CVE List - 2025 / December
Showing 1 - 100 of 3706 CVEs for December 2025 (Page 1 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-32388 | 2025-12-01 | Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services... |
| CVE-2024-39148 | 2025-12-01 | The service wmp-agent of KerOS prior to 5.12 does not properly validate so-called ‘magic URLs’, allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is... |
| CVE-2024-56089 | 2025-12-01 | An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack. |
| CVE-2025-51682 | 2025-12-01 | mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on... |
| CVE-2025-51683 | 2025-12-01 | A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint. |
| CVE-2025-57489 | 2025-12-01 | Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. |
| CVE-2025-61228 | 2025-12-01 | An issue in Shirt Pocket SuperDuper! V.3.10 and before allows a local attacker to execute arbitrary code via the software update mechanism. |
| CVE-2025-61229 | 2025-12-01 | An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allows a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full... |
| CVE-2025-63095 | 2025-12-01 | Improper input validation in the BitstreamWriter::write_bits() function of Tempus Ex hello-video-codec v0.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
| CVE-2025-63317 | 2025-12-01 | Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a... |
| CVE-2025-63365 | 2025-12-01 | SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive... |
| CVE-2025-63520 | 2025-12-01 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). |
| CVE-2025-63522 | 2025-12-01 | Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function |
| CVE-2025-63523 | 2025-12-01 | FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the... |
| CVE-2025-63525 | 2025-12-01 | An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php. |
| CVE-2025-63526 | 2025-12-01 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in... |
| CVE-2025-63527 | 2025-12-01 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before... |
| CVE-2025-63528 | 2025-12-01 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it... |
| CVE-2025-63529 | 2025-12-01 | A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the... |
| CVE-2025-63531 | 2025-12-01 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker... |
| CVE-2025-63532 | 2025-12-01 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker... |
| CVE-2025-63533 | 2025-12-01 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before... |
| CVE-2025-63534 | 2025-12-01 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the login.php component. The application fails to properly sanitize or encode user-supplied input before rendering it... |
| CVE-2025-63535 | 2025-12-01 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker... |
| CVE-2025-64030 | 2025-12-01 | Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side and rendered... |
| CVE-2025-65403 | 2025-12-01 | A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
| CVE-2025-65404 | 2025-12-01 | A buffer overflow in the getSideInfo2() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via a crafted MP3 stream. |
| CVE-2025-65405 | 2025-12-01 | A use-after-free in the ADTSAudioFileSource::samplingFrequency() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS/AAC file. |
| CVE-2025-65406 | 2025-12-01 | A heap overflow in the MatroskaFile::createRTPSinkForTrackNumber() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MKV file. |
| CVE-2025-65407 | 2025-12-01 | A use-after-free in the MPEG1or2Demux::newElementaryStream() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG Program stream. |
| CVE-2025-65408 | 2025-12-01 | A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file. |
| CVE-2025-65621 | 2025-12-01 | Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. |
| CVE-2025-65622 | 2025-12-01 | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. |
| CVE-2025-65836 | 2025-12-01 | PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController. |
| CVE-2025-65838 | 2025-12-01 | PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method. |
| CVE-2025-65840 | 2025-12-01 | PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController. |
| CVE-2025-13797 | 2025-12-01 | ADSLR B-QE2W401 send_order.cgi parameter del_swifimac command injection |
| CVE-2025-64772 | 2025-12-01 | The installer of INZONE Hub 1.0.10.3 to 1.0.17.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code... |
| CVE-2025-13798 | 2025-12-01 | ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_add command injection |
| CVE-2025-13799 | 2025-12-01 | ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_del command injection |
| CVE-2025-13800 | 2025-12-01 | ADSLR NBR1005GPEV2 send_order.cgi set_mesh_disconnect command injection |
| CVE-2025-13802 | 2025-12-01 | jairiidriss RestaurantWebsite Make a Reservation cross site scripting |
| CVE-2025-13803 | 2025-12-01 | MediaCrush Header paths.py http headers for scripting syntax |
| CVE-2025-13804 | 2025-12-01 | nutzam NutzBoot Ethereum Wallet EthModule.java information disclosure |
| CVE-2025-13805 | 2025-12-01 | nutzam NutzBoot LiteRpc-Serializer HttpServletRpcEndpoint.java getInputStream deserialization |
| CVE-2025-13806 | 2025-12-01 | nutzam NutzBoot Transaction API EthModule.java improper authorization |
| CVE-2025-13807 | 2025-12-01 | orionsec orion-ops API MachineKeyController.java MachineKeyController improper authorization |
| CVE-2025-13808 | 2025-12-01 | orionsec orion-ops User Profile UserController.java update improper authorization |
| CVE-2025-13809 | 2025-12-01 | orionsec orion-ops SSH Connection MachineInfoController.java server-side request forgery |
| CVE-2025-13810 | 2025-12-01 | jsnjfz WebStack-Guns KaptchaController.java renderPicture path traversal |
| CVE-2025-13811 | 2025-12-01 | jsnjfz WebStack-Guns PageFactory.java sql injection |
| CVE-2025-13813 | 2025-12-01 | moxi159753 Mogu Blog v2 Storage Management Endpoint storage authorization |
| CVE-2025-13814 | 2025-12-01 | moxi159753 Mogu Blog v2 uploadPicsByUrl LocalFileServiceImpl.uploadPictureByUrl server-side request forgery |
| CVE-2025-11131 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-11132 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-11133 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-3012 | 2025-12-01 | In dpc modem, there is a possible system crash due to null pointer dereference. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-61617 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-61618 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-61619 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-61607 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-61608 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-61609 | 2025-12-01 | In modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-61610 | 2025-12-01 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| CVE-2025-13815 | 2025-12-01 | moxi159753 Mogu Blog v2 pictures unrestricted upload |
| CVE-2025-13816 | 2025-12-01 | moxi159753 Mogu Blog v2 ZIP File unzipFile FileOperation.unzip path traversal |
| CVE-2025-13819 | 2025-12-01 | Open redirect in web server of MiR robots and MiR fleet |
| CVE-2025-41739 | 2025-12-01 | CODESYS Control - Linux/QNX SysSocket flaw |
| CVE-2025-41738 | 2025-12-01 | CODESYS Control - Invalid type usage in visualization |
| CVE-2025-41700 | 2025-12-01 | CODESYS Development System - Deserialization of Untrusted Data |
| CVE-2025-59789 | 2025-12-01 | Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser |
| CVE-2025-2879 | 2025-12-01 | Mali GPU Kernel Driver allows improper GPU processing operations |
| CVE-2025-8045 | 2025-12-01 | Mali GPU Kernel Driver allows improper GPU processing operations |
| CVE-2025-6349 | 2025-12-01 | Mali GPU Kernel Driver allows improper GPU memory processing operations |
| CVE-2025-41070 | 2025-12-01 | Reflected Cross-site Scripting (XSS) in Sanoma's Clickedu |
| CVE-2025-58408 | 2025-12-01 | GPU DDK - KASAN Read UAF in the PVRSRVBridgeRGXSubmitTransfer2 due to improper error handling code |
| CVE-2025-13296 | 2025-12-01 | CSRF in Tekrom Technology's T-Soft E-Commerce |
| CVE-2025-12106 | 2025-12-01 | Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses |
| CVE-2025-27232 | 2025-12-01 | Frontend arbitrary file read in oauth.authorize action |
| CVE-2025-49642 | 2025-12-01 | Agent builds for AIX vulnerable to library loading hijacking |
| CVE-2025-49643 | 2025-12-01 | Frontend DoS vulnerability due to asymmetric resource consumption |
| CVE-2025-13129 | 2025-12-01 | Business Logic Error in Seneka Software's Onaylarım |
| CVE-2025-11699 | 2025-12-01 | CVE-2025-11699 |
| CVE-2025-55221 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can... |
| CVE-2025-55222 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can... |
| CVE-2025-54848 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can... |
| CVE-2025-54849 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can... |
| CVE-2025-54850 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can... |
| CVE-2025-54851 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can... |
| CVE-2025-26858 | 2025-12-01 | A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An... |
| CVE-2025-23417 | 2025-12-01 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service.... |
| CVE-2025-20085 | 2025-12-01 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service... |
| CVE-2024-48882 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker... |
| CVE-2024-49572 | 2025-12-01 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken... |
| CVE-2024-45370 | 2025-12-01 | An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. An attacker can... |
| CVE-2024-53684 | 2025-12-01 | A cross-site request forgery (csrf) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to unauthorized access. An attacker can... |
| CVE-2024-48894 | 2025-12-01 | A cleartext transmission vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker... |
| CVE-2025-10101 | 2025-12-01 | Crafted Mach-O file may allow Remote Code Execution in Avast Antivirus 15.7 on MacOS |
| CVE-2025-13829 | 2025-12-01 | Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session)... |
| CVE-2025-8351 | 2025-12-01 | Scanning a malformed file in Avast Antivirus 8.3.70.94 on MacOS may result in remote code execution |