๐จ CVE-2025-11898
Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
๐@cveNotify
Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
๐@cveNotify
๐จ CVE-2025-11899
Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability.
๐@cveNotify
Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability.
๐@cveNotify
๐จ CVE-2025-11900
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
๐@cveNotify
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
๐@cveNotify
๐จ CVE-2025-6949
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to existing users. In certain scenarios, this vulnerability could allow an attacker to gain full administrative control over the affected device, leading to potential account impersonation. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
An Execution with Unnecessary Privileges vulnerability has been identified in Moxaโs network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to existing users. In certain scenarios, this vulnerability could allow an attacker to gain full administrative control over the affected device, leading to potential account impersonation. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
Moxa
CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliancesโฆ
๐จ CVE-2025-6950
An Use of Hard-coded Credentials vulnerability has been identified in Moxaโs network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
An Use of Hard-coded Credentials vulnerability has been identified in Moxaโs network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
๐@cveNotify
Moxa
CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliancesโฆ
๐จ CVE-2025-11849
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
๐@cveNotify
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
๐@cveNotify
Gist
Mammoth.js Path Traversal & DoS
Mammoth.js Path Traversal & DoS. GitHub Gist: instantly share code, notes, and snippets.
๐จ CVE-2025-55092
In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.
๐@cveNotify
In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.
๐@cveNotify
GitHub
Potential out of bound read in _nx_ipv4_option_process()
The _nx_ipv4_option_process() function is called to process IPv4 options. It loops over the options, making sure it can read at least 1 byte in each iterations (type). When processing NX_IP_OPTION_...
๐จ CVE-2025-55093
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.
๐@cveNotify
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.
๐@cveNotify
GitHub
Out of bound read and write in _nx_ipv4_packet_receive() when handling unicast DHCP messages
IPv4 processing contains code that will process DHCP unicast messages when the interface IP address is zero. In this case it will read the port from the UDP packet. In order to do that, it will per...
๐จ CVE-2025-55087
In NextX Duo's snmp addon versions before 6.4.4, a part of the Eclipse Foundation ThreadX, an attacker could cause an out-of-bound read by a crafted SNMPv3 security parameters.
๐@cveNotify
In NextX Duo's snmp addon versions before 6.4.4, a part of the Eclipse Foundation ThreadX, an attacker could cause an out-of-bound read by a crafted SNMPv3 security parameters.
๐@cveNotify
GitHub
SNMPv3: No checks before parsing security parameters
### Summary
When processing security parameters in an SNMPv3 request, the client can perform an Out-of-Bounds (OOB) read beyond the allocated buffer. This occurs due to the absence of buffer len...
When processing security parameters in an SNMPv3 request, the client can perform an Out-of-Bounds (OOB) read beyond the allocated buffer. This occurs due to the absence of buffer len...
๐จ CVE-2025-55094
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.
๐@cveNotify
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.
๐@cveNotify
GitHub
Potential out-of-bounds read in _nx_icmpv6_validate_options()
The `_nx_icmpv6_validate_options()` function is responsible for parsing and validating ICMPv6 options within a received ICMPv6 packet. It operates on a raw pointer to a buffer of `NX_ICMPV6_OPTION`...
๐จ CVE-2025-55096
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_hid_report_descriptor_get()
when parsing a descriptor of an USB HID device.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_hid_report_descriptor_get()
when parsing a descriptor of an USB HID device.
๐@cveNotify
GitHub
Inadequate bounds check and potential underflow in _ux_host_class_hid_report_descriptor_get()
The `_ux_host_class_hid_report_descriptor_get()` retrieves and parses a HID report descriptor from a USB HID device. It iteratively calls `_ux_host_class_hid_report_item_analyse()` to parse individ...
๐จ CVE-2025-55097
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of an USB streaming device.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of an USB streaming device.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio_streaming_sampling_get()
The function `_ux_host_class_audio_streaming_sampling_get()` parses a USB audio streaming interface descriptor to extract supported audio sampling characteristics. It iterates through descriptors i...
๐จ CVE-2025-55098
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_device_type_get()
when parsing a descriptor of an USB audio device.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_device_type_get()
when parsing a descriptor of an USB audio device.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio_device_type_get()
The `_ux_host_class_audio_device_type_get()` function traverses the USB audio configuration descriptor to extract the device type by locating the Class-Specific Interface Header Descriptor (`CS_INT...
๐จ CVE-2025-55099
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio_alternate_setting_locate()
The function `_ux_host_class_audio_alternate_setting_locate()` walks through a USB audio configuration descriptor, parsing each section to identify alternate interface settings and extract sampling...
๐จ CVE-2025-55100
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.
๐@cveNotify
In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.
๐@cveNotify
GitHub
Potential out-of-bounds read in _ux_host_class_audio10_sam_parse_func()
The function `_ux_host_class_audio10_sam_parse_func()` parses the sampling characteristics from a USB Audio Class 1.0 descriptor. Specifically, it reads from packed_audio_descriptor, expecting it t...
๐ฅ1
๐จ CVE-2025-11895
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
๐@cveNotify
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
๐@cveNotify
๐จ CVE-2025-2749
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.
๐@cveNotify
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.
๐@cveNotify
๐จ CVE-2023-28814
Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.
๐@cveNotify
Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.
๐@cveNotify
Hikvision
ๅ
ณไบๆตทๅบทๅจ่ง้จๅ็ปผๅๅฎ้ฒ็ฎก็ๅนณๅฐไบงๅๅญๅจไปปๆๆไปถไธไผ ๆผๆด็ๅฎๅ
จๅ
ฌๅ
ๆฅๆ๏ผ2023-6-25
๐จ CVE-2023-28815
Some versions of Hikvision's iSecure Center Product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system.iSecure Center is software released for China's domestic market only, with no overseas release.
๐@cveNotify
Some versions of Hikvision's iSecure Center Product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system.iSecure Center is software released for China's domestic market only, with no overseas release.
๐@cveNotify
Hikvision
ๅ
ณไบๆตทๅบทๅจ่ง้จๅ็ปผๅๅฎ้ฒ็ฎก็ๅนณๅฐ็ปไปถๅญๅจๆ้ๆๅๆผๆด็ๅฎๅ
จๅ
ฌๅ
ๆฅๆ๏ผ2023-6-25
๐จ CVE-2025-46400
In xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to availability via local input manipulation via read_arcobject function.
๐@cveNotify
In xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to availability via local input manipulation via read_arcobject function.
๐@cveNotify
๐จ CVE-2025-54253
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
๐@cveNotify
Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
๐@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe Experience Manager | APSB25-82