CVE-2025-65095 - Lookyloo is vulnerable due to improper user input sanitization
CVE ID : CVE-2025-65095
Published : Nov. 19, 2025, 6:15 p.m. | 2 hours, 7 minutes ago
Description : Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on index and tree page. This issue has been patched in version 1.35.1.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65095
Published : Nov. 19, 2025, 6:15 p.m. | 2 hours, 7 minutes ago
Description : Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on index and tree page. This issue has been patched in version 1.35.1.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65103 - OpenSTAManager has an authenticated SQL Injection vulnerability in API via 'display' parameter
CVE ID : CVE-2025-65103
Published : Nov. 19, 2025, 7:09 p.m. | 1 hour, 14 minutes ago
Description : OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. This issue has been patched in version 2.9.5.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65103
Published : Nov. 19, 2025, 7:09 p.m. | 1 hour, 14 minutes ago
Description : OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. This issue has been patched in version 2.9.5.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63211 - Bridgetech VBC Server & Element Manager Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-63211
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63211
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64759 - Homarr is Vulnerable to Stored Cross-Site Scripting (XSS) and Possible Privilege Escalation via Malicious SVG Upload
CVE ID : CVE-2025-64759
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64759
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65094 - WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)
CVE ID : CVE-2025-65094
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65094
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65100 - Security Snapshot May Use Unintended Timestamp When Only ISAR_APT_SNAPSHOT_DATE Is Set
CVE ID : CVE-2025-65100
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue has been patched via commit 738bcbb.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65100
Published : Nov. 19, 2025, 7:15 p.m. | 1 hour, 7 minutes ago
Description : Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue has been patched via commit 738bcbb.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36371 - IBM i Information Disclosure
CVE ID : CVE-2025-36371
Published : Nov. 19, 2025, 7:45 p.m. | 38 minutes ago
Description : IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by obtaining an information vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36371
Published : Nov. 19, 2025, 7:45 p.m. | 38 minutes ago
Description : IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by obtaining an information vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-51661 - FileCodeBox Path Traversal Remote File Write
CVE ID : CVE-2025-51661
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to /share/file/ upload endpoint, which does not require any authorization.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-51661
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to /share/file/ upload endpoint, which does not require any authorization.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-51662 - FileCodeBox Stored XSS
CVE ID : CVE-2025-51662
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : A stored cross-site scripting (XSS) vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers of any users who try to access the infected codebox by clicking link or entering share code.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-51662
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : A stored cross-site scripting (XSS) vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The xss payload is automatically executed in the browsers of any users who try to access the infected codebox by clicking link or entering share code.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-51663 - FileCodeBox IP Rate Limit Bypass Remote Denial of Service
CVE ID : CVE-2025-51663
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : A vulnerability found in IPRateLimit implementation of FileCodeBox up to 2.2 allows remote attackers to bypass ip-based rate limit protection and failed attempt restrictions by faking X-Real-IP and X-Forwarded-For HTTP headers. This can enable attackers to perform DoS attacks or brute force share codes.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-51663
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : A vulnerability found in IPRateLimit implementation of FileCodeBox up to 2.2 allows remote attackers to bypass ip-based rate limit protection and failed attempt restrictions by faking X-Real-IP and X-Forwarded-For HTTP headers. This can enable attackers to perform DoS attacks or brute force share codes.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63212 - GatesAir Flexiva-LX Session Hijacking Vulnerability
CVE ID : CVE-2025-63212
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63212
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63213 - QVidium Opera11 Remote Code Execution (RCE) Vulnerability
CVE ID : CVE-2025-63213
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted GET request with a malicious parameter to inject arbitrary commands. These commands are executed with root privileges, allowing attackers to gain full control over the device. This poses a significant security risk to any device running this software.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63213
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted GET request with a malicious parameter to inject arbitrary commands. These commands are executed with root privileges, allowing attackers to gain full control over the device. This poses a significant security risk to any device running this software.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63214 - Bridgetech VBC Server & Element Manager Account Creation/Deletion Vulnerability
CVE ID : CVE-2025-63214
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : An issue was discovered in bridgetech VBC Server & Element Manager, firmware version 6.5.0-10 , 6.5.0-9, allowing unauthorized attackers to delete and create arbitrary accounts.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63214
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : An issue was discovered in bridgetech VBC Server & Element Manager, firmware version 6.5.0-10 , 6.5.0-9, allowing unauthorized attackers to delete and create arbitrary accounts.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63932 - D-Link Router DIR-868L Remote Code Execution Vulnerability
CVE ID : CVE-2025-63932
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : D-Link Router DIR-868L A1 FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. The HNAP service provided by cgibin does not filter the HTTP SOAPAction header field. The unauthenticated remote attacker can execute the shell command.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63932
Published : Nov. 19, 2025, 8:15 p.m. | 4 hours, 8 minutes ago
Description : D-Link Router DIR-868L A1 FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. The HNAP service provided by cgibin does not filter the HTTP SOAPAction header field. The unauthenticated remote attacker can execute the shell command.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13147 - External Service Interaction (DNS)
CVE ID : CVE-2025-13147
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13147
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13410 - Campcodes Retro Basketball Shoes Online Store receipt.php sql injection
CVE ID : CVE-2025-13410
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected is an unknown function of the file /admin/receipt.php. Such manipulation of the argument tid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13410
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected is an unknown function of the file /admin/receipt.php. Such manipulation of the argument tid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13411 - Campcodes Retro Basketball Shoes Online Store admin_football.php unrestricted upload
CVE ID : CVE-2025-13411
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Performing manipulation of the argument product_image results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13411
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Performing manipulation of the argument product_image results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13412 - Campcodes Retro Basketball Shoes Online Store admin_running.php cross site scripting
CVE ID : CVE-2025-13412
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : A vulnerability was determined in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_running.php. Executing manipulation of the argument product_name can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13412
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : A vulnerability was determined in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_running.php. Executing manipulation of the argument product_name can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-47914 - CVE-2025-47914 in golang.org/x/crypto/ssh/agent
CVE ID : CVE-2025-47914
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-47914
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58181 - CVE-2025-58181 in golang.org/x/crypto/ssh
CVE ID : CVE-2025-58181
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58181
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63371 - OneCommander Directory Traversal Vulnerability
CVE ID : CVE-2025-63371
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : Milos Paripovic OneCommander 3.102.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63371
Published : Nov. 19, 2025, 9:15 p.m. | 3 hours, 8 minutes ago
Description : Milos Paripovic OneCommander 3.102.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...