CVE-2025-59548 - DNN Vulnerable to Reflected Cross-Site Scripting (XSS) in CKEditor File Browser
CVE ID : CVE-2025-59548
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, specially crafted URLs to the FileBrowser are vulnerable to javascript injection, affecting any unsuspecting user clicking such link. This issue has been patched in version 10.1.0.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59548
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, specially crafted URLs to the FileBrowser are vulnerable to javascript injection, affecting any unsuspecting user clicking such link. This issue has been patched in version 10.1.0.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59821 - DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile
CVE ID : CVE-2025-59821
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim’s browser to interpret attacker-controlled content as part of the page’s HTML. This issue has been patched in version 10.1.0.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59821
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim’s browser to interpret attacker-controlled content as part of the page’s HTML. This issue has been patched in version 10.1.0.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-8410 - Use After Free vulnerability in RTI Connext Professional (Security Plugins) allows File Manipulation.
CVE ID : CVE-2025-8410
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : Use After Free vulnerability in RTI Connext Professional (Security Plugins) allows File Manipulation.This issue affects Connext Professional: from 7.5.0 before 7.6.0.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-8410
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : Use After Free vulnerability in RTI Connext Professional (Security Plugins) allows File Manipulation.This issue affects Connext Professional: from 7.5.0 before 7.6.0.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9197 - CVE-2022-1234: Adobe Acrobat PDF Parsing Vulnerability
CVE ID : CVE-2025-9197
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9197
Published : Sept. 23, 2025, 6:15 p.m. | 1 hour, 7 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54081 - SunshineService Has Unquoted Service Path That Allows Local SYSTEM Code Execution
CVE ID : CVE-2025-54081
Published : Sept. 23, 2025, 6:18 p.m. | 1 hour, 4 minutes ago
Description : Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54081
Published : Sept. 23, 2025, 6:18 p.m. | 1 hour, 4 minutes ago
Description : Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59534 - CryptoLib command Injection vulnerability in initialize_kerberos_keytab_file_login()
CVE ID : CVE-2025-59534
Published : Sept. 23, 2025, 6:25 p.m. | 57 minutes ago
Description : CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.2, there is a command Injection vulnerability in initialize_kerberos_keytab_file_login(). The vulnerability exists because the code directly interpolates user-controlled input into a shell command and executes it via system() without any sanitization or validation. This issue has been patched in version 1.4.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59534
Published : Sept. 23, 2025, 6:25 p.m. | 57 minutes ago
Description : CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.2, there is a command Injection vulnerability in initialize_kerberos_keytab_file_login(). The vulnerability exists because the code directly interpolates user-controlled input into a shell command and executes it via system() without any sanitization or validation. This issue has been patched in version 1.4.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58674 - WordPress core <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability
CVE ID : CVE-2025-58674
Published : Sept. 23, 2025, 6:47 p.m. | 35 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from n/a through 6.8.2.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58674
Published : Sept. 23, 2025, 6:47 p.m. | 35 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from n/a through 6.8.2.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59822 - Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section
CVE ID : CVE-2025-59822
Published : Sept. 23, 2025, 6:54 p.m. | 28 minutes ago
Description : Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59822
Published : Sept. 23, 2025, 6:54 p.m. | 28 minutes ago
Description : Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-45326 - PocketVJ CP Remote Code Execution Vulnerability
CVE ID : CVE-2025-45326
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : An issue in PocketVJ CP PocketVJ-CP-v3 pvj 3.9.1 allows remote attackers to execute arbitrary code via the submit_size.php component.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-45326
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : An issue in PocketVJ CP PocketVJ-CP-v3 pvj 3.9.1 allows remote attackers to execute arbitrary code via the submit_size.php component.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-51005 - "tcpreplay Heap Buffer Overflow Vulnerability"
CVE ID : CVE-2025-51005
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : A heap-buffer-overflow vulnerability exists in the tcpliveplay utility of the tcpreplay-4.5.1. When a crafted pcap file is processed, the program incorrectly handles memory in the checksum calculation logic at do_checksum_math_liveplay in tcpliveplay.c, leading to a possible denial of service.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-51005
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : A heap-buffer-overflow vulnerability exists in the tcpliveplay utility of the tcpreplay-4.5.1. When a crafted pcap file is processed, the program incorrectly handles memory in the checksum calculation logic at do_checksum_math_liveplay in tcpliveplay.c, leading to a possible denial of service.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56146 - Indian Bank IndSMART NuWebViewActivity SSL Certificate Validation Weakness
CVE ID : CVE-2025-56146
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : Indian Bank IndSMART Android App 3.8.1 is vulnerable to Missing SSL Certificate Validation in NuWebViewActivity.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56146
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : Indian Bank IndSMART Android App 3.8.1 is vulnerable to Missing SSL Certificate Validation in NuWebViewActivity.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-57637 - D-Link DI-7100G Buffer Overflow Denial of Service and Remote Code Execution
CVE ID : CVE-2025-57637
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : Buffer overflow vulnerability in D-Link DI-7100G 2020-02-21 in the sub_451754 function of the jhttpd service in the viav4 parameter allowing attackers to cause a denial of service or execute arbitrary code.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-57637
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : Buffer overflow vulnerability in D-Link DI-7100G 2020-02-21 in the sub_451754 function of the jhttpd service in the viav4 parameter allowing attackers to cause a denial of service or execute arbitrary code.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-57638 - Tenda AC9 Buffer Overflow Vulnerability
CVE ID : CVE-2025-57638
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : Buffer overflow vulnerability in Tenda AC9 1.0 via the user supplied sys.vendor configuration value.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-57638
Published : Sept. 23, 2025, 7:15 p.m. | 4 hours, 7 minutes ago
Description : Buffer overflow vulnerability in Tenda AC9 1.0 via the user supplied sys.vendor configuration value.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-57636 - D-Link C1 OS Command Injection Vulnerability
CVE ID : CVE-2025-57636
Published : Sept. 23, 2025, 8:15 p.m. | 3 hours, 7 minutes ago
Description : OS Command injection vulnerability in D-Link C1 2020-02-21. The sub_47F028 function in jhttpd contains a command injection vulnerability via the HTTP parameter "time".
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-57636
Published : Sept. 23, 2025, 8:15 p.m. | 3 hours, 7 minutes ago
Description : OS Command injection vulnerability in D-Link C1 2020-02-21. The sub_47F028 function in jhttpd contains a command injection vulnerability via the HTTP parameter "time".
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59825 - astral-tokio-tar has a path traversal in tar extraction
CVE ID : CVE-2025-59825
Published : Sept. 23, 2025, 8:15 p.m. | 3 hours, 7 minutes ago
Description : astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59825
Published : Sept. 23, 2025, 8:15 p.m. | 3 hours, 7 minutes ago
Description : astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56311 - C-Data Technology Co. FD602GW-DX-R410 Router CSRF Reboot Vulnerability
CVE ID : CVE-2025-56311
Published : Sept. 23, 2025, 9:15 p.m. | 2 hours, 6 minutes ago
Description : In Shenzhen C-Data Technology Co. FD602GW-DX-R410 (firmware v2.2.14), the web management interface contains an authenticated CSRF vulnerability on the reboot endpoint (/boaform/admin/formReboot). An attacker can craft a malicious webpage that, when visited by an authenticated administrator, causes the router to reboot without explicit user consent. This lack of CSRF protection on a sensitive administrative function can lead to denial of service by disrupting network availability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56311
Published : Sept. 23, 2025, 9:15 p.m. | 2 hours, 6 minutes ago
Description : In Shenzhen C-Data Technology Co. FD602GW-DX-R410 (firmware v2.2.14), the web management interface contains an authenticated CSRF vulnerability on the reboot endpoint (/boaform/admin/formReboot). An attacker can craft a malicious webpage that, when visited by an authenticated administrator, causes the router to reboot without explicit user consent. This lack of CSRF protection on a sensitive administrative function can lead to denial of service by disrupting network availability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58354 - Kata Containers coco-tdx malicious host can circumvent initdata verification
CVE ID : CVE-2025-58354
Published : Sept. 23, 2025, 9:15 p.m. | 2 hours, 6 minutes ago
Description : Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail IO operations to skip initdata verification. This allows an attacker to launch arbitrary workloads while being able to attest successfully to Trustee impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58354
Published : Sept. 23, 2025, 9:15 p.m. | 2 hours, 6 minutes ago
Description : Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail IO operations to skip initdata verification. This allows an attacker to launch arbitrary workloads while being able to attest successfully to Trustee impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59826 - FlagForgeCTF Vulnerable to Unauthorized Problem Creation
CVE ID : CVE-2025-59826
Published : Sept. 23, 2025, 9:15 p.m. | 2 hours, 6 minutes ago
Description : Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges, potentially introducing malicious, incorrect, or misleading content. This issue has been patched in version 2.2.0.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59826
Published : Sept. 23, 2025, 9:15 p.m. | 2 hours, 6 minutes ago
Description : Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges, potentially introducing malicious, incorrect, or misleading content. This issue has been patched in version 2.2.0.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-21927 - VMware vCenter Server Denial of Service (DoS)
CVE ID : CVE-2024-21927
Published : Sept. 23, 2025, 10:15 p.m. | 1 hour, 7 minutes ago
Description : Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to use certain special characters in manipulated Redfish® API commands, causing service processes like OpenBMC to crash and reset, potentially resulting in denial of service.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-21927
Published : Sept. 23, 2025, 10:15 p.m. | 1 hour, 7 minutes ago
Description : Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to use certain special characters in manipulated Redfish® API commands, causing service processes like OpenBMC to crash and reset, potentially resulting in denial of service.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-21935 - Dell PowerEdge Redfish API File Manipulation Vulnerability
CVE ID : CVE-2024-21935
Published : Sept. 23, 2025, 10:15 p.m. | 1 hour, 7 minutes ago
Description : Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to manipulate Redfish® API commands to remove files from the local root directory, potentially resulting in data corruption.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-21935
Published : Sept. 23, 2025, 10:15 p.m. | 1 hour, 7 minutes ago
Description : Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to manipulate Redfish® API commands to remove files from the local root directory, potentially resulting in data corruption.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54855 - AutomationDirect CLICK PLUS Cleartext Storage of Sensitive Information
CVE ID : CVE-2025-54855
Published : Sept. 23, 2025, 10:15 p.m. | 1 hour, 7 minutes ago
Description : Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54855
Published : Sept. 23, 2025, 10:15 p.m. | 1 hour, 7 minutes ago
Description : Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...