High · CVSS 7
HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject HTML tags into the "keresztnév" (firstname) field, which will be sent out in an email resulting in possible Phishing scenarios against any, previously not registered, email address.
Published Aug 21, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.3
Incorrect Access Control in the AJAX endpoint functionality in jonkastonka Cookies and Content Security Policy plugin through version 2.29 allows remote attackers to cause a denial of service (database server resource exhaustion) via unlimited database write operations to the wp_ajax_nopriv_cacsp_insert_consent_data endpoint.
Published Aug 19, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.9
The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 has allowBackup=true set in its manifest, allowing data exfiltration via ADB backup on rooted or debug-enabled devices. This presents a risk of user data exposure.
Published Aug 14, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of service or logic abuse.
Published Aug 14, 2025 · Updated Jul 5, 2026
High · CVSS 8.4
Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command "deviceinfo show file" is supposed to be used from restricted shell to show files and directories. By providing " /bin/sh" (quotes included) to the argument of this command will drop a root shell.
Published Aug 26, 2025 · Updated Jul 5, 2026
Critical · CVSS 10
Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.
Published Aug 19, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file.
Published Aug 4, 2025 · Updated Jul 5, 2026
High · CVSS 8.8
A cross-site scripting (XSS) vulnerability in the PdfViewer component of Agenzia Impresa Eccobook 2.81.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Temp parameter.
Published Aug 7, 2025 · Updated Jul 5, 2026
High · CVSS 7.5
Insecure Direct Object Reference (IDOR) vulnerability in PdfHandler component in Agenzia Impresa Eccobook v2.81.1 and below allows unauthenticated attackers to read confidential documents via the DocumentoId parameter.
Published Aug 5, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
Incorrect access control in CaricaVerbale in Agenzia Impresa Eccobook v2.81.1 allows authenticated attackers with low-level access to escalate privileges to Administrator.
Published Aug 5, 2025 · Updated Jul 5, 2026
High · CVSS 7.6
Cross-site scripting (XSS) vulnerability in Zone Bitaqati thru 3.4.0.
Published Aug 6, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
An issue was discovered in CPUID cpuz.sys 1.0.5.4. An attacker can use DeviceIoControl with the unvalidated parameters 0x9C402440 and 0x9C402444 as IoControlCodes to perform RDMSR and WRMSR, respectively. Through this process, the attacker can modify MSR_LSTAR and hook KiSystemCall64. Afterward, using Return-Oriented Programming (ROP), the attacker can manipulate the stack with pre-prepared gadgets, disable the SMAP flag in the CR4 register, and execute a user-mode syscall handler in the kernel context. It has not been confirmed whether this works on 32-bit Windows, but it functions on 64-bit Windows if the core isolation feature is either absent or disabled.
Published Aug 5, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).
Published Aug 4, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion
Published Aug 4, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, a malicious origin like "notexample.com", "example.common.net" is whitelisted when the site's CORS policy specifies "example.com." This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.
Published Aug 20, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary commands on the device. The sub_478D28 function in in mng_platform.asp, and sub_4A12DC function in wayos_ac_server.asp of the jhttpd program, with the parameter ac_mng_srv_host.
Published Aug 22, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data.
Published Aug 26, 2025 · Updated Jul 5, 2026
High · CVSS 7.3
In Hyundai Navigation App STD5W.EUR.HMC.230516.afa908d, an attacker can inject HTML payloads in the profile name field in navigation app which then get rendered.
Published Aug 27, 2025 · Updated Jul 5, 2026
High · CVSS 7.5
Tenda AC15 v15.03.05.19_multi_TD01 has a stack overflow via the list parameter in the fromSetIpMacBind function.
Published Aug 21, 2025 · Updated Jul 5, 2026
High · CVSS 8.8
In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus.
Published Aug 27, 2025 · Updated Jul 5, 2026
High · CVSS 8.8
FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code.
Published Aug 25, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.3
Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method.
Published Aug 21, 2025 · Updated Jul 5, 2026
High · CVSS 8.8
Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value.
Published Aug 21, 2025 · Updated Jul 5, 2026
High · CVSS 8.8
Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
Published Aug 21, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.3
Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
Published Aug 21, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.3
Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack.
Published Aug 21, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
EyouCMS 1.7.3 is vulnerale to Cross Site Scripting (XSS) in index.php, which can be exploited to obtain sensitive information.
Published Aug 14, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
OURPHP thru 8.6.1 is vulnerable to Cross-Site Scripting (XSS) via the "Name" field of the "Complete Profile" functionality under the "My User Center" page, which can be accessed after registering through the front-end interface.
Published Aug 14, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint.
Published Aug 19, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
Published Aug 13, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
Published Aug 13, 2025 · Updated Jul 5, 2026
High · CVSS 7.8
An issue was discovered in the changePassword method in file /usr/share/php/openmediavault/system/user.inc in OpenMediaVault 7.4.17 allowing local authenticated attackers to escalate privileges to root.
Published Aug 22, 2025 · Updated Jul 5, 2026
High · CVSS 8.1
alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.
Published Aug 25, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.4
A cross-site scripting (XSS) vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter.
Published Aug 13, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability in the /Calendar endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the add function.
Published Aug 13, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the title parameter.
Published Aug 13, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
An issue in the component /stl/actions/download?filePath of SSCMS v7.3.1 allows attackers to execute a directory traversal.
Published Aug 5, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
File upload vulnerability in Writebot AI Content Generator SaaS React Template thru 4.0.0, allowing remote attackers to gain escalated privileges via a crafted POST request to the /file-upload endpoint.
Published Aug 5, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
The reconcile method in the AttachmentReconciler class of the Halo system v.2.20.18LTS and before is vulnerable to XSS attacks.
Published Aug 5, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a command injection vulnerability via the pin parameter in the setWiFiWpsConfig function.
Published Aug 4, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
Bottinelli Informatical Vedo Suite 2024.17 is vulnerable to Server-side Request Forgery (SSRF) in the /api_vedo/video/preview endpoint, which allows remote authenticated attackers to trigger HTTP requests towards arbitrary remote paths via the "file" URL parameter.
Published Aug 6, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
A local file inclusion (LFI) vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'readfile()' function call in '/api_vedo/video/preview'.
Published Aug 6, 2025 · Updated Jul 5, 2026
High · CVSS 8.2
An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews()' custom function in '/api_vedo/colorways_preview', ultimately resulting in remote code execution (RCE).
Published Aug 6, 2025 · Updated Jul 5, 2026
High · CVSS 8.6
Insecure Data Storage of credentials has been found in /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. This file contains clear-text credentials, secret keys, and database information.
Published Aug 6, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
Vedo Suite 2024.17 is vulnerable to Incorrect Access Control, which allows remote attackers to obtain a valid high privilege JWT token without prior authentication via sending an empty HTTP POST request to the /autologin/ API endpoint.
Published Aug 6, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.1
A Cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary Javascript or HTML code and potentially trigger code execution in victim's browser.
Published Aug 6, 2025 · Updated Jul 5, 2026
Medium · CVSS 6.5
A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'.
Published Aug 6, 2025 · Updated Jul 5, 2026
Medium · CVSS 5.4
Cross site scripting vulnerability in seacms before 13.2 via the vid parameter to Upload/js/player/dmplayer/player.
Published Aug 5, 2025 · Updated Jul 5, 2026
Critical · CVSS 9.8
A Boolean-based SQL injection vulnerability was discovered in Axelor 5.2.4 via the _domain parameter. An attacker can manipulate the SQL query logic and determine true/false conditions, potentially leading to data exposure or further exploitation.
Published Aug 4, 2025 · Updated Jul 5, 2026
Low · CVSS 3.9
A lack of SSL certificate validation in BlueStacks v5.20 allows attackers to execute a man-it-the-middle attack and obtain sensitive information.
Published Aug 5, 2025 · Updated Jul 5, 2026