Total
5302 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11435 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch. | |||||
| CVE-2025-11437 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector. | |||||
| CVE-2025-11485 | 1 Remyandrade | 1 Student Grades Management System | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function add_user of the file /admin.php of the component Manage Users Page. This manipulation of the argument first_name/last_name causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-11539 | 2025-10-09 | N/A | 9.9 CRITICAL | ||
| Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process. Instances are vulnerable if: 1. The default token ("authToken") is not changed, or is known to the attacker. 2. The attacker can reach the image renderer endpoint. This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16. | |||||
| CVE-2025-2979 | 1 Wcms | 1 Wcms | 2025-10-09 | 3.3 LOW | 2.4 LOW |
| A vulnerability classified as problematic has been found in WCMS 11. This affects an unknown part of the file /index.php?anonymous/setregister of the component Registration. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3251 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, was found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation of the argument motto leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-11360 | 2025-10-08 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was detected in jakowenko double-take up to 1.13.1. The impacted element is the function app.use of the file api/src/app.js of the component API. The manipulation of the argument X-Ingress-Path results in cross site scripting. The attack can be executed remotely. Upgrading to version 1.13.2 is sufficient to resolve this issue. The patch is identified as e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50. The affected component should be upgraded. | |||||
| CVE-2025-61774 | 2025-10-08 | N/A | N/A | ||
| PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use`--extra-index-url`. But when `--extra-index-url` is used, pip always checks for the PyPI index first, and then the external index. One package listed in the code is not published in PyPI. If an attacker publishes a package with higher version in PyPI, the malicious code from the attacker controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable. | |||||
| CVE-2025-10758 | 1 Htmly | 1 Htmly | 2025-10-08 | 3.3 LOW | 2.4 LOW |
| A security vulnerability has been detected in htmly up to 3.1.0. The impacted element is an unknown function of the file /htmly/admin/field/post of the component Custom Field Handler. Such manipulation of the argument label leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2787 | 1 Knime | 1 Business Hub | 2025-10-08 | N/A | 8.8 HIGH |
| KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 ( a.k.a IngressNightmare ) vulnerability which affects the ingress-nginx component. In the worst case a complete takeover of the Kubernetes cluster is possible. Since the affected component is only reachable from within the cluster, i.e. requires an authenticated user, the severity in the context of KNIME Business Hub is slightly lower. Besides applying the publicly known workarounds, we strongly recommend updating to one of the following versions of KNIME Business Hub: * 1.13.3 or above * 1.12.4 or above * 1.11.4 or above * 1.10.4 or above * | |||||
| CVE-2025-59954 | 1 Eng | 1 Knowage | 2025-10-08 | N/A | 9.8 CRITICAL |
| Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Exection through using an unsafe org.apache.commons.jxpath.JXPathContext in MetaService.java service. This issue is fixed in version 8.1.27. | |||||
| CVE-2025-0706 | 1 Joeybling | 1 Bootplus | 2025-10-07 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/sys/admin.html. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | |||||
| CVE-2025-11282 | 1 Frappe | 1 Learning | 2025-10-07 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |||||
| CVE-2025-11283 | 1 Frappe | 1 Learning | 2025-10-07 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in Frappe LMS 2.35.0. This affects an unknown function of the component Course Handler. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | |||||
| CVE-2025-51482 | 1 Letta | 1 Letta | 2025-10-07 | N/A | 8.8 HIGH |
| Remote Code Execution in letta.server.rest_api.routers.v1.tools.run_tool_from_source in letta-ai Letta 0.7.12 allows remote attackers to execute arbitrary Python code and system commands via crafted payloads to the /v1/tools/run endpoint, bypassing intended sandbox restrictions. | |||||
| CVE-2025-11027 | 1 Vvveb | 1 Vvveb | 2025-10-07 | 3.3 LOW | 2.4 LOW |
| A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Affected by this issue is some unknown functionality of the component SVG File Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | |||||
| CVE-2025-11306 | 1 Qianfox | 1 Foxcms | 2025-10-07 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in qianfox FoxCMS up to 1.2. This affects an unknown part of the file /index.php/Search of the component Search Page. The manipulation of the argument keyword results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-54999 | 1 Monicahq | 1 Monica | 2025-10-07 | N/A | 6.5 MEDIUM |
| MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter the General Information module. | |||||
| CVE-2025-11291 | 2025-10-07 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A security flaw has been discovered in ixmaps website2017 up to 0c71cffa0162186bc057a76766bc97e9f5a3a2d0. This impacts an unknown function of the file /map.php of the component HTTP GET Request Handler. Performing manipulation of the argument trid results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11308 | 2025-10-06 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was identified in Vanderlande Baggage 360 7.0.0. This issue affects some unknown processing of the file /api-addons/v1/messages. Such manipulation of the argument Message leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||