🚨 CVE-2025-15197
A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.
@cveNotify
GitHub
Code-projects Content Management System V1.0 editposts.php Arbitrary file upload vulnerability · Issue #7 · Limingqian123/CVE
Code-projects Content Management System V1.0 editposts.php Arbitrary file upload vulnerability NAME OF AFFECTED PRODUCT(S) Content Management System Vendor Homepage https://code-projects.org/conten...
🚨 CVE-2025-66862
A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.
@cveNotify
GitHub
CRGF-Vul/cxxfilt/crash3.md at main · caozhzh/CRGF-Vul
Reproduction of crashes generated in several fuzzing experiments by CRGF method - caozhzh/CRGF-Vul
🚨 CVE-2025-66863
An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 that allows attackers to cause a denial of service via a crafted PE file.
@cveNotify
GitHub
CRGF-Vul/cxxfilt/crash2.md at main · caozhzh/CRGF-Vul
Reproduction of crashes generated in several fuzzing experiments by CRGF method - caozhzh/CRGF-Vul
🚨 CVE-2025-66865
An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 that allows attackers to cause a denial of service via a crafted PE file.
@cveNotify
GitHub
CRGF-Vul/cxxfilt/crash4.md at main · caozhzh/CRGF-Vul
Reproduction of crashes generated in several fuzzing experiments by CRGF method - caozhzh/CRGF-Vul
🚨 CVE-2025-66869
Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8.
@cveNotify
GitHub
Multiple Crashes in v0.4.8 of swftophp when fuzzing test · Issue #366 · libming/libming
Test Environment Ubuntu 20.04.6 LTS libming-v0.4.8(TAG_NAME="ming-0_4_8") Step to reproduce ./autogen.sh ./configure --disable-shared --disable-freetype make ./swftophp "PoC file"...
🚨 CVE-2025-66877
Buffer overflow vulnerability in function dcputchar in decompile.c in libming 0.4.8.
@cveNotify
GitHub
Multiple Crashes in v0.4.8 of swftophp when fuzzing test · Issue #367 · libming/libming
Test Environment Ubuntu 20.04.6 LTS libming-v0.4.8(TAG_NAME="ming-0_4_8") Step to reproduce ./autogen.sh ./configure --disable-shared --disable-freetype make ./swftophp "PoC file"...
🚨 CVE-2024-25181
A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the "file_get_contents" function within the "save.php" file.
@cveNotify
Gist
CVE-2024-25181
CVE-2024-25181. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2025-15202
A vulnerability has been found in SohuTV CacheCloud up to 3.2.0. This affects the function taskQueueList of the file src/main/java/com/sohu/cache/web/controller/TaskController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
@cveNotify
GitHub
XSS vulnerability on /manage/task/list · Issue #374 · sohutv/cachecloud
XSS vulnerability on /manage/task/list Summary In the latest version (v3.2) of CacheCloud, the endpoint /manage/task/list does not encode user-controllable parameters when outputting them on web pa...
🚨 CVE-2025-15203
A vulnerability was found in SohuTV CacheCloud up to 3.2.0. This impacts the function index of the file src/main/java/com/sohu/cache/web/controller/ResourceController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
@cveNotify
GitHub
XSS vulnerability on /manage/app/resource/index · Issue #375 · sohutv/cachecloud
XSS vulnerability on /manage/app/resource/index Summary In the latest version (v3.2) of CacheCloud, the endpoint /manage/app/resource/index does not encode user-controllable parameters when outputt...
🚨 CVE-2024-25183
givanz VvvebJs 1.7.2 is vulnerable to Directory Traversal via scan.php.
@cveNotify
Gist
CVE-2024-25183
CVE-2024-25183. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2025-15204
A vulnerability was determined in SohuTV CacheCloud up to 3.2.0. Affected is the function doQuartzList of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java. Executing manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
@cveNotify
GitHub
XSS vulnerability on /manage/quartz/list · Issue #376 · sohutv/cachecloud
XSS vulnerability on /manage/quartz/list Summary In the latest version (v3.2) of CacheCloud, the endpoint /manage/quartz/list does not encode user-controllable parameters when outputting them on we...
🚨 CVE-2025-15206
A flaw has been found in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /admin/add_area.php. Executing manipulation of the argument txtAreaCode can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.
@cveNotify
GitHub
Campcodes Supplier Management System V1.0 /Supply_Management_System/admin/add_area.php SQL injection · Issue #5 · IMZGforever/CVEs
NAME OF AFFECTED PRODUCT(S) Supplier Management System Vendor Homepage https://www.campcodes.com/projects/php/supplier-management-system-using-php-mysql/ AFFECTED AND/OR FIXED VERSION(S) Submitter ...
🚨 CVE-2025-15207
A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/view_products.php. The manipulation of the argument chkId[] leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
@cveNotify
GitHub
Campcodes Supplier Management System V1.0 /Supply_Management_System/admin/view_products.php SQL injection · Issue #6 · IMZGforever/CVEs
NAME OF AFFECTED PRODUCT(S) Supplier Management System Vendor Homepage https://www.campcodes.com/projects/php/supplier-management-system-using-php-mysql/ AFFECTED AND/OR FIXED VERSION(S) Submitter ...
🚨 CVE-2025-15208
A security flaw has been discovered in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/editrefugee.php. The manipulation of the argument rfid results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
@cveNotify
🚨 CVE-2025-15209
A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown part of the file /home/editfood.php. This manipulation of the argument a/b/c/d causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.
@cveNotify
🚨 CVE-2025-12816
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
@cveNotify
GitHub
GitHub - digitalbazaar/forge: A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps
A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps - digitalbazaar/forge
🚨 CVE-2025-51741
An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint potentially causing a denial of service to the server or the downstream users.
@cveNotify
Echo Global Logistics
Freight Shipping Solutions | Echo Global Logistics
Learn how Echo Global Logistics simplifies transportation management for shippers and carriers with tech-enabled, expert-backed freight shipping solutions.
🚨 CVE-2025-62703
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326.
@cveNotify
GitHub
Adding security warnings to Flask RPCServer (#564) · fugue-project/fugue@6f25326
* Adding security warnings to Flask RPCServer
* lint
* changing documentation url
* f-string
* codacy analysis
🚨 CVE-2025-63735
A reflected cross-site scripting (XSS) vulnerability exists in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.
@cveNotify
GitHub
GitHub - huthx/CVE-2025-63735-Ruckus-Unleashed-Reflected-XSS: Reflected XSS in Ruckus Unleashed 200.13.6.1.319 via the name parameter.
Reflected XSS in Ruckus Unleashed 200.13.6.1.319 via the name parameter. - huthx/CVE-2025-63735-Ruckus-Unleashed-Reflected-XSS
🚨 CVE-2025-66021
OWASP Java HTML Sanitizer is a configurable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which are not mentioned in the HTML policy. At time of publication no known patch is available.
@cveNotify
GitHub
XSS via noscript tag and improper sanitization in style tags
### Summary
It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowTextIn` inside the style tag. This could lead to X...
🚨 CVE-2025-66575
VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. Attackers can exploit this by providing a malicious service name, allowing them to inject commands and run as LocalSystem.
@cveNotify