🚨 CVE-2023-53943
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
🎖@cveNotify
www.glpi-project.org
Smart IT Service Management, Helpdesk & Asset Tracking | GLPI
Streamline your operations with GLPI. Our open source ITSM solution centralizes requests, assets, workflows, and support in one powerful platform.
🚨 CVE-2023-53944
EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attackers can send GET requests with encoded directory traversal sequences like /..%5c..%5c to read system files such as /windows/win.ini.
www.easyphp.org
PHP DEVSERVER | LOCAL PHP DEVELOPMENT ENVIRONMENT
A complete and ready-to-use PHP development environment on Windows including the web server Apache, the SQL Server MySQL and other development tools.
🚨 CVE-2025-63949
A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php.
GitHub
vulnerability-research/advisories/Hotel-Management-System/CVE-2025-63949.md at main · solonbarroso/vulnerability-research
Contribute to solonbarroso/vulnerability-research development by creating an account on GitHub.
🚨 CVE-2023-36338
Inventory Management System 1 was discovered to contain a SQL injection vulnerability.
Gist
CVE-2023-36338
CVE-2023-36338. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2023-38913
SQL injection vulnerability in anirbandutta9 NEWS-BUZZ v.1.0 allows a remote attacker to execute arbitrary code via a crafted script.
Gist
CVE-2023-38913.md
GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2023-53868
Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script.
web.archive.org
Coppermine Photo Gallery
🚨 CVE-2023-53874
GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite the preset name with 260 'A' characters to trigger a buffer overflow and cause application instability.
Exploit Database
GOM Player 2.3.90.5360 - Buffer Overflow (PoC)
GOM Player 2.3.90.5360 - Buffer Overflow (PoC). Local exploit for Windows platform
🚨 CVE-2023-53875
GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV technique to run a reverse shell with SMB server interaction.
Exploit Database
GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
GOM Player 2.3.90.5360 - Remote Code Execution (RCE). Remote exploit for Windows platform
🚨 CVE-2023-53876
Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code.
Academy LMS
Academy LMS - #1 WordPress LMS Plugin for eLearning Solution
Academy LMS is a feature-rich WordPress LMS plugin to create and sell online courses. Get all the features you need to manage your eLearning websites.
🚨 CVE-2023-53877
Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to steal information from the database.
Exploit Database
Bus Reservation System 1.1 - Multiple-SQLi
Bus Reservation System 1.1 - Multiple-SQLi. Webapps exploit for PHP platform
🚨 CVE-2023-53879
NVClient 5.0 contains a stack buffer overflow vulnerability in the user configuration contact field that allows attackers to crash the application. Attackers can overwrite 846 bytes of memory by pasting a crafted payload into the contact box, causing a denial of service condition.
🚨 CVE-2023-53881
ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests.
Ruijie
Ruijie Networks | Network Devices and Solutions Provider
Ruijie Networks is a leading ICT company, headquartered in China. It has been committed to providing innovative scenario-based network products and solutions for customers in various industries.
🚨 CVE-2025-67896
Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
🚨 CVE-2025-68279
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
GitHub
fix(component): gracefully handle invalid symlinks by nijel · Pull Request #17331 · WeblateOrg/weblate
Properly log the error instead of crashing.
Sort matches for consistent parsing order.
Also reject files with same link targets.
Reject downloading symlinked translations.
Filter out symlinked scre...
🚨 CVE-2025-68385
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.
Discuss the Elastic Stack
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34)
Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (ESA-2025-34) Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script…
🚨 CVE-2025-68386
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request.
Discuss the Elastic Stack
Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)
Kibana Improper Authorization (ESA-2025-38) Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission…
🚨 CVE-2025-68387
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.
Discuss the Elastic Stack
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)
Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (ESA-2025-35) Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script…
🚨 CVE-2025-68389
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
Discuss the Elastic Stack
Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-36)
Kibana Allocation of Resources Without Limits or Throttling (ESA-2025-36) Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources…
🚨 CVE-2025-14897
A vulnerability was identified in CodeAstro Real Estate Management System 1.0. The impacted element is an unknown function of the file /admin/useragentdelete.php of the component Administrator Endpoint. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
🚨 CVE-2025-14898
A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component Administrator Endpoint. The manipulation results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
🚨 CVE-2025-64675
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.