๐จ CVE-2025-65854
Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allows attackers to execute arbitrary commands and execute a full account takeover.
๐@cveNotify
Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allows attackers to execute arbitrary commands and execute a full account takeover.
๐@cveNotify
Mineadmin
้ฆ้กต
MineAdminๆฏไธๆฌพไปฅPHPๅVueๅผๅ็้ซๆง่ฝๅๅฐ็ฎก็็ณป็ป๏ผๆๆฏๆ ๏ผSwoole + Hyperf + Vue3 + Vite5 + Arco Design
๐จ CVE-2025-67341
jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users.
๐@cveNotify
jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users.
๐@cveNotify
GitHub
/systemConfig/upload endpoint is vulnerable to stored XSS attacks ยท Issue #139 ยท jishenghua/jshERP
Affected Versions version โค 3.5 (latest version) Impact jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containin...
๐จ CVE-2025-67344
jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.
๐@cveNotify
jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.
๐@cveNotify
GitHub
/msg/add endpoint is vulnerable to stored XSS attacks ยท Issue #140 ยท jishenghua/jshERP
Affected Versions version โค 3.5 (latest version) Impact jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. /msg/add endpoint is vulnerable to stored XSS attacks. Via the /m...
๐จ CVE-2023-29144
Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection.
๐@cveNotify
Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection.
๐@cveNotify
Malwarebytes
Cyber Security Software and Anti-Malware | Malwarebytes
Protect your home and business PCs, Macs, iOS and Android devices from the latest cyber threats and malware, including ransomware.
๐จ CVE-2025-12874
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Quest Coexistence Manager for Notes (Free/Busy Connector modules) allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding (CL.TE) attack vector. This could allow an attacker to bypass access controls, poison web caches, hijack sessions, or trigger unintended internal requests. This issue affects Coexistence Manager for Notes 3.8.2045. Other versions may also be affected.
๐@cveNotify
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Quest Coexistence Manager for Notes (Free/Busy Connector modules) allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding (CL.TE) attack vector. This could allow an attacker to bypass access controls, poison web caches, hijack sessions, or trigger unintended internal requests. This issue affects Coexistence Manager for Notes 3.8.2045. Other versions may also be affected.
๐@cveNotify
Security Risk Advisors
Published Advisories - Security Risk Advisors
๐จ CVE-2025-14966
A vulnerability was determined in FastAdmin up to 1.7.0.20250506. Affected is the function selectpage of the file application/common/controller/Backend.php of the component Backend Controller. Executing manipulation of the argument custom/searchField can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
๐@cveNotify
A vulnerability was determined in FastAdmin up to 1.7.0.20250506. Affected is the function selectpage of the file application/common/controller/Backend.php of the component Backend Controller. Executing manipulation of the argument custom/searchField can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
๐@cveNotify
๐จ CVE-2018-5282
Kentico 9.0 through 11.0 has a stack-based buffer overflow via the SqlName, SqlPswd, Database, UserName, or Password field in a SilentInstall XML document. NOTE: the vendor disputes this issue because neither a buffer overflow nor a crash can be reproduced; also, reading XML documents is implemented exclusively with managed code within the Microsoft .NET Framework
๐@cveNotify
Kentico 9.0 through 11.0 has a stack-based buffer overflow via the SqlName, SqlPswd, Database, UserName, or Password field in a SilentInstall XML document. NOTE: the vendor disputes this issue because neither a buffer overflow nor a crash can be reproduced; also, reading XML documents is implemented exclusively with managed code within the Microsoft .NET Framework
๐@cveNotify
Exploit Database
Kentico CMS 11.0 - Buffer Overflow
Kentico CMS 11.0 - Buffer Overflow. CVE-2018-5282 . dos exploit for Windows platform
๐จ CVE-2018-7046
Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout
๐@cveNotify
Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout
๐@cveNotify
๐จ CVE-2018-7205
Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout
๐@cveNotify
Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout
๐@cveNotify
๐จ CVE-2018-6842
Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page.
๐@cveNotify
Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a crafted URL results in improper construction of a system page.
๐@cveNotify
Gist
Kentico CMS - 10.0, 11.0 - Multiple Vulnerabilities
GitHub Gist: instantly share code, notes, and snippets.
๐จ CVE-2018-6843
Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface.
๐@cveNotify
Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface.
๐@cveNotify
Gist
Kentico CMS - 10.0, 11.0 - Multiple Vulnerabilities
GitHub Gist: instantly share code, notes, and snippets.
๐จ CVE-2017-17736
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
๐@cveNotify
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.
๐@cveNotify
Levelblue
LevelBlue Blog
Discover expert insights on the latest cybersecurity trends, challenges, and best practices shaping the industry today.
๐จ CVE-2018-19453
Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type.
๐@cveNotify
Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type.
๐@cveNotify
Levelblue
LevelBlue Blog
Discover expert insights on the latest cybersecurity trends, challenges, and best practices shaping the industry today.
๐จ CVE-2024-7794
A vulnerability was found in itsourcecode Vehicle Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file mybill.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
A vulnerability was found in itsourcecode Vehicle Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file mybill.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
GitHub
Itsourcecode Vehicle Management System Project in PHP 1.0 mybill.php SQL injection ยท Issue #5 ยท ppp-src/ha
Itsourcecode Vehicle Management System Project in PHP 1.0 mybill.php SQL injection NAME OF AFFECTED PRODUCT(S) Vehicle Management System Project in PHP Free Download Vendor Homepage https://itsourc...
๐จ CVE-2025-4363
A vulnerability, which was classified as critical, has been found in itsourcecode Gym Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=end_membership. The manipulation of the argument rid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
A vulnerability, which was classified as critical, has been found in itsourcecode Gym Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=end_membership. The manipulation of the argument rid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
GitHub
itsourcecode Gym Management System V1.0 /ajax.php?action=end_membership SQL injection ยท Issue #2 ยท arpcyber2/CVE
itsourcecode Gym Management System V1.0 /ajax.php?action=end_membership SQL injection NAME OF AFFECTED PRODUCT(S) Gym Management System Vendor Homepage https://itsourcecode.com/free-projects/php-pr...
๐จ CVE-2025-10939
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.
๐@cveNotify
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed.
๐@cveNotify
๐จ CVE-2012-10018
The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Server-Side Request Forgery in versions up to, and including 6.1, 1.0 respectively. This makes it possible for attackers to forgery requests coming from a vulnerable site's server and ultimately perform an XSS attack if requesting an SVG file.
๐@cveNotify
The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Server-Side Request Forgery in versions up to, and including 6.1, 1.0 respectively. This makes it possible for attackers to forgery requests coming from a vulnerable site's server and ultimately perform an XSS attack if requesting an SVG file.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2025-10044
A flaw was found in Keycloak. Keycloakโs account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.
๐@cveNotify
A flaw was found in Keycloak. Keycloakโs account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.
๐@cveNotify
๐จ CVE-2017-20208
The RegistrationMagic โ Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.
๐@cveNotify
The RegistrationMagic โ Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.
๐@cveNotify
๐จ CVE-2025-8427
The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โauto_playโ parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โauto_playโ parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
๐จ CVE-2025-12110
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
๐@cveNotify
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
๐@cveNotify