LiveActive security incident?Get immediate response
CVE archive

February 2025

Browse CVE records published in February 2025, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2891 matching CVEs · Page 3 of 58.

Medium · CVSS 4.7

CVE-2025-0545: XSS in Tekrom Technology's T-Soft E-Commerce

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tekrom Technology T-Soft E-Commerce allows Cross-Site Scripting (XSS). This issue affects T-Soft E-Commerce: before v5.

Published Feb 24, 2025 · Updated Jun 6, 2026

Medium · CVSS 5.7

CVE-2025-1035: Path Traversal in Komtera Technolgies' KLog Server

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1.

Published Feb 18, 2025 · Updated Jun 6, 2026

Critical · CVSS 9.8

CVE-2025-5319: SQLi in Emit Informatics' DIGITA Efficiency Management System

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency Management System: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 3, 2026 · Updated Jun 5, 2026

Critical · CVSS 9.8

CVE-2025-5329: SQLi in Martcode Software's Delta Course Automation

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection. This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 4, 2026 · Updated Jun 5, 2026

High · CVSS 8.6

CVE-2025-6397: XSS in Ankara Hosting's web site

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 3, 2026 · Updated Jun 5, 2026

High · CVSS 8.7

CVE-2025-6967: Authentication Bypass in Sarman Soft's CMS

Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass. This issue affects CMS: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 10, 2026 · Updated Jun 5, 2026

High · CVSS 8.8

CVE-2025-7347: IDOR in Dinibh Puzzle's Dinibh Patrol Tracking System

Authorization Bypass Through User-Controlled Key vulnerability in Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System allows Exploitation of Trusted Identifiers. This issue affects Dinibh Patrol Tracking System: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 10, 2026 · Updated Jun 5, 2026

Medium · CVSS 5.3

CVE-2025-7630: OTP Password Brute Forcing in DorukNet's Wispotter

Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force. This issue affects Wispotter: from 1.0 before v2025.10.08.1.

Published Feb 18, 2026 · Updated Jun 5, 2026

High · CVSS 8.6

CVE-2025-7631: Time-Based Blind SQLi in Tumeva Internet Technologies' Tumeva Prime News Software

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software allows SQL Injection. This issue affects Tumeva Prime News Software: from v.1.0.1 before v1.0.2.

Published Feb 17, 2026 · Updated Jun 5, 2026

High · CVSS 8.8

CVE-2025-7636: SQLi in Ergosis Security Systems' ZEUS PDKS

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS allows SQL Injection. This issue affects ZEUS PDKS: from <1.0.5.10 through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 10, 2026 · Updated Jun 5, 2026

Medium · CVSS 6.1

CVE-2025-7706: Improper Access Control in TUBITAK BILGEM's Liderahenk

Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion. This issue affects Liderahenk: from 3.0.0 to 3.3.1 before 3.5.0.

Published Feb 17, 2026 · Updated Jun 5, 2026

Medium · CVSS 6.8

CVE-2025-7708: Sensitive Data Exposure in Atlas Software's k12net

Insertion of Sensitive Information Into Sent Data vulnerability in Atlas Educational Software Industry Ltd. Co. K12net allows Communication Channel Manipulation. This issue affects k12net: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 9, 2026 · Updated Jun 5, 2026

High · CVSS 7.6

CVE-2025-7760: Reflected XSS in Ofisimo's Association Web Package Flora

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 3, 2026 · Updated Jun 5, 2026

Critical · CVSS 9.8

CVE-2025-8025: Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP

Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 11, 2026 · Updated Jun 5, 2026

Medium · CVSS 6.5

CVE-2025-8303: XSS in EKA Software's Real Estate Script V5 (With Doping Module – Store Module – New Language System)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. Real Estate Script V5 (With Doping Module – Store Module – New Language System) allows Cross-Site Scripting (XSS). This issue affects Real Estate Script V5 (With Doping Module – Store Module – New Language System): through 17022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 17, 2026 · Updated Jun 5, 2026

Medium · CVSS 6.3

CVE-2025-8308: Reflected XSS in Key Software's INFOREX

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Key Software Solutions Inc. INFOREX- General Information Management System allows XSS Through HTTP Headers. This issue affects INFOREX- General Information Management System: from 2025 and before through 18022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 18, 2026 · Updated Jun 5, 2026

Critical · CVSS 9.8

CVE-2025-8350: Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS

Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting. This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 19, 2026 · Updated Jun 5, 2026

High · CVSS 7.6

CVE-2025-8456: Reflected XSS in Kod8 Software's Kod8 Individual and SME Website

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 3, 2026 · Updated Jun 5, 2026

High · CVSS 7.6

CVE-2025-8461: Reflected XSS in Seres Software's syWEB

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 3, 2026 · Updated Jun 5, 2026

High · CVSS 8.6

CVE-2025-8587: Time-Based Blind SQLi in AKCE Software's SKSPro

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026.

Published Feb 2, 2026 · Updated Jun 5, 2026

High · CVSS 7.6

CVE-2025-8589: Reflected XSS in AKCE Software's SKSPro

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026.

Published Feb 3, 2026 · Updated Jun 5, 2026

High · CVSS 7.5

CVE-2025-8590: Information Disclosure in AKCE Software's SKSPro

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing. This issue affects SKSPro: through 07012026.

Published Feb 3, 2026 · Updated Jun 5, 2026

Critical · CVSS 9.4

CVE-2025-8668: Reflected XSS in E-Kalite Software Hardware Engineering's Turboard

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard allows Reflected XSS. This issue affects Turboard: from 2025.07 before 2026.02.  NOTE: This CVE record updated after the vendor implemented mitigations.

Published Feb 11, 2026 · Updated Jun 5, 2026

High · CVSS 7.3

CVE-2025-9062: IDOR in MeCODE Informatics' Envanty

Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection. This issue affects Envanty: before 1.0.6.   NOTE: The vendor was contacted early about this disclosure but did not respond in any way. The vulnerability was learned to be remediated through reporter information and testing.

Published Feb 19, 2026 · Updated Jun 5, 2026

High · CVSS 7.3

CVE-2025-10463: Improper Authentication in Birtech Information Technologies' Sensaway

Improper Authentication vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Authentication Abuse. This issue affects Senseway: through 09022026.  NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology.

Published Feb 9, 2026 · Updated Jun 5, 2026

Medium · CVSS 6.5

CVE-2025-10464: Cleartext password storage in Birtech Information Technologies' Sensaway

Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data. This issue affects Senseway: through 09022026. NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology.

Published Feb 9, 2026 · Updated Jun 5, 2026

High · CVSS 8.8

CVE-2025-10465: Unrestricted File Upload in Birtech Information Technologies' Sensaway

Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway allows Upload a Web Shell to a Web Server. This issue affects Sensaway: through 09022026. NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology.

Published Feb 9, 2026 · Updated Jun 5, 2026

Medium · CVSS 5.4

CVE-2025-10912: IDOR in saastech.io's TemizlikYolda

Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables. This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 11, 2026 · Updated Jun 5, 2026

High · CVSS 8.3

CVE-2025-10913: XSS in saastech.io's TemizlikYolda

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Cross-Site Scripting (XSS). This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 11, 2026 · Updated Jun 5, 2026

Critical · CVSS 9.8

CVE-2025-10969: SQLi in Farktor Software's E-Commerce Package

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection. This issue affects E-Commerce Package: through 27112025.

Published Feb 12, 2026 · Updated Jun 5, 2026

Critical · CVSS 9.8

CVE-2025-11242: SSRF in Teknolist Computer's Okulistik

Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade Inc. Okulistik allows Server Side Request Forgery. This issue affects Okulistik: through 21102025.

Published Feb 10, 2026 · Updated Jun 4, 2026

Critical · CVSS 9.8

CVE-2025-11251: SQLi in Dayneks Software's E-Commerce Platform

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection. This issue affects E-Commerce Platform: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Feb 27, 2026 · Updated Jun 4, 2026

Critical · CVSS 9.8

CVE-2025-11252: SQLi in Signum Technologies' windesk.fm

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection. This issue affects windesk.Fm: before v2.3.4.  NOTE:  The vendor patched the vulnerability after the CVE was published.

Published Feb 27, 2026 · Updated Jun 4, 2026

Medium · CVSS 6.3

CVE-2025-11950: Reflected XSS in Knowhy's EduAsist

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. EduAsist allows Reflected XSS. This issue affects EduAsist: before v2.1.

Published Feb 27, 2026 · Updated Jun 4, 2026

High · CVSS 7.2

CVE-2025-0957: Vulnerability: SMTP for Amazon SES <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs

The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published Feb 22, 2025 · Updated Jun 4, 2026

High · CVSS 7.2

CVE-2025-0953: SMTP for Sendinblue – YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs

The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published Feb 22, 2025 · Updated Jun 4, 2026

High · CVSS 7.2

CVE-2025-0918: SMTP for SendGrid – YaySMTP <= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs

The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published Feb 22, 2025 · Updated Jun 4, 2026

Critical · CVSS 9.8

CVE-2025-12059: Improper Access Control in Logo Software's Logo j-Platform

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Logo Software Industry and Trade Inc. Logo j-Platform allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Logo j-Platform: from 3.29.6.4 before 3.34.8.9.

Published Feb 11, 2026 · Updated Jun 4, 2026

High · CVSS 8.2

CVE-2025-13002: XSS in Farktor Software's E-Commerce Package

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS). This issue affects E-Commerce Package: through 27112025.

Published Feb 12, 2026 · Updated Jun 4, 2026

Medium · CVSS 6.3

CVE-2025-13004: IDOR in Farktor Software's E-Commerce Package

Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables. This issue affects E-Commerce Package: through 27112025.

Published Feb 12, 2026 · Updated Jun 4, 2026

Critical · CVSS 9.8

CVE-2025-14014: Insecure File Upload in NTN Informatics' Smart Panel

Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Smart Panel: before 20251215.

Published Feb 12, 2026 · Updated Jun 4, 2026

High · CVSS 8.8

CVE-2025-14349: Business Logic Error in Universal Software's FlexCity/Kiosk

Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.

Published Feb 13, 2026 · Updated Jun 4, 2026

Medium · CVSS 6.4

CVE-2025-0506: Rise Blocks – A Complete Gutenberg Page Builder <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via TitleTag Parameter

The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titleTag parameter in all versions up to, and including, 3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published Feb 12, 2025 · Updated Jun 3, 2026

Low · CVSS 2.5

CVE-2025-1376: GNU elfutils eu-strip elf_strptr.c elf_strptr denial of service

A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.

Published Feb 17, 2025 · Updated Jun 2, 2026