CVE-2025-37160 - Authenticated Broken Access Control (BAC) in REST API Configuration Service
CVE ID : CVE-2025-37160
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-37160
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-37163 - Authenticated Command Injection Vulnerability in HPE Aruba Networking Management Software (AirWave) CLI
CVE ID : CVE-2025-37163
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-37163
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52639 - HCL Connections is vulnerable to sensitive information disclosure
CVE ID : CVE-2025-52639
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52639
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54320 - Ascertia SigningHub Email Bombing Vulnerability
CVE ID : CVE-2025-54320
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54320
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54321 - Ascertia SigningHub Email Bombing Vulnerability
CVE ID : CVE-2025-54321
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54321
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54770 - Grub2: use-after-free in net_set_vlan
CVE ID : CVE-2025-54770
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54770
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54771 - Grub2: use-after-free in grub_file_close()
CVE ID : CVE-2025-54771
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-54771
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-56499 - Mihomo Arbitrary File Read Vulnerability
CVE ID : CVE-2025-56499
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-56499
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60455 - Modular Max Serve Deserialization Code Execution Vulnerability
CVE ID : CVE-2025-60455
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60455
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61661 - Grub2: out-of-bounds write
CVE ID : CVE-2025-61661
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61661
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61662 - Grub2: missing unregister call for gettext command may lead to use-after-free
CVE ID : CVE-2025-61662
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61662
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61663 - Grub2: missing unregister call for normal commands may lead to use-after-free
CVE ID : CVE-2025-61663
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61663
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61664 - Grub2: missing unregister call for normal_exit command may lead to use-after-free
CVE ID : CVE-2025-61664
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61664
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63225 - Eurolab ELTS100_UBX Unauthenticated Administrative Access
CVE ID : CVE-2025-63225
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63225
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63693 - DzzOffice Cross-Site Scripting (XSS) Vulnerability
CVE ID : CVE-2025-63693
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63693
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63749 - pnetlab Qemu Command Injection Vulnerability
CVE ID : CVE-2025-63749
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : pnetlab 5.3.11 is vulnerable to Command Injection via the qemu_options parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63749
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : pnetlab 5.3.11 is vulnerable to Command Injection via the qemu_options parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63955 - PHPGurukul Student Record System CSRF Vulnerability
CVE ID : CVE-2025-63955
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A Cross-Site Request Forgery (CSRF) vulnerability in the manage-students.php component of PHPGurukul Student Record System v3.2 allows an attacker to trick an authenticated administrator into submitting a forged request. This leads to the unauthorized deletion of user accounts, causing a Denial of Service (DoS).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63955
Published : Nov. 18, 2025, 7:15 p.m. | 2 hours, 31 minutes ago
Description : A Cross-Site Request Forgery (CSRF) vulnerability in the manage-students.php component of PHPGurukul Student Record System v3.2 allows an attacker to trick an authenticated administrator into submitting a forged request. This leads to the unauthorized deletion of user accounts, causing a Denial of Service (DoS).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-37161 - Unauthenticated Remote Denial-of-Service (DoS) Vulnerability in Web Management Interface
CVE ID : CVE-2025-37161
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker to crash the system, preventing it from rebooting without manual intervention and disrupting network operations.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-37161
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker to crash the system, preventing it from rebooting without manual intervention and disrupting network operations.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-37162 - Authenticated Command Injection Vulnerability Leading to Arbitrary Remote Command Execution
CVE ID : CVE-2025-37162
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-37162
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63226 - Sencore SMP100 Session Hijacking Vulnerability
CVE ID : CVE-2025-63226
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63226
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63227 - Mozart FM Transmitter Unrestricted File Upload Vulnerability
CVE ID : CVE-2025-63227
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary files (e.g., PHP webshells), which are stored in the /patch/ directory. This allows the attacker to execute arbitrary commands on the server, potentially leading to full system compromise.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63227
Published : Nov. 18, 2025, 8:15 p.m. | 1 hour, 31 minutes ago
Description : The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary files (e.g., PHP webshells), which are stored in the /patch/ directory. This allows the attacker to execute arbitrary commands on the server, potentially leading to full system compromise.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...