Exploit Database

145,365 exploits tracked across all sources.

Sort: Activity Stars
CVE-2025-65858 WRITEUP LOW
Calibre-Web 0.6.25 - Stored Cross-Site Scripting via Username Field
A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.
CVSS 3.5
CVE-2025-65865 WRITEUP HIGH
eProsima Fast-DDS v3.3 - Denial of Service via Integer Overflow
An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVSS 7.5
CVE-2025-65875 WRITEUP HIGH
FPDF <= 1.86 - Arbitrary File Upload via AddFont Function
An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVSS 8.8
CVE-2024-48514 WRITEUP CRITICAL
php-heic-to-jpg <= 1.0.5 - Remote Code Execution via HEIC Image Filename
php-heic-to-jpg <= 1.0.5 is vulnerable to code injection (fixed in 1.0.6). An attacker who can upload heic images is able to execute code on the remote server via the file name. As a result, the CIA is no longer guaranteed. This affects php-heic-to-jpg 1.0.5 and below.
CVSS 9.8
CVE-2025-65881 WRITEUP MEDIUM
Sourcecodester Zoo Management System v1.0 - XSS
Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php.
CVSS 6.1
CVE-2025-65881 WRITEUP MEDIUM
Sourcecodester Zoo Management System v1.0 - XSS
Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php.
CVSS 6.1
CVE-2025-65882 WRITEUP CRITICAL
openmptcprouter <0.64 - Code Injection
An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands.
CVSS 9.8
CVE-2025-65897 WRITEUP HIGH
zdh_web <5.6.17 - Privilege Escalation/Remote Code Execution
zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.
CVSS 8.8
CVE-2025-65899 WRITEUP MEDIUM
Kalmia 0.2.0 - Unauthenticated User Enumeration via Authentication Error Messages
Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in its authentication mechanism. The application returns different error messages for invalid users (user_not_found) versus valid users with incorrect passwords (invalid_password). This observable response discrepancy allows unauthenticated attackers to enumerate valid usernames on the system.
CVSS 5.3
CVE-2025-65900 WRITEUP MEDIUM
Kalmia CMS <0.2.0 - Info Disclosure
Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users.
CVSS 6.5
CVE-2025-65922 WRITEUP MEDIUM
Planka 2.0.0 - UI Redressing via Missing X-Frame-Options and CSP Headers
PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes."
CVSS 4.3
CVE-2025-65945 WRITEUP HIGH
auth0/node-jws <4.0.0 - Improper Signature Verification
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
CVSS 7.5
CVE-2025-65952 WRITEUP HIGH
Console < 2.8.0 - Path Traversal and Arbitrary File Write via Backslash and Period Bypass
Console is a network used to control Gorilla Tag mods' users and other users on the network. Prior to version 2.8.0, a path traversal vulnerability exists where complicated combinations of backslashes and periods can be used to escape the Gorilla Tag path and write to unwanted directories. This issue has been patched in version 2.8.0.
CVE-2025-65955 WRITEUP MEDIUM
ImageMagick <7.1.2-9 & 6.9.13-34 - Memory Corruption
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory. DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption. This vulnerability is fixed in 7.1.2-9 and 6.9.13-34.
CVSS 4.9
CVE-2025-65964 WRITEUP HIGH
n8n 0.123.1-1.119.1 - Remote Code Execution via Git Hook Path Manipulation
n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node.
CVSS 8.8
CVE-2025-6509 WRITEUP LOW
seaswalker spring-analysis <4379cce848af96997a9d7ef91d594aa129be8d7...
A vulnerability was found in seaswalker spring-analysis up to 4379cce848af96997a9d7ef91d594aa129be8d71. It has been declared as problematic. Affected by this vulnerability is the function echo of the file /src/main/java/controller/SimpleController.java. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
CVSS 3.5
CVE-2025-6514 WRITEUP CRITICAL
mcp-remote >=0.0.5 <0.1.16 - OS Command Injection via Authorization Endpoint Response URL
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
CVSS 9.6
CVE-2025-6517 WRITEUP MEDIUM
Dromara MaxKey <= 4.1.7 - Server-Side Request Forgery via SAML20DetailsController Meta URL Handler
A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\apps\contorller\SAML20DetailsController.java of the component Meta URL Handler. The manipulation of the argument post leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 6.3
CVE-2025-6531 WRITEUP MEDIUM
SIFUSM/MZZYG BD S1 <20250611 - Info Disclosure
A vulnerability was found in SIFUSM/MZZYG BD S1 up to 20250611. It has been declared as problematic. This vulnerability affects unknown code of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names.
CVSS 4.3
CVE-2025-6532 WRITEUP MEDIUM
NOYAFA/Xiami LF9 Pro <20250611 - Info Disclosure
A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names.
CVSS 4.3
CVE-2025-6545 WRITEUP CRITICAL
pbkdf2 3.0.10-3.1.2 - Signature Spoofing via Improper Input Validation in lib/to-buffer.js
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.
CVE-2025-6551 WRITEUP LOW
java-aodeng Hope-Boot 1.0.0 - Cross-Site Scripting via WebController Login Error Message
A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 3.5
CVE-2025-6552 WRITEUP MEDIUM
java-aodeng Hope-Boot 1.0.0 - Open Redirect
A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 4.3
CVE-2025-6568 WRITEUP HIGH
TOTOLINK EX1200T 4.1.2cu.5232_B20210713 - Buffer Overflow
A vulnerability classified as critical has been found in TOTOLINK EX1200T 4.1.2cu.5232_B20210713. Affected is an unknown function of the file /boafrm/formIpv6Setup of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS 8.8
CVE-2025-66022 WRITEUP CRITICAL
OWASP Faction < 1.7.1 - Unauthenticated Remote Code Execution via Malicious Extension Upload
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
CVSS 9.6