Latest CVE Feed
-
5.9
MEDIUMCVE-2025-59154
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structur... Read more
Affected Products : openfire- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-59144
debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added ... Read more
Affected Products : debug- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
8.8
HIGHCVE-2025-59143
color is a Javascript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
8.8
HIGHCVE-2025-59142
color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but w... Read more
Affected Products : color-string- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
8.8
HIGHCVE-2025-59140
backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware pay... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
6.8
MEDIUMCVE-2025-56448
The Positron PX360BT SW REV 8 car alarm system is vulnerable to a replay attack due to a failure in implementing rolling code security. The alarm system does not properly rotate or invalidate used codes, allowing repeated reuse of captured transmissions. ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Authentication
-
4.8
MEDIUMCVE-2025-43800
Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a craf... Read more
- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-52344
Multiple Cross Site Scripting (XSS) vulnerabilities in input fields in Explorance Blue 8.1.2 allows attackers to inject arbitrary JavaScript code on the user's browser via the Group name and Project Description input fields.... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-58172
drawnix is an all in one open-source whiteboard tool. In drawnix versions through 0.2.1, a cross-site scripting (XSS) vulnerability exists in the debug logging functionality. User controlled content is inserted directly into the DOM via innerHTML without ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-59145
color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
9.8
CRITICALCVE-2025-57174
An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 which uses static AES encryption keys hardcoded in the b... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cryptography
-
9.8
CRITICALCVE-2025-4688
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BGS Interactive SINAV.LINK Exam Result Module allows SQL Injection.This issue affects SINAV.LINK Exam Result Module: before 1.2.... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Injection
-
2.1
LOWCVE-2025-43798
Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOT... Read more
Affected Products : dxp- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-59162
color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch vers... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
4.8
MEDIUMCVE-2025-6947
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the SIP Proxy module. This vulnerability requires an authenticated administrator session to a locally... Read more
Affected Products : firebox- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.8
MEDIUMCVE-2025-10475
A weakness has been identified in SpyShelter up to 15.4.0.1015. Affected is an unknown function in the library SpyShelter.sys of the component IOCTL Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Denial of Service
-
8.8
HIGHCVE-2025-59141
simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware pa... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
2.3
LOWCVE-2025-10316
The extension "Form to Database" is susceptible to Cross-Site Scripting. This issue affects the following versions: before 2.2.5, from 3.0.0 before 3.2.2, from 4.0.0 before 4.2.3, from 5.0.0 before 5.0.2.... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-45091
Seafile versions 11.0.18-Pro, 12.0.10, and 12.0.10-Pro are vulnerable to a stored Cross-Site Scripting (XSS) attack. An authenticated attacker can exploit this vulnerability by modifying their username to include a malicious XSS payload in notification an... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
3.1
LOWCVE-2025-59399
libocpp before 0.28.0 allows a denial of service (EVerest crash) because a secondary exception is thrown during error message generation.... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Denial of Service