🚨 CVE-2025-60266
In xckk v9.6, the orderBy parameter in address/list is not securely filtered, resulting in a SQL injection vulnerability.
🎖@cveNotify
Gitee
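云网软件/小菜低代码开发平台 (free): ⭐⭐⭐ Xiaocai low-code development platform | low-code platform | low-code development platform | back-office management system | rapid development platform. 15 years in development, has served over a thousand customers, Springboot+Vue3 framework; an enterprise-grade low-code development platform. Based on the Xiaocai low-code development platform, you can quickly build…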
🚨 CVE-2025-60304
code-projects Simple Scheduling System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Subject Description field.
🎖@cveNotify
🚨 CVE-2025-60267
In xckk v9.6, the cond parameter in notice/list is not securely filtered, resulting in a SQL injection vulnerability.
🎖@cveNotify
Gitee
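云网软件/小菜低代码开发平台 (free): ⭐⭐⭐ Xiaocai low-code development platform | low-code platform | low-code development platform | back-office management system | rapid development platform. 15 years in development, has served over a thousand customers, Springboot+Vue3 framework; an enterprise-grade low-code development platform. Based on the Xiaocai low-code development platform, you can quickly build…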
🚨 CVE-2025-60316
SourceCodester Pet Grooming Management Software 1.0 is vulnerable to SQL Injection in admin/view_customer.php via the ID parameter.
🎖@cveNotify
GitHub
Vulnerability-Research/CVE-2025-60316/README.md at main · ChuckBartowski7/Vulnerability-Research
Contribute to ChuckBartowski7/Vulnerability-Research development by creating an account on GitHub.
🚨 CVE-2025-54654
Permission control vulnerability in the Gallery module. Successful exploitation of this vulnerability may affect service confidentiality.
🎖@cveNotify
🚨 CVE-2025-55996
Viber Desktop 25.6.0 is vulnerable to HTML Injection via the text parameter of the message compose/forward interface.
🎖@cveNotify
GitHub
GitHub - thawkhant/viber-desktop-html-injection: Public writeup for CVE-2025-55996 (Viber Desktop HTML Injection)
Public writeup for CVE-2025-55996 (Viber Desktop HTML Injection) - thawkhant/viber-desktop-html-injection
🚨 CVE-2025-55835
File Upload vulnerability in SueamCMS v.0.1.2 allows a remote attacker to execute arbitrary code via the lack of filtering.
🎖@cveNotify
🚨 CVE-2025-45583
Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password.
🎖@cveNotify
2barbie on Notion
2024 - Audi UTR 2.0 Report | Notion
Audi UTR 2.0 response disclosure report
🚨 CVE-2025-45584
Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication.
🎖@cveNotify
2barbie on Notion
2024 - Audi UTR 2.0 Report | Notion
Audi UTR 2.0 response disclosure report
🚨 CVE-2025-45585
Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid parameters.
🎖@cveNotify
2barbie on Notion
2024 - Audi UTR 2.0 Report | Notion
Audi UTR 2.0 response disclosure report
🚨 CVE-2025-45586
An issue in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to arbitrarily overwrite files via supplying a crafted PUT request.
🎖@cveNotify
2barbie on Notion
2024 - Audi UTR 2.0 Report | Notion
Audi UTR 2.0 response disclosure report
🚨 CVE-2025-45587
A stack overflow in the FTP service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
🎖@cveNotify
2barbie on Notion
2024 - Audi UTR 2.0 Report | Notion
Audi UTR 2.0 response disclosure report
🚨 CVE-2025-10367
A vulnerability has been found in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/cardEdit.php. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🎖@cveNotify
GitHub
CVE/RPi-Jukebox-RFID/xss2.md at main · YZS17/CVE
CVE of XU17. Contribute to YZS17/CVE development by creating an account on GitHub.
🚨 CVE-2025-57318
A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
🎖@cveNotify
🚨 CVE-2025-57320
json-schema-editor-visual is a package that provides a jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData functions of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
🎖@cveNotify
🚨 CVE-2025-57324
parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
🎖@cveNotify
🚨 CVE-2025-57317
apidoc-core is the core parser library to generate apidoc result following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess function of apidoc-core versions thru 0.15.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
🎖@cveNotify
GitHub
PoCs/JavaScript/prototype-pollution/CVE-2025-57317 at main · OrangeShieldInfos/PoCs
Collection of Proof-of-Concepts. Contribute to OrangeShieldInfos/PoCs development by creating an account on GitHub.
🚨 CVE-2025-59831
git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests in the library's primary exported API, gitCommiters(options, callback), which allows specifying options such as cwd for the current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize user input or use a secure process execution API that separates commands from their arguments, so uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.
🎖@cveNotify
GitHub
fix: Command Injection vulnerability reported by lirantal · snowyu/git-commiters.js@7f0abfe
Statistical summary of various information about git committer. - fix: Command Injection vulnerability reported by lirantal · snowyu/git-commiters.js@7f0abfe
🚨 CVE-2025-11005
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1458_B20250708.
🎖@cveNotify
GitHub
u42-vulnerability-disclosures/2025/PANW-2025-0005/PANW-2025-0005.md at main · PaloAltoNetworks/u42-vulnerability-disclosures
Contribute to PaloAltoNetworks/u42-vulnerability-disclosures development by creating an account on GitHub.
🚨 CVE-2025-11011
A vulnerability was found in BehaviorTree up to 4.7.0. Affected by this issue is the function JsonExporter::fromJson of the file /src/json_export.cpp. Performing manipulation of the argument Source results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named 4b23dcaf0ce951a31299ebdd61df69f9ce99a76d. It is suggested to install a patch to address this issue.
🎖@cveNotify
GitHub
fix: validate __type field before accessing in fromJson (#1009) · BehaviorTree/BehaviorTree.CPP@4b23dca
Co-authored-by: ahuo <ahuo2865189826@gmail.com>
🚨 CVE-2025-11012
A vulnerability was determined in BehaviorTree up to 4.7.0. This affects the function ParseScript of the file /src/script_parser.cpp of the component Diagnostic Message Handler. Executing manipulation of the argument error_msgs_buffer can lead to stack-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called cb6c7514efa628adb8180b58b4c9ccdebbe096e3. A patch should be applied to remediate this issue.
🎖@cveNotify
GitHub
fix: use dynamically growing error buffer in ParseScript (#1007) · BehaviorTree/BehaviorTree.CPP@cb6c751
* fix: use dynamically growing error buffer in ParseScript
* style: format code
* fix: use dynamically growing error buffer in ValidateScript
---------
Co-authored-by: ahuo <ahuo28651898...