VulDB Recent Entries

A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been classified as problematic. Affected is an unknown function of the file /sysApp/find. The manipulation of the argument accessKey/secretKey leads to information disclosure. This vulnerability is traded as CVE-2025-8226. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. The identification of this vulnerability is CVE-2025-8225. Attacking locally is a requirement. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability has been found in GNU Binutils 2.44 and classified as problematic. This vulnerability affects the function bfd_elf_get_str_section of the file bfd/elf.c of the component BFD Library. The manipulation leads to null pointer dereference. This vulnerability was named CVE-2025-8224. Local access is required to approach this attack. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2025-8223. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.

A vulnerability, which was classified as problematic, has been found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this issue is some unknown functionality of the file GoodsController.java. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2025-8222. The attack may be launched remotely. Furthermore, there is an exploit available. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. Multiple endpoints are affected.

A vulnerability classified as problematic was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this vulnerability is the function goodsSearch of the file GoodsCustController.java. The manipulation of the argument keyword leads to cross site scripting. This vulnerability is known as CVE-2025-8221. The attack can be launched remotely. Furthermore, there is an exploit available. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

A vulnerability classified as critical has been found in Engeman Web up to 12.0.0.1. Affected is an unknown function of the file /Login/RecoveryPass of the component Password Recovery Page. The manipulation of the argument LanguageCombobox leads to sql injection. This vulnerability is traded as CVE-2025-8220. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. It has been rated as critical. This issue affects some unknown processing of the file /crm/crmapi/erp/tabdetail_moduleSave_dxkp.php of the component HTTP POST Request Handler. The manipulation of the argument getvaluestring leads to sql injection. The identification of this vulnerability is CVE-2025-8219. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+. We strongly advise all customers to upgrade to the current version (v8.6.5.2), which includes this fix and additional security enhancements."

A vulnerability was found in Kallyas Plugin up to 4.21.0 on WordPress. It has been declared as problematic. This vulnerability affects the function delete_font of the component Path Validation Handler. The manipulation leads to denial of service. This vulnerability was named CVE-2025-6989. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in Educenter Plugin up to 1.6.2 on WordPress. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-5529. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Kallyas Plugin up to 4.21.0 on WordPress and classified as critical. Affected by this issue is the function TH_LatestPosts4. The manipulation leads to file inclusion. This vulnerability is handled as CVE-2025-6991. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in TecharoHQ anubis up to 1.21.2 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. This vulnerability is known as CVE-2025-54414. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in tj-actions branch-names up to 8.x. Affected is an unknown function. The manipulation leads to command injection. This vulnerability is traded as CVE-2025-54416. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in dbgate up to 6.4.3-beta.8/6.4.3-prem. This issue affects some unknown processing of the component Path Handler. The manipulation of the argument File leads to path traversal: '\..\filename'. The identification of this vulnerability is CVE-2025-50184. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Opencast up to 17.5. This vulnerability affects unknown code of the component XML File Parser. The manipulation leads to information disclosure. This vulnerability was named CVE-2025-54380. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in astronomer dag-factory up to 0.23.0a8. This affects the function pull_request_target. The manipulation leads to os command injection. This vulnerability is uniquely identified as CVE-2025-54415. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in haxtheweb haxcms up to 11.0.13. It has been rated as critical. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to improper authorization. This vulnerability is handled as CVE-2025-54378. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in skops-dev skops up to 0.11.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to insufficient type distinction. This vulnerability is known as CVE-2025-54413. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in skops-dev skops up to 0.11.0. It has been classified as critical. Affected is an unknown function. The manipulation leads to insufficient type distinction. This vulnerability is traded as CVE-2025-54412. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in freescout-help-desk freescout up to 1.8.185 and classified as problematic. This issue affects the function Helper::decrypt. The manipulation leads to deserialization. The identification of this vulnerability is CVE-2025-54366. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.