VulDB Recent Entries

A vulnerability marked as problematic has been reported in Mattermost up to 9.11.17/10.5.8. Impacted is an unknown function of the file /api/v4/teams/team-id/members/user-id/schemeRoles of the component API Endpoint. Performing manipulation results in incorrect authorization. This vulnerability is cataloged as CVE-2025-53971. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability identified as critical has been detected in Mattermost up to 9.11.17/10.5.8/10.8.3/10.9.2/10.10.0. This vulnerability affects unknown code of the component Non-Attachment File Handler. This manipulation causes unrestricted upload. This vulnerability is tracked as CVE-2025-49222. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

A vulnerability labeled as critical has been found in Mattermost up to 9.11.17/10.5.8/10.8.3/10.9.2. This issue affects some unknown processing. Such manipulation leads to path traversal. This vulnerability is listed as CVE-2025-8023. The attack may be performed from a remote location. There is no available exploit. The affected component should be upgraded.

A vulnerability categorized as critical has been discovered in Mattermost up to 9.11.17/10.5.8/10.8.3/10.9.2. This affects an unknown part of the file /api/v4/teams/:teamId/restore. The manipulation results in missing authentication. This vulnerability is identified as CVE-2025-47870. The attack can be executed remotely. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability was found in itsourcecode Apartment Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /fair/addfair.php. The manipulation of the argument ID leads to sql injection. This vulnerability is referenced as CVE-2025-9311. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability was found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /carRental_war/druid/login.html of the component Druid. Executing manipulation can lead to hard-coded credentials. The identification of this vulnerability is CVE-2025-9310. The attack may be launched remotely. Furthermore, there is an exploit available. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.

A vulnerability was found in Tenda AC10 16.03.10.13. It has been classified as problematic. Affected is an unknown function of the file /etc_ro/shadow of the component MD5 Hash Handler. Performing manipulation results in hard-coded credentials. This vulnerability was named CVE-2025-9309. The attack needs to be approached locally. In addition, an exploit is available.

A vulnerability was found in yarnpkg Yarn up to 1.22.22 and classified as problematic. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is uniquely identified as CVE-2025-9308. Local access is required to approach this attack. No exploit exists.

A vulnerability has been found in PHPGurukul Online Course Registration 3.1 and classified as critical. This affects an unknown function of the file /admin/session.php. This manipulation of the argument sesssion causes sql injection. This vulnerability is handled as CVE-2025-9307. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability, which was classified as problematic, was found in SourceCodester Advanced School Management System 1.0. The impacted element is an unknown function of the file /index.php/notice/addNotice. The manipulation of the argument noticeSubject results in cross site scripting. This vulnerability is known as CVE-2025-9306. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability, which was classified as critical, has been found in SourceCodester Online Bank Management System 1.0. The affected element is an unknown function of the file /bank/mnotice.php. The manipulation of the argument ID leads to sql injection. This vulnerability is traded as CVE-2025-9305. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical was found in SourceCodester Online Bank Management System 1.0. Impacted is an unknown function of the file /bank/show.php. Executing manipulation of the argument ID can lead to sql injection. This vulnerability appears as CVE-2025-9304. The attack may be performed from a remote location. In addition, an exploit is available.

A vulnerability classified as critical has been found in TOTOLINK A720R 4.1.5cu.630_B20250509. This issue affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. Performing manipulation of the argument desc results in buffer overflow. This vulnerability is reported as CVE-2025-9303. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability described as critical has been identified in PHPGurukul User Management System 1.0. This vulnerability affects unknown code of the file /signup.php. Such manipulation of the argument emailid leads to sql injection. This vulnerability is documented as CVE-2025-9302. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability marked as problematic has been reported in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. This vulnerability is registered as CVE-2025-9301. The attack needs to be launched locally. Furthermore, an exploit is available. It is suggested to install a patch to address this issue.

A vulnerability labeled as critical has been found in saitoha libsixel up to 1.10.3. Affected by this issue is the function sixel_debug_print_palette of the file src/encoder.c of the component img2sixel. The manipulation results in stack-based buffer overflow. This vulnerability is cataloged as CVE-2025-9300. The attack must be initiated from a local position. Furthermore, there is an exploit available. Applying a patch is advised to resolve this issue.

A vulnerability identified as critical has been detected in Tenda M3 1.0.0.12. Affected by this vulnerability is the function formGetMasterPassengerAnalyseData of the file /goform/getMasterPassengerAnalyseData. The manipulation of the argument Time leads to stack-based buffer overflow. This vulnerability is listed as CVE-2025-9299. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability categorized as critical has been discovered in Tenda M3 1.0.0.12. Affected is the function formQuickIndex of the file /goform/QuickIndex. Executing manipulation of the argument PPPOEPassword can lead to stack-based buffer overflow. This vulnerability is tracked as CVE-2025-9298. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability was found in Tenda i22 1.0.0.3(4687). It has been rated as critical. This impacts the function formWeixinAuthInfoGet of the file /goform/wxportalauth. Performing manipulation of the argument Type results in stack-based buffer overflow. This vulnerability is identified as CVE-2025-9297. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability was found in Emlog Pro up to 2.5.18. It has been declared as critical. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Such manipulation of the argument image leads to unrestricted upload. This vulnerability is referenced as CVE-2025-9296. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.