Latest CVE Feed
-
9.8
CRITICALCVE-2025-66259
Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php use... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-66258
Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into ... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Cross-Site Scripting
-
9.2
CRITICALCVE-2025-66257
Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.9
CRITICALCVE-2025-66255
Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation all... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authentication
-
9.1
CRITICALCVE-2025-66254
Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter al... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.9
CRITICALCVE-2025-66253
Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec()... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-66289
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid i... Read more
Affected Products : orangehrm- Published: Nov. 29, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authentication
-
8.4
HIGHCVE-2025-66252
Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Denial of Service
-
9.1
CRITICALCVE-2025-66251
Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-66250
Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary ... Read more
- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authentication
-
5.3
MEDIUMCVE-2025-66290
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restric... Read more
Affected Products : orangehrm- Published: Nov. 29, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authorization
-
6.1
MEDIUMCVE-2025-21621
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to exe... Read more
- Published: Nov. 25, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-66291
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, withou... Read more
Affected Products : orangehrm- Published: Nov. 29, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authorization
-
6.1
MEDIUMCVE-2025-65237
A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-63700
An issue was discovered in clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage. NOTE: this is disputed by the Supplier because there is no available information to reproduce ... Read more
Affected Products :- Published: Nov. 20, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-45311
Insecure permissions in fail2ban-client v0.11.2 allows attackers with limited sudo privileges to perform arbitrary operations as root. NOTE: this is disputed by multiple parties because the action for a triggered rule can legitimately be an arbitrary oper... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Misconfiguration
-
7.5
HIGHCVE-2025-64344
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua... Read more
Affected Products : suricata- Published: Nov. 26, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Memory Corruption
-
4.9
MEDIUMCVE-2025-66303
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expr... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Denial of Service
-
6.8
MEDIUMCVE-2025-66302
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vu... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2025-66297
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalat... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Injection