection. It is p... Read more
- Published: Sep. 22, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-10785
A vulnerability was detected in Campcodes Grocery Sales and Inventory System 1.0. This affects an unknown part of the file /manage_user.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The ex... Read more
Affected Products : grocery_sales_and_inventory_system- Published: Sep. 22, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-26399
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass ... Read more
Affected Products : web_help_desk- Published: Sep. 23, 2025
- Modified: Sep. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-10832
A vulnerability was found in SourceCodester Pet Grooming Management Software 1.0. The affected element is an unknown function of the file /admin/fetch_product_details.php. The manipulation of the argument barcode results in sql injection. The attack may b... Read more
Affected Products : pet_grooming_management_software- Published: Sep. 23, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-59736
Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a... Read more
Affected Products : e-tms- Published: Oct. 02, 2025
- Modified: Oct. 02, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-10782
A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Affected is an unknown function of the file /admin/class.php. Performing manipulation of the argument class_name results in sql injection. The attack is possible to be... Read more
Affected Products : online_learning_management_system- Published: Sep. 22, 2025
- Modified: Sep. 23, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-10796
A vulnerability was found in code-projects Hostel Management System 1.0. This vulnerability affects unknown code of the file /justines/admin/login.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. T... Read more
- Published: Sep. 22, 2025
- Modified: Sep. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-10801
A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. This affects an unknown function of the file /admin/edit_tax.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be c... Read more
Affected Products : pet_grooming_management_software- Published: Sep. 22, 2025
- Modified: Sep. 24, 2025
- Vuln Type: Injection