Total
5182 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9931 | 1 Jinher | 1 Jinher Oa | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in Jinher OA 1.0. Affected is an unknown function of the file /jc6/platform/sys/login!changePassWord.action of the component POST Request Handler. The manipulation of the argument Account results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2025-51387 | 1 Axosoft | 1 Gitkraken Desktop | 2025-10-09 | N/A | 9.8 CRITICAL |
| The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Specifically, the following insecure settings were observed: RunAsNode is enabled and EnableNodeCliInspectArguments is not disabled. These configurations allow the application to be executed in Node.js mode, enabling attackers to pass arguments that result in arbitrary code execution. | |||||
| CVE-2025-61593 | 1 Anysphere | 1 Cursor | 2025-10-09 | N/A | 7.1 HIGH |
| Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI Agent protects its sensitive files (i.e. */.cursor/cli.json) allows attackers to modify the content of the files through prompt injection, thus achieving remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive filesystems. This issue is fixed in a commit, 25b418f, but has yet to be released as of October 3, 2025. | |||||
| CVE-2025-11390 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in PHPGurukul Cyber Cafe Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /search.php of the component POST Parameter Handler. Executing manipulation of the argument searchdata can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-11425 | 1 Projectworlds | 1 Advanced Library Management System | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A vulnerability was identified in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /edit_admin.php. The manipulation of the argument firstname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Other parameters might be affected as well. | |||||
| CVE-2025-11421 | 1 Fabian | 1 Voting System | 2025-10-09 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in code-projects Voting System 1.0. The affected element is an unknown function of the file /admin/candidates_edit.php. This manipulation of the argument Firstname/Lastname/Platform causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. | |||||
| CVE-2025-11433 | 1 Itsourcecode | 1 Leave Management System | 2025-10-09 | 4.0 MEDIUM | 3.5 LOW |
| A security flaw has been discovered in itsourcecode Leave Management System 1.0. This impacts the function redirect of the file /module/employee/controller.php?action=reset of the component Query Parameter Handler. Performing manipulation of the argument ID results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-11435 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch. | |||||
| CVE-2025-11437 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector. | |||||
| CVE-2025-11485 | 1 Remyandrade | 1 Student Grades Management System | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function add_user of the file /admin.php of the component Manage Users Page. This manipulation of the argument first_name/last_name causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-11539 | 2025-10-09 | N/A | 9.9 CRITICAL | ||
| Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process. Instances are vulnerable if: 1. The default token ("authToken") is not changed, or is known to the attacker. 2. The attacker can reach the image renderer endpoint. This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16. | |||||
| CVE-2025-2979 | 1 Wcms | 1 Wcms | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in WCMS 11. This affects an unknown part of the file /index.php?anonymous/setregister of the component Registration. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3251 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, was found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation of the argument motto leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-61774 | 2025-10-08 | N/A | N/A | ||
| PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use`--extra-index-url`. But when `--extra-index-url` is used, pip always checks for the PyPI index first, and then the external index. One package listed in the code is not published in PyPI. If an attacker publishes a package with higher version in PyPI, the malicious code from the attacker controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable. | |||||
| CVE-2025-11360 | 2025-10-08 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was detected in jakowenko double-take up to 1.13.1. The impacted element is the function app.use of the file api/src/app.js of the component API. The manipulation of the argument X-Ingress-Path results in cross site scripting. The attack can be executed remotely. Upgrading to version 1.13.2 is sufficient to resolve this issue. The patch is identified as e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50. The affected component should be upgraded. | |||||
| CVE-2025-10758 | 1 Htmly | 1 Htmly | 2025-10-08 | 3.3 LOW | 2.4 LOW |
| A security vulnerability has been detected in htmly up to 3.1.0. The impacted element is an unknown function of the file /htmly/admin/field/post of the component Custom Field Handler. Such manipulation of the argument label leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2787 | 1 Knime | 1 Business Hub | 2025-10-08 | N/A | 8.8 HIGH |
| KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 ( a.k.a IngressNightmare ) vulnerability which affects the ingress-nginx component. In the worst case a complete takeover of the Kubernetes cluster is possible. Since the affected component is only reachable from within the cluster, i.e. requires an authenticated user, the severity in the context of KNIME Business Hub is slightly lower. Besides applying the publicly known workarounds, we strongly recommend updating to one of the following versions of KNIME Business Hub: * 1.13.3 or above * 1.12.4 or above * 1.11.4 or above * 1.10.4 or above * | |||||
| CVE-2025-59954 | 1 Eng | 1 Knowage | 2025-10-08 | N/A | 9.8 CRITICAL |
| Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Exection through using an unsafe org.apache.commons.jxpath.JXPathContext in MetaService.java service. This issue is fixed in version 8.1.27. | |||||
| CVE-2025-0706 | 1 Joeybling | 1 Bootplus | 2025-10-07 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/sys/admin.html. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | |||||
| CVE-2025-11282 | 1 Frappe | 1 Learning | 2025-10-07 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |||||