🚨 CVE-2025-11505
A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. Impacted is an unknown function of the file /admin/new-appointment.php. The manipulation of the argument delid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
🎖@cveNotify
A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. Impacted is an unknown function of the file /admin/new-appointment.php. The manipulation of the argument delid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
🎖@cveNotify
GitHub
phpgurukul Beauty Parlour Management System Project V1.1 /admin/new-appointment.php SQL injection · Issue #10 · f000x0/cve
NAME OF AFFECTED PRODUCT(S) Beauty Parlour Management System Vendor Homepage https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ AFFECTED AND/OR FIXED VERSION(S) submitter ...
🚨 CVE-2025-11508
A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
🔥1
🚨 CVE-2024-12687
Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.
This issue affects PlexTrac: from 1.61.3 before 2.8.1.
🎖@cveNotify
Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.
This issue affects PlexTrac: from 1.61.3 before 2.8.1.
🎖@cveNotify
Plextrac
Security Advisories | PlexTrac Documentation
🚨 CVE-2024-56378
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
🎖@cveNotify
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
🎖@cveNotify
GitLab
CMakeLists.txt · 30eada0d2bceb42c2d2a87361339063e0b9bea50 · poppler / poppler · GitLab
freedesktop.org GitLab login
🚨 CVE-2024-50660
File Upload Bypass was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality
🎖@cveNotify
File Upload Bypass was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality
🎖@cveNotify
Adportal
adportal.com - This website is for sale! - adportal Resources and Information.
This website is for sale! adportal.com is your first and best source for information about adportal. Here you will also find topics relating to issues of general interest. We hope you find what you are looking for!
🚨 CVE-2025-34172
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
🎖@cveNotify
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
🎖@cveNotify
GitHub
Validate haproxy stat areas. Fixes #16411 · pfsense/FreeBSD-ports@04d1328
FreeBSD ports tree with pfSense changes. Contribute to pfsense/FreeBSD-ports development by creating an account on GitHub.
🚨 CVE-2025-34174
In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
🎖@cveNotify
In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
🎖@cveNotify
GitHub
Status_Traffic_Totals input validation. Fixes #16413 · pfsense/FreeBSD-ports@9e412ed
FreeBSD ports tree with pfSense changes. Contribute to pfsense/FreeBSD-ports development by creating an account on GitHub.
🚨 CVE-2025-34175
In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.
🎖@cveNotify
In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.
🎖@cveNotify
GitHub
Suricata: Fix various validation and encoding issues. Fixes #16414 · pfsense/FreeBSD-ports@97852cc
- Fix handling of files/hashes on suricata_filecheck.php
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
🚨 CVE-2025-34177
In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
🎖@cveNotify
In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
🎖@cveNotify
GitHub
Suricata: Fix various validation and encoding issues. Fixes #16414 · pfsense/FreeBSD-ports@97852cc
- Fix handling of files/hashes on suricata_filecheck.php
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
🚨 CVE-2025-34178
In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
🎖@cveNotify
In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
🎖@cveNotify
GitHub
Suricata: Fix various validation and encoding issues. Fixes #16414 · pfsense/FreeBSD-ports@97852cc
- Fix handling of files/hashes on suricata_filecheck.php
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
- Ensure suricata_ip_reputation.php is checking the proper path to iprep files
- Encode various outputs on suricata_flow_stream.php and
su...
🚨 CVE-2025-11071
A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
GitHub
Multiple SQL Injection Vulnerabilities in SeaCMS v13.3.20250820 · Issue #93 · Hebing123/cve
Summary SeaCMS v13.3.20250820 contains multiple SQL injection vulnerabilities in the admin panel's cron task management module (admin_cron.php). Details Root Causes Direct SQL Concatenation: Us...
🚨 CVE-2025-11138
A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
🎖@cveNotify
A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
🎖@cveNotify
GitHub
wenkucms V3.4 Background Remote Code Execution (RCE) · Issue #1 · electroN1chahaha/wenkucms-RCE
The environment setup is omitted. This vulnerability can only be exploited with an administrator account. You can download the source code in https://gitee.com/mirweiye/wenkucms/ Vulnerability Anal...
🚨 CVE-2024-44542
SQL Injection vulnerability in todesk v.1.1 allows a remote attacker to execute arbitrary code via the /todesk.com/news.html parameter.
🎖@cveNotify
SQL Injection vulnerability in todesk v.1.1 allows a remote attacker to execute arbitrary code via the /todesk.com/news.html parameter.
🎖@cveNotify
GitHub
GitHub - sshipanoo/CVE-2024-44542
Contribute to sshipanoo/CVE-2024-44542 development by creating an account on GitHub.
🚨 CVE-2025-0399
A vulnerability was found in StarSea99 starsea-mall 1.0. It has been declared as critical. This vulnerability affects the function UploadController of the file src/main/java/com/siro/mall/controller/common/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability was found in StarSea99 starsea-mall 1.0. It has been declared as critical. This vulnerability affects the function UploadController of the file src/main/java/com/siro/mall/controller/common/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
GitHub
2 · Issue #3 · StarSea99/starsea-mall
基于springboot +thymeleaf 的小米商城管理系统. Contribute to StarSea99/starsea-mall development by creating an account on GitHub.
🚨 CVE-2025-0400
A vulnerability was found in StarSea99 starsea-mall 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/categories/update. The manipulation of the argument categoryName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability was found in StarSea99 starsea-mall 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/categories/update. The manipulation of the argument categoryName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
GitHub
4 · Issue #5 · StarSea99/starsea-mall
基于springboot +thymeleaf 的小米商城管理系统. Contribute to StarSea99/starsea-mall development by creating an account on GitHub.
🚨 CVE-2025-0698
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been classified as critical. Affected is an unknown function of the file /admin/sys/menu/list. The manipulation of the argument sort/order leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
🎖@cveNotify
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been classified as critical. Affected is an unknown function of the file /admin/sys/menu/list. The manipulation of the argument sort/order leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
🎖@cveNotify
GitHub
1 · Issue #19 · JoeyBling/bootplus
基于SpringBoot + Shiro + MyBatisPlus的权限管理框架. Contribute to JoeyBling/bootplus development by creating an account on GitHub.
🚨 CVE-2025-0699
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/sys/role/list. The manipulation of the argument sort leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
🎖@cveNotify
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/sys/role/list. The manipulation of the argument sort leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
🎖@cveNotify
GitHub
3 · Issue #21 · JoeyBling/bootplus
基于SpringBoot + Shiro + MyBatisPlus的权限管理框架. Contribute to JoeyBling/bootplus development by creating an account on GitHub.
🚨 CVE-2025-0700
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/sys/log/list. The manipulation of the argument logId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.
🎖@cveNotify
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/sys/log/list. The manipulation of the argument logId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.
🎖@cveNotify
GitHub
4 · Issue #22 · JoeyBling/bootplus
基于SpringBoot + Shiro + MyBatisPlus的权限管理框架. Contribute to JoeyBling/bootplus development by creating an account on GitHub.
🚨 CVE-2024-5413
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/scheduled.php, all parameters. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
🎖@cveNotify
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/scheduled.php, all parameters. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
🎖@cveNotify
www.incibe.es
Cross-Site Scripting Vulnerability in phpMyBackupPro
INCIBE has coordinated the publication of 3 high severity vulnerabilities affecting phpMyBackupPro, ve
🚨 CVE-2024-5414
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/get_file.php, 'view' parameter. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
🎖@cveNotify
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/get_file.php, 'view' parameter. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
🎖@cveNotify
www.incibe.es
Cross-Site Scripting Vulnerability in phpMyBackupPro
INCIBE has coordinated the publication of 3 high severity vulnerabilities affecting phpMyBackupPro, ve
🚨 CVE-2024-5415
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/backup.php, 'comments' and 'db' parameters. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
🎖@cveNotify
A vulnerability have been discovered in PhpMyBackupPro affecting version 2.3 that could allow an attacker to execute XSS through /phpmybackuppro/backup.php, 'comments' and 'db' parameters. This vulnerabilities could allow an attacker to create a specially crafted URL and send it to a victim to retrieve their session details.
🎖@cveNotify
www.incibe.es
Cross-Site Scripting Vulnerability in phpMyBackupPro
INCIBE has coordinated the publication of 3 high severity vulnerabilities affecting phpMyBackupPro, ve