1305 matches found

Source: EUVD, added 2025/11/10 3:31 p.m., 5 views

EUVD-2025-44058

A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint e.g.,...

CVSS 7.1, AI score 6.5, EPSS 0.00174
Exploits: 1, References: 3
Source: NVD, added 2025/11/10 3:15 p.m., 8 views

CVE-2025-63711

A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint e.g.,...

CVSS 7.1, EPSS 0.00174
Exploits: 1, References: 2
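The two entries above describe the same defect: a state-changing admin action (user deletion) that is authorised by the session cookie alone, so any page the logged-in administrator visits can submit the request on their behalf. The block below is an added example, not code from the SourceCodester Client Database Management System; the Request shape, the session object and the trusted origin are assumptions. It shows the vulnerable pattern beside a handler that requires POST, checks the Origin/Referer against the site's own origin, and verifies a per-session synchronizer token in constant time.

```python
"""Synchronizer-token CSRF check on a state-changing admin action.

Added example; not code from the SourceCodester Client Database Management
System. The Request shape, the session object and the trusted origin are
assumptions made for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://admin.example.test"  # assumed site origin


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class Session:
    """Minimal server-side session: a per-session CSRF token plus the user table."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)
        self.users = {1: "admin", 2: "alice"}


def _same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a startswith() check would let
    https://admin.example.test.evil.example through."""
    got, want = urlsplit(url), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def delete_user_vulnerable(session: Session, req: Request) -> bool:
    """The pattern the advisory describes: the session cookie alone authorises
    the action, so any page the admin visits can submit this form for them."""
    uid = int(req.form["id"])
    return session.users.pop(uid, None) is not None


def delete_user_hardened(session: Session, req: Request) -> bool:
    """Same action with the three checks a CSRF fix needs."""
    if req.method != "POST":                      # GET must never change state
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):                  # cross-site origin rejected
        return False
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):  # constant-time
        return False
    uid = int(req.form["id"])
    return session.users.pop(uid, None) is not None


def demo():
    """Constructed requests: a forged cross-site POST and a genuine one."""
    forged = Request("POST", headers={"Origin": "https://evil.example"},
                     form={"id": "2"})
    vulnerable_deleted = delete_user_vulnerable(Session(), forged)

    sess = Session()
    forged_blocked = (not delete_user_hardened(sess, forged)) and 2 in sess.users
    genuine = Request("POST", headers={"Origin": TRUSTED_ORIGIN},
                      form={"id": "2", "csrf_token": sess.csrf_token})
    genuine_ok = delete_user_hardened(sess, genuine) and 2 not in sess.users
    return vulnerable_deleted, forged_blocked, genuine_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The token check is the one that fails closed; the Origin check and a SameSite attribute on the session cookie are defence in depth, since Origin is absent on some requests and SameSite depends on the browser.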
Source: Vulnrichment, added 2025/11/08 9:28 a.m., 2 views

CVE-2025-11967 Mail Mint <= 1.18.10 - Authenticated (Admin+) Arbitrary File Upload

The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the processcontactattributeimport function in all versions up to, and including, 1.18.10. This makes it possible for authenticated attackers, with Administrator-level access and above...

CVSS 7.2, AI score 6.8, EPSS 0.0046
Exploits: 0, References: 2
Source: Cvelist, added 2025/11/08 9:28 a.m., 7 views

CVE-2025-12092 CYAN Backup <= 2.5.4 - Authenticated (Admin+) Arbitrary File Deletion

The CYAN Backup plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' functionality in all versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delet...

CVSS 6.5, EPSS 0.00633
Exploits: 0, References: 3
Source: NVD, added 2025/11/07 7:16 p.m., 3 views

CVE-2025-64431

Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to Insecure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belongin...

CVSS 8.7, EPSS 0.00247
Exploits: 0, References: 3
Source: NVD, added 2025/11/06 8:15 p.m., 4 views

CVE-2025-34238

Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction that allows an authenticated network administrator to cause the application to read and return the contents of arbitrary files the web...

CVSS 6.9, EPSS 0.00341
Exploits: 0, References: 3
Source: NVD, added 2025/11/06 8:15 p.m., 5 views

CVE-2025-34239

Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction that allows an authenticated system administrator to execute arbitrary commands as the web server user www-data by supplying a crafted uploaded filename...

CVSS 8.6, EPSS 0.01616
Exploits: 0, References: 3
Source: CVE, added 2025/11/06 7:44 p.m., 13 views

CVE-2025-34239

CVE-2025-34239 affects Advantech WebAccess/VPN before version 1.1.5. A command injection exists in AppManagementController.appUpgradeAction(), allowing an authenticated system administrator to execute arbitrary commands as the web server user (www-data) by supplying a crafted uploaded filename. V...

CVSS 8.6, AI score 7.6, EPSS 0.01616
Exploits: 0, References: 3, Affected Software: 1
Source: Cvelist, added 2025/11/06 7:43 p.m., 4 views

CVE-2025-34238 Advantech WebAccess/VPN < 1.1.5 Path Traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction that allows an authenticated network administrator to cause the application to read and return the contents of arbitrary files the web...

CVSS 6.9, EPSS 0.00341
Exploits: 0, References: 3
Source: RedhatCVE, added 2025/11/06 4:41 p.m., 3 views

CVE-2025-20374

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to perform a directory traversal and access arbitrary resources. This vulnerability is due to insufficient input validation associated with specific UI features. An attacker could exploit this...

CVSS 4.9, AI score 6.9, EPSS 0.00947
Exploits: 0, References: 1
Source: Cvelist, added 2025/11/06 2:31 a.m., 27 views

CVE-2025-10683 Easy Email Subscription <= 1.3 - Authenticated (Admin+) SQL Injection via uid

The Easy Email Subscription plugin for WordPress is vulnerable to SQL Injection via the 'uid' parameter in all versions up to, and including, 1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 4.9, EPSS 0.00247
Exploits: 0, References: 2
Source: Vulnrichment, added 2025/11/06 2:31 a.m., 4 views

CVE-2025-10683 Easy Email Subscription <= 1.3 - Authenticated (Admin+) SQL Injection via uid

The Easy Email Subscription plugin for WordPress is vulnerable to SQL Injection via the 'uid' parameter in all versions up to, and including, 1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 4.9, AI score 6.1, EPSS 0.00247
Exploits: 0, References: 2
Source: Positive Technologies, added 2025/11/06 12:00 a.m., 6 views

PT-2025-45356

Name of the Vulnerable Software and Affected Versions: Advantech WebAccess/VPN versions prior to 1.1.5. Description: The software contains a command injection issue in the AppManagementController.appUpgradeAction function. A system administrator with authentication can execute arbitrary commands as...

CVSS 8.6, AI score 8.1, EPSS 0.01616
Exploits: 0, References: 5
Source: Positive Technologies, added 2025/11/06 12:00 a.m., 4 views

PT-2025-45355

Name of the Vulnerable Software and Affected Versions: Advantech WebAccess/VPN versions prior to 1.1.5. Description: The software contains a path traversal flaw in the AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction function. An authenticated network administrator can...

CVSS 6.9, AI score 6.5, EPSS 0.00341
Exploits: 0, References: 6
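Three of the entries above are the same class of bug on different sides of the filesystem: an absolute path traversal on a download action (Advantech CVE-2025-34238 / PT-2025-45355), a directory traversal in a web UI (Cisco CVE-2025-20374), and insufficient path validation on a delete action (CYAN Backup CVE-2025-12092). The block below is an added example, not code from any of those products; the base directory and file names are constructed for the demo. It puts the containment check in one function used by both a read and a delete path, and rejects absolute paths, `..` segments and symlink escapes in that one place.

```python
"""One containment check for user-supplied file names, used for both the
read (download) and the delete side.

Added example; not code from Advantech WebAccess/VPN, CYAN Backup or Cisco
Unified CCX. The base directory and file names are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    pass


def resolve_under(base, user_path: str) -> Path:
    """Return base/user_path only if it stays inside base after resolving
    '..' segments and symlinks; reject absolute paths outright."""
    base_real = Path(base).resolve(strict=True)
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise PathOutsideBase(user_path)            # absolute-path traversal
    candidate = (base_real / user_path).resolve(strict=False)
    if not candidate.is_relative_to(base_real):     # Python 3.9+
        raise PathOutsideBase(user_path)            # '../' or symlink escape
    return candidate


def download_config(base, name: str) -> bytes:
    """Read side (the CVE-2025-34238 shape): serve the file only if contained."""
    return resolve_under(base, name).read_bytes()


def delete_backup(base, name: str) -> bool:
    """Delete side (the CVE-2025-12092 shape): unlink only if contained."""
    target = resolve_under(base, name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo():
    """Constructed tree: <tmp>/configs/ok.txt inside base, <tmp>/secret.txt
    outside it, and a symlink inside base that points at the secret."""
    root = Path(tempfile.mkdtemp())
    base = root / "configs"
    base.mkdir()
    (base / "ok.txt").write_bytes(b"client config")
    secret = root / "secret.txt"
    secret.write_bytes(b"not for you")
    try:
        (base / "link").symlink_to(secret)
    except OSError:            # symlinks unsupported on this filesystem
        pass

    out = {"in_base": download_config(base, "ok.txt")}
    attempts = {
        "dotdot": "../secret.txt",
        "absolute": str(secret),
        "symlink": "link",
        "nested_dotdot": "sub/../../secret.txt",
    }
    for label, attempt in attempts.items():
        try:
            download_config(base, attempt)
            out[label] = "ALLOWED"
        except (PathOutsideBase, FileNotFoundError):
            out[label] = "blocked"
    out["delete_inside"] = delete_backup(base, "ok.txt")
    out["secret_survives"] = secret.exists()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Resolving the base with `strict=True` and the candidate with `strict=False` matters: the base must exist so the comparison is against its real location (tmp directories are often symlinked), while the candidate may legitimately not exist yet on the write or delete side.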
Source: CVE, added 2025/11/05 11:30 p.m., 13 views

CVE-2025-64114

Summary: ClipBucket v5 (versions 5.5.2 and earlier) is vulnerable to an SQL injection through the ClipBucket Custom Fields plugin. The issue requires an authenticated administrator with plugin-management privileges and access to the Custom Fields plugin to execute arbitrary SQL against the databa...

CVSS 6.5, AI score 7.5, EPSS 0.00352
Exploits: 1, References: 3, Affected Software: 1
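The Easy Email Subscription entries (CVE-2025-10683, "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query") and the ClipBucket entry above are both plain SQL injection through a value that should only ever be an integer. The block below is an added example, not code from either project; it uses the standard-library sqlite3 module with a constructed schema, and the table and column names are assumptions. It shows the interpolated query leaking a row from an unrelated table, the same payload doing nothing once the value is bound as a parameter, and a type check on top that turns the silent empty result into a clean error.

```python
"""SQL injection through a parameter that should only ever be an integer,
beside the bound-parameter fix.

Added example; not code from Easy Email Subscription or ClipBucket. Uses the
standard-library sqlite3 module with a constructed schema; table and column
names are assumptions.
"""
import sqlite3


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE subscribers(uid INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO subscribers VALUES (1, 'a@example.test'), (2, 'b@example.test');
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed_hash');
    """)
    return db


def lookup_vulnerable(db, uid: str):
    """The pattern the advisories describe: the value is spliced into the SQL
    text, so a crafted uid rewrites the statement."""
    return db.execute(f"SELECT uid, email FROM subscribers WHERE uid = {uid}").fetchall()


def lookup_bound(db, uid):
    """Parameter binding alone: the payload reaches the engine as one value,
    never as SQL, so the UNION never executes."""
    return db.execute("SELECT uid, email FROM subscribers WHERE uid = ?", (uid,)).fetchall()


def lookup_fixed(db, uid: str):
    """Binding plus type validation, which also gives a clear error instead of
    a silent empty result."""
    if not uid.isdigit():
        raise ValueError("uid must be a non-negative integer")
    return lookup_bound(db, int(uid))


def demo():
    db = setup()
    # Constructed payload: a UNION that pulls rows from an unrelated table.
    payload = "0 UNION SELECT id, login || ':' || pass_hash FROM users"
    leaked = lookup_vulnerable(db, payload)        # credential row comes back
    bound = lookup_bound(db, payload)              # [] : treated as one value
    try:
        lookup_fixed(db, payload)
        fixed = "ran"
    except ValueError:
        fixed = "rejected"
    normal = lookup_fixed(db, "2")
    return leaked, bound, fixed, normal


if __name__ == "__main__":
    print(demo())
```

In WordPress plugin code the equivalent of the bound form is `$wpdb->prepare()` with `%d`; the escaping the advisory says is missing is what `prepare()` supplies, and casting to int first is what makes the `%d` placeholder honest.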
Source: CVE, added 2025/11/05 4:31 p.m., 12 views

CVE-2025-20376

CVE-2025-20376 affects the Cisco Unified CCX web UI, due to insufficient input validation in the file upload mechanism. An authenticated, remote attacker could upload a malicious file via the web UI and execute arbitrary commands on the underlying system, with potential privile...

CVSS 7.2, AI score 7.3, EPSS 0.00399
Exploits: 0, References: 1, Affected Software: 1
Source: Cvelist, added 2025/11/05 2:49 p.m., 6 views

CVE-2025-3125 Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially...

CVSS 6.7, EPSS 0.00758
Exploits: 0, References: 1
Source: Vulnrichment, added 2025/11/05 2:49 p.m., 2 views

CVE-2025-3125 Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially...

CVSS 6.7, AI score 7.8, EPSS 0.00758
Exploits: 0, References: 1
Source: CVE, added 2025/11/05 2:49 p.m., 34 views

CVE-2025-3125

CVE-2025-3125 describes an arbitrary file upload vulnerability in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with administrative privileges can upload a malicious file to a user-controlled location on the serv...

CVSS 7.2, AI score 7.8, EPSS 0.00758
Exploits: 0, References: 1, Affected Software: 8
Source: Positive Technologies, added 2025/11/05 12:00 a.m., 5 views

PT-2025-45106

Name of the Vulnerable Software and Affected Versions: WSO2 products, affected versions not specified. Description: An issue exists where improper input validation in the CarbonAppUploader admin service endpoint allows an authenticated attacker with administrative privileges to upload a malicious fil...

CVSS 6.7, AI score 7.5, EPSS 0.00758
Exploits: 0, References: 3
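Several entries in this list are upload-side failures: missing file type validation (Mail Mint CVE-2025-11967), an upload written to a user-controlled location (WSO2 CVE-2025-3125), an upload that leads to command execution (Cisco CVE-2025-20376), and a crafted uploaded filename that reaches a shell (Advantech CVE-2025-34239 / PT-2025-45356). The block below is an added example, not code from any of those products; the extension allowlist, magic bytes, upload directory and the tar-based upgrade command are assumptions chosen for the demo. It validates an upload without trusting the client's name, stores it under a server-chosen name, and then passes that name to a command as an argv list rather than a shell string.

```python
"""Upload validation that never trusts the client's file name, beside a
shell-free way to pass the stored name to a command.

Added example; not code from Mail Mint, WSO2, Cisco Unified CCX or Advantech
WebAccess/VPN. The extension allowlist, magic bytes, upload directory and
the tar-based upgrade command are assumptions chosen for the demo.
"""
import os
import re
import secrets
import shlex

UPLOAD_DIR = "/var/uploads"                     # assumed storage location
ALLOWED = {                                     # ext -> accepted magic bytes
    ".tgz": (b"\x1f\x8b",),
    ".zip": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".csv": (),                                 # plain text, checked below
}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class RejectedUpload(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name or raise RejectedUpload."""
    if os.path.basename(filename) != filename or not _SAFE_NAME.match(filename):
        raise RejectedUpload(f"bad file name: {filename!r}")  # path parts, ';', ' '
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    if ext == ".csv":
        if b"\x00" in content or b"<?php" in content.lower():
            raise RejectedUpload("csv body is not plain text")
    elif not any(content.startswith(m) for m in ALLOWED[ext]):
        raise RejectedUpload("body does not match extension")  # PHP named .png
    # The client name is discarded: double extensions and .htaccess tricks end here.
    return secrets.token_hex(8) + ext


def build_upgrade_command_vulnerable(filename: str) -> str:
    """The shape the Advantech advisory describes: the name is spliced into a
    string a shell will parse, so ';' or '$(...)' in it become commands."""
    return f"tar -xzf {UPLOAD_DIR}/{filename} -C /opt/app"


def build_upgrade_command(filename: str) -> list:
    """argv list for subprocess.run(..., shell=False): no shell ever sees it."""
    if not _SAFE_NAME.match(filename):
        raise RejectedUpload(f"bad file name: {filename!r}")
    return ["tar", "-xzf", UPLOAD_DIR + "/" + filename, "-C", "/opt/app"]


def demo():
    """Constructed uploads: PHP as .php, PHP disguised as .png, a traversal
    name, a shell-metacharacter name, and a genuine gzip archive."""
    out = {}
    for name, body in (
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.png", b"<?php system($_GET['c']); ?>"),
        ("../../etc/cron.d/job", b"* * * * * root id\n"),
        ("pkg.tgz; id > /tmp/pwned", b"\x1f\x8b\x08\x00"),
    ):
        try:
            validate_upload(name, body)
            out[name] = "accepted"
        except RejectedUpload:
            out[name] = "rejected"

    stored = validate_upload("pkg.tgz", b"\x1f\x8b\x08\x00payload")
    out["stored_ext"] = os.path.splitext(stored)[1]
    out["stored_is_server_named"] = "pkg" not in stored
    out["argv"] = build_upgrade_command(stored)

    evil = "pkg.tgz; id > /tmp/pwned"
    out["shell_string"] = build_upgrade_command_vulnerable(evil)
    # Even without the name check, list form keeps the payload as one literal
    # argument; shlex.join shows how a shell would have to quote it to match.
    out["argv_quoted"] = shlex.join(["tar", "-xzf", UPLOAD_DIR + "/" + evil])
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The server-chosen name does two jobs at once: it removes the attacker's control over the stored path (the WSO2 and Mail Mint shapes) and it guarantees the name later handed to the upgrade command contains nothing a shell could interpret (the Advantech shape), so the argv form is belt and braces rather than the only barrier.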