๐จ CVE-2025-6892
An Incorrect Authorization vulnerability has been identified in Moxaโs network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be exploited after a legitimate user has logged in, as the system fails to properly validate session context or privilege boundaries. An attacker may leverage this flaw to perform unauthorized privileged operations. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
An Incorrect Authorization vulnerability has been identified in Moxaโs network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be exploited after a legitimate user has logged in, as the system fails to properly validate session context or privilege boundaries. An attacker may leverage this flaw to perform unauthorized privileged operations. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
Moxa
CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliancesโฆ
๐จ CVE-2025-5318
A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.
๐@cveNotify
A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.
๐@cveNotify
๐จ CVE-2025-6893
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data endpoint of the affected device. This flaw allows a low-privileged authenticated user to call the API without the required permissions, thereby gaining the ability to access or modify system configuration data. Successful exploitation may lead to privilege escalation, allowing the attacker to access or modify sensitive system settings. While the overall impact is high, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data endpoint of the affected device. This flaw allows a low-privileged authenticated user to call the API without the required permissions, thereby gaining the ability to access or modify system configuration data. Successful exploitation may lead to privilege escalation, allowing the attacker to access or modify sensitive system settings. While the overall impact is high, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
Moxa
CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliancesโฆ
โค1
๐จ CVE-2025-6894
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A flaw in the API authorization logic of the affected device allows an authenticated, low-privileged user to execute the administrative `ping` function, which is restricted to higher-privileged roles. This vulnerability enables the user to perform internal network reconnaissance, potentially discovering internal hosts or services that would otherwise be inaccessible. Repeated exploitation could lead to minor resource consumption. While the overall impact is limited, it may result in some loss of confidentiality and availability on the affected device. There is no impact on the integrity of the device, and the vulnerability does not affect any subsequent systems.
๐@cveNotify
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A flaw in the API authorization logic of the affected device allows an authenticated, low-privileged user to execute the administrative `ping` function, which is restricted to higher-privileged roles. This vulnerability enables the user to perform internal network reconnaissance, potentially discovering internal hosts or services that would otherwise be inaccessible. Repeated exploitation could lead to minor resource consumption. While the overall impact is limited, it may result in some loss of confidentiality and availability on the affected device. There is no impact on the integrity of the device, and the vulnerability does not affect any subsequent systems.
๐@cveNotify
Moxa
CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliancesโฆ
๐ฅ1
๐จ CVE-2025-11898
Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
๐@cveNotify
Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
๐@cveNotify
๐จ CVE-2025-11899
Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability.
๐@cveNotify
Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability.
๐@cveNotify
๐จ CVE-2025-11900
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
๐@cveNotify
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
๐@cveNotify
๐จ CVE-2025-6949
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to existing users. In certain scenarios, this vulnerability could allow an attacker to gain full administrative control over the affected device, leading to potential account impersonation. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to existing users. In certain scenarios, this vulnerability could allow an attacker to gain full administrative control over the affected device, leading to potential account impersonation. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
Moxa
CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliancesโฆ
๐จ CVE-2025-6950
An Use of Hard-coded Credentials vulnerability has been identified in Moxaโs network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
An Use of Hard-coded Credentials vulnerability has been identified in Moxaโs network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
Moxa
CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliancesโฆ
๐จ CVE-2025-11849
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
๐@cveNotify
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
๐@cveNotify
Gist
Mammoth.js Path Traversal & DoS
Mammoth.js Path Traversal & DoS. GitHub Gist: instantly share code, notes, and snippets.
๐จ CVE-2025-55092
In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.
๐@cveNotify
In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.
๐@cveNotify
GitHub
Potential out of bound read in _nx_ipv4_option_process()
The _nx_ipv4_option_process() function is called to process IPv4 options. It loops over the options, making sure it can read at least 1 byte in each iterations (type). When processing NX_IP_OPTION_...
๐จ CVE-2025-55093
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.
๐@cveNotify
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.
๐@cveNotify
GitHub
Out of bound read and write in _nx_ipv4_packet_receive() when handling unicast DHCP messages
IPv4 processing contains code that will process DHCP unicast messages when the interface IP address is zero. In this case it will read the port from the UDP packet. In order to do that, it will per...
๐จ CVE-2025-55087
In NextX Duo's snmp addon versions before 6.4.4, a part of the Eclipse Foundation ThreadX, an attacker could cause an out-of-bound read by a crafted SNMPv3 security parameters.
๐@cveNotify
In NextX Duo's snmp addon versions before 6.4.4, a part of the Eclipse Foundation ThreadX, an attacker could cause an out-of-bound read by a crafted SNMPv3 security parameters.
๐@cveNotify
GitHub
SNMPv3: No checks before parsing security parameters
### Summary
When processing security parameters in an SNMPv3 request, the client can perform an Out-of-Bounds (OOB) read beyond the allocated buffer. This occurs due to the absence of buffer len...
When processing security parameters in an SNMPv3 request, the client can perform an Out-of-Bounds (OOB) read beyond the allocated buffer. This occurs due to the absence of buffer len...
๐จ CVE-2025-55094
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.
๐@cveNotify
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.
๐@cveNotify
GitHub
Potential out-of-bounds read in _nx_icmpv6_validate_options()
The `_nx_icmpv6_validate_options()` function is responsible for parsing and validating ICMPv6 options within a received ICMPv6 packet. It operates on a raw pointer to a buffer of `NX_ICMPV6_OPTION`...
๐จ CVE-2025-55096
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_hid_report_descriptor_get()
when parsing a descriptor of an USB HID device.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_hid_report_descriptor_get()
when parsing a descriptor of an USB HID device.
๐@cveNotify
GitHub
Inadequate bounds check and potential underflow in _ux_host_class_hid_report_descriptor_get()
The `_ux_host_class_hid_report_descriptor_get()` retrieves and parses a HID report descriptor from a USB HID device. It iteratively calls `_ux_host_class_hid_report_item_analyse()` to parse individ...
๐จ CVE-2025-55097
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of an USB streaming device.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of an USB streaming device.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio_streaming_sampling_get()
The function `_ux_host_class_audio_streaming_sampling_get()` parses a USB audio streaming interface descriptor to extract supported audio sampling characteristics. It iterates through descriptors i...
๐จ CVE-2025-55098
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_device_type_get()
when parsing a descriptor of an USB audio device.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_device_type_get()
when parsing a descriptor of an USB audio device.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio_device_type_get()
The `_ux_host_class_audio_device_type_get()` function traverses the USB audio configuration descriptor to extract the device type by locating the Class-Specific Interface Header Descriptor (`CS_INT...
๐จ CVE-2025-55099
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio_alternate_setting_locate()
The function `_ux_host_class_audio_alternate_setting_locate()` walks through a USB audio configuration descriptor, parsing each section to identify alternate interface settings and extract sampling...
๐จ CVE-2025-55100
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio10_sam_parse_func()
The function `_ux_host_class_audio10_sam_parse_func()` parses the sampling characteristics from a USB Audio Class 1.0 descriptor. Specifically, it reads from packed_audio_descriptor, expecting it t...
๐ฅ1
๐จ CVE-2025-11895
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
๐@cveNotify
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
๐@cveNotify
๐จ CVE-2025-2749
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.
๐@cveNotify
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.
๐@cveNotify