CVE-2025-15090 - UTT 进取 512W formConfigNoticeConfig strcpy buffer overflow
CVE ID : CVE-2025-15090
Published : Dec. 25, 2025, 11:15 p.m. | 2 hours, 10 minutes ago
Description : A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15090
Published : Dec. 25, 2025, 11:15 p.m. | 2 hours, 10 minutes ago
Description : A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15092 - UTT 进取 512W ConfigExceptMSN strcpy buffer overflow
CVE ID : CVE-2025-15092
Published : Dec. 26, 2025, 12:02 a.m. | 1 hour, 23 minutes ago
Description : A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15092
Published : Dec. 26, 2025, 12:02 a.m. | 1 hour, 23 minutes ago
Description : A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14913 - Frontend Post Submission Manager Lite <= 1.2.6 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion
CVE ID : CVE-2025-14913
Published : Dec. 26, 2025, 12:16 a.m. | 1 hour, 9 minutes ago
Description : The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14913
Published : Dec. 26, 2025, 12:16 a.m. | 1 hour, 9 minutes ago
Description : The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15091 - UTT 进取 512W formPictureUrl strcpy buffer overflow
CVE ID : CVE-2025-15091
Published : Dec. 26, 2025, 12:16 a.m. | 1 hour, 9 minutes ago
Description : A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15091
Published : Dec. 26, 2025, 12:16 a.m. | 1 hour, 9 minutes ago
Description : A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68937 - Forgejo Symlink Destination Template Repository Write Access Vulnerability
CVE ID : CVE-2025-68937
Published : Dec. 26, 2025, 12:16 a.m. | 1 hour, 9 minutes ago
Description : Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68937
Published : Dec. 26, 2025, 12:16 a.m. | 1 hour, 9 minutes ago
Description : Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15093 - sunkaifei FlyCMS Admin Login IndexAdminController.java cross site scripting
CVE ID : CVE-2025-15093
Published : Dec. 26, 2025, 1:02 a.m. | 23 minutes ago
Description : A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15093
Published : Dec. 26, 2025, 1:02 a.m. | 23 minutes ago
Description : A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15094 - sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting
CVE ID : CVE-2025-15094
Published : Dec. 26, 2025, 2:15 a.m. | 3 hours, 11 minutes ago
Description : A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15094
Published : Dec. 26, 2025, 2:15 a.m. | 3 hours, 11 minutes ago
Description : A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68938 - Gitea Authorization Bypass Vulnerability
CVE ID : CVE-2025-68938
Published : Dec. 26, 2025, 2:15 a.m. | 3 hours, 11 minutes ago
Description : Gitea before 1.25.2 mishandles authorization for deletion of releases.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68938
Published : Dec. 26, 2025, 2:15 a.m. | 3 hours, 11 minutes ago
Description : Gitea before 1.25.2 mishandles authorization for deletion of releases.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15095 - postmanlabs httpbin core.py cross site scripting
CVE ID : CVE-2025-15095
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15095
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15097 - Alteryx Server status improper authentication
CVE ID : CVE-2025-15097
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 and 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15097
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 and 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15098 - YunaiV yudao-cloud Business Process Management BpmSyncHttpRequestTrigger server-side request forgery
CVE ID : CVE-2025-15098
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15098
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68939 - Gitea File Extension Bypass Vulnerability
CVE ID : CVE-2025-68939
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68939
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68940 - Gitea Branch Deletion Permission Bypass Vulnerability
CVE ID : CVE-2025-68940
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68940
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68941 - Gitea Privilege Escalation Vulnerability
CVE ID : CVE-2025-68941
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68941
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68942 - Gitea Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-68942
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68942
Published : Dec. 26, 2025, 3:15 a.m. | 2 hours, 11 minutes ago
Description : Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52598 - Insufficient certificate validation
CVE ID : CVE-2025-52598
Published : Dec. 26, 2025, 4:07 a.m. | 1 hour, 19 minutes ago
Description : Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw that camera's client service does not perform certificate validation. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52598
Published : Dec. 26, 2025, 4:07 a.m. | 1 hour, 19 minutes ago
Description : Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw that camera's client service does not perform certificate validation. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52599 - Inadequate account permissions management
CVE ID : CVE-2025-52599
Published : Dec. 26, 2025, 4:12 a.m. | 1 hour, 14 minutes ago
Description : Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered Inadequate of permission management for camera guest account. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52599
Published : Dec. 26, 2025, 4:12 a.m. | 1 hour, 14 minutes ago
Description : Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered Inadequate of permission management for camera guest account. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68946 - Gitea JavaScript URL Scheme XSS Vulnerability
CVE ID : CVE-2025-68946
Published : Dec. 26, 2025, 4:14 a.m. | 1 hour, 13 minutes ago
Description : In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68946
Published : Dec. 26, 2025, 4:14 a.m. | 1 hour, 13 minutes ago
Description : In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15099 - simstudioai sim CRON Secret internal.ts improper authentication
CVE ID : CVE-2025-15099
Published : Dec. 26, 2025, 4:15 a.m. | 1 hour, 11 minutes ago
Description : A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15099
Published : Dec. 26, 2025, 4:15 a.m. | 1 hour, 11 minutes ago
Description : A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68943 - Gitea Information Disclosure Vulnerability
CVE ID : CVE-2025-68943
Published : Dec. 26, 2025, 4:15 a.m. | 1 hour, 11 minutes ago
Description : Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68943
Published : Dec. 26, 2025, 4:15 a.m. | 1 hour, 11 minutes ago
Description : Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68944 - Gitea Token Scope Mishandle Vulnerability
CVE ID : CVE-2025-68944
Published : Dec. 26, 2025, 4:15 a.m. | 1 hour, 11 minutes ago
Description : Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68944
Published : Dec. 26, 2025, 4:15 a.m. | 1 hour, 11 minutes ago
Description : Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...