VulDB Recent Entries

A vulnerability was found in Xinhu Rainrock RockOA up to 2.7.1. It has been rated as problematic. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. This vulnerability appears as CVE-2026-0588. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Xinhu Rainrock RockOA up to 2.7.1. It has been declared as problematic. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. This vulnerability is reported as CVE-2026-0587. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in JFrog Artifactory. It has been classified as problematic. This impacts an unknown function. The manipulation leads to cross site scripting. This vulnerability is documented as CVE-2025-14830. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability was found in bg5sbk MiniCMS up to 1.8 and classified as critical. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. This vulnerability is registered as CVE-2025-15458. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in bg5sbk MiniCMS up to 1.8 and classified as critical. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. This vulnerability is cataloged as CVE-2025-15457. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in bg5sbk MiniCMS up to 1.8. The affected element is an unknown function of the file /mc-admin/page-edit.php of the component Publish Page Handler. Such manipulation leads to improper authentication. This vulnerability is listed as CVE-2025-15456. The attack may be performed from remote. In addition, an exploit is available. The existence of this vulnerability is still disputed at present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in bg5sbk MiniCMS up to 1.8. Impacted is the function delete_page of the file /minicms/mc-admin/page.php of the component File Recovery Request Handler. This manipulation causes improper authentication. This vulnerability is tracked as CVE-2025-15455. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as problematic was found in zhanglun lettura up to 0.1.22. This issue affects some unknown processing of the file src/components/ArticleView/ContentRender.tsx of the component RSS Handler. The manipulation results in cross site scripting. This vulnerability is identified as CVE-2025-15454. The attack can be executed remotely. Additionally, an exploit exists. It is best practice to apply a patch to resolve this issue.

A vulnerability classified as critical has been found in milvus up to 2.6.7. This vulnerability affects the function expr.Exec of the file pkg/util/expr/expr.go of the component HTTP Endpoint. The manipulation of the argument code leads to deserialization. This vulnerability is referenced as CVE-2025-15453. Remote exploitation of the attack is possible. Furthermore, an exploit is available. A fix is planned for the next release 2.6.8.

A vulnerability described as problematic has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. Executing a manipulation of the argument Description can lead to cross site scripting. The identification of this vulnerability is CVE-2025-15452. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability marked as problematic has been reported in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. Performing a manipulation of the argument Description results in cross site scripting. This vulnerability was named CVE-2025-15451. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability labeled as critical has been found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to sql injection. This vulnerability is uniquely identified as CVE-2025-15450. The attack can be launched remotely. Moreover, an exploit is present. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability identified as critical has been detected in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. This vulnerability is handled as CVE-2025-15449. The attack can be initiated remotely. There is not any exploit available. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability categorized as critical has been discovered in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. This vulnerability is known as CVE-2025-15448. It is possible to launch the attack remotely. No exploit is available. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Seeyon Zhiyuan OA Web Application System up to 20251223. It has been rated as critical. This affects an unknown function of the file /assetsGroupReport/assetsService.j%73p. The manipulation of the argument unitCode leads to sql injection. This vulnerability is traded as CVE-2025-15447. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Seeyon Zhiyuan OA Web Application System up to 20251223. It has been declared as critical. The impacted element is an unknown function of the file /assetsGroupReport/fixedAssetsList.j%73p. Executing a manipulation of the argument unitCode can lead to sql injection. This vulnerability appears as CVE-2025-15446. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in code-projects Online Product Reservation System 1.0. It has been classified as problematic. The affected element is an unknown function of the file handgunner-administrator/prod.php. Performing a manipulation of the argument cat results in cross site scripting. This vulnerability is reported as CVE-2026-0586. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability was found in code-projects Online Product Reservation System 1.0 and classified as critical. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. This vulnerability is documented as CVE-2026-0585. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability has been found in code-projects Online Product Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file app/products/left_cart.php. This manipulation of the argument ID causes sql injection. This vulnerability is registered as CVE-2026-0584. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability, which was classified as critical, was found in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. This vulnerability is cataloged as CVE-2026-0583. The attack may be launched remotely. Furthermore, there is an exploit available.