Latest CVE Feed
-
7.5
HIGHCVE-2025-65562
The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/un... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-65561
An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-65559
An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR?PDI?F-TEID has CH=1... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
9.8
CRITICALCVE-2025-63389
A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unautho... Read more
Affected Products : ollama- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-63387
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement prope... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-56157
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-14960
A security vulnerability has been detected in code-projects Simple Blood Donor Management System 1.0. Impacted is an unknown function of the file /editeddonor.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the at... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-14959
A weakness has been identified in code-projects Simple Stock System 1.0. This issue affects some unknown processing of the file /market/signup.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remot... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
5.3
MEDIUMCVE-2025-14958
A security flaw has been discovered in floooh sokol up to 33e2271c431bf21de001e972f72da17a984da932. This vulnerability affects the function _sg_pipeline_common_init in the library sokol_gfx.h. Performing manipulation results in heap-based buffer overflow.... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
6.3
MEDIUMCVE-2025-14955
A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to lau... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
6.8
MEDIUMCVE-2025-41697
An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
4.6
MEDIUMCVE-2025-41696
An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
7.1
HIGHCVE-2025-41695
An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerabilit... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-41694
A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the websserver.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
4.3
MEDIUMCVE-2025-41693
A low privileged remote attacker can use the ssh feature to execute commands directly after login. The process stays open and uses resources which leads to a reduced performance of the management functions. Switching functionality is not affected.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
6.8
MEDIUMCVE-2025-41692
A high privileged remote attacker with admin privileges for the webUI can brute-force the "root" and "user" passwords of the underlying OS due to a weak password generation algorithm.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
5.3
MEDIUMCVE-2025-55181
Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads ... Read more
Affected Products : proxygen- Published: Dec. 02, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-14823
In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The value... Read more
Affected Products : screenconnect- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
6.1
MEDIUMCVE-2025-9787
Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.... Read more
Affected Products : manageengine_applications_manager- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
0.0
NACVE-2025-68324
In the Linux kernel, the following vulnerability has been resolved: scsi: imm: Fix use-after-free bug caused by unfinished delayed work The delayed work item 'imm_tq' is initialized in imm_attach() and scheduled via imm_queuecommand() for processing SCS... Read more
Affected Products : linux_kernel- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Race Condition