Alarms sound over attacks via Microsoft NTLM vulnerability
ASUS routers with AiCloud vulnerable to auth bypass exploit
2025’s Top OSINT Tools: A Fresh Take on Open-Source Intel
Bypassing Google’s authentication to access their Internal Admin panels — Vishnu Prasad P G | by Vishnu Prasad P G | InfoSec Write-ups
Pennsylvania State Education Association Data Breach Exposes Over 500,000 Individuals - Security Spotlight
This Week In Cybersecurity: 14th April to 18th April - Security Spotlight
FBI: Scammers pose as FBI IC3 employees to 'help' recover lost funds
Interlock ransomware gang pushes fake IT tools in ClickFix attacks
ASUS warns of critical auth bypass flaw in routers using AiCloud
OpenAI details ChatGPT-o3, o4-mini, o4-mini-high usage limits
Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States
Ahold Delhaize Data Breach Confirmed After INC Ransomware Claims Responsibility - Security Spotlight
SonicWall SMA VPN devices targeted in attacks since January
Attempted fraud totaling $4B averted by Microsoft amid escalating AI-powered scams
Nascent SheByte PhaaS platform gains traction, report finds
7 Steps to Take After a Credential-Based Cyberattack
Chinese hackers target Russian govt with upgraded RAT malware
Cisco Webex bug lets hackers gain code execution via meeting links
Attacks involving old SonicWall SMA100 vulnerability underway
ClickFix increasingly utilized in state-backed malware attacks
Updated attack arsenal flaunted by Mustang Panda
Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
The Zoom attack you didn't see coming
How the HackersTent Team Recovered $3M Stolen Cryptocurrency
Entertainment venue management firm Legends International disclosed a data breach
U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog
Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
Midnight Blizzard Targets European Diplomats with Wine Tasting Lure
[Webinar] AI Is Already Inside Your SaaS Stack — Learn How to Prevent the Next Silent Breach
TryHackMe: Pickle Rick Walkthrough | by Akash Falaskar | Apr, 2025 | InfoSec Write-ups
WAF Bypass Masterclass: Using SQLMap with Proxychains and Tamper Scripts Against Cloudflare & ModSecurity | by coffinxp | Apr, 2025 | InfoSec Write-ups
Automating GraphQL Bug Bounty Hunting with GrapeQL | by Aleksa Zatezalo | Apr, 2025 | InfoSec Write-ups
🔥 Burp Suite Beyond Basics: Hidden Features That Save Time and Find More Bugs | by Abhijeet Kumawat | Apr, 2025 | InfoSec Write-ups
Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT
PKWARE Quantum Readiness Assessment secures data from quantum computing threats
CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
The UK’s phone theft crisis is a wake-up call for digital security
Widely available AI tools signal new era of malicious bot activity
When ransomware strikes, what’s your move?
Securing digital products under the Cyber Resilience Act
New infosec products of the week: April 18, 2025
Entertainment services giant Legends International discloses data breach
Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
Moving CVEs past one-nation control
CISA Urges Action on Potential Oracle Cloud Credential Compromise
Windows NTLM hash leak flaw exploited in phishing attacks on governments
Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
Chrome extensions with 6 million installs have hidden tracking code
Care what you share
Jira Down, Atlassian Users Face Widespread Service Disruption - Security Spotlight
Over 16,000 Fortinet Devices Compromised via Symlink Backdoor Exploit - Security Spotlight
UK Law Firm Fined £60,000 Over Ransomware Data Breach That Exposed Sensitive Case Files - Security Spotlight
Qrator Labs Reports Mitigating Year’s Largest DDoS Attack to Date
Mustang Panda Targets Myanmar With StarProxy, EDR Bypass, and TONESHELL Updates
Mass Ransomware Campaign Hits S3 Buckets Using Stolen AWS Keys
Unlocking the Power of MetaTrader - Your Ultimate Trading Tool
Ahold Delhaize confirms data theft after INC ransomware claims attack
NTLM Hash Exploit Targets Poland and Romania Days After Patch
Senators Urge Cyber-Threat Sharing Law Extension Before Deadline
Microsoft: Office 2016 and Office 2019 reach end of support in October
CTM360 Tracks Global Surge in SMS-Based Reward and Toll Scams
How CISOs Can Survive and Thrive in a Complex Cyber Landscape
AI-based Gamma platform harnessed in multi-stage phishing intrusion
China-linked BRICKSTORM backdoor involved in Europe-targeted cyberespionage
Novel BPFDoor backdoor component facilitates covert attacks
Node.js malvertising campaign targets crypto users
SafeLine Bot Management: Self-hosted alternative to Cloudflare
Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
New Windows Server emergency updates fix container launch issue
CISA warns of increased breach risks following Oracle Cloud leak
Apple released emergency updates for actively exploited flaws
Artificial Intelligence – What's all the fuss?
State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
Blockchain Offers Security Benefits – But Don't Neglect Your Passwords
Unmasking the new XorDDoS controller and infrastructure
U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers
Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution
Cyber threats against energy sector surge as global tensions mount
Gurucul introduces self-driving SIEM powered by AI enhancements
Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201)
CISA tags SonicWall VPN flaw as actively exploited in attacks
Elevating Cybersecurity: A CISO's Guide to Influencing Leadership and Driving Business Resilience
CISA Throws Lifeline to CVE Program with Contract Extension
Identity Attacks Now Comprise a Third of Intrusions
Microsoft Thwarts $4bn in Fraud Attempts
Network Edge Devices the Biggest Entry Point for Attacks on SMBs
šŸ•µļøā€ā™‚ļøšŸ’» ā€œI Didn’t Plan to Find a P1… But My Script Had Other Plans šŸ§ šŸ’£ā€ | by Lord Heaven | Apr, 2025 | InfoSec Write-ups
šŸ“ā€ā˜ ļøThe Ultimate Subdomain Enumeration Guide: Tools, Tricks, and Hidden Secrets | by Abhijeet Kumawat | Apr, 2025 | InfoSec Write-ups
Rise of the Zombie Process: How the Dead Can Still Haunt Your System | by Anmol Singh Yadav | Apr, 2025 | InfoSec Write-ups
Secret tricks to get hidden information in Bug Bounty | by Mr Horbio | Apr, 2025 | InfoSec Write-ups
Ebryx LLMSec protects LLMs and autonomous AI agents in production environments
Symbiotic Security v1 empowers developers to write secure code
ICO Issues Merseyside-Based Law Firm £60,000 Fine After Cyber-Attack
You Need to Get on Hack the Box Academy | by grepStrength | InfoSec Write-ups
CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices
Microsoft vulnerabilities: What's improved, what's at risk
When AI agents go rogue, the fallout hits the enterprise
Inside PlugValley: How this AI vishing-as-a-service group operates
Review: Hands-On Industrial Internet of Things
Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks
4chan Offline After Cyberattack: Hackers Claim Full Admin Access and Leak Internal Data - Security Spotlight
Endue Software Data Breach Exposes Health Information of Over 118,000 Patients Across U.S. Infusion Centers - Security Spotlight
Landmark Admin Data Breach: 1.6 Million Affected Individuals - Security Spotlight
MedEx Ambulance Data Breach: 118,000 Patient Records Exposed - Security Spotlight
Interlock ransomware evolves tactics with ClickFix, infostealers
Over 16,000 Fortinet devices compromised with symlink backdoor
CISA's 11-Month Extension Ensures Continuity of MITRE's CVE Program
Apple fixes two zero-days exploited in targeted iPhone attacks
Google blocked over 5 billion ads in 2024 amid rise in AI-powered scams
Experts Uncover Four New Privilege Escalation Flaws in Windows Task Scheduler
CVE Program Stays Online as CISA Backs Temporary MITRE Extension
Hertz Data Breach Exposes Customer Information in Cleo Zero-Day Attack
BidenCash Market Dumps 1 Million Stolen Credit Cards on Russian Forum
Jira Down: Atlassian users experiencing degraded performance
Google begins unifying search country domains to Google.com
BreachForums purportedly disrupted by pro-Palestinian hackers
Credential theft achieved by malicious MEXC order-hijacking PyPI package
Infostealer deployed via bogus PDFCandy converter
Google Blocked 5.1B Harmful Ads and Suspended 39.2M Advertiser Accounts in 2024
SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions
Hertz Confirms Data Breach After Hackers Stole Customer PII
Cozy Bear targets EU diplomats with wine-tasting invites (again)
Cyware strengthens threat intelligence management
Entrust Cryptographic Security Platform provides visibility into cryptographic risk posture
41% of Attacks Bypass Defenses: Adversarial Exposure Validation Fixes That
CISA extends funding to ensure 'no lapse in critical CVE services'
92% of Mobile Apps Found to Use Insecure Cryptographic Methods
Chinese Hackers Exploit Backdoor to Spy on European Businesses
Vulnerability Roundup - Cisco Talos Blog
Eclipse and STMicroelectronics vulnerabilities
From Third-Party Vendors to U.S. Tariffs: The New Cyber Risks Facing Supply Chains
New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks
Gamma AI Platform Abused in Phishing Chain to Spoof Microsoft SharePoint Logins
Product Walkthrough: A Look Inside Wing Security's Layered SaaS Identity Defense
Funding uncertainty may spell the end of MITRE's CVE program
Microsoft: Some devices offered Windows 11 upgrades despite Intune blocks
Microsoft warns of blue screen crashes caused by April updates
Chaos Reigns as MITRE Set to Cease CVE and CWE Operations
Scalper Bots Enabling DVSA Driving Test Black Market
Sophos Annual Threat Report appendix: Most frequently encountered malware and abused software
The Sophos Annual Threat Report: Cybercrime on Main Street 2025
Government contractor Conduent disclosed a data breach
Cyber Threats Against Energy Sector Surge as Global Tensions Mount
MITRE warns that funding for critical CVE program expires today
Closing the Browser Security Gap: Defending Against Modern Web-Based T
Cybersecurity Employment: Making Sense of Conflicting Messaging
Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
Cato Networks unveils GenAI security controls for Cato CASB
NEC Identity Cloud Service simplifies identity verification
šŸ–„ļø Mr. Robot CTF Walkthrough | TryHackMe | by Akash Falaskar | Apr, 2025 | InfoSec Write-ups
Best Cybersecurity Certifications for Beginners and Experts in 2025 | by Aleksei Aleinikov | Apr, 2025 | InfoSec Write-ups
How I hacked into Delhi University Admin Dashboard : A case study | by ARoy | Apr, 2025 | InfoSec Write-ups
“Sysmon Unleashed: Tracking and Tackling Malicious Activity on Windows” | by Aashish Baweja | Apr, 2025 | InfoSec Write-ups
U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert
Strategic AI readiness for cybersecurity: From hype to reality
Attack Flow: Learn how cyber adversaries combine and sequence offensive techniques
Browser extensions make nearly every employee a potential attack vector
When companies merge, so do their cyber threats
The future of authentication: Why passwordless is the way forward
Ransomware Negotiations: Mastering an Attacker’s Mindset
Best Crypto Tax Software in 2025: A Comprehensive Guide
When Your Friend Thinks You Are a Real Hacker | by Vijay Kumar Gupta | Mar, 2025 | Medium
Bye-bye Three-way Handshake, and Hello to 0-RTT | by Prof Bill Buchanan OBE FRSE | Apr, 2025 | Medium
Recall Is Back: The “Dumbest AI” That Will Track Everything You Do! | by Prof Bill Buchanan OBE FRSE | Apr, 2025 | Medium
The Three Protocols That Could Bring Down The Internet (And Life as We Know It): DNS, PKI and BGP | by Prof Bill Buchanan OBE FRSE | Apr, 2025 | Medium
Two Months Undetected: A BEC Scheme Lurking in Plain Sight | by Katlyn Gallo | Dark Roast Security | Apr, 2025 | Medium
Navigating Security Risks in LLM-Driven Multi-Agent Systems: A Developer’s Guide | by Shuai Guo, PhD | Data Science Collective | Apr, 2025 | Medium
Is Your LLM Application Safe?. 10 Must know Techniques to Safeguard… | by Vivedha Elango | Apr, 2025 | Generative AI
Covert Channel Chronicles: The RAMBO Attack | by z3r0trust | Radio Hackers | Mar, 2025 | Medium
GitHub - b3rito/b3acon: b3acon - a mail-based C2 that communicates via an in-memory C# IMAP client dynamically compiled in memory using PowerShell.
b3acon
CVE-2025-25364: Speedify VPN MacOS privilege Escalation
How Fraudsters Swindle Community College Financial Aid | Voice of San Diego
The Zoom attack you didn't see coming - Help Net Security
Global Telecom Networks Host Hidden Chinese Surveillance Nodes
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation | Cleafy
Implement Auto-Delete Clipboard History to Prevent... - Samsung Community - 3200743
Cross-Site WebSocket Hijacking Exploitation in 2025 - Include Security Research Blog
Understanding the X-Forwarded-For HTTP Header | DevSec Blog
Everyone knows your location, Part 2: try it yourself and share the results
Computer Networking Basics Every Business Owner Must Know for Cybersecurity
Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054) - Help Net Security
‘Hello Pervert’ Style Email Spoofing Used in Sextortion Scams - TechNadu
AWS Security Changes - Track Documentation & Security Updates
Open Source SCA
GitHub - gh0st359/xserum: XSerum is a powerful web attack payload generator designed for red teamers, ethical hackers, and researchers. It supports a wide range of attack types including XSS, CSRF, HTML Injection, CSP Bypass, and more — with advanced obfu
Krebs Organizational Announcement | Chris Krebs | 75 comments
No burner phones for Swiss diplomats on US visits - SWI swissinfo.ch
Analysis of 5000+ Malicious Open Source Packages — Safe and Trusted OSS
CVE Board Launches the CVE Foundation After U.S. Funding Expires; CISA Announces Renewed Funding Contract for MITRE-Backed Program - TechNadu
How dare you trust the user agent for bot detection?
@metacurity.com on Bluesky
MITRE CVE program handed last minute reprieve amid funding lapse concerns | IT Pro
CVE Foundation
Security Checklist for Vibe Coded Apps
GitHub - aliasrobotics/cai: Cybersecurity AI (CAI), an open Bug Bounty-ready Artificial Intelligence
SAP Emarsys SDK for Android Sensitive Data Leak (CVE-2023-6542) | RCE Security
Project cannot be built, half the repo is missing. Open source, but not really? · Issue #784 · strongbox-password-safe/Strongbox · GitHub
OH-MY-DC: OIDC Misconfigurations in CI/CD
MITRE CVE Updates to Stop After U.S. Funding Expires - TechNadu
Funding Expires for Key Cyber Vulnerability Database – Krebs on Security
Mint stablecoins using the Capital One API. Proof of concept.
Insecure Api Web Application for triggering SAST scan on Static Application Security Testing.
aws_sb3security_v4
Minerva Proof of Concept with Spring Boot 3 and AI-MC-Server
security-testing-github
"Open-source toolkit (Python Library, Registry API, CLI) for secure, decentralized AI agent interoperability using A2A/MCP."
A concept for image bank for healthcare purposes. This application serves as proof of concept with primary focus on healthcare and serving images for model training
⚔ Windows RAM & Performance Optimizer | Clean, Kill, Boost
Proof-of-concept
The Indian Document Extractor is a serverless, event-driven document processing system powered by AWS services. This proof of concept showcases how to build an intelligent pipeline that can extract, process, and analyze information from uploaded Indian do
hack night @ github
This repository is intended for small Proof of Concepts (POCs) and quick tryouts. It serves as a sandbox for experimenting with various features, libraries, and ideas in a React + TypeScript environment.
A simple HTML site to host our AI chatbot for haq security
ONVIF PTZ Control Script A command line tool for controlling PTZ cameras via ONVIF (including WS-Security Digest).
allograft_proof_of_concept
HeckerPwnapple A cybersecurity toolkit blending meme culture with ethical hacking. Designed for network auditing and vulnerability testing, it emphasizes modular workflows and collaboration. For authorized use only—misuse may violate policies or laws .
-Microcontroller-Based-Fingerprint-Authentication-System-for-Enhanced-Security
proof of concept
This is for advanced security log monitoring
[Proof of Concept] - Engaging Networks standalone component that creates a customizable One-Click Donation UX on "Thank You" pages
Proof of concept attack chain for SSRF to Redis RCE on a vulnerable Laravel PHP app.
Send files with HDMI (Proof of Concept)
Pre-emptive Genetic Disease Screening [HOF HACKS]
Proof of Concept for working with Bible Annotations
A proof of concept tool to hopefully help generate 2D animations/spritesheets
Field-tested DevSecOps notes, security hardening guides, and cloud-native security practices - straight from real-world experience
Proof of concept for updating Android widgets more frequently than the default interval.
Combined Hack Pack 001 and 002 to create a Tank!
Proof of concept for agent AI customer service representative bot.
True Tech Hack 2025 hackathon
A Python toolkit providing security checks for domains, URLs, IPs, and more. Integrate easily into any Python application, use via terminal CLI, or run as an MCP server to enrich LLM context with real-time threat insights.
caddy-security
security2025.github.io
A dinky little budget app for the niche way I want to budget. This is just a proof of concept for a future Android app.
Capstone project for building a GenAI-driven Security Assistant using LangGraph, Gemini, and SerpAPI.
Early proof-of-concept validating the packaging and direct loading of pre-quantized LLM weights. Forms the foundation for the AiBiter format, aiming to streamline efficient deployment of compressed language models.
JWT-security-with-spring-boot
BusPwn V1.0 is a powerful Modbus hacking framework designed for testing and exploiting vulnerabilities in Modbus-based systems commonly found in Industrial Control Systems (ICS) and Operational Technology (OT).
spring-security-jwt
Main repo containing small proof of concept projects
yet another hacker conference badge
OAuth server by spring security
An internet monitor tool for cyber-security.
An AI-powered proof-of-concept for an e-commerce product recommendation and semantic search system. Built with Kotlin, Spring Boot 3, Spring AI, Ollama (local LLM), ChromaDB (vector store), and an AnalogJS frontend.
Professional FiveM Developer & UI/UX Designer - Creator of ESX & QBCore solutions, security tools, and gaming interfaces.
OracleSecurity
Free Valorant trigger bot 2025 with ESP and aimbot. Download advanced hacks now!
A Bash utility that automatically discovers all site users in your CloudPanel installation and jails each one into a JailKit‑powered chroot environment—preserving SSH/SFTP access while enforcing per‑site isolation for enhanced security.
DomainThreatScanner is a Python-based tool that allows users to input multiple domain names and retrieve threat intelligence data using the VirusTotal API. It generates professional PDF reports summarizing the security status of each domain, helping secur
Learning GitHub Advanced security
Place for source code and proof of concepts discussed on pampuna.nl
A personal website and portfolio highlighting my journey in cybersecurity, ethical hacking, and web development, featuring my projects, skills, and achievements.
Proof of concept that shows how to configure Zabbix to monitor successful startup of an application.
Project of Hack Hazards
Proof‑of‑concept Windows IPC speed benchmark using custom exceptions and the Debugging API.
h4ck for Fortnite provides powerful tools to elevate your gameplay. With features like aimbots, wallhacks, and resource generators, you can gain an edge over your opponents. Designed for both casual and competitive players, this hack enhances your Fortnit
Build a basic proof-of-concept pipeline that uses raw voice data samples to detect cognitive stress or decline indicators using NLP + audio feature extraction.
This repository contains the project on analyzing attitudes towards biometric authentication for online security. It includes data collected via a Google Form and analysis of user perceptions regarding biometric security methods.
hacking
spring-boot-3-jwt-security
Proof-of-concept screenshot cache using Puppeteer and file-based locking
security-scanner
Work in progress, highly proof of concept lobby password cracker for the game "Bean Battles" on steam.
This Repo is a set of PoC (Proof Of Concepts) of a Variety of CTF that i do.
A comprehensive security checklist for MCP-based AI tools. Built by SlowMist to safeguard LLM plugin ecosystems.
Powerful cheat panel for Genshin Impact that combines essential hacks like Auto-Farm, ESP, and GodMode in one sleek interface.
Hands-on cybersecurity portfolio featuring TryHackMe labs, ethical hacking practice, and self-guided Kali Linux projects. Focused on penetration testing, Linux fundamentals, and offensive security skills.
This project documents my work completing a hands-on lab focused on securing enterprise infrastructures using encrypted VPN communication, user authentication, and secure firewall configuration. It forms part of my ongoing journey to become a Linux System
Hacking-Tool
A network security using Artificial Intelligence and Quantum Concepts simulations
ANDROID SECURITY APP
Event Manager Application using Spring Boot, Spring Security and Javascript
Refresh a Hacker News [HN] page and highlight new comments since the last visit.
ComputerSecurityProj
Powerful and fully customizable mod menu for Zenless Zone Zero with game-breaking tweaks, visual hacks, and fast toggles for total control.
The software tool supports the application of the so-called Method for Enhancing User Experience and Information Security (MEUSec for short). It allows the user experience and information security of wallets to be evaluated.
This project demonstrates how to deploy an ASP.NET MVC application with the Contrast Security .NET Framework agent in a Windows Docker container on AWS Elastic Container Service (ECS).
opensearch-security-monitoring-demo
Security-Report-Extracting-Plateform
Proof of concept for ingesting novel sized stories into a vector/graph RAG hybrid for analysis and interaction.
Little Proof of Concept Projects
CTF for Network Security
CASPIRA: A multimodal AI framework for cardiovascular disease prediction, integrating clinical data and cardiac imaging. A proof-of-concept project open to future enhancements and collaboration.
Proof-of-Concept project using ConnectRPC client on Cloudflare Workers
A streamlined installer for Go binaries with enhanced security features
SpringBootSecuritySSO
Storage for network security teaching materials
EPITECH Cyber-Security MODULE 5 - Secure the development and production environment for an app.
Lab2.6 – Securing a Smart Contract with OpenZeppelin and Securing the ReactJs Front End
DataDroper is a simple yet powerful proof-of-concept (PoC) script that targets and exploits a known unsecured endpoint to extract sensitive data. This tool is built for demonstrating the real-world impact of poor endpoint security and misconfigurations du
A minimal proof-of-concept implementation of a "masked-diffusion" language model (inspired by LLaDA).
Extra-secure-PGP-encryption-proof-of-concept
A collection of Proof-of-Concept implementations of various anti-disassembly techniques for ARM32 and ARM64 architectures.
AI Playgrounds, a repository created to explore, experiment, and prototype Proof of Concepts (POCs) around AI tools and technologies using Python.
Guide to follow
This repository contains a proof-of-concept pipeline designed to detect early signs of cognitive decline using simulated voice samples and NLP feature analysis.
ć‚ćˆć¦č„†å¼±ćŖAIę©Ÿčƒ½ć‚’ä½œć£ć¦åÆ¾ē­–ć™ć‚‹ćƒ‡ćƒ¢
A proof-of-concept for a Google Sheets add-on that interactively generates Venn diagrams
Proof of concept for R3F4CT0R
SpringSecurity
security-specialist
LPE: BackupOperator to Domain Admin Active Directory Proof of Concept
OS detection, banner finding, port scanner
A hands-on lab built in Cisco Packet Tracer to practice VLAN configuration and switch-level security using port security and sticky MAC. This project simulates real-world scenarios like segmenting departments and blocking unauthorized devices .
High-performance cross-platform ICMP/TCP network sweep scanner written in C++ Supports full CIDR range input, ICMP ping, TCP fallback, RTT-based color output, and multithreading. Ideal for sysadmins, security pros, and network engineers.
Code submission part of Tidal Hack - Major League Hackathon[MLH] 2025
A standalone Python tool for extracting static features from various file types (PE, ELF, MachO, PDF, Scripts), primarily focused on applications in security analysis, malware research, and generating datasets for Machine Learning models.
Proof of concept agentic solver for nfuncs from DEF CON Quals 2025
A centralized collection of cybersecurity compliance documentation, frameworks, policies, and best practices for maintaining regulatory and organizational security standards.
beginner-security-tools
Proof of concept of System-Oriented Language
A collection of cybersecurity projects focused on practical skills in network security, ethical hacking, penetration testing, and security protocols. Includes detailed documentation, scripts, and real-world scenarios for hands-on learning and showcasing e
PK-Report-Proof-of-Concept
Official blog of RealSec Labs — sharing insights, walkthroughs, and research on cybersecurity, ethical hacking, red teaming, blue teaming, and cutting-edge security tools. Powered by realseclabs.com
This project is a Java-based multi-threaded simulation of blockchain block mining. It illustrates essential blockchain concepts such as proof-of-work, hashing, and concurrency. Blocks are mined concurrently using multiple threads to efficiently achieve a
Marvel Rivals Aimbot Hack 2025 - Download & Play Undetected
A Hacker News clone built using @marko/run and the Tags API.
Security Policies for ProfitFill
This repository contains the implementation and documentation of a 128-bit high-speed data encryption system based on the Advanced Encryption Standard (AES) algorithm. The project is focused on achieving optimized performance and security for data encrypt
Our project for the Hack hazards 25 hackathon
Running a proof of concept with zingg.ai to compare it to dedupe's ML matching entity resolution library
Jn-security-system
Tembo Proof of Concept
A simple proof of concept app that identifies songs via microphone input and displays guitar chords in real-time.
Hacklib v2, a simple javascript library for creating hacks on websites
Proof of concepts
A ROM Hack of Pokemon Crystal with mild edits for improved QOL
Proof-of-Concept of real-time object detection application in C++/Qt platform
A hands‑on, end‑to‑end lab that simulates an IAM environment in Microsoft Azure
A proof of concept implementation demonstrating the usage of BullMQ for handling email queues with Redis.
security_teacher
A series of proofs-of-concept for using PHP with different LLM providers including Google Vertex AI (json file auth), Google Gemini (API key auth) and AWS Bedrock
Proof-of-concept microservices system with Spring Boot, JWT authentication, Kafka, VueJS, and Docker
SLSA (Salsa) L3 Compliant Reusable Workflows
LTS scan is a lightweight and asynchronous command-line tool for scanning SSL/TLS configurations using the Qualys SSL Labs API. It supports bulk domain scanning with output in CSV or JSON formats, making it ideal for audits, compliance, and cybersecurity
This is a proof of concept of the critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords. The vulnerability has long since been fixed, so this project has ended and will not be supported or updated any
fs-common-security
A proof of concept of an overlay-based writable layer for arbitrary packages
SmarthomeSecurity-system
Proof of Concept for CVE-2020-0665, a.k.a. SID Filter Bypass.
A complete Employee Management System using Spring Boot, allowing the creation, updating, and deletion of employee data with security and authentication.
Python-based keylogger tool with GUI and security features.
Learn and hack your way through fun challenges in the Cardano ecosystem
The Project Data Analytics Community is a community of project professionals, data analysts and industry experts dedicated to improving project delivery through the power of data and analytics. As part of this community we regularly run our Project:Hack H
Proof-of-concept NIS "decompiler"/"parser" for BlackBox-era Need for Speed games.
The Hackers Music - The Ultimate Music Player!
Proof of concept AI Agent with Streamlit Chatbot
A modern, modular web interface for Asterisk PBX including M365, LDAP, security, and call center features.
encryption and decryption in cyber security
Bluetooth Denial-of-Service (DoS) attack
Dirty hack for Play Integrity
Go implementation of the Community ID flow hashing standard (topics: bro, community-id, flow-hashing, network-monitoring, network-security, network-security-monitoring, suricata, zeek)
A curated collection of cybersecurity notes and resources in PDF format, covering key modules and topics for learners and professionals
This tool is for educational and ethical hacking purposes only.
GitHubAdvancedSecurity
Through the analysis of advanced security concepts, students will learn how to develop secure code that complies with security testing protocols. In addition to exploring and implementing security concepts through code, students will also learn why and ho
I want to implement strong passwords for cyber security in the project
PowerShell scripts designed to audit the security of Apache Tomcat configurations, focusing on password storage and compliance with NIST 800-53 IA-5 and CIS Tomcat Benchmark 4.1. The scripts identify insecure configurations, such as plaintext passwords or
ansible-security-patches
Proof of concept to talk to iqube MS Display via LVDS
The ICS344 course project involves setting up and attacking a vulnerable service, analyzing the attack with a SIEM (Security Information and Event Management) platform, and proposing a defensive strategy.
A proof of concept to allow MCP enabled clients such as coding tools (vscode, cursor, claude code) to request information about your SN environment.
Wireless Systems Security final project codebase
Jupyter-book Hacks!
This tool is for educational and ethical hacking purposes only.
Documentation of notes for solving TryHackMe rooms
Target_List
Personal cybersecurity portfolio showcasing hands-on projects in offensive and defensive security.
MLI Week 1 project - training embedding models and a Hacker News article score predictor
AkshatOnSecurity
OWASP LLM Top 10: A Python 3.11 framework for detecting, testing, and reporting security vulnerabilities in large language model (LLM) applications. Features AWS integration, CI/CD with GitHub Actions, IaC, and automated prompt injection detection demos.
task 4 Cyber Security intern
A lightweight, extensible vulnerability scanner for identifying security risks in networks, systems, and web applications. Detects open ports, outdated software, and misconfigurations while generating structured reports. Ideal for security professionals a
Secured REST API with OAuth2 Instructions: Implemented OAuth2 authentication for a Spring Boot REST API. Used Spring Security and integrated with a third-party provider (GitHub).
request_security_checker
This is a POC (Proof of concept) for the upcoming M.tech final year project named Mystery of Kiradu
Proof-of-Concept for Memory Latency Gauntlet (MLG) PoW
SecurityCamera
Spacemesh PoET service reference implementation. Topics: proof-of-concept, proof-of-sequential-work, proof-of-space, proof-of-space-time
Treehacks '25 Security Cam Project
A personal portfolio of my cybersecurity and network architecture projects
Physical-Security
Proof of Concept MCP for playing TTRPGs with LLMs, DM'd by LLMs
Hacker Lab & Cyber Playground by r3conxploit | Ethical Hacking • OSINT • Red Teaming • Stego • Terminal Art
This project focuses on identifying security weaknesses in a network by performing vulnerability assessment and penetration testing on a specific IP address. Tools like Nmap, Nessus, Metasploit, and Wireshark were used for scanning, analysis, and exploita
A simple but, hopefully intuitive, To Do list - used as a proof of concept for the use of AI tools to generate a codebase
As a foundational step in my cybersecurity journey, I designed and built a home cyber lab to simulate real-world environments for learning, experimentation, and hands-on practice. The lab was created using virtual machines and open-source tools to explore
Notion Armor is a web application that uses Artificial Intelligence and Machine Learning to find SOC2 violations and remediate them in Notion workspaces for IT administrators. Notion Armor can also monitor the security posture and health of their organiza
DevSecOps pipeline for NiveFlix, a Netflix clone, utilizing Docker, Kubernetes, and CI/CD automation. Integrates security scanning tools like Trivy and Snyk to ensure a secure and scalable application environment.
SecurityResearch
This is to analyze the repository in Datadog Code Security
Security Operations Chef
Block access from specific countries, IPs, and malicious bots to improve security, performance, and control over your WordPress site.
security.github.io
proof of concept of an audio analyzer for Java Sound and a simple GUI
Nexture is a full-stack AI-powered job and career platform built to impress both recruiters and hiring managers. It intelligently matches resumes with job roles, auto-applies with approval, and includes a smart recruiter dashboard with admin tools, AI ins
java_spring_security
Code2008hacking.github.io
Proof of concept project for an outbox pattern implementation with an H2 database and Kafka message broker
A basic Contact management project to learn the ways of Spring, Spring Security and Thymeleaf.
A bash script to easily manage multiple GitHub accounts with SSH keys and GPG signing on the same machine. Perfect for developers who need to maintain separate work and personal GitHub accounts with proper security practices.
Multi-view Prohibited Item X-ray Security Image Synthetic Dataset
Generate RSA key pairs in PEM format with optional encryption and literal newline formatting for easy integration with services like AWS Secrets Manager
Security installer
NixVault is a comprehensive Linux security hardening tool designed to safeguard your system from internal vulnerabilities and external threats. Built with a focus on simplicity and power, NixVault automates best-practice configurations, manages sensitive
holbertonschool-cyber_security
Privacy-and-Security-in-Online-Social-Media
DarkConsole is a hacker-intrusion simulator written in C++ that runs directly in the terminal. Inspired by spy and science-fiction films, this project creates an immersive visual experience in which every keypress generates lines of fake code and
Wifi-hacking
jwt-security-project
Proof of concept for R.E.A.L.M.
for testing api security
crablabx-securityplus
Hands-on walkthrough of deploying a virtual server (EC2) on AWS using the console. Covers AMI selection, key pairs, security groups, and SSH access.
securityPrj
security-feed
spring-auth-security-mvc
SpringSecurityBasic
Hacking-the-electronic-diary
GCP Professional Cloud Security Engineer Exam Preparation
This project is a proof of concept for running a local-first multi-agent system using: local LLMs via Ollama; simple function/tool-call detection using <tool_call>...; the Brave Search API or an optional Brave MCP plugin server; two collaborating agents
SecurityServices
Interactive Bash script for hardening Debian/Ubuntu servers; automates configuration of SSH, Fail2ban, UFW, MSMTP and more. Beta version, feedback welcome!
HACK{O}LUTION 2025 - Hackathon Registration Platform.
NetworkSecurity
clinica-spring-security
A GenAI agent and tool registry system to securely vend scoped down JIT credentials
Reverse engineering and hacking a cheap smartwatch with a PHY6222 MCU
Just playing around with Garak AI for security testing of LLMs
Cybersecurity repository with Kali Linux commands, useful scripts, notes organized in Obsidian and resources for ethical hacking. Ideal for studying, practicing and documenting knowledge in information security.
security
A rhythm game controlled via your hand with Tensorflow. Winner of "Best Gamified Hack" for Bitcamp 2025!
MPCA project
A full-featured image sharing backend built with Node.js, TypeScript, AWS, and Redis — designed for scale, security, and real-world deployment.
PhantomRecon is a CLI-based, modular, agent-driven red team automation tool designed to demonstrate autonomous offensive security workflows powered by AI (Google's Gemini via Agent Development Kit - ADK).
Spring Security JWT implementation practice
NetworkSecurity
This is a proof-of-concept and passion project for a reconnaissance tool for subdomain enumeration. It takes inspiration and fills a similar role to others such as Amass and Subfinder.
cloud-computing-security-essentials
DataSecurity-Grupi12
PayTracker API is a personal finance tracking solution built with Java 23, Spring Boot, JWT for authentication, and PostgreSQL with Flyway for database versioning. Includes e-mail sending with JavaMailSender and task scheduling with Spring Sch
This is my final year project, called Block Sentinel, a blockchain-based security tool that aims to secure centralized databases in different systems
A security project
I have always wanted to create rom hacks. This is my first time working on it and test.nds is where we start! I have learned a lot from King of NDS hacking discord server. They are very helpful people. Everyday I learn new things. It's a great experience.
Software Projects proof-of-concept Dapp
A detailed, fictional internal security audit for Botium Toys—highlighting cybersecurity assessment, vulnerability identification, and risk mitigation recommendations as part of my portfolio.
RS-Security-dev
Building Restful API with Spring Boot, Postgres and Spring Security
This repository contains the codes I implemented to improve my understanding of the subject at hand.
Repo containing code serving as Proof of concept(Prototype) for actual work that will be done later during SOB for Project idea "Create transaction selection dashboards"
Rules and information for the game Cyber Security Adventure Quest
Web security
Estudos-CyberSecurity
CA-AMFA--Context-Aware-Adaptive-Multi-Factor-Authentication-for-IoT-Based-Household-Security-Systems
This is a comprehensive Full Stack E-Commerce Backend Application built using Spring Boot, integrating modern enterprise-level backend features like Spring Data JPA, Spring Security 6, JWT Authentication, and deployment support on AWS.
Rare Code Base is a free learning platform for hacking, programming, tools, and more.
SoLa Cybersecurity Bootcamp powered by What If Security, LLC
This is just for educational purposes; we don't want to harm anybody, it is only for educational purposes
Testing Aws security with terraform
DataSecurity_Detyra2
Data-Security
Onims.com is an agro-allied platform designed to bridge the gap between farmers and the Market (consumers), we are geared toward finding the solution to the urgent need for food security and sustainable food production by providing farmers and farms with
Project 3 for CS4440 at the University of Utah. Exploring web security and vulnerabilities.
cyber_security
CyberSecurityApp
A lightweight HTTP-SOCKS bridge enabling minreq to connect to Tor, with a proof-of-concept implementation comparing direct HTTP, SOCKS proxy, Arti integration, and HTTP-SOCKS bridging approaches.
School Management System is a digital platform that automates key tasks—such as student registration, attendance, exam scheduling, grading, fee processing, and reporting—to streamline school operations and enhance communication among educators, students,
Project-1-CI-CD-Pipeline-Security
CyberSecurity-Projects
Scripts (win/nix) to run multiple wireshark filters on a pcap
Hush Poll is a real-time polling application designed to create and manage polls with privacy and security in mind. The application allows users to create various types of polls, collect responses in real-time, and analyze results with data visualization.
Hands-on Terraform examples: Provision AWS EC2, VPC, security groups, and modules. Learn infrastructure-as-code (IaC) deployment workflows and best practices.
A Spring Boot API for managing tasks and comments with JWT authentication and PostgreSQL. Uses Spring Data JPA, Spring Security, JUnit tests with mocking, and supports paging. Docker for easy deployment. Implements role-based access (Admin, User) and prov
This tool provides a secure, GUI-based solution for identifying and managing inactive user accounts in Azure Active Directory. It combines robust security practices with an intuitive interface to help administrators maintain clean, secure directories.
Computer Systems Security Analysis – Course (Exam Q/A)
cloud-security-app
Security-image
A collection of 100+ essential skills to master ethical hacking, penetration testing, and cybersecurity. This repository is a roadmap for becoming a Super Hacker, covering everything from scripting and automation to advanced exploitation techniques.
Security Challenge. In a group, search for various means to pass root on the ISO given to you.
Hacker Fab V2 Stepper UV LED PCB
A proof-of-concept for the Gatherers-Historic project, showcasing early resource gathering mechanics.
Ethical-hacking-guide
Security-Testing---GitHub-Actions
Blockchain dev, .py scripting guru, self taught Ethical Hacker, web2/3 security researcher with 2 years experience in securing smart contracts, memecoin trader, shiller
Exam_Security
Vayo is a cutting-edge Road Transport Network Telematics platform that enhances efficiency, security, and control for fleet owners, logistics companies, and truck drivers. With advanced tracking and smart analytics, it ensures optimized routes, real-time
ImageVault API is a RESTful service for securely storing, retrieving, and managing image files. It serves as the backend API for the ImageVault app, leveraging Spring Boot, Spring Security, and JWT for robust authentication and authorization.
Om-Security-Services
PlantSense-Hack-n-Win 2.0
Check whether an IP is behind a CDN or a third party
Calgary Hacks 2025 Hackathon Winner. Fin-Track is a financial tracking app to track your spending, with an always-on display to remind you of your spending.
DitherMe creates Watch Dogs 2 DedSec-style dithered images and GIFs, replicating the iconic glitchy hacker aesthetic
Documentation of the CTF challenges
Documentation of the CTF challenges
Security_Event_logger_and_Analyzer
Cyber-Security-Zero-To-Hero
Collected notes from THM aiding in Security Operations and Tools for Incident Response Situations
Focused on the safety and security of Embodied AI
Walk-throughs for various methods to disrupt ESP32Marauder evil portals.
This Python tool is a powerful Facebook account verification tool used to check Facebook profiles and save checked accounts to .txt file.
AsyncRAT is a Remote Access Tool (RAT) designed for remote monitoring and control of computers over an encrypted connection.
Playwright proxy authentication & scraping example for Smartproxy
`vind` is a tool to create containers that look and work like virtual machines, on Docker.
Top 10 Malware detection projects focus on developing systems and techniques to identify and mitigate malicious software (malware) that can compromise the security of computer systems. Includes Source Code, PPT, Synopsis, Report, Documents, Base Research
Neural.Image_Genv3.0 is a web app with a hacker-inspired interface, powered by a reverse-engineered API.
Dominate Albion Online with our advanced external cheat! Featuring ESP, Auto-Loot, Resource Locator, Speed Hack, Players ESP, Misc Tools, and Mods, this hack gives you unmatched control. Track enemies, gather resources faster, outplay opponents, and custo
This project outlines a comprehensive approach to implementing secure OTA updates, crucial for modern vehicles that rely heavily on software for their functionality. By wirelessly updating vehicle software and firmware, OTA technology offers a seamless me
black ops 6 cheat, bo6 hack, cod bo6 cheat, call of duty bo6 hack, bo6 cheats, cheats bo6, bo6 aimbot, aimbot bo6, bo6 cheats download, cod black ops 6 hack, bo6 wallhack, hack black ops 6, cod bo6 cheats 2024, bo6 cheat pc, cheat bo6 2024, black ops 6 ha
This tool includes an HWID spoofer, customizable aimbot, character ESP, and 2D radar for enhanced gameplay. Topics: gta-5-hack gta-5-cheat gta-5-mod-menu gta-5 gta-v-mod-menu gta-v-hack gta-online-mod-menu gta-online-hack gta-online-esp gta-5-esp gta-5-aimbot gta
Basic starter project for quarkus to perform proof of concepts
Valinor-OS is a cutting-edge operating system that prioritizes user-friendly design and seamless performance for both personal and professional use. With its sleek interface and robust security features, Valinor-OS provides a modern computing experience t
SpringBootSecurityJWT
A cyber security project.
Repository compiling notes, scripts and tools for Red Team operations and ethical hacking. Provides essential resources for attack simulation and security assessment of computer systems.
ugly hacks to make some .deb files
A proof of concept app that stores the full graph network (officers, persons with significant control) of a UK company in Neo4j using the Companies House Public Data API
SecurityIncidentArchive
machiavelli.github.io
S3ntinl's Hacking Blog
We track 5 million open-source packages, exposing vulnerabilities before they get CVE numbers. Many never do.
Murderous Hack is a forum for discussing various tech-related topics.
This Node.js project features secure authentication using JWT, enabling user registration, login, and logout. It implements Role-Based Access Control (RBAC) to manage resource access based on roles like Admin, Client, and Moderator. The system ensures sca
AzureSecuritySuite is a comprehensive tool designed to enhance the security posture of your Azure environment. This suite provides automated scanning capabilities across various Azure resources, including Virtual Machines, Storage Accounts, App Services,
SecuritySoftwares-Main port for ISM
The Undocumented Public API For The Hack The Box Platform
A CLI for Kubernetes workload identity
This repository contains ROAR policies related to data privacy and information security
Implementation of the 'Hack' Computer as described in the book 'The Elements of Computing Systems'.
This WebCTRL add-on provides MFA for logins through an authenticator app or emailed security codes.
Zen protects your Java app against attacks with one line of code. Get peace of mind— at runtime.
Blog for talking about technology
Lookup ("probiv") Telegram bots and OSINT/de-anonymization services: lookups by phone number, vehicle checks by VIN/licence plate, search by photo, passport and traffic-police (GIBDD) database checks, IP, e-mail and social networks. All data on people, vehicles and counterparties in one place!
A virtual machine manager that can be run on Windows or Linux. Offers high performance, customizability, and security
ut.code(); May Festival and Komaba Festival project: "Let's Become Hackers"
Content Security Policy Report Manager. Multi-container application using Docker Compose. Work in progress.
holbertonschool-cyber_security
AWS IAM Automation Scripts using Python and boto3. Automate IAM user creation, policy management, and group operations to enhance cloud security and operational efficiency. Streamline IAM tasks with structured CSV input and Python scripts.
WASMATE, a transformative force, not only empowers developers with efficient WebAssembly runtimes for Web2.0 applications but also propels them into the decentralized future of Web3.0, unleashing a contagious wave of innovation and security in the web dev
Awesome-Jailbreak-on-LLMs is a collection of state-of-the-art, novel, exciting jailbreak methods on LLMs. It contains papers, codes, datasets, evaluations, and analyses.
Fast and easy to use CLI-based file encryption program
Cubic is a lightweight command line manager for virtual machines with focus on simplicity and security.
A collection of proof of concepts written in ruby.
Permguard is an Open Source Multi-Zone, Multi-Tenant, ZTAuth* Provider
Bypass hack cheat Respondus LockDown Browser for online exams. Key features include remote software usage, Alt+Tab window switching, and screenshot capture.
Locking Down Networks, Unlocking Confidence - Security | Networking | Privacy
A collection of tools for azure security
🧪 Proof of Concept for a RESTful API made with Node.js 22 (LTS) and Express.js 4 in TypeScript
A wireless access point orchestration framework that leverages Linux networking subsystems to create software-defined network infrastructure with captive portal authentication, NAT routing capabilities, and DHCP services directly from Android terminal env
Copies of security configurations I used for my ubuntu homelab server.
uBlock-Origin rule-set boilerplates for admins and regular users (including me)
HackingAndCyberSecurity
PHP web application for Information Security education, utilizing OpenStack for security testing practices
"Hack"-and-slash platformer game with Unix-like terminal made in Godot Engine
Matrox NMOS Advanced Streaming Architecture
🧪 Proof of Concept for a RESTful API made with Go and Gin
🧪 Proof of Concept for a Web API made with .NET 8 (LTS) and ASP.NET Core
Proof-of-concept tool for automatically building and running EPICS IOCs on TwinCAT/BSD PLCs
All-in-One Security Solution for Garry's Mod servers (Anticheat, Banbypass, VPN and more)
Find relevant incidents, logs, events, and alerts to all of your incidents.
A proof of concept domain name registrar implemented in Go which requires GPG signed change requests.
[PROOF OF CONCEPT - NOT FOR EVERYDAY USE] Universal linux launcher for anime games
A curation of awesome tools, documents and projects about LLM Security.
This is an essay (which turned into a journal) I wrote to send to the government in preparation for my upcoming Continuing Disability Review. That's when Social Security reviews my medical records and makes the decision to continue my disability benefits
Welcome to GeekCentral, your one-stop destination for a wealth of information tailored specifically for computer enthusiasts
These hacks give you access to ESP and more on the webgame, Voxiom.
Protecting your data has never been more important. My cyber security blog is here to help you stay ahead of the game. I cover a wide range of topics, including phishing attacks, ransomware, data breaches, and much more.
RASP (Runtime Application Self-Protection) solution for protecting Android apps against being run on vulnerable devices.
The WingStack IDE project is an Integrated Development Environment for my proof-of-concept language "WingStack". Write your code, see it highlighted in real time and run it with its javascript interpreter.
Comfortably monitor your Internet traffic
The missing GraphQL security layer for Apollo GraphQL and Yoga / Envelop servers
An open-source authorization as a service inspired by Google Zanzibar, designed to build and manage fine-grained and scalable authorization systems for any application.
CG Secure package for Joomla 4.x
Common Cloud Native Tools
Drop-in proof-of-concept Python/Django app, fully integrated with your ButterCMS account
the only repository you've ever needed. supercharge your application today with this ultra performant library.
A free, open-source, robust yet user-friendly, compact and cross-platform tool for OpenPGP encryption. It stands out as an exceptional GUI frontend for the modern GnuPG (gpg).
Wi-Fi Framework for creating proof-of-concepts, automated experiments, test suites, fuzzers, and more.
Threat Hunting queries for various attacks
This is a program I made for fun that records your key and mouse strokes and stores them in a file.
Backup Docker Volumes to Local (alias dobaulo) is a comprehensive solution that leverages rsync to create incremental backups of Docker volumes, providing seamless recovery for both file and database data. Ideal for ensuring the integrity and security of
CodeQL Security Queries
Controller for managing Trunk & Branch Network Interfaces on EKS Cluster using Security Group For Pod feature and IPv4 Addresses for Windows Node.
EMBA - The firmware security analyzer
REST API backend for Reconmap
Travel related apps and hacks.
Firefox user.js for speed, privacy, and security. Your favorite browser, but better.
Notes from various sources for preparing to take the OSCP, Capture the Flag challenges, and Hack the Box machines.
Protect your secrets using Gitleaks-Action
A C-based sdk for delivering secure applications over a Ziti Network
Basic Atomic Swap Proof of Concept
K8 blog k8gege.org
exploits and proof-of-concept vulnerability demonstration files from the team at Hacker House
Tools for maintaining access to systems and proof-of-concept demonstrations.
This plugin integrates Polyspace (R) products with Jenkins for automated analysis. Polyspace (R) static code analysis products can prove absence of critical run-time errors using formal methods, find hundreds of classes of bugs, and check for adherence to
fast, extensible, versatile event router for Suricata's EVE-JSON format
A proof of concept for throttling an API endpoint using Kafka and Go
Binary Analysis Next Generation (BANG)
ā¤for real-time DataOps - where the application and data fabric blends - Lenses
Mozilla Monitor arms you with tools to keep your personal information safe. Find out what hackers already know about you and learn how to stay a step ahead of them.
http://firewalla.com
Second factor TOTP (RFC 6238) provider for Nextcloud
YAM (short for 'Yet Another Mailer') is a MIME-compliant open-source Internet email client written for Amiga-based computer systems (AmigaOS4, AmigaOS3, MorphOS, AROS). It supports POP3, SMTP, TLSv1/SSLv3 connection security, multiple
A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
Source code for the Minecraft mod "SecurityCraft".
Advisories, proof of concept files and exploits that have been made public by @pedrib.
Spring Security
CVE-2024-11421 -- Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: The developer has disputed this as a vulnerability. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2024-13650 -- The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'PAFE Before After Image Comparison Slider' widget in all versions up to, and including, 2.4.34 due to insufficient input sanitization and output es
CVE-2024-29643 -- An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component.
CVE-2024-41447 -- A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function.
CVE-2024-45651 -- IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0
CVE-2024-46089 -- 74cms <=3.33 is vulnerable to remote code execution (RCE) in the background interface apiadmin.
CVE-2024-49808 -- IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization which could allow the user to bypass access restrictions.
CVE-2024-53591 -- An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack.
CVE-2024-57493 -- An issue in redoxOS relibc before commit 98aa4ea5 allows a local attacker to cause a denial of service via the setsockopt function.
CVE-2025-0467 -- Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory.
CVE-2025-1697 -- A potential security vulnerability has been identified in the HP Touchpoint Analytics Service for certain HP PC products with versions prior to 4.2.2439. This vulnerability could potentially allow a local attacker to escalate privileges. HP is providing s
CVE-2025-1863 -- Insecure default settings have been found in recorder products provided by Yokogawa Electric Corporation. The default setting of the authentication function is disabled on the affected products. Therefore, when connected to a network with default settings
CVE-2025-2162 -- The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disall
CVE-2025-24914 -- When installing Nessus to a non-default location on a Windows host, Nessus versions prior to 10.8.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non
CVE-2025-2492 -- An improper authentication control vulnerability exists in AiCloud. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions.
CVE-2025-25427 -- A Stored cross-site scripting (XSS) vulnerability in upnp page of the web Interface in TP-Link WR841N v14 <= Build 231119 Rel.67074n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution o
CVE-2025-25983 -- An issue in Macro-video Technologies Co.,Ltd V380 Pro android application 2.1.44 and V380 Pro android application 2.1.64 allows an attacker to obtain sensitive information via the QE code based sharing component.
CVE-2025-25984 -- An issue in Macro-video Technologies Co.,Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via UART component.
CVE-2025-25985 -- An issue in Macro-video Technologies Co.,Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via the /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/user_info.ini components.
CVE-2025-2613 -- The Login Manager – Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom logo and background URLs in all versions up to, and including, 2.0.5 due to insufficient input sa
CVE-2025-27599 -- Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to
CVE-2025-28059 -- An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails
CVE-2025-28197 -- Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py.
CVE-2025-28228 -- A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext.
CVE-2025-28229 -- Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges.
CVE-2025-28230 -- Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials.
CVE-2025-28231 -- Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.
CVE-2025-28232 -- Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication.
CVE-2025-28233 -- Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract ses
CVE-2025-28235 -- An information disclosure vulnerability in the component /socket.io/1/websocket/ of Soundcraft Ui Series Model(s) Ui12 and Ui16 Firmware v1.0.7x and v1.0.5x allows attackers to access Administrator credentials in plaintext.
CVE-2025-28236 -- Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This vulnerability allows attackers to execute arbitrary code via supplying a crafted update package
CVE-2025-28237 -- An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload.
CVE-2025-28238 -- Improper session management in Elber REBLE310 Firmware v5.5.1.R, Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.
CVE-2025-28242 -- Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
CVE-2025-28355 -- Volmarg Personal Management System 1.4.65 is vulnerable to Cross Site Request Forgery (CSRF), allowing attackers to execute arbitrary code and obtain sensitive information, because the SameSite cookie attribute's default value is set to None.
CVE-2025-29058 -- An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.
CVE-2025-29209 -- TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution vulnerability in the enable parameter of the sub_41105C function of cstecgi.cgi.
CVE-2025-2950 -- IBM i 7.3, 7.4, 7.5, and 7.5 is vulnerable to a host header injection attack caused by improper neutralization of HTTP header content by IBM Navigator for i. An authenticated user can manipulate the host header in HTTP requests to change domain/IP address
CVE-2025-29512 -- Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database.
CVE-2025-29513 -- Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator.
CVE-2025-29625 -- A buffer overflow vulnerability in Astrolog v7.70 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via an overly long environment variable passed to FileOpen function.
CVE-2025-29784 -- NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search q
CVE-2025-29953 -- Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.
CVE-2025-30158 -- NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe elements inside forum topics/comments/feed with no restriction on the iframe's width and height attribut
CVE-2025-30357 -- NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the
CVE-2025-3056 -- The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a
CVE-2025-3106 -- The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Table of Contents widget in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on u
CVE-2025-31118 -- NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, forum quick reply feature (view_topic.php) does not implement any spam prevention mechanism. This allows authenticated users to continuously p
CVE-2025-31120 -- NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application
CVE-2025-32377 -- Rasa Pro is a framework for building scalable, dynamic conversational AI assistants that integrate large language models (LLMs). A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication ev
CVE-2025-32389 -- NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refe
CVE-2025-32434 -- PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loa
CVE-2025-32442 -- Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ cont
CVE-2025-32790 -- Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrat
CVE-2025-32795 -- Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users are improperly granted permissions to edit APP names, descriptions and icons. This access control flaw allows non-a
CVE-2025-32796 -- Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal us
CVE-2025-32953 -- z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the `makefile-ubuntu.yml` workflow file uses `actions/upload-artifact@v4` to upload the `z80pack-ubuntu` artifact. This artifact is a zip of the current d
CVE-2025-3520 -- The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access a
CVE-2025-3598 -- The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, .6.3.0 due to insufficient input sanitization and outp
CVE-2025-36625 -- In Nessus versions prior to 10.8.4, a non-authenticated attacker could alter Nessus logging entries by manipulating http requests to the application.
CVE-2025-3783 -- A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-product.php. The manipulation of the argument Avatar leads to
CVE-2025-3785 -- A vulnerability has been found in D-Link DWR-M961 1.1.36 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formStaticDHCP of the component Authorization Interface. The manipulation of the argument Hostname leads to st
CVE-2025-3786 -- A vulnerability was found in Tenda AC15 up to 15.03.05.19 and classified as critical. This issue affects the function fromSetWirelessRepeat of the file /goform/WifiExtraSet. The manipulation of the argument mac leads to buffer overflow. The attack may be
CVE-2025-3787 -- A vulnerability was found in PbootCMS 3.2.5. It has been classified as problematic. Affected is an unknown function of the component Image Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The ex
CVE-2025-3788 -- A vulnerability was found in baseweb JSite 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /a/sys/user/save. The manipulation of the argument Name leads to cross site scripting. The attack c
CVE-2025-3789 -- A vulnerability was found in baseweb JSite 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /a/sys/area/save. The manipulation of the argument Name leads to cross site scripting. The attack may be lau
CVE-2025-3790 -- A vulnerability classified as critical has been found in baseweb JSite 1.0. This affects an unknown part of the file /druid/index.html of the component Apache Druid Monitoring Console. The manipulation leads to improper access controls. It is possible to
CVE-2025-3791 -- A vulnerability classified as critical was found in symisc UnQLite up to 957c377cb691a4f617db9aba5cc46d90425071e2. This vulnerability affects the function jx9MemObjStore of the file /data/src/benchmarks/unqlite/unqlite.c. The manipulation leads to heap-ba
CVE-2025-3792 -- A vulnerability, which was classified as critical, has been found in SeaCMS up to 13.3. This issue affects some unknown processing of the file /admin_link.php?action=delall. The manipulation of the argument e_id leads to sql injection. The attack may be i
CVE-2025-3795 -- A vulnerability was found in DaiCuo 1.3.13. It has been rated as problematic. Affected by this issue is some unknown functionality of the component SEO Optimization Settings Section. The manipulation leads to cross site scripting. The attack may be launch
CVE-2025-3796 -- A vulnerability classified as critical has been found in PHPGurukul Men Salon Management System 1.0. This affects an unknown part of the file /admin/contact-us.php. The manipulation of the argument pagetitle/pagedes/email/mobnumber/timing leads to sql inj
CVE-2025-39469 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantherius Modal Survey allows Reflected XSS. This issue affects Modal Survey: from n/a through 2.0.2.0.1.
CVE-2025-39470 -- Path Traversal: '.../...//' vulnerability in ThimPress Ivy School allows PHP Local File Inclusion. This issue affects Ivy School: from n/a through 1.6.0.
CVE-2025-39471 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pantherius Modal Survey. This issue affects Modal Survey: from n/a through 2.0.2.0.1.
CVE-2025-42599 -- Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-s
CVE-2025-43903 -- NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
CVE-2022-26323 -- Incorrect Use of Privileged APIs vulnerability in OpenText™ Operations Bridge Manager, OpenText™ Operations Bridge Suite (Containerized), OpenText™ UCMDB (Classic and Containerized) allows Privilege Escalation.
CVE-2024-11924 -- The Icegram Express formerly known as Email Subscribers WordPress plugin before 5.7.52 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the un
CVE-2024-12530 -- Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading. This issue affects Secure Content Manager: 23.4.
CVE-2024-13925 -- The Klarna Checkout for WooCommerce WordPress plugin before 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result
CVE-2024-40124 -- Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature.
CVE-2024-42177 -- HCL MyXalytics is affected by SSL/TLS Protocol affected with BREACH & LUCKY13 vulnerabilities. Attackers can exploit the weakness in the ciphers to intercept and decrypt encrypted data, steal sensitive information, or inject malicious code into the system
CVE-2024-42178 -- HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.
CVE-2024-53924 -- Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the =IF(A1=200, eval("__import__('os').system( substring.
CVE-2024-55211 -- An issue in Think Router Tk-Rt-Wr135G V3.0.2-X000 allows attackers to bypass authentication via a crafted cookie.
CVE-2024-55238 -- OpenMetadata <=1.4.1 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the WorkflowDAO interface. The workflowtype and status parameters can be used to build a SQL query.
CVE-2024-56518 -- Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document (aka a client configuration file), which can be uploaded at the /cluster-connections URI.
CVE-2025-1290 -- A race condition Use-After-Free vulnerability exists in the virtio_transport_space_update function within the Kernel 5.4 on ChromeOS. Concurrent allocation and freeing of the virtio_vsock_sock structure
CVE-2025-1525 -- The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disall
CVE-2025-1532 -- Phoneservice module is affected by code injection vulnerability, successful exploitation of this vulnerability may affect service confidentiality and integrity.
CVE-2025-2188 -- There is a whitelist mechanism bypass in GameCenter, successful exploitation of this vulnerability may affect service confidentiality and integrity.
CVE-2025-2197 -- Browser is affected by type confusion vulnerability, successful exploitation of this vulnerability may affect service availability.
CVE-2025-22340 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Data Dash allows Stored XSS. This issue affects Data Dash: from n/a through 1.2.3.
CVE-2025-22565 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bill Zimmerman vooPlayer v4 allows Reflected XSS. This issue affects vooPlayer v4: from n/a through 4.0.4.
CVE-2025-22636 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vicente Ruiz Gálvez VR-Frases allows Reflected XSS. This issue affects VR-Frases: from n/a through 3.0.1.
CVE-2025-22651 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wppluginboxdev Stylish Google Sheet Reader allows Reflected XSS. This issue affects Stylish Google Sheet Reader: from n/a through 4.0.
CVE-2025-22655 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Caio Web Dev CWD – Stealth Links allows SQL Injection. This issue affects CWD – Stealth Links: from n/a through 1.3.
CVE-2025-22692 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rachanaS Sponsered Link allows Reflected XSS. This issue affects Sponsered Link: from n/a through 4.0.
CVE-2025-22771 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Studio Hyperset The Great Firewords of China allows Stored XSS. This issue affects The Great Firewords of China: from n/a through 1.2.
CVE-2025-22774 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRUDLab CRUDLab Scroll to Top allows Reflected XSS. This issue affects CRUDLab Scroll to Top: from n/a through 1.0.1.
CVE-2025-22796 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in platcom WP-Asambleas allows Reflected XSS. This issue affects WP-Asambleas: from n/a through 2.85.0.
CVE-2025-23443 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Claire Ryan Author Showcase allows Reflected XSS. This issue affects Author Showcase: from n/a through 1.4.3.
CVE-2025-23448 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dastan800 visualslider Sldier allows Reflected XSS. This issue affects visualslider Sldier: from n/a through 1.1.1.
CVE-2025-23773 -- Missing Authorization vulnerability in mingocommerce Delete All Posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Delete All Posts: from n/a through 1.1.1.
CVE-2025-23782 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TotalSuite TotalContest Lite allows Reflected XSS. This issue affects TotalContest Lite: from n/a through 2.8.1.
CVE-2025-23855 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fyljp SpiderDisplay allows Reflected XSS. This issue affects SpiderDisplay: from n/a through 1.9.1.
CVE-2025-23858 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiren Patel Custom Users Order allows Reflected XSS. This issue affects Custom Users Order: from n/a through 4.2.
CVE-2025-23906 -- Missing Authorization vulnerability in wpseek WordPress Dashboard Tweeter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Dashboard Tweeter: from n/a through 1.3.2.
CVE-2025-23958 -- Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through 1.0.
CVE-2025-24539 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator allows Reflected XSS. This issue affects DeBounce Email Validator: from n/a through 5.6.5.
CVE-2025-24548 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Autoglot Autoglot – Automatic WordPress Translation allows Reflected XSS. This issue affects Autoglot – Automatic WordPress Translation: from n/a through
CVE-2025-24550 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JobScore Job Manager allows Stored XSS. This issue affects Job Manager: from n/a through 2.2.
CVE-2025-24553 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Akadrama Shipping with Venipak for WooCommerce allows Reflected XSS. This issue affects Shipping with Venipak for WooCommerce: from n/a through 1.22.3.
CVE-2025-24577 -- Missing Authorization vulnerability in Ays Pro Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through 5.5.0.
CVE-2025-24581 -- Missing Authorization vulnerability in Themefic Instantio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Instantio: from n/a through 3.3.7.
CVE-2025-24583 -- Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 12 Step Meeting List: from n/a through 3.16.5.
CVE-2025-24586 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitsstech Shipment Tracker for Woocommerce allows Reflected XSS. This issue affects Shipment Tracker for Woocommerce: from n/a through 1.4.23.
CVE-2025-24619 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WP Log Action allows Reflected XSS. This issue affects WP Log Action: from n/a through 0.51.
CVE-2025-24621 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes allows Reflected XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.15.
CVE-2025-24624 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasTech HT Event allows Reflected XSS. This issue affects HT Event: from n/a through 1.4.6.
CVE-2025-24637 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture allows Reflected XSS. This issue affects Beacon Lead Magnets and Lead Capture: from n/a through 1.5.7.
CVE-2025-24640 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan-Lucian Stefancu Empty Tags Remover allows Reflected XSS. This issue affects Empty Tags Remover: from n/a through 1.0.
CVE-2025-24645 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rob Scott Eazy Under Construction allows Reflected XSS. This issue affects Eazy Under Construction: from n/a through 1.0.
CVE-2025-24651 -- Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration allows Retrieve Embedded Sensitive Data. This issue affects WordPress Backup & Migration: from n/a through 1.5.3.
CVE-2025-24655 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Reflected XSS. This issue affects Wishlist: from n/a through 1.0.39.
CVE-2025-24670 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dhanendran Rajagopal Term Taxonomy Converter allows Reflected XSS. This issue affects Term Taxonomy Converter: from n/a through 1.2.
CVE-2025-24737 -- Missing Authorization vulnerability in Mat Bao Corporation WP Helper Premium allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Helper Premium: from n/a through 4.6.1.
CVE-2025-24745 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Classified Listing allows Reflected XSS. This issue affects Classified Listing: from n/a through 4.0.1.
CVE-2025-24752 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor allows Reflected XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.14.
CVE-2025-25234 -- Omnissa UAG contains a Cross-Origin Resource Sharing (CORS) bypass vulnerability. A malicious actor with network access to UAG may be able to bypass administrator-configured CORS restrictions to gain access to sensitive networks.
CVE-2025-25454 -- Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via wanSpeed2.
CVE-2025-25455 -- Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via wanMTU2.
CVE-2025-25457 -- Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via cloneType2.
CVE-2025-26268 -- DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. The validity of the scan cursor was not checked.
CVE-2025-26269 -- DragonflyDB Dragonfly through 1.28.2 allows authenticated users to cause a denial of service (daemon crash) via a Lua library command that references a large negative integer.
CVE-2025-26477 -- Dell ECS version 3.8.1.4 and prior contain an Improper Input Validation vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution.
CVE-2025-26478 -- Dell ECS version 3.8.1.4 and prior contain an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure.
CVE-2025-26968 -- Missing Authorization vulnerability in webbernaut Cloak Front End Email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloak Front End Email: from n/a through 1.9.5.
CVE-2025-27282 -- Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator allows Using Malicious Files. This issue affects Theme File Duplicator: from n/a through 1.3.
CVE-2025-27283 -- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in rockgod100 Theme File Duplicator allows Path Traversal. This issue affects Theme File Duplicator: from n/a through 1.3.
CVE-2025-27284 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in divspark Flagged Content allows Reflected XSS. This issue affects Flagged Content: from n/a through 1.0.2.
CVE-2025-27285 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Easy Form by AYS allows Reflected XSS. This issue affects Easy Form by AYS: from n/a through 2.6.9.
CVE-2025-27286 -- Deserialization of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider allows Object Injection. This issue affects Saoshyant Slider: from n/a through 3.0.
CVE-2025-27287 -- Deserialization of Untrusted Data vulnerability in ssvadim SS Quiz allows Object Injection. This issue affects SS Quiz: from n/a through 2.0.5.
CVE-2025-27288 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons allows Reflected XSS. This issue affects File Icons: from n/a through 2.1.
CVE-2025-27289 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Antoine Guillien Restrict Taxonomies allows Reflected XSS. This issue affects Restrict Taxonomies: from n/a through 1.3.3.
CVE-2025-27291 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxgallery WordPress Photo Gallery – Image Gallery allows Reflected XSS. This issue affects WordPress Photo Gallery – Image Gallery: from n/a through 2.0.
CVE-2025-27292 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPyog WPYog Documents allows Reflected XSS. This issue affects WPYog Documents: from n/a through 1.3.3.
CVE-2025-27293 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webparexapp Shipmozo Courier Tracking allows Reflected XSS. This issue affects Shipmozo Courier Tracking: from n/a through 1.0.
CVE-2025-27295 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpion Live css allows Stored XSS. This issue affects Live css: from n/a through 1.3.
CVE-2025-27299 -- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Asia MyTicket Events allows Path Traversal. This issue affects MyTicket Events: from n/a through 1.2.4.
CVE-2025-27302 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Claudio Adrian Marrero CHATLIVE allows SQL Injection. This issue affects CHATLIVE: from n/a through 2.0.1.
CVE-2025-27308 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmstactics WP Video Posts allows Reflected XSS. This issue affects WP Video Posts: from n/a through 3.5.1.
CVE-2025-27309 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeannot Muller flickr-slideshow-wrapper allows Stored XSS. This issue affects flickr-slideshow-wrapper: from n/a through 5.4.6.
CVE-2025-27310 -- Missing Authorization vulnerability in Radius of Thought Page and Post Lister allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Page and Post Lister: from n/a through 1.2.1.
CVE-2025-27313 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bernd Altmeier Google Maps GPX Viewer allows Reflected XSS. This issue affects Google Maps GPX Viewer: from n/a through 3.6.
CVE-2025-27314 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kush Sharma Kush Micro News allows Stored XSS. This issue affects Kush Micro News: from n/a through 1.6.7.
CVE-2025-27319 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivan82 User List allows Reflected XSS. This issue affects User List: from n/a through 1.5.1.
CVE-2025-27322 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bappa Mal QR Code for WooCommerce allows Reflected XSS. This issue affects QR Code for WooCommerce: from n/a through 1.2.0.
CVE-2025-27324 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 17track 17TRACK for WooCommerce allows Reflected XSS. This issue affects 17TRACK for WooCommerce: from n/a through 1.2.10.
CVE-2025-27333 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alvego Protected wp-login allows Reflected XSS. This issue affects Protected wp-login: from n/a through 2.1.
CVE-2025-27337 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur Fontsampler allows Reflected XSS. This issue affects Fontsampler: from n/a through 0.4.14.
CVE-2025-27338 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphems List Urls allows Reflected XSS. This issue affects List Urls: from n/a through 0.2.
CVE-2025-27343 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop WooCommerce HTML5 Video allows Reflected XSS. This issue affects WooCommerce HTML5 Video: from n/a through 1.7.10.
CVE-2025-27345 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Deetronix Booking Ultra Pro allows Reflected XSS. This issue affects Booking Ultra Pro: from n/a through 1.1.19.
CVE-2025-27346 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gerrygooner Rebuild Permalinks allows Reflected XSS. This issue affects Rebuild Permalinks: from n/a through 1.6.
CVE-2025-27354 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phil88530 Simple Email Subscriber allows Reflected XSS. This issue affects Simple Email Subscriber: from n/a through 2.3.
CVE-2025-28009 -- A SQL Injection vulnerability exists in the `u` parameter of the progress-body-weight.php endpoint of Dietiqa App v1.0.20.
CVE-2025-28101 -- An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request.
CVE-2025-29015 -- Code Astro Internet Banking System 2.0.0 is vulnerable to Cross Site Scripting (XSS) via the name parameter in /admin/pages_account.php.
CVE-2025-2903 -- An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature, can login via SSH gaining command-line control of the operating system. This allows an attacker to gain access to sensitiv
CVE-2025-29039 -- An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x41dda8
CVE-2025-29040 -- An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41737c
CVE-2025-29041 -- An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41710c
CVE-2025-29042 -- An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the macaddr key value to the function 0x42232c
CVE-2025-29043 -- An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x417234
CVE-2025-29044 -- Buffer Overflow vulnerability in Netgear R61 router V1.0.1.28 allows a remote attacker to execute arbitrary code via the QUERY_STRING key value
CVE-2025-29045 -- Buffer Overflow vulnerability in ALFA_CAMPRO-co-2.29 allows a remote attacker to execute arbitrary code via the newap_text_0 key value
CVE-2025-29046 -- Buffer Overflow vulnerability in ALFA WiFi CampPro router ALFA_CAMPRO-co-2.29 allows a remote attacker to execute arbitrary code via the GAPSMinute3 key value
CVE-2025-29047 -- Buffer Overflow vulnerability in ALFA WiFi CampPro router ALFA_CAMPRO-co-2.29 allows a remote attacker to execute arbitrary code via the hiddenIndex in the function StorageEditUser
CVE-2025-29180 -- In FOXCMS <=1.25, the installdb.php file has a time-based blind SQL injection vulnerability. The url_prefix, domain, and my_website POST parameters are directly concatenated into SQL statements without filtering.
CVE-2025-29181 -- FOXCMS <= V1.25 is vulnerable to SQL Injection via $param['title'] in /admin/util/Field.php.
CVE-2025-29316 -- An issue in DataPatrol Screenshot watermark, printing watermark agent v.3.5.2.0 allows a physically proximate attacker to obtain sensitive information
CVE-2025-29449 -- An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the link identification function.
CVE-2025-29450 -- An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the site settings component.
CVE-2025-29451 -- An issue in Seo Panel 4.11.0 allows a remote attacker to obtain sensitive information via the Mail Setting component.
CVE-2025-29452 -- An issue in Seo Panel 4.11.0 allows a remote attacker to obtain sensitive information via the Proxy Manager component.
CVE-2025-29453 -- An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the my-contacts-settings component.
CVE-2025-29454 -- An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Upload function.
CVE-2025-29455 -- An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Travel Ideas function.
CVE-2025-29456 -- An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the create Notes function.
CVE-2025-29457 -- An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function.
CVE-2025-29458 -- An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function.
CVE-2025-29459 -- An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function.
CVE-2025-29460 -- An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function.
CVE-2025-29461 -- An issue in a-blogcms 3.1.15 allows a remote attacker to obtain sensitive information via the /bid/1/admin/entry-edit/ path.
CVE-2025-2947 -- IBM i 7.6
CVE-2025-29661 -- Litepubl CMS <= 7.0.9 is vulnerable to RCE in admin/service/run.
CVE-2025-29662 -- A RCE vulnerability in the core application in LandChat 3.25.12.18 allows an unauthenticated attacker to execute system code via remote network access.
CVE-2025-29722 -- A CSRF vulnerability in Commercify v1.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users. The issue exists due to missing CSRF protection on sensitive endpoints.
CVE-2025-29931 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected product does not properly validate a length field in a serialized message which it uses to determine the amount of memory to be allocated for deseriali
CVE-2025-31006 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Activity Reactions For Buddypress allows Reflected XSS. This issue affects Activity Reactions For Buddypress: from n/a through 1.0.22.
CVE-2025-31018 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FireDrum FireDrum Email Marketing allows Reflected XSS. This issue affects FireDrum Email Marketing: from n/a through 1.64.
CVE-2025-31030 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jbhovik Ray Enterprise Translation allows PHP Local File Inclusion. This issue affects Ray Enterprise Translation: from n/a through 1.
CVE-2025-3113 -- A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This a
CVE-2025-3124 -- A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a user to see the names of private repositories that they wouldn't otherwise have access to in the Security Overview in GitHub Advanced Security. The Security Ov
CVE-2025-31338 -- A missing authorization vulnerability in the retrieve teacher Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to obtain partial user data by accessing the API functionality.
CVE-2025-31339 -- An unrestricted upload of file with dangerous type vulnerability in the course management function of Wisdom Master Pro versions 5.0 through 5.2 allows remote authenticated users to craft a malicious file.
CVE-2025-31340 -- An improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a m
CVE-2025-31380 -- Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site allows Password Recovery Exploitation. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.11.
CVE-2025-32415 -- In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer underflow. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafte
CVE-2025-32415 -- In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a craft
CVE-2025-3246 -- An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance
CVE-2025-32490 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebsiteDefender wp secure allows Stored XSS. This issue affects wp secure: from n/a through 1.2.
CVE-2025-32504 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silvasoft Silvasoft boekhouden allows Reflected XSS. This issue affects Silvasoft boekhouden: from n/a through 3.0.5.
CVE-2025-32506 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BenDlz AT Internet SmartTag allows Reflected XSS. This issue affects AT Internet SmartTag: from n/a through 0.2.
CVE-2025-32507 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aakif Kadiwala Event Espresso – Custom Email Template Shortcode allows Reflected XSS. This issue affects Event Espresso – Custom Email Template Shortcode
CVE-2025-32508 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ComMotion Course Booking System allows Reflected XSS. This issue affects Course Booking System: from n/a through 6.0.7.
CVE-2025-32511 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Excellent Dynamics Make Email Customizer for WooCommerce allows Reflected XSS. This issue affects Make Email Customizer for WooCommerce: from n/a through
CVE-2025-32512 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revampcrm Revamp CRM for WooCommerce allows Reflected XSS. This issue affects Revamp CRM for WooCommerce: from n/a through 1.1.2.
CVE-2025-32513 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in totalprocessing Nomupay Payment Processing Gateway allows Reflected XSS. This issue affects Nomupay Payment Processing Gateway: from n/a through 7.1.6.
CVE-2025-32514 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cscode WooCommerce Estimate and Quote allows Reflected XSS. This issue affects WooCommerce Estimate and Quote: from n/a through 1.0.2.5.
CVE-2025-32515 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in terminalafrica Terminal Africa allows Reflected XSS. This issue affects Terminal Africa: from n/a through 1.13.17.
CVE-2025-32516 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ilGhera Related Videos for JW Player allows Reflected XSS. This issue affects Related Videos for JW Player: from n/a through 1.2.0.
CVE-2025-32520 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M. Ali Saleem WordPress Health and Server Condition – Integrated with Google Page Speed allows Reflected XSS. This issue affects WordPress Health and Ser
CVE-2025-32521 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy Cool Flipbox – Shortcode & Gutenberg Block allows Reflected XSS. This issue affects Cool Flipbox – Shortcode & Gutenberg Block: from n/a throug
CVE-2025-32522 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPExperts.io License Manager for WooCommerce allows Reflected XSS. This issue affects License Manager for WooCommerce: from n/a through 3.0.9.
CVE-2025-32526 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through 3.3.101.
CVE-2025-32527 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pey22 T&P Gallery Slider allows Stored XSS. This issue affects T&P Gallery Slider: from n/a through 1.2.
CVE-2025-32528 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maximevalette iCal Feeds allows Reflected XSS. This issue affects iCal Feeds: from n/a through 1.5.3.
CVE-2025-32529 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iONE360 iONE360 configurator allows Reflected XSS. This issue affects iONE360 configurator: from n/a through 2.0.56.
CVE-2025-32530 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Wallet System for WooCommerce allows Reflected XSS. This issue affects Wallet System for WooCommerce: from n/a through 2.6.5.
CVE-2025-32531 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix FAQ allows Reflected XSS. This issue affects Arconix FAQ: from n/a through 1.9.5.
CVE-2025-32532 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pei Yong Goh UXsniff allows Reflected XSS. This issue affects UXsniff: from n/a through 1.2.4.
CVE-2025-32533 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matat Technologies Deliver via Shipos for WooCommerce allows Reflected XSS. This issue affects Deliver via Shipos for WooCommerce: from n/a through 2.1.7
CVE-2025-32535 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in digireturn DN Shipping by Weight for WooCommerce allows Reflected XSS. This issue affects DN Shipping by Weight for WooCommerce: from n/a through 1.2.
CVE-2025-32540 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in feedify Feedify – Web Push Notifications allows Reflected XSS. This issue affects Feedify – Web Push Notifications: from n/a through 2.4.5.
CVE-2025-32544 -- Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6.
CVE-2025-32545 -- Cross-Site Request Forgery (CSRF) vulnerability in SOFTAGON WooCommerce Products without featured images allows Reflected XSS. This issue affects WooCommerce Products without featured images: from n/a through 0.1.
CVE-2025-32546 -- Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP allows Reflected XSS. This issue affects All push notification for WP: from n/a through 1.5.3.
CVE-2025-32548 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in borisolhor Hamburger Icon Menu Lite allows Reflected XSS. This issue affects Hamburger Icon Menu Lite: from n/a through 1.0.
CVE-2025-32552 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory MSRP (RRP) Pricing for WooCommerce allows Reflected XSS. This issue affects MSRP (RRP) Pricing for WooCommerce: from n/a through 1.8.1.
CVE-2025-32554 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through 3.7.3.
CVE-2025-32557 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rico Macchi WP Featured Screenshot allows Reflected XSS. This issue affects WP Featured Screenshot: from n/a through 1.3.
CVE-2025-32560 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohammad I. Okfie WP-Hijri allows Reflected XSS. This issue affects WP-Hijri: from n/a through 1.5.3.
CVE-2025-32561 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in plugins.club WP_DEBUG Toggle allows Reflected XSS. This issue affects WP_DEBUG Toggle: from n/a through 1.1.
CVE-2025-32562 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com WP Easy Poll allows Reflected XSS. This issue affects WP Easy Poll: from n/a through 2.2.9.
CVE-2025-32564 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tomroyal Stop Registration Spam allows Reflected XSS. This issue affects Stop Registration Spam: from n/a through 1.24.
CVE-2025-32566 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashraful Sarkar Naiem License For Envato allows Reflected XSS. This issue affects License For Envato: from n/a through 1.0.0.
CVE-2025-32571 -- Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection. This issue affects TuriTop Booking System: from n/a through 1.0.10.
CVE-2025-32572 -- Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus allows Object Injection. This issue affects Kata Plus: from n/a through 1.5.2.
CVE-2025-32573 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync allows SQL Injection. This issue affects KiotViet Sync: from n/a through 1.8.3.
CVE-2025-32578 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mapro Collins Coming Soon Countdown allows Reflected XSS. This issue affects Coming Soon Countdown: from n/a through 2.2.
CVE-2025-32582 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EXEIdeas International WP AutoKeyword allows Stored XSS. This issue affects WP AutoKeyword: from n/a through 1.0.
CVE-2025-32583 -- Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post allows Remote Code Inclusion. This issue affects PDF 2 Post: from n/a through 2.4.0.
CVE-2025-32588 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Credova Financial Credova_Financial allows Reflected XSS. This issue affects Credova_Financial: from n/a through 2.4.8.
CVE-2025-32590 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tzin111 Web2application allows Reflected XSS. This issue affects Web2application: from n/a through 5.6.
CVE-2025-32592 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Stored XSS. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through
CVE-2025-32593 -- Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Product Frontend for WooCommerce: from n/a through 1.0.6.
CVE-2025-32594 -- Insertion of Sensitive Information Into Sent Data vulnerability in WPMinds Simple WP Events allows Retrieve Embedded Sensitive Data. This issue affects Simple WP Events: from n/a through 1.8.17.
CVE-2025-32596 -- Improper Control of Generation of Code ('Code Injection') vulnerability in Rameez Iqbal Real Estate Manager allows Code Injection. This issue affects Real Estate Manager: from n/a through 7.3.
CVE-2025-32602 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aiiddqd WooMS allows Reflected XSS. This issue affects WooMS: from n/a through 9.12.
CVE-2025-32604 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Aslani AWSA Shipping allows Reflected XSS. This issue affects AWSA Shipping: from n/a through 1.3.0.
CVE-2025-32605 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in expresstechsoftware MemberPress Discord Addon allows Reflected XSS. This issue affects MemberPress Discord Addon: from n/a through 1.1.1.
CVE-2025-32606 -- Cross-Site Request Forgery (CSRF) vulnerability in Deepak Khokhar Listings for Buildium allows Stored XSS. This issue affects Listings for Buildium: from n/a through 0.1.4.
CVE-2025-32608 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Movylo Movylo Marketing Automation allows Reflected XSS. This issue affects Movylo Marketing Automation: from n/a through 2.0.7.
CVE-2025-32609 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Picture-Planet GmbH Verowa Connect allows Reflected XSS. This issue affects Verowa Connect: from n/a through 3.0.4.
CVE-2025-32611 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in We Are De WooCommerce TBC Credit Card Payment Gateway (Free) allows Reflected XSS. This issue affects WooCommerce TBC Credit Card Payment Gateway (Free):
CVE-2025-32613 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bowo Debug Log Manager allows Stored XSS. This issue affects Debug Log Manager: from n/a through 2.3.4.
CVE-2025-32615 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clinked Clinked Client Portal allows Reflected XSS. This issue affects Clinked Client Portal: from n/a through 1.10.
CVE-2025-32620 -- Missing Authorization vulnerability in fromdoppler Doppler Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Doppler Forms: from n/a through 2.4.5.
CVE-2025-32622 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTP-less OTP-less one tap Sign in allows Reflected XSS. This issue affects OTP-less one tap Sign in: from n/a through 2.0.58.
CVE-2025-32625 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pootlepress Mobile Pages allows Reflected XSS. This issue affects Mobile Pages: from n/a through 1.0.2.
CVE-2025-32626 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Job Manager allows SQL Injection. This issue affects JS Job Manager: from n/a through 2.0.2.
CVE-2025-32628 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham Crowdfunding for WooCommerce allows Reflected XSS. This issue affects Crowdfunding for WooCommerce: from n/a through 3.1.12.
CVE-2025-32630 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through 3.1
CVE-2025-32634 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP allows Reflected XSS. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP
CVE-2025-32635 -- Insertion of Sensitive Information Into Sent Data vulnerability in Hive Support Hive Support allows Retrieve Embedded Sensitive Data. This issue affects Hive Support: from n/a through 1.2.2.
CVE-2025-32636 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in matthewrubin Local Magic allows SQL Injection. This issue affects Local Magic: from n/a through 2.6.0.
CVE-2025-32637 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ketanajani WP Donate allows Stored XSS. This issue affects WP Donate: from n/a through 2.0.
CVE-2025-32638 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weptile ShopApper allows Stored XSS. This issue affects ShopApper: from n/a through 0.4.39.
CVE-2025-32639 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wecantrack Affiliate Links Lite allows Reflected XSS. This issue affects Affiliate Links Lite: from n/a through 3.1.0.
CVE-2025-32646 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Question Answer allows Reflected XSS. This issue affects Question Answer: from n/a through 1.2.70.
CVE-2025-32647 -- Deserialization of Untrusted Data vulnerability in PickPlugins Question Answer allows Object Injection. This issue affects Question Answer: from n/a through 1.2.70.
CVE-2025-32648 -- Incorrect Privilege Assignment vulnerability in Projectopia Projectopia allows Privilege Escalation. This issue affects Projectopia: from n/a through 5.1.16.
CVE-2025-32649 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gb-plugins GB Gallery Slideshow allows Reflected XSS. This issue affects GB Gallery Slideshow: from n/a through 1.3.
CVE-2025-32651 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in serpednet SERPed.net allows Reflected XSS. This issue affects SERPed.net: from n/a through 4.6.
CVE-2025-32652 -- Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra allows Using Malicious Files. This issue affects Solace Extra: from n/a through 1.3.1.
CVE-2025-32653 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lee Blue Cart66 Cloud allows Reflected XSS. This issue affects Cart66 Cloud: from n/a through 2.3.7.
CVE-2025-32655 -- Cross-Site Request Forgery (CSRF) vulnerability in DevriX Restrict User Registration allows Stored XSS. This issue affects Restrict User Registration: from n/a through 1.0.1.
CVE-2025-32658 -- Deserialization of Untrusted Data vulnerability in wpWax HelpGent allows Object Injection. This issue affects HelpGent: from n/a through 2.2.4.
CVE-2025-32660 -- Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2.
CVE-2025-32662 -- Deserialization of Untrusted Data vulnerability in Stylemix uListing allows Object Injection. This issue affects uListing: from n/a through 2.2.0.
CVE-2025-32665 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebbyTemplate Office Locator allows SQL Injection. This issue affects Office Locator: from n/a through 1.3.0.
CVE-2025-32666 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support allows Reflected XSS. This issue affects Hive Support: from n/a through 1.2.2.
CVE-2025-32670 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark Parnell Spark GF Failed Submissions allows Reflected XSS. This issue affects Spark GF Failed Submissions: from n/a through 1.3.5.
CVE-2025-32674 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Product Excel Import Export & Bulk Edit for WooCommerce allows Reflected XSS. This issue affects Product Excel Import Export & Bulk Edit for Wo
CVE-2025-32682 -- Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG Lite allows Upload a Web Shell to a Web Server. This issue affects MapSVG Lite: from n/a through 8.5.34.
CVE-2025-32686 -- Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection. This issue affects Team Members: from n/a through 3.4.0.
CVE-2025-3294 -- The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to
CVE-2025-3295 -- The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected s
CVE-2025-3453 -- The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and includin
CVE-2025-3479 -- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user contro
CVE-2025-3487 -- The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'limit' parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and out
CVE-2025-3509 -- A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. Th
CVE-2025-3615 -- The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authent
CVE-2025-3651 -- Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions below 10.8.2.33 allows attackers to execute arbitrary commands via unauthorized access to the Agent service.
CVE-2025-3651 -- Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions 10.8.1.46 and earlier
CVE-2025-3760 -- A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 thro
CVE-2025-3762 -- A vulnerability was found in PCMan FTP Server 2.0.7. It has been rated as critical. Affected by this issue is some unknown functionality of the component MPUT Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely.
CVE-2025-3763 -- A vulnerability classified as critical has been found in SourceCodester Phone Management System 1.0. This affects the function main of the component Password Handler. The manipulation of the argument s leads to buffer overflow. Local access is required to
CVE-2025-3764 -- A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. This vulnerability affects unknown code of the file /edit-product.php. The manipulation of the argument Avatar leads to unrestricted uploa
CVE-2025-3765 -- A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file /edit-photo.php. The manipulation of the argument Avatar leads to
CVE-2025-39414 -- Cross-Site Request Forgery (CSRF) vulnerability in Mike spam-stopper allows Stored XSS. This issue affects spam-stopper: from n/a through 3.1.3.
CVE-2025-39415 -- Cross-Site Request Forgery (CSRF) vulnerability in Jayesh Parejiya Social Media Links allows Stored XSS. This issue affects Social Media Links: from n/a through 1.0.3.
CVE-2025-39416 -- Cross-Site Request Forgery (CSRF) vulnerability in Ichi translit it! allows Stored XSS. This issue affects translit it!: from n/a through 1.6.
CVE-2025-39417 -- Cross-Site Request Forgery (CSRF) vulnerability in Eslam Mahmoud Redirect wordpress to welcome or landing page allows Stored XSS. This issue affects Redirect wordpress to welcome or landing page: from n/a through 2.0.
CVE-2025-39418 -- Cross-Site Request Forgery (CSRF) vulnerability in ajayver RSS Manager allows Stored XSS. This issue affects RSS Manager: from n/a through 0.06.
CVE-2025-39419 -- Cross-Site Request Forgery (CSRF) vulnerability in David Miller Revision Diet allows Stored XSS. This issue affects Revision Diet: from n/a through 1.0.1.
CVE-2025-39420 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ruudkok WP Twitter Button allows Stored XSS. This issue affects WP Twitter Button: from n/a through 1.4.1.
CVE-2025-39421 -- Cross-Site Request Forgery (CSRF) vulnerability in Mustafa KUCUK WP Sticky Side Buttons allows Stored XSS. This issue affects WP Sticky Side Buttons: from n/a through 2.1.
CVE-2025-39422 -- Cross-Site Request Forgery (CSRF) vulnerability in PResponsive WP Social Bookmarking allows Stored XSS. This issue affects WP Social Bookmarking: from n/a through 3.6.
CVE-2025-39423 -- Cross-Site Request Forgery (CSRF) vulnerability in Jenst Add to Header allows Stored XSS. This issue affects Add to Header: from n/a through 1.0.
CVE-2025-39424 -- Cross-Site Request Forgery (CSRF) vulnerability in simplemaps Simple Maps allows Stored XSS. This issue affects Simple Maps: from n/a through 0.98.
CVE-2025-39425 -- Cross-Site Request Forgery (CSRF) vulnerability in pixelgrade Style Manager allows Cross Site Request Forgery. This issue affects Style Manager: from n/a through 2.2.7.
CVE-2025-39426 -- Cross-Site Request Forgery (CSRF) vulnerability in illow illow – Cookies Consent allows Cross Site Request Forgery. This issue affects illow – Cookies Consent: from n/a through 0.2.0.
CVE-2025-39427 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beth Tucker Long WP Post to PDF Enhanced allows Stored XSS. This issue affects WP Post to PDF Enhanced: from n/a through 1.1.1.
CVE-2025-39428 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maros Pristas Gravity Forms CSS Themes with Fontawesome and Placeholders allows Stored XSS. This issue affects Gravity Forms CSS Themes with Fontawesome
CVE-2025-39429 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Földesi, Mihály Széchenyi 2020 Logo allows PHP Local File Inclusion. This issue affects Széchenyi 2020 Logo: from n/a through 1.1.
CVE-2025-39430 -- Cross-Site Request Forgery (CSRF) vulnerability in Alexander Rauscha mLanguage allows Stored XSS. This issue affects mLanguage: from n/a through 1.6.1.
CVE-2025-39431 -- Cross-Site Request Forgery (CSRF) vulnerability in Aaron Forgue Amazon Showcase WordPress Plugin allows Stored XSS. This issue affects Amazon Showcase WordPress Plugin: from n/a through 2.2.
CVE-2025-39432 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antonchanning bbPress2 shortcode whitelist allows Stored XSS. This issue affects bbPress2 shortcode whitelist: from n/a through 2.2.1.
CVE-2025-39433 -- Cross-Site Request Forgery (CSRF) vulnerability in beke_ro Bknewsticker allows Stored XSS. This issue affects Bknewsticker: from n/a through 1.0.5.
CVE-2025-39434 -- Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.
CVE-2025-39435 -- Cross-Site Request Forgery (CSRF) vulnerability in davidfcarr My Marginalia allows Stored XSS. This issue affects My Marginalia: from n/a through 1.0.6.
CVE-2025-39436 -- Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files. This issue affects I Draw: from n/a through 1.0.
CVE-2025-39437 -- Cross-Site Request Forgery (CSRF) vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3.
CVE-2025-39438 -- Cross-Site Request Forgery (CSRF) vulnerability in momen2009 Theme Changer allows Cross Site Request Forgery. This issue affects Theme Changer: from n/a through 1.3.
CVE-2025-39439 -- Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Markus Drubba wpLike2Get allows Retrieve Embedded Sensitive Data. This issue affects wpLike2Get: from n/a through 1.2.9.
CVE-2025-39440 -- Cross-Site Request Forgery (CSRF) vulnerability in Rajesh Broken Links Remover allows Stored XSS. This issue affects Broken Links Remover: from n/a through 1.2.2.
CVE-2025-39441 -- Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Dashboard Notepads allows Stored XSS. This issue affects Dashboard Notepads: from n/a through 1.2.1.
CVE-2025-39442 -- Cross-Site Request Forgery (CSRF) vulnerability in MessageMetric Review Wave – Google Places Reviews allows Stored XSS. This issue affects Review Wave – Google Places Reviews: from n/a through 1.4.7.
CVE-2025-39443 -- Cross-Site Request Forgery (CSRF) vulnerability in Soft8Soft LLC Verge3D allows Cross Site Request Forgery. This issue affects Verge3D: from n/a through 4.9.0.
CVE-2025-39444 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxfoundry MaxButtons allows Stored XSS. This issue affects MaxButtons: from n/a through 9.8.3.
CVE-2025-39452 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion. This issue affects WPCafe: from n/a through 2.2.32.
CVE-2025-39453 -- Cross-Site Request Forgery (CSRF) vulnerability in algol.plus Advanced Dynamic Pricing for WooCommerce allows Cross Site Request Forgery. This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through 4.9.3.
CVE-2025-39455 -- Cross-Site Request Forgery (CSRF) vulnerability in ip2location IP2Location Variables allows Reflected XSS. This issue affects IP2Location Variables: from n/a through 2.9.5.
CVE-2025-39456 -- Missing Authorization vulnerability in iTRON WP Logger allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Logger: from n/a through 2.2.
CVE-2025-39457 -- Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.8.
CVE-2025-39461 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through 24.07.02.
CVE-2025-39462 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in teamzt Smart Agreements allows PHP Local File Inclusion. This issue affects Smart Agreements: from n/a through 1.0.3.
CVE-2025-39464 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtowebsites AdminQuickbar allows Reflected XSS. This issue affects AdminQuickbar: from n/a through 1.9.1.
CVE-2025-39519 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtpHarry Bulk Page Stub Creator allows Reflected XSS. This issue affects Bulk Page Stub Creator: from n/a through 1.1.
CVE-2025-39521 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani Contact Form vCard Generator allows Reflected XSS. This issue affects Contact Form vCard Generator: from n/a through 2.4.
CVE-2025-39526 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.6.
CVE-2025-39527 -- Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7.
CVE-2025-39532 -- Missing Authorization vulnerability in spicethemes Spice Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spice Blocks: from n/a through 2.0.7.1.
CVE-2025-39533 -- Missing Authorization vulnerability in Starfish Reviews Starfish Review Generation & Marketing allows Privilege Escalation. This issue affects Starfish Review Generation & Marketing: from n/a through 3.1.14.
CVE-2025-39535 -- Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.7.
CVE-2025-39542 -- Incorrect Privilege Assignment vulnerability in Jauhari Xelion Xelion Webchat allows Privilege Escalation. This issue affects Xelion Webchat: from n/a through 9.1.0.
CVE-2025-39550 -- Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection. This issue affects FluentCommunity: from n/a through 1.2.15.
CVE-2025-39551 -- Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards allows Object Injection. This issue affects FluentBoards: from n/a through 1.47.
CVE-2025-39554 -- Missing Authorization vulnerability in Elliot Sowersby / RelyWP AI Text to Speech allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Text to Speech: from n/a through 3.0.3.
CVE-2025-39558 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks allows Reflected XSS. This issue affects CRM Perks: from n/a through 1.1.7.
CVE-2025-39559 -- Missing Authorization vulnerability in Eivin Landa Bring Fraktguiden for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bring Fraktguiden for WooCommerce: from n/a through 1.11.4.
CVE-2025-39562 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Payment Form for PayPal Pro allows Stored XSS. This issue affects Payment Form for PayPal Pro: from n/a through 1.1.72.
CVE-2025-39567 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free allows Reflected XSS. This issue affects Web Directory Free: from n/a through 1.7.8.
CVE-2025-39568 -- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Arture B.V. StoreContrl Woocommerce allows Path Traversal. This issue affects StoreContrl Woocommerce: from n/a through 4.1.3.
CVE-2025-39569 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in taskbuilder Taskbuilder allows Blind SQL Injection. This issue affects Taskbuilder: from n/a through 4.0.1.
CVE-2025-39580 -- Missing Authorization vulnerability in jidaikobo Dashi allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dashi: from n/a through 3.1.8.
CVE-2025-39583 -- Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.10.2.
CVE-2025-39586 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid: from n/a through 5.9.4.8.
CVE-2025-39587 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix Cost Calculator Builder allows SQL Injection. This issue affects Cost Calculator Builder: from n/a through 3.2.65.
CVE-2025-39588 -- Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.4.0.
CVE-2025-39594 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Arigato Autoresponder and Newsletter allows Reflected XSS. This issue affects Arigato Autoresponder and Newsletter: from n/a through 2.7.2.4.
CVE-2025-39595 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Quentn.com GmbH Quentn WP allows SQL Injection. This issue affects Quentn WP: from n/a through 1.2.8.
CVE-2025-39596 -- Weak Authentication vulnerability in Quentn.com GmbH Quentn WP allows Privilege Escalation. This issue affects Quentn WP: from n/a through 1.2.8.
CVE-2025-42921 -- In JetBrains Toolbox App before 2.6 host key verification was missing in SSH plugin
CVE-2025-43012 -- In JetBrains Toolbox App before 2.6 command injection in SSH plugin was possible
CVE-2025-43013 -- In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible
CVE-2025-43014 -- In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation
CVE-2025-43015 -- In JetBrains RubyMine before 2025.1 remote Interpreter overwrote ports to listen on all interfaces
CVE-2025-43708 -- VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when reference='../../../set/set[2]' is used, aka an "insecure deserialization" issue.
CVE-2025-43715 -- Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\temp and unprivileged users can place a crafted
CVE-2025-43717 -- In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS.
CVE-2023-32197 -- An Improper Privilege Management vulnerability in SUSE rancher in RoleTemplate objects when external=true is set can lead to privilege escalation in specific scenarios. This issue affects rancher: from 2.7.0 before 2.7.14, from 2.8.0 before 2.8.5.
CVE-2024-10680 -- The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is dis
CVE-2024-13452 -- The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthen
CVE-2024-22036 -- A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot
CVE-2024-22314 -- IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.12 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVE-2024-40068 -- Sourcecodester Online ID Generator System 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at id_generator/admin/?page=templates/manage_template&id=1.
CVE-2024-40069 -- Sourcecodester Online ID Generator System 1.0 was discovered to contain Stored Cross Site Scripting (XSS) via id_generator/classes/Users.php?f=save, and the point of vulnerability is in the POST parameter 'firstname' and 'lastname'.
CVE-2024-40070 -- Sourcecodester Online ID Generator System 1.0 was discovered to contain an arbitrary file upload vulnerability via id_generator/classes/Users.php?f=save. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2024-40071 -- Sourcecodester Online ID Generator System 1.0 was discovered to contain an arbitrary file upload vulnerability via id_generator/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted PHP f
CVE-2024-40072 -- Sourcecodester Online ID Generator System 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at id_generator/admin/?page=generate/index&id=1.
CVE-2024-40073 -- Sourcecodester Online ID Generator System 1.0 was discovered to contain a SQL injection vulnerability via the template parameter at id_generator/admin/?page=generate&template=4.
CVE-2024-40074 -- Sourcecodester Online ID Generator System 1.0 was discovered to contain Stored Cross Site Scripting (XSS) via id_generator/classes/SystemSettings.php?f=update_settings, and the point of vulnerability is in the POST parameter 'short_name'.
CVE-2024-52281 -- A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field.
CVE-2024-53303 -- A remote code execution (RCE) vulnerability in the upload_file function of LRQA Nettitude PoshC2 after commit 123db87 allows authenticated attackers to execute arbitrary code via a crafted POST request.
CVE-2024-53304 -- An issue in LRQA Nettitude PoshC2 after commit 09ee2cf allows unauthenticated attackers to connect to the C2 server and execute arbitrary commands via posing as an infected machine.
CVE-2024-53305 -- An issue in the component /models/config.py of Whoogle search v0.9.0 allows attackers to execute arbitrary code via supplying a crafted search query.
CVE-2024-55371 -- Wallos <= 2.38.2 has a file upload vulnerability in the restore backup function, which allows authenticated users to restore backups by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an authentic
CVE-2024-55372 -- Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an unaut
CVE-2024-56736 -- Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat.
CVE-2024-58248 -- nopCommerce before 4.80.0 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.
CVE-2024-58249 -- In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL.
CVE-2025-0101 -- A low privileged user can set the date of the devices to the 19th of January 2038 and therefore exceed the 32-bit time limit. This causes some functions to work unexpectedly or stop working at all, both during runtime and after a restart.
CVE-2025-0757 -- Overview
CVE-2025-1566 -- DNS Leak in Native System VPN in Google ChromeOS Dev Channel on ChromeOS 129.0.6668.36 allows network observers to expose plaintext DNS queries via failure to properly tunnel DNS traffic during VPN state transitions.
CVE-2025-1568 -- Access Control Vulnerability in Gerrit chromiumos project configuration in Google ChromeOS 131.0.6778.268 allows an attacker with a registered Gerrit account to inject malicious code into ChromeOS projects and potentially achieve Remote Code Execution and
CVE-2025-1704 -- ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 124.0.6367.34 on Chromebooks allows enrolled users with local access to unenroll devices
CVE-2025-1980 -- The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution.
CVE-2025-1981 -- Improper neutralization of input provided by a low-privileged user into a file search functionality in Ready_'s Invoices module allows for SQL Injection attacks.
CVE-2025-1982 -- Local File Inclusion vulnerability in Ready's attachment upload panel allows low privileged user to provide link to a local file using the file:// protocol thus allowing the attacker to read content of the file. This vulnerability can be use to read conte
CVE-2025-1983 -- A cross-site scripting (XSS) vulnerability in Ready_'s File Explorer upload functionality allows injection of arbitrary JavaScript code in filename. Injected content is stored on server and is executed every time a user interacts with the uploaded file.
CVE-2025-20150 -- A vulnerability in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to enumerate LDAP user accounts.
CVE-2025-20178 -- A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker with valid administrative credentials to execute arbitrary commands as root on the underlying operating system.
CVE-2025-20236 -- A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user.
CVE-2025-2073 -- Out-of-Bounds Read in ip_set_bitmap_ip.c in Google ChromeOS Kernel Versions 6.1, 5.15, 5.10, 5.4, 4.19. on All devices where Termina is used allows an attacker with CAP_NET_ADMIN privileges to cause memory corruption and potentially escalate privileges vi
CVE-2025-22872 -- The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse
CVE-2025-2291 -- Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password
CVE-2025-2314 -- The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient i
CVE-2025-24839 -- Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override propert
CVE-2025-24911 -- Overview
CVE-2025-25230 -- Omnissa Horizon Client for Windows contains an LPE Vulnerability. A malicious actor with local access where Horizon Client for Windows is installed may be able to elevate privileges.
CVE-2025-2564 -- Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archive
CVE-2025-26153 -- A Stored XSS vulnerability exists in the message compose feature of Chamilo LMS 1.11.28. Attackers can inject malicious scripts into messages, which execute when victims, such as administrators, reply to the message.
CVE-2025-27495 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'CreateTrace' method. This could allow an unauthenticated remote attacker to byp
CVE-2025-27538 -- Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA
CVE-2025-27539 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'VerifyUser' method. This could allow an unauthenticated remote attacker to bypa
CVE-2025-27540 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'Authenticate' method. This could allow an unauthenticated remote attacker to by
CVE-2025-27571 -- Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access su
CVE-2025-27936 -- Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret o
CVE-2025-28072 -- PHPGurukul Pre-School Enrollment System is vulnerable to Directory Traversal in manage-teachers.php.
CVE-2025-29648 -- SQL Injection vulnerability exists in the TP-Link EAP120 router's login dashboard (version 1.0), allowing an unauthenticated attacker to inject malicious SQL statements via the login fields.
CVE-2025-29649 -- SQL Injection vulnerability exists in the TP-Link TL-WR840N router's login dashboard (version 1.0), allowing an unauthenticated attacker to inject malicious SQL statements via the username and password fields.
CVE-2025-29650 -- SQL Injection vulnerability exists in the TP-Link M7200 4G LTE Mobile Wi-Fi Router Firmware Version: 1.0.7 Build 180127 Rel.55998n, allowing an unauthenticated attacker to inject malicious SQL statements via the username and password fields.
CVE-2025-29651 -- SQL Injection vulnerability exists in the TP-Link M7650 4G LTE Mobile Wi-Fi Router Firmware Version: 1.0.7 Build 170623 Rel.1022n, allowing an unauthenticated attacker to inject malicious SQL statements via the username and password fields.
CVE-2025-29652 -- SQL Injection vulnerability exists in the TP-Link M7000 4G LTE Mobile Wi-Fi Router Firmware Version: 1.0.7 Build 180127 Rel.55998n, allowing an unauthenticated attacker to inject malicious SQL statements via the username and password fields.
CVE-2025-29653 -- SQL Injection vulnerability exists in the TP-Link M7450 4G LTE Mobile Wi-Fi Router Firmware Version: 1.0.2 Build 170306 Rel.1015n, allowing an unauthenticated attacker to inject malicious SQL statements via the username and password fields.
CVE-2025-29708 -- SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services.
CVE-2025-29709 -- SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio.
CVE-2025-29710 -- SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services.
CVE-2025-29905 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'RestoreFromBackup' method. This could allow an authenticated remote attacker to
CVE-2025-30002 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariables' method. This could allow an authenticated remote att
CVE-2025-30003 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateProjectConnections' method. This could allow an authenticated remote atta
CVE-2025-30030 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'ImportDatabase' method. This could allow an authenticated remote attacker to by
CVE-2025-30031 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateUsers' method. This could allow an authenticated remote attacker to bypas
CVE-2025-30032 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateDatabaseSettings' method. This could allow an authenticated remote attack
CVE-2025-30100 -- Dell Alienware Command Center 6.x, versions prior to 6.7.37.0 contain an Improper Access Control Vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
CVE-2025-30215 -- NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in th
CVE-2025-3077 -- The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied at
CVE-2025-30960 -- Missing Authorization vulnerability in NotFound FS Poster. This issue affects FS Poster: from n/a through 6.5.8.
CVE-2025-3104 -- The WP STAGING Pro WordPress Backup Plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 6.1.2 due to missing capability checks on the getOutdatedPluginsRequest() function. This makes it possible for unauthenticat
CVE-2025-31200 -- A memory corruption issue was addressed with improved bounds checking. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. Processing an audio stream in a maliciously crafted media file may result in
CVE-2025-31201 -- This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authen
CVE-2025-31343 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateTcmSettings' method. This could allow an authenticated remote attacker to
CVE-2025-31349 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateSmtpSettings' method. This could allow an authenticated remote attacker t
CVE-2025-31350 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateBufferingSettings' method. This could allow an authenticated remote attac
CVE-2025-31351 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'CreateProject' method. This could allow an authenticated remote attacker to byp
CVE-2025-31352 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateGateways' method. This could allow an authenticated remote attacker to by
CVE-2025-31353 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateOpcSettings' method. This could allow an authenticated remote attacker to
CVE-2025-31363 -- Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performin
CVE-2025-31478 -- Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email a
CVE-2025-32385 -- EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, the Iframe dashlet allows users to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the
CVE-2025-32433 -- Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH pr
CVE-2025-3247 -- The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthent
CVE-2025-32475 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateProject' method. This could allow an authenticated remote attacker to byp
CVE-2025-32783 -- XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects users with Message Stream enabled and a wiki configured as closed from selecting "Prevent unregistered users to view pages" in the Administrations Rights. Th
CVE-2025-32787 -- SoftEtherVPN is an open-source cross-platform multi-protocol VPN Program. Versions 5.02.5184 to 5.02.5187 are vulnerable to NULL dereference in `DeleteIPv6DefaultRouterInRA` called by `StorePacket`. Before dereferencing, `DeleteIPv6DefaultRouterInRA` do
CVE-2025-32789 -- EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of
CVE-2025-32791 -- The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions returned by the permi
CVE-2025-32817 -- An Improper Link Resolution vulnerability (CWE-59) in the SonicWall Connect Tunnel Windows (32 and 64 bit) client results in unauthorized file overwrite, potentially leading to denial of service or file corruption.
CVE-2025-32822 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'DeleteProject' method. This could allow an authenticated remote attacker to byp
CVE-2025-32823 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockProject' method. This could allow an authenticated remote attacker to bypas
CVE-2025-32825 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetProjects' method. This could allow an authenticated remote attacker to bypas
CVE-2025-32826 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetActiveProjects' method. This could allow an authenticated remote attacker to
CVE-2025-32827 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'ActivateProject' method. This could allow an authenticated remote attacker to b
CVE-2025-32828 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateProjectCrossCommunications' method. This could allow an authenticated rem
CVE-2025-32829 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockProjectCrossCommunications' method. This could allow an authenticated remot
CVE-2025-32830 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockProject' method. This could allow an authenticated remote attacker to byp
CVE-2025-32831 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateProjectUserRights' method. This could allow an authenticated remote attac
CVE-2025-32832 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockProjectUserRights' method. This could allow an authenticated remote attacke
CVE-2025-32833 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockProjectUserRights' method. This could allow an authenticated remote attac
CVE-2025-32834 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariablesWithImport' method. This could allow an authenticated
CVE-2025-32835 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariableArchivingBuffering' method. This could allow an authent
CVE-2025-32836 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetConnectionVariables' method. This could allow an authenticated remote attack
CVE-2025-32837 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetActiveConnectionVariables' method. This could allow an authenticated remote
CVE-2025-32838 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'ImportConnectionVariables' method. This could allow an authenticated remote att
CVE-2025-32839 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetGateways' method. This could allow an authenticated remote attacker to bypas
CVE-2025-32840 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockGateway' method. This could allow an authenticated remote attacker to bypas
CVE-2025-32841 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockGateway' method. This could allow an authenticated remote attacker to byp
CVE-2025-32842 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetUsers' method. This could allow an authenticated remote attacker to bypass a
CVE-2025-32843 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockUser' method. This could allow an authenticated remote attacker to bypass a
CVE-2025-32844 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockUser' method. This could allow an authenticated remote attacker to bypass
CVE-2025-32845 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateGeneralSettings' method. This could allow an authenticated remote attacke
CVE-2025-32846 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockGeneralSettings' method. This could allow an authenticated remote attacker
CVE-2025-32847 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockGeneralSettings' method. This could allow an authenticated remote attacke
CVE-2025-32848 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockSmtpSettings' method. This could allow an authenticated remote attacker to
CVE-2025-32849 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockSmtpSettings' method. This could allow an authenticated remote attacker t
CVE-2025-32850 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockTcmSettings' method. This could allow an authenticated remote attacker to b
CVE-2025-32851 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockTcmSettings' method. This could allow an authenticated remote attacker to
CVE-2025-32852 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockDatabaseSettings' method. This could allow an authenticated remote attacker
CVE-2025-32853 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockDatabaseSettings' method. This could allow an authenticated remote attack
CVE-2025-32854 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockOpcSettings' method. This could allow an authenticated remote attacker to b
CVE-2025-32855 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockOpcSettings' method. This could allow an authenticated remote attacker to
CVE-2025-32856 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockBufferingSettings' method. This could allow an authenticated remote attacke
CVE-2025-32857 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockBufferingSettings' method. This could allow an authenticated remote attac
CVE-2025-32858 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateWebServerGatewaySettings' method. This could allow an authenticated remot
CVE-2025-32859 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockWebServerGatewaySettings' method. This could allow an authenticated remote
CVE-2025-32860 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockWebServerGatewaySettings' method. This could allow an authenticated remot
CVE-2025-32861 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateTraceLevelSettings' method. This could allow an authenticated remote atta
CVE-2025-32862 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'LockTraceLevelSettings' method. This could allow an authenticated remote attack
CVE-2025-32863 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UnlockTraceLevelSettings' method. This could allow an authenticated remote atta
CVE-2025-32864 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetSettings' method. This could allow an authenticated remote attacker to bypas
CVE-2025-32865 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'CreateLog' method. This could allow an authenticated remote attacker to bypass
CVE-2025-32866 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetLogs' method. This could allow an authenticated remote attacker to bypass au
CVE-2025-32867 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'CreateBackup' method. This could allow an authenticated remote attacker to bypa
CVE-2025-32868 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'ExportCertificate' method. This could allow an authenticated remote attacker to
CVE-2025-32869 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'ImportCertificate' method. This could allow an authenticated remote attacker to
CVE-2025-32870 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetTraces' method. This could allow an authenticated remote attacker to bypass
CVE-2025-32871 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'MigrateDatabase' method. This could allow an authenticated remote attacker to b
CVE-2025-32872 -- A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'GetOverview' method. This could allow an authenticated remote attacker to bypas
CVE-2025-3495 -- Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.
CVE-2025-3619 -- Heap buffer overflow in Codecs in Google Chrome on Windows prior to 135.0.7049.95 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CVE-2025-3620 -- Use after free in USB in Google Chrome prior to 135.0.7049.95 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2025-3663 -- A vulnerability, which was classified as critical, has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513. This issue affects the function setWiFiEasyCfg/setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component Password Handler. The manipula
CVE-2025-3664 -- A vulnerability, which was classified as critical, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to lau
CVE-2025-3665 -- A vulnerability has been found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this vulnerability is the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The att
CVE-2025-3666 -- A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513 and classified as critical. Affected by this issue is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launch
CVE-2025-3667 -- A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been classified as critical. This affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to initiate t
CVE-2025-3668 -- A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been declared as critical. This vulnerability affects the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack c
CVE-2025-3674 -- A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been declared as critical. Affected by this vulnerability is the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. Th
CVE-2025-3675 -- A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been rated as critical. Affected by this issue is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may
CVE-2025-3676 -- A vulnerability classified as critical has been found in xxyopen Novel-Plus 3.5.0. This affects an unknown part of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remote
CVE-2025-3677 -- A vulnerability classified as critical was found in lm-sys fastchat up to 0.2.36. This vulnerability affects the function split_files/apply_delta_low_cpu_mem of the file fastchat/model/apply_delta.py. The manipulation leads to deserialization. An attack h
CVE-2025-3678 -- A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. This issue affects some unknown processing of the component HELP Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely.
CVE-2025-3679 -- A vulnerability, which was classified as critical, was found in PCMan FTP Server 2.0.7. Affected is an unknown function of the component HOST Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exp
CVE-2025-3680 -- A vulnerability has been found in PCMan FTP Server 2.0.7 and classified as critical. Affected by this vulnerability is an unknown functionality of the component LANG Command Handler. The manipulation leads to buffer overflow. The attack can be launched re
CVE-2025-3681 -- A vulnerability was found in PCMan FTP Server 2.0.7 and classified as critical. Affected by this issue is some unknown functionality of the component MODE Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. The
CVE-2025-3682 -- A vulnerability was found in PCMan FTP Server 2.0.7. It has been classified as critical. This affects an unknown part of the component PASV Command Handler. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exp
CVE-2025-3683 -- A vulnerability was found in PCMan FTP Server 2.0.7. It has been declared as critical. This vulnerability affects unknown code of the component SIZE Command Handler. The manipulation leads to buffer overflow. The attack can be initiated remotely. The expl
CVE-2025-3684 -- A vulnerability was found in Xianqi Kindergarten Management System 2.0 Bulid 20190808. It has been rated as critical. This issue affects some unknown processing of the file stu_list.php of the component Child Management. The manipulation of the argument s
CVE-2025-3685 -- A vulnerability classified as critical has been found in code-projects Patient Record Management System 1.0. Affected is an unknown function of the file /edit_fpatient.php. The manipulation of the argument ID leads to sql injection. It is possible to laun
CVE-2025-3686 -- A vulnerability classified as problematic was found in misstt123 oasys 1.0. Affected by this vulnerability is the function image of the file /show. The manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclos
CVE-2025-3687 -- A vulnerability, which was classified as problematic, has been found in misstt123 oasys 1.0. Affected by this issue is some unknown functionality of the component Sticky Notes Handler. The manipulation leads to cross-site request forgery. The attack may b
CVE-2025-3688 -- A vulnerability, which was classified as problematic, was found in mirweiye Seven Bears Library CMS 2023. This affects an unknown part of the component Background Management Page. The manipulation leads to cross site scripting. It is possible to initiate
CVE-2025-3689 -- A vulnerability has been found in PHPGurukul Men Salon Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/edit-customer-detailed.php. The manipulation of the argument editid leads to sql injection.
CVE-2025-3690 -- A vulnerability was found in PHPGurukul Men Salon Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/edit-services.php. The manipulation of the argument cost leads to sql injection. The attack m
CVE-2025-3691 -- A vulnerability was found in mirweiye Seven Bears Library CMS 2023. It has been classified as problematic. Affected is an unknown function of the component Add Link Handler. The manipulation leads to server-side request forgery. It is possible to launch t
CVE-2025-3692 -- A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /oews/classes/Master.php?f=save_product. The manipulation leads to cross site
CVE-2025-3693 -- A vulnerability was found in Tenda W12 3.0.0.5. It has been rated as critical. Affected by this issue is the function cgiWifiRadioSet of the file /bin/httpd. The manipulation leads to stack-based buffer overflow. The attack may be launched remotely. The e
CVE-2025-3694 -- A vulnerability classified as critical has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part of the component Login Handler. The manipulation of the argument login_email leads to sql injection. It
CVE-2025-3696 -- A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. This vulnerability affects unknown code of the file /search/search_stock. php. The manipulation of the argument Name leads to sql injectio
CVE-2025-3697 -- A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file /edit-product.php. The manipulation of the argument ID leads to sq
CVE-2025-3698 -- Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk.
CVE-2025-3723 -- A vulnerability was found in PCMan FTP Server 2.0.7 and classified as critical. This issue affects some unknown processing of the component MDTM Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit
CVE-2025-3724 -- A vulnerability was found in PCMan FTP Server 2.0.7. It has been classified as critical. Affected is an unknown function of the component DIR Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exp
CVE-2025-3725 -- A vulnerability was found in PCMan FTP Server 2.0.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component MIC Command Handler. The manipulation leads to buffer overflow. The attack can be launched r
CVE-2025-3726 -- A vulnerability was found in PCMan FTP Server 2.0.7. It has been rated as critical. Affected by this issue is some unknown functionality of the component CD Command Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. T
CVE-2025-3727 -- A vulnerability classified as critical has been found in PCMan FTP Server 2.0.7. This affects an unknown part of the component STATUS Command Handler. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit h
CVE-2025-3728 -- A vulnerability classified as critical was found in SourceCodester Simple Hotel Booking System 1.0. This vulnerability affects the function Login. The manipulation of the argument uname leads to buffer overflow. It is possible to launch the attack on the
CVE-2025-3729 -- A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file backup.php of the component Database Backup Handler. The manipulat
CVE-2025-3730 -- A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approach
CVE-2025-3733 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal baguetteBox.Js allows Cross-Site Scripting (XSS). This issue affects baguetteBox.Js: from 0.0.0 before 2.0.4, from 3.0.0 before 3.0.1.
CVE-2025-3734 -- Allocation of Resources Without Limits or Throttling vulnerability in Drupal Stage File Proxy allows Flooding. This issue affects Stage File Proxy: from 0.0.0 before 3.1.5.
CVE-2025-3735 -- Vulnerability in Drupal Panelizer (obsolete). This issue affects Panelizer (obsolete): *.*.
CVE-2025-3736 -- Vulnerability in Drupal Simple GTM. This issue affects Simple GTM: *.*.
CVE-2025-3737 -- Vulnerability in Drupal Google Maps: Store Locator. This issue affects Google Maps: Store Locator: *.*.
CVE-2025-3738 -- Vulnerability in Drupal Google Optimize. This issue affects Google Optimize: *.*.
CVE-2025-3739 -- Vulnerability in Drupal Drupal 8 Google Optimize Hide Page. This issue affects Drupal 8 Google Optimize Hide Page: *.*.
CVE-2025-39472 -- Cross-Site Request Forgery (CSRF) vulnerability in WPWeb WooCommerce Social Login allows Cross Site Request Forgery. This issue affects WooCommerce Social Login: from n/a through 2.8.2.
CVE-2025-39512 -- Cross-Site Request Forgery (CSRF) vulnerability in Yuya Hoshino Bulk Term Editor allows Cross Site Request Forgery. This issue affects Bulk Term Editor: from n/a through 1.1.4.
CVE-2025-39513 -- Missing Authorization vulnerability in ActiveDEMAND Online Agency Marketing Automation ActiveDEMAND allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ActiveDEMAND: from n/a through 0.2.46.
CVE-2025-39514 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through 3.0.0.
CVE-2025-39515 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tnomi Attendance Manager allows Stored XSS. This issue affects Attendance Manager: from n/a through 0.6.2.
CVE-2025-39516 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alan Petersen Author WIP Progress Bar allows DOM-Based XSS. This issue affects Author WIP Progress Bar: from n/a through 1.0.
CVE-2025-39517 -- Cross-Site Request Forgery (CSRF) vulnerability in WP Map Plugins Basic Interactive World Map allows Cross Site Request Forgery. This issue affects Basic Interactive World Map: from n/a through 2.7.
CVE-2025-39518 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite allows SQL Injection. This issue affects BMA Lite: from n/a through 1.4.2.
CVE-2025-39520 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham Checkout Files Upload for WooCommerce allows Stored XSS. This issue affects Checkout Files Upload for WooCommerce: from n/a through 2.2.0.
CVE-2025-39522 -- Missing Authorization vulnerability in Sebastian Lee Dynamic Post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dynamic Post: from n/a through 4.10.
CVE-2025-39524 -- Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in bPlugins Html5 Audio Player allows Stored XSS. This issue affects Html5 Audio Player: from n/a through 2.2.28.
CVE-2025-39525 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Logo Carousel Slider allows Stored XSS. This issue affects Logo Carousel Slider: from n/a through 2.1.3.
CVE-2025-39528 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS. This issue affects Rescue Shortcodes: from n/a through 3.1.
CVE-2025-39529 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin Cornett Scriptless Social Sharing allows Stored XSS. This issue affects Scriptless Social Sharing: from n/a through 3.2.4.
CVE-2025-39530 -- Cross-Site Request Forgery (CSRF) vulnerability in dsky Site Search 360 allows Stored XSS. This issue affects Site Search 360: from n/a through 2.1.7.
CVE-2025-39531 -- Missing Authorization vulnerability in slazzercom Slazzer Background Changer allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slazzer Background Changer: from n/a through 3.14.
CVE-2025-39538 -- Unrestricted Upload of File with Dangerous Type vulnerability in Mathieu Chartier WP-Advanced-Search allows Upload a Web Shell to a Web Server. This issue affects WP-Advanced-Search: from n/a through 3.3.9.3.
CVE-2025-39540 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP Flipclock allows DOM-Based XSS. This issue affects WP Flipclock: from n/a through 1.9.
CVE-2025-39543 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through 1.3.977.
CVE-2025-39544 -- Cross-Site Request Forgery (CSRF) vulnerability in Bill Minozzi WP Tools allows Path Traversal. This issue affects WP Tools: from n/a through 5.18.
CVE-2025-39545 -- Missing Authorization vulnerability in miniOrange WordPress REST API Authentication allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress REST API Authentication: from n/a through 3.6.3.
CVE-2025-39546 -- Cross-Site Request Forgery (CSRF) vulnerability in quomodosoft ElementsReady Addons for Elementor allows Cross Site Request Forgery. This issue affects ElementsReady Addons for Elementor: from n/a through 6.6.2.
CVE-2025-39547 -- Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Internal Link Optimiser allows Stored XSS. This issue affects Internal Link Optimiser: from n/a through 5.1.3.
CVE-2025-39548 -- Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Right Click Disable OR Ban allows Stored XSS. This issue affects Right Click Disable OR Ban: from n/a through 1.1.17.
CVE-2025-39549 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in whiletrue Most And Least Read Posts Widget allows Stored XSS. This issue affects Most And Least Read Posts Widget: from n/a through 2.5.20.
CVE-2025-39552 -- Missing Authorization vulnerability in Dylan James Zephyr Project Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zephyr Project Manager: from n/a through 3.3.200.
CVE-2025-39555 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andy_moyle Church Admin allows Stored XSS. This issue affects Church Admin: from n/a through 5.0.23.
CVE-2025-39556 -- Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel allows Retrieve Embedded Sensitive Data. This issue affects Mediavine Control Panel: from n/a through 2.10.6.
CVE-2025-39557 -- Unrestricted Upload of File with Dangerous Type vulnerability in Ben Ritner - Kadence WP Kadence WooCommerce Email Designer allows Upload a Web Shell to a Web Server. This issue affects Kadence WooCommerce Email Designer: from n/a through 1.5.14.
CVE-2025-39563 -- Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Payments for WooCommerce allows Cross Site Request Forgery. This issue affects Conditional Payments for WooCommerce: from n/a through 3.3.0.
CVE-2025-39564 -- Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Shipping for WooCommerce allows Cross Site Request Forgery. This issue affects Conditional Shipping for WooCommerce: from n/a through 3.4.0.
CVE-2025-39565 -- Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0.
CVE-2025-39566 -- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Hostel allows Blind SQL Injection. This issue affects Hostel: from n/a through 1.1.5.6.
CVE-2025-39570 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Lomu WPCOM Member allows PHP Local File Inclusion. This issue affects WPCOM Member: from n/a through 1.7.7.
CVE-2025-39571 -- Missing Authorization vulnerability in WPXPO WowStore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WowStore: from n/a through 4.2.4.
CVE-2025-39572 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Checkout for PayPal allows Stored XSS. This issue affects Checkout for PayPal: from n/a through 1.0.38.
CVE-2025-39573 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel allows Stored XSS. This issue affects WP Posts Carousel: from n/a through 1.3.10.
CVE-2025-39574 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Shortcodes allows Stored XSS. This issue affects Uix Shortcodes: from n/a through 2.0.4.
CVE-2025-39575 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSight WPCasa allows Stored XSS. This issue affects WPCasa: from n/a through 1.3.2.
CVE-2025-39576 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows Stored XSS. This issue affects WPAdverts: from n/a through 2.2.1.
CVE-2025-39577 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive allows Stored XSS. This issue affects PropertyHive: from n/a through 2.1.2.
CVE-2025-39578 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows Stored XSS. This issue affects Responsive Blocks: from n/a through 2.0.2.
CVE-2025-39579 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Membership For WooCommerce allows DOM-Based XSS. This issue affects Membership For WooCommerce: from n/a through 2.8.0.
CVE-2025-39581 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Shortcodes allows Stored XSS. This issue affects Themify Shortcodes: from n/a through 2.1.3.
CVE-2025-39582 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Passionate Programmer Peter WP Data Access allows DOM-Based XSS. This issue affects WP Data Access: from n/a through 5.5.36.
CVE-2025-39584 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter Eventin allows PHP Local File Inclusion. This issue affects Eventin: from n/a through 4.0.25.
CVE-2025-39585 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Travelfic Toolkit allows Stored XSS. This issue affects Travelfic Toolkit: from n/a through 1.2.1.
CVE-2025-39589 -- Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper Essential Addons for Elementor allows Retrieve Embedded Sensitive Data. This issue affects Essential Addons for Elementor: from n/a through 6.1.9.
CVE-2025-39590 -- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor allows Stored XSS. This issue affects Essential Addons for Elementor: from n/a through 6.1.9.
CVE-2025-39591 -- Missing Authorization vulnerability in WP Shuffle WP Subscription Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscription Forms: from n/a through 1.2.3.
CVE-2025-39592 -- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through 1.3.
CVE-2025-39593 -- Cross-Site Request Forgery (CSRF) vulnerability in EverAccounting Ever Accounting allows Cross Site Request Forgery. This issue affects Ever Accounting: from n/a through 2.1.5.
CVE-2025-39597 -- URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Arthur Yarwood Fast eBay Listings allows Phishing. This issue affects Fast eBay Listings: from n/a through 2.12.15.
CVE-2025-39598 -- Path Traversal vulnerability in Quý Lê 91 Administrator Z allows Path Traversal. This issue affects Administrator Z: from n/a through 2025.03.28.
CVE-2025-39599 -- URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Webilia Inc. Listdom allows Phishing. This issue affects Listdom: from n/a through 4.0.0.
CVE-2025-39600 -- Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for WooCommerce and QuickBooks allows Cross Site Request Forgery. This issue affects Integration for WooCommerce and QuickBooks: from n/a through 1.3.1.
CVE-2025-39601 -- Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP allows Remote Code Inclusion. This issue affects Custom CSS, JS & PHP: from n/a through 2.4.1.
CVE-2025-39602 -- Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Product Table Lite: from n/a through 3.9.5.
CVE-2025-43703 -- An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute o
CVE-2025-43704 -- Arctera/Veritas Data Insight before 7.1.2 can send cleartext credentials when configured to use HTTP Basic Authentication to a Dell Isilon OneFS server.
Internals of Dirty COW Linux vulnerability and its variants Part 1: https://u1f383.github.io/linux/2025/03/27/the-evolution-of-COW-1.html… Part 2: https://u1f383.github.io/linux/2025/03/29/the-evolution-of-COW-2.html… Credits @u1f383 #infosec #Linux -- 0xor0ne
Collection of, blog posts, write-ups and papers related to cybersecurity, reverse engineering and exploitation https://github.com/0xor0ne/awesome-list/blob/main/topics/cybersec.md… #infosec -- 0xor0ne
Android Scudo heap allocator internals https://technologeeks.com/blog/Scudo/ #infosec -- 0xor0ne
Exploiting XiongMai’s uc-httpd https://modzero.com/en/blog/roping-our-way-to-rce/… Credits @mod0 #infosec -- 0xor0ne
European cybersecurity company NVISO published a report with new findings on BRICKSTORM, a backdoor linked to the China-nexus cluster UNC5221 previously believed to target Linux vCenter servers. https://infosecurity-magazine.com/news/china-hackers-brickst -- 780thC
NVISO analyzes BRICKSTORM espionage backdoor: https://nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor… @NVISOsecurity -- 780thC
People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies April 15, 2025, Government of Canada | -- 780thC
Iran’s AI Ambitions: Balancing Economic Isolation with National Security Imperatives | https://recordedfuture.com/research/irans-ai-ambitions-balancing-economic-isolation-national-security-imperatives… @RecordedFuture -- 780thC
This is NOT for my followers. Most if not all of my followers know this so I’m throwing this out there for the other people online who don’t know. I hope it helps at least one person (mom) -- alvieriD
X Public Service Announcement Did you know that confirming that you are not a bot can get you phished? Beware - I’m seeing more and more of these fake Cloudflare bot checks that execute run commands if you click. #ClickFix @Cloudflare -- alvieriD
Ahoy! Our 2025 Call for Papers is now open! We're huntin’ treasure and that treasure be your talk. If you’ve got an idea burning hotter than a cannon blast, we want to hear it. Submit a proposal now at https://cfp.bsides-bournemouth.org/bsides-bournemou -- bushidotoken
here we go again -- bushidotoken
Over 16,000 Fortinet devices compromised with symlink backdoor - @LawrenceAbrams https://bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/… -- bushidotoken
The mass exploitation of 16k Fortinet devices is very reminiscent to me of the Cisco IOS XE campaign in 2023 or the campaign against MS Exchange servers in 2021 -- bushidotoken
Therefore, the starting point and prime suspects in this case are, once again, Chinese state-sponsored threat actors -- bushidotoken
Update on the LabHost phishing service takedown: https://rcmp.ca/en/news/2025/04/project-nova-canadian-law-enforcement-continues-disruption-criminal-labhost-users… -- bushidotoken
Streamlining detection engineering in security operation centers (SOC): best practices and performance measurement https://kas.pr/k8fu -- e_kaspersky
FalconFeeds now tracks victim-reported threats in real time. Not recycled data. Not actor claims. Just raw, early intel—straight from the source. Faster alerts Direct breach disclosures Deeper context All before threat chatter begins. Want in? Get f -- FalconFeedsio
Ransomware Alert: Global Media Group, a Portuguese media holding company, has been listed as a victim of the Nitrogen Ransomware. The compromised data includes financial reports, employee personal information, confidential company data, and contracts. -- FalconFeedsio
DDoS Alert: NoName claims to have targeted multiple websites in Ukraine. - RESPECT - TAS Insurance Group - Ukrainian Agrarian Insurance Company -- FalconFeedsio
Alert: New Hacktivist Alliance LulzSec Arabs and Anonymous Jordan have officially announced a new alliance. -- FalconFeedsio
The notable developments in the ransomware ecosystem in the first quarter of 2025 range from a nation-state ransomware threat actor acting as a ransomware-as-a-service (RaaS) affiliate to deploy commodity ransomware for the first time to another threat ac -- MsftSecIntel
Microsoft recommends users and organizations to build credential hygiene, apply principle of least privilege, and employ Zero Trust to better protect against ransomware attacks. Check this page for more information and guidance: -- MsftSecIntel
In this episode of the Microsoft Threat Intelligence Podcast, @sherrod_im is joined by security researchers Anna Seitz and Sara Pfabe to discuss their insights on how Star Blizzard shifts their techniques, as well as the impact of the said changes. -- MsftSecIntel
However, the QR code is used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal. If the target follows the instructions on the page, the threat actor could gain access to messages in their WhatsApp account & exfiltrate dat -- MsftSecIntel
Learn more by listening to the full podcast episode. Also, read about Star Blizzard from our past blog post: -- MsftSecIntel
Microsoft Defender Experts (DEX) has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. -- MsftSecIntel
PetyaX #Ransomware FEF8D089A4C1EDC55E5422609B86D508 5D06542246540BA9E204C5A540DBD4DA 6B4C5EEDAB53DAEDDE9B2DA6BC085BFD CFE8248AA4373C046B1B6DF97C754EFB C:\Users\novod\source\repos\PetyaXWPF\PetyaXWPF\obj\Release\net8.0-windows\win-x64\PetyaX.pdb -- siri_urz
Amos Stealer New Variant ? Contains string "MacOS Stealer by mentalpositive" Installer_v.1.12.dmg f93be429a213f2ea8aef277862a8e8bf C2 gq8ruzk1h3a8[.]cfd -- suyog41
IAX Stealer Trojanized Hey Real AI HeyRealSetup.exe ca4ff73dfbde570b4a82867292a6ecd6 SABlAHkAUgBlAGEAbAAuAGUAeABlAA== H e y R e a l . e x e d5b74c59d31cc0e2aa6d3d2a50267447 Telegram t[.]me/s/iax_stealer HeyRealSetup(1).7z 0914bb00ef2173506ba5ebe66b -- suyog41
AMOS Stealer update 308c24e004185a20d94ce92fcbc212ff 9d7fae4405dce220040c66a311cccb7d 0084dc8f7d6ec3244ba2d2bdb899a761 Installer_v.4.94.dmg 9ef4a38b202a3f40868e5b1a8d6ca77f Installer 0d3c885f4ad550ef28861e4e51947c05 Setup_v.3.60.dmg 4ad30a5d1d7916d1ca -- suyog41
Braodo Stealer Member-list-request-travel-SGA-Group.rar 98332cd4d11656b241a01e02ade712fd All-Sample-order-list-design-quantity.bat 1190c7b93aa203a357403e0ae1363636 download payload & python library from https://github[.]com/eed8989 All-Sample-order-li -- suyog41
Braodo Stealer x-ray-health-record.rar 7215ebfd49bfb549bb7f8aa514c4c2ab x-ray-health-record.bat 29b59c8cf50f3a0ab350063ce08eca43 download payload & python library from https://github[.]com/eed8989 -- suyog41
New Crypto24 Ransomware Group Well, no, not really This is a data sharing platform No strain found - 5 new victims listed; 3 previously leaked by others Title Tag - Public Data Storage /j5o5y2feotmhvr7cbcp2j2ewayv5mn5zenl3joqwx67gtfchhezjznad[.]onion -- TLP_R3D
Our analysis of a phishing campaign examines multistage malware. The malware is delivered via fake order release emails, leading to installation of Agent Tesla variants, Remcos RAT or XLoader. https://bit.ly/42CrWPP -- unit42_intel
Multiple domains leveraging #DNS #tunneling have been probing the Internet for public IPv4/IPv6 resolvers. Lacking TXT/PTR records, the associated DNS traffic is highly suspicious. These #scans began in Jan 2025 and peaked earlier this week. More info at -- unit42_intel
We've seen persistence in #CVE202427564 #SSRF probes for vulnerable ChatGPT servers, requesting /etc/passwd and URLs using OAST domains. Increase of probes hitting Education (16.6%) and Manufacturing (8%) since Feb 2025. Details at https://bit.ly/4j5tvwJ -- unit42_intel
We found a campaign using domains spoofing the United States IRS. The FQDNs present a fake CAPTCHA-style page that uses #pastehijacking and instructs viewers to paste a malicious script into a run window. HTML pages have comments in Russian. Details at ht -- unit42_intel
Cybersecurity firm buying hacker forum accounts to spy on cybercriminals - @billtoulas https://bleepingcomputer.com/news/security/cybersecurity-firm-buying-hacker-forum-accounts-to-spy-on-cybercriminals/… -- 3xp0rtblog
An RCE in a certain EDR that I dug up a long time ago -- 58_158_177_102
@BSidesNYC CFP is open: https://bsidesnyc.org/cfp/ We are accepting for: Technical Talks - Topics from red team to blue team to privacy & policy Technical Workshop - Longer session of hands-on exercises Entrepreneur Talks - Your lessons from runni -- aboutsecurity
"RIDE OR DIE" - Can anyone label this malware? Seems to be a NodeJS executable. Tagged as #NodeLoader Botnet C2s 5.252.153.120:3000 66.63.187.72:3000 85.209.153.84:3000 95.164.53.146:3000 Dropping -- abuse_ch
We’re pumped to be a Gold Sponsor at Pivotcon this year with our partner @SpamhausTech ! This event is the REAL DEAL. It’s organized by threat analysts, for threat analysts and offers tons of value! And there’s less than a month to wait! Let’s go! -- abuse_ch
Based on data from 15,000 companies, #ANYRUN's Q1 '25 Malware Trends Report offers insights into the most widespread #malware families, APTs, phishkits, #TTPs, and more Save hours of research and improve your company's threat awareness -- anyrun_app
Explore Threat Intelligence Reports from #ANYRUN. Discover detailed research on active cyber threats and APTs with actionable insights, #IOCs, & #TTPs. Enrich proactive security, report on #APT41 inside -- anyrun_app
Big news: You can now integrate #ANYRUN's products via SDK. Automate routine tasks, speed up triage, response, & threat hunting, and boost detection rate. See how you can simplify and improve the work of your SOC team -- anyrun_app
#WormLocker Returns with New Builds. First detected in 2021, this #ransomware remains active, with new samples recently identified. With #ANYRUN Sandbox, analysts can trace the full execution chain and uncover #malware behavior without the need for reve -- anyrun_app
#kimsuky Similarity Comparison https://genians.co.kr/blog/threat_intelligence/apt-attacks-martial-law… -- blackorbird
Malicious #NPM Campaign #Lazarus C2 Web Panel http://{IP}:1224/keys or /pdown + http://{IP}:1245/login + XAMPP + HTML Title = L-Administrator https://threatbook.io/ip/107.189.20.152… -- blackorbird
BeaverTail & InvisibleFerret Analysis from Slovenia CERT #Lazarus https://cert.si/tz016/ -- blackorbird
Summary of the DOGE whistleblower claim (because the thread is long and reads like a script): - DOGE gets “tenant owner” rights in Azure, with full control over NLRB cloud infra – no logs, no questions - Logs and security controls are disabled (Network W -- cyb3rops
THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read. He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords Media's coverage wasn't deta -- cyb3rops
the engagement rate of the whistleblower thread is crazy: -- cyb3rops
The MS Exchange campaign (HAFNIUM and the following) was different. We had visibility, IOCs, and real ways to investigate. With these locked-down appliances, defenders get: - vague log guidance via clunky web UIs - tools like “integrity checkers” - patch -- cyb3rops
#NorthKorea #Konni Threat actors using North Korean language https://genians.co.kr/blog/threat_intelligence/konni_disguise… -- cyberwar_15
My first blog with Proofpoint is live! And we love a good crossover. State-sponsored actors try their hand at ClickFix - the hottest thing in cybercrime. Meet the North Koreans, Iranians, and Russians who are upping their social engineering game -- DrunkBinary
This hurts... Please don't: - Let AI create infographics - Post them with AI created slop text - Claim you created the infographic - Delete any comments with constructive feedback - Let rundll3.exe or certufl.exe run, it probably isn't good despite what -- DrunkBinary
How to spot a penetration tester. #ThreatHunting #DFIR -- DrunkBinary
bats eat mosquitoes. they are friends. stop screaming, they don't want your blood or your drama -- DrunkBinary
The UK is a tyrannical authoritarian police state with a rapidly declining human rights index score, complete lack of freedom and is becoming an example for countries around the world looking to end free speech, freedom and human rights. -- hackerfantastic
Meanwhile in The UK Footage of another English Man being arrested over a Post on X -- hackerfantastic
Telegram Channel Scraper: A powerful Python script that allows you to scrape messages and media from Telegram channels using the Telethon library. Features include real-time continuous scraping, media downloading, and data export capabilities. Link: http -- hackerfantastic
How can you assess your #SOC maturity & #AI readiness? Ask about: Alert volume + analyst constraints Automation + incident response workflows Data visibility + tool integration Check out the full list of questions & take our quiz here. -- IntezerLabs
Come help me create mechanical advantage in defense. If you love threat hunting, learning from incidents, building new ways to find attackers, and empowering others, this may be the perfect job for you. Help expand defense from the relational world of -- ItsReallyNick
#malware #opendir at: http://176.65.134\.79/HOST/ -- james_inthe_box
#snakekeylogger c2: mail.alnozha-qa\.com -- james_inthe_box
Dear @Apple If you were so hot on getting us to reboot our phones for security, then why do you only have a Shutdown option? I can't be the only person who shut down the phone, set it down, only to realize hours later it's been off. Do better. -- james_inthe_box
Looks like @Zoom is down -- james_inthe_box
#phishing m365 targeting energy & renewable companies - landing on onenote of compromised m365 account of 850 employees oil&gas (dm for url) - s://mangotech.cloud/me/ @JAMESWT_WT @illegalFawn @phishunt_io @PhishKitTracker @ActorExpose -- luc4m
not #MalwareChallenge but DLL sideloading abuse of signed EXE @Cryptolaemus1 @executemalware @HazMalware @James_inthe_box @JAMESWT_MHT @JRoosen @lazyactivist192 -- luc4m
#MalwareChallenge Abuse of signed EXE for DLL sideloading Benign "hpreader.exe" when loading "msimg32.dll" from System32 https://virustotal.com/gui/file/08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2/… -- luc4m
If you look at the IoCs list of that Check Point article (published 15th this month), you can see these mentioned files. The "wine\.zip", one "ppcore.dll" and one "AppvIsvSubsystems64.dll" with their hashes were mentioned here (tweeted on March 13): https -- malwrhunterteam
We caught an APT29 sample a month before most AV engines even blinked Sample: https://virustotal.com/gui/file/adfe0ef4ef181c4b19437100153e9fe7aed119f5049e5489a36692757460b9f8/community… -- malwrhunterteam
ihsue.teiehram[.]org -- malwrhunterteam
"Full-version\.zip": cfbc2fcc8a5188d3f66a0e2b2a594db3235595c4d7b92daac86f88dcd531fe7e -> "UZWQKZQO.msi": 329f64bb5413cb69ed61dcdcafd3686782d8ac163301de64ff60ba158f35b5c9 From: https://krastrikt[.]sbs/UZWQKZQO.msi games1-server[.]cfd -- malwrhunterteam
"RuntimeBroker.bat": efdac24fbd0a8397511c998d4a6a1a5db291e34b4a2f59b208ae334450e75d95 191.96.166[.]73 @X__Junior @cyb3rops -- malwrhunterteam
Another example for the same C2 IP, "popeyes.bat": 2b4bebb36e7e9b5e193aa50fa8aae9826d0b8358095e83eade56cefbcb02c42a One AV detected it on VT... and there are 3 @thor_scanner comments. -- malwrhunterteam
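The indicator posts in this feed (suyog41's stealer hashes and C2, james_inthe_box's open directory and C2 hosts, abuse_ch's NodeLoader botnet C2s, malwrhunterteam's SHA-256s and IP, TLP_R3D's .onion) all defang the same way: `[.]` or `\.` for dots, sometimes `hxxp` for `http`. The extractor below is an added example, not code from any of those accounts: it refangs a post and pulls out hashes, IPv4 addresses (with optional port), URLs and hostnames. It takes a hostname only when the author defanged at least one dot, which is how the posts themselves separate an indicator from a filename or a version string such as Installer_v.1.12.dmg. The sample posts are constructed in the style of the feed; the `s://` shorthand seen in one post is left alone because it is ambiguous.

```python
import re
from collections import defaultdict

# Defanging conventions seen in the feed: example[.]com, example(.)com, example\.com, hxxp://, [:]
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\\\.")
DEFANGED_HOST = re.compile(r"(?:[A-Za-z0-9-]+(?:\[\.\]|\(\.\)|\\\.|\.))+[A-Za-z]{2,}")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
SHA1 = re.compile(r"\b[0-9a-fA-F]{40}\b")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b(?::\d{{1,5}})?")  # optional :port, as in C2 lists
URL = re.compile(r"https?://[^\s\"'<>]+")


def refang(text: str) -> str:
    """Undo the common defanging conventions so the indicators become usable strings."""
    text = DEFANG_DOT.sub(".", text)
    text = re.sub(r"\[:\]", ":", text)
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text


def extract_iocs(post: str) -> dict[str, list[str]]:
    """Indicators from one post, keyed by kind, sorted and de-duplicated."""
    found: dict[str, set[str]] = defaultdict(set)
    # Hostnames: only tokens the author bothered to defang, matched before refanging so
    # plain filenames and version numbers in the same post are not mistaken for domains.
    for m in DEFANGED_HOST.finditer(post):
        if DEFANG_DOT.search(m.group(0)):
            found["domain"].add(refang(m.group(0)).lower())
    clean = refang(post)
    # Word boundaries keep a 32-hex MD5 pattern from matching inside a 64-hex SHA-256.
    for kind, pattern in (("sha256", SHA256), ("sha1", SHA1), ("md5", MD5)):
        found[kind].update(h.lower() for h in pattern.findall(clean))
    found["ipv4"].update(IPV4.findall(clean))
    found["url"].update(URL.findall(clean))
    return {kind: sorted(values) for kind, values in found.items() if values}


def extract_from_feed(posts: list[str]) -> dict[str, list[str]]:
    """Merge the indicators of many posts into one sorted set per kind."""
    merged: dict[str, set[str]] = defaultdict(set)
    for post in posts:
        for kind, values in extract_iocs(post).items():
            merged[kind].update(values)
    return {kind: sorted(values) for kind, values in merged.items()}


# Constructed sample posts written in the style of the feed above (not the original lines).
SAMPLE_POSTS = [
    "Amos Stealer new variant Installer_v.1.12.dmg f93be429a213f2ea8aef277862a8e8bf C2 gq8ruzk1h3a8[.]cfd",
    "#malware #opendir at: http://176.65.134\\.79/HOST/",
    "#snakekeylogger c2: mail.alnozha-qa\\.com",
    '"RuntimeBroker.bat": efdac24fbd0a8397511c998d4a6a1a5db291e34b4a2f59b208ae334450e75d95 191.96.166[.]73',
    "Botnet C2s 5.252.153.120:3000 66.63.187.72:3000",
    "download payload & python library from hxxps://github[.]com/example-user",
    "Public Data Storage /j5o5y2feotmhvr7cbcp2j2ewayv5mn5zenl3joqwx67gtfchhezjznad[.]onion",
]

if __name__ == "__main__":
    for kind, values in extract_from_feed(SAMPLE_POSTS).items():
        print(kind, values)
```

Feeding the result into a blocklist still needs a human step: a defanged github.com in a post about a payload host is an indicator of the campaign, not a domain to block, and the extractor makes no such judgement.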
This was some fun research for our team to work on! It really gives you a good introspective into how Black Basta functioned! -- Max_Mal_
During the past few months, criminals have registered several tax return-themed domains. These domains host #phishing and #scam sites that take advantage of #TaxReturn season. Stay alert! Verify sites that claim to be the IRS or tax services. More info at -- Max_Mal_
This was useful to me today. My client's system for some reason HATES anything using ldap3 (EDR?), so this was the only Linux-based LDAP tool that worked for me -- mrd0x
msldap new release on GitHub and pip. Improved BloodHound data gathering - still not in the quality I like, PR welcome - ADExplorer conversion to BloodHound zip feature added; the parser part is inspired by @c3c's https://github.com/c3c/ADExplorerSnapshot. -- mrd0x
Get ready for this year's Sleuthcon by listening to the episode of THE Microsoft Threat Intelligence podcast all about ScumBots with Paul Melson! https://thecyberwire.com/podcasts/microsoft-threat-intelligence/17/notes… -- pmelson
We are excited to announce our 2025 SLEUTHCON keynote speaker: @pmelson, VP of Cybersecurity at Capital One and author/operator of @ScumBots With over two decades of experience defending networks and disrupting adversaries, Paul brings unmatched insight -- pmelson
Recently, the #Konni #APT group has used a large number of #compromised websites to transmit information of infected hosts. ausbildungsbuddy[.]de https://i.secai.ai/research/ausbildungsbuddy.de……absongkhla[.]com https://i.secai.ai/research/absongkhla.com -- ShadowChasing1
The #Lazarus #APT group disguised as NPM malicious packages to carry out the supply chain attack. 107.189.16[.]122:1224 107.189.16[.]176:1224 107.189.20[.]152:1224 https://threatbook.io/ip/107.189.16.122… https://threatbook.io/ip/107.189.16.176… https://t -- ShadowChasing1
campaign's C2 infra 🅗🅐🅣🅔🅢 to see Prashil coming https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/… -- ShadowChasing1
Andy Piazza (@klrgrz), senior director for threat research at Unit 42, says North Korean groups " . . . have the capability to be focused on that OPSEC, to be focused on that persistence capability." Read more details of our #TraderTraitor research on @W -- ShadowChasing1
Curious about how attackers could move through your environment? Book a personalized BloodHound Enterprise demo w/ our team at #RSAC and find out where you're exposed. Reserve your demo now! https://ghst.ly/rsa-2025 -- specterops
Stop guessing about your security gaps. Schedule a BloodHound Enterprise demo at #RSAC to see how you can uncover hidden attack paths and strengthen your defenses where it matters most. Reserve a spot https://ghst.ly/rsa-2025 -- specterops
We are hiring a Services Sales Engineer with offensive/defensive security operations experience. Join our team and help customers discover how we can strengthen their security posture. Apply today! https://ghst.ly/44gIYWn -- specterops
Getting started w/ Mythic? We've got you covered. @its_a_feature_ walks through the web UI basics, login process, & how to configure your default username/password. Check it out! https://ghst.ly/user-interface Watch the full series: https://ghst.ly/myt -- specterops
When: April 30, 6-9pm Where: Bourbon & Branch, San Francisco What: Join us at #RSAC for an evening of craft cocktails, delicious bites, and security talk. Space is limited - RSVP today & receive the secret password via Telegram: https://ghst.ly/hh-rsa -- specterops
In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices: http://cs.co/60172KrsF -- talossecurity
Hazel, Azim and Lexi discuss some of the most prolific ransomware techniques and groups — and why LockBit may end this year very differently to how they ended 2024. Listen to the full episode: http://cs.co/60172EeHb -- talossecurity
Cisco Talos has uncovered the XorDDoS controller and its global impact. This sophisticated malware targeted over 70% of its attacks on the U.S., and a new "VIP version" is available to threat actors. Read the full blog now: http://cs.co/60102Kn1y -- talossecurity
In 2024, the education sector faced the brunt of ransomware attacks. Explore our summary for in-depth insights, including the methods ransomware actors are using to slip past defenses with minimal noise: https://blog.talosintelligence.com/year-in-review- -- talossecurity
Thank you to everyone who has submitted their reports so far! We're already seeing some excellent candidates and appreciate you getting these in promptly. For those still working, please note this is the last weekend before the deadline on Monday, April -- TheDFIRReport
New #ClickFix scam targets US users with fake MS Defender and CloudFlare pages. The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce. The #phishing page loads only for US-based victims, as -- virusbtn
The Cyber Threat Alliance is once again partnering the Virus Bulletin conference Threat Intelligence Practitioners Summit (TIPS) and is seeking proposals for presentations. The theme for the VB2025 TIPS track is Community Driven Threat Defense. Details at -- virusbtn
Zscaler researchers present the second part of a series on Mustang Panda tools. This time they analyse two new keyloggers, PAKLOG and CorKLOG, as well as an EDR evasion driver (SplatCloak). https://zscaler.com/blogs/security-research/latest-mustang-panda- -- virusbtn
Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware like Agent Tesla variants, Remcos RAT or XLoader. This multi-layered attack chain leverages multiple execution paths to evade detection and complicate analysis. https://u -- virusbtn
Since the appearance of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload. https://b -- virusbtn
More information: -- vxunderground
We've got a 0day exploit. The 0day impacts an organization which provides managed services for Danone, SeaGate, Unity, Shopify, Paramount Pictures, HubSpot, Amazon, PWC, Yamaha, L'Oreal The exploit was reported, but the vendor ignored it. Chat, do we d -- vxunderground
The zero day (because people keep asking me but we've already made the post): -- vxunderground
In 2024, 2 security researchers discovered a flaw in Bubble-dot-io, a self-described AI-based app development and publishing service. Upon discovering the vulnerability, these 2 researchers notified Bubble. Unfortunately, for whatever reason, this fell -- vxunderground