CVE-2025-9047 - Projectworlds Visitor Management System SQL Injection
CVE ID : CVE-2025-9047
Published : Aug. 15, 2025, 11:15 a.m. | 2 hours, 48 minutes ago
Description : A vulnerability has been found in projectworlds Visitor Management System 1.0. Affected is an unknown function of the file /visitor_out.php. The manipulation of the argument rid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9047
Published : Aug. 15, 2025, 11:15 a.m. | 2 hours, 48 minutes ago
Description : A vulnerability has been found in projectworlds Visitor Management System 1.0. Affected is an unknown function of the file /visitor_out.php. The manipulation of the argument rid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1929 - Risk Yazılım Teknolojileri Ltd. Şti. Reel Sektör Hazine ve Risk Yönetimi Yazılımı SQL Injection Vulnerability
CVE ID : CVE-2025-1929
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazılım Teknolojileri Ltd. Şti. Reel Sektör Hazine ve Risk Yönetimi Yazılımı allows SQL Injection, CAPEC - 7 - Blind SQL Injection.This issue affects Reel Sektör Hazine ve Risk Yönetimi Yazılımı: through 1.0.0.4.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1929
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazılım Teknolojileri Ltd. Şti. Reel Sektör Hazine ve Risk Yönetimi Yazılımı allows SQL Injection, CAPEC - 7 - Blind SQL Injection.This issue affects Reel Sektör Hazine ve Risk Yönetimi Yazılımı: through 1.0.0.4.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54473 - Joomla Phoca Commander Authenticated Remote Code Execution
CVE ID : CVE-2025-54473
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54473
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54474 - "DJ-Classifieds SQL Injection Vulnerability"
CVE ID : CVE-2025-54474
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A SQLi vulnerability in DJ-Classifieds component 3.9.2-3.10.1 for Joomla was discovered. The issue allows privileged users to execute arbitrary SQL commands.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54474
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A SQLi vulnerability in DJ-Classifieds component 3.9.2-3.10.1 for Joomla was discovered. The issue allows privileged users to execute arbitrary SQL commands.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54475 - "Joomla JS Jobs Plugin SQL Injection Vulnerability"
CVE ID : CVE-2025-54475
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54475
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9050 - "Projectworlds Travel Management System SQL Injection Vulnerability"
CVE ID : CVE-2025-9050
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A vulnerability was found in projectworlds Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /addcategory.php. The manipulation of the argument t1 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9050
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A vulnerability was found in projectworlds Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /addcategory.php. The manipulation of the argument t1 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9051 - Projectworlds Travel Management System SQL Injection Vulnerability
CVE ID : CVE-2025-9051
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A vulnerability was determined in projectworlds Travel Management System 1.0. Affected by this issue is some unknown functionality of the file /updatecategory.php. The manipulation of the argument t1 leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9051
Published : Aug. 15, 2025, 12:15 p.m. | 1 hour, 48 minutes ago
Description : A vulnerability was determined in projectworlds Travel Management System 1.0. Affected by this issue is some unknown functionality of the file /updatecategory.php. The manipulation of the argument t1 leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9052 - Projectworlds Travel Management System SQL Injection Vulnerability
CVE ID : CVE-2025-9052
Published : Aug. 15, 2025, 1:15 p.m. | 48 minutes ago
Description : A vulnerability was identified in projectworlds Travel Management System 1.0. This affects an unknown part of the file /updatepackage.php. The manipulation of the argument s1 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9052
Published : Aug. 15, 2025, 1:15 p.m. | 48 minutes ago
Description : A vulnerability was identified in projectworlds Travel Management System 1.0. This affects an unknown part of the file /updatepackage.php. The manipulation of the argument s1 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9053 - Projectworlds Travel Management System SQL Injection
CVE ID : CVE-2025-9053
Published : Aug. 15, 2025, 1:15 p.m. | 48 minutes ago
Description : A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /updatesubcategory.php. The manipulation of the argument t1/s1 leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9053
Published : Aug. 15, 2025, 1:15 p.m. | 48 minutes ago
Description : A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /updatesubcategory.php. The manipulation of the argument t1/s1 leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-12573 - Apache Web Server Authentication Bypass
CVE ID : CVE-2024-12573
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-24752 Reason: This candidate is a reservation duplicate of CVE-2025-24752. Notes: All CVE users should reference CVE-2025-24752 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-12573
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-24752 Reason: This candidate is a reservation duplicate of CVE-2025-24752. Notes: All CVE users should reference CVE-2025-24752 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-24975 - Firebird Database Segfault and Encryption Key Vulnerability
CVE ID : CVE-2025-24975
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-24975
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54466 - Apache OFBiz Scrum Plugin Code Injection Vulnerability
CVE ID : CVE-2025-54466
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54466
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54989 - Firebird XDR Message Parsing Denial-of-Service
CVE ID : CVE-2025-54989
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Firebird is a relational database. Prior to versions 3.0.13, 4.0.6, and 5.0.3, there is an XDR message parsing NULL pointer dereference denial-of-service vulnerability in Firebird. This specific flaw exists within the parsing of xdr message from client. It leads to NULL pointer dereference and DoS. This issue has been patched in versions 3.0.13, 4.0.6, and 5.0.3.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54989
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Firebird is a relational database. Prior to versions 3.0.13, 4.0.6, and 5.0.3, there is an XDR message parsing NULL pointer dereference denial-of-service vulnerability in Firebird. This specific flaw exists within the parsing of xdr message from client. It leads to NULL pointer dereference and DoS. This issue has been patched in versions 3.0.13, 4.0.6, and 5.0.3.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55203 - Plane Stored XSS Vulnerability
CVE ID : CVE-2025-55203
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users’ browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application’s database. When another user views the affected content, the injected code executes in their browser, running in the application’s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55203
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users’ browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application’s database. When another user views the affected content, the injected code executes in their browser, running in the application’s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5046 - Autodesk AutoCAD Out-of-Bounds Read Vulnerability
CVE ID : CVE-2025-5046
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5046
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5047 - Autodesk AutoCAD Uninitialized Variable Vulnerability
CVE ID : CVE-2025-5047
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : A maliciously crafted DGN file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5047
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : A maliciously crafted DGN file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5048 - Autodesk AutoCAD DGN File Memory Corruption Vulnerability
CVE ID : CVE-2025-5048
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5048
Published : Aug. 15, 2025, 3:15 p.m. | 2 hours, 49 minutes ago
Description : A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49432 - FWDesign Ultimate Video Player Missing Authorization Vulnerability
CVE ID : CVE-2025-49432
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Missing Authorization vulnerability in FWDesign Ultimate Video Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Video Player: from n/a through 10.1.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49432
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Missing Authorization vulnerability in FWDesign Ultimate Video Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Video Player: from n/a through 10.1.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49897 - Gopiplus Vertical Scroll Slideshow Gallery SQL Injection
CVE ID : CVE-2025-49897
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49897
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49898 - Xolluteon Dropshix Cross-site Scripting (XSS)
CVE ID : CVE-2025-49898
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49898
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55207 - Astro Open Redirect Vulnerability
CVE ID : CVE-2025-55207
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press. This affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks. This issue has been patched in version 9.4.1.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55207
Published : Aug. 15, 2025, 4:15 p.m. | 1 hour, 49 minutes ago
Description : Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press. This affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks. This issue has been patched in version 9.4.1.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...