{
"Source": "CVE FEED",
"Title": "CVE-2025-9959 - Smolagents Python Sandbox Escalation Vulnerability",
"Content": "CVE ID : CVE-2025-9959
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9959 - Smolagents Python Sandbox Escalation Vulnerability",
"Content": "CVE ID : CVE-2025-9959
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-56689 - Quest One Identity MFA Bypass Remote Authentication Bypass",
"Content": "CVE ID : CVE-2025-56689
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : An issue was discovered in Quest One Identity 7.5.1.20903. A crafted response manipulation can bypass the OTP on MFA page which leads to access the PAM portal without OTP allowing attackers to control an arbitrary account.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-56689 - Quest One Identity MFA Bypass Remote Authentication Bypass",
"Content": "CVE ID : CVE-2025-56689
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : An issue was discovered in Quest One Identity 7.5.1.20903. A crafted response manipulation can bypass the OTP on MFA page which leads to access the PAM portal without OTP allowing attackers to control an arbitrary account.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-56760 - Memos Local File Write Vulnerability",
"Content": "CVE ID : CVE-2025-56760
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-56760 - Memos Local File Write Vulnerability",
"Content": "CVE ID : CVE-2025-56760
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-56761 - Memos Stored Cross Site Scripting (XSS) Vulnerability",
"Content": "CVE ID : CVE-2025-56761
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-56761 - Memos Stored Cross Site Scripting (XSS) Vulnerability",
"Content": "CVE ID : CVE-2025-56761
Published : Sept. 3, 2025, 5:15 p.m. | 1 hour, 36 minutes ago
Description : Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "03 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9927 - Projectworlds Travel Management System SQL Injection",
"Content": "CVE ID : CVE-2025-9927
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : A vulnerability was identified in projectworlds Travel Management System 1.0. The affected element is an unknown function of the file /viewpackage.php. Such manipulation of the argument t1 leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9927 - Projectworlds Travel Management System SQL Injection",
"Content": "CVE ID : CVE-2025-9927
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : A vulnerability was identified in projectworlds Travel Management System 1.0. The affected element is an unknown function of the file /viewpackage.php. Such manipulation of the argument t1 leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9928 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9928
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : A security flaw has been discovered in projectworlds Travel Management System 1.0. The impacted element is an unknown function of the file /viewcategory.php. Performing manipulation of the argument t1 results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9928 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9928
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : A security flaw has been discovered in projectworlds Travel Management System 1.0. The impacted element is an unknown function of the file /viewcategory.php. Performing manipulation of the argument t1 results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-58056 - Netty HTTP Request Smuggling Vulnerability",
"Content": "CVE ID : CVE-2025-58056
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-58056 - Netty HTTP Request Smuggling Vulnerability",
"Content": "CVE ID : CVE-2025-58056
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-8268 - "WordPress AI Engine Plugin Unauthenticated File Access and Deletion Vulnerability"",
"Content": "CVE ID : CVE-2025-8268
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-8268 - "WordPress AI Engine Plugin Unauthenticated File Access and Deletion Vulnerability"",
"Content": "CVE ID : CVE-2025-8268
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-55748 - XWiki Platform Configuration File Information Disclosure",
"Content": "CVE ID : CVE-2025-55748
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-55748 - XWiki Platform Configuration File Information Disclosure",
"Content": "CVE ID : CVE-2025-55748
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-57833 - Django FilteredRelation SQL Injection",
"Content": "CVE ID : CVE-2025-57833
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-57833 - Django FilteredRelation SQL Injection",
"Content": "CVE ID : CVE-2025-57833
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-55747 - XWiki Platform Webjars API File Disclosure",
"Content": "CVE ID : CVE-2025-55747
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-55747 - XWiki Platform Webjars API File Disclosure",
"Content": "CVE ID : CVE-2025-55747
Published : Sept. 3, 2025, 9:15 p.m. | 1 hour, 43 minutes ago
Description : XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9925 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9925
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : A vulnerability was found in projectworlds Travel Management System 1.0. This issue affects some unknown processing of the file /detail.php. The manipulation of the argument pid results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9925 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9925
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : A vulnerability was found in projectworlds Travel Management System 1.0. This issue affects some unknown processing of the file /detail.php. The manipulation of the argument pid results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9926 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9926
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : A vulnerability was determined in projectworlds Travel Management System 1.0. Impacted is an unknown function of the file /viewsubcategory.php. This manipulation of the argument t1 causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9926 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9926
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : A vulnerability was determined in projectworlds Travel Management System 1.0. Impacted is an unknown function of the file /viewsubcategory.php. This manipulation of the argument t1 causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9365 - Fuji Electric FRENIC-Loader 4 Deserialization RCE",
"Content": "CVE ID : CVE-2025-9365
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9365 - Fuji Electric FRENIC-Loader 4 Deserialization RCE",
"Content": "CVE ID : CVE-2025-9365
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-56139 - LinkedIn Mobile Application for Android Cross-Site Scripting (XSS) Vulnerability",
"Content": "CVE ID : CVE-2025-56139
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : LinkedIn Mobile Application for Android version 4.1.1087.2 fails to update link preview metadata (image, title, description) when a user replaces the original URL in a post or comment before publishing. As a result, the stale preview remains visible while the clickable link points to a different URL, which can be malicious. This UI misrepresentation enables attackers to deceive users by displaying trusted previews for harmful links, facilitating phishing attacks and user confusion.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-56139 - LinkedIn Mobile Application for Android Cross-Site Scripting (XSS) Vulnerability",
"Content": "CVE ID : CVE-2025-56139
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : LinkedIn Mobile Application for Android version 4.1.1087.2 fails to update link preview metadata (image, title, description) when a user replaces the original URL in a post or comment before publishing. As a result, the stale preview remains visible while the clickable link points to a different URL, which can be malicious. This UI misrepresentation enables attackers to deceive users by displaying trusted previews for harmful links, facilitating phishing attacks and user confusion.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-55162 - "Envoy OAuth2 Session Expiration Cookie Hijacking"",
"Content": "CVE ID : CVE-2025-55162
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. This failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active and allowing the next user of the same browser to gain unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-55162 - "Envoy OAuth2 Session Expiration Cookie Hijacking"",
"Content": "CVE ID : CVE-2025-55162
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. This failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active and allowing the next user of the same browser to gain unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-53690 - Sitecore Experience Manager/Xperience Platform Deserialization Code Injection Vulnerability",
"Content": "CVE ID : CVE-2025-53690
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Severity: 9.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-53690 - Sitecore Experience Manager/Xperience Platform Deserialization Code Injection Vulnerability",
"Content": "CVE ID : CVE-2025-53690
Published : Sept. 3, 2025, 8:15 p.m. | 2 hours, 43 minutes ago
Description : Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Severity: 9.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9923 - Campcodes Sales and Inventory System Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-9923
Published : Sept. 3, 2025, 7:15 p.m. | 3 hours, 43 minutes ago
Description : A flaw has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /index.php. Executing manipulation of the argument page can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9923 - Campcodes Sales and Inventory System Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-9923
Published : Sept. 3, 2025, 7:15 p.m. | 3 hours, 43 minutes ago
Description : A flaw has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /index.php. Executing manipulation of the argument page can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9924 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9924
Published : Sept. 3, 2025, 7:15 p.m. | 3 hours, 43 minutes ago
Description : A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /enquiry.php. The manipulation of the argument t2 leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9924 - Projectworlds Travel Management System SQL Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9924
Published : Sept. 3, 2025, 7:15 p.m. | 3 hours, 43 minutes ago
Description : A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /enquiry.php. The manipulation of the argument t2 leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-36193 - IBM Transformation Advisor Privilege Escalation Vulnerability",
"Content": "CVE ID : CVE-2025-36193
Published : Sept. 3, 2025, 7:15 p.m. | 3 hours, 43 minutes ago
Description : IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalog image.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-36193 - IBM Transformation Advisor Privilege Escalation Vulnerability",
"Content": "CVE ID : CVE-2025-36193
Published : Sept. 3, 2025, 7:15 p.m. | 3 hours, 43 minutes ago
Description : IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalog image.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9934 - TOTOLINK X5000R Command Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9934
Published : Sept. 4, 2025, 1:09 a.m. | 1 hour, 51 minutes ago
Description : A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2415_B20250515. This affects the function sub_410C34 of the file /cgi-bin/cstecgi.cgi. Performing manipulation of the argument pid results in command injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9934 - TOTOLINK X5000R Command Injection Vulnerability",
"Content": "CVE ID : CVE-2025-9934
Published : Sept. 4, 2025, 1:09 a.m. | 1 hour, 51 minutes ago
Description : A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2415_B20250515. This affects the function sub_410C34 of the file /cgi-bin/cstecgi.cgi. Performing manipulation of the argument pid results in command injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "04 Sep 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹