CVE List - 2025 / September
Showing 1 - 100 of 4322 CVEs for September 2025 (Page 1 of 44)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-9753 | 2025-09-01 | Campcodes Online Hospital Management System Patient Search patient-search.php cross site scripting |
| CVE-2025-9754 | 2025-09-01 | Campcodes Online Hospital Management System Edit Profile edit-profile.php cross site scripting |
| CVE-2025-9755 | 2025-09-01 | Khanakag-17 Library Management System index.php cross site scripting |
| CVE-2025-9756 | 2025-09-01 | PHPGurukul User Management System change-emailid.php sql injection |
| CVE-2025-9757 | 2025-09-01 | Campcodes/SourceCodester Courier Management System ajax.php login sql injection |
| CVE-2025-9567 | 2025-09-01 | Sunnet|eHRD CTMS - Reflected Cross-site Scripting |
| CVE-2025-9568 | 2025-09-01 | Sunnet|eHRD CTMS - Reflected Cross-site Scripting |
| CVE-2025-9569 | 2025-09-01 | Sunnet|eHRD CTMS - Reflected Cross-site Scripting |
| CVE-2025-9570 | 2025-09-01 | Sunnet|eHRD CTMS - Arbitrary File Reading through Path Traversal |
| CVE-2025-9758 | 2025-09-01 | deepakmisal24 Chemical Inventory Management System inventory_form.php sql injection |
| CVE-2025-9759 | 2025-09-01 | Campcodes/SourceCodester Courier Management System ajax.php signup sql injection |
| CVE-2025-7405 | 2025-09-01 | Information Disclosure, Information Tampering, and Denial of Service (DoS) Vulnerability in MELSEC iQ-F Series CPU module |
| CVE-2025-7731 | 2025-09-01 | Information Disclosure Vulnerability in MELSEC iQ-F Series CPU module |
| CVE-2025-9760 | 2025-09-01 | Portabilis i-Educar Matricula API matricula improper authorization |
| CVE-2025-9761 | 2025-09-01 | Campcodes Online Feeds Product Inventory System Login index.php sql injection |
| CVE-2025-9763 | 2025-09-01 | Campcodes Online Learning Management System student_signup.php sql injection |
| CVE-2025-6507 | 2025-09-01 | Deserialization of Untrusted Data in h2oai/h2o-3 |
| CVE-2025-20708 | 2025-09-01 | In Modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege, if a UE has connected to... |
| CVE-2025-20703 | 2025-09-01 | In Modem, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote denial of service, if a UE has connected to... |
| CVE-2025-20704 | 2025-09-01 | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to... |
| CVE-2025-20705 | 2025-09-01 | In monitor_hang, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System... |
| CVE-2025-20706 | 2025-09-01 | In mbrain, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System... |
| CVE-2025-20707 | 2025-09-01 | In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System... |
| CVE-2025-54857 | 2025-09-01 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge BASIC MB-A130 Ver.1.5.8 and earlier. If exploited, a remote unauthenticated attacker may execute... |
| CVE-2025-9764 | 2025-09-01 | itsourcecode Sports Management System resultdetails.php sql injection |
| CVE-2025-9765 | 2025-09-01 | itsourcecode Sports Management System tournament_details.php sql injection |
| CVE-2025-9766 | 2025-09-01 | itsourcecode Sports Management System facilitator.php sql injection |
| CVE-2025-9767 | 2025-09-01 | itsourcecode Sports Management System sporttype.php sql injection |
| CVE-2025-58318 | 2025-09-01 | DIAView - Authentication Bypass Vulnerability |
| CVE-2022-38691 | 2025-09-01 | In BootROM, there is a possible missing validation for Certificate Type 0. This could lead to local escalation of privilege with no additional execution privileges needed. |
| CVE-2022-38692 | 2025-09-01 | In BootROM, there is a missing size check for RSA keys in Certificate Type 0 validation. This could lead to memory buffer overflow without requiring additional execution privileges. |
| CVE-2022-38693 | 2025-09-01 | In FDL1, there is a possible missing payload size check. This could lead to memory buffer overflow without requiring additional execution privileges. |
| CVE-2022-38694 | 2025-09-01 | In BootRom, there is a possible unchecked write address. This could lead to local escalation of privilege with no additional execution privileges needed. |
| CVE-2022-38695 | 2025-09-01 | In BootRom, there's a possible unchecked command index. This could lead to local escalation of privilege with no additional execution privileges needed. |
| CVE-2022-38696 | 2025-09-01 | In BootRom, there's a possible missing payload size check. This could lead to memory buffer overflow without requiring additional execution privileges. |
| CVE-2025-9768 | 2025-09-01 | itsourcecode Sports Management System mode.php sql injection |
| CVE-2025-9769 | 2025-09-01 | D-Link DI-7400G+ mng_platform.asp sub_478D28 command injection |
| CVE-2025-9770 | 2025-09-01 | Campcodes Hospital Management System Admin Dashboard Login admin sql injection |
| CVE-2025-9771 | 2025-09-01 | SourceCodester Eye Clinic Management System search_index_Diagnosis.php sql injection |
| CVE-2025-9772 | 2025-09-01 | RemoteClinic edit.php unrestricted upload |
| CVE-2025-9773 | 2025-09-01 | RemoteClinic edit.php cross site scripting |
| CVE-2025-9774 | 2025-09-01 | RemoteClinic edit-patient.php information disclosure |
| CVE-2025-9775 | 2025-09-01 | RemoteClinic edit-my-profile.php unrestricted upload |
| CVE-2025-36133 | 2025-09-01 | IBM App Connect Enterprise information disclosure |
| CVE-2025-9778 | 2025-09-01 | Tenda W12 Administrative shadow hard-coded credentials |
| CVE-2024-12914 | 2025-09-01 | XSS in Akinsoft's QR Menu |
| CVE-2025-9779 | 2025-09-01 | TOTOLINK A702R formFilter sub_4162DC buffer overflow |
| CVE-2024-12924 | 2025-09-01 | Open Redirect in Akinsoft's QR Menu |
| CVE-2024-12925 | 2025-09-01 | Host Header Injection in Akinsoft's QR Menu |
| CVE-2025-0610 | 2025-09-01 | CSRF in Akinsoft's QR Menu |
| CVE-2025-2412 | 2025-09-01 | OTP Bypass in Akinsoft's QR Menu |
| CVE-2025-9780 | 2025-09-01 | TOTOLINK A702R formIpQoS sub_419BE0 buffer overflow |
| CVE-2025-9781 | 2025-09-01 | TOTOLINK A702R formFilter sub_4162DC buffer overflow |
| CVE-2025-9782 | 2025-09-01 | TOTOLINK A702R formOneKeyAccessButton sub_4466F8 buffer overflow |
| CVE-2025-33102 | 2025-09-01 | IBM Concert Software information disclosure |
| CVE-2025-33099 | 2025-09-01 | IBM Concert Software information disclosure |
| CVE-2025-33084 | 2025-09-01 | IBM Concert Software information disclosure |
| CVE-2025-33083 | 2025-09-01 | IBM Concert Software cross-site scripting |
| CVE-2025-33082 | 2025-09-01 | IBM Concert Software cross-site scripting |
| CVE-2025-0656 | 2025-09-01 | IBM Concert Software cross-site scripting |
| CVE-2025-9783 | 2025-09-01 | TOTOLINK A702R formParentControl sub_418030 buffer overflow |
| CVE-2025-9786 | 2025-09-01 | Campcodes Online Learning Management System teacher_signup.php sql injection |
| CVE-2025-55007 | 2025-09-01 | Knowage vulnerable to server-side request forgery |
| CVE-2025-57799 | 2025-09-01 | StreamVault can perform remote command execution |
| CVE-2025-9375 | 2025-09-01 | xmltodict 0.14.2 - XML Injection |
| CVE-2025-9788 | 2025-09-01 | SourceCodester/Campcodes School Log Management System admin_class.php sql injection |
| CVE-2025-9789 | 2025-09-01 | SourceCodester Online Hotel Reservation System edituser.php sql injection |
| CVE-2025-3586 | 2025-09-01 | In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the... |
| CVE-2025-9790 | 2025-09-01 | SourceCodester Hotel Reservation System updateabout.php sql injection |
| CVE-2025-9809 | 2025-09-01 | Out-of-bounds write in cdfs_open_cue_track in libretro libretro-common latest on all platforms allows remote attackers to execute arbitrary code via a crafted .cue file with a file path exceeding PATH_MAX_LENGTH that... |
| CVE-2025-9791 | 2025-09-01 | Tenda AC20 fromAdvSetMacMtuWan stack-based overflow |
| CVE-2025-9810 | 2025-09-01 | TOCTOU race in Linenoise enables arbitrary file overwrite and permission changes |
| CVE-2025-9792 | 2025-09-01 | itsourcecode Apartment Management System e_all_info.php sql injection |
| CVE-2025-9793 | 2025-09-01 | itsourcecode Apartment Management System Setting admin.php sql injection |
| CVE-2025-9794 | 2025-09-01 | Campcodes Computer Sales and Inventory System pos_transac.php sql injection |
| CVE-2025-9795 | 2025-09-01 | xujeff tianti 天梯 UploadController.java ajaxUploadFile unrestricted upload |
| CVE-2024-28988 | 2025-09-01 | SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability |
| CVE-2025-9796 | 2025-09-01 | thinkgem JeeSite EncodeUtils.java decodeUrl2 cross site scripting |
| CVE-2025-9797 | 2025-09-01 | mrvautin expressCart Edit Product edit injection |
| CVE-2025-9799 | 2025-09-01 | Langfuse Webhook promptRouter.ts promptChangeEventSourcing server-side request forgery |
| CVE-2025-9800 | 2025-09-01 | SimStudioAI sim HTML File route.ts import unrestricted upload |
| CVE-2025-9801 | 2025-09-01 | SimStudioAI sim path traversal |
| CVE-2025-9802 | 2025-09-01 | RemoteClinic profile.php sql injection |
| CVE-2024-48705 | 2025-09-02 | Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the... |
| CVE-2024-51423 | 2025-09-02 | Cross Site Scripting vulnerability in Infor Global HR GHR v.11.23.03.00.21 and before allows a remote attacker to execute arbitrary code via the class parameter. |
| CVE-2025-32098 | 2025-09-02 | An issue was discovered in Samsung Magician 6.3 through 8.3 on Windows. An attacker can achieve Elevation of Privileges to SYSTEM by exploiting insecure file delete operations during the update... |
| CVE-2025-32100 | 2025-09-02 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem... |
| CVE-2025-46047 | 2025-09-02 | A User enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determine valid usernames via the Login parameter. |
| CVE-2025-50565 | 2025-09-02 | Doubo ERP 1.0 has an SQL injection vulnerability due to a lack of filtering of user input, which can be remotely initiated by an attacker. |
| CVE-2025-50755 | 2025-09-02 | Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_cmd function via the command parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-50757 | 2025-09-02 | Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the username parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted... |
| CVE-2025-51966 | 2025-09-02 | A cross-site scripting (XSS) vulnerability exists in the PDF preview functionality of uTools thru 7.1.1. When a user previews a specially crafted PDF file, embedded JavaScript code executes within the... |
| CVE-2025-54599 | 2025-09-02 | The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that... |
| CVE-2025-55372 | 2025-09-02 | An arbitrary file upload vulnerability in Beakon Application before v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2025-55373 | 2025-09-02 | Incorrect access control in Beakon Application before v5.4.3 allows authenticated attackers with low-level privileges to escalate privileges and execute commands with Administrator rights. |
| CVE-2025-55472 | 2025-09-02 | SQL Injection vulnerability exists in Tirreno v0.9.5, specifically in the /admin/loadUsers API endpoint. The vulnerability arises due to unsafe handling of user-supplied input in the columns[0][data] parameter, which is directly... |
| CVE-2025-55473 | 2025-09-02 | Asian Arts Talents Foundation (AATF) Website v5.1.x and Docker version 2024.12.8.1 are vulnerable to Cross Site Scripting (XSS). The vulnerability exists in the /ip.php endpoint, which processes and displays the... |
| CVE-2025-55474 | 2025-09-02 | Many Notes 0.10.1 is vulnerable to Cross Site Scripting (XSS), which allows malicious Markdown files to execute JavaScript when viewed. |
| CVE-2025-55476 | 2025-09-02 | FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint: GET /api/videos/public?sort= This parameter is unsafely evaluated in a SQL ORDER BY clause... |
| CVE-2025-55824 | 2025-09-02 | ModStartCMS v9.5.0 has an arbitrary file write vulnerability, which allows attackers to write malicious files and execute malicious commands to obtain sensitive data on the server. |