CVE-2024-44652 - Kashipara Ecommerce Website SQL Injection
CVE ID : CVE-2024-44652
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email, username, user_firstname, user_lastname, and user_address parameters in user_register.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44652
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email, username, user_firstname, user_lastname, and user_address parameters in user_register.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-46334 - Kashipara School Management System Cross Site Scripting (XSS)
CVE ID : CVE-2024-46334
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-46334
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-46336 - Kashipara School Management System XSS
CVE ID : CVE-2024-46336
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-46336
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13193 - Libvirt: information disclosure via world-readable vm snapshots
CVE ID : CVE-2025-13193
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13193
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13290 - code-projects Simple Food Ordering System saveorder.php sql injection
CVE ID : CVE-2025-13290
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : A vulnerability has been found in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /saveorder.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13290
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : A vulnerability has been found in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /saveorder.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13291 - Campcodes Supplier Management System confirm_order.php sql injection
CVE ID : CVE-2025-13291
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : A vulnerability was found in Campcodes Supplier Management System 1.0. This affects an unknown part of the file /manufacturer/confirm_order.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13291
Published : Nov. 17, 2025, 5:15 p.m. | 24 minutes ago
Description : A vulnerability was found in Campcodes Supplier Management System 1.0. This affects an unknown part of the file /manufacturer/confirm_order.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13319 - Authenticated SQL injection in API - Digi On-Prem Manager
CVE ID : CVE-2025-13319
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13319
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58410 - GPU DDK - Multiple calls into PhysmemGEMPrimeExport can inherit write access permission for an existing read-only dma_buf import PMR
CVE ID : CVE-2025-58410
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58410
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62519 - phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
CVE ID : CVE-2025-62519
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62519
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63917 - Adobe PDFPatcher XXE Filesystem Disclosure and Exfiltration
CVE ID : CVE-2025-63917
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63917
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63918 - Adobe PDFPatcher Directory Traversal Vulnerability
CVE ID : CVE-2025-63918
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks allowing attackers to upload arbitrary files to arbitrary locations.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63918
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks allowing attackers to upload arbitrary files to arbitrary locations.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58407 - GPU DDK - TOCTOU bug affecting psFWMemContext->uiPageCatBaseRegSet
CVE ID : CVE-2025-58407
Published : Nov. 17, 2025, 5:18 p.m. | 21 minutes ago
Description : Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58407
Published : Nov. 17, 2025, 5:18 p.m. | 21 minutes ago
Description : Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55058 - Apache Struts SQL Injection
CVE ID : CVE-2025-55058
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-20 Improper Input Validation
Severity: 4.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55058
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-20 Improper Input Validation
Severity: 4.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55059 - Apache Struts Cross-site Scripting Vulnerability
CVE ID : CVE-2025-55059
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55059
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64342 - ESF-IDF's ESP32 Bluetooth Controller Has an Invalid Access Address Vulnerability
CVE ID : CVE-2025-64342
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64342
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64756 - glob CLI: Command injection via -c/--cmd executes matches with shell:true
CVE ID : CVE-2025-64756
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64756
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64758 - @dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message
CVE ID : CVE-2025-64758
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64758
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44654 - PHPGurukul Complaint Management System SQL Injection Vulnerability
CVE ID : CVE-2024-44654
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the email and mobileno parameters in reset-password.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44654
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the email and mobileno parameters in reset-password.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44655 - PHPGurukul Complaint Management System Cross Site Scripting (XSS)
CVE ID : CVE-2024-44655
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44655
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44658 - PHPGurukul Complaint Management System SQL Injection
CVE ID : CVE-2024-44658
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44658
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44660 - PHPGurukul Online Shopping Portal SQL Injection
CVE ID : CVE-2024-44660
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the fullname, emailid, and contactno parameters in login.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44660
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the fullname, emailid, and contactno parameters in login.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...