🚨 CVE-2025-15176
A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue.
🎖@cveNotify
A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue.
🎖@cveNotify
GitHub
upf: Fix remote DoS in IPv6 jumbo handling by replacing assert with s… · open5gs/open5gs@b72d834
…afe error handling
Replace `ogs_assert(nxt == 0)` with validation and graceful error return
when parsing IPv6 jumbo payload where plen=0 but NextHeader is non-zero.
This prevents open5gs-upfd fro...
Replace `ogs_assert(nxt == 0)` with validation and graceful error return
when parsing IPv6 jumbo payload where plen=0 but NextHeader is non-zero.
This prevents open5gs-upfd fro...
🚨 CVE-2015-10145
Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.
🎖@cveNotify
Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.
🎖@cveNotify
奇安信 X 实验室
Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI
Overview
In August 2024, XLab observed a premeditated large-scale DDoS attack targeting the distribution platforms of the chinese game Black Myth: Wukong, namely Steam and Perfect World.This attack operation was divided into four waves, with the attackers…
In August 2024, XLab observed a premeditated large-scale DDoS attack targeting the distribution platforms of the chinese game Black Myth: Wukong, namely Steam and Perfect World.This attack operation was divided into four waves, with the attackers…
🚨 CVE-2023-7331
A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a. It is suggested to install a patch to address this issue.
🎖@cveNotify
A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a. It is suggested to install a patch to address this issue.
🎖@cveNotify
GitHub
backend-sql-injection-protection · PKrystian/Full-Stack-Bank@25c9965
create_user.php
delete_user.php
edit_user.php
Added sql statement using prepare and bind param
users.php:
Added sql using prepare and bind param
Added account number generator always starting w...
delete_user.php
edit_user.php
Added sql statement using prepare and bind param
users.php:
Added sql using prepare and bind param
Added account number generator always starting w...
🚨 CVE-2023-22699
Missing Authorization vulnerability in MainWP MainWP Wordfence Extension.This issue affects MainWP Wordfence Extension: from n/a through 4.0.7.
🎖@cveNotify
Missing Authorization vulnerability in MainWP MainWP Wordfence Extension.This issue affects MainWP Wordfence Extension: from n/a through 4.0.7.
🎖@cveNotify
Patchstack
Broken Access Control in WordPress MainWP Wordfence Extension Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
🚨 CVE-2023-23985
Missing Authorization vulnerability in Quiz Maker team Quiz Maker.This issue affects Quiz Maker: from n/a through 6.3.9.4.
🎖@cveNotify
Missing Authorization vulnerability in Quiz Maker team Quiz Maker.This issue affects Quiz Maker: from n/a through 6.3.9.4.
🎖@cveNotify
Patchstack
Content Spoofing in WordPress Quiz Maker Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
🚨 CVE-2025-68946
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
🎖@cveNotify
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
🎖@cveNotify
Gitea
Gitea 1.20.1 is released | Gitea Blog
Gitea 1.20.1 is now released including 21 merged PRs.
🚨 CVE-2025-15210
A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
🚨 CVE-2025-15211
A flaw has been found in code-projects Refugee Food Management System 1.0. Impacted is an unknown function of the file /home/refugee.php. Executing manipulation of the argument refNo/Fname/Lname/sex/age/contact/nationality_nid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
🎖@cveNotify
A flaw has been found in code-projects Refugee Food Management System 1.0. Impacted is an unknown function of the file /home/refugee.php. Executing manipulation of the argument refNo/Fname/Lname/sex/age/contact/nationality_nid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
🎖@cveNotify
🚨 CVE-2025-15212
A vulnerability was detected in code-projects Refugee Food Management System 1.0. This issue affects some unknown processing of the file /home/regfood.php. Performing manipulation of the argument a results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
🎖@cveNotify
A vulnerability was detected in code-projects Refugee Food Management System 1.0. This issue affects some unknown processing of the file /home/regfood.php. Performing manipulation of the argument a results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
🎖@cveNotify
🚨 CVE-2025-15245
A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
🎖@cveNotify
tzh00203 on Notion
D-Link DCS850L v1.02.09 Path Traversal Vulnerability in Firmware Update | Notion
Vulnerability Title: Path Traversal and Command Injection Vulnerabilities in Firmware Upload Service of D-Link DCS-850L v1.02.09
🚨 CVE-2025-15354
A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
🎖@cveNotify
A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
🎖@cveNotify
GitHub
itsourcecode Society Management System Project V1.0 /admin/add_admin.php SQL injection · Issue #2 · BUPT2025201/CVE
itsourcecode Society Management System Project V1.0 /admin/add_admin.php SQL injection NAME OF AFFECTED PRODUCT(S) Society Management System Vendor Homepage https://itsourcecode.com/free-projects/p...
🔥1
🚨 CVE-2025-68943
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
🎖@cveNotify
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
🎖@cveNotify
Gitea
1.21.8/9/10 are released | Gitea Blog
Gitea 1.21.10 is now released. 1.21.10 includs 8 merged PRs. You are highly recommanded to upgrade to this version ASAP. This is also include the bug fixes in 1.21.8 and 1.21.9 which weren't announcemented. 1.21.8 includes 50 merged PRs and 1.21.9 includes…
🚨 CVE-2025-68944
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
🎖@cveNotify
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
🎖@cveNotify
Gitea
Gitea 1.22.2 is released | Gitea Blog
We are proud to present the release of Gitea version 1.22.2.
🚨 CVE-2025-68945
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
🎖@cveNotify
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
🎖@cveNotify
Gitea
Gitea 1.21.2 is released | Gitea Blog
Gitea 1.21.2 are now released. 1.21.2 includs 35 merged PRs and fixes for security vulnerability. You are highly recommanded to upgrade to this version ASAP.
🚨 CVE-2025-15107
A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.
🎖@cveNotify
A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.
🎖@cveNotify
GitHub
[Vulnerability] sqle JWT_SECRET AND Valid credentials HardCoded · Issue #3186 · actiontech/sqle
版本信息(Version) ≤4.2511.0 问题描述(Describe) sqle 存在硬编码的JWT鉴权密钥以及合法有效的JWT凭证 sqle contains a hard-coded JWT authentication key and a valid JWT credential. 截图或日志(Log) https://github.com/actiontech/sqle/blo...
🚨 CVE-2025-67703
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
ArcGIS Blog
ArcGIS Server Security 2025 Update 2 Patch
ArcGIS Server Security 2025 update 2 is available, resolving 10 Medium severity vulnerabilities in ArcGIS Server versions 10.9.1 thru 11.5
🚨 CVE-2025-67704
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
ArcGIS Blog
ArcGIS Server Security 2025 Update 2 Patch
ArcGIS Server Security 2025 update 2 is available, resolving 10 Medium severity vulnerabilities in ArcGIS Server versions 10.9.1 thru 11.5
🚨 CVE-2025-67705
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
ArcGIS Blog
ArcGIS Server Security 2025 Update 2 Patch
ArcGIS Server Security 2025 update 2 is available, resolving 10 Medium severity vulnerabilities in ArcGIS Server versions 10.9.1 thru 11.5
🚨 CVE-2025-67706
ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files.
🎖@cveNotify
ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files.
🎖@cveNotify
ArcGIS Blog
ArcGIS Server Security 2025 Update 2 Patch
ArcGIS Server Security 2025 update 2 is available, resolving 10 Medium severity vulnerabilities in ArcGIS Server versions 10.9.1 thru 11.5
🚨 CVE-2025-67707
ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files.
🎖@cveNotify
ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files.
🎖@cveNotify
ArcGIS Blog
ArcGIS Server Security 2025 Update 2 Patch
ArcGIS Server Security 2025 update 2 is available, resolving 10 Medium severity vulnerabilities in ArcGIS Server versions 10.9.1 thru 11.5
🚨 CVE-2025-67708
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
🎖@cveNotify
ArcGIS Blog
ArcGIS Server Security 2025 Update 2 Patch
ArcGIS Server Security 2025 update 2 is available, resolving 10 Medium severity vulnerabilities in ArcGIS Server versions 10.9.1 thru 11.5