Aggregator

Currently trending CVE - Hype Score: 1 - XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's ...

A vulnerability, which was classified as critical, was found in Feng Office 3.11.1.2. Affected is an unknown function of the component Workspaces. The manipulation of the argument dim leads to sql injection. This vulnerability is traded as CVE-2024-6039. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Elaine Marketing Automation up to 6.18.17 and classified as problematic. This vulnerability affects unknown code of the file /system/interface/wrapper_dialog.php. The manipulation of the argument dialog leads to cross site scripting. This vulnerability was named CVE-2024-42831. The attack can be initiated remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Drupal 11.x-dev and classified as problematic. This vulnerability affects the function hash_salt of the file core/authorize.php. The manipulation leads to information disclosure. This vulnerability was named CVE-2024-45440. The attack can be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in Adobe ColdFusion 2021 and ColdFusion 2023. It has been classified as critical. Affected is an unknown function. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2024-20767. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic was found in Xlightftpd Xlight FTP Server 1.1. This vulnerability affects unknown code of the component Login. The manipulation of the argument User leads to denial of service. This vulnerability was named CVE-2024-0737. The attack can be initiated remotely. Furthermore, there is an exploit available.

Evilent Coerce A practical NTLM relay attack using the MS-EVEN RPC protocol and antivirus-assisted coercion. Evilent is a PoC tool that triggers the ElfrOpenBELW procedure in the MS-EVEN RPC interface (used for Windows Event...

The post Evilent PoC Exposes Windows Event Log Vulnerability, Leaking NetNTLMv2 Credentials via SMB Share appeared first on Penetration Testing Tools.

What if defenders could prepare for new vulnerabilities before they’re disclosed? GreyNoise’s latest research reveals that spikes in attacker activity often precede the disclosure of new CVEs — typically within six weeks. These findings shed light on a narrow but reliable early warning signal, giving security teams a critical window to harden defenses, monitor closely, and act ahead of emerging threats.

Close the speed gap in your security. GreyNoise unveils new real-time dynamic blocklists, push-based threat intelligence feeds, and SOAR integrations to help defenders detect, block, and respond to automated attacks faster than ever.

让地下环隧管理系统安全、稳定、高速运行。

Cybersecurity experts have identified more than a dozen critical vulnerabilities within the Niagara Framework—a platform developed by Tridium, a subsidiary of Honeywell. This technology is extensively deployed in the automation and management of smart...

The post Critical Flaws (CVSS 9.8) in Honeywell’s Niagara Framework Expose Smart Buildings & Industrial Systems to Root Access appeared first on Penetration Testing Tools.

A vulnerability was found in Samsung Electronics MagicINFO 9 Server 21.1050/21.1052. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal. This vulnerability is known as CVE-2025-54438. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Samsung Electronics MagicINFO 9 Server 21.1050/21.1052. Affected is an unknown function. The manipulation leads to unrestricted upload. This vulnerability is traded as CVE-2025-54440. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Samsung Electronics MagicINFO 9 Server 21.1050/21.1052. Affected by this issue is some unknown functionality. The manipulation leads to unrestricted upload. This vulnerability is handled as CVE-2025-54444. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Samsung Electronics MagicINFO 9 Server 21.1050/21.1052. This affects an unknown part. The manipulation leads to unrestricted upload. This vulnerability is uniquely identified as CVE-2025-54439. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Samsung Electronics MagicINFO 9 Server 21.1050/21.1052 and classified as critical. This issue affects some unknown processing. The manipulation leads to unrestricted upload. The identification of this vulnerability is CVE-2025-54442. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in PHPGurukul Local Services Search Engine Management System 2.1. Affected by this vulnerability is an unknown functionality of the file /admin/changeimage.php. The manipulation of the argument editid leads to sql injection. This vulnerability is known as CVE-2025-8179. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, has been found in code-projects Exam Form Submission 1.0. This issue affects some unknown processing of the file /admin/update_s3.php. The manipulation of the argument credits leads to sql injection. The identification of this vulnerability is CVE-2025-8249. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Samsung Electronics MagicINFO 9 Server 21.1050/21.1052 and classified as critical. This vulnerability affects unknown code. The manipulation leads to unrestricted upload. This vulnerability was named CVE-2025-54441. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Lakeside SyStrack. This issue affects some unknown processing of the file LsiAgent.exe of the component Environment Variable Handler. The manipulation of the argument SYSTEM PATH leads to uncontrolled search path. The identification of this vulnerability is CVE-2025-6241. The attack needs to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.