CVE-2025-58158 - "Harness Git LFS Arbitrary File Write Vulnerability"
CVE ID : CVE-2025-58158
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58158
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9377 - "TP-Link Archer C7/EU and TL-WR841N/ND(MS) Remote Command Execution Vulnerability"
CVE ID : CVE-2025-9377
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9377
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9665 - Code-projects Simple Grading System SQL Injection Vulnerability
CVE ID : CVE-2025-9665
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : A weakness has been identified in code-projects Simple Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_student.php of the component Admin Panel. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9665
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : A weakness has been identified in code-projects Simple Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_student.php of the component Admin Panel. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9666 - "Code-projects Simple Grading System SQL Injection Vulnerability"
CVE ID : CVE-2025-9666
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : A security vulnerability has been detected in code-projects Simple Grading System 1.0. Affected by this issue is some unknown functionality of the file /delete_student.php of the component Admin Panel. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9666
Published : Aug. 29, 2025, 6:15 p.m. | 31 minutes ago
Description : A security vulnerability has been detected in code-projects Simple Grading System 1.0. Affected by this issue is some unknown functionality of the file /delete_student.php of the component Admin Panel. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2023-41471 - Copyparty Cross Site Scripting Vulnerability
CVE ID : CVE-2023-41471
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : Cross Site Scripting vulnerability in copyparty v.1.9.1 allows a local attacker to execute arbitrary code via a crafted payload to the WEEKEND-PLANS function.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2023-41471
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : Cross Site Scripting vulnerability in copyparty v.1.9.1 allows a local attacker to execute arbitrary code via a crafted payload to the WEEKEND-PLANS function.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-43773 - Liferay Portal Remote Code Execution Vulnerability
CVE ID : CVE-2025-43773
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improper access through the expandoTableLocalService.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-43773
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improper access through the expandoTableLocalService.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9667 - "Code-Projects Simple Grading System SQL Injection"
CVE ID : CVE-2025-9667
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : A vulnerability was detected in code-projects Simple Grading System 1.0. This affects an unknown part of the file /delete_account.php of the component Admin Panel. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9667
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : A vulnerability was detected in code-projects Simple Grading System 1.0. This affects an unknown part of the file /delete_account.php of the component Admin Panel. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9669 - Jinher OA SQL Injection Vulnerability
CVE ID : CVE-2025-9669
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : A vulnerability has been found in Jinher OA 1.0. This issue affects some unknown processing of the file GetTreeDate.aspx. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9669
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : A vulnerability has been found in Jinher OA 1.0. This issue affects some unknown processing of the file GetTreeDate.aspx. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9670 - Mixmark-io Turndown Regular Expression Denial of Service (ReDoS)
CVE ID : CVE-2025-9670
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9670
Published : Aug. 29, 2025, 7:15 p.m. | 3 hours, 32 minutes ago
Description : A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-46484 - TRENDnet TV-IP410 OS Command Injection
CVE ID : CVE-2024-46484
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : TRENDnet TV-IP410 vA1.0R was discovered to contain an OS command injection vulnerability via the /server/cgi-bin/testserv.cgi component.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-46484
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : TRENDnet TV-IP410 vA1.0R was discovered to contain an OS command injection vulnerability via the /server/cgi-bin/testserv.cgi component.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56577 - Evope Core Cryptographic Key Disclosure
CVE ID : CVE-2025-56577
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : An issue in Evope Core v.1.1.3.20 allows a local attacker to obtain sensitive information via the use of hard coded cryptographic keys.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56577
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : An issue in Evope Core v.1.1.3.20 allows a local attacker to obtain sensitive information via the use of hard coded cryptographic keys.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9671 - "UAB Paytend App Android Component Export Vulnerability"
CVE ID : CVE-2025-9671
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : A weakness has been identified in UAB Paytend App up to 2.1.9 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.passport.cash. Executing manipulation can lead to improper export of android application components. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9671
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : A weakness has been identified in UAB Paytend App up to 2.1.9 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.passport.cash. Executing manipulation can lead to improper export of android application components. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9672 - Rejseplanen App Android Manifest XML Component Export Vulnerability
CVE ID : CVE-2025-9672
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : A security vulnerability has been detected in Rejseplanen App up to 8.2.2. Affected is an unknown function of the file AndroidManifest.xml of the component de.hafas.android.rejseplanen. The manipulation leads to improper export of android application components. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9672
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : A security vulnerability has been detected in Rejseplanen App up to 8.2.2. Affected is an unknown function of the file AndroidManifest.xml of the component de.hafas.android.rejseplanen. The manipulation leads to improper export of android application components. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9673 - Kakao Hey Kakao App Android Manifest XML Component Export Vulnerability
CVE ID : CVE-2025-9673
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : A vulnerability was detected in Kakao 헤이카카오 Hey Kakao App up to 2.17.4 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.kakao.i.connect. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9673
Published : Aug. 29, 2025, 8:15 p.m. | 2 hours, 32 minutes ago
Description : A vulnerability was detected in Kakao 헤이카카오 Hey Kakao App up to 2.17.4 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.kakao.i.connect. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58066 - Ntpd-rs NTS Protocol Denial of Service Vulnerability
CVE ID : CVE-2025-58066
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : nptd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. In versions between 1.2.0 and 1.6.1 inclusive servers which allow non-NTS traffic are affected by a denial of service vulnerability, where an attacker can induce a message storm between two NTP servers running ntpd-rs. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58066
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : nptd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. In versions between 1.2.0 and 1.6.1 inclusive servers which allow non-NTS traffic are affected by a denial of service vulnerability, where an attacker can induce a message storm between two NTP servers running ntpd-rs. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58067 - Basecamp Google Sign-In Open Redirect Vulnerability
CVE ID : CVE-2025-58067
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL. Normally the value of this URL is only written and read by the library or the calling application. However, it may be possible to set this session value from a malicious site with a form submission. Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can be chained with another attack that is able to modify the OAuth2 request parameters. This issue has been patched in version 1.3.1. There are no workarounds.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58067
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL. Normally the value of this URL is only written and read by the library or the calling application. However, it may be possible to set this session value from a malicious site with a form submission. Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can be chained with another attack that is able to modify the OAuth2 request parameters. This issue has been patched in version 1.3.1. There are no workarounds.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9674 - Transbyte Scooper News App Android Application Component Export Vulnerability
CVE ID : CVE-2025-9674
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A flaw has been found in Transbyte Scooper News App up to 1.2 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.hatsune.eagleee. This manipulation causes improper export of android application components. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9674
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A flaw has been found in Transbyte Scooper News App up to 1.2 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.hatsune.eagleee. This manipulation causes improper export of android application components. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9675 - Voice Changer App AndroidManifest.xml Component Export Vulnerability
CVE ID : CVE-2025-9675
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A vulnerability was determined in Voice Changer App up to 1.1.0. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.tuyangkeji.changevoice. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9675
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A vulnerability was determined in Voice Changer App up to 1.1.0. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.tuyangkeji.changevoice. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9676 - NCSOFT Universe App Android Application Component Export Vulnerability
CVE ID : CVE-2025-9676
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A vulnerability was identified in NCSOFT Universe App up to 1.3.0. Impacted is an unknown function of the file AndroidManifest.xml of the component com.ncsoft.universeapp. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9676
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A vulnerability was identified in NCSOFT Universe App up to 1.3.0. Impacted is an unknown function of the file AndroidManifest.xml of the component com.ncsoft.universeapp. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9677 - Modo Legend of the Phoenix Android Application Component Export Vulnerability
CVE ID : CVE-2025-9677
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A security flaw has been discovered in Modo Legend of the Phoenix up to 1.0.5. The affected element is an unknown function of the file AndroidManifest.xml of the component com.duige.hzw.multilingual. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9677
Published : Aug. 29, 2025, 9:15 p.m. | 1 hour, 32 minutes ago
Description : A security flaw has been discovered in Modo Legend of the Phoenix up to 1.0.5. The affected element is an unknown function of the file AndroidManifest.xml of the component com.duige.hzw.multilingual. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55173 - Next.js Image Optimization File Download Content Injection Vulnerability
CVE ID : CVE-2025-55173
Published : Aug. 29, 2025, 10:15 p.m. | 32 minutes ago
Description : Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55173
Published : Aug. 29, 2025, 10:15 p.m. | 32 minutes ago
Description : Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...