CVE List - 2025 / October
Showing 3601 - 3700 of 4280 CVEs for October 2025 (Page 37 of 43)
| CVE ID | Date | Title / Description |
|---|---|---|
| CVE-2025-12299 | 2025-10-27 | code-projects Simple Food Ordering System addproduct.php cross site scripting |
| CVE-2025-55754 | 2025-10-27 | Apache Tomcat: console manipulation via escape sequences in log messages |
| CVE-2025-55752 | 2025-10-27 | Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled |
| CVE-2025-61795 | 2025-10-27 | Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS |
| CVE-2025-12300 | 2025-10-27 | code-projects Simple Food Ordering System addcategory.php cross site scripting |
| CVE-2025-12301 | 2025-10-27 | code-projects Simple Food Ordering System editproduct.php unrestricted upload |
| CVE-2025-12302 | 2025-10-27 | code-projects Simple Food Ordering System editproduct.php cross site scripting |
| CVE-2025-12303 | 2025-10-27 | PHPGurukul Curfew e-Pass Management System admin-profile.php cross site scripting |
| CVE-2025-12363 | 2025-10-27 | Email Password Disclosure |
| CVE-2025-12364 | 2025-10-27 | Weak Password Policy |
| CVE-2025-12365 | 2025-10-27 | Error Messages Wrapped In HTTP Header |
| CVE-2025-12304 | 2025-10-27 | dulaiduwang003 TIME-SEA-PLUS Order Status PayController.java alipayIsSucceed improper authorization |
| CVE-2025-12305 | 2025-10-27 | quequnlong shiyi-blog Job SysJobController.java deserialization |
| CVE-2025-12306 | 2025-10-27 | code-projects Nero Social Networking Site acceptoffres.php sql injection |
| CVE-2025-36007 | 2025-10-27 | IBM QRadar SIEM incorrect privilege assignment |
| CVE-2025-46602 | 2025-10-27 | Dell SupportAssist OS Recovery, versions prior to 5.5.15.0, contain an Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability. A low privileged attacker with local access could potentially exploit... |
| CVE-2025-32785 | 2025-10-27 | Pi-hole Admin Interface vulnerable to persistent XSS on Subscribed lists group management (Adress Field) |
| CVE-2025-36170 | 2025-10-27 | IBM QRadar SIEM cross-site scripting |
| CVE-2025-36138 | 2025-10-27 | IBM QRadar SIEM cross-site scripting |
| CVE-2025-62253 | 2025-10-27 | Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA... |
| CVE-2025-12307 | 2025-10-27 | code-projects Nero Social Networking Site addfriend.php sql injection |
| CVE-2025-12308 | 2025-10-27 | code-projects Nero Social Networking Site deletemessage.php sql injection |
| CVE-2025-12309 | 2025-10-27 | code-projects Nero Social Networking Site friendprofile.php sql injection |
| CVE-2025-53533 | 2025-10-27 | Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page |
| CVE-2025-12310 | 2025-10-27 | VirtFusion Email Change _settings excessive authentication |
| CVE-2025-12311 | 2025-10-27 | PHPGurukul Curfew e-Pass Management System edit-category-detail.php cross site scripting |
| CVE-2025-12312 | 2025-10-27 | PHPGurukul Curfew e-Pass Management System view-pass-detail.php cross site scripting |
| CVE-2025-58356 | 2025-10-27 | Constellation allows insecure use of LUKS2 persistent storage partitions |
| CVE-2025-62263 | 2025-10-27 | Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow... |
| CVE-2025-59151 | 2025-10-27 | Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection |
| CVE-2025-62594 | 2025-10-27 | ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS) |
| CVE-2025-12313 | 2025-10-27 | D-Link DI-7001 MINI msp_info.htm command injection |
| CVE-2025-12314 | 2025-10-27 | code-projects Food Ordering System deleteitem.php sql injection |
| CVE-2025-12315 | 2025-10-27 | code-projects Food Ordering System menu.php sql injection |
| CVE-2025-62523 | 2025-10-27 | PILOS Misconfigured the Access-Control-Allow-Origin Header |
| CVE-2025-62524 | 2025-10-27 | PILOS Exposes PHP version |
| CVE-2025-12316 | 2025-10-27 | code-projects Courier Management System edit-courier.php sql injection |
| CVE-2025-12322 | 2025-10-27 | Tenda CH22 NatStaticSetting fromNatStaticSetting buffer overflow |
| CVE-2025-12325 | 2025-10-27 | SourceCodester Best Salon Management System forgot-password.php sql injection |
| CVE-2025-62725 | 2025-10-27 | Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations |
| CVE-2025-62262 | 2025-10-27 | Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update... |
| CVE-2025-62782 | 2025-10-27 | InventoryGUI vulnerable to item duplication via Bundle items when using GuiStorageElement |
| CVE-2025-62783 | 2025-10-27 | InventoryGui affected by item duplication in GUIs which use GuiStorageElement |
| CVE-2025-62784 | 2025-10-27 | InventoryGui allows item duplication in GUIs which use GuiStorageElement |
| CVE-2025-12326 | 2025-10-27 | shawon100 RUET OJ POST Request process.php sql injection |
| CVE-2025-12327 | 2025-10-27 | shawon100 RUET OJ description.php sql injection |
| CVE-2025-62261 | 2025-10-27 | Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores... |
| CVE-2025-62778 | 2025-10-27 | Frappe Learning allowed students to access the Quiz Form via direct URL |
| CVE-2025-62779 | 2025-10-27 | Frappe Learning users were able to add HTML through input fields in the Job Form |
| CVE-2025-62781 | 2025-10-27 | PILOS is missing session regeneration after password change |
| CVE-2025-62793 | 2025-10-27 | eLabFTW HTML / CSS Injection via Malicious SVG Upload Leads to Credential Theft / Clickjacking |
| CVE-2025-12328 | 2025-10-27 | shawon100 RUET OJ contestproblem.php sql injection |
| CVE-2025-12329 | 2025-10-27 | shawon100 RUET OJ details.php sql injection |
| CVE-2025-62260 | 2025-10-27 | Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number... |
| CVE-2025-12330 | 2025-10-27 | Willow CMS Add Post add cross site scripting |
| CVE-2025-12331 | 2025-10-27 | Willow CMS add unrestricted upload |
| CVE-2025-62259 | 2025-10-27 | Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does... |
| CVE-2025-12333 | 2025-10-27 | code-projects E-Commerce Website supplier_add.php cross site scripting |
| CVE-2025-12334 | 2025-10-27 | code-projects E-Commerce Website product_add.php cross site scripting |
| CVE-2025-62258 | 2025-10-27 | CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported... |
| CVE-2025-43024 | 2025-10-27 | HP ThinPro 8.1 SP8 Security Updates |
| CVE-2025-12332 | 2025-10-27 | SourceCodester Student Grades Management System admin.php delete_user cross site scripting |
| CVE-2025-12335 | 2025-10-27 | code-projects E-Commerce Website supplier_update.php cross site scripting |
| CVE-2025-33126 | 2025-10-27 | Fixes to common vulnerabilities found in IBM Db2 High Performance Unload |
| CVE-2025-33131 | 2025-10-27 | Fixes to common vulnerabilities found in IBM Db2 High Performance Unload |
| CVE-2025-33132 | 2025-10-27 | Fixes to common vulnerabilities found in IBM Db2 High Performance Unload |
| CVE-2025-33133 | 2025-10-27 | Fixes to common vulnerabilities found in IBM Db2 High Performance Unload |
| CVE-2025-54604 | 2025-10-28 | Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 1 of 2). |
| CVE-2025-54605 | 2025-10-28 | Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 2 of 2). |
| CVE-2025-56399 | 2025-10-28 | alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a `.png` extension containing PHP code can... |
| CVE-2025-60349 | 2025-10-28 | An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key... |
| CVE-2025-60354 | 2025-10-28 | Unauthorized modification of arbitrary articles vulnerability exists in blog-vue-springboot. |
| CVE-2025-60355 | 2025-10-28 | zhangyd-c OneBlog before 2.3.9 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates. |
| CVE-2025-60800 | 2025-10-28 | Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request. |
| CVE-2025-60805 | 2025-10-28 | An issue was discovered in BESSystem BES Application Server thru 9.5.x allowing unauthorized attackers to gain sensitive information via the "pre-resource" option in bes-web.xml. |
| CVE-2025-60858 | 2025-10-28 | Reolink Video Doorbell Wi-Fi DB_566128M5MP_W stores and transmits DDNS credentials in plaintext within its configuration and update scripts, allowing attackers to intercept or extract sensitive information. |
| CVE-2025-61043 | 2025-10-28 | An out-of-bounds read vulnerability has been discovered in Monkey's Audio 11.31, specifically in the CAPECharacterHelper::GetUTF16FromUTF8 function. The issue arises from improper handling of the length of the input UTF-8 string,... |
| CVE-2025-61080 | 2025-10-28 | A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Clear2Pay Bank Visibility Application - Payment Execution 1.10.0.104 via the ID parameter in the URL. |
| CVE-2025-61103 | 2025-10-28 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_lan_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61104 | 2025-10-28 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61106 | 2025-10-28 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61107 | 2025-10-28 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61128 | 2025-10-28 | Stack-based buffer overflow vulnerability in WAVLINK QUANTUM D3G/WL-WN530HG3 firmware M30HG3_V240730, and possibly other wavlink models allows attackers to execute arbitrary code via crafted referrer value POST to login.cgi. |
| CVE-2025-61155 | 2025-10-28 | Hotta Studio GameDriverX64.sys 7.23.4.7, a signed kernel-mode anti-cheat driver, allows local attackers to cause a denial of service by crashing arbitrary processes via sending crafted IOCTL requests. |
| CVE-2025-61235 | 2025-10-28 | An issue was discovered in Dataphone A920 v2025.07.161103. A custom packet based on public documentation can be crafted, where some fields can contain arbitrary or trivial data. Normally, such data... |
| CVE-2025-12336 | 2025-10-28 | Campcodes Retro Basketball Shoes Online Store admin_index.php sql injection |
| CVE-2025-12337 | 2025-10-28 | Campcodes Retro Basketball Shoes Online Store admin_feature.php sql injection |
| CVE-2025-12338 | 2025-10-28 | Campcodes Retro Basketball Shoes Online Store admin_product.ph sql injection |
| CVE-2025-12339 | 2025-10-28 | Campcodes Retro Basketball Shoes Online Store admin_football.php sql injection |
| CVE-2025-12341 | 2025-10-28 | ermig1979 AntiDupl Delete Duplicate Image AntiDupl.NET.WinForms.exe link following |
| CVE-2025-12342 | 2025-10-28 | Serdar Bayram Ghost Hot Spot Login Auth.php sql injection |
| CVE-2025-12344 | 2025-10-28 | Yonyou U8 Cloud Request Header NCloudGatewayServlet unrestricted upload |
| CVE-2025-12346 | 2025-10-28 | MaxSite CMS HTTP Header uploads-require-maxsite.php unrestricted upload |
| CVE-2025-12347 | 2025-10-28 | MaxSite CMS save-file-ajax.php unrestricted upload |
| CVE-2025-10939 | 2025-10-28 | Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console |
| CVE-2025-62777 | 2025-10-28 | Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1.07 and earlier, which may allow an attacker within the local network to log in to the affected device via Telnet... |
| CVE-2025-10145 | 2025-10-28 | Auto Featured Image (Auto Post Thumbnail) <= 4.1.7 - Authenticated (Author+) Server-Side Request Forgery |
| CVE-2025-11735 | 2025-10-28 | HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.1 - Unauthenticated SQL Injection via `phrase` Parameter |
| CVE-2025-12378 | 2025-10-28 | code-projects Simple Food Ordering System addproduct.php unrestricted upload |
| CVE-2025-10150 | 2025-10-28 | Webserver crash caused by scanning on TCP port 80 |