Latest CVE Feed
-
9.8
CRITICALCVE-2025-65235
OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
7.7
HIGHCVE-2025-12758
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a se... Read more
Affected Products : validator- Published: Nov. 27, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Denial of Service
-
7.1
HIGHCVE-2025-11461
Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.... Read more
Affected Products : frappe_crm- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-64050
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is e... Read more
Affected Products : redaxo- Published: Nov. 25, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
4.8
MEDIUMCVE-2025-64049
A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits a... Read more
Affected Products : redaxo- Published: Nov. 25, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Cross-Site Scripting
-
9.0
CRITICALCVE-2025-66224
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into th... Read more
Affected Products : orangehrm- Published: Nov. 29, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
8.9
HIGHCVE-2025-66263
Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_s... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-66262
Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arb... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.9
CRITICALCVE-2025-66261
Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-66260
PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-66225
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originall... Read more
Affected Products : orangehrm- Published: Nov. 29, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-66259
Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php use... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-66258
Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into ... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Cross-Site Scripting
-
9.2
CRITICALCVE-2025-66257
Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.9
CRITICALCVE-2025-66255
Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation all... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-66254
Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter al... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.9
CRITICALCVE-2025-66253
Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec()... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-66289
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid i... Read more
Affected Products : orangehrm- Published: Nov. 29, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authentication
-
8.4
HIGHCVE-2025-66252
Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Denial of Service
-
9.1
CRITICALCVE-2025-66251
Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal