๐จ CVE-2025-11438
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue.
๐@cveNotify
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue.
๐@cveNotify
Google Docs
OpnFormv1.9.3_Vulnerability_Findings
OpnForm v1.9.3 Vulnerability Findings Reporter: balejin Date: September 25, 2025 Table of Contents Table of Contents
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
๐จ CVE-2025-11439
A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue.
๐@cveNotify
A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue.
๐@cveNotify
Google Docs
OpnFormv1.9.3_Vulnerability_Findings
OpnForm v1.9.3 Vulnerability Findings Reporter: balejin Date: September 25, 2025 Table of Contents Table of Contents
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
๐จ CVE-2025-11440
A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue.
๐@cveNotify
A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue.
๐@cveNotify
Google Docs
OpnFormv1.9.3_Vulnerability_Findings
OpnForm v1.9.3 Vulnerability Findings Reporter: balejin Date: September 25, 2025 Table of Contents Table of Contents
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
๐จ CVE-2025-11441
A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue.
๐@cveNotify
A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue.
๐@cveNotify
Google Docs
OpnFormv1.9.3_Vulnerability_Findings
OpnForm v1.9.3 Vulnerability Findings Reporter: balejin Date: September 25, 2025 Table of Contents Table of Contents
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
๐จ CVE-2025-48464
Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victimโs Sync account data such as account credentials and email protection information.
๐@cveNotify
Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victimโs Sync account data such as account credentials and email protection information.
๐@cveNotify
Tux-plorer Blog
Don't Leave Me Outdated!
We frequently receive operating system (OS) updates on our devices. While these updates can be annoying and often involving only minor changes or introducing of new features, others are critical security patches (CVE-2025-48464).
๐จ CVE-2025-11442
A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access.
๐@cveNotify
A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access.
๐@cveNotify
Google Docs
OpnFormv1.9.3_Vulnerability_Findings
OpnForm v1.9.3 Vulnerability Findings Reporter: balejin Date: September 25, 2025 Table of Contents Table of Contents
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
๐จ CVE-2025-11443
A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken.
๐@cveNotify
A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken.
๐@cveNotify
Google Docs
OpnFormv1.9.3_Vulnerability_Findings
OpnForm v1.9.3 Vulnerability Findings Reporter: balejin Date: September 25, 2025 Table of Contents Table of Contents
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
2 Technical Findings
3 Unauthenticated Stored XSS on Form Text Input
3 Unrestricted File Uploadโฆ
๐จ CVE-2025-11444
A security vulnerability has been detected in TOTOLINK N600R up to 4.3.0cu.7866_B20220506. This impacts the function setWiFiBasicConfig of the file /cgi-bin/cstecgi.cgi of the component HTTP Request Handler. Such manipulation of the argument wepkey leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
A security vulnerability has been detected in TOTOLINK N600R up to 4.3.0cu.7866_B20220506. This impacts the function setWiFiBasicConfig of the file /cgi-bin/cstecgi.cgi of the component HTTP Request Handler. Such manipulation of the argument wepkey leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
GitHub
BinaryAudit/PoC/BOF/TOTOLINK/wepkey/wepkey.md at main ยท z472421519/BinaryAudit
Contribute to z472421519/BinaryAudit development by creating an account on GitHub.
๐จ CVE-2023-5347
An Improper Verification of Cryptographic Signature vulnerability in the update process of Korenix JetNet Series allows replacing the whole operating system including Trusted Executables. This issue affects JetNet devices older than firmware version 2024/01.
๐@cveNotify
An Improper Verification of Cryptographic Signature vulnerability in the update process of Korenix JetNet Series allows replacing the whole operating system including Trusted Executables. This issue affects JetNet devices older than firmware version 2024/01.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2025-11445
A vulnerability was detected in Kilo Code up to 4.86.0. Affected is the function ClineProvider of the file src/core/webview/ClineProvider.ts of the component Prompt Handler. Performing manipulation results in injection. The attack can be initiated remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue.
๐@cveNotify
A vulnerability was detected in Kilo Code up to 4.86.0. Affected is the function ClineProvider of the file src/core/webview/ClineProvider.ts of the component Prompt Handler. Performing manipulation results in injection. The attack can be initiated remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue.
๐@cveNotify
GitHub
Prevent writing to files outside workspace by default to enhance security by hassoncs ยท Pull Request #2244 ยท Kilo-Org/kilocode
The alwaysAllowWriteOutsideWorkspace flag in ClineProvider was set to true by default, allowing Kilo Code to write to arbitrary files outside the workspace. This change sets it to false by default,...
๐จ CVE-2023-5376
An Improper Authentication vulnerability in Korenix JetNet TFTP allows abuse of this service. This issue affects JetNet devices older than firmware version 2024/01.
๐@cveNotify
An Improper Authentication vulnerability in Korenix JetNet TFTP allows abuse of this service. This issue affects JetNet devices older than firmware version 2024/01.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2024-5411
Missing input validation and OS command integration of the input in the ORing IAP-420 web-interface allows authenticated command injection.This issue affects IAP-420 version 2.01e and below.
๐@cveNotify
Missing input validation and OS command integration of the input in the ORing IAP-420 web-interface allows authenticated command injection.This issue affects IAP-420 version 2.01e and below.
๐@cveNotify
seclists.org
Full Disclosure: CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420
๐จ CVE-2024-5420
Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.
๐@cveNotify
Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.
๐@cveNotify
seclists.org
Full Disclosure: CyberDanube Security Research 20240604-0 | Multiple Vulnerabilities in utnserver Pro/ProMAX/INU-100
๐จ CVE-2024-55544
Missing input validation in the ORing IAP-420 web-interface allows authenticated Command Injections on OS level.This issue affects IAP-420 version 2.01e and below.
๐@cveNotify
Missing input validation in the ORing IAP-420 web-interface allows authenticated Command Injections on OS level.This issue affects IAP-420 version 2.01e and below.
๐@cveNotify
CyberDanube
St. Pรถlten UAS | Multiple Vulnerabilities in ORing IAP | CyberDanube
The Oring IAP-420 is prone to multiple vulnerabilities. This allows an attacker to exploit weaknesses such as authenticated command injection, cross-site scripting, remote command execution and denial of service to gain unauthorized control, compromise userโฆ
๐จ CVE-2025-4646
Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
๐@cveNotify
Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
๐@cveNotify
GitHub
Releases ยท centreon/centreon
Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge. - centreon/centreon
๐จ CVE-2025-4648
The content of a SVG file, received as input
in Centreon web, was not properly checked. Allows Reflected XSS.
A user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.
This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
๐@cveNotify
The content of a SVG file, received as input
in Centreon web, was not properly checked. Allows Reflected XSS.
A user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.
This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
๐@cveNotify
GitHub
Releases ยท centreon/centreon
Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge. - centreon/centreon
๐จ CVE-2025-4975
When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device.
๐@cveNotify
When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device.
๐@cveNotify
Google Play
TP-Link Tapo - Apps on Google Play
Control your Tapo smart devices from anywhere.
๐จ CVE-2025-11469
A weakness has been identified in SourceCodester Hotel and Lodge Management System 1.0. The affected element is an unknown function of the file /pages/save_customer.php. Executing manipulation of the argument Contact can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
๐@cveNotify
A weakness has been identified in SourceCodester Hotel and Lodge Management System 1.0. The affected element is an unknown function of the file /pages/save_customer.php. Executing manipulation of the argument Contact can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
๐@cveNotify
GitHub
sourcecodester Hotel and Lodge Management System using PHP with Source Code V1.0 /pages/save_customer.php SQL injection ยท Issueโฆ
sourcecodester Hotel and Lodge Management System using PHP with Source Code V1.0 /pages/save_customer.php SQL injection NAME OF AFFECTED PRODUCT(S) Hotel and Lodge Management System using PHP Vendo...
๐จ CVE-2025-11470
A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
GitHub
File Upload vulnerability from sourcecodester Hotel and Lodge Management System using PHP with Source Code V1.0 /manage_website.phpโฆ
File Upload vulnerability from sourcecodester Hotel and Lodge Management System using PHP with Source Code V1.0 /manage_website.php A vulnerability, which was classified as critical, was found in s...
๐จ CVE-2025-3450
An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker to delete data causing denial of service conditions.
๐@cveNotify
An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker to delete data causing denial of service conditions.
๐@cveNotify
๐จ CVE-2025-10351
SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter in the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint.
๐@cveNotify
SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter in the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint.
๐@cveNotify
www.incibe.es
Multiple vulnerabilities in Melis Platform
INCIBE has coordinated the publication of three critical vulnerabilities affecting Melis Technology's