Vulnerabilities (CVE)

Total 363821 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-57567 2026-07-05 N/A 9.1 CRITICAL
A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.
CVE-2025-57489 1 Shirt-pocket 1 Superduper\! 2026-07-05 N/A 8.1 HIGH
Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary.
CVE-2025-57457 2026-07-05 N/A 8.8 HIGH
An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter.
CVE-2025-57393 2026-07-05 N/A 8.8 HIGH
A stored cross-site scripting (XSS) in Kissflow Work Platform Kissflow Application Versions 7337 Account v2.0 to v4.2vallows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.
CVE-2025-57305 1 Vitaracharts 1 Vitaracharts 2026-07-05 N/A 6.5 MEDIUM
VitaraCharts 5.3.5 is vulnerable to Server-Side Request Forgery in fileLoader.jsp.
CVE-2025-57197 2026-07-05 N/A 6.0 MEDIUM
In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device can dynamically instrument the app to bypass the current PIN verification check and directly modify the authentication PIN. This allows unauthorized users to change PIN without knowing the original/current PIN.
CVE-2025-57174 2026-07-05 N/A 9.8 CRITICAL
An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 which uses static AES encryption keys hardcoded in the binary. These keys are identical across all devices, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication. This is a failed patch for CVE-2017-7318. This issue may affect other Etherhaul series devices with shared firmware.
CVE-2025-57130 1 Zwiicms 1 Zwiicms 2026-07-05 N/A 8.3 HIGH
An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.
CVE-2025-57119 1 Phpgurukul 1 Online Library Management System 2026-07-05 N/A 9.8 CRITICAL
An issue in Online Library Management System v.3.0 allows an attacker to escalate privileges via the adminlogin.php component and the Login function
CVE-2025-57117 1 Remyandrade 1 Employee Management System 2026-07-05 N/A 5.4 MEDIUM
A Clickjacking vulnerability exists in Rems' Employee Management System 1.0. This flaw allows remote attackers to execute arbitrary JavaScript on the department.php page by injecting a malicious payload into the Department Name field under Add Department.
CVE-2025-57105 1 Dlink 2 Di-7400g\+, Di-7400g\+ Firmware 2026-07-05 N/A 9.8 CRITICAL
The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary commands on the device. The sub_478D28 function in in mng_platform.asp, and sub_4A12DC function in wayos_ac_server.asp of the jhttpd program, with the parameter ac_mng_srv_host.
CVE-2025-56807 1 Fairsketch 1 Rise Ultimate Project Manager 2026-07-05 N/A 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in FairSketch RISE Ultimate Project Manager & CRM 3.9.4 allows an administrator to store a JavaScript payload using the file explorer in the admin dashboard when creating new folders.
CVE-2025-56704 1 Lepton-cms 1 Leptoncms 2026-07-05 N/A 8.8 HIGH
LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.
CVE-2025-56590 1 Apryse 1 Html2pdf 2026-07-05 N/A 9.8 CRITICAL
An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server.
CVE-2025-56589 1 Apryse 1 Html2pdf 2026-07-05 N/A 7.5 HIGH
A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover.
CVE-2025-56588 1 Dolibarr 1 Dolibarr Erp\/crm 2026-07-05 N/A 8.8 HIGH
Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
CVE-2025-56572 1 Ebradyjobory 1 Finance.js 2026-07-05 N/A 7.5 HIGH
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
CVE-2025-56571 1 Ebradyjobory 1 Finance.js 2026-07-05 N/A 7.5 HIGH
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.
CVE-2025-56557 1 Tuya 1 Tuya 2026-07-05 N/A 9.1 CRITICAL
An issue discovered in the Tuya Smart Life App 5.6.1 allows attackers to unprivileged control Matter devices via the Matter protocol.
CVE-2025-56438 2026-07-05 N/A 6.8 MEDIUM
An issue in the firmware update mechanism of Nous W3 Smart WiFi Camera v1.33.50.82 allows unauthenticated and physically proximate attackers to escalate privileges to root via supplying a crafted update.tar archive file stored on a FAT32-formatted SD card.