CVE Feeds
CVE News Feed
Updates on the latest vulnerabilities detected.
CVE-2025-15076 - Tenda CH22 public path traversal
CVE ID: CVE-2025-15076
Published: Dec. 25, 2025, 3:32 a.m. | 31 minutes ago
Description: A weakness has been identified in Tenda CH22 1.0.0.1. Impacted is an unknown function of the file /public/. Executing manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.
Severity: 0.0 | NA
CVE-2025-15075 - itsourcecode Student Management System student_p.php SQL injection
CVE ID: CVE-2025-15075
Published: Dec. 25, 2025, 3:15 a.m. | 47 minutes ago
Description: A security flaw has been discovered in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /student_p.php. Performing manipulation of the argument ID results in SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited.
Severity: 7.5 | HIGH
CVE-2025-15074 - itsourcecode Online Frozen Foods Ordering System customer_details.php SQL injection
CVE ID: CVE-2025-15074
Published: Dec. 25, 2025, 3:15 a.m. | 47 minutes ago
Description: A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /customer_details.php. Such manipulation leads to SQL injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity: 7.5 | HIGH
CVE-2025-68922 - OpenOps Terraform Remote Code Execution
CVE ID: CVE-2025-68922
Published: Dec. 25, 2025, 12:16 a.m. | 3 hours, 47 minutes ago
Description: OpenOps before 0.6.11 allows remote code execution in the Terraform block.
Severity: 7.4 | HIGH
CVE-2025-15073 - itsourcecode Online Frozen Foods Ordering System contact_us.php SQL injection
CVE ID: CVE-2025-15073
Published: Dec. 24, 2025, 11:15 p.m. | 4 hours, 47 minutes ago
Description: A vulnerability was determined in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /contact_us.php. This manipulation of the argument Name causes SQL injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity: 7.5 | HIGH
CVE-2025-68920 - C-Kermit Remote File Overwrite/Vulnerable File Retrieval
CVE ID: CVE-2025-68920
Published: Dec. 24, 2025, 10:15 p.m. | 5 hours, 47 minutes ago
Description: C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system.
Severity: 8.9 | HIGH
CVE-2025-8769 - MegaSys Computer Technologies Telenium Online Web Application Improper Input Validation
CVE ID: CVE-2025-8769
Published: Dec. 24, 2025, 9:16 p.m. | 6 hours, 47 minutes ago
Description: Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server.
Severity: 9.8 | CRITICAL
CVE-2025-68919 - Fujitsu Fsas Technologies ETERNUS SF ACM/SC/Express Management Software Authentication Bypass
CVE ID: CVE-2025-68919
Published: Dec. 24, 2025, 9:16 p.m. | 6 hours, 47 minutes ago
Description: Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority other than ETERNUS SF Admin, allows an attacker to potentially affect system confidentiality, integrity, and availability.
Severity: 5.6 | MEDIUM
CVE-2025-68917 - ONLYOFFICE Docs Cross-Site Scripting Vulnerability
CVE ID: CVE-2025-68917
Published: Dec. 24, 2025, 9:16 p.m. | 6 hours, 47 minutes ago
Description: ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.
Severity: 6.4 | MEDIUM
CVE-2025-68916 - Riello UPS NetMan 208 Remote File Inclusion Vulnerability
CVE ID: CVE-2025-68916
Published: Dec. 24, 2025, 8:16 p.m. | 7 hours, 47 minutes ago
Description: Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution.
Severity: 9.1 | CRITICAL
CVE-2025-68915 - Riello UPS NetMan 208 Cross-Site Scripting Vulnerability
CVE ID: CVE-2025-68915
Published: Dec. 24, 2025, 8:16 p.m. | 7 hours, 47 minutes ago
Description: Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner.
Severity: 5.5 | MEDIUM
CVE-2025-68914 - Riello UPS NetMan 208 SQL Injection Vulnerability
CVE ID: CVE-2025-68914
Published: Dec. 24, 2025, 8:16 p.m. | 7 hours, 47 minutes ago
Description: Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table.
Severity: 6.5 | MEDIUM
CVE-2025-3232 - Mitsubishi Electric Europe smartRTU Missing Authentication for Critical Function
CVE ID: CVE-2025-3232
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands.
Severity: 7.5 | HIGH
CVE-2019-25258 - LogicalDOC Enterprise 7.7.4 Multiple Post-Authentication Directory Traversal Vulnerabilities
CVE ID: CVE-2019-25258
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through unverified 'suffix' and 'fileVersion' parameters. Attackers can exploit directory traversal techniques in /thumbnail and /convertpdf endpoints to access sensitive system files like win.ini and /etc/passwd by manipulating path traversal sequences.
Severity: 7.5 | HIGH
CVE-2019-25257 - LogicalDOC Enterprise 7.7.4 Authenticated Command Execution via Binary Path Manipulation
CVE ID: CVE-2019-25257
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges.
Severity: 8.7 | HIGH
CVE-2019-25256 - VideoFlow Digital Video Protection DVP 2.10 Authenticated Directory Traversal
CVE ID: CVE-2019-25256
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests.
Severity: 7.1 | HIGH
CVE-2019-25255 - VideoFlow Digital Video Protection DVP 2.10 Authenticated Remote Code Execution
CVE ID: CVE-2019-25255
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access.
Severity: 8.7 | HIGH
CVE-2019-25254 - KYOCERA Net Admin 3.4.0906 Cross-Site Request Forgery via User Administration
CVE ID: CVE-2019-25254
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page.
Severity: 5.3 | MEDIUM
CVE-2019-25253 - KYOCERA Net Admin 3.4.0906 Unauthenticated XML External Entity Injection
CVE ID: CVE-2019-25253
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.
Severity: 7.5 | HIGH
CVE-2019-25252 - Teradek VidiU Pro 3.0.3 Cross-Site Request Forgery via Password Change
CVE ID: CVE-2019-25252
Published: Dec. 24, 2025, 8:15 p.m. | 7 hours, 47 minutes ago
Description: Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page.
Severity: 5.3 | MEDIUM
Information
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30-year history, we have provided security services and products for a wide variety of companies around the globe.