
Positive Technologies
added 2025/12/14 12:0 a.m., 7 views

PT-2025-51152

Name of the Vulnerable Software and Affected Versions: DedeBIZ versions up to 6.5.9
Description: A security issue exists in DedeBIZ that allows for remote command injection. This is due to manipulation of a functionality within the file /src/admin/catalog add.php. The exploit for this issue has bee...

CVSS 7.2, AI score 4.4, EPSS 0.06506
Exploits 1, References 11

Veracode
added 2025/12/13 7:37 a.m., 6 views

Directory Traversal

NiceGUI is vulnerable to Directory Traversal. The vulnerability is due to improper validation in the App.addmediafiles function, which allows an attacker to access and read arbitrary files from the server filesystem...

CVSS 7.5, AI score 5.9, EPSS 0.00963
Exploits 1, References 4, Affected Software 1

Veracode
added 2025/12/13 7:32 a.m., 5 views

Reflected Cross-Site Scripting (XSS)

NiceGUI is vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability is due to improper sanitization or encoding in the ui.addcss, ui.addscss, and ui.addsass functions, which allows an attacker to inject closing tags and execute arbitrary JavaScript...

CVSS 6.1, AI score 6, EPSS 0.00224
Exploits 1, References 3, Affected Software 1

EUVD
added 2025/12/12 6:30 p.m., 3 views

EUVD-2025-203100

jshERP v3.5 and earlier is affected by a stored Cross Site Scripting XSS vulnerability via the /msg/add endpoint...

CVSS 4.6, AI score 5.3, EPSS 0.00145
Exploits 1, References 2

OSV
added 2025/12/12 4:15 p.m., 5 views

CVE-2025-67344

jshERP v3.5 and earlier is affected by a stored Cross Site Scripting XSS vulnerability via the /msg/add endpoint...

CVSS 4.6, AI score 5.8
Exploits 0, References 1

NVD
added 2025/12/12 4:15 p.m., 4 views

CVE-2025-67344

jshERP v3.5 and earlier is affected by a stored Cross Site Scripting XSS vulnerability via the /msg/add endpoint...

CVSS 4.6, EPSS 0.00145
Exploits 1, References 1

RedhatCVE
added 2025/12/12 12:7 p.m., 4 views

CVE-2025-14515

A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/addunit.php. Such manipulation of the argument txtunitDetails leads to sql injection. The attack can be launched remotely. The exploit has been...

CVSS 9.8, AI score 7, EPSS 0.00326
Exploits 1, References 1

RedhatCVE
added 2025/12/12 12:7 p.m., 4 views

CVE-2025-14514

A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/adddistributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. The exploit has been published and may be...

CVSS 9.8, AI score 6.8, EPSS 0.0035
Exploits 1, References 1

CVE
added 2025/12/12 5:49 a.m., 35 views

CVE-2025-67725

Tornado (Python) vulnerable in versions

CVSS 7.5, AI score 6.3, EPSS 0.00396
Exploits 0, References 3, Affected Software 1

OSV
added 2025/12/12 5:49 a.m., 6 views

CVE-2025-67725 Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...

CVSS 7.5, AI score 6.6, EPSS 0.00396
Exploits 0, References 5

RedhatCVE
added 2025/12/12 1:6 a.m., 4 views

CVE-2025-66918

edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting XSS in admin/add-session.php via the "title" parameter...

CVSS 8.8, AI score 6.3, EPSS 0.00475
Exploits 1, References 1

CNVD
added 2025/12/12 12:0 a.m., 1 views

MailEnable Failed Parameter Cross-Site Scripting Vulnerability

MailEnable is a commercial email server software designed for Windows operating systems that provides end-to-end email hosting and collaboration solutions. MailEnable suffers from a cross-site scripting vulnerability that originates from the lack of effective filtering and escaping of user-suppli...

CVSS 6.1, AI score 6, EPSS 0.00402
Exploits 0, References 1

CNVD
added 2025/12/12 12:0 a.m., 3 views

WordPress Add Custom Codes plugin Cross-Site Request Forgery Vulnerability

WordPress Add Custom Codes plugin is a free tool that allows users to add custom codes to WordPress websites. The WordPress Add Custom Codes plugin suffers from a cross-site request forgery vulnerability that stems from the WEB application not adequately verifying that a request is coming from a...

CVSS 8.8, AI score 6.7, EPSS 0.00123
Exploits 0, References 1

CNNVD
added 2025/12/12 12:0 a.m., 4 views

jshERP security vulnerability

jshERP (Huaxia ERP) is a domestically developed ERP system by the Chinese individual developer Ji Sheng Hua. A security vulnerability exists in jshERP v3.5 and earlier versions, which stems from a stored cross-site scripting vulnerability in the /msg/add endpoint...

CVSS 4.6, AI score 5.8, EPSS 0.00145
Exploits 1, References 2

Cvelist
added 2025/12/12 12:0 a.m., 22 views

CVE-2025-67344

jshERP v3.5 and earlier is affected by a stored Cross Site Scripting XSS vulnerability via the /msg/add endpoint...

EPSS 0.00145
Exploits 1, References 1

Positive Technologies
added 2025/12/12 12:0 a.m., 5 views

PT-2025-50955

Name of the Vulnerable Software and Affected Versions: jshERP versions prior to 3.5
Description: The software is susceptible to a stored Cross Site Scripting XSS issue. The vulnerability exists through the /msg/add API endpoint. An attacker could potentially inject malicious scripts that are then...

CVSS 4.6, AI score 5.8, EPSS 0.00145
Exploits 1, References 5

Vulnrichment
added 2025/12/12 12:0 a.m., 3 views

CVE-2025-67344

jshERP v3.5 and earlier is affected by a stored Cross Site Scripting XSS vulnerability via the /msg/add endpoint...

AI score 5.5, EPSS 0.00145
Exploits 1, References 1

CVE
added 2025/12/12 12:0 a.m., 12 views

CVE-2025-67344

CVE-2025-67344 affects jshERP v3.5 and earlier, with a stored Cross-Site Scripting (XSS) vulnerability in the /msg/add endpoint. The issue is reported across multiple feeds (e.g., Red Hat, EUVD, NVD, OSV) and is described as stored XSS in the message-adding functionality, potentially enabling scr...

CVSS 4.6, AI score 5.5, EPSS 0.00145
Exploits 1, References 1, Affected Software 1

OSV
added 2025/12/11 6:16 p.m., 7 views

CVE-2025-66918

edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting XSS in admin/add-session.php via the "title" parameter...

CVSS 8.8, AI score 5.8, EPSS 0.00475
Exploits 1, References 2

OSV
added 2025/12/11 3:15 p.m., 2 views

CVE-2025-14519

A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. This issue affects some unknown processing of the file /admin/index.php/advtext/add of the component advtext Module. The manipulation results in cross site scripting. The attack can be executed...

CVSS 5.4, AI score 4, EPSS 0.00217
Exploits 1, References 4