๐จ CVE-2025-58210
Missing Authorization vulnerability in ThemeMove Makeaholic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Makeaholic: from n/a through 1.8.5.
๐@cveNotify
Missing Authorization vulnerability in ThemeMove Makeaholic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Makeaholic: from n/a through 1.8.5.
๐@cveNotify
Patchstack
WordPress Makeaholic Theme <= 1.8.5 - Broken Access Control Vulnerability - Patchstack
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-8663
Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.0.0 before 5.2.12.
๐@cveNotify
Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.0.0 before 5.2.12.
๐@cveNotify
upKeeper Support
CVE-2025-8663 Insertion of Sensitive Information into Log File
Severity: High (7.0-8.9)CVE ID: CVE-2025-8663DetailsThis advisory address a vulnerability where users of the administration web or administration API can get sensitive information from the event hi...
๐จ CVE-2025-9378
The Vayu Blocks โ Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
The Vayu Blocks โ Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
๐ฅ1
๐จ CVE-2024-5657
The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.
๐@cveNotify
The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.
๐@cveNotify
๐จ CVE-2024-51941
A remote code injection vulnerability exists in the Ambari Metrics and
AMS Alerts feature, allowing authenticated users to inject and execute
arbitrary code. The vulnerability occurs when processing alert
definitions, where malicious input can be injected into the alert script
execution path. An attacker with authenticated access can exploit this
vulnerability to execute arbitrary commands on the server. The issue has
been fixed in the latest versions of Ambari.
๐@cveNotify
A remote code injection vulnerability exists in the Ambari Metrics and
AMS Alerts feature, allowing authenticated users to inject and execute
arbitrary code. The vulnerability occurs when processing alert
definitions, where malicious input can be injected into the alert script
execution path. An attacker with authenticated access can exploit this
vulnerability to execute arbitrary commands on the server. The issue has
been fixed in the latest versions of Ambari.
๐@cveNotify
๐จ CVE-2025-53882
A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to sent SIGHUP to arbitrary processes. This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.
๐@cveNotify
A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to sent SIGHUP to arbitrary processes. This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.
๐@cveNotify
๐จ CVE-2025-46809
A Plaintext Storage of a Password vulnerability in SUSE exposes the credentials for the HTTP proxy in the log files. This issue affects Container suse/manager/4.3/proxy-httpd:4.3.16.9.67.1: from ? before 4.3.33-150400.3.55.2; Container suse/manager/5.0/x86_64/proxy-httpd:5.0.5.7.23.1: from ? before 5.0.14-150600.4.17.1; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Image SLES15-SP4-Manager-Proxy-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; SUSE Manager Proxy Module 4.3: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2.
๐@cveNotify
A Plaintext Storage of a Password vulnerability in SUSE exposes the credentials for the HTTP proxy in the log files. This issue affects Container suse/manager/4.3/proxy-httpd:4.3.16.9.67.1: from ? before 4.3.33-150400.3.55.2; Container suse/manager/5.0/x86_64/proxy-httpd:5.0.5.7.23.1: from ? before 5.0.14-150600.4.17.1; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Image SLES15-SP4-Manager-Proxy-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; SUSE Manager Proxy Module 4.3: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2.
๐@cveNotify
๐จ CVE-2025-9817
SSH dissector crash in Wireshark 4.4.0 to 4.4.8 allows denial of service
๐@cveNotify
SSH dissector crash in Wireshark 4.4.0 to 4.4.8 allows denial of service
๐@cveNotify
GitLab
Fuzz job crash: fuzz-2025-07-26-10818768582.pcap (#20642) ยท Issues ยท Wireshark Foundation / Wireshark ยท GitLab
Problems have been found with the following capture file: https://www.wireshark.org/download/automated/captures/fuzz-2025-07-26-10818768582.pcap.gz stderr:
๐ฅ1
๐จ CVE-2014-125127
The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.
๐@cveNotify
The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application needs it. An attacker can exploit this by sending requests with large payloads, causing excessive memory consumption and potentially exhausting available server memory, leading to application crashes or service unavailability. The vulnerability was fixed in v1.2 by implementing lazy loading of request bodies.
๐@cveNotify
GitHub
Vulnerabilities-Proofs-of-Concept/2014/CVE-2014-125127 at main ยท Checkmarx/Vulnerabilities-Proofs-of-Concept
Contribute to Checkmarx/Vulnerabilities-Proofs-of-Concept development by creating an account on GitHub.
๐จ CVE-2024-13063
Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft MyRezzta allows Forceful Browsing.This issue affects MyRezzta: from s2.02.02 before v2.05.01.
๐@cveNotify
Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft MyRezzta allows Forceful Browsing.This issue affects MyRezzta: from s2.02.02 before v2.05.01.
๐@cveNotify
๐จ CVE-2024-13064
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Akinsoft MyRezzta allows Cross-Site Scripting (XSS).This issue affects MyRezzta: from s2.02.02 before v2.05.01.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Akinsoft MyRezzta allows Cross-Site Scripting (XSS).This issue affects MyRezzta: from s2.02.02 before v2.05.01.
๐@cveNotify
๐จ CVE-2024-13065
Improper Enforcement of Behavioral Workflow, Uncontrolled Resource Consumption vulnerability in Akinsoft MyRezzta allows Input Data Manipulation, CAPEC - 125 - Flooding.This issue affects MyRezzta: from s2.02.02 before v2.05.01.
๐@cveNotify
Improper Enforcement of Behavioral Workflow, Uncontrolled Resource Consumption vulnerability in Akinsoft MyRezzta allows Input Data Manipulation, CAPEC - 125 - Flooding.This issue affects MyRezzta: from s2.02.02 before v2.05.01.
๐@cveNotify
๐จ CVE-2024-43115
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
๐@cveNotify
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script.
This issue affects Apache DolphinScheduler: before 3.2.2.
Users are recommended to upgrade to version 3.3.1, which fixes the issue.
๐@cveNotify
โค1
๐จ CVE-2025-1740
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force.This issue affects MyRezzta: from s2.03.01 before v2.05.01.
๐@cveNotify
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force.This issue affects MyRezzta: from s2.03.01 before v2.05.01.
๐@cveNotify
๐จ CVE-2024-27286
Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message. If the user chose to just move one message, and was moving it from a public stream to a private stream, Zulip would successfully move the message, -- but active users who did not have access to the private stream, but whose client had already received the message, would continue to see the message in the public stream until they reloaded their client. Additionally, Zulip did not remove view permissions on the message from recently-active users, allowing the message to show up in the "All messages" view or in search results, but not in "Inbox" or "Recent conversations" views. While the bug has been present since moving messages between streams was first introduced in version 3.0, this option became much more common starting in Zulip 8.0, when the default option in the picker for moving the very last message in a conversation was changed. This issue is fixed in Zulip Server 8.3. No known workarounds are available.
๐@cveNotify
Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message. If the user chose to just move one message, and was moving it from a public stream to a private stream, Zulip would successfully move the message, -- but active users who did not have access to the private stream, but whose client had already received the message, would continue to see the message in the public stream until they reloaded their client. Additionally, Zulip did not remove view permissions on the message from recently-active users, allowing the message to show up in the "All messages" view or in search results, but not in "Inbox" or "Recent conversations" views. While the bug has been present since moving messages between streams was first introduced in version 3.0, this option became much more common starting in Zulip 8.0, when the default option in the picker for moving the very last message in a conversation was changed. This issue is fixed in Zulip Server 8.3. No known workarounds are available.
๐@cveNotify
GitHub
CVE-2024-27286: Delete dangling UserMessage rows. ยท zulip/zulip@3db1733
This cleans up dangling UserMessage rows for moved messages which were
affected by bugs in one of the previous two commits.
affected by bugs in one of the previous two commits.
๐จ CVE-2025-8191
A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
๐@cveNotify
A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
๐@cveNotify
GitHub
macrozheng/mall
mall้กน็ฎๆฏไธๅฅ็ตๅ็ณป็ป๏ผๅ
ๆฌๅๅฐๅๅ็ณป็ปๅๅๅฐ็ฎก็็ณป็ป๏ผๅบไบSpring Boot+MyBatisๅฎ็ฐ๏ผ้็จDockerๅฎนๅจๅ้จ็ฝฒใ ๅๅฐๅๅ็ณป็ปๅ
ๅซ้ฆ้กต้จๆทใๅๅๆจ่ใๅๅๆ็ดขใๅๅๅฑ็คบใ่ดญ็ฉ่ฝฆใ่ฎขๅๆต็จใไผๅไธญๅฟใๅฎขๆทๆๅกใๅธฎๅฉไธญๅฟ็ญๆจกๅใ ๅๅฐ็ฎก็็ณป็ปๅ
ๅซๅๅ็ฎก็ใ่ฎขๅ็ฎก็ใไผๅ็ฎก็ใไฟ้็ฎก็ใ่ฟ่ฅ็ฎก็ใๅ
ๅฎน็ฎก็ใ็ป่ฎกๆฅ่กจใ่ดขๅก็ฎก็ใๆ้็ฎก็ใ่ฎพ็ฝฎ็ญๆจกๅใ - macrozheng...
๐จ CVE-2025-8343
A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
GitHub
Path Traversal Vulnerability in ShStaticFileAPI ยท Issue #1028 ยท openviglet/shio
Path Traversal Vulnerability in ShStaticFileAPI Dear Shio Project Maintainers, I hope this message finds you well. I am writing to report a security vulnerability that I have identified in the Shio...
๐จ CVE-2025-25006
Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
๐@cveNotify
Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
๐@cveNotify
๐จ CVE-2025-25007
Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
๐@cveNotify
Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
๐@cveNotify
๐จ CVE-2025-33051
Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network.
๐@cveNotify
Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network.
๐@cveNotify
๐จ CVE-2025-8701
A vulnerability was found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /OL_OprationLog/GetPageList. The manipulation of the argument optUser leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
A vulnerability was found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /OL_OprationLog/GetPageList. The manipulation of the argument optUser leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
GitHub
cve_vul1 ยท Issue #1 ยท si12/xxx
WOES Intelligent Optimization Energy-saving System - GetPageList Interface - SQL Injection function location: The parameters 'optUser' and 'Department' have injection points, which ...