CVE-2025-65966 - OneUptime Unauthorized User Creation via API
CVE ID : CVE-2025-65966
Published : Nov. 26, 2025, 6:10 p.m.
Description : OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0.
Severity: 0.0 | NA
CVE-2025-66028 - OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
CVE ID : CVE-2025-66028
Published : Nov. 26, 2025, 6:11 p.m.
Description : OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567.
Severity: 0.0 | NA
CVE-2025-11461 - Frappe CRM 1.53.1 — Multiple SQL Injections in Dashboard Controller
CVE ID : CVE-2025-11461
Published : Nov. 26, 2025, 6:15 p.m.
Description : Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.
Severity: 7.1 | HIGH
CVE-2025-13084 - Opto 22 groov View Exposure of Sensitive Information Through Metadata
CVE ID : CVE-2025-13084
Published : Nov. 26, 2025, 6:15 p.m.
Description : The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.
Severity: 7.6 | HIGH
CVE-2025-20373 - Sensitive Information Disclosure in “_internal” index through Splunk Add-On for Palo Alto Networks
CVE ID : CVE-2025-20373
Published : Nov. 26, 2025, 6:15 p.m.
Description : In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts”. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information.
Severity: 2.7 | LOW
CVE-2025-2486 - UEFI Shell accessible in AAVMF with Secure Boot enabled on Ubuntu
CVE ID : CVE-2025-2486
Published : Nov. 26, 2025, 6:15 p.m.
Description : The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
Severity: 3.7 | LOW
CVE-2025-55469 - Youlai-Boot Privilege Escalation Vulnerability
CVE ID : CVE-2025-55469
Published : Nov. 26, 2025, 6:15 p.m.
Description : Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
Severity: 0.0 | NA
CVE-2025-55471 - Youlai-Boot User Data Exposure
CVE ID : CVE-2025-55471
Published : Nov. 26, 2025, 6:15 p.m.
Description : Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.
Severity: 0.0 | NA
CVE-2025-64126 - Zenitel TCIV-3+ OS Command Injection
CVE ID : CVE-2025-64126
Published : Nov. 26, 2025, 6:15 p.m.
Description : An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
Severity: 10.0 | CRITICAL
CVE-2025-64127 - Zenitel TCIV-3+ OS Command Injection
CVE ID : CVE-2025-64127
Published : Nov. 26, 2025, 6:15 p.m.
Description : An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.
Severity: 10.0 | CRITICAL
CVE-2025-64128 - Zenitel TCIV-3+ OS Command Injection
CVE ID : CVE-2025-64128
Published : Nov. 26, 2025, 6:15 p.m.
Description : An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.
Severity: 10.0 | CRITICAL
CVE-2025-64129 - Zenitel TCIV-3+ Out-of-bounds Write
CVE ID : CVE-2025-64129
Published : Nov. 26, 2025, 6:15 p.m.
Description : Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.
Severity: 7.6 | HIGH
CVE-2025-64130 - Zenitel TCIV-3+ Cross-site Scripting
CVE ID : CVE-2025-64130
Published : Nov. 26, 2025, 6:15 p.m.
Description : Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.
Severity: 9.8 | CRITICAL
CVE-2021-4472 - Python-mistralclient: mistral-dashboard: local file inclusion through the 'create workbook' feature
CVE ID : CVE-2021-4472
Published : Nov. 26, 2025, 6:31 p.m.
Description : The mistral-dashboard plugin for OpenStack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of the content of arbitrary local files.
Severity: 6.5 | MEDIUM
CVE-2025-26155 - NCP Secure Enterprise Client Untrusted Search Path Vulnerability
CVE ID : CVE-2025-26155
Published : Nov. 26, 2025, 7:15 p.m.
Description : NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.
Severity: 0.0 | NA
CVE-2025-65669 - Classroomio Course Deletion Authorization Bypass Vulnerability
CVE ID : CVE-2025-65669
Published : Nov. 26, 2025, 7:15 p.m.
Description : An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.
Severity: 0.0 | NA
CVE-2025-65672 - Classroomio IDOR Vulnerability
CVE ID : CVE-2025-65672
Published : Nov. 26, 2025, 7:15 p.m.
Description : Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
Severity: 0.0 | NA
CVE-2025-65675 - Classroomio LMS Stored XSS
CVE ID : CVE-2025-65675
Published : Nov. 26, 2025, 7:15 p.m.
Description : Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.
Severity: 0.0 | NA
CVE-2025-65676 - Classroomio LMS Stored Cross-Site Scripting (XSS)
CVE ID : CVE-2025-65676
Published : Nov. 26, 2025, 7:15 p.m.
Description : Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.
Severity: 0.0 | NA
CVE-2025-65681 - Overhang.IO (tutor-open-edx) Information Disclosure
CVE ID : CVE-2025-65681
Published : Nov. 26, 2025, 7:15 p.m.
Description : An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks.
Severity: 0.0 | NA
CVE-2025-12571 - Allocation of Resources Without Limits or Throttling in GitLab
CVE ID : CVE-2025-12571
Published : Nov. 26, 2025, 8:15 p.m.
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads.
Severity: 7.5 | HIGH