Total
5182 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11124 | 1 Fabianros | 1 Project Monitoring System | 2025-10-03 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in code-projects Project Monitoring System 1.0. Affected is an unknown function of the file /onlineJobSearchEngine/postjob.php. Such manipulation of the argument txtapplyto leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2025-11119 | 1 Angeljudesuarez | 1 Hostel Management System | 2025-10-03 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in itsourcecode Hostel Management System 1.0. Impacted is an unknown function of the file /justines/index.php of the component POST Request Handler. Performing manipulation of the argument from results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-23061 | 1 Mongoosejs | 1 Mongoose | 2025-10-03 | N/A | 9.0 CRITICAL |
| Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. | |||||
| CVE-2025-1497 | 1 Mljar | 1 Plotai | 2025-10-03 | N/A | 9.8 CRITICAL |
| A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability. | |||||
| CVE-2025-5513 | 1 Quequnlong | 1 Shiyi-blog | 2025-10-03 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in quequnlong shiyi-blog up to 1.2.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /dev-api/api/comment/add. The manipulation of the argument content leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10234 | 1 Scada-lts | 1 Scada-lts | 2025-10-02 | 3.3 LOW | 2.4 LOW |
| A vulnerability was detected in Scada-LTS up to 2.7.8.1. This vulnerability affects unknown code of the file /data_point_edit.shtm of the component Data Point Edit Module. The manipulation of the argument Text Renderer properties results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10235 | 1 Scada-lts | 1 Scada-lts | 2025-10-02 | 3.3 LOW | 2.4 LOW |
| A flaw has been found in Scada-LTS up to 2.7.8.1. This issue affects some unknown processing of the file /reports.shtm of the component Reports Module. This manipulation of the argument Colour causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10366 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2025-10-02 | 4.0 MEDIUM | 3.5 LOW |
| A flaw has been found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected is an unknown function of the file /htdocs/inc.setWlanIpMail.php. This manipulation of the argument Email address causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11112 | 1 Phpgurukul | 1 Employee Record Management System | 2025-10-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in PHPGurukul Employee Record Management System 1.3. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument First name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-10271 | 1 10oa | 1 10oa | 2025-10-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in erjinzhi 10OA 1.0. This impacts an unknown function of the file /trial/mvc/finder. The manipulation of the argument Name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10272 | 1 10oa | 1 10oa | 2025-10-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in erjinzhi 10OA 1.0. Affected is an unknown function of the file /trial/mvc/catalogue. This manipulation of the argument Name causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10274 | 1 10oa | 1 10oa | 2025-10-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in erjinzhi 10OA 1.0. Affected by this issue is some unknown functionality of the file /trial/mvc/item. Performing manipulation of the argument Name results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-59952 | 2025-10-02 | N/A | N/A | ||
| MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. This is fixed in version 8.6.0. | |||||
| CVE-2025-61588 | 2025-10-02 | N/A | N/A | ||
| RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. In versions 2.0.2 and below of risc0-zkvm-platform, when the zkVM guest calls sys_read, the host is able to use a crafted response to write to an arbitrary memory location in the guest. This capability can be leveraged to execute arbitrary code within the guest. As sys_read is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable. This critically compromises the soundness guarantees of the guest program. Other affected packages include risc0-aggregation versions below 0.9, risc0-zkos-v1compat below 2.1.0, risc0-zkvm versions between 3.0.0-rc.1 and 3.0.1. This issue has been fixed in the following versions: risc0-zkvm-platform 2.1.0, risc0-zkos-v1compat 2.1.0, risc0-aggregation 0.9, and risc0-zkvm 2.3.2 and 3.0.3. | |||||
| CVE-2025-56588 | 2025-10-02 | N/A | 8.8 HIGH | ||
| Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter. | |||||
| CVE-2025-26260 | 1 Plenti | 1 Plenti | 2025-10-02 | N/A | 8.8 HIGH |
| Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution. | |||||
| CVE-2025-2974 | 1 Perfexcrm | 1 Perfex Crm | 2025-10-02 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability has been found in CodeCanyon Perfex CRM up to 3.2.1 and classified as problematic. This vulnerability affects unknown code of the file /contract of the component Contracts. The manipulation of the argument content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3219 | 1 Perfexcrm | 1 Perfex Crm | 2025-10-02 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in CodeCanyon Perfex CRM 3.2.1. It has been classified as problematic. Affected is an unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module. The manipulation of the argument description leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-59251 | 1 Microsoft | 1 Edge Chromium | 2025-10-02 | N/A | 7.6 HIGH |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | |||||
| CVE-2024-51941 | 1 Apache | 1 Ambari | 2025-10-02 | N/A | 8.8 HIGH |
| A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. The vulnerability occurs when processing alert definitions, where malicious input can be injected into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to execute arbitrary commands on the server. The issue has been fixed in the latest versions of Ambari. | |||||