Latest CVE Feed
-
7.5
HIGHCVE-2025-10091
A vulnerability has been found in Jinher OA up to 1.2. This affects an unknown function of the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add of the component XML Handler. The manipulation leads to xml external entity reference. Re... Read more
Affected Products : jinher_oa- Published: Sep. 08, 2025
- Modified: Sep. 08, 2025
- Vuln Type: XML External Entity
-
7.5
HIGHCVE-2025-56406
An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP s... Read more
Affected Products :- Published: Sep. 10, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Information Disclosure
-
7.5
HIGHCVE-2025-52044
In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into inventory_dimensions_dict parameter.... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 17, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-59049
Mockoon provides way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving follows the same approach presented in the documentation page, where the server filename is generated via templating features from u... Read more
Affected Products :- Published: Sep. 10, 2025
- Modified: Sep. 11, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-43375
The issue was addressed with improved checks. This issue is fixed in Xcode 26. Processing an overly large path value may crash a process.... Read more
Affected Products : xcode- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-9848
A security vulnerability has been detected in ScriptAndTools Real Estate Management System 1.0. The affected element is an unknown function of the file /admin/userlist.php. Such manipulation leads to execution after redirect. The attack can be executed re... Read more
Affected Products : real_estate_management_system- Published: Sep. 03, 2025
- Modified: Sep. 10, 2025
- Vuln Type: Information Disclosure
-
7.5
HIGHCVE-2025-8696
If an unauthenticated user sends a large amount of data to the Stork UI, it may cause memory and disk use problems for the system running the Stork server. This issue affects Stork versions 1.0.0 through 2.3.0.... Read more
Affected Products : stork- Published: Sep. 10, 2025
- Modified: Sep. 11, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-29421
PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the getThemeFileContent function.... Read more
Affected Products : perfreeblog- Published: Aug. 25, 2025
- Modified: Aug. 26, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-36853
A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Per CWE-122: Heap-based Buffer Overflow, a heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in th... Read more
Affected Products :- Published: Sep. 08, 2025
- Modified: Sep. 08, 2025
-
7.5
HIGHCVE-2025-53326
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodeYatri Gutenify allows PHP Local File Inclusion. This issue affects Gutenify: from n/a through 1.5.6.... Read more
Affected Products :- Published: Aug. 28, 2025
- Modified: Aug. 29, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-58754
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memor... Read more
Affected Products : axios- Published: Sep. 12, 2025
- Modified: Sep. 15, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-6984
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() witho... Read more
Affected Products : langchain- Published: Sep. 04, 2025
- Modified: Sep. 04, 2025
- Vuln Type: XML External Entity
-
7.5
HIGHCVE-2025-6203
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resu... Read more
Affected Products : vault- Published: Aug. 28, 2025
- Modified: Aug. 29, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-55238
Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability... Read more
- Published: Sep. 04, 2025
- Modified: Sep. 10, 2025
-
7.5
HIGHCVE-2025-29420
PerfreeBlog v4.0.11 has a directory traversal vulnerability in the getThemeFilesByName function.... Read more
Affected Products : perfreeblog- Published: Aug. 25, 2025
- Modified: Aug. 26, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-10448
A flaw has been found in Campcodes Online Job Finder System 1.0. This affects an unknown function of the file /index.php?q=result&searchfor=bycompany. This manipulation of the argument Search causes sql injection. The attack can be initiated remotely. The... Read more
Affected Products : online_job_finder_system- Published: Sep. 15, 2025
- Modified: Sep. 15, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-7731
Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLMP communication messages, and read ... Read more
Affected Products : melsec_iq-fx5u-32mt\/es_firmware melsec_iq-fx5u-32mt\/ds_firmware melsec_iq-fx5u-32mt\/ess_firmware melsec_iq-fx5u-32mt\/dss_firmware melsec_iq-fx5u-32mr\/es_firmware melsec_iq-fx5u-32mr\/ds_firmware melsec_iq-fx5u-64mt\/es_firmware melsec_iq-fx5u-64mt\/ds_firmware melsec_iq-fx5u-64mt\/ess_firmware melsec_iq-fx5u-64mt\/dss_firmware +11 more products- Published: Sep. 01, 2025
- Modified: Sep. 02, 2025
- Vuln Type: Information Disclosure
-
7.5
HIGHCVE-2025-58358
Markdownify is a Model Context Protocol server for converting almost anything to Markdown. Versions below 0.0.2 contain a command injection vulnerability, caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an a... Read more
Affected Products :- Published: Sep. 04, 2025
- Modified: Sep. 04, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-57889
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 InPost Gallery allows PHP Local File Inclusion. This issue affects InPost Gallery: from n/a through 2.1.4.5.... Read more
Affected Products : inpost_gallery- Published: Sep. 05, 2025
- Modified: Sep. 05, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-9935
A vulnerability was determined in TOTOLINK N600R 4.3.0cu.7866_B20220506. This vulnerability affects the function sub_4159F8 of the file /web_cste/cgi-bin/cstecgi.cgi. Executing manipulation can lead to command injection. The attack can be executed remotel... Read more
Affected Products : n600r_firmware- Published: Sep. 04, 2025
- Modified: Sep. 04, 2025
- Vuln Type: Injection