Vulnerabilities (CVE)

Total 363821 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-56432 1 Nagios 1 Nagios Xi 2026-07-05 N/A 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data.
CVE-2025-56422 1 Limesurvey 1 Limesurvey 2026-07-05 N/A 9.8 CRITICAL
A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.
CVE-2025-56421 1 Limesurvey 1 Limesurvey 2026-07-05 N/A 7.5 HIGH
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
CVE-2025-56401 1 Ziragroup 1 Wbrm 2026-07-05 N/A 7.6 HIGH
ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName.
CVE-2025-56400 1 Tuya 3 Smartlife, Tuya, Tuya Smart 2026-07-05 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.
CVE-2025-56399 2026-07-05 N/A 8.8 HIGH
alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.
CVE-2025-56304 1 Yzmcms 1 Yzmcms 2026-07-05 N/A 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in YzmCMS thru 7.3 via the referer header in the register page.
CVE-2025-56295 1 Carmelo 1 Computer Laboratory System 2026-07-05 N/A 7.3 HIGH
code-projects Computer Laboratory System 1.0 has a file upload vulnerability. Staff can upload malicious files by uploading PHP backdoor files when modifying personal avatar information and use web shell connection tools to obtain server permissions.
CVE-2025-56293 1 Fabian 1 Human Resource Integrated System 2026-07-05 N/A 5.4 MEDIUM
code-projects Human Resource Integrated System 1.0 is vulnerable to Cross Site Scripting (XSS) in the Add Child Information section in the Childs Name field.
CVE-2025-56289 1 Fabian 1 Document Management System 2026-07-05 N/A 5.4 MEDIUM
code-projects Document Management System 1.0 has a Cross Site Scripting (XSS) vulnerability, where attackers can leak admin's cookie information by entering malicious XSS code in the Company field when adding files.
CVE-2025-56274 1 Senior-walter 1 Web-based Pharmacy Product Management System 2026-07-05 N/A 8.1 HIGH
SourceCodester Web-based Pharmacy Product Management System 1.0 is vulnerable to Incorrect Access Control, which allows low-privileged users to forge high privileged (such as admin) sessions and perform sensitive operations such as adding new users.
CVE-2025-56231 1 Tonec 1 Internet Download Manager 2026-07-05 N/A 9.1 CRITICAL
Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections.
CVE-2025-56200 1 Validator Project 1 Validator 2026-07-05 N/A 6.1 MEDIUM
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
CVE-2025-56157 1 Langgenius 1 Dify 2026-07-05 N/A 9.8 CRITICAL
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
CVE-2025-55849 1 Weiphp 1 Weiphp 2026-07-05 N/A 8.4 HIGH
WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee
CVE-2025-55618 1 Hyundai 1 Navigation 2026-07-05 N/A 7.3 HIGH
In Hyundai Navigation App STD5W.EUR.HMC.230516.afa908d, an attacker can inject HTML payloads in the profile name field in navigation app which then get rendered.
CVE-2025-55564 1 Tenda 2 Ac15, Ac15 Firmware 2026-07-05 N/A 7.5 HIGH
Tenda AC15 v15.03.05.19_multi_TD01 has a stack overflow via the list parameter in the fromSetIpMacBind function.
CVE-2025-55462 1 Eramba 1 Eramba 2026-07-05 N/A 6.5 MEDIUM
A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration.
CVE-2025-55422 1 Foxcms 1 Foxcms 2026-07-05 N/A 8.8 HIGH
In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus.
CVE-2025-55409 1 Foxcms 1 Foxcms 2026-07-05 N/A 8.8 HIGH
FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code.