Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-5627
code-projects Patient Record Management System sputum_form.php sql injection
Description: A vulnerability classified as critical was found in code-projects Patient Record Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /sputum_form.php. The manipulation of the argument itr_no leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In code-projects Patient Record Management System 1.0 wurde eine kritische Schwachstelle entdeckt. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /sputum_form.php. Dank der Manipulation des Arguments itr_no mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (5.3)

EPSS Score: 0.02%

Source: CVE
June 5th, 2025 (5 days ago)

CVE-2025-5626
Campcodes Online Teacher Record Management System edit-subjects-detail.php sql injection
Description: A vulnerability classified as critical has been found in Campcodes Online Teacher Record Management System 1.0. Affected is an unknown function of the file /admin/edit-subjects-detail.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine kritische Schwachstelle in Campcodes Online Teacher Record Management System 1.0 entdeckt. Es geht dabei um eine nicht klar definierte Funktion der Datei /admin/edit-subjects-detail.php. Durch Beeinflussen des Arguments editid mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.9)

EPSS Score: 0.03%

Source: CVE
June 5th, 2025 (5 days ago)

CVE-2025-5625
Campcodes Online Teacher Record Management System search-teacher.php sql injection
Description: A vulnerability was found in Campcodes Online Teacher Record Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /search-teacher.php. The manipulation of the argument searchteacher leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in Campcodes Online Teacher Record Management System 1.0 ausgemacht. Sie wurde als kritisch eingestuft. Es geht hierbei um eine nicht näher spezifizierte Funktion der Datei /search-teacher.php. Durch das Beeinflussen des Arguments searchteacher mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.

CVSS: HIGH (7.3)

EPSS Score: 0.03%

Source: CVE
June 5th, 2025 (5 days ago)

CVE-2025-5624
D-Link DIR-816 QoSPortSetup stack-based overflow
Description: A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been declared as critical. This vulnerability affects the function QoSPortSetup of the file /goform/QoSPortSetup. The manipulation of the argument port0_group/port0_remarker/ssid0_group/ssid0_remarker leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. In D-Link DIR-816 1.10CNB05 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Es geht um die Funktion QoSPortSetup der Datei /goform/QoSPortSetup. Durch Manipulieren des Arguments port0_group/port0_remarker/ssid0_group/ssid0_remarker mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: CRITICAL (9.3)

EPSS Score: 0.07%

Source: CVE
June 5th, 2025 (5 days ago)

CVE-2025-49466
aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part,
Description: aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part,

CVSS: MEDIUM (5.8)

EPSS Score: 0.18%

Source: CVE
June 5th, 2025 (5 days ago)

CVE-2025-49008
Atheos Improper Input Validation Vulnerability Enables RCE in Common.php
Description: Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes all arguments using `escapeshellarg()` prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system.

CVSS: CRITICAL (9.4)

EPSS Score: 0.08%

Source: CVE
June 5th, 2025 (5 days ago)

CVE-2025-48432
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape...
Description: An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

CVSS: MEDIUM (4.0)

EPSS Score: 0.05%

Source: CVE
June 5th, 2025 (5 days ago)
IBM Cloud login breaks for second time this week and Big Blue isn't saying why
Source: TheRegister
June 5th, 2025 (5 days ago)
[signxml] SignXML's signature verification with HMAC is vulnerable to a timing attack
Description: When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data. References https://github.com/XML-Security/signxml/security/advisories/GHSA-gmhf-gg8w-jw42 https://nvd.nist.gov/vuln/detail/CVE-2025-48995 https://github.com/XML-Security/signxml/commit/1b501faaacf34cf978a52dbc6915ec11e27611cd https://github.com/advisories/GHSA-gmhf-gg8w-jw42

CVSS: MEDIUM (6.9)

EPSS Score: 0.03%

Source: Github Advisory Database (PIP)
June 5th, 2025 (5 days ago)
[signxml] SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack
Description: When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the signxml.XMLVerifier.verify(expect_config=...) setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with signxml 4.0.4, specifying hmac_key causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user. References https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4 https://nvd.nist.gov/vuln/detail/CVE-2025-48994 https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600 https://github.com/advisories/GHSA-6vx8-pcwv-xhf4

CVSS: MEDIUM (6.9)

EPSS Score: 0.03%

Source: Github Advisory Database (PIP)
June 5th, 2025 (5 days ago)