EUVD-2025-38262

AstrBot contains a directory traversal vulnerability...

CVE-2025-57698

AstrBot Project v3.5.22 is affected by a directory traversal vulnerability in the install_plugin_upload handler at /plugin/install-upload. The code parses the filename from the request body and assigns it directly to file_path without validation, then passes file_path to file.save, enabling an at...

DIAL CentrosNET App SQL注入漏洞

DIAL CentrosNET App is a mobile application for students, teachers and school administrators from the Spanish company DIAL. A SQL injection vulnerability exists in DIAL CentrosNET App version v2.64, which stems from incorrect manipulation of the parameter ultralogin in the file...

CVE-2025-11072

The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files...

PT-2025-46820

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions up to 9.9 Description pgAdmin 4 versions up to 9.9 on Windows systems are susceptible to a command injection issue. The root cause is the use of shell=True during backup and restore operations. This allows attackers to execu...

PT-2025-45082

Name of the Vulnerable Software and Affected Versions MelAbu WP Download Counter Button WordPress plugin versions through 1.8.6.7 Description The plugin does not properly check the location of files before allowing downloads. This could allow someone without an account to access and download any...

CVE-2025-12623

CVE-2025-12623 affects the fushengqian fuint system, specifically the code path in fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java (Authentication Token Handler). The Red Hat/NVD entries describe an authorization bypass that can be triggered remotel...

EUVD-2025-37472

A vulnerability was detected in PHPGurukul News Portal 1.0. The impacted element is an unknown function of the file /onps/settings.py. Performing manipulation results in insertion of sensitive information into debugging code. It is possible to initiate the attack remotely. The attack's complexity...

CarLux 安全漏洞

CarLux is a car booking system by the individual developer AKSHIT SONANI. A security vulnerability exists in CarLux version 1.0, which originates from a SQL injection vulnerability in the file /carlux/contact.php...

CVE-2025-63443

CVE-2025-63443 affects School Management System PHP v1.0. The vulnerability is a Cross-Site Scripting (XSS) in the login form, exploitable via the unvalidated/unsanitized password parameter sent to /login.php . The referenced sources consistently describe the issue as an XSS condition stemming fr...

CarLux 安全漏洞

CarLux is a car booking system by the individual developer AKSHIT SONANI. A security vulnerability exists in CarLux version 1.0, which stems from the file /carlux/booking.php being vulnerable to cross-site scripting attacks...

CVE-2025-12603 /etc/timezone can be Arbitrarily Written

/etc/timezone can be Arbitrarily Written.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

CVE-2025-12137 Import WP – Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arbitrary File Read

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the...

WordPress plugin User Extra Fields 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerability...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the openEditor function when the EDITOR environment variable and configuration file path that are passed unsanitized to a shell command. An attacker can execute arbitrary system commands by manipulating the EDITOR...

sqls 安全漏洞

sqls is the sqls-server open source a SQL language server written in Go. A security vulnerability exists in sqls version 0.2.28, which stems from the openEditor function not cleaning up the EDITOR environment variable and configuration file path, which could lead to a command injection attack...

CVE-2025-11201

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw...

CVE-2025-12347

A flaw has been found in MaxSite CMS up to 109. This issue affects some unknown processing of the file application/maxsite/admin/plugins/editorfiles/save-file-ajax.php. Executing manipulation of the argument filepath/content can lead to unrestricted upload. The attack can be executed remotely. Th...

CVE-2025-12289

A flaw has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this vulnerability is an unknown functionality of the file /Point/index/activitystate/1/categoryid/1001. Executing manipulation of the argument categoryid can lead to...

CVE-2025-12290

A vulnerability has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this issue is some unknown functionality of the file /i/359. The manipulation of the argument keywords leads to cross site scripting. The attack is possible t...