CVE-2025-65236 - OpenCode Systems USSD Gateway SQL Injection Vulnerability
CVE ID : CVE-2025-65236
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65236
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65237 - OpenCode Systems USSD Gateway XSS
CVE ID : CVE-2025-65237
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65237
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65238 - OpenCode Systems USSD Gateway Privilege Escalation Vulnerability
CVE ID : CVE-2025-65238
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65238
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65239 - OpenCode Systems USSD Gateway Access Control Vulnerability
CVE ID : CVE-2025-65239
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65239
Published : Nov. 26, 2025, 5:15 p.m. | 1 hour, 51 minutes ago
Description : Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65966 - OneUptime Unauthorized User Creation via API
CVE ID : CVE-2025-65966
Published : Nov. 26, 2025, 6:10 p.m. | 57 minutes ago
Description : OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65966
Published : Nov. 26, 2025, 6:10 p.m. | 57 minutes ago
Description : OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66028 - OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
CVE ID : CVE-2025-66028
Published : Nov. 26, 2025, 6:11 p.m. | 55 minutes ago
Description : OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66028
Published : Nov. 26, 2025, 6:11 p.m. | 55 minutes ago
Description : OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11461 - Frappe CRM 1.53.1 — Multiple SQL Injections in Dashboard Controller
CVE ID : CVE-2025-11461
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11461
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13084 - Opto 22 groov View Exposure of Sensitive Information Through Metadata
CVE ID : CVE-2025-13084
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13084
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20373 - Sensitive Information Disclosure in “_internal“ index through Splunk Add-On for Palo Alto Networks
CVE ID : CVE-2025-20373
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts“. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20373
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts“. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2486 - UEFI Shell accessible in AAVMF with Secure Boot enabled on Ubuntu
CVE ID : CVE-2025-2486
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2486
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55469 - Youlai-Boot Privilege Escalation Vulnerability
CVE ID : CVE-2025-55469
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55469
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55471 - Youlai-Boot User Data Exposure
CVE ID : CVE-2025-55471
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55471
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64126 - Zenitel TCIV-3+ OS Command Injection
CVE ID : CVE-2025-64126
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64126
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64127 - Zenitel TCIV-3+ OS Command Injection
CVE ID : CVE-2025-64127
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64127
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64128 - Zenitel TCIV-3+ OS Command Injection
CVE ID : CVE-2025-64128
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64128
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64129 - Zenitel TCIV-3+ Out-of-bounds Write
CVE ID : CVE-2025-64129
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64129
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64130 - Zenitel TCIV-3+ Cross-site Scripting
CVE ID : CVE-2025-64130
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64130
Published : Nov. 26, 2025, 6:15 p.m. | 51 minutes ago
Description : Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2021-4472 - Python-mistralclient: mistral-dashboard: local file inclusion through the 'create workbook' feature
CVE ID : CVE-2021-4472
Published : Nov. 26, 2025, 6:31 p.m. | 36 minutes ago
Description : The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2021-4472
Published : Nov. 26, 2025, 6:31 p.m. | 36 minutes ago
Description : The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-26155 - NCP Secure Enterprise Client Untrusted Search Path Vulnerability
CVE ID : CVE-2025-26155
Published : Nov. 26, 2025, 7:15 p.m. | 1 hour, 52 minutes ago
Description : NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-26155
Published : Nov. 26, 2025, 7:15 p.m. | 1 hour, 52 minutes ago
Description : NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65669 - Classroomio Course Deletion Authorization Bypass Vulnerability
CVE ID : CVE-2025-65669
Published : Nov. 26, 2025, 7:15 p.m. | 1 hour, 52 minutes ago
Description : An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65669
Published : Nov. 26, 2025, 7:15 p.m. | 1 hour, 52 minutes ago
Description : An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65672 - Classroomio IDOR Vulnerability
CVE ID : CVE-2025-65672
Published : Nov. 26, 2025, 7:15 p.m. | 1 hour, 52 minutes ago
Description : Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65672
Published : Nov. 26, 2025, 7:15 p.m. | 1 hour, 52 minutes ago
Description : Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...