Latest CVE Feed
- 
                                
                                6.1MEDIUMCVE-2025-52885Poppler ia a library for rendering PDF files, and examining or modifying their structure. A use-after-free (write) vulnerability has been detected in versions Poppler prior to 25.10.0 within the StructTreeRoot class. The issue arises from the use of raw p... Read more Affected Products : poppler- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Memory Corruption
 
- 
                                
                                6.1MEDIUMCVE-2025-52647The BigFix WebUI application responds with HOST information from the HTTP header field making it vulnerable to Host Header Poisoning Attacks.... Read more Affected Products : bigfix_webui- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Misconfiguration
 
- 
                                
                                5.5MEDIUMCVE-2025-11626MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service... Read more Affected Products : wireshark- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Denial of Service
 
- 
                                
                                5.5MEDIUMCVE-2025-61912python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00... Read more Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Denial of Service
 
- 
                                
                                5.5MEDIUMCVE-2025-61911python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict... Read more Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Injection
 
- 
                                
                                8.8HIGHCVE-2025-11589A security flaw has been discovered in CodeAstro Gym Management System 1.0. Affected is an unknown function of the file /admin/user-payment.php. Performing manipulation of the argument plan results in sql injection. It is possible to initiate the attack r... Read more Affected Products : gym_management_system- Published: Oct. 10, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Injection
 
- 
                                
                                8.8HIGHCVE-2025-11588A vulnerability was identified in CodeAstro Gym Management System 1.0. This impacts an unknown function of the file /customer/index.php. Such manipulation of the argument fullname leads to sql injection. The attack may be performed from remote. The exploi... Read more Affected Products : gym_management_system- Published: Oct. 10, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Injection
 
- 
                                
                                9.8CRITICALCVE-2025-11586A vulnerability was determined in Tenda AC7 15.03.06.44. This affects an unknown function of the file /goform/setNotUpgrade. This manipulation of the argument newVersion causes stack-based buffer overflow. The attack is possible to be carried out remotely... Read more - Published: Oct. 10, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Memory Corruption
 
- 
                                
                                9.8CRITICALCVE-2025-11585A vulnerability was found in code-projects Project Monitoring System 1.0. The impacted element is an unknown function of the file /useredit.php. The manipulation of the argument uid results in sql injection. The attack can be executed remotely. The exploi... Read more - Published: Oct. 10, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection
 
- 
                                
                                9.8CRITICALCVE-2025-11584A vulnerability has been found in code-projects Online Job Search Engine 1.0. The affected element is an unknown function of the file /searchjob.php. The manipulation of the argument txtspecialization leads to sql injection. Remote exploitation of the att... Read more - Published: Oct. 10, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection
 
- 
                                
                                5.1MEDIUMCVE-2025-62245Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments... Read more - Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Cross-Site Request Forgery
 
- 
                                
                                5.3MEDIUMCVE-2025-62158Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploade... Read more Affected Products : learning- Published: Oct. 10, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Misconfiguration
 
- 
                                
                                8.8HIGHCVE-2025-61930Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST requ... Read more Affected Products : emlog- Published: Oct. 10, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Cross-Site Request Forgery
 
- 
                                
                                9.6CRITICALCVE-2025-61929Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes t... Read more Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Injection
 
- 
                                
                                7.2HIGHCVE-2025-61927Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context i... Read more Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Misconfiguration
 
- 
                                
                                6.5MEDIUMCVE-2025-61925Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on o... Read more Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Misconfiguration
 
- 
                                
                                2.7LOWCVE-2025-61921Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used whe... Read more Affected Products : sinatra- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Denial of Service
 
- 
                                
                                7.5HIGHCVE-2025-61920Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or... Read more Affected Products : authlib- Published: Oct. 10, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Denial of Service
 
- 
                                
                                7.5HIGHCVE-2025-61919Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcin... Read more Affected Products : rack- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Denial of Service
 
- 
                                
                                8.3HIGHCVE-2025-55903A HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the "Bill To" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documen... Read more Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Cross-Site Scripting
 
 
                         
                         
                         
                                             
                                            