๐จ CVE-2025-4819
A vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Affected is an unknown function of the file /monitor/online/batchForceLogout of the component Offline Logout. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
๐@cveNotify
A vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Affected is an unknown function of the file /monitor/online/batchForceLogout of the component Offline Logout. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
๐@cveNotify
GitHub
Ruoyi-v4.8.0 has an unauthorized offline vulnerability ยท Issue #4 ยท chujianxin0101/vuln
Vulnerability Author cds Vulnerability Description Ruoyi-v4.8.0 has an unauthorized offline vulnerability Vulnerability Type ultra vires Product Vendor https://gitee.com/y_project/RuoYi Affected Pr...
๐จ CVE-2025-5879
A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
Arbitrary File Upload vulnerability in WukongCRM-9.0-JAVA allows leads to Stored Cross-Site Scripting via ยท Issue #7 ยท Aiyakami/CVEโฆ
Arbitrary File Upload vulnerability in WukongCRM-9.0-JAVA allows leads to Stored Cross-Site Scripting via NAME OF AFFECTED PRODUCT(S) WukongCRM Vendor Homepage https://github.com/WukongSoftware AFF...
๐จ CVE-2025-6106
A vulnerability was found in WuKongOpenSource WukongCRM 9.0 and classified as problematic. This issue affects some unknown processing of the file AdminRoleController.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was found in WuKongOpenSource WukongCRM 9.0 and classified as problematic. This issue affects some unknown processing of the file AdminRoleController.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
WukongCRM v9.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/role/relatedUser. ยท Issue #2 ยท luokuang1/CVE
WukongCRM v9.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/role/relatedUser. NAME OF AFFECTED PRODUCT(S) WukongCRM Vendor Homepage https://github.com/WuKongOpenSource/Wuk...
๐จ CVE-2025-10384
A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
๐จ CVE-2025-23348
NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
๐@cveNotify
NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
๐@cveNotify
๐จ CVE-2025-23349
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
๐@cveNotify
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.
๐@cveNotify
๐จ CVE-2025-23353
NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, Information disclosure, and data tampering.
๐@cveNotify
NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, Information disclosure, and data tampering.
๐@cveNotify
๐จ CVE-2025-23354
NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, Information disclosure, and data tampering.
๐@cveNotify
NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, Information disclosure, and data tampering.
๐@cveNotify
๐จ CVE-2025-11503
A vulnerability was determined in PHPGurukul Beauty Parlour Management System 1.1. This issue affects some unknown processing of the file /admin/manage-services.php. Executing manipulation of the argument delid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
๐@cveNotify
A vulnerability was determined in PHPGurukul Beauty Parlour Management System 1.1. This issue affects some unknown processing of the file /admin/manage-services.php. Executing manipulation of the argument delid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
๐@cveNotify
GitHub
phpgurukul Beauty Parlour Management System Project V1.1 /admin/manage-services.php SQL injection ยท Issue #9 ยท f000x0/cve
NAME OF AFFECTED PRODUCT(S) Beauty Parlour Management System Vendor Homepage https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ AFFECTED AND/OR FIXED VERSION(S) submitter ...
๐จ CVE-2025-11505
A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. Impacted is an unknown function of the file /admin/new-appointment.php. The manipulation of the argument delid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
๐@cveNotify
A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. Impacted is an unknown function of the file /admin/new-appointment.php. The manipulation of the argument delid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
๐@cveNotify
GitHub
phpgurukul Beauty Parlour Management System Project V1.1 /admin/new-appointment.php SQL injection ยท Issue #10 ยท f000x0/cve
NAME OF AFFECTED PRODUCT(S) Beauty Parlour Management System Vendor Homepage https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ AFFECTED AND/OR FIXED VERSION(S) submitter ...
๐จ CVE-2025-11508
A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
๐ฅ1
๐จ CVE-2024-12687
Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.
This issue affects PlexTrac: from 1.61.3 before 2.8.1.
๐@cveNotify
Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.
This issue affects PlexTrac: from 1.61.3 before 2.8.1.
๐@cveNotify
Plextrac
Security Advisories | PlexTrac Documentation
๐จ CVE-2024-56378
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
๐@cveNotify
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
๐@cveNotify
GitLab
CMakeLists.txt ยท 30eada0d2bceb42c2d2a87361339063e0b9bea50 ยท poppler / poppler ยท GitLab
freedesktop.org GitLab login
๐จ CVE-2024-50660
File Upload Bypass was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality
๐@cveNotify
File Upload Bypass was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality
๐@cveNotify
Adportal
adportal.com - This website is for sale! - adportal Resources and Information.
This website is for sale! adportal.com is your first and best source for information about adportal. Here you will also find topics relating to issues of general interest. We hope you find what you are looking for!
๐จ CVE-2025-34172
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
๐@cveNotify
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
๐@cveNotify
GitHub
Validate haproxy stat areas. Fixes #16411 ยท pfsense/FreeBSD-ports@04d1328
FreeBSD ports tree with pfSense changes. Contribute to pfsense/FreeBSD-ports development by creating an account on GitHub.
๐จ CVE-2025-34174
In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
๐@cveNotify
In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
๐@cveNotify
GitHub
Status_Traffic_Totals input validation. Fixes #16413 ยท pfsense/FreeBSD-ports@9e412ed
FreeBSD ports tree with pfSense changes. Contribute to pfsense/FreeBSD-ports development by creating an account on GitHub.
๐จ CVE-2025-34175
In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.
๐@cveNotify
In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.
๐@cveNotify
GitHub
Suricata: Fix various validation and encoding issues. Fixes #16414 ยท pfsense/FreeBSD-ports@97852cc
- Fix handling of files/hashes on suricata_filecheck.php
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
๐จ CVE-2025-34177
In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
๐@cveNotify
In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
๐@cveNotify
GitHub
Suricata: Fix various validation and encoding issues. Fixes #16414 ยท pfsense/FreeBSD-ports@97852cc
- Fix handling of files/hashes on suricata_filecheck.php
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
๐จ CVE-2025-34178
In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
๐@cveNotify
In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
๐@cveNotify
GitHub
Suricata: Fix various validation and encoding issues. Fixes #16414 ยท pfsense/FreeBSD-ports@97852cc
- Fix handling of files/hashes on suricata_filecheck.php
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
๐จ CVE-2025-11071
A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
๐@cveNotify
GitHub
Multiple SQL Injection Vulnerabilities in SeaCMS v13.3.20250820 ยท Issue #93 ยท Hebing123/cve
Summary SeaCMS v13.3.20250820 contains multiple SQL injection vulnerabilities in the admin panel's cron task management module (admin_cron.php). Details Root Causes Direct SQL Concatenation: Us...
๐จ CVE-2025-11138
A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
๐@cveNotify
A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
๐@cveNotify
GitHub
wenkucms V3.4 Background Remote Code Execution (RCE) ยท Issue #1 ยท electroN1chahaha/wenkucms-RCE
The environment setup is omitted. This vulnerability can only be exploited with an administrator account. You can download the source code in https://gitee.com/mirweiye/wenkucms/ Vulnerability Anal...