LiveActive security incident?Get immediate response
CVE archive

September 2025

Browse CVE records published in September 2025, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3728 matching CVEs · Page 2 of 75.

Unknown · CVSS Not scored

CVE-2025-39757: ALSA: usb-audio: Validate UAC3 cluster segment descriptors

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses.

Published Sep 11, 2025 · Updated Jun 11, 2026

Unknown · CVSS Not scored

CVE-2025-39760: usb: core: config: Prevent OOB read in SS endpoint companion parsing

In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor.

Published Sep 11, 2025 · Updated Jun 11, 2026

Unknown · CVSS Not scored

CVE-2025-39766: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ htb rate 64bit tc qdisc add dev lo parent 1:1 handle f: \ cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow. I do not believe return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.

Published Sep 11, 2025 · Updated Jun 11, 2026

Unknown · CVSS Not scored

CVE-2025-39864: wifi: cfg80211: fix use-after-free in cmp_bss()

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer.

Published Sep 19, 2025 · Updated Jun 11, 2026

Unknown · CVSS Not scored

CVE-2025-38718: sctp: linearize cloned gso packets in sctp_rcv

In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv().

Published Sep 4, 2025 · Updated Jun 11, 2026

Unknown · CVSS Not scored

CVE-2025-38724: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all. In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked().

Published Sep 4, 2025 · Updated Jun 11, 2026

Unknown · CVSS Not scored

CVE-2025-39817: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3f8 do_filp_open+0x114/0x248 do_sys_openat2+0x340/0x3c0 __arm64_sys_openat+0x120/0x1a0 If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become negative, leadings to oob. The issue can be triggered by parallel lookups using invalid filename: T1 T2 lookup_open ->lookup simple_lookup d_add // invalid dentry is added to hash list lookup_open d_alloc_parallel __d_lookup_rcu __d_lookup_rcu_op_compare hlist_bl_for_each_entry_rcu // invalid dentry can be retrieved ->d_compare efivarfs_d_compare // oob Fix it by checking 'guid' before cmp.

Published Sep 16, 2025 · Updated Jun 11, 2026

High · CVSS 8.7

CVE-2025-40798: A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versi...

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). Affected products contain a out-of-bounds read vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to cause a denial of service condition.

Published Sep 9, 2025 · Updated Jun 9, 2026

High · CVSS 8.7

CVE-2025-40797: A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versi...

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). Affected products contain a out-of-bounds read vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to cause a denial of service condition.

Published Sep 9, 2025 · Updated Jun 9, 2026

High · CVSS 8.7

CVE-2025-40796: A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versi...

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). Affected products contain a out-of-bounds read vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to cause a denial of service condition.

Published Sep 9, 2025 · Updated Jun 9, 2026

Critical · CVSS 9.8

CVE-2025-40795: A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versi...

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). Affected products contain a stack-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial of service condition.

Published Sep 9, 2025 · Updated Jun 9, 2026

Medium · CVSS 4.7

CVE-2025-0419: XSS in Mikrogrup's Zirve Nova

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. Zirve Nova allows Cross-Site Scripting (XSS). This issue affects Zirve Nova: from 235 through 20250131.

Published Sep 17, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.7

CVE-2025-0420: XSS in Mikrogrup's Paraşüt

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Paraşüt Software Paraşüt allows Cross-Site Scripting (XSS). This issue affects Paraşüt: from 0.0.0.65efa44e through 20250204.

Published Sep 17, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.7

CVE-2025-0546: XSS in Mevzuattr Software's MevzuatTR

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Restriction of Rendered UI Layers or Frames vulnerability in Mevzuattr Software MevzuatTR allows Phishing, iFrame Overlay, Clickjacking, Forceful Browsing. This issue needs high privileges.  This issue affects MevzuatTR: before 12.02.2025.

Published Sep 17, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.7

CVE-2025-0547: XSS in Mikrogrup's Bizmu

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Paraşüt Software Bizmu allows Cross-Site Scripting (XSS). This issue affects Bizmu: from 2.27.0 through 20250212.

Published Sep 18, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-0610: CSRF in Akinsoft's QR Menu

Cross-Site Request Forgery (CSRF) vulnerability in Akınsoft QR Menü allows Cross Site Request Forgery. This issue affects QR Menü: from s1.05.06 before v1.05.12.

Published Sep 1, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.7

CVE-2025-0640: IDOR in Akinsoft's OctoCloud

Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft OctoCloud allows Resource Leak Exposure. This issue affects OctoCloud: from s1.09.02 before v1.11.01.

Published Sep 2, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.7

CVE-2025-0670: IDOR in Akinsoft's ProKuafor

Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft ProKuafor allows Resource Leak Exposure. This issue affects ProKuafor: from s1.02.07 before v1.02.08.

Published Sep 2, 2025 · Updated Jun 6, 2026

Medium · CVSS 6.5

CVE-2025-0875: IDOR in Proliz Software's OBS

Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection. This issue affects OBS (Student Affairs Information System): before v26.0328.

Published Sep 22, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.7

CVE-2025-0878: XSS in Akinsoft's LimonDesk

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Akinsoft LimonDesk allows Cross-Site Scripting (XSS). This issue affects LimonDesk: from s1.02.14 before v1.02.17.

Published Sep 3, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.7

CVE-2025-0879: XSS in Shopside Software's Shopside App

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shopside Software Shopside App allows Cross-Site Scripting (XSS). This issue requires high privileges. This issue affects Shopside App: before 17.02.2025.

Published Sep 17, 2025 · Updated Jun 6, 2026

Critical · CVSS 9.8

CVE-2025-1740: Authentication Bypass in Akinsoft's MyRezzta

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force. This issue affects MyRezzta: from s2.03.01 before v2.05.01.

Published Sep 3, 2025 · Updated Jun 6, 2026

Medium · CVSS 4.3

CVE-2025-2404: XSS in Ubit Information Technologies' STOYS

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ubit Information Technologies STOYS allows Cross-Site Scripting (XSS). This issue affects STOYS: from 2 before 20250916.

Published Sep 16, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-2411: OTP Bypass in Akinsoft's TaskPano

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft TaskPano allows Authentication Bypass. This issue affects TaskPano: from s1.06.04 before v1.06.06.

Published Sep 4, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-2412: OTP Bypass in Akinsoft's QR Menu

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft QR Menu allows Authentication Bypass. This issue affects QR Menu: from s1.05.07 before v1.05.12.

Published Sep 1, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-2413: OTP Bypass in Akinsoft's ProKuafor

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft ProKuafor allows Authentication Bypass. This issue affects ProKuafor: from s1.02.08 before v1.02.08.

Published Sep 2, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-2414: OTP Bypass in Akinsoft's OctoCloud

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft OctoCloud allows Authentication Bypass. This issue affects OctoCloud: from s1.09.03 before v1.11.01.

Published Sep 2, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-2415: OTP Bypass in Akinsoft's MyRezzta

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass. This issue affects MyRezzta: from s2.03.01 before v2.05.01.

Published Sep 3, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-2416: OTP Bypass in Akinsoft's LimonDesk

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft LimonDesk allows Authentication Bypass. This issue affects LimonDesk: from s1.02.14 before v1.02.17.

Published Sep 3, 2025 · Updated Jun 6, 2026

High · CVSS 8.6

CVE-2025-2417: OTP Bypass in Akinsoft's e-Mutabakat

Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft e-Mutabakat allows Authentication Bypass. This issue affects e-Mutabakat: from 2.02.06 before v2.02.06.

Published Sep 4, 2025 · Updated Jun 6, 2026

Critical · CVSS 9.8

CVE-2025-4688: SQLi in BGS Interactive's SINAV.LINK Exam Result Module

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BGS Interactive SINAV.LINK Exam Result Module allows SQL Injection. This issue affects SINAV.LINK Exam Result Module: before 1.2.

Published Sep 16, 2025 · Updated Jun 5, 2026

Medium · CVSS 6.5

CVE-2025-5518: IDOR in ArgusTech's BILGER

Authorization Bypass Through User-Controlled Key vulnerability with user privileges in ArgusTech BILGER allows Exploitation of Trusted Identifiers. This issue affects BILGER: before 2.4.6.

Published Sep 16, 2025 · Updated Jun 5, 2026

Medium · CVSS 6.1

CVE-2025-6396: XSS in Webbeyaz's web site

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webbeyaz Website Design Website Software allows Cross-Site Scripting (XSS). This issue affects Website Software: through 2025.07.14.

Published Sep 26, 2025 · Updated Jun 5, 2026

Medium · CVSS 5.4

CVE-2025-6575: XSS in Dolusoft's Omaspot

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dolusoft Omaspot allows Reflected XSS. This issue affects Omaspot: before 12.09.2025.

Published Sep 16, 2025 · Updated Jun 5, 2026

Medium · CVSS 6.5

CVE-2025-7355: IDOR in Beefull Energy Technologies' Beefull App

Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers. This issue affects Beefull App: before 24.07.2025.

Published Sep 16, 2025 · Updated Jun 5, 2026

Medium · CVSS 4.7

CVE-2025-7702: Open Redirect in PUSULA's Manageable Email Sending System

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Pusula Communication Information Internet Industry and Trade Ltd. Co. Manageable Email Sending System allows Exploiting Trust in Client. This issue affects Manageable Email Sending System: from <=2025.06 before 2025.08.06.

Published Sep 19, 2025 · Updated Jun 5, 2026

Medium · CVSS 6.9

CVE-2025-48040: Malicious Key Exchange Messages may Lead to Excessive Resource Consumption

Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Published Sep 11, 2025 · Updated Jun 5, 2026

High · CVSS 7.1

CVE-2025-48041: SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Published Sep 11, 2025 · Updated Jun 5, 2026

Medium · CVSS 5.3

CVE-2025-48039: Unverified Paths can Cause Excessive Use of System Resources

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Published Sep 11, 2025 · Updated Jun 5, 2026

Medium · CVSS 5.3

CVE-2025-48038: Unverified File Handles can Cause Excessive Use of System Resources

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Published Sep 11, 2025 · Updated Jun 5, 2026

Critical · CVSS 9.8

CVE-2025-7744: SQLi in Dolusoft's Omaspot

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dolusoft Omaspot allows SQL Injection. This issue affects Omaspot: before 12.09.2025.

Published Sep 16, 2025 · Updated Jun 5, 2026

Medium · CVSS 6.5

CVE-2025-8057: IDOR in Patika Global Technologies' HumanSuite

Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows Exploiting Trust in Client. This issue affects HumanSuite: before 53.21.0.

Published Sep 16, 2025 · Updated Jun 5, 2026

Critical · CVSS 9.8

CVE-2025-8276: HTML Injection in Patika Global Technologies' HumanSuite

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Patika Global Technologies HumanSuite allows Cross-Site Scripting (XSS), Phishing. This issue affects HumanSuite: before 53.21.0.

Published Sep 16, 2025 · Updated Jun 5, 2026

High · CVSS 7.1

CVE-2025-8411: XSS in Dokuzsoft Technology's E-Commerce Web Design Product

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology E-Commerce Web Design Product allows XSS Through HTTP Headers. This issue affects E-Commerce Web Design Product: before 11.08.2025.

Published Sep 17, 2025 · Updated Jun 5, 2026

Medium · CVSS 6.4

CVE-2025-8532: IDOR in Bimser's eBA Document and Workflow Management System

Authorization Bypass Through User-Controlled Key, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. EBA Document and Workflow Management System allows Forceful Browsing. This issue affects eBA Document and Workflow Management System: from 6.7.164 before 6.7.166.

Published Sep 19, 2025 · Updated Jun 5, 2026

Medium · CVSS 6.3

CVE-2025-8664: XSS in Saysis Computer Systems' StarCities

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities E-Municipality Management allows Cross-Site Scripting (XSS). This issue affects StarCities E-Municipality Management: before 20250825.

Published Sep 19, 2025 · Updated Jun 5, 2026

Medium · CVSS 5.4

CVE-2025-8695: Reflected XSS in Netcad Software's NetGIS Server

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad NetGIS Server allows Reflected XSS. This issue affects NetGIS Server: from 5.2.4 through 22.08.2025.

Published Sep 5, 2025 · Updated Jun 5, 2026