CVE List - 2025 / November
Showing 701 - 800 of 1779 CVEs for November 2025 (Page 8 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-59171 | 2025-11-06 | Advantech DeviceOn/iEdge Path Traversal |
| CVE-2025-58423 | 2025-11-06 | Advantech DeviceOn/iEdge Path Traversal |
| CVE-2025-12789 | 2025-11-06 | Rhsso: open redirect |
| CVE-2025-57697 | 2025-11-07 | AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body... |
| CVE-2025-57698 | 2025-11-07 | AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses... |
| CVE-2025-60574 | 2025-11-07 | A Local File Inclusion (LFI) vulnerability has been identified in tQuadra CMS 4.2.1117. The issue exists in the "/styles/" path, which fails to properly sanitize user-supplied input. An attacker can... |
| CVE-2025-61261 | 2025-11-07 | A reflected cross-site scripting (XSS) vulnerability in CKEditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. |
| CVE-2025-63420 | 2025-11-07 | CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions. |
| CVE-2025-63543 | 2025-11-07 | TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in the /search_results endpoint via the q parameter. |
| CVE-2025-63544 | 2025-11-07 | TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in /order_notes via the id parameter. |
| CVE-2025-63638 | 2025-11-07 | Sourcecodester AI-Powered To-Do List App v1.0 is vulnerable to Cross-Site Scripting (XSS) in the "Task Title" and "Description (Optional)" fields when creating a Task, allowing an attacker to inject arbitrary... |
| CVE-2025-63639 | 2025-11-07 | The chat feature in the application Sourcecodester FAQ Bot with AI Assistant v1.0 is vulnerable to Cross-Site Scripting (XSS) due to improper handling of user-supplied input. An attacker can inject... |
| CVE-2025-63640 | 2025-11-07 | Sourcecodester Medicine Reminder App v1.0 is vulnerable to Cross-Site Scripting (XSS) in the "Medicine Name" and "Notes (Optional)" fields when creating an "Upcoming Reminder", allowing an attacker to inject arbitrary... |
| CVE-2025-63686 | 2025-11-07 | There is an arbitrary file download vulnerability in GuoMinJim PersonManage through commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 (2020-11-23) in the document query function under the Download Center menu in the PersonManage system. |
| CVE-2025-63687 | 2025-11-07 | An issue was discovered in rymcu forest through commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users' posts. |
| CVE-2025-63689 | 2025-11-07 | Multiple SQL injection vulnerabilities in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote attacker to execute arbitrary code via the orderby parameter |
| CVE-2025-63690 | 2025-11-07 | In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class... |
| CVE-2025-63691 | 2025-11-07 | In pig-mesh Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface (/api/admin/sys-token/page) has an improper permission verification issue, which... |
| CVE-2025-63713 | 2025-11-07 | Cross-Site Scripting (XSS) vulnerability in SourceCodester "MatchMaster" 1.0 allows remote attackers to inject arbitrary web script or HTML via crafted input in the custom test creation feature. The vulnerability exists... |
| CVE-2025-63714 | 2025-11-07 | Cross-Site Scripting (XSS) vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in... |
| CVE-2025-63716 | 2025-11-07 | The SourceCodester Leads Manager Tool v1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow unauthorized state-changing operations. The application lacks CSRF protection mechanisms such as anti-CSRF tokens or... |
| CVE-2025-63717 | 2025-11-07 | The change password functionality at /pet_grooming/admin/change_pass.php in SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. The application does not implement adequate anti-CSRF tokens or... |
| CVE-2025-63718 | 2025-11-07 | A SQL injection vulnerability exists in the SourceCodester PQMS (Patient Queue Management System) 1.0 in the api_patient_schedule.php endpoint. The appointmentID parameter is not properly sanitized, allowing attackers to execute arbitrary... |
| CVE-2025-63783 | 2025-11-07 | A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the... |
| CVE-2025-63784 | 2025-11-07 | An Open Redirect vulnerability exists in the OAuth callback handler in file onlook/apps/web/client/src/app/auth/callback/route.ts in Onlook web application 0.2.32. The vulnerability occurs because the application trusts the X-Forwarded-Host header value without... |
| CVE-2025-63785 | 2025-11-07 | A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being... |
| CVE-2025-52662 | 2025-11-07 | A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to... |
| CVE-2025-48985 | 2025-11-07 | A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users... |
| CVE-2025-11546 | 2025-11-07 | CLUSTERPRO X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2 and EXPRESSCLUSTER X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2, CLUSTERPRO X SingleServerSafe for Linux 4.0, 4.1,... |
| CVE-2025-64180 | 2025-11-07 | Manager-io/Manager: Complete Bypass of SSRF Protection via Time-of-Check Time-of-Use (TOCTOU) |
| CVE-2025-64184 | 2025-11-07 | Dosage vulnerable to Directory Traversal through crafted HTTP responses |
| CVE-2025-64187 | 2025-11-07 | OctoPrint is vulnerable to XSS through Action Command Notifications and Prompts |
| CVE-2025-64323 | 2025-11-07 | kgateway is missing xDS authorization |
| CVE-2025-5483 | 2025-11-07 | LC Wizard 1.2.10 - 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation |
| CVE-2025-64328 | 2025-11-07 | FreePBX Administration GUI is Vulnerable to Authenticated Command Injection |
| CVE-2025-64329 | 2025-11-07 | containerd CRI server: Host memory exhaustion through Attach goroutine leak |
| CVE-2025-12352 | 2025-11-07 | Gravity Forms <= 2.9.20 - Unauthenticated Arbitrary File Upload via 'copy_post_image' |
| CVE-2025-4519 | 2025-11-07 | IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_password Function |
| CVE-2025-4522 | 2025-11-07 | IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function |
| CVE-2025-64336 | 2025-11-07 | ClipBucket v5's Manage Photo Feature is Vulnerable to Stored XSS Attack via Photo Title |
| CVE-2025-64339 | 2025-11-07 | ClipBucket v5: Stored XSS Vulnerability in Manage Playlists |
| CVE-2025-64343 | 2025-11-07 | (conda) Constructor: Excessive permissions during and after installation |
| CVE-2025-12520 | 2025-11-07 | WP Airbnb Review Slider <= 4.2 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-12527 | 2025-11-07 | Page & Post Notes <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Note Update/Deletion |
| CVE-2025-64346 | 2025-11-07 | archives: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2025-10966 | 2025-11-07 | missing SFTP host verification with wolfSSH |
| CVE-2025-46413 | 2025-11-07 | Use of password hash with insufficient computational effort issue exists in BUFFALO Wi-Fi router 'WSR-1800AX4 series'. When WPS is enabled, PIN code and/or Wi-Fi password may be obtained by an... |
| CVE-2025-10870 | 2025-11-07 | SQL injection in DIAL's CentrosNet |
| CVE-2025-12853 | 2025-11-07 | SourceCodester Best House Rental Management System admin_class.php delete_house sql injection |
| CVE-2025-12854 | 2025-11-07 | newbee-mall-plus seckillExecution executeSeckill authorization |
| CVE-2025-10968 | 2025-11-07 | SQLi in GG Soft's PaperWork |
| CVE-2025-12855 | 2025-11-07 | code-projects Responsive Hotel Site newsletterdel.php sql injection |
| CVE-2025-12856 | 2025-11-07 | code-projects Responsive Hotel Site reservation.php sql injection |
| CVE-2025-34299 | 2025-11-07 | Monsta FTP <= 2.11 Unauthenticated Arbitrary File Upload |
| CVE-2025-12857 | 2025-11-07 | code-projects Responsive Hotel Site roombook.php sql injection |
| CVE-2025-12859 | 2025-11-07 | DedeBIZ templets_one_edit.php sql injection |
| CVE-2025-12860 | 2025-11-07 | DedeBIZ freelist_main.php sql injection |
| CVE-2025-58469 | 2025-11-07 | QuLog Center |
| CVE-2025-58465 | 2025-11-07 | Download Station |
| CVE-2025-58464 | 2025-11-07 | QuMagie |
| CVE-2025-58463 | 2025-11-07 | Download Station |
| CVE-2025-57712 | 2025-11-07 | Qsync Central |
| CVE-2025-57706 | 2025-11-07 | File Station 5 |
| CVE-2025-54168 | 2025-11-07 | QuLog Center |
| CVE-2025-54167 | 2025-11-07 | Notification Center |
| CVE-2025-53413 | 2025-11-07 | File Station 5 |
| CVE-2025-53412 | 2025-11-07 | File Station 5 |
| CVE-2025-53411 | 2025-11-07 | File Station 5 |
| CVE-2025-53410 | 2025-11-07 | File Station 5 |
| CVE-2025-53409 | 2025-11-07 | File Station 5 |
| CVE-2025-53408 | 2025-11-07 | File Station 5 |
| CVE-2025-52865 | 2025-11-07 | File Station 5 |
| CVE-2025-52425 | 2025-11-07 | QuMagie |
| CVE-2025-47207 | 2025-11-07 | File Station 5 |
| CVE-2025-12861 | 2025-11-07 | DedeBIZ spec_add.php sql injection |
| CVE-2025-7719 | 2025-11-07 | Smallworld SWMFS Arbitrary File Ops |
| CVE-2025-3222 | 2025-11-07 | Smallworld SWMFS Improper Authentication |
| CVE-2025-12862 | 2025-11-07 | projectworlds Online Notes Sharing Platform userprofile.php unrestricted upload |
| CVE-2025-64347 | 2025-11-07 | Apollo Router Improperly Enforces Renamed Access Control Directives |
| CVE-2025-64430 | 2025-11-07 | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format |
| CVE-2025-9458 | 2025-11-07 | PRT File Parsing Memory Corruption Vulnerability |
| CVE-2025-12873 | 2025-11-07 | Campcodes School File Management update_user.php sql injection |
| CVE-2025-12829 | 2025-11-07 | An uninitialized stack read issue exists in Amazon Ion-C versions <v1.1.4 that may allow a threat actor to craft data and serialize it to Ion text in such a way... |
| CVE-2025-64431 | 2025-11-07 | IDOR Vulnerabilities in ZITADEL's Organization API allow Cross-Tenant Data Tampering |
| CVE-2024-47118 | 2025-11-07 | IBM Db2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query |
| CVE-2025-36135 | 2025-11-07 | IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Cross-Site Scripting |
| CVE-2025-2534 | 2025-11-07 | IBM Db2 denial of service |
| CVE-2025-33012 | 2025-11-07 | IBM Db2 improper account lockout |
| CVE-2025-64432 | 2025-11-07 | KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer |
| CVE-2025-36186 | 2025-11-07 | IBM Db2 privilege escalation |
| CVE-2025-12890 | 2025-11-07 | Bluetooth: peripheral: Invalid handling of malformed connection request |
| CVE-2025-36185 | 2025-11-07 | IBM Db2 denial of service |
| CVE-2025-36136 | 2025-11-07 | IBM denial of service |
| CVE-2025-36131 | 2025-11-07 | IBM Db2 information disclosure |
| CVE-2025-36008 | 2025-11-07 | IBM Db2 denial of service |
| CVE-2025-7700 | 2025-11-07 | Ffmpeg: null pointer dereference in ffmpeg als decoder (libavcodec/alsdec.c) |
| CVE-2025-36006 | 2025-11-07 | IBM Db2 denial of service |
| CVE-2025-10230 | 2025-11-07 | Samba: command injection in wins server hook script |
| CVE-2025-64439 | 2025-11-07 | LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer |
| CVE-2025-12902 | 2025-11-07 | Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain unauthorized access to a locked Storage Device or create... |