
1746 matches found

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-31375

Malicious code in bioql PyPI...

10 CVSS, 6.6 AI score, 0.00678 EPSS
Exploits 0, References 3
EUVD
added 2025/10/03 8:7 p.m., 8 views

EUVD-2022-5085

Malicious code in bioql PyPI...

5.4 CVSS, 5.4 AI score, 0.00817 EPSS
Exploits 2, References 3
EUVD
added 2025/10/03 8:7 p.m., 21 views

EUVD-2025-28551

Malicious code in bioql PyPI...

6.5 CVSS, 6.6 AI score, 0.00388 EPSS
Exploits 1, References 4
Cvelist
added 2025/10/03 12:0 a.m., 8 views

CVE-2025-60447

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to...

0.00235 EPSS
Exploits 1, References 1
Positive Technologies
added 2025/09/29 12:0 a.m., 3 views

PT-2025-39905

Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.26.3 and below. Description: FreshRSS is a free, self-hostable RSS aggregator susceptible to a flaw where a crafted page can mislead a user into executing arbitrary JavaScript code or elevating privileges within FreshRSS. Thi...

6.1 CVSS, 6 AI score, 0.00257 EPSS
Exploits 1, References 8
Vulnrichment
added 2025/09/26 1:32 a.m., 3 views

CVE-2025-10993 MuYuCMS Template Management admin.php code injection

A security flaw has been discovered in MuYuCMS up to 2.7. Affected by this issue is some unknown functionality of the file /admin.php of the component Template Management. The manipulation results in code injection. It is possible to launch the attack remotely...

5.8 CVSS, 6.8 AI score, 0.00364 EPSS
Exploits 0, References 4
CVE
added 2025/09/26 12:0 a.m., 20 views

CVE-2025-58384

CVE-2025-58384 affects DOXENSE WATCHDOC prior to version 6.1.1.5332. The issue is Deserialization of Untrusted Data via the .NET Remoting library used in the Watchdoc administration interface, enabling remote code execution. Impact is high (remote code execution with network access and no user in...

10 CVSS, 7.8 AI score, 0.00678 EPSS
Exploits 0, References 2
CVE
added 2025/09/24 4:32 p.m., 12 views

CVE-2025-10909

Mangati NovoSGA (versions up to 2.2.9) is affected by a Cross-site Scripting (XSS) vulnerability in the SVG File Handler, specifically via manipulation of the logoNavbar/logoLogin arguments in the /admin path. The issue can be exploited remotely; multiple sources report that the exploit is public...

4.8 CVSS, 3 AI score, 0.00288 EPSS
Exploits 0, References 5
NCSC
added 2025/09/19 12:0 a.m., 7 views

Vulnerability fixed in Fortra's GoAnywhere MFT

Fortra has fixed a vulnerability in GoAnywhere MFT License Servlet Specifically. The vulnerability is in the deserialization of a controlled object within the License Servlet. An attacker could use a forged license response signature to perform command injection, which could lead to unauthorized...

10 CVSS, 7.1 AI score, 0.99614 EPSS
Exploits 2
CVE
added 2025/09/18 12:0 a.m., 19 views

CVE-2025-57295

CVE-2025-57295 affects H3C NX15V100R015 firmware. The root account has no password and the H3C user account uses the default password, both stored in /etc/shadow, enabling attackers with network access to gain unauthorized root-level access via the admin interface or other services. This can lead...

8 CVSS, 7.8 AI score, 0.00381 EPSS
Exploits 1, References 2, Affected Software 1
CVE
added 2025/09/17 8:32 p.m., 20 views

CVE-2025-10617

CVE-2025-10617 affects SourceCodester Online Polling System 1.0. The vulnerability is in the sensitive file /admin/positions.php, where manipulation of the ID argument leads to an SQL injection. The attack can be initiated remotely and, per sources, the exploit has been publicly released. Connec...

8.8 CVSS, 6.7 AI score, 0.00365 EPSS
Exploits 0, References 7, Affected Software 1
RedhatCVE
added 2025/09/17 5:52 a.m., 5 views

CVE-2025-59518

In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server. Mitigation: As a temporary...

8 CVSS, 7.6 AI score, 0.01175 EPSS
Exploits 0, References 5
Positive Technologies
added 2025/09/17 12:0 a.m., 3 views

PT-2025-38225

Name of the Vulnerable Software and Affected Versions: SourceCodester Online Exam Form Submission version 1.0 Description: A SQL injection issue exists due to the manipulation of the email parameter within an unknown function of the /admin/index.php file. This allows for remote exploitation. The...

7.5 CVSS, 7.5 AI score, 0.00387 EPSS
Exploits 1, References 9
Cvelist
added 2025/09/16 2:33 p.m., 11 views

CVE-2009-20006 osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility admin/filemanager.php. The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to...

9.3 CVSS, 0.01142 EPSS
Exploits 0, References 5
CNVD
added 2025/09/16 12:0 a.m., 4 views

Unspecified Vulnerability in Dreamer CMS (CNVD-2025-21438)

Dreamer CMS is a dreamer content management system. A security vulnerability exists in Dreamer CMS 4.1.3.2 and earlier versions, which stems from improper handling of the file /admin/user/updatePwd, which could lead to weak password requirements. No details of the vulnerability are provided at th...

3.1 CVSS, 4.5 AI score, 0.0022 EPSS
Exploits 0, Affected Software 1
Vulnrichment
added 2025/09/15 6:2 a.m., 4 views

CVE-2025-10429 SourceCodester Pet Grooming Management Software ajax_product.php sql injection

A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajaxproduct.php. The manipulation of the argument dropservices results in sql injection. The attack can be launched remotely. The...

6.5 CVSS, 6.4 AI score, 0.00351 EPSS
Exploits 1, References 5
RedhatCVE
added 2025/09/11 1:23 p.m., 13 views

CVE-2025-9994

The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access...

9.8 CVSS, 7.1 AI score, 0.00511 EPSS
Exploits 0, References 1
NVD
added 2025/09/11 12:15 p.m., 4 views

CVE-2025-40689

SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'remark', 'status' and 'requestid' parameters in the endpoint '/ofrs/admin/request-details.php'...

9.8 CVSS, 0.00309 EPSS
Exploits 0, References 1
Github Security Blog
added 2025/09/10 8:43 p.m., 15 views

WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

Summary: Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: - Stream real-time application logs (information disclosure). - Gain insight into internal file...

8.8 CVSS, 7.2 AI score, 0.00663 EPSS
Exploits 1, References 5, Affected Software 1
CVE
added 2025/09/10 7:49 p.m., 34 views

CVE-2025-54376

Hoverfly (versions

8.8 CVSS, 6.7 AI score, 0.00663 EPSS
Exploits 1, References 2, Affected Software 1