π¨ CVE-2025-11550
A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.
π@cveNotify
A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.
π@cveNotify
GitHub
BinaryAudit/PoC/NPD/Tenda_W12/cgiWifiScheduledSet/cgiWifiScheduledSet.md at main Β· z472421519/BinaryAudit
Contribute to z472421519/BinaryAudit development by creating an account on GitHub.
π¨ CVE-2025-11551
A vulnerability was determined in code-projects Student Result Manager 1.0. This affects an unknown function of the file src/students/Database.java. This manipulation of the argument roll/name/gpa causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
π@cveNotify
A vulnerability was determined in code-projects Student Result Manager 1.0. This affects an unknown function of the file src/students/Database.java. This manipulation of the argument roll/name/gpa causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
π@cveNotify
π¨ CVE-2025-11552
A vulnerability was identified in code-projects Online Complaint Site 1.0. This impacts an unknown function of the file /admin/category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
π@cveNotify
A vulnerability was identified in code-projects Online Complaint Site 1.0. This impacts an unknown function of the file /admin/category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
π@cveNotify
π¨ CVE-2025-11553
A weakness has been identified in code-projects Courier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-courier.php. Executing manipulation of the argument Shippername can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.
π@cveNotify
A weakness has been identified in code-projects Courier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-courier.php. Executing manipulation of the argument Shippername can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.
π@cveNotify
π¨ CVE-2025-11555
A vulnerability was detected in Campcodes Online Learning Management System 1.0. This affects an unknown part of the file /admin/calendar_of_events.php. The manipulation of the argument date_start results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.
π@cveNotify
A vulnerability was detected in Campcodes Online Learning Management System 1.0. This affects an unknown part of the file /admin/calendar_of_events.php. The manipulation of the argument date_start results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.
π@cveNotify
GitHub
campcodes Online Learning Management System Project V1.0 /admin/calendar_of_events.php SQL injection Β· Issue #2 Β· Rowantu/CVE
campcodes Online Learning Management System Project V1.0 /admin/calendar_of_events.php SQL injection NAME OF AFFECTED PRODUCT(S) Online Learning Management System Vendor Homepage https://www.campco...
π¨ CVE-2025-11556
A flaw has been found in code-projects Simple Leave Manager 1.0. This vulnerability affects unknown code of the file /user.php. This manipulation of the argument table causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
π@cveNotify
A flaw has been found in code-projects Simple Leave Manager 1.0. This vulnerability affects unknown code of the file /user.php. This manipulation of the argument table causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
π@cveNotify
π¨ CVE-2025-10004
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.
π@cveNotify
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.
π@cveNotify
GitLab
GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8
Learn more about GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
π¨ CVE-2025-11340
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
π@cveNotify
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
π@cveNotify
GitLab
GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8
Learn more about GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
π¨ CVE-2025-2934
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses.
π@cveNotify
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses.
π@cveNotify
GitLab
GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8
Learn more about GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
π¨ CVE-2025-11558
A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/user_index_search.php. Performing manipulation of the argument Search results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
π@cveNotify
A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/user_index_search.php. Performing manipulation of the argument Search results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
π@cveNotify
π¨ CVE-2025-60358
radare2 v.5.9.8 and before contains a memory leak in the function _load_relocations.
π@cveNotify
radare2 v.5.9.8 and before contains a memory leak in the function _load_relocations.
π@cveNotify
GitHub
Fix memleak in function _load_relocations by xiaoxiaoafeifei Β· Pull Request #24224 Β· radareorg/radare2
Mark this if you consider it ready to merge
I've added tests (optional)
I wrote some lines in the book (optional)
Description
I've added tests (optional)
I wrote some lines in the book (optional)
Description
π¨ CVE-2025-60359
radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new.
π@cveNotify
radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new.
π@cveNotify
GitHub
fix potential memleak in function r_bin_object_new by xiaoxiaoafeifei Β· Pull Request #24215 Β· radareorg/radare2
Mark this if you consider it ready to merge
I've added tests (optional)
I wrote some lines in the book (optional)
Description
I've added tests (optional)
I wrote some lines in the book (optional)
Description
π¨ CVE-2025-60360
radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
π@cveNotify
radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
π@cveNotify
GitHub
fix memleak in function r2r_subprocess_init by xiaoxiaoafeifei Β· Pull Request #24245 Β· radareorg/radare2
Mark this if you consider it ready to merge
I've added tests (optional)
I wrote some lines in the book (optional)
Description
I've added tests (optional)
I wrote some lines in the book (optional)
Description
π¨ CVE-2025-60361
radare2 v5.9.8 and before contains a memory leak in the function bochs_open.
π@cveNotify
radare2 v5.9.8 and before contains a memory leak in the function bochs_open.
π@cveNotify
GitHub
Fix memleak in function bochs_open and revert PR-24289 by xiaoxiaoafeifei Β· Pull Request #24312 Β· radareorg/radare2
Mark this if you consider it ready to merge
I've added tests (optional)
I wrote some lines in the book (optional)
Description
Fix memleak in function bochs_open
Revert Fix memleak in fu...
I've added tests (optional)
I wrote some lines in the book (optional)
Description
Fix memleak in function bochs_open
Revert Fix memleak in fu...
π¨ CVE-2025-60781
PHP Education Manager v1.0 is vulnerable to Cross Site Scripting (XSS) in the worksheet.php file via the participant_name parameter.
π@cveNotify
PHP Education Manager v1.0 is vulnerable to Cross Site Scripting (XSS) in the worksheet.php file via the participant_name parameter.
π@cveNotify
gold-textbook-8ff on Notion
php-education-management Stored XSS Vulnerability | Notion
system description
π¨ CVE-2025-60783
There is a SQL injection vulnerability in Restaurant Management System DBMS Project v1.0 via login.php. The vulnerability allows attackers to manipulate the application's database through specially crafted SQL query strings.
π@cveNotify
There is a SQL injection vulnerability in Restaurant Management System DBMS Project v1.0 via login.php. The vulnerability allows attackers to manipulate the application's database through specially crafted SQL query strings.
π@cveNotify
gold-textbook-8ff on Notion
Restaurant-Management-System-DBMS-project SQL injection | Notion
system description
π¨ CVE-2025-61301
Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or oversized behavior data that trigger MongoDB BSON limits or orjson recursion errors when the sample executes in the sandbox.
π@cveNotify
Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or oversized behavior data that trigger MongoDB BSON limits or orjson recursion errors when the sample executes in the sandbox.
π@cveNotify
π¨ CVE-2025-61303
Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results.
π@cveNotify
Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results.
π@cveNotify
GitHub
GitHub - eGkritsis/CVE-2025-61303: Critical Vulnerability (9.8) - RecordedFuture Triage dynamic analysis engine can fail to recordβ¦
Critical Vulnerability (9.8) - RecordedFuture Triage dynamic analysis engine can fail to record malicious behavior when samples produce very high-volume recursive process forking, causing inconsist...
π¨ CVE-2025-62656
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki GlobalBlocking extension allows Stored XSS.This issue affects MediaWiki GlobalBlocking extension: 1.43, 1.44.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki GlobalBlocking extension allows Stored XSS.This issue affects MediaWiki GlobalBlocking extension: 1.43, 1.44.
π@cveNotify
Phabricator
T403291 CVE-2025-62656: GlobalBlocking Special:GlobalBlockList vulnerable to message key stored XSS
The `Special:GlobalBlockList` page is vulnerable to message key XSS through several messages.
π¨ CVE-2025-62657
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PageForms extension allows Stored XSS.This issue affects MediaWiki PageForms extension: 1.44.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PageForms extension allows Stored XSS.This issue affects MediaWiki PageForms extension: 1.44.
π@cveNotify
Phabricator
T405357 CVE-2025-62657: Stored XSS through system messages in PageForms
Multiple system messages are inserted as raw HTML by the PageForms extension, allowing for stored XSS.
π¨ CVE-2025-62658
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44.
π@cveNotify
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44.
π@cveNotify
Phabricator
T406380 CVE-2025-62658: SQL injection in WatchAnalytics through Special:ClearPendingReviews
The [[ https://www.mediawiki.org/wiki/Extension:WatchAnalytics | WatchAnalytics ]] extension does not properly escape userβ¦