π¨ CVE-2025-6541
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
π@cveNotify
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
π@cveNotify
π¨ CVE-2025-6542
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
π@cveNotify
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
π@cveNotify
π¨ CVE-2025-7850
A command injection vulnerability may be exploited after the admin's authentication on the web portal on Omada gateways.
π@cveNotify
A command injection vulnerability may be exploited after the admin's authentication on the web portal on Omada gateways.
π@cveNotify
π¨ CVE-2025-7851
An attacker may obtain the root shell on the underlying OS system with the restricted conditions on Omada gateways.
π@cveNotify
An attacker may obtain the root shell on the underlying OS system with the restricted conditions on Omada gateways.
π@cveNotify
π¨ CVE-2025-6542
An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
π@cveNotify
An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
π@cveNotify
π¨ CVE-2025-8078
A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on the affected device by passing a crafted string as an argument to a CLI command.
π@cveNotify
A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on the affected device by passing a crafted string as an argument to a CLI command.
π@cveNotify
Zyxel
Zyxel security advisory for post-authentication command injection and missing authorization vulnerabilities in ZLD firewalls |β¦
CVEs: CVE-2025-8078, CVE-2025-9133 Summary Zyxel has released patches addressing a post-authentication command injection vulnerability and a missing authorization vulnerability in certain versions of the ZLD firewall firmware. Users are advised to installβ¦
π¨ CVE-2025-9133
A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attackerβwho has completed only the first stage of the two-factor authentication (2FA) processβto view and download the system configuration from an affected device.
π@cveNotify
A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attackerβwho has completed only the first stage of the two-factor authentication (2FA) processβto view and download the system configuration from an affected device.
π@cveNotify
Zyxel
Zyxel security advisory for post-authentication command injection and missing authorization vulnerabilities in ZLD firewalls |β¦
CVEs: CVE-2025-8078, CVE-2025-9133 Summary Zyxel has released patches addressing a post-authentication command injection vulnerability and a missing authorization vulnerability in certain versions of the ZLD firewall firmware. Users are advised to installβ¦
π₯1
π¨ CVE-2024-45497
A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.
π@cveNotify
A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.
π@cveNotify
π¨ CVE-2025-62694
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS.This issue affects Mediawiki - WikiLove Extension: 1.39.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS.This issue affects Mediawiki - WikiLove Extension: 1.39.
π@cveNotify
π¨ CVE-2025-62701
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.
π@cveNotify
π¨ CVE-2025-62702
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.
π@cveNotify
π₯1
π¨ CVE-2025-10916
The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
π@cveNotify
The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
π@cveNotify
WPScan
FormGent < 1.0.4 - Unauthenticated Arbitrary File Deletion
See details on FormGent < 1.0.4 - Unauthenticated Arbitrary File Deletion CVE 2025-10916. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2025-11949
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.
π@cveNotify
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.
π@cveNotify
π¨ CVE-2025-12004
Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.
π@cveNotify
Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.
π@cveNotify
π¨ CVE-2025-26392
SolarWinds Observability Self-Hosted is susceptible to SQL injection vulnerability that may display sensitive data using a low-level account. This vulnerability requires authentication from a low-privilege account.
π@cveNotify
SolarWinds Observability Self-Hosted is susceptible to SQL injection vulnerability that may display sensitive data using a low-level account. This vulnerability requires authentication from a low-privilege account.
π@cveNotify
π¨ CVE-2025-10612
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.This issue affects City Guide: before 1.4.45.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.This issue affects City Guide: before 1.4.45.
π@cveNotify
π₯1
π¨ CVE-2025-5496
ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.
π@cveNotify
ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.
π@cveNotify
Manageengine
CVE-2025-5496: Endpoint Central Local Privilege Escalation Fix
Security update for CVE-2025-5496 - Arbitrary File Deletion in dcconfig.exe leading to local privilege escalation in Endpoint Central
π¨ CVE-2025-7473
Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.
π@cveNotify
Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.
π@cveNotify
Manageengine
Parsing XML data - Knowledge Base
π¨ CVE-2024-25560
When BIG-IP AFM is licensed and provisioned, undisclosed DNS traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
When BIG-IP AFM is licensed and provisioned, undisclosed DNS traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
F5
TMM vulnerability CVE-2024-25560
Security Advisory Description When a DNS profile is applied to a virtual server, undisclosed DNS traffic can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2024-25560) Impact Traffic is disrupted while the TMM process restarts. This vulnerabilityβ¦
π¨ CVE-2024-31156
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
F5
BIG-IP Configuration utility XSS vulnerability CVE-2024-31156
Security Advisory Description A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. (CVE-2024-31156) Impactβ¦
π¨ CVE-2024-32761
Under certain conditions, a potential data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. However, this issue cannot be exploited by an attacker because it is not consistently reproducible and is beyond an attacker's control. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
π@cveNotify
Under certain conditions, a potential data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. However, this issue cannot be exploited by an attacker because it is not consistently reproducible and is beyond an attacker's control. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
π@cveNotify
F5
BIG-IP TMM tenants on VELOS and rSeries vulnerability CVE-2024-32761
Security Advisory Description Under certain conditions, a data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. This leak occurs randomly and cannot be deliberately triggered. If it occursβ¦