Latest CVE Feed
-
6.0
MEDIUMCVE-2025-49643
An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.... Read more
Affected Products : zabbix- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Denial of Service
-
4.8
MEDIUMCVE-2025-13795
A weakness has been identified in codingWithElias School Management System up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. Affected is an unknown function of the file /student-view.php of the component Edit Student Info Page. This manipulation of the argu... Read more
Affected Products :- Published: Nov. 30, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
6.8
MEDIUMCVE-2025-27232
An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.... Read more
Affected Products : zabbix- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Path Traversal
-
4.2
MEDIUMCVE-2025-66433
HTCondor Access Point before 25.3.1 allows an authenticated user to impersonate other users on the local machine by submitting a batch job. This is fixed in 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3.... Read more
Affected Products : htcondor- Published: Nov. 30, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authentication
-
5.0
MEDIUMCVE-2025-66432
In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.... Read more
Affected Products :- Published: Nov. 30, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authentication
-
8.4
HIGHCVE-2025-66223
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same ... Read more
Affected Products : openobserve- Published: Nov. 29, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
5.9
MEDIUMCVE-2025-41739
An unauthenticated remote attacker, who beats a race condition, can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Race Condition
-
6.1
MEDIUMCVE-2025-66036
Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting (XSS) in the input handling component. This issue has been patched in version 2.4.7.... Read more
Affected Products :- Published: Nov. 29, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
4.8
MEDIUMCVE-2025-41070
Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be... Read more
Affected Products :- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
7.8
HIGHCVE-2025-41700
An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.... Read more
Affected Products : development_system- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Misconfiguration
-
6.1
MEDIUMCVE-2025-13819
Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks.... Read more
Affected Products :- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Misconfiguration