π¨ CVE-2025-65779
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.
π@cveNotify
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.
π@cveNotify
GitHub
GitHub - wekan/wekan: The Open Source kanban, built with Meteor. GitHub issues/PRs are only for FLOSS Developers, not for supportβ¦
The Open Source kanban, built with Meteor. GitHub issues/PRs are only for FLOSS Developers, not for support, support is at https://wekan.fi/commercial-support/ . New English strings for new feature...
π¨ CVE-2019-11510
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
π@cveNotify
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
π@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
π¨ CVE-2020-0601
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
π@cveNotify
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
π@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
π¨ CVE-2020-1350
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.
π@cveNotify
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.
π@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
π¨ CVE-2020-1472
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
π@cveNotify
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
π@cveNotify
π₯1
π¨ CVE-2025-14584
A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
GitHub
itsourcecode COVID Tracking System V1.0 "/cts/admin/login.php" SQL injection Β· Issue #1 Β· Wegetmore/CVE
itsourcecode COVID Tracking System V1.0 "/cts/admin/login.php" SQL injection NAME OF AFFECTED PRODUCT(S) COVID Tracking System Vendor Homepage https://itsourcecode.com/free-projects/php-p...
π¨ CVE-2025-14585
A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=zone. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
π@cveNotify
A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=zone. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
π@cveNotify
GitHub
itsourcecode COVID Tracking System V1.0 "/cts/admin/?page=zone" SQL injection Β· Issue #1 Β· Ggeee3/CVE
itsourcecode COVID Tracking System V1.0 "/cts/admin/?page=zone" SQL injection NAME OF AFFECTED PRODUCT(S) COVID Tracking System Vendor Homepage https://itsourcecode.com/free-projects/php-...
π¨ CVE-2025-14586
A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
π@cveNotify
A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
π@cveNotify
GitHub
TOTOLINK_X5000R/1.md at main Β· awigwu76/TOTOLINK_X5000R
Contribute to awigwu76/TOTOLINK_X5000R development by creating an account on GitHub.
π¨ CVE-2025-14587
A vulnerability was identified in itsourcecode Online Pet Shop Management System 1.0. This affects an unknown part of the file /pet1/available.php. Such manipulation of the argument Name leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
π@cveNotify
A vulnerability was identified in itsourcecode Online Pet Shop Management System 1.0. This affects an unknown part of the file /pet1/available.php. Such manipulation of the argument Name leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
π@cveNotify
GitHub
itsourcecode Online Pet Shop Management System V1.0 "/pet1/available.php" SQL injection Β· Issue #1 Β· tzm113/CVE
itsourcecode Online Pet Shop Management System V1.0 "/pet1/available.php" SQL injection NAME OF AFFECTED PRODUCT(S) Online Pet Shop Management System Vendor Homepage https://itsourcecode....
π¨ CVE-2025-14588
A security flaw has been discovered in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /update_program.php. Performing manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.
π@cveNotify
A security flaw has been discovered in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /update_program.php. Performing manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.
π@cveNotify
GitHub
itsourcecode Student Management System V1.0 SQL Injection Vulnerability Β· Issue #24 Β· ltranquility/CVE
itsourcecode Student Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) Student Managemen System Vendor Homepage https://itsourcecode.com/free-projects/php-project/stude...
π¨ CVE-2025-14636
A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited.
π@cveNotify
A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited.
π@cveNotify
GitHub
IOT_Firmware_Update/Tenda/AX9_Inte.md at main Β· IOTRes/IOT_Firmware_Update
Contribute to IOTRes/IOT_Firmware_Update development by creating an account on GitHub.
π¨ CVE-2025-12885
The Embed Any Document β Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
π@cveNotify
The Embed Any Document β Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
π@cveNotify
π¨ CVE-2025-68460
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.
π@cveNotify
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.
π@cveNotify
GitHub
Fix Information Disclosure vulnerability in the HTML style sanitizer Β· roundcube/roundcubemail@08de250
reported by somerandomdev
π¨ CVE-2025-68461
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
π@cveNotify
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
π@cveNotify
GitHub
Fix Cross-Site-Scripting vulnerability via SVG's animate tag Β· roundcube/roundcubemail@bfa0326
reported by Valentin T., CrowdStrike
π¨ CVE-2025-27063
Memory corruption during video playback when video session open fails with time out error.
π@cveNotify
Memory corruption during video playback when video session open fails with time out error.
π@cveNotify
π¨ CVE-2025-47319
Information disclosure while exposing internal TA-to-TA communication APIs to HLOS
π@cveNotify
Information disclosure while exposing internal TA-to-TA communication APIs to HLOS
π@cveNotify
π¨ CVE-2025-47320
Memory corruption while processing MFC channel configuration during music playback.
π@cveNotify
Memory corruption while processing MFC channel configuration during music playback.
π@cveNotify
π¨ CVE-2025-47321
Memory corruption while copying packets received from unix clients.
π@cveNotify
Memory corruption while copying packets received from unix clients.
π@cveNotify
π¨ CVE-2025-47323
Memory corruption while routing GPR packets between user and root when handling large data packet.
π@cveNotify
Memory corruption while routing GPR packets between user and root when handling large data packet.
π@cveNotify
π¨ CVE-2025-47325
Information disclosure while processing system calls with invalid parameters.
π@cveNotify
Information disclosure while processing system calls with invalid parameters.
π@cveNotify