VulDB Recent Entries

A vulnerability described as problematic has been identified in Nagios Fusion 2024R1.2/2024R2. This vulnerability affects unknown code of the component OTP Verification. Such manipulation leads to improper restriction of excessive authentication attempts. This vulnerability is documented as CVE-2025-60424. The attack can be executed remotely. There is not any exploit available.

A vulnerability marked as critical has been reported in NetKnights privacyIDEA Authenticator 4.3.0 on Android. This affects an unknown part of the component OTP/TOTP/HOTP. This manipulation causes improper authentication. This vulnerability is registered as CVE-2025-61482. The attack needs to be launched locally. No exploit is available.

A vulnerability labeled as problematic has been found in Docker Desktop up to 4.48.0. Affected by this issue is some unknown functionality of the file Installer.exe. The manipulation results in uncontrolled search path. This vulnerability is cataloged as CVE-2025-9164. The attack must be initiated from a local position. There is no exploit available.

A vulnerability identified as problematic has been detected in Nagios Fusion 2024R1.2/v2024R2. Affected by this vulnerability is an unknown functionality. The manipulation leads to session expiration. This vulnerability is listed as CVE-2025-60425. The attack may be initiated remotely. There is no available exploit.

A vulnerability categorized as problematic has been discovered in Honeywell S35. Affected is an unknown function. Executing manipulation can lead to authorization bypass. This vulnerability is tracked as CVE-2025-12351. The attack can be launched remotely. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability was found in Ping Identity PingFederate up to 11.3.13/12.0.9/12.1.8/12.2.5/12.3.2. It has been rated as problematic. This impacts an unknown function of the component HTML Form Adapter. Performing manipulation results in improper restriction of excessive authentication attempts. This vulnerability is identified as CVE-2025-26862. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability was found in StarCharge Artemis AC Charger 7-22 kW 1.0.4. It has been declared as critical. This affects an unknown function of the component Web Configuration Module. Such manipulation leads to download of code without integrity check. This vulnerability is referenced as CVE-2025-52263. The attack needs to be initiated within the local network. No exploit is available.

A vulnerability was found in indieka900 online-shopping-system-php 1.0. It has been classified as critical. The impacted element is an unknown function of the file login.php. This manipulation of the argument Password causes sql injection. The identification of this vulnerability is CVE-2025-61247. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in IBM OpenPages 9.0/9.1 and classified as problematic. The affected element is an unknown function. The manipulation results in basic cross site scripting. This vulnerability was named CVE-2025-36121. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability has been found in BeWelcome Rox and classified as critical. Impacted is the function RoxPOSTHandler::getCallbackAction. The manipulation of the argument formkit_memory_recovery leads to deserialization. This vulnerability is uniquely identified as CVE-2025-34292. The attack is possible to be carried out remotely. No exploit exists. It is suggested to install a patch to address this issue.

A vulnerability, which was classified as critical, was found in MaxSite CMS up to 109. This issue affects some unknown processing of the file application/maxsite/admin/plugins/editor_files/save-file-ajax.php. Executing manipulation of the argument file_path/content can lead to unrestricted upload. This vulnerability is handled as CVE-2025-12347. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in MaxSite CMS up to 109. This vulnerability affects unknown code of the file application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php of the component HTTP Header Handler. Performing manipulation of the argument X-Requested-FileName/X-Requested-FileUpDir results in unrestricted upload. This vulnerability is known as CVE-2025-12346. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as problematic was found in SuiteCRM 7.14.1. This affects an unknown part of the component HTTP Header Handler. Such manipulation of the argument Referer leads to cross site scripting. This vulnerability is traded as CVE-2025-41384. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in OpenVPN Access Server up to 2.14.3. Affected by this issue is some unknown functionality of the component SAML Authentication Module. This manipulation of the argument RelayState causes cross site scripting. This vulnerability appears as CVE-2025-50055. The attack may be initiated remotely. There is no available exploit.

A vulnerability described as problematic has been identified in Zoho ManageEngine ManageEngine Endpoint Central. Affected by this vulnerability is an unknown functionality. The manipulation results in sensitive information in log files. This vulnerability is reported as CVE-2025-11248. The attack requires a local approach. No exploit exists. Upgrading the affected component is recommended.

A vulnerability marked as critical has been reported in eTimeTrackLite Web up to 12.0. Affected is an unknown function. The manipulation leads to permission issues. This vulnerability is documented as CVE-2025-60291. The attack requires being on the local network. There is not any exploit available.

A vulnerability labeled as critical has been found in Open5GS up to 2.7.4. This impacts an unknown function of the component Discovery Service. Executing manipulation can lead to reachable assertion. This vulnerability is registered as CVE-2025-41068. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

A vulnerability identified as problematic has been detected in Open5GS up to 2.7.4. This affects an unknown function of the component Discovery Service. Performing manipulation results in reachable assertion. This vulnerability is cataloged as CVE-2025-41067. It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in Yonyou U8 Cloud up to 5.1sp. The impacted element is an unknown function of the file /service/NCloudGatewayServlet of the component Request Header Handler. Such manipulation of the argument ts/sign leads to unrestricted upload. This vulnerability is listed as CVE-2025-12344. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Serdar Bayram Ghost Hot Spot up to 20251014. It has been rated as critical. The affected element is an unknown function of the file /Auth.php of the component Login. This manipulation causes sql injection. This vulnerability is tracked as CVE-2025-12342. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.