CVE-2025-13595 - CIBELES AI <= 1.10.8 - Unauthenticated Arbitrary File Upload
CVE ID : CVE-2025-13595
Published : Nov. 25, 2025, 10:28 p.m. | 33 minutes ago
Description : The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13595
Published : Nov. 25, 2025, 10:28 p.m. | 33 minutes ago
Description : The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13597 - AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload
CVE ID : CVE-2025-13597
Published : Nov. 25, 2025, 10:28 p.m. | 33 minutes ago
Description : The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13597
Published : Nov. 25, 2025, 10:28 p.m. | 33 minutes ago
Description : The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65952 - Console is vulnerable to path traversal regarding custom assets
CVE ID : CVE-2025-65952
Published : Nov. 25, 2025, 10:54 p.m. | 7 minutes ago
Description : Console is a network used to control Gorilla Tag mods' users and other users on the network. Prior to version 2.8.0, a path traversal vulnerability exists where complicated combinations of backslashes and periods can be used to escape the Gorilla Tag path and write to unwanted directories. This issue has been patched in version 2.8.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65952
Published : Nov. 25, 2025, 10:54 p.m. | 7 minutes ago
Description : Console is a network used to control Gorilla Tag mods' users and other users on the network. Prior to version 2.8.0, a path traversal vulnerability exists where complicated combinations of backslashes and periods can be used to escape the Gorilla Tag path and write to unwanted directories. This issue has been patched in version 2.8.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64657 - Azure Application Gateway Elevation of Privilege Vulnerability
CVE ID : CVE-2025-64657
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64657
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66250 - Unauthenticated Arbitrary File Upload (status_contents.php)
CVE ID : CVE-2025-66250
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66250
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66251 - Unauthenticated Path Traversal with Arbitrary File Deletion
CVE ID : CVE-2025-66251
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows path traversal deletion of arbitrary .tgz files.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66251
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows path traversal deletion of arbitrary .tgz files.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66252 - Infinite Loop Denial of Service via Failed File Deletion
CVE ID : CVE-2025-66252
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in status_contents.php causing DoS. Due to the fact that the unlink operation is done in a while loop; if an immutable file is specified or otherwise a file in which the process has no permissions to delete; it would repeatedly attempt to do in a loop.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66252
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in status_contents.php causing DoS. Due to the fact that the unlink operation is done in a while loop; if an immutable file is specified or otherwise a file in which the process has no permissions to delete; it would repeatedly attempt to do in a loop.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66253 - Unauthenticated OS Command Injection (start_upgrade.php)
CVE ID : CVE-2025-66253
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php. The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66253
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php. The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66254 - Unauthenticated Arbitrary File Deletion (upgrade_contents.php)
CVE ID : CVE-2025-66254
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files. The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66254
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files. The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66255 - Unauthenticated Arbitrary File Upload (upgrade_contents.php)
CVE ID : CVE-2025-66255
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66255
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66256 - Unauthenticated Arbitrary File Upload (patch_contents.php)
CVE ID : CVE-2025-66256
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files. The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files.
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66256
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files. The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files.
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66257 - Unauthenticated Arbitrary File Deletion (patch_contents.php)
CVE ID : CVE-2025-66257
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66257
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66258 - Stored Cross-Site Scripting via XML Injection
CVE ID : CVE-2025-66258
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `.bin`). The XSS executes when ajax.js processes and renders the XML file.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Invalid media: image
CVE ID : CVE-2025-66258
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `.bin`). The XSS executes when ajax.js processes and renders the XML file.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Invalid media: image
CVE-2025-66259 - Authenticated Root Remote Code Execution through improper filtering of HTTP post request parameters
CVE ID : CVE-2025-66259
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66259
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66260 - PostgreSQL SQL Injection (status_sql.php)
CVE ID : CVE-2025-66260
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66260
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66261 - Unauthenticated OS Command Injection (restore_settings.php)
CVE ID : CVE-2025-66261
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution. The `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66261
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution. The `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66262 - Arbitrary File Overwrite via Tar Extraction Path Traversal
CVE ID : CVE-2025-66262
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66262
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66263 - Unauthenticated Arbitrary File Read via Null Byte Injection
CVE ID : CVE-2025-66263
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.
Severity: 8.9 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66263
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.
Severity: 8.9 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66264 - Unquoted Service path in UPSilon2000V6.0 SYSTEM privilege service
CVE ID : CVE-2025-66264
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : The CMService.exe service runs with SYSTEM privileges and contains an unquoted service path. This allows a local attacker with write privileges to the filesystem to insert a malicious executable in the path, leading to privilege escalation.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66264
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : The CMService.exe service runs with SYSTEM privileges and contains an unquoted service path. This allows a local attacker with write privileges to the filesystem to insert a malicious executable in the path, leading to privilege escalation.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66265 - Insecure permissions in configuration directory (C:\\usr)
CVE ID : CVE-2025-66265
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : CMService.exe creates the C:\\usr directory and subdirectories with insecure permissions, granting write access to all authenticated users. This allows attackers to replace configuration files (such as snmp.conf) or hijack DLLs to escalate privileges.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66265
Published : Nov. 26, 2025, 1:16 a.m. | 1 hour, 48 minutes ago
Description : CMService.exe creates the C:\\usr directory and subdirectories with insecure permissions, granting write access to all authenticated users. This allows attackers to replace configuration files (such as snmp.conf) or hijack DLLs to escalate privileges.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66025 - Caido Improperly Handles External Links in Markdown
CVE ID : CVE-2025-66025
Published : Nov. 26, 2025, 1:59 a.m. | 1 hour, 5 minutes ago
Description : Caido is a web security auditing toolkit. Prior to version 0.53.0, the Markdown renderer used in Caido’s Findings page improperly handled user-supplied Markdown, allowing attacker-controlled links to be rendered without confirmation. When a user opened a finding generated through the scanner, or other plugins, clicking these injected links could redirect the Caido application to an attacker-controlled domain, enabling phishing style attacks. This issue has been patched in version 0.53.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66025
Published : Nov. 26, 2025, 1:59 a.m. | 1 hour, 5 minutes ago
Description : Caido is a web security auditing toolkit. Prior to version 0.53.0, the Markdown renderer used in Caido’s Findings page improperly handled user-supplied Markdown, allowing attacker-controlled links to be rendered without confirmation. When a user opened a finding generated through the scanner, or other plugins, clicking these injected links could redirect the Caido application to an attacker-controlled domain, enabling phishing style attacks. This issue has been patched in version 0.53.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...