Latest CVE Feed
-
9.1
CRITICALCVE-2025-68435
Zerobyte is a backup automation tool Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessib... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-68434
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the applicatio... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.7
HIGHCVE-2025-68433
Zed, a code editor, has an aribtrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious MCP... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Misconfiguration
-
7.7
HIGHCVE-2025-68432
Zed, a code editor, has an aribtrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Language Server Protocol (LSP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious L... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Misconfiguration
-
7.3
HIGHCVE-2025-68429
Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment var... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Information Disclosure
-
8.1
HIGHCVE-2025-68147
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Po... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-68145
In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that con... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Path Traversal
-
6.3
MEDIUMCVE-2025-68144
In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpret... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68143
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without val... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Misconfiguration
-
7.6
HIGHCVE-2025-66029
Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that record these h... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Information Disclosure
-
9.1
CRITICALCVE-2025-63221
The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administra... Read more
Affected Products :- Published: Nov. 19, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Authentication
-
5.1
MEDIUMCVE-2025-14836
A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation ... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-14834
A weakness has been identified in code-projects Simple Stock System 1.0. This affects an unknown function of the file /checkuser.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The explo... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-14833
A security flaw has been discovered in code-projects Online Appointment Booking System 1.0. The impacted element is an unknown function of the file /admin/deletemanagerclinic.php. Performing manipulation of the argument clinic results in sql injection. Th... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2023-53933
Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbit... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
5.1
MEDIUMCVE-2023-53932
Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view th... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2023-53931
Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in ... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Scripting
-
9.8
CRITICALCVE-2023-53930
ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' para... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2023-53929
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an ad... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
5.4
MEDIUMCVE-2023-53928
PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Scripting