🚨 CVE-2025-66328
Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability.
🎖@cveNotify
Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability.
🎖@cveNotify
🚨 CVE-2025-66329
Permission control vulnerability in the window management module. Impact: Successful exploitation of this vulnerability may affect availability.
🎖@cveNotify
Permission control vulnerability in the window management module. Impact: Successful exploitation of this vulnerability may affect availability.
🎖@cveNotify
🚨 CVE-2025-66330
App lock verification bypass vulnerability in the file management app. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
🎖@cveNotify
App lock verification bypass vulnerability in the file management app. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
🎖@cveNotify
🚨 CVE-2025-14225
A vulnerability was determined in D-Link DCS-930L 1.15.04. This affects an unknown part of the file /setSystemAdmin of the component alphapd. Executing manipulation of the argument AdminID can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
A vulnerability was determined in D-Link DCS-930L 1.15.04. This affects an unknown part of the file /setSystemAdmin of the component alphapd. Executing manipulation of the argument AdminID can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
GitHub
MY_VULN_2/D-Link/vuln-1/D-Link Vulnerability.md at main · Madgeaaaaa/MY_VULN_2
Contribute to Madgeaaaaa/MY_VULN_2 development by creating an account on GitHub.
🚨 CVE-2025-14226
A vulnerability was identified in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument fname leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Other parameters might be affected as well.
🎖@cveNotify
A vulnerability was identified in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument fname leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Other parameters might be affected as well.
🎖@cveNotify
GitHub
itsourcecode Student Management System V1.0 SQL Injection Vulnerability · Issue #17 · ltranquility/CVE
itsourcecode Student Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) Student Managemen System Vendor Homepage https://itsourcecode.com/free-projects/php-project/stude...
🚨 CVE-2025-14227
A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. This issue affects some unknown processing of the file /edit.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
🎖@cveNotify
A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. This issue affects some unknown processing of the file /edit.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
🎖@cveNotify
GitHub
Philipinho's Simple-PHP-Blog存在sql注入漏洞 · Issue #1 · woshinenbaba/CVE-
会发现这个id参数并未加过滤和强制类型转化因此可以进行sql注入 poc: POST /edit.php HTTP/1.1 Host: xxxxxx Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ...
🚨 CVE-2025-14262
A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if there were saved by the job owner. The attacker must have permissions to access the jobs but then they were saved into the catalog service using the wrong owner permissions. Therefore it may have been possible to save into spaces where the attacker does not have write permissions.
There is no workaround.
🎖@cveNotify
A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if there were saved by the job owner. The attacker must have permissions to access the jobs but then they were saved into the catalog service using the wrong owner permissions. Therefore it may have been possible to save into spaces where the attacker does not have write permissions.
There is no workaround.
🎖@cveNotify
KNIME
Security Advisories | KNIME
This page summarizes all security advisories for KNIME Software products and services, including KNIME Analytics Platform, KNIME Server, and KNIME Hub.
🚨 CVE-2025-27019
Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows
an attacker to utilize password-less user accounts and obtain
system access by activating a reverse shell.This issue affects MTC-9: from R22.1.1.0275 before R23.0.
🎖@cveNotify
Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows
an attacker to utilize password-less user accounts and obtain
system access by activating a reverse shell.This issue affects MTC-9: from R22.1.1.0275 before R23.0.
🎖@cveNotify
www.cvcn.gov.it
CVCN
Bootstrap Italia
🚨 CVE-2025-27020
Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on file system
.
This issue affects MTC-9: from R22.1.1.0275 before R23.0.
🎖@cveNotify
Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on file system
.
This issue affects MTC-9: from R22.1.1.0275 before R23.0.
🎖@cveNotify
www.cvcn.gov.it
CVCN
Bootstrap Italia
🚨 CVE-2025-66461
FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed.
🎖@cveNotify
FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed.
🎖@cveNotify
jvn.jp
JVN#59242986: GS Yuasa FULLBACK Manager Pro registers Windows services with unquoted file paths
Japan Vulnerability Notes
🚨 CVE-2025-14228
A weakness has been identified in Yealink SIP-T21P E2 52.84.0.15. Impacted is an unknown function of the component Local Directory Page. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
A weakness has been identified in Yealink SIP-T21P E2 52.84.0.15. Impacted is an unknown function of the component Local Directory Page. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
🚨 CVE-2025-14229
A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
🚨 CVE-2025-14230
A vulnerability was detected in code-projects Daily Time Recording System 4.5.0. The impacted element is an unknown function of the file /admin/add_payroll.php. Performing manipulation of the argument detail_Id results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.
🎖@cveNotify
A vulnerability was detected in code-projects Daily Time Recording System 4.5.0. The impacted element is an unknown function of the file /admin/add_payroll.php. Performing manipulation of the argument detail_Id results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.
🎖@cveNotify
🚨 CVE-2025-14244
A flaw has been found in GreenCMS 2.3.0603. Affected by this issue is some unknown functionality of the file /Admin/Controller/CustomController.class.php of the component Menu Management Page. This manipulation of the argument Link causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
A flaw has been found in GreenCMS 2.3.0603. Affected by this issue is some unknown functionality of the file /Admin/Controller/CustomController.class.php of the component Menu Management Page. This manipulation of the argument Link causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
Gist
GreenCMS 2.3.0603 Stored XSS Vulnerability
GreenCMS 2.3.0603 Stored XSS Vulnerability. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2025-42615
In affected versions, vulnerability-lookup did not track or limit failed
One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)
verification. An attacker who already knew or guessed a valid username
and password could submit an arbitrary number of OTP codes without
causing the account to be locked or generating any specific alert for
administrators.
This lack of rate-limiting and lockout on OTP failures significantly
lowers the cost of online brute-force attacks against 2FA codes and
increases the risk of successful account takeover, especially if OTP
entropy is reduced (e.g. short numeric codes, user reuse, or predictable
tokens). Additionally, administrators had no direct visibility into
accounts experiencing repeated 2FA failures, making targeted attacks
harder to detect and investigate.
The patch introduces a persistent failed_otp_attempts counter on user
accounts, locks the user after 5 invalid OTP submissions, resets the
counter on successful verification, and surfaces failed 2FA attempts in
the admin user list. This enforces an account lockout policy for OTP
brute-force attempts and improves monitoring capabilities for suspicious
2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0.
🎖@cveNotify
In affected versions, vulnerability-lookup did not track or limit failed
One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)
verification. An attacker who already knew or guessed a valid username
and password could submit an arbitrary number of OTP codes without
causing the account to be locked or generating any specific alert for
administrators.
This lack of rate-limiting and lockout on OTP failures significantly
lowers the cost of online brute-force attacks against 2FA codes and
increases the risk of successful account takeover, especially if OTP
entropy is reduced (e.g. short numeric codes, user reuse, or predictable
tokens). Additionally, administrators had no direct visibility into
accounts experiencing repeated 2FA failures, making targeted attacks
harder to detect and investigate.
The patch introduces a persistent failed_otp_attempts counter on user
accounts, locks the user after 5 invalid OTP submissions, resets the
counter on successful verification, and surfaces failed 2FA attempts in
the admin user list. This enforces an account lockout policy for OTP
brute-force attempts and improves monitoring capabilities for suspicious
2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0.
🎖@cveNotify
vulnerability.circl.lu
gna-1 - gcve-1-2025-0033
Vulnerability-Lookup - Fast vulnerability lookup correlation from different sources.
🚨 CVE-2023-39784
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the list parameter in the save_virtualser_data function.
🎖@cveNotify
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the list parameter in the save_virtualser_data function.
🎖@cveNotify
tenda.com/
Tenda.com | Conquiste seu Apartamento
A gente coloca a conquista do seu apartamento ao seu alcance! Confira as nossas condições exclusivas e veja como utilizar o programa Minha Casa Minha Vida.
🚨 CVE-2023-39785
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the list parameter in the set_qosMib_list function.
🎖@cveNotify
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the list parameter in the set_qosMib_list function.
🎖@cveNotify
tenda.com/
Tenda.com | Conquiste seu Apartamento
A gente coloca a conquista do seu apartamento ao seu alcance! Confira as nossas condições exclusivas e veja como utilizar o programa Minha Casa Minha Vida.
🚨 CVE-2023-39786
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the time parameter in the sscanf function.
🎖@cveNotify
Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow via the time parameter in the sscanf function.
🎖@cveNotify
tenda.com/
Tenda.com | Conquiste seu Apartamento
A gente coloca a conquista do seu apartamento ao seu alcance! Confira as nossas condições exclusivas e veja como utilizar o programa Minha Casa Minha Vida.
🚨 CVE-2023-40891
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter firewallEn at /goform/SetFirewallCfg.
🎖@cveNotify
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter firewallEn at /goform/SetFirewallCfg.
🎖@cveNotify
🚨 CVE-2023-40892
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter schedStartTime and schedEndTime at /goform/openSchedWifi.
🎖@cveNotify
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter schedStartTime and schedEndTime at /goform/openSchedWifi.
🎖@cveNotify
🚨 CVE-2023-40893
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter time at /goform/PowerSaveSet.
🎖@cveNotify
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter time at /goform/PowerSaveSet.
🎖@cveNotify