Latest CVE Feed
-
8.2
HIGHCVE-2025-61536
FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer tha... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Server-Side Request Forgery
-
8.2
HIGHCVE-2025-22381
Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
-
9.9
CRITICALCVE-2025-60306
code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations.... Read more
Affected Products : simple_car_rental_system- Published: Oct. 10, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Authentication
-
4.1
MEDIUMCVE-2025-60308
code-projects Simple Online Hotel Reservation System 1.0 has a Cross Site Scripting (XSS) vulnerability in the Add Room function of the online hotel reservation system. Malicious JavaScript code is entered in the Description field, which can leak the admi... Read more
- Published: Oct. 10, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Cross-Site Scripting
-
9.4
CRITICALCVE-2025-60269
JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls function located in the src/main/java/org/jeecgframework/web/cgreport/controller/excel/CgExportExcelController.java file.... Read more
Affected Products : jeewms- Published: Oct. 10, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-60268
An arbitrary file upload vulnerability exists in JeeWMS 20250820, which is caused by the lack of file checking in the saveFiles function in /jeewms/cgUploadController.do. An attacker with normal privileges was able to upload a malicious file that would le... Read more
Affected Products : jeewms- Published: Oct. 10, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Misconfiguration
-
9.2
CRITICALCVE-2017-20205
Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function `nexttoken` copies characters from an input string into a fixed-size stack buffer without performing bounds chec... Read more
Affected Products :- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Memory Corruption
-
9.3
CRITICALCVE-2018-25117
VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation... Read more
Affected Products :- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Supply Chain
-
9.3
CRITICALCVE-2023-7311
BYTEVALUE Intelligent Flow Control Router contains a command injection vulnerability via the /goform/webRead/open endpoint. The `path` parameter is not properly validated and is echoed into a shell context, allowing an attacker to inject and execute arbit... Read more
Affected Products :- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
-
4.3
MEDIUMCVE-2025-11176
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled ke... Read more
Affected Products :- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Authorization
-
0.0
NACVE-2025-39969
In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF state I40E_VF_STATE_ACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is all... Read more
Affected Products : linux_kernel- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Authorization
-
0.0
NACVE-2025-39970
In the Linux kernel, the following vulnerability has been resolved: i40e: fix input validation logic for action_meta Fix condition to check 'greater or equal' to prevent OOB dereference.... Read more
Affected Products : linux_kernel- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Memory Corruption
-
8.6
HIGHCVE-2025-59051
The FreePBX Endpoint Manager module includes a Network Scanning feature that provides web-based access to nmap functionality for network device discovery. In Endpoint Manager 16 before 16.0.92 and 17 before 17.0.6, insufficiently sanitized user-supplied i... Read more
Affected Products : freepbx- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
-
5.5
MEDIUMCVE-2025-33177
NVIDIA Jetson Linux and IGX OS contain a vulnerability in NvMap, where improper tracking of memory allocations could allow a local attacker to cause memory overallocation. A successful exploitation of this vulnerability might lead to denial of service.... Read more
Affected Products :- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Memory Corruption
-
9.5
CRITICALCVE-2025-62376
pwn.college DOJO is an education platform for learning cybersecurity. In versions up to and including commit 781d91157cfc234a434d0bab45cbcf97894c642e, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to acc... Read more
Affected Products :- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Authentication
-
0.0
NACVE-2025-39986
In the Linux kernel, the following vulnerability has been resolved: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Sending an PF_PACKET allows to bypass the CAN framework logic and to directly reach the xmit() function of a CAN dri... Read more
Affected Products : linux_kernel- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Memory Corruption
-
0.0
NACVE-2025-39971
In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg().... Read more
Affected Products : linux_kernel- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
-
0.0
NACVE-2025-39968
In the Linux kernel, the following vulnerability has been resolved: i40e: add max boundary check for VF filters There is no check for max filters that VF can request. Add it.... Read more
Affected Products : linux_kernel- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Misconfiguration
-
0.0
NACVE-2025-39966
In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix race during abort for file descriptors fput() doesn't actually call file_operations release() synchronously, it puts the file on a work queue and it will be released eventu... Read more
Affected Products : linux_kernel- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Race Condition
-
7.5
HIGHCVE-2025-11501
The Dynamically Display Posts plugin for WordPress is vulnerable to SQL Injection via the 'tax_query' parameter in all versions up to, and including, 1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the... Read more
Affected Products :- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection