Exploit Database

145,169 exploits tracked across all sources.

CVE-2025-27602 WRITEUP MEDIUM
Umbraco CMS < 10.8.9 - Authenticated Improper Authorization via Backoffice API URL Manipulation
Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available.
CVSS 4.9
CVE-2025-27606 WRITEUP MEDIUM
Element Android <1.6.32 - Info Disclosure
Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to log out the user if they input the wrong PIN more than the configured number of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue.
CVSS 5.1
CVE-2025-27607 WRITEUP HIGH
Python JSON Logger <4 Mar 2025 - RCE
Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.
CVSS 8.8
CVE-2025-27612 WRITEUP MEDIUM
libcontainer < 0.5.3 - Incorrect Default Permissions via Tenant Builder Capability Inheritance
libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added to the spec of the tenant container. The logic adds the given capabilities to all capabilities of the main container if present in the spec, and otherwise simply sets the provided capabilities as the capabilities of the tenant container. However, setting inherited caps in any case for the tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect the youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder.
CVSS 5.9
CVE-2025-27615 WRITEUP HIGH
umatiGateway - Unauthenticated Exposure of Sensitive Configuration Information
umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker utilizing JSON messages. The user interface may possibly be publicly accessible with umatiGateway's provided docker-compose file. With this access, the configuration can be viewed and altered. Commit 5d81a3412bc0051754a3095d89a06d6d743f2b16 uses `127.0.0.1:8080:8080` to limit access to the local network. For those who are unable to use this proposed patch, a firewall on port 8080 may block remote access, but the workaround may not be perfect because Docker may also bypass a firewall through its iptables-based rules for port forwarding.
CVSS 8.2
CVE-2025-27616 WRITEUP HIGH
go-vela/server < 0.25.3 and 0.26.0-0.26.3 - Repository Ownership Transfer via Spoofed Webhook Payload
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.
CVSS 8.5
CVE-2025-27617 WRITEUP HIGH
pimcore < 11.5.4 - Authenticated SQL Injection via Filter String
Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.
CVSS 8.8
CVE-2025-27773 WRITEUP HIGH
SimpleSAMLphp saml2 < 4.17.0 and 5.0.0-alpha.1-5.0.0-alpha.20 - Signature Confusion Attack via HTTPRedirect Binding
The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.
CVSS 8.6
CVE-2025-27778 WRITEUP CRITICAL
Applio < 3.2.8-bugfix - Remote Code Execution via Unsafe Deserialization in infer.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in `infer.py`. The issue can lead to remote code execution. As of time of publication, a fix is available on the `main` branch of the Applio repository but not attached to a numbered release.
CVSS 9.8
CVE-2025-27780 WRITEUP CRITICAL
Applio < 3.2.8-bugfix - Remote Code Execution via Unsafe Deserialization in model_information.py
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. `model_name` in model_information.py takes user-supplied input (e.g. a path to a model) and passes that value to the `run_model_information_script` and later to the `model_information` function, which loads that model with `torch.load` in rvc/train/process/model_information.py (on line 16 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available in the `main` branch of the repository.
CVSS 9.8
CVE-2025-27781 WRITEUP CRITICAL
Applio < 3.2.8-bugfix - Remote Code Execution via Unsafe Deserialization in Model File Handling
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. `model_file` in inference.py as well as `model_file` in tts.py take user-supplied input (e.g. a path to a model) and pass that value to the `change_choices` and later to `get_speakers_id` function, which loads that model with `torch.load` in inference.py (line 326 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available on the `main` branch of the repository.
CVSS 9.8
CVE-2025-27840 WRITEUP MEDIUM
Espressif ESP32 Firmware - Hidden Functionality via Undocumented HCI Commands
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).
CVSS 6.8
CVE-2025-2705 WRITEUP HIGH
Digiwin ERP 5.1 - Unrestricted Upload
A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 7.3
CVE-2025-28009 WRITEUP CRITICAL
Dietiqa 1.0.20 - SQL Injection via Progress Body Weight Endpoint u Parameter
A SQL Injection vulnerability exists in the `u` parameter of the progress-body-weight.php endpoint of Dietiqa App v1.0.20.
CVSS 9.8
CVE-2025-28142 WRITEUP MEDIUM
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via formDiskCreateShare foldername Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.15 was discovered to contain a command injection vulnerability via the foldername in /boafrm/formDiskCreateShare.
CVSS 6.5
CVE-2025-28143 WRITEUP MEDIUM
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via Groupname Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.15 was discovered to contain a command injection vulnerability via the groupname at the /boafrm/formDiskCreateGroup.
CVSS 6.5
CVE-2025-28144 WRITEUP MEDIUM
Edimax BR-6478AC V3 Firmware 1.0.15 - Stack-based Buffer Overflow via peerPin Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a stack overflow vulnerability via the peerPin parameter in the formWsc function.
CVSS 6.5
CVE-2025-28145 WRITEUP MEDIUM
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via Disk Format Partition Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via partition in /boafrm/formDiskFormat.
CVSS 6.5
CVE-2025-28146 WRITEUP CRITICAL
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via fota_url Parameter
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via fota_url in /boafrm/formLtefotaUpgradeQuectel.
CVSS 9.8
CVE-2025-28254 WRITEUP MEDIUM
Leantime < 3.3.0 - Authenticated Stored Cross-Site Scripting via First Name Field in processMentions()
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().
CVSS 5.4
CVE-2025-28355 WRITEUP MEDIUM
Volmarg Personal Management System 1.4.65 - Cross-Site Request Forgery via SameSite Cookie Attribute
Volmarg Personal Management System 1.4.65 is vulnerable to Cross Site Request Forgery (CSRF), allowing attackers to execute arbitrary code and obtain sensitive information via the SameSite cookie attribute's default value being set to none.
CVSS 4.7
CVE-2025-2812 WRITEUP CRITICAL
Mydata Ticket Sales Automation < 2025-04-03 - Blind SQL Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection. This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY).
CVSS 9.8
CVE-2025-29039 WRITEUP HIGH
D-Link DIR-823x Firmware - Remote Code Execution via Function 0x41dda8
An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x41dda8.
CVSS 7.2
CVE-2025-29040 WRITEUP CRITICAL
D-Link DIR-823x Firmware 240802 - OS Command Injection via target_addr Parameter
An issue in dlink DIR 823x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41737c.
CVSS 9.8
CVE-2025-29041 WRITEUP CRITICAL
D-Link DIR-823x 240802 - OS Command Injection via target_addr Parameter
An issue in dlink DIR 823x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41710c.
CVSS 9.8