93 matches found
CVE-2025-10341
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'company' at the endpoint '/clients/client/x...
appRain CMF 跨站脚本漏洞
appRain CMF is a content management framework. A cross-site scripting vulnerability exists in appRain CMF due to improper validation of user input on the /apprain/developer/addons/update/bootstrap endpoint. An attacker could use this vulnerability to steal the victim's cookie-based authentication...
PT-2025-35913
Name of the Vulnerable Software and Affected Versions: appRain CMF version 4.0.5 Description: A stored authenticated Cross-Site Scripting XSS issue exists due to insufficient validation of user-supplied data. The vulnerability is present in the /apprain/information/manage/emailtemplate/add...
CVE-2025-34163 Dongsheng Logistics Software Unauthenticated Arbitrary File Upload
Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST reques...
CVE-2025-9429 mtons mblog Post submit cross site scripting
A security vulnerability has been detected in mtons mblog up to 3.5.0. This vulnerability affects unknown code of the file /post/submit of the component Post Handler. The manipulation of the argument content/title/ leads to cross site scripting. It is possible to initiate the attack remotely. The...
CVE-2025-53971
Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint...
CVE-2025-8976
A vulnerability has been found in givanz Vvveb up to 1.0.5. This vulnerability affects unknown code of the file /vadmin123/index.php?module=content/post=post of the component Endpoint. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been...
CVE-2025-55171
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, the application does not check authentication at endpoint /html/personalizacaoremover.php allowing anonymous attacker without login to delete any Image files at endpoin...
CVE-2025-55168
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability was identified in the /html/saude/aplicarmedicamento.php endpoint, specifically in the idfichamedica parameter. This vulnerability allows...
CVE-2025-55150
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/html/pdf endpoint to convert HTML to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization...
CVE-2025-8790
CVE-2025-8790 affects Portabilis i-Educar up to 2.9.0. The vulnerability is in the API Endpoint component, specifically the file /module/Api/pessoa, where manipulating the ID argument leads to improper authorization. The issue is exploitable remotely, with exploits disclosed publicly. Multiple so...
PT-2025-32463 · Unknown · Portabilis I-Educar
Name of the Vulnerable Software and Affected Versions: Portabilis i-Educar versions up to 2.9.0 Description: A critical issue exists in Portabilis i-Educar related to improper authorization. The vulnerability is located in the API Endpoint component, specifically within the /module/Api/pessoa fil...
CVE-2025-8515
A weakness has been identified in Intelbras InControl 2.21.60.9. This vulnerability affects unknown code of the file /v1/operador/ of the component JSON Endpoint. Executing manipulation can lead to information disclosure. It is possible to launch the attack remotely. A high complexity level is...
U.S. Dept Of Defense: SQL Injection in URI Path Leading to Full Database Disclosure on ████████
A time-based blind SQL injection vulnerability was discovered in the URI path of the /home/server-ocsp/ endpoint on a U.S. Government Public Key Infrastructure website. The vulnerability allowed an unauthenticated attacker to interact with the backend MySQL database and extract sensitive...
📄 Java-springboot-codebase 1.1 Arbitrary File Read
Java-sprintboot-codebase version 1.1 suffers from an arbitrary file read vulnerability. Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read Google Dork: Date: 23/May/2025 Exploit Author: d3sca Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase Software Link:...
CVE-2025-32943
The vulnerability allows any authenticated user to leak the contents of arbitrary “.m3u8” files from the PeerTube server due to a path traversal in the HLS endpoint...
PT-2025-9587
Name of the Vulnerable Software and Affected Versions Serosoft Solutions Pvt Ltd Academia Student Information System SIS EagleR version 1.0.118 Description The issue is related to an Insecure Direct Object References IDOR in the component "/getStudemtAllDetailsById?studentId=XX". This allows...
PT-2025-6004 · Qingscan · Qingscan
Name of the Vulnerable Software and Affected Versions: QingScan versions =1.8.0 Description: A reflected Cross-Site Scripting XSS vulnerability exists in "/webscan/sqlmap/index.html" due to improper input sanitization of the query parameter, allowing an attacker to inject malicious JavaScript...
PT-2025-3407 · Unknown · Phpgurukul Online Birth Certificate System
Name of the Vulnerable Software and Affected Versions: PHPGURUKUL Online Birth Certificate System version 1.0 Description: A Stored Cross-Site Scripting XSS issue was identified in the PHPGURUKUL Online Birth Certificate System. The issue arises via the profile name to the...
CVE-2025-0739
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the "SUSCBRIPTIONID" param of the endpoint "/demos/embedai/subscriptions/show/"...