CVE List - 2025 / December
Showing 2501 - 2600 of 3706 CVEs for December 2025 (Page 26 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-14607 | 2025-12-13 | OFFIS DCMTK dcmdata dcbytstr.cc makeDicomByteString memory corruption |
| CVE-2025-14617 | 2025-12-13 | Jehovahs Witnesses JW Library App org.jw.jwlibrary.mobile.activity.SiloContainer path traversal |
| CVE-2025-14619 | 2025-12-13 | code-projects Student File Management System login_query.php sql injection |
| CVE-2025-14620 | 2025-12-13 | code-projects Student File Management System login_query.php sql injection |
| CVE-2025-14621 | 2025-12-13 | code-projects Student File Management System update_user.php sql injection |
| CVE-2025-14622 | 2025-12-13 | code-projects Student File Management System save_user.php sql injection |
| CVE-2025-14623 | 2025-12-13 | code-projects Student File Management System update_student.php sql injection |
| CVE-2025-14636 | 2025-12-13 | Tenda AX9 httpd image_check weak hash |
| CVE-2025-14637 | 2025-12-13 | itsourcecode Online Pet Shop Management System addcnp.php sql injection |
| CVE-2025-14638 | 2025-12-14 | itsourcecode Online Pet Shop Management System update_cnp.php sql injection |
| CVE-2025-14639 | 2025-12-14 | itsourcecode Student Management System uprec.php sql injection |
| CVE-2025-14640 | 2025-12-14 | code-projects Student File Management System save_student.php sql injection |
| CVE-2025-14641 | 2025-12-14 | code-projects Computer Laboratory System admin_pic.php unrestricted upload |
| CVE-2025-14642 | 2025-12-14 | code-projects Computer Laboratory System technical_staff_pic.php unrestricted upload |
| CVE-2025-14643 | 2025-12-14 | code-projects Simple Attendance Record System check.php sql injection |
| CVE-2025-14644 | 2025-12-14 | itsourcecode Student Management System update_subject.php sql injection |
| CVE-2025-67896 | 2025-12-14 | Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation. |
| CVE-2025-13126 | 2025-12-14 | wpForo Forum <= 2.4.12 - Unauthenticated SQL Injection |
| CVE-2025-67897 | 2025-12-14 | In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a... |
| CVE-2025-12537 | 2025-12-14 | Addon Elements for Elementor <= 1.14.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-14645 | 2025-12-14 | code-projects Student File Management System delete_user.php sql injection |
| CVE-2025-12696 | 2025-12-14 | HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset |
| CVE-2025-14646 | 2025-12-14 | code-projects Student File Management System delete_student.php sql injection |
| CVE-2025-14647 | 2025-12-14 | code-projects Computer Book Store admin_delete.php sql injection |
| CVE-2025-14648 | 2025-12-14 | DedeBIZ catalog_add.php command injection |
| CVE-2025-14649 | 2025-12-14 | itsourcecode Online Cake Ordering System supplier.php sql injection |
| CVE-2025-14650 | 2025-12-14 | itsourcecode Online Cake Ordering System product.php sql injection |
| CVE-2025-14651 | 2025-12-14 | MartialBE one-hub docker-compose.yml hard-coded key |
| CVE-2025-14652 | 2025-12-14 | itsourcecode Online Cake Ordering System admindetail.php sql injection |
| CVE-2025-14653 | 2025-12-14 | itsourcecode Student Management System addrecord.php sql injection |
| CVE-2025-14654 | 2025-12-14 | Tenda AC20 httpd setPptpUserList formSetPPTPUserList stack-based overflow |
| CVE-2025-14655 | 2025-12-14 | Tenda AC20 httpd SetSysAutoRebbotCfg formSetRebootTimer stack-based overflow |
| CVE-2025-14656 | 2025-12-14 | Tenda AC20 openSchedWifi httpd buffer overflow |
| CVE-2025-14659 | 2025-12-14 | D-Link DIR-860LB1/DIR-868LB1 DHCP command injection |
| CVE-2025-14660 | 2025-12-14 | DecoCMS Mesh Workspace Domain api.ts createTool access control |
| CVE-2025-14661 | 2025-12-14 | itsourcecode Student Management System advisers.php sql injection |
| CVE-2025-14662 | 2025-12-14 | code-projects Student File Management System Update User update_user.php cross site scripting |
| CVE-2025-14663 | 2025-12-14 | code-projects Student File Management System update_student.php cross site scripting |
| CVE-2025-14664 | 2025-12-14 | Campcodes Supplier Management System view_unit.php sql injection |
| CVE-2025-14665 | 2025-12-14 | Tenda WH450 HTTP Request DhcpListClient stack-based overflow |
| CVE-2025-14666 | 2025-12-14 | itsourcecode COVID Tracking System page sql injection |
| CVE-2025-14667 | 2025-12-14 | itsourcecode COVID Tracking System page sql injection |
| CVE-2025-14668 | 2025-12-14 | campcodes Advanced Online Examination System loginExe.php sql injection |
| CVE-2025-14672 | 2025-12-14 | gmg137 snap7-rs s7_micro_client.cpp opWriteArea heap-based overflow |
| CVE-2025-14673 | 2025-12-14 | gmg137 snap7-rs client.rs as_ct_write heap-based overflow |
| CVE-2025-14674 | 2025-12-14 | aizuda snail-job QLExpressEngine.java QLExpressEngine.doEval injection |
| CVE-2025-13281 | 2025-12-14 | Portworx Half-Blind SSRF in kube-controller-manager |
| CVE-2025-67898 | 2025-12-14 | MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827. |
| CVE-2025-67899 | 2025-12-14 | uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas. |
| CVE-2025-67900 | 2025-12-14 | NXLog Agent before 6.11 can load a file specified by the OPENSSL_CONF environment variable. |
| CVE-2025-14691 | 2025-12-14 | Mayan EDMS authentication cross site scripting |
| CVE-2025-14692 | 2025-12-14 | Mayan EDMS authentication redirect |
| CVE-2025-67901 | 2025-12-14 | openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data,... |
| CVE-2023-36337 | 2025-12-15 | A reflected cross-site scripting (XSS) vulnerability in the component /index.php/cuzh4 of PHP Inventory Management System 1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2023-36338 | 2025-12-15 | Inventory Management System 1 was discovered to contain a SQL injection vulnerability. |
| CVE-2023-38913 | 2025-12-15 | SQL injection vulnerability in anirbandutta9 NEWS-BUZZ v.1.0 allows a remote attacker to execute arbitrary code via a crafted script. |
| CVE-2024-44598 | 2025-12-15 | FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. |
| CVE-2024-44599 | 2025-12-15 | FNT Command 13.4.0 is vulnerable to Directory Traversal. |
| CVE-2025-51962 | 2025-12-15 | A HTML Injection vulnerability in the comment section of the project page in MicroStudio 24.01.29 allows remote attackers to inject arbitrary web script or HTML via the text parameter of... |
| CVE-2025-55703 | 2025-12-15 | An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays without proper input validation. This... |
| CVE-2025-55893 | 2025-12-15 | TOTOLINK N200RE V9.3.5u.6437_B20230519 is vulnerable to command Injection in setOpModeCfg via hostName. |
| CVE-2025-55895 | 2025-12-15 | TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote). |
| CVE-2025-55901 | 2025-12-15 | TOTOLINK A3300R V17.0.0cu.596_B20250515 is vulnerable to command injection in the function NTPSyncWithHost via the host_time parameter. |
| CVE-2025-60786 | 2025-12-15 | A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file. |
| CVE-2025-65176 | 2025-12-15 | An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a "STATUS_LOGON_FAILURE" error, the... |
| CVE-2025-65213 | 2025-12-15 | MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An... |
| CVE-2025-65430 | 2025-12-15 | An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect.... |
| CVE-2025-65431 | 2025-12-15 | An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore... |
| CVE-2025-65742 | 2025-12-15 | An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via a crafted API request. |
| CVE-2025-65778 | 2025-12-15 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution... |
| CVE-2025-65779 | 2025-12-15 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true... |
| CVE-2025-65780 | 2025-12-15 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields),... |
| CVE-2025-65781 | 2025-12-15 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId... |
| CVE-2025-65782 | 2025-12-15 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially... |
| CVE-2025-65835 | 2025-12-15 | The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without checking for null. If a... |
| CVE-2025-66434 | 2025-12-15 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc).... |
| CVE-2025-66435 | 2025-12-15 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc).... |
| CVE-2025-66436 | 2025-12-15 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc).... |
| CVE-2025-66437 | 2025-12-15 | An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict... |
| CVE-2025-66438 | 2025-12-15 | A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a... |
| CVE-2025-66439 | 2025-12-15 | An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext.accounts.doctype.payment_entry.payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by... |
| CVE-2025-66440 | 2025-12-15 | An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by... |
| CVE-2025-66843 | 2025-12-15 | grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads... |
| CVE-2025-66844 | 2025-12-15 | In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to... |
| CVE-2025-66963 | 2025-12-15 | An issue in Hitron HI3120 v.7.2.4.5.2b1 allows a local attacker to obtain sensitive information via the Logout option in the index.html |
| CVE-2025-67809 | 2025-12-15 | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration.... |
| CVE-2025-14693 | 2025-12-15 | Ugreen DH2100+ USB symlink |
| CVE-2025-14694 | 2025-12-15 | ketr JEPaaS readAllPostil sql injection |
| CVE-2025-14695 | 2025-12-15 | SamuNatsu HaloBot Inter-plugin API index.js html_renderer dynamically-managed code resources |
| CVE-2025-14696 | 2025-12-15 | Shenzhen Sixun Software Sixun Shanghui Group Business Management System UpdatePasswordBatch password recovery |
| CVE-2025-14697 | 2025-12-15 | Shenzhen Sixun Software Sixun Shanghui Group Business Management System ExportFiles file access |
| CVE-2025-14698 | 2025-12-15 | atlaszz AI Photo Team Galleryit App gallery.photogallery.pictures.vault.album path traversal |
| CVE-2025-14699 | 2025-12-15 | Municorn FAX App biz.faxapp.app path traversal |
| CVE-2025-13740 | 2025-12-15 | Lightweight Accordion <= 1.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-67906 | 2025-12-15 | In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. |
| CVE-2025-14702 | 2025-12-15 | Smartbit CommV Smartschool App be.smartschool.mobile.SplashActivity path traversal |
| CVE-2025-14703 | 2025-12-15 | Shiguangwu sgwbox N3 POST Message fsnotify improper authentication |
| CVE-2025-14704 | 2025-12-15 | Shiguangwu sgwbox N3 API eshell path traversal |
| CVE-2025-14705 | 2025-12-15 | Shiguangwu sgwbox N3 SHARESERVER Feature command injection |
| CVE-2025-14706 | 2025-12-15 | Shiguangwu sgwbox N3 NETREBOOT http_eshell_server command injection |