CVE tracker
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2025-13274 - Campcodes School Fees Payment Management System ajax.php sql injection

CVE ID : CVE-2025-13274
Published : Nov. 17, 2025, 10:15 a.m. | 3 hours, 22 minutes ago
Description : A weakness has been identified in Campcodes School Fees Payment Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_fees. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13275 - Iqbolshoh php-business-website about.php unrestricted upload

CVE ID : CVE-2025-13275
Published : Nov. 17, 2025, 11:15 a.m. | 2 hours, 22 minutes ago
Description : A security vulnerability has been detected in Iqbolshoh php-business-website up to 10677743a8dfc281f85291a27cf63a0bce043c24. This affects an unknown part of the file /admin/about.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available.
Severity: 5.8 | MEDIUM
CVE-2025-13276 - g33kyrash Online-Banking-System index.php sql injection

CVE ID : CVE-2025-13276
Published : Nov. 17, 2025, 11:15 a.m. | 2 hours, 22 minutes ago
Description : A vulnerability was detected in g33kyrash Online-Banking-System up to 12dbfa690e5af649fb72d2e5d3674e88d6743455. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument Username results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.
Severity: 7.5 | HIGH
CVE-2025-11681 - Denial of Service condition in M-Files Server

CVE ID : CVE-2025-11681
Published : Nov. 17, 2025, 12:15 p.m. | 1 hour, 22 minutes ago
Description : Denial-of-service condition in M-Files Server versions before 25.11.15392.1 allows an authenticated user to cause the MFserver process to crash.
Severity: 7.1 | HIGH
CVE-2025-13277 - code-projects Nero Social Networking Site friendsphoto.php sql injection

CVE ID : CVE-2025-13277
Published : Nov. 17, 2025, 12:15 p.m. | 1 hour, 22 minutes ago
Description : A flaw has been found in code-projects Nero Social Networking Site 1.0. This issue affects some unknown processing of the file /friendsphoto.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
Severity: 7.5 | HIGH
CVE-2025-40834 - Mendix RichText Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-40834
Published : Nov. 17, 2025, 12:15 p.m. | 1 hour, 22 minutes ago
Description : A vulnerability has been identified in Mendix RichText (All versions >= V4.0.0 < V4.6.1). Affected widget does not properly neutralize the input. This could allow an attacker to execute cross-site scripting attacks.
Severity: 5.7 | MEDIUM
CVE-2025-40936 - Parasolid PS/IGES Out-of-Bounds Read Vulnerability

CVE ID : CVE-2025-40936
Published : Nov. 17, 2025, 12:15 p.m. | 1 hour, 22 minutes ago
Description : A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V29.0.258). The affected application contains an out-of-bounds read vulnerability while parsing specially crafted IGS files. This could allow an attacker to crash the application or execute code in the context of the current process. (ZDI-CAN-26755)
Severity: 7.8 | HIGH
CVE-2025-13278 - projectworlds Advanced Library Management System borrowed_book_search.php sql injection

CVE ID : CVE-2025-13278
Published : Nov. 17, 2025, 1:15 p.m. | 22 minutes ago
Description : A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /borrowed_book_search.php. Such manipulation of the argument datefrom/dateto leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.5 | MEDIUM
CVE-2025-13279 - code-projects Nero Social Networking Site profilefriends.php sql injection

CVE ID : CVE-2025-13279
Published : Nov. 17, 2025, 1:15 p.m. | 22 minutes ago
Description : A vulnerability was found in code-projects Nero Social Networking Site 1.0. The affected element is an unknown function of the file /profilefriends.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.
Severity: 6.5 | MEDIUM
CVE-2025-13280 - CodeAstro Simple Inventory System Login index.php sql injection

CVE ID : CVE-2025-13280
Published : Nov. 17, 2025, 1:15 p.m. | 22 minutes ago
Description : A vulnerability was determined in CodeAstro Simple Inventory System 1.0. The impacted element is an unknown function of the file /index.php of the component Login. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 7.5 | HIGH
CVE-2025-4321 - DoS in RS9116W-WiSeConnect L2CAP protocol due to reception of malformed packets

CVE ID : CVE-2025-4321
Published : Nov. 17, 2025, 3:15 p.m. | 2 hours, 23 minutes ago
Description : A Bluetooth device using the RS9116-WiseConnect SDK experiences a Denial of Service if it receives malformed L2CAP packets; only a hard reset will bring the device back to normal operation.
Severity: 7.1 | HIGH
CVE-2025-13288 - Tenda CH22 PPTPUserSetting fromPptpUserSetting buffer overflow

CVE ID : CVE-2025-13288
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 24 minutes ago
Description : A security vulnerability has been detected in Tenda CH22 1.0.0.1. This impacts the function fromPptpUserSetting of the file /goform/PPTPUserSetting. The manipulation of the argument delno leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
Severity: 9.0 | HIGH
CVE-2025-13289 - 1000projects Design & Development of Student Database Management System SubjectDetails.php sql injection

CVE ID : CVE-2025-13289
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 24 minutes ago
Description : A vulnerability was detected in 1000projects Design & Development of Student Database Management System 1.0. Affected is an unknown function of the file /TeacherLogin/Academics/SubjectDetails.php. The manipulation of the argument SubCode results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
Severity: 6.5 | MEDIUM
CVE-2025-63708 - SourceCodester AI Font Matcher XSS

CVE ID : CVE-2025-63708
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 23 minutes ago
Description : Cross-Site Scripting (XSS) vulnerability exists in SourceCodester AI Font Matcher (nid=18425, 2025-10-10) that allows remote attackers to execute arbitrary JavaScript in victims' browsers. The vulnerability occurs in the webfonts API handling mechanism where font family names are not properly sanitized. An attacker can intercept fetch requests to the webfonts endpoint and inject malicious JavaScript payloads through font family names, resulting in session cookie theft, account hijacking, and unauthorized actions performed on behalf of authenticated users. The vulnerability can be exploited by injecting a fetch hook that returns controlled font data containing malicious scripts.
Severity: 6.1 | MEDIUM
CVE-2025-63747 - QaTraq Default Administrative Account Credentials Vulnerability

CVE ID : CVE-2025-63747
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 23 minutes ago
Description : QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access.
Severity: 0.0 | NA
CVE-2025-63748 - QaTraq PHP File Upload Vulnerability

CVE ID : CVE-2025-63748
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 23 minutes ago
Description : QaTraq 6.9.2 allows authenticated users to upload arbitrary files via the "Add Attachment" feature in the "Test Script" module. The application fails to restrict file types, enabling the upload of executable PHP files. Once uploaded, the file can be accessed through the "View Attachment" option, which executes the PHP payload on the server.
Severity: 0.0 | NA
CVE-2025-63916 - MyScreenTools OS Command Injection Vulnerability

CVE ID : CVE-2025-63916
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 23 minutes ago
Description : MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. The application fails to properly sanitize user-supplied file paths before passing them to cmd.exe, allowing attackers to execute arbitrary system commands with the privileges of the user running the application. The vulnerability exists in the CMD() function within GIFSicleTool\Form_gif_sicle_tool.cs, which constructs shell commands by concatenating unsanitized user input (file paths) and executes them via cmd.exe.
Severity: 6.5 | MEDIUM
CVE-2025-64046 - OpenRapid RapidCMS XSS

CVE ID : CVE-2025-64046
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 23 minutes ago
Description : OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php.
Severity: 6.1 | MEDIUM
CVE-2025-65083 - GoSign Desktop Proxy Server TLS Certificate Validation Bypass

CVE ID : CVE-2025-65083
Published : Nov. 17, 2025, 4:15 p.m. | 1 hour, 23 minutes ago
Description : GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from the proxy server to Internet servers succeed even for untrusted or invalid server certificates. In this scenario (which is outside of the product's design objectives), integrity protection could be bypassed. In typical cases of a proxy server for outbound HTTPS traffic from an enterprise, those connections would not succeed. (Admittedly, the usual expectation is that a client application is configured to trust an enterprise CA and does not set SSL_VERIFY_NONE.) Also, it is of course unsafe to place ~/.gosign in the home directory of an untrusted user and then have other users execute downloaded files.
Severity: 3.2 | LOW
CVE-2024-44641 - PHPGurukul Small CRM SQL Injection

CVE ID : CVE-2024-44641
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the oldpass parameter in change-password.php.
Severity: 6.5 | MEDIUM
CVE-2024-44644 - PHPGurukul Small CRM SQL Injection Vulnerability

CVE ID : CVE-2024-44644
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the frm_id and aremark parameters in manage-tickets.php.
Severity: 6.5 | MEDIUM