Latest CVE Feed
-
6.1
MEDIUMCVE-2025-42920
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input i... Read more
Affected Products : supplier_relationship_management- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2025-58449
Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing f... Read more
Affected Products :- Published: Sep. 08, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authentication
-
9.3
CRITICALCVE-2025-58450
pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from inject... Read more
Affected Products :- Published: Sep. 08, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Injection
-
4.3
MEDIUMCVE-2025-42918
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-42915
Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups.This issue could impact both the confidentialit... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authorization
-
8.4
HIGHCVE-2025-55849
WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee... Read more
Affected Products :- Published: Sep. 08, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Injection
-
7.3
HIGHCVE-2025-9161
A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquito plugins, which can be used to achieve remote code execution.... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Misconfiguration
-
6.7
MEDIUMCVE-2025-43722
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper privilege management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.... Read more
Affected Products : powerscale_onefs- Published: Sep. 08, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authorization
-
8.2
HIGHCVE-2025-33045
APTIOV contains vulnerabilities in the BIOS where a privileged user may cause “Write-what-where Condition” and “Exposure of Sensitive Information to an Unauthorized Actor” through local access. The successful exploitation of these vulnerabilities can lead... Read more
Affected Products : aptio_v- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Information Disclosure
-
8.6
HIGHCVE-2025-9065
A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® s... Read more
Affected Products : thinmanager- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Server-Side Request Forgery
-
4.6
MEDIUMCVE-2025-43776
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13,... Read more
- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Cross-Site Scripting
-
5.9
MEDIUMCVE-2025-47416
A vulnerability exists in the ConsoleFindCommandMatchList function in libsymproc. so imported by ctpd that may lead to unauthorized execution of an attacker-defined file that gets prioritized by the ConsoleFindCommandMatchList. A third-party researcher... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Path Traversal
-
4.3
MEDIUMCVE-2025-42923
Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and avail... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.5
HIGHCVE-2025-10115
A vulnerability was determined in SiempreCMS up to 1.3.6. This affects an unknown part of the file user_search_ajax.php. This manipulation of the argument name/userName causes sql injection. The attack may be initiated remotely. The exploit has been publi... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Injection
-
3.1
LOWCVE-2025-8277
A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to c... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Denial of Service
-
9.1
CRITICALCVE-2025-42958
Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalit... Read more
Affected Products : netweaver- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-42917
SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality an... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-42912
SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and avai... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authorization
-
8.6
HIGHCVE-2025-7350
A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. This can lead to remote code execution by uploading and running malicious configurations without authentication.... Read more
Affected Products :- Published: Sep. 09, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Authentication
-
8.6
HIGHCVE-2025-58444
The MCP inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious... Read more
Affected Products :- Published: Sep. 08, 2025
- Modified: Sep. 09, 2025
- Vuln Type: Cross-Site Scripting