Latest CVE Feed
-
5.3
MEDIUMCVE-2025-11913
A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The atta... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-11912
A flaw has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected is the function Query of the file /DeviceState.do?Action=Query. This manipulation of the argument orderField causes sql injection. The attack can be initiated remotely. ... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-11911
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This impacts the function Query of the file /DeviceFault.do?Action=Query. The manipulation of the argument sortField results in sql injection. It is possible to launch the... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-11910
A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This affects the function Query of the file /MemoryState.do?Action=Query. The manipulation of the argument orderField leads to sql injection. It is possible ... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Injection
-
3.0
LOWCVE-2025-62505
LobeChat is an open source chat application platform. The web-crawler package in LobeChat version 1.136.1 allows server-side request forgery (SSRF) in the tools.search.crawlPages tRPC endpoint. A client can supply an arbitrary urls array together with imp... Read more
Affected Products : lobe_chat- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Server-Side Request Forgery
-
0.0
NACVE-2025-56320
Enterprise Contract Management Portal v.22.4.0 is vulnerable to Stored Cross-Site Scripting (XSS) in its chat box component. This allows a remote attacker to execute arbitrary code... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Cross-Site Scripting
-
0.0
NACVE-2025-56316
A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering.... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-56221
A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Authentication
-
0.0
NACVE-2025-56218
An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Misconfiguration
-
6.9
MEDIUMCVE-2025-34282
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a wa... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Server-Side Request Forgery
-
5.1
MEDIUMCVE-2025-34281
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in ... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-11909
A weakness has been identified in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The impacted element is the function queryLast of the file /RepairRecord.do?Action=QueryLast. Executing manipulation of the argument orderField can lead to sql injection... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-11908
A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. ... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Misconfiguration
-
4.0
MEDIUMCVE-2024-31573
XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.... Read more
Affected Products :- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Misconfiguration
-
5.4
MEDIUMCVE-2025-62430
ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 #145 allows stored cross-site scripting (XSS) in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Produ... Read more
Affected Products : clipbucket- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Cross-Site Scripting
-
6.7
MEDIUMCVE-2025-62424
ClipBucket is a web-based video-sharing platform. In ClipBucket version 5.5.2 - #146 and earlier, the /admin_area/template_editor.php endpoint is vulnerable to path traversal. The validation of the file-loading path is inadequate, allowing authenticated a... Read more
Affected Products : clipbucket- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Path Traversal
-
8.7
HIGHCVE-2025-62422
DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitr... Read more
Affected Products : dataease- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Injection
-
5.5
MEDIUMCVE-2025-62421
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a r... Read more
Affected Products : dataease- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Cross-Site Scripting
-
8.2
HIGHCVE-2025-62420
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but r... Read more
Affected Products : dataease- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Misconfiguration
-
8.2
HIGHCVE-2025-62419
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field ... Read more
Affected Products : dataease- Published: Oct. 17, 2025
- Modified: Oct. 17, 2025
- Vuln Type: Injection