1570 matches found

Vulnrichment
added 2025/09/29 4:9 p.m. | 4 views

CVE-2025-41244 VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246)

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate...

CVSS: 7.8 | AI score: 6.8 | EPSS: 0.00529
Exploits: 3 | References: 1

Positive Technologies
added 2025/09/29 12:0 a.m. | 3 views

PT-2025-39851

Name of the Vulnerable Software and Affected Versions: VMware vCenter (affected versions not specified). Description: VMware vCenter contains an SMTP header injection vulnerability. An attacker with non-administrative privileges on vCenter, who has permission to create scheduled tasks, may be able to...

CVSS: 8.5 | AI score: 6.9 | EPSS: 0.00083
Exploits: 0 | References: 16

CVE
added 2025/09/26 8:2 p.m. | 14 views

CVE-2025-11040

CVE-2025-11040 affects code-projects Hostel Management System 1.0. The vulnerability is a SQL injection in the file /justines/admin/mod_users/index.php?view=view, caused by unsafely manipulating the parameter ID. It is exploitable remotely and an exploit is publicly available. Multiple connected ...

CVSS: 9.8 | AI score: 6.8 | EPSS: 0.0006
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2025/09/23 8:26 p.m. | 3 views

CVE-2025-59826 FlagForgeCTF Vulnerable to Unauthorized Problem Creation

Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges, potentially introducing malicious, incorrect, or misleading content. This issue has been patched in version 2.2.0...

CVSS: 7.6 | AI score: 7 | EPSS: 0.0007
Exploits: 0 | References: 3

CVE
added 2025/09/23 6:0 a.m. | 9 views

CVE-2025-8282

CVE-2025-8282 affects the SureForms WordPress plugin prior to 1.9.1. The issue is an input sanitization/escaping flaw in parameters output on pages, enabling stored Cross‑Site Scripting (XSS) for admin and higher-privilege users. Impact is admin users could inject malicious scripts into pages ren...

CVSS: 3.5 | AI score: 5.6 | EPSS: 0.00035
Exploits: 0 | References: 1

Cvelist
added 2025/09/23 6:0 a.m. | 8 views

CVE-2025-8282 SureForms < 1.9.1 - Admin+ Stored XSS

The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputting them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks...

EPSS: 0.00035
Exploits: 0 | References: 1

Positive Technologies
added 2025/09/23 12:0 a.m. | 4 views

PT-2025-39216

Name of the Vulnerable Software and Affected Versions: Flag Forge versions prior to 2.2.0. Description: Flag Forge is a Capture The Flag (CTF) platform. Non-admin users are able to create arbitrary challenges, which could lead to the introduction of malicious, incorrect, or misleading content...

CVSS: 7.6 | AI score: 6.7 | EPSS: 0.0007
Exploits: 0 | References: 7

Veracode
added 2025/09/22 7:8 a.m. | 4 views

Sensitive Information Disclosure

Liferay Portal is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper tenant isolation because admin users of a virtual instance can add pages outside the default instance, allowing tenants to enumerate all other tenants...

CVSS: 6.7 | AI score: 6.9 | EPSS: 0.0006
Exploits: 0 | References: 6 | Affected Software: 1

Vulnrichment
added 2025/09/22 12:0 a.m. | 2 views

CVE-2025-43953

In 2wcom IP-4c 2.16, the web interface allows admin and manager users to execute arbitrary code as root via a ping or traceroute field on the TCP/IP screen...

AI score: 7.4 | EPSS: 0.00181
Exploits: 0 | References: 2

NVD
added 2025/09/19 8:15 p.m. | 13 views

CVE-2025-9079

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory...

CVSS: 8 | EPSS: 0.00076
Exploits: 0 | References: 1

Cvelist
added 2025/09/18 7:11 p.m. | 8 views

CVE-2025-10650 Improper SSH Key Handling in Internal Debug Builds May Grant Cluster-Level Access to Non-Administrative Users

SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 a...

CVSS: 1.8 | EPSS: 0.00019
Exploits: 0 | References: 1

Vulnrichment
added 2025/09/18 7:11 p.m. | 2 views

CVE-2025-10650 Improper SSH Key Handling in Internal Debug Builds May Grant Cluster-Level Access to Non-Administrative Users

SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 a...

CVSS: 1.8 | AI score: 5.5 | EPSS: 0.00019
Exploits: 0 | References: 1

OSV
added 2025/09/17 9:15 p.m. | 1 views

CVE-2025-10616

A security flaw has been discovered in itsourcecode E-Commerce Website 1.0. Affected is an unknown function of the file /admin/users.php. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited...

CVSS: 8.8 | AI score: 5.5 | EPSS: 0.00096
Exploits: 1 | References: 5

NVD
added 2025/09/17 9:15 p.m. | 2 views

CVE-2025-10616

A security flaw has been discovered in itsourcecode E-Commerce Website 1.0. Affected is an unknown function of the file /admin/users.php. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited...

CVSS: 8.8 | EPSS: 0.00096
Exploits: 1 | References: 5

Cvelist
added 2025/09/17 8:32 p.m. | 9 views

CVE-2025-10616 itsourcecode E-Commerce Website users.php unrestricted upload

A security flaw has been discovered in itsourcecode E-Commerce Website 1.0. Affected is an unknown function of the file /admin/users.php. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited...

CVSS: 6.5 | EPSS: 0.00096
Exploits: 1 | References: 5

Positive Technologies
added 2025/09/17 12:0 a.m. | 3 views

PT-2025-38275

Name of the Vulnerable Software and Affected Versions: itsourcecode E-Commerce Website version 1.0. Description: A security flaw has been discovered that allows for unrestricted upload. The issue affects an unknown function within the /admin/users.php file and can be exploited remotely. The exploi...

CVSS: 6.5 | AI score: 6.2 | EPSS: 0.00096
Exploits: 1 | References: 7

Tenable Nessus
added 2025/09/10 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2018-5690

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00163
Exploits: 0 | References: 2

OSV
added 2025/09/09 9:31 a.m. | 2 views

GHSA-XRCQ-533Q-8RXW TYPO3 Bookmark Toolbar vulnerable to denial of service

An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar...

CVSS: 5.1 | AI score: 6.9 | EPSS: 0.00035
Exploits: 0 | References: 4

Cvelist
added 2025/09/09 6:0 a.m. | 5 views

CVE-2025-9111 WPBOT < 7.1.0 - Admin+ Stored XSS

The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...

EPSS: 0.00082
Exploits: 1 | References: 1

CVE
added 2025/09/09 6:0 a.m. | 12 views

CVE-2025-9111

The CVE-2025-9111 entry applies to the WordPress plugin “AI ChatBot for WordPress” (WPBOT) versions before 7.1.0. The issue is a failure to sufficiently sanitise and escape some settings, which could allow stored XSS by high-privilege users (e.g., admins), even when unfiltered_html is disallowed ...

CVSS: 3.5 | AI score: 4.9 | EPSS: 0.00082
Exploits: 1 | References: 1 | Affected Software: 1