CVE List - 2025 / October
Showing 801 - 900 of 4280 CVEs for October 2025 (Page 9 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-11335 | 2025-10-06 | D-Link DI-7100G C1 jhttpd msp_info.htm sub_46409C command injection |
| CVE-2025-11336 | 2025-10-06 | Four-Faith Water Conservancy Informatization Platform download.do;otherlogout.do path traversal |
| CVE-2025-11337 | 2025-10-06 | Four-Faith Water Conservancy Informatization Platform download.do;othersusrlogout.do path traversal |
| CVE-2023-49886 | 2025-10-06 | IBM Transformation Extender Advanced code execution |
| CVE-2025-49594 | 2025-10-06 | XWiki OIDC Authenticator vulnerable to creation of token for any user with just `view` right |
| CVE-2025-52472 | 2025-10-06 | XWiki Platform vulnerable to HQL injection via wiki and space search REST API |
| CVE-2025-59152 | 2025-10-06 | X-Forwarded-For Header Spoofing Bypasses Litestar Rate Limiting |
| CVE-2025-59159 | 2025-10-06 | SillyTavern Web Interface Vulnerable to DNS Rebinding |
| CVE-2025-61687 | 2025-10-06 | FlowiseAI/Flosise has File Upload vulnerability |
| CVE-2025-11338 | 2025-10-06 | D-Link DI-7100G C1 jhttpd login.cgi sub_4C0990 buffer overflow |
| CVE-2025-61765 | 2025-10-06 | python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments |
| CVE-2025-61766 | 2025-10-06 | Bucket vulnerable to infinite recursion when querying a bucket using the != operator |
| CVE-2025-0038 | 2025-10-06 | In AMD Zynq UltraScale+ devices, the lack of address validation when executing CSU runtime services through the PMU Firmware can allow access to isolated or protected memory spaces resulting in... |
| CVE-2025-61769 | 2025-10-06 | Emlog vulnerable to stored XSS in file upload functionality in emlog |
| CVE-2025-11339 | 2025-10-06 | D-Link DI-7100G C1 jhttpd hi_block.asp sub_4BD4F8 buffer overflow |
| CVE-2025-10363 | 2025-10-06 | Unauthenticated RCE via .NET Deserialization in Topal Finance Software |
| CVE-2025-61777 | 2025-10-06 | FlagForge Allows Unauthenticated Badge Template API Access |
| CVE-2025-36356 | 2025-10-06 | IBM Security Verify Access privilege escalation |
| CVE-2025-36355 | 2025-10-06 | IBM Security Verify Access code execution |
| CVE-2025-61778 | 2025-10-06 | Akka.Remote TLS did not properly implement certificate-based authentication |
| CVE-2025-36354 | 2025-10-06 | IBM Security Verify Access command execution |
| CVE-2025-11341 | 2025-10-06 | Jinher OA type xml external entity reference |
| CVE-2025-11342 | 2025-10-06 | code-projects Online Course Registration edit-course.php sql injection |
| CVE-2025-6985 | 2025-10-06 | XXE Vulnerability in langchain-ai/langchain |
| CVE-2025-11343 | 2025-10-06 | code-projects Student Crud Operation delete.php sql injection |
| CVE-2025-11344 | 2025-10-06 | ILIAS Certificate Import code injection |
| CVE-2025-11345 | 2025-10-06 | ILIAS Test Import unserialize deserialization |
| CVE-2025-11346 | 2025-10-06 | ILIAS Base64 Decoding unserialize deserialization |
| CVE-2025-61768 | 2025-10-06 | Kuno CMS Vulnerable to Server-Side Request Forgery (SSRF) via Unsafe SVG Upload |
| CVE-2025-43824 | 2025-10-06 | The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported... |
| CVE-2025-61774 | 2025-10-06 | PyVista has Dependency Confusion Vulnerability in that leads to RCE |
| CVE-2025-34251 | 2025-10-06 | Tesla Telematics Control Unit (TCU) < v2025.14 Authentication Bypass |
| CVE-2025-44823 | 2025-10-07 | Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475. |
| CVE-2025-44824 | 2025-10-07 | Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop... |
| CVE-2025-50505 | 2025-10-07 | Clash Verge Rev thru 2.2.3 forces the installation of system services(clash-verge-service) by default and exposes key functions through the unauthorized HTTP API `/start_clash`, allowing local users to submit arbitrary bin_path... |
| CVE-2025-52021 | 2025-10-07 | A SQL Injection vulnerability exists in the edit_product.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The product_id GET parameter is unsafely passed to a SQL query without proper validation... |
| CVE-2025-56243 | 2025-10-07 | A Cross-Site Scripting (XSS) vulnerability was found in the register.php page of PuneethReddyHC Event Management System 1.0, where the event_id GET parameter is improperly handled. An attacker can craft a... |
| CVE-2025-57564 | 2025-10-07 | CubeAPM nightly-2025-08-01-1 allow unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing... |
| CVE-2025-60312 | 2025-10-07 | Sourcecodester Markdown to HTML Converter v1.0 is vulnerable to a Cross-Site Scripting (XSS) in the "Markdown Input" field, allowing a remote attacker to inject arbitrary HTML/JavaScript code that executes in... |
| CVE-2025-62185 | 2025-10-07 | In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck.... |
| CVE-2025-62186 | 2025-10-07 | Ankitects Anki before 25.02.5 allows a crafted shared deck on Windows to execute arbitrary commands when playing audio because of URL scheme mishandling. |
| CVE-2025-62187 | 2025-10-07 | In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to... |
| CVE-2025-11347 | 2025-10-07 | code-projects Student Crud Operation Add Student Page/Edit Student add.php move_uploaded_file unrestricted upload |
| CVE-2025-11348 | 2025-10-07 | Campcodes Online Apartment Visitor Management System index.php sql injection |
| CVE-2025-11349 | 2025-10-07 | Campcodes Online Apartment Visitor Management System search-visitor.php sql injection |
| CVE-2025-11350 | 2025-10-07 | Campcodes Online Apartment Visitor Management System bwdates-reports-details.php sql injection |
| CVE-2025-11351 | 2025-10-07 | code-projects Online Hotel Reservation System editpicexec.php unrestricted upload |
| CVE-2025-11362 | 2025-10-07 | Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application... |
| CVE-2025-11352 | 2025-10-07 | code-projects Online Hotel Reservation System addexec.php unrestricted upload |
| CVE-2025-11353 | 2025-10-07 | code-projects Online Hotel Reservation System addgalleryexec.php unrestricted upload |
| CVE-2025-10162 | 2025-10-07 | OrderConvo < 14 - Unauthenticated Arbitrary File Read |
| CVE-2025-11354 | 2025-10-07 | code-projects Online Hotel Reservation System addslideexec.php unrestricted upload |
| CVE-2025-11355 | 2025-10-07 | UTT 1250GW aspChangeChannel strcpy buffer overflow |
| CVE-2025-11356 | 2025-10-07 | Tenda AC23 SetStaticRouteCfg sscanf buffer overflow |
| CVE-2025-7400 | 2025-10-07 | Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields |
| CVE-2025-11357 | 2025-10-07 | code-projects Simple Banking System createuser.php sql injection |
| CVE-2025-11358 | 2025-10-07 | code-projects Simple Banking System removeuser.php sql injection |
| CVE-2025-10645 | 2025-10-07 | WP Reset <= 2.05 - Unauthenticated Sensitive Information Exposure via wf-licensing.log |
| CVE-2025-11359 | 2025-10-07 | code-projects Simple Banking System transfermoney.php sql injection |
| CVE-2025-11360 | 2025-10-07 | jakowenko double-take API app.js app.use cross site scripting |
| CVE-2025-11385 | 2025-10-07 | Tenda AC20 fast_setting_wifi_set sscanf buffer overflow |
| CVE-2025-11386 | 2025-10-07 | Tenda AC15 POST Parameter SetDDNSCfg stack-based overflow |
| CVE-2025-11387 | 2025-10-07 | Tenda AC15 fast_setting_pppoe_set stack-based overflow |
| CVE-2025-11388 | 2025-10-07 | Tenda AC15 setNotUpgrade stack-based overflow |
| CVE-2025-11389 | 2025-10-07 | Tenda AC15 saveAutoQos stack-based overflow |
| CVE-2025-0603 | 2025-10-07 | SQLi in Callvision Healthcare's Callvision Emergency Code |
| CVE-2025-11390 | 2025-10-07 | PHPGurukul Cyber Cafe Management System POST Parameter search.php cross site scripting |
| CVE-2025-40649 | 2025-10-07 | Múltiples vulnerabilidades en Negotiator de BBMRI-ERIC |
| CVE-2025-40676 | 2025-10-07 | Múltiples vulnerabilidades en Negotiator de BBMRI-ERIC |
| CVE-2025-3718 | 2025-10-07 | Client-side path traversal in Guardian/CMC before 25.2.0 |
| CVE-2025-3719 | 2025-10-07 | Incorrect authorization for CLI in Guardian/CMC before 25.2.0 |
| CVE-2025-40885 | 2025-10-07 | Authenticated SQL Injection on Smart Polling functionality in Guardian/CMC before 25.2.0 |
| CVE-2025-40886 | 2025-10-07 | Authenticated SQL Injection on Alert functionality in Guardian/CMC before 25.2.0 |
| CVE-2025-40887 | 2025-10-07 | Authenticated SQL Injection on Alert functionality in Guardian/CMC before 25.2.0 |
| CVE-2025-40889 | 2025-10-07 | Path traversal in Time Machine functionality in Guardian/CMC before 25.2.0 |
| CVE-2025-40888 | 2025-10-07 | Authenticated SQL Injection on CLI functionality in Guardian/CMC before 25.3.0 |
| CVE-2025-11396 | 2025-10-07 | code-projects Simple Food Ordering System product.php sql injection |
| CVE-2021-22291 | 2025-10-07 | EIBPORT Reflected XSS |
| CVE-2025-53476 | 2025-10-07 | A denial of service vulnerability exists in the ModbusTCP server functionality of OpenPLC _v3 a931181e8b81e36fadf7b74d5cba99b73c3f6d58. A specially crafted series of network connections can lead to the server not processing subsequent... |
| CVE-2025-37728 | 2025-10-07 | Kibana Insufficiently Protected Credentials in the CrowdStrike Connector |
| CVE-2025-54405 | 2025-10-07 | Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can... |
| CVE-2025-54406 | 2025-10-07 | Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can... |
| CVE-2025-48826 | 2025-10-07 | A format string vulnerability exists in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to memory corruption. An attacker can send a... |
| CVE-2025-54403 | 2025-10-07 | Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a... |
| CVE-2025-54404 | 2025-10-07 | Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a... |
| CVE-2025-54399 | 2025-10-07 | Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to stack-based buffer overflow. An attacker can... |
| CVE-2025-54400 | 2025-10-07 | Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to stack-based buffer overflow. An attacker can... |
| CVE-2025-54401 | 2025-10-07 | Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to stack-based buffer overflow. An attacker can... |
| CVE-2025-54402 | 2025-10-07 | Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to stack-based buffer overflow. An attacker can... |
| CVE-2025-25009 | 2025-10-07 | Kibana Cross-Site Scripting (XSS) |
| CVE-2025-11397 | 2025-10-07 | SourceCodester Hotel and Lodge Management System login.php sql injection |
| CVE-2025-59425 | 2025-10-07 | vLLM vulnerable to timing attack at bearer auth |
| CVE-2025-61770 | 2025-10-07 | Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) |
| CVE-2023-6215 | 2025-10-07 | HP Sure Start IFD Protection - BIOS Security Update |
| CVE-2025-11398 | 2025-10-07 | SourceCodester Hotel and Lodge Management System Profile profile.php unrestricted upload |
| CVE-2025-61771 | 2025-10-07 | Rack's multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion) |
| CVE-2025-61772 | 2025-10-07 | Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) |
| CVE-2022-50509 | 2025-10-07 | media: coda: Add check for kmalloc |
| CVE-2022-50510 | 2025-10-07 | perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() |
| CVE-2022-50511 | 2025-10-07 | lib/fonts: fix undefined behavior in bit shift for get_default_font |