Latest CVE Feed
-
7.3
HIGHCVE-2025-7647
The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded directory path `/tmp/llama_index` is used on Linux systems without proper security controls. This vulnerability ... Read more
Affected Products : llamaindex- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Misconfiguration
-
5.3
MEDIUMCVE-2025-11112
A security vulnerability has been detected in PHPGurukul Employee Record Management System 1.3. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument First name leads to cross site scripting. The attack can be laun... Read more
Affected Products : employee_record_management_system- Published: Sep. 28, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-11074
A flaw has been found in code-projects Project Monitoring System 1.0. The impacted element is an unknown function of the file /login.php. This manipulation of the argument username/password causes sql injection. The attack may be initiated remotely. The e... Read more
Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Injection
-
5.3
MEDIUMCVE-2025-10341
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'company' at the endpoint '/clients/client/x.... Read more
Affected Products :- Published: Sep. 29, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
-
5.1
MEDIUMCVE-2025-11147
Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in “/html/<filename>.html”.... Read more
Affected Products :- Published: Sep. 29, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
-
4.8
MEDIUMCVE-2025-57873
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the bro... Read more
Affected Products : portal_for_arcgis- Published: Sep. 29, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
-
9.4
CRITICALCVE-2025-59934
Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. ... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-11064
A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Impacted is an unknown function of the file /admin/teachers.php. The manipulation of the argument department results in sql injection. It is possible to launch the att... Read more
Affected Products : online_learning_management_system- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Injection
-
5.8
MEDIUMCVE-2025-11136
A flaw has been found in YiFang CMS up to 2.0.2. The impacted element is the function webUploader of the file app/app/controller/File.php of the component Backend. Executing manipulation of the argument uploadpath can lead to unrestricted upload. The atta... Read more
Affected Products : yifang- Published: Sep. 29, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-11050
A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /periodo-lancamento. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been published and may b... Read more
Affected Products : i-educar- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-11111
A weakness has been identified in Campcodes Advanced Online Voting Management System 1.0. This affects an unknown function of the file /admin/candidates_edit.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remot... Read more
Affected Products :- Published: Sep. 28, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Injection
-
8.6
HIGHCVE-2025-59932
Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthorized users to cre... Read more
Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-11045
A vulnerability was identified in WAYOS LQ_04, LQ_05, LQ_06, LQ_07 and LQ_09 22.03.17. This affects an unknown function of the file /usb_paswd.asp. The manipulation of the argument Name leads to command injection. The attack can be initiated remotely. The... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-11116
A vulnerability was found in code-projects Simple Scheduling System 1.0. This affects an unknown part of the file /add.home.php. The manipulation of the argument faculty results in sql injection. The attack can be executed remotely. The exploit has been m... Read more
Affected Products :- Published: Sep. 28, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-9816
The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and outp... Read more
Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
-
0.0
NACVE-2025-56234
AT_NA2000 from Nanda Automation Technology vendor has a denial-of-service vulnerability. For the processing of TCP RST packets, PLC AT_NA2000 has a wide acceptable range of sequence numbers. It does not require the sequence number to exactly match the nex... Read more
Affected Products :- Published: Sep. 29, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Denial of Service
-
5.1
MEDIUMCVE-2025-11137
A vulnerability has been found in Gstarsoft GstarCAD up to 9.4.0. This affects an unknown function of the component File Renaming Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed... Read more
Affected Products :- Published: Sep. 29, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
-
5.9
MEDIUMCVE-2025-3193
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extrem... Read more
Affected Products : algoliasearch-helper- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-59945
SysReptor is a fully customizable pentest reporting platform. In versions from 2024.74 to before 2025.83, authenticated and unprivileged (non-admin) users can assign the is_project_admin permission to their own user. This allows users to read, modify and ... Read more
Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-9896
The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated at... Read more
Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Request Forgery