Total
8367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11026 | 1 Vvveb | 1 Vvveb | 2025-10-08 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | |||||
| CVE-2025-61777 | 2025-10-08 | N/A | 9.4 CRITICAL | ||
| Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. | |||||
| CVE-2025-61906 | 2025-10-08 | N/A | N/A | ||
| Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, in some situations, Opencast's editor may publish a video without notifying the user. This may lead to users accidentally publishing media not meant for publishing, and thus possibly exposing internal media. This risk of this actually impacting someone is very low, though. This can only be triggered by users with write access to an event. They also have to use the editor, which is usually an action taken if they want to publish media and not something users would use on internal media they do not want to publish. Finally, they have to first click on "Save & Publish" before then selecting the "Save" option. Nevertheless, while very unlikely, this can happen. This issue is fixed in Opencast 17.8 and 18.2. | |||||
| CVE-2025-11443 | 2025-10-08 | 2.6 LOW | 3.7 LOW | ||
| A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken. | |||||
| CVE-2025-48464 | 2025-10-08 | N/A | 4.7 MEDIUM | ||
| Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victim’s Sync account data such as account credentials and email protection information. | |||||
| CVE-2025-11406 | 2025-10-08 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A security flaw has been discovered in kaifangqian kaifangqian-base up to 7b3faecda13848b3ced6c17c7423b76c5b47b8ab. This issue affects the function getAllUsers of the file kaifangqian-parent/kaifangqian-system/src/main/java/com/kaifangqian/modules/system/controller/SysUserController.java. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | |||||
| CVE-2025-5098 | 1 Dynamixsoftware | 1 Printershare | 2025-10-08 | N/A | 9.1 CRITICAL |
| PrinterShare Android application allows the capture of Gmail authentication tokens that can be reused to access a user's Gmail account without proper authorization. | |||||
| CVE-2025-59833 | 1 Flagforge | 1 Flagforge | 2025-10-08 | N/A | 7.5 HIGH |
| Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0. | |||||
| CVE-2024-37895 | 1 Lobehub | 1 Lobe Chat | 2025-10-08 | N/A | 5.7 MEDIUM |
| Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-60449 | 1 Seacms | 1 Seacms | 2025-10-08 | N/A | 4.9 MEDIUM |
| An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory. | |||||
| CVE-2025-10222 | 1 Axxonsoft | 1 Axxon One | 2025-10-08 | N/A | 3.3 LOW |
| Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) in the diagnostic dump component in AxxonSoft Axxon One VMS (C-Werk) 2.0.0 through 2.0.1 on Windows allows a local attacker to obtain licensing-related information such as timestamps, license states, and registry values via reading diagnostic export files created by the built-in troubleshooting tool. | |||||
| CVE-2025-11028 | 1 Vvveb | 1 Vvveb | 2025-10-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. This affects an unknown part of the component Image Handler. Performing manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | |||||
| CVE-2025-56463 | 1 Mercusys | 2 Mw305r, Mw305r Firmware | 2025-10-07 | N/A | 6.8 MEDIUM |
| Mercusys MW305R 3.30 and below is has a Transport Layer Security (TLS) certificate private key disclosure. | |||||
| CVE-2025-56161 | 1 Xany | 1 Yoshop2.0 | 2025-10-07 | N/A | 7.5 HIGH |
| YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic. | |||||
| CVE-2025-61665 | 1 Wegia | 1 Wegia | 2025-10-07 | N/A | 7.5 HIGH |
| WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0. | |||||
| CVE-2024-43046 | 1 Qualcomm | 620 315 5g Iot Modem, 315 5g Iot Modem Firmware, 9205 Lte Modem and 617 more | 2025-10-06 | N/A | 5.5 MEDIUM |
| There may be information disclosure during memory re-allocation in TZ Secure OS. | |||||
| CVE-2014-2368 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | 7.5 HIGH | N/A |
| The BrowseFolder method in the bwocxrun ActiveX control in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call. | |||||
| CVE-2014-2367 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | 7.5 HIGH | N/A |
| The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call. | |||||
| CVE-2014-2366 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | 9.0 HIGH | N/A |
| upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code. | |||||
| CVE-2025-61589 | 2025-10-06 | N/A | 5.9 MEDIUM | ||
| Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered, see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7. | |||||