CVE-2025-37163

A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system...

CVE-2025-58034

An Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability CWE-78 vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may...

CVE-2025-40545

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required...

CVE-2025-40545

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required...

CVE-2025-40545 SolarWinds Observability Self-Hosted Open Redirection Vulnerability

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required...

CVE-2025-40545

Affected product: SolarWinds Observability Self-Hosted. Vulnerability: Open redirection due to improper URL sanitization in the application. Root cause / nature: URL handling allows manipulation of the redirect target. Impact (as stated): Potential to redirect users to a malicious site (confident...

EUVD-2025-197926

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required...

CVE-2025-26391 SolarWinds Observability Self-Hosted XSS Vulnerability

SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account...

CVE-2025-11267 VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'veucustomcss' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes i...

CVE-2025-54320

In Ascertia SigningHub up to version 8.6.8, the Invite Users function lacks rate limiting, enabling an authenticated attacker to automate invites and trigger an email bombing scenario. Affected software: Ascertia SigningHub (versions through 8.6.8). Underlying issue: insufficient throttling on th...

EUVD-2021-34717

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAILPW parameter, directly into system-level operations without...

CVE-2025-64444

Improper neutralization of special elements used in an OS command 'OS Command Injection' issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS...

PT-2025-47034

Name of the Vulnerable Software and Affected Versions Application Server affected versions not specified Description An authenticated attacker with “aaConfigTools” privilege can modify App Objects’ help files, potentially leading to a persistent cross-site scripting XSS injection. Successful...

About Remote Code Execution – Microsoft SharePoint “ToolShell” (CVE-2025-49704) vulnerability

About Remote Code Execution - Microsoft SharePoint "ToolShell" CVE-2025-49704 vulnerability. This vulnerability is from the Microsoft's July Patch Tuesday. SharePoint is a web application developed by Microsoft for corporate intranet portals, document management, and collaborative work...

CVE-2025-9055

The VAPIX Edge storage API that allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux Root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account...

CVE-2025-9524

The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer- operator- or administrator-privileged service account...

CVE-2025-9055

The VAPIX Edge storage API that allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux Root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account...

CVE-2025-9524

CVE-2025-9524 affects Axis VAPIX API port.cgi. Root cause: insufficient input validation in port.cgi, leading to process crashes and potential availability impact. Exploitation requires authentication with a viewer/operator/admin service account. CVSS~3.1: 4.3 (NETWORK, LOW attacker interaction, ...

CVE-2025-11855 Age Restriction <= 3.0.2 - Subscriber+ Privilege Escalation

The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the agerestrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password...

CVE-2025-12658 Preload Current Images <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Preload Current Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'complete' parameter in the 'preloadprogressbar' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes...