๐จ CVE-2025-10148
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
๐@cveNotify
curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.
๐@cveNotify
๐จ CVE-2025-10291
A weakness has been identified in linlinjava litemall up to 1.8.0. This affects the function WxAftersaleController of the file /wx/aftersale/cancel. Executing manipulation of the argument ID can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A weakness has been identified in linlinjava litemall up to 1.8.0. This affects the function WxAftersaleController of the file /wx/aftersale/cancel. Executing manipulation of the argument ID can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
๐จ CVE-2025-1250
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request descriptions, or notes.
๐@cveNotify
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request descriptions, or notes.
๐@cveNotify
โค1
๐จ CVE-2025-2256
An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large SAML responses.
๐@cveNotify
An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large SAML responses.
๐@cveNotify
โค1
๐จ CVE-2025-3650
The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.
๐@cveNotify
The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.
๐@cveNotify
WPScan
jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS
See details on jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS CVE 2025-3650. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2025-58781
WTW-EAGLE App does not properly validate server certificates, which may allow a man-in-the-middle attacker to monitor encrypted traffic.
๐@cveNotify
WTW-EAGLE App does not properly validate server certificates, which may allow a man-in-the-middle attacker to monitor encrypted traffic.
๐@cveNotify
Appย Store
WTW-EAGLE
WTW-EAGLE-24ๆ้ใฎใขใใคใซใชใขใผใใใใช็ฃ่ฆใฏใฉใคใขใณใใ
ใคใณใฟใผใใงใคในใฎในใฟใคใซใฏใ็ฐกๆฝใใคใใกใใทใงใใใซใงใ่คๆฐใฎใใฌใใฅใผใใฉใผใ ใใชใขใซใฟใคใ ใใฌใใฅใผใใใชในใใชใผใ ใQRใณใผใในใญใฃใณใPTZใณใณใใญใผใซใใใใชใญใฃใใใฃใใใใชไฟๅญใชใฉ...่ฉณ็ดฐ
ๆฉ่ฝๆงใใใชใใ่ฆใคใใใฎใๅพ ใฃใฆใใใใซใใใใใฆใณใญใผใ๏ผ
ใคใณใฟใผใใงใคในใฎในใฟใคใซใฏใ็ฐกๆฝใใคใใกใใทใงใใใซใงใ่คๆฐใฎใใฌใใฅใผใใฉใผใ ใใชใขใซใฟใคใ ใใฌใใฅใผใใใชในใใชใผใ ใQRใณใผใในใญใฃใณใPTZใณใณใใญใผใซใใใใชใญใฃใใใฃใใใใชไฟๅญใชใฉ...่ฉณ็ดฐ
ๆฉ่ฝๆงใใใชใใ่ฆใคใใใฎใๅพ ใฃใฆใใใใซใใใใใฆใณใญใผใ๏ผ
๐จ CVE-2023-5989
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies' LioXERP allows an authenticated user to execute Stored XSS.
This issue affects LioXERP: before v.146.
๐@cveNotify
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies' LioXERP allows an authenticated user to execute Stored XSS.
This issue affects LioXERP: before v.146.
๐@cveNotify
๐จ CVE-2024-1272
Inclusion of Sensitive Information in Source Code vulnerability in TNB Mobile Solutions Cockpit Software allows Retrieve Embedded Sensitive Data.This issue affects Cockpit Software: before v0.251.1.
๐@cveNotify
Inclusion of Sensitive Information in Source Code vulnerability in TNB Mobile Solutions Cockpit Software allows Retrieve Embedded Sensitive Data.This issue affects Cockpit Software: before v0.251.1.
๐@cveNotify
๐จ CVE-2024-1662
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data.This issue affects PowerBank Application: before 2.02.
๐@cveNotify
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data.This issue affects PowerBank Application: before 2.02.
๐@cveNotify
๐จ CVE-2024-1107
Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.
๐@cveNotify
Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.
๐@cveNotify
๐จ CVE-2024-1153
Improper Access Control vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.
๐@cveNotify
Improper Access Control vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.
๐@cveNotify
๐จ CVE-2024-4341
Improper Privilege Management vulnerability in Ekstrem Bir Bilgisayar Danismanlik Ic Ve Dis Ticaret Ltd. Sti. Extreme XDS allows Collect Data as Provided by Users.This issue affects Extreme XDS: before 3928.
๐@cveNotify
Improper Privilege Management vulnerability in Ekstrem Bir Bilgisayar Danismanlik Ic Ve Dis Ticaret Ltd. Sti. Extreme XDS allows Collect Data as Provided by Users.This issue affects Extreme XDS: before 3928.
๐@cveNotify
๐ฅ1
๐จ CVE-2024-12604
Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025.
๐@cveNotify
Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025.
๐@cveNotify
Tapandsign
Tap&Sign V.1.025 Sรผrรผm Notlarฤฑ | Tap&Sign Resmi Dokรผmantasyon
๐จ CVE-2025-1301
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yordam Informatics Library Automation System allows Reflected XSS.This issue affects Library Automation System: before 21.6.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yordam Informatics Library Automation System allows Reflected XSS.This issue affects Library Automation System: before 21.6.
๐@cveNotify
๐จ CVE-2025-2421
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection.This issue affects SambaBox: before 5.1.
๐@cveNotify
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection.This issue affects SambaBox: before 5.1.
๐@cveNotify
SambaBox
SambaBox v5.1 - SambaBox
SambaBox 5.1 has been released, delivering powerful new features and enhancements to boost performance, security, and flexibility.
๐จ CVE-2025-2488
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Profelis Informatics SambaBox allows Cross-Site Scripting (XSS).This issue affects SambaBox: before 5.1.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Profelis Informatics SambaBox allows Cross-Site Scripting (XSS).This issue affects SambaBox: before 5.1.
๐@cveNotify
SambaBox
SambaBox v5.1 - SambaBox
SambaBox 5.1 has been released, delivering powerful new features and enhancements to boost performance, security, and flexibility.
๐จ CVE-2025-21042
Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code.
๐@cveNotify
Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code.
๐@cveNotify
๐ฅ1
๐จ CVE-2025-21043
Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.
๐@cveNotify
Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.
๐@cveNotify
๐ฅ1
๐จ CVE-2023-6436
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215.
๐@cveNotify
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215.
๐@cveNotify
๐จ CVE-2025-10264
Certain models of NVR developed by Digiever has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remoter attackers to access the system configuration file and obtain plaintext credentials of the NVR and its connected cameras.
๐@cveNotify
Certain models of NVR developed by Digiever has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remoter attackers to access the system configuration file and obtain plaintext credentials of the NVR and its connected cameras.
๐@cveNotify
๐จ CVE-2025-7448
Wi-SUN unexpected 4- Way Handshake packet receptions may lead to predictable keys and potentially leading to Man in the middle (MitM) attack
๐@cveNotify
Wi-SUN unexpected 4- Way Handshake packet receptions may lead to predictable keys and potentially leading to Man in the middle (MitM) attack
๐@cveNotify