Les dernières vulnérabilités publiées sur la National Vulnerability Database (NVD)

CVE-2025-52621 - HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. The BigFix SaaS's HTTP responses were observed to include the Origin header. Its presence alongside an unvalidated reflection of the Origin header value introduces a potential for cache poisoning.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-52621
Partager : LinkedIn / Twitter / Facebook

CVE-2025-52620 - HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-52620
Partager : LinkedIn / Twitter / Facebook

CVE-2025-52619 - HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Under certain conditions, error messages disclose sensitive version information about the underlying platform.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-52619
Partager : LinkedIn / Twitter / Facebook

CVE-2025-52618 - HCL BigFix SaaS Authentication Service is affected by a SQL injection vulnerability. The vulnerability allows potential attackers to manipulate SQL queries.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-52618
Partager : LinkedIn / Twitter / Facebook

CVE-2025-43201 - This issue was addressed with improved checks. This issue is fixed in Apple Music Classical 2.3 for Android. An app may be able to unexpectedly leak a user's credentials.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-43201
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8959 - HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8959
Partager : LinkedIn / Twitter / Facebook

CVE-2025-44201 - Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-44201
Partager : LinkedIn / Twitter / Facebook

CVE-2025-36088 - IBM TS4500 1.11.0.0-D00, 1.11.0.1-C00, 1.11.0.2-C00, and 1.10.00-F00 web GUI is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-36088
Partager : LinkedIn / Twitter / Facebook

CVE-2025-43490 - A potential security vulnerability has been identified in the HPAudioAnalytics service included in the HP Hotkey Support software, which might allow escalation of privilege. HP is releasing software updates to mitigate the potential vulnerability.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-43490
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55285 - @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55285
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9060 - A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration configuration functionality that is only available to MFlash administrators. The vulnerability is related to insufficient validation of parameters when setting up security components. This issue affects MFlash v. 8.0 and possibly others. To mitigate apply 8.2-653 hotfix 11.06.2025 and above.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9060
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8996 - Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8996
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8995 - Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8995
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8675 - Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.This issue affects AI SEO Link Advisor: from 0.0.0 before 1.0.6.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8675
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8362 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8362
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8361 - Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8361
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8092 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8092
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7961 - Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-7961
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8066 - URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bunkerity Bunker Web on Linux allows Phishing.This issue affects Bunker Web: 1.6.2.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8066
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55207 - Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press. This affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks. This issue has been patched in version 9.4.1.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55207
Partager : LinkedIn / Twitter / Facebook

CVE-2025-49898 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-49898
Partager : LinkedIn / Twitter / Facebook

CVE-2025-49897 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-49897
Partager : LinkedIn / Twitter / Facebook

CVE-2025-49432 - Missing Authorization vulnerability in FWDesign Ultimate Video Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Video Player: from n/a through 10.1.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-49432
Partager : LinkedIn / Twitter / Facebook

CVE-2025-5048 - A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-5048
Partager : LinkedIn / Twitter / Facebook

CVE-2025-5047 - A maliciously crafted DGN file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-5047
Partager : LinkedIn / Twitter / Facebook

CVE-2025-5046 - A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-5046
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55203 - Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users' browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application's database. When another user views the affected content, the injected code executes in their browser, running in the application's context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55203
Partager : LinkedIn / Twitter / Facebook

CVE-2025-54989 - Firebird is a relational database. Prior to versions 3.0.13, 4.0.6, and 5.0.3, there is an XDR message parsing NULL pointer dereference denial-of-service vulnerability in Firebird. This specific flaw exists within the parsing of xdr message from client. It leads to NULL pointer dereference and DoS. This issue has been patched in versions 3.0.13, 4.0.6, and 5.0.3.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-54989
Partager : LinkedIn / Twitter / Facebook

CVE-2025-54466 - Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-54466
Partager : LinkedIn / Twitter / Facebook

CVE-2025-24975 - Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-24975
Partager : LinkedIn / Twitter / Facebook

CVE-2024-12573 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-24752 Reason: This candidate is a reservation duplicate of CVE-2025-24752. Notes: All CVE users should reference CVE-2025-24752 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2024-12573
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9053 - A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /updatesubcategory.php. The manipulation of the argument t1/s1 leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9053
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9052 - A vulnerability was identified in projectworlds Travel Management System 1.0. This affects an unknown part of the file /updatepackage.php. The manipulation of the argument s1 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9052
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9051 - A vulnerability was determined in projectworlds Travel Management System 1.0. Affected by this issue is some unknown functionality of the file /updatecategory.php. The manipulation of the argument t1 leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9051
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9050 - A vulnerability was found in projectworlds Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /addcategory.php. The manipulation of the argument t1 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9050
Partager : LinkedIn / Twitter / Facebook

CVE-2025-54475 - A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-54475
Partager : LinkedIn / Twitter / Facebook

CVE-2025-54474 - A SQLi vulnerability in DJ-Classifieds component 3.9.2-3.10.1 for Joomla was discovered. The issue allows privileged users to execute arbitrary SQL commands.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-54474
Partager : LinkedIn / Twitter / Facebook

CVE-2025-54473 - An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-54473
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1929 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazilim Teknolojileri Ltd. Sti. Reel Sektör Hazine ve Risk Yönetimi Yazilimi allows SQL Injection, CAPEC - 7 - Blind SQL Injection.This issue affects Reel Sektör Hazine ve Risk Yönetimi Yazilimi: through 1.0.0.4.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-1929
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9047 - A vulnerability has been found in projectworlds Visitor Management System 1.0. Affected is an unknown function of the file /visitor_out.php. The manipulation of the argument rid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9047
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9046 - A vulnerability was identified in Tenda AC20 16.03.08.12. This issue affects the function sub_46A2AC of the file /goform/setMacFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9046
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9028 - A vulnerability was found in code-projects Online Medicine Guide 1.0. This issue affects some unknown processing of the file /adphar.php. The manipulation of the argument phuname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9028
Partager : LinkedIn / Twitter / Facebook

CVE-2025-26709 - There is an unauthorized access vulnerability in ZTE F50. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-26709
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9027 - A vulnerability has been found in code-projects Online Medicine Guide 1.0. This vulnerability affects unknown code of the file /addelivery.php. The manipulation of the argument deName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9027
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9026 - A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9026
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9025 - A vulnerability was determined in code-projects Simple Cafe Ordering System 1.0. Affected by this issue is some unknown functionality of the file /portal.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9025
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9024 - A vulnerability was found in PHPGurukul Beauty Parlour Management System 1.1. Affected by this vulnerability is an unknown functionality of the file /book-appointment.php. The manipulation of the argument Message leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9024
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9023 - A vulnerability has been found in Tenda AC7 and AC18 15.03.05.19/15.03.06.44. Affected is the function formSetSchedLed of the file /goform/SetLEDCfg. The manipulation of the argument Time leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9023
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8905 - The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8905
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8720 - The Plugin README Parser plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘target' parameter in all versions up to, and including, 1.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8720
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8091 - The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8091
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8080 - The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8080
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7778 - The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-7778
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7688 - The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'add-user-meta' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-7688
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7662 - The Gestion de tarifs plugin for WordPress is vulnerable to SQL Injection via the 'tarif' and 'intitule' shortcodes in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-7662
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7650 - The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.50 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-7650
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7641 - The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server, which can cause a complete loss of availability.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-7641
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7507 - The elink – Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leverged to redirect users to a malicious domain.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-7507
Partager : LinkedIn / Twitter / Facebook

CVE-2025-5844 - The Radius Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subHeadingTagName' parameter in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-5844
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9022 - A vulnerability was identified in SourceCodester Online Bank Management System up to 1.0. This issue affects some unknown processing of the file /bank/statements.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9022
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9021 - A vulnerability was determined in SourceCodester Online Bank Management System up to 1.0. This vulnerability affects unknown code of the file /bank/transfer.php. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9021
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9020 - A vulnerability was found in PX4 PX4-Autopilot up to 1.15.4. This issue affects the function MavlinkReceiver::handle_message_serial_control of the file src/modules/mavlink/mavlink_receiver.cpp of the component Mavlink Shell Closing Handler. The manipulation of the argument _mavlink_shell leads to use after free. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The identifier of the patch is 4395d4f00c49b888f030f5b43e2a779f1fa78708. It is recommended to apply a patch to fix this issue.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9020
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8604 - The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8604
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9019 - A vulnerability has been found in tcpreplay 4.5.1. This vulnerability affects the function mask_cidr6 of the file cidr.c of the component tcpprep. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The researcher is able to reproduce this with the latest official release 4.5.1 and the current master branch. The code maintainer cannot reproduce this for 4.5.2-beta1. In his reply the maintainer explains that "[i]n that case, this is a duplicate that was fixed in 4.5.2."
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9019
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9017 - A vulnerability has been found in PHPGurukul Zoo Management System 2.1. This vulnerability affects unknown code of the file /admin/add-foreigner-ticket.php. The manipulation of the argument visitorname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9017
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9016 - A vulnerability was identified in Mechrevo Control Center GX V2 5.56.51.48. This affects an unknown part of the file C:\Program Files\OEM\????????\AiStoneService\MyControlCenter\Command of the component Powershell Script Handler. The manipulation leads to uncontrolled search path. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9016
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8451 - The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘data-gallery-items' parameter in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8451
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8013 - The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8013
Partager : LinkedIn / Twitter / Facebook

CVE-2025-6679 - The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-6679
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9013 - A vulnerability has been found in PHPGurukul Online Shopping Portal Project 2.0. This vulnerability affects unknown code of the file /shopping/password-recovery.php. The manipulation of the argument emailid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9013
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9012 - A vulnerability was identified in PHPGurukul Online Shopping Portal Project 2.0. This affects an unknown part of the file shopping/bill-ship-addresses.php. The manipulation of the argument billingpincode leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9012
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9011 - A vulnerability was determined in PHPGurukul Online Shopping Portal Project 2.0. Affected by this issue is some unknown functionality of the file /shopping/signup.php. The manipulation of the argument emailid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9011
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9010 - A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/booking_report.php. The manipulation of the argument from_date leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9010
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9009 - A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Affected is an unknown function of the file /admin/email_setup.php. The manipulation of the argument Name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9009
Partager : LinkedIn / Twitter / Facebook

CVE-2025-31961 - HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-31961
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9008 - A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/sms_setting.php. The manipulation of the argument uname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9008
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9007 - A vulnerability has been found in Tenda CH22 1.0.0.1. Affected by this issue is the function formeditFileName of the file /goform/editFileName. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9007
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9006 - A vulnerability was identified in Tenda CH22 1.0.0.1. Affected by this vulnerability is the function formdelFileName of the file /goform/delFileName. The manipulation leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9006
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9005 - A vulnerability was determined in mtons mblog up to 3.5.0. Affected is an unknown function of the file /register. The manipulation leads to information exposure through error message. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9005
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9004 - A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9004
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9003 - A vulnerability has been found in D-Link DIR-818LW 1.04. This vulnerability affects unknown code of the file /bsc_lan.php of the component DHCP Reserved Address Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9003
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9002 - A vulnerability was identified in Surbowl dormitory-management-php 1.0. This affects an unknown part of the file login.php. The manipulation of the argument Account leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9002
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9001 - A vulnerability was determined in LemonOS up to nightly-2024-07-12 on LemonOS. Affected by this issue is the function HTTPGet of the file /Applications/Steal/main.cpp of the component HTTP Client. The manipulation of the argument chunkSize leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9001
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8867 - The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widget parameters in version 3.1.3 and below. This is due to insufficient input sanitization and output escaping on user supplied attributes such as chart categories, titles, and tooltip settings. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8867
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8680 - The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in version less than, or equal to, 2.0.0 via the fs_api_request function. This makes it possible for authenticated attackers, with subscriber-level access and above to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8680
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8676 - The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in versions less than, or equal to, 2.0.0 via the get_active_plugins function. This makes it possible for authenticated attackers, with subscriber-level access and above to extract sensitive data including installed plugin information.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8676
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8342 - The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8342
Partager : LinkedIn / Twitter / Facebook

CVE-2025-6025 - The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-6025
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55726 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55726
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55725 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55725
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55724 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55724
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55723 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55723
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55722 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55722
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55721 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55721
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55720 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55720
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55719 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55719
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55718 - Rejected reason: Not used
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-55718
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9000 - A vulnerability was found in Mechrevo Control Center GX V2 5.56.51.48. Affected by this vulnerability is an unknown functionality of the component reg File Handler. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-9000
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8993 - A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. This affects an unknown part of the file /admin/expense_report.php. The manipulation of the argument from_date leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8993
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8992 - A vulnerability has been found in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://cve.nohackme.com/index.php?action=detail&id=CVE-2025-8992
Partager : LinkedIn / Twitter / Facebook

Soutenez No Hack Me sur Tipeee

Les annonces ayant été modifiées dernièrement

CVE-2025-8986 - A vulnerability was determined in SourceCodester COVID 19 Testing Management System 1.0. Affected by this issue is some unknown functionality of the file /search-report-result.php. The manipulation of the argument serachdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8986
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8985 - A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8985
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8984 - A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Affected is an unknown function of the file /admin/operations/expense_category.php. The manipulation of the argument expense_name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8984
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8983 - A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/operations/expense.php. The manipulation of the argument expense_for leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8983
Partager : LinkedIn / Twitter / Facebook

CVE-2025-51965 - OURPHP thru 8.6.1 is vulnerable to Cross-Site Scripting (XSS) via the "Name" field of the "Complete Profile" functionality under the "My User Center" page, which can be accessed after registering through the front-end interface.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-51965
Partager : LinkedIn / Twitter / Facebook

CVE-2025-50861 - The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of service or logic abuse.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-50861
Partager : LinkedIn / Twitter / Facebook

CVE-2025-52335 - EyouCMS 1.7.3 is vulnerale to Cross Site Scripting (XSS) in index.php, which can be exploited to obtain sensitive information.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-52335
Partager : LinkedIn / Twitter / Facebook

CVE-2023-43687 - An issue was discovered in Malwarebytes before 4.6.14.326 and before 5.1.5.116 (and Nebula 2020-10-21 and later). There is a Race condition that leads to code execution because of a lack of locks between file verification and execution.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-43687
Partager : LinkedIn / Twitter / Facebook

CVE-2025-9043 - The service executable path in Seagate Toolkit on Versions prior to 2.34.0.33 on Windows allows an attacker with Admin privileges to exploit a vulnerability as classified under CWE-428: Unquoted Search Path or Element. An attacker with write permissions to the root could place a malicious Program.exe file, which would execute with SYSTEM privileges.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-9043
Partager : LinkedIn / Twitter / Facebook

CVE-2025-50817 - A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-50817
Partager : LinkedIn / Twitter / Facebook

CVE-2025-50515 - An issue was discovered in phome Empirebak 2010 in ebak2008/upload/class/config.php allowing attackers to execute arbitrary code when the config file was loaded.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-50515
Partager : LinkedIn / Twitter / Facebook

CVE-2025-20265 - A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. This vulnerability is due to a lack of proper handling of user input during the authentication phase. An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level. Note: For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS authentication for the web-based management interface, SSH management, or both.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-20265
Partager : LinkedIn / Twitter / Facebook

CVE-2023-43692 - An issue was discovered in Malwarebytes before 4.6.14.326 and before 5.1.5.116 (and Nebula 2020-10-21 and later). Out-of-bound reads in strings detection utilities lead to system crashes.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-43692
Partager : LinkedIn / Twitter / Facebook

CVE-2023-43683 - An issue was discovered in Malwarebytes 4.6.14.326 and before 5.1.5.116 (and Nebula 2020-10-21 and later). A Stack buffer out-of-bounds access exists because of an integer underflow when handling newline characters.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-43683
Partager : LinkedIn / Twitter / Facebook

CVE-2025-50518 - A use-after-free vulnerability exists in the coap_delete_pdu_lkd function within coap_pdu.c of the libcoap library. This issue occurs due to improper handling of memory after the freeing of a PDU object, leading to potential memory corruption or the possibility of executing arbitrary code.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-50518
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8876 - Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8876
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8875 - Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code.This issue affects N-central: before 2025.3.1.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8875
Partager : LinkedIn / Twitter / Facebook

CVE-2025-43983 - KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices have multiple unauthenticated access control vulnerabilities within goform/goform_set_cmd_process and goform/goform_get_cmd_process. These allow an unauthenticated attacker to retrieve sensitive information (including the device admin username and password), modify critical device settings, and send arbitrary SMS messages.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-43983
Partager : LinkedIn / Twitter / Facebook

CVE-2025-27847 - In ESPEC North America Web Controller 3 before 3.3.8, /api/v4/auth/ users session privileges are not revoked on logout.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-27847
Partager : LinkedIn / Twitter / Facebook

CVE-2025-27846 - In ESPEC North America Web Controller 3 before 3.3.8, an attacker with physical access can gain elevated privileges because GRUB and the BIOS are unprotected.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-27846
Partager : LinkedIn / Twitter / Facebook

CVE-2025-27845 - In ESPEC North America Web Controller 3 before 3.3.4, /api/v4/auth/ with any invalid authentication request results in exposing a JWT secret. This allows for elevated permissions to the UI.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-27845
Partager : LinkedIn / Twitter / Facebook

CVE-2025-43984 - An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, using the SSID parameter, allows remote attackers to execute arbitrary OS commands with root privileges.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-43984
Partager : LinkedIn / Twitter / Facebook

CVE-2023-5342 - The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired which could lead to old or invalid signed boot components being loaded.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2023-5342
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8940 - A vulnerability was identified in Tenda AC20 up to 16.03.08.12. Affected by this vulnerability is the function strcpy of the file /goform/saveParentControlInfo. The manipulation of the argument Time leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8940
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8939 - A vulnerability was determined in Tenda AC20 up to 16.03.08.12. Affected is an unknown function of the file /goform/WifiGuestSet. The manipulation of the argument shareSpeed leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8939
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8936 - A vulnerability was determined in 1000 Projects Sales Management System 1.0. Affected by this issue is some unknown functionality of the file /superstore/dist/dordupdate.php. The manipulation of the argument select2 leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8936
Partager : LinkedIn / Twitter / Facebook

CVE-2025-0309 - An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-0309
Partager : LinkedIn / Twitter / Facebook

CVE-2024-7402 - Netskope has identified a potential gap in its agent (Netskope Client) in which a malicious insider can potentially tamper the Netskope Client configuration by performing MITM (Man-in-the-Middle) activity on the Netskope Client communication channel. A successful exploitation would require administrative privileges on the machine, and could result in temporarily altering the configuration of Netskope Client or permanently disabling or removing the agent from the machine.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2024-7402
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8935 - A vulnerability was found in 1000 Projects Sales Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /superstore/custcmp.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8935
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8934 - A vulnerability has been found in 1000 Projects Sales Management System 1.0. Affected is an unknown function of the file /sales.php. The manipulation of the argument select2112 leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8934
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8933 - A vulnerability was identified in 1000 Projects Sales Management System 1.0. This issue affects some unknown processing of the file /superstore/admin/sales.php. The manipulation of the argument ssalescat leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8933
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8932 - A vulnerability was determined in 1000 Projects Sales Management System 1.0. This vulnerability affects unknown code of the file /superstore/admin/sales.php. The manipulation of the argument ssalescat leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8932
Partager : LinkedIn / Twitter / Facebook

CVE-2025-55197 - pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-55197
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8926 - A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8926
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45313 - A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the title parameter.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45313
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8920 - A vulnerability was identified in Portabilis i-Diario 1.6. Affected by this vulnerability is an unknown functionality of the file /dicionario-de-termos-bncc of the component Dicionário de Termos BNCC Page. The manipulation of the argument Planos de ensino leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8920
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8919 - A vulnerability was determined in Portabilis i-Diario up to 1.6. Affected is an unknown function of the file /objetivos-de-aprendizagem-e-habilidades of the component History Page. The manipulation of the argument código/objetivo habilidade leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8919
Partager : LinkedIn / Twitter / Facebook

CVE-2025-8770 - An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-8770
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7739 - An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-7739
Partager : LinkedIn / Twitter / Facebook

CVE-2025-7734 - An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-7734
Partager : LinkedIn / Twitter / Facebook

CVE-2025-6186 - An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-6186
Partager : LinkedIn / Twitter / Facebook

CVE-2025-5819 - An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-5819
Partager : LinkedIn / Twitter / Facebook

CVE-2025-50617 - A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_0046ed68 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wps_set in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-50617
Partager : LinkedIn / Twitter / Facebook

CVE-2025-50616 - A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_0046f984 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_advanced_set in the payload, which can cause the program to crash and lead to a Denial of Service (DoS) attack.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-50616
Partager : LinkedIn / Twitter / Facebook

CVE-2025-50615 - A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00470c50 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_mac_filter_set in the payload, which can cause the program to crash and lead to a Denial of Service (DoS) attack.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-50615
Partager : LinkedIn / Twitter / Facebook

CVE-2025-45317 - A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-45317
Partager : LinkedIn / Twitter / Facebook

CVE-2025-2937 - An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-2937
Partager : LinkedIn / Twitter / Facebook

CVE-2025-2614 - An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessive server resources when processed.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-2614
Partager : LinkedIn / Twitter / Facebook

CVE-2025-2498 - An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-2498
Partager : LinkedIn / Twitter / Facebook

CVE-2025-1477 - An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integration API endpoints.
15/08/2025 | https://nvd.nist.gov/vuln/detail/CVE-2025-1477
Partager : LinkedIn / Twitter / Facebook