Latest CVE Feed
-
9.8
CRITICALCVE-2025-63721
HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.... Read more
Affected Products : hummerrisk- Published: Dec. 08, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-14664
A vulnerability was identified in Campcodes Supplier Management System 1.0. This issue affects some unknown processing of the file /admin/view_unit.php. The manipulation of the argument chkId[] leads to sql injection. Remote exploitation of the attack is ... Read more
Affected Products : supplier_management_system- Published: Dec. 14, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-67165
An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.... Read more
Affected Products : pagekit- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-68537
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-36937
In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed fo... Read more
Affected Products : android- Published: Dec. 11, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-66439
An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the d... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-14649
A vulnerability was detected in itsourcecode Online Cake Ordering System 1.0. Affected by this issue is some unknown functionality of the file /cakeshop/supplier.php. Performing manipulation of the argument supplier results in sql injection. The attack ca... Read more
- Published: Dec. 14, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-65602
A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.... Read more
Affected Products : chancms- Published: Dec. 10, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-46279
A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. An app may be able to identify what other apps a user ... Read more
- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-68496
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-66043
Several stack-based buffer overflow vulnerabilities exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger the... Read more
Affected Products : libbiosig- Published: Dec. 11, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-14344
The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-14570
A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initi... Read more
Affected Products : advanced_library_management_system- Published: Dec. 12, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-14640
A flaw has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /admin/save_student.php. Executing manipulation of the argument stud_no can lead to sql injection. The attack may be launche... Read more
Affected Products : student_file_management_system- Published: Dec. 14, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-50398
Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter fac_password.... Read more
- Published: Dec. 16, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-54947
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely... Read more
Affected Products : streampark- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cryptography
-
9.8
CRITICALCVE-2024-58299
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain... Read more
Affected Products : ftp_server- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-14952
A vulnerability was detected in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_category.php. Performing manipulation of the argument txtCategoryName results in sql injection. The attack is possible to be ... Read more
Affected Products : supplier_management_system- Published: Dec. 19, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-15011
A vulnerability was found in code-projects Simple Stock System 1.0. Impacted is an unknown function of the file /logout.php. The manipulation of the argument uname results in sql injection. The attack can be executed remotely. The exploit has been made pu... Read more
Affected Products : simple_stock_system- Published: Dec. 22, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-59385
An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentica... Read more
- Published: Dec. 16, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Authentication