๐จ CVE-2014-2377
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.
๐@cveNotify
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.
๐@cveNotify
๐ฅ1
๐จ CVE-2025-42901
SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.
๐@cveNotify
SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.
๐@cveNotify
๐จ CVE-2025-42902
Due to the memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, an unauthenticated attacker can send a corrupted SAP Logon Ticket or SAP Assertion Ticket to the SAP application server. This leads to a dereference of NULL which makes the work process crash. As a result, it has a low impact on the availability but no impact on the confidentiality and integrity.
๐@cveNotify
Due to the memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, an unauthenticated attacker can send a corrupted SAP Logon Ticket or SAP Assertion Ticket to the SAP application server. This leads to a dereference of NULL which makes the work process crash. As a result, it has a low impact on the availability but no impact on the confidentiality and integrity.
๐@cveNotify
๐จ CVE-2025-42903
A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability.
๐@cveNotify
A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability.
๐@cveNotify
๐จ CVE-2025-42906
SAP Commerce Cloud contains a path traversal vulnerability that may allow users to access web applications such as the Administration Console from addresses where the Administration Console is not explicitly deployed. This could potentially bypass configured access restrictions, resulting in a low impact on confidentiality, with no impact on the integrity or availability of the application.
๐@cveNotify
SAP Commerce Cloud contains a path traversal vulnerability that may allow users to access web applications such as the Administration Console from addresses where the Administration Console is not explicitly deployed. This could potentially bypass configured access restrictions, resulting in a low impact on confidentiality, with no impact on the integrity or availability of the application.
๐@cveNotify
๐จ CVE-2025-42908
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.
๐@cveNotify
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.
๐@cveNotify
๐จ CVE-2025-42909
SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other appliances. This has low impact on confidentiality of the application, integrity and availability is not impacted.
๐@cveNotify
SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other appliances. This has low impact on confidentiality of the application, integrity and availability is not impacted.
๐@cveNotify
๐จ CVE-2025-42910
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.
๐@cveNotify
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.
๐@cveNotify
๐จ CVE-2025-42937
SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system files causing high impact on confidentiality integrity and availability of the application.
๐@cveNotify
SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system files causing high impact on confidentiality integrity and availability of the application.
๐@cveNotify
๐จ CVE-2025-42939
SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability.
๐@cveNotify
SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability.
๐@cveNotify
๐จ CVE-2025-42944
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.
๐@cveNotify
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.
๐@cveNotify
๐ฅ1
๐จ CVE-2025-10492
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library
๐@cveNotify
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library
๐@cveNotify
Jaspersoft Community
Jaspersoft Security Advisory: September 16, 2025 - Jaspersoft Library - CVE-2025-10492
Jaspersoft Library Deserialisation Vulnerability Original release date: September 16, 2025 Last revised: --- CVE-2025-10492 Source: Jaspersoft Products Affected JasperReports Library Community Edition 7.0.3 and below Jaspersoft Studio Community Edition 7.0.3โฆ
๐ฅ1
๐จ CVE-2025-10357
The Simple SEO WordPress plugin before 2.0.32 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
๐@cveNotify
The Simple SEO WordPress plugin before 2.0.32 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
๐@cveNotify
WPScan
Simple SEO < 2.0.32 - Contributor+ Stored XSS
See details on Simple SEO < 2.0.32 - Contributor+ Stored XSS CVE 2025-10357. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2025-10732
The SureForms โ Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.
๐@cveNotify
The SureForms โ Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.
๐@cveNotify
๐จ CVE-2025-4949
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
๐@cveNotify
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
๐@cveNotify
GitLab
CVE for https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281 (#64) ยท Issues ยท Eclipse Projects Security / cveโฆ
The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress...
๐จ CVE-2025-41703
An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.
๐@cveNotify
An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.
๐@cveNotify
๐จ CVE-2025-41704
An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality.
๐@cveNotify
An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality.
๐@cveNotify
๐จ CVE-2025-41705
An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.
๐@cveNotify
An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.
๐@cveNotify
๐จ CVE-2025-41706
The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality.
๐@cveNotify
The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality.
๐@cveNotify
๐จ CVE-2025-41707
The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality.
๐@cveNotify
The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality.
๐@cveNotify
๐จ CVE-2025-55078
In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module memory region.
๐@cveNotify
In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module memory region.
๐@cveNotify
GitHub
A kernel object pointer validation flaw in ThreadX system calls allows attackers to supply pointers to reserved memory regions.
### Summary
A kernel object pointer validation flaw in ThreadX system calls allows attackers to supply kernel pointers to reserved memory regions. This can cause the kernel to access invalid mem...
A kernel object pointer validation flaw in ThreadX system calls allows attackers to supply kernel pointers to reserved memory regions. This can cause the kernel to access invalid mem...