CVE List - 2025 / September
Showing 1001 - 1100 of 4322 CVEs for September 2025 (Page 11 of 44)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-56265 | 2025-09-08 | An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file. |
| CVE-2025-56266 | 2025-09-08 | A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL. |
| CVE-2025-56267 | 2025-09-08 | A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted Excel file. |
| CVE-2025-56630 | 2025-09-08 | FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Column.php file. |
| CVE-2025-57141 | 2025-09-08 | rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc. |
| CVE-2025-57285 | 2025-09-08 | codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary... |
| CVE-2025-59033 | 2025-09-08 | The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. Entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly... |
| CVE-2025-10074 | 2025-09-08 | Portabilis i-Educar tipos cross site scripting |
| CVE-2025-10075 | 2025-09-08 | SourceCodester Online Polling System manage-profile.php cross site scripting |
| CVE-2025-10076 | 2025-09-08 | SourceCodester Online Polling System manage-profile.php sql injection |
| CVE-2025-10077 | 2025-09-08 | SourceCodester Online Polling System registeracc.php sql injection |
| CVE-2025-10078 | 2025-09-08 | SourceCodester Online Polling System candidates.php sql injection |
| CVE-2025-10079 | 2025-09-08 | PHPGurukul Small CRM get-quote.php sql injection |
| CVE-2025-10080 | 2025-09-08 | running-elephant Datart API AESUtil.java getTokensecret hard-coded key |
| CVE-2025-10081 | 2025-09-08 | SourceCodester Pet Management System profile.php unrestricted upload |
| CVE-2025-10082 | 2025-09-08 | SourceCodester Online Polling System manage-admins.php sql injection |
| CVE-2025-10083 | 2025-09-08 | SourceCodester Pet Grooming Management Software profile.php unrestricted upload |
| CVE-2025-58422 | 2025-09-08 | RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests,... |
| CVE-2025-10084 | 2025-09-08 | elunez eladmin SysLogController 1 queryErrorLogDetail improper authorization |
| CVE-2025-10085 | 2025-09-08 | SourceCodester Pet Grooming Management Software manage_website.php unrestricted upload |
| CVE-2025-8085 | 2025-09-08 | Ditty < 3.1.58 - Unauthenticated SSRF |
| CVE-2025-10086 | 2025-09-08 | fuyang_lipengjun platform AdPositionController queryAll improper authorization |
| CVE-2025-10087 | 2025-09-08 | SourceCodester Pet Grooming Management Software profit_report.php sql injection |
| CVE-2025-41682 | 2025-09-08 | Credential Disclosure via Insecure Storage on Charge Controller |
| CVE-2025-41708 | 2025-09-08 | Cleartext Transmission of Sensitive Data via Insecure HTTP Web Interface |
| CVE-2025-41664 | 2025-09-08 | Improper Permission Handling Enables Unauthorized Access to Firmware and Certificates |
| CVE-2025-10088 | 2025-09-08 | SourceCodester Time Tracker index.html cross site scripting |
| CVE-2025-58782 | 2025-09-08 | Apache Jackrabbit Core, Apache Jackrabbit JCR Commons: JNDI injection risk with JndiRepositoryFactory |
| CVE-2025-10090 | 2025-09-08 | Jinher OA GetTreeDate.aspx sql injection |
| CVE-2019-25225 | 2025-09-08 | `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to... |
| CVE-2014-125128 | 2025-09-08 | 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different... |
| CVE-2025-5993 | 2025-09-08 | Path Traversal in ITCube CRM |
| CVE-2025-10091 | 2025-09-08 | Jinher OA XML Type xml external entity reference |
| CVE-2025-40642 | 2025-09-08 | Reflected Cross-Site Scripting (XSS) in WebWork |
| CVE-2025-10092 | 2025-09-08 | Jinher OA XML Type xml external entity reference |
| CVE-2025-40641 | 2025-09-08 | Stored Cross-Site Scripting (XSS) in the Multi-purpose Inventory Management System |
| CVE-2025-10093 | 2025-09-08 | D-Link DIR-852 Device Configuration getcfg.php phpcgi_main information disclosure |
| CVE-2025-3212 | 2025-09-08 | Mali GPU Kernel Driver allows access to already freed memory |
| CVE-2025-36853 | 2025-09-08 | EOL .NET 6.0 Runtime Remote Code Execution Vulnerability |
| CVE-2025-36854 | 2025-09-08 | EOL ASP.NET 6.0 Remote Code Execution Vulnerability |
| CVE-2025-36855 | 2025-09-08 | EOL .NET 6.0 Runtime Remote Code Execution Vulnerability |
| CVE-2025-7709 | 2025-09-08 | Out Of Bounds write in FTS5 Extension in SQLite |
| CVE-2025-40928 | 2025-09-08 | JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact |
| CVE-2025-40929 | 2025-09-08 | Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact |
| CVE-2025-40930 | 2025-09-08 | JSON::SIMD before version 1.07 and earlier for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact |
| CVE-2025-10096 | 2025-09-08 | SimStudioAI sim route.ts server-side request forgery |
| CVE-2025-10097 | 2025-09-08 | SimStudioAI sim route.ts code injection |
| CVE-2025-10098 | 2025-09-08 | PHPGurukul User Management System edit-user-profile.php sql injection |
| CVE-2025-10099 | 2025-09-08 | Portabilis i-Educar Editar usuário educar_usuario_cad.php cross site scripting |
| CVE-2025-10100 | 2025-09-08 | SourceCodester Simple Forum Discussion System admin_class.php sql injection |
| CVE-2025-9112 | 2025-09-08 | Doccure <= 1.4.8 - Authenticated (Subscriber+) Arbitrary File Upload |
| CVE-2025-9113 | 2025-09-08 | Doccure <= 1.4.8 - Unauthenticated Arbitrary File Upload |
| CVE-2025-9114 | 2025-09-08 | Doccure <= 1.4.8 - Unauthenticated Arbitrary User Password Change |
| CVE-2025-10102 | 2025-09-08 | code-projects Online Event Judging System index.php sql injection |
| CVE-2025-43722 | 2025-09-08 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper privilege management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges. |
| CVE-2025-10103 | 2025-09-08 | code-projects Online Event Judging System home.php sql injection |
| CVE-2025-53838 | 2025-09-08 | LinkAce has a Stored One Click XSS vulnerability |
| CVE-2025-54994 | 2025-09-08 | @akoskm/create-mcp-server-stdio has Command Injection in MCP Server due to unsafe `exec` API |
| CVE-2025-10104 | 2025-09-08 | code-projects Online Event Judging System review_search.php sql injection |
| CVE-2025-10105 | 2025-09-08 | yanyutao0402 ChanCMS search sql injection |
| CVE-2025-57815 | 2025-09-08 | Fides Lacks Brute-Force Protections on Authentication Endpoints |
| CVE-2025-57766 | 2025-09-08 | Fides's Admin UI User Password Change Does Not Invalidate Current Session |
| CVE-2025-57816 | 2025-09-08 | Fides Webserver API Rate Limiting Vulnerability in Proxied Environments |
| CVE-2025-57817 | 2025-09-08 | Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation |
| CVE-2025-58365 | 2025-09-08 | XWiki Blog Application: Privilege Escalation (PR) from account through blog content |
| CVE-2025-58444 | 2025-09-08 | MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server |
| CVE-2025-58449 | 2025-09-08 | Maho Vulnerable to Authenticated Remote Code Execution via File Upload |
| CVE-2025-10106 | 2025-09-08 | yanyutao0402 ChanCMS search sql injection |
| CVE-2025-58450 | 2025-09-08 | pREST has Systemic SQL Injection Vulnerability |
| CVE-2025-10108 | 2025-09-08 | Campcodes Online Loan Management System ajax.php sql injection |
| CVE-2025-58451 | 2025-09-08 | Cattown Vulnerable to Inefficient Regular Expression Complexity and Uncontrolled Resource Consumption |
| CVE-2025-1761 | 2025-09-08 | IBM Concert Software information disclosure |
| CVE-2025-58452 | 2025-09-08 | WeGIA vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint 'listar_despachos.php' parameter 'id_memorando' |
| CVE-2025-58453 | 2025-09-08 | WeGIA vulnerable to Blind Time-Based SQL Injection in endpoint 'exibe_anexo.php' parameter 'id_anexo' |
| CVE-2025-10109 | 2025-09-08 | Campcodes Online Loan Management System ajax.php sql injection |
| CVE-2025-10110 | 2025-09-08 | ChanCMS search sql injection |
| CVE-2025-58454 | 2025-09-08 | WeGIA vulnerable to Blind Time-Based SQL Injection in endpoint 'listar_despachos.php' parameter 'id_memorando' |
| CVE-2025-58745 | 2025-09-08 | WeGIA has a bypass for the fix for CVE-2025-22133 - Arbitrary File Upload leads to Remote Code Execution (RCE) |
| CVE-2025-58746 | 2025-09-08 | Volkov Labs Business Links plugin vulnerable to privilege escalation attack |
| CVE-2025-58751 | 2025-09-08 | Vite middleware may serve files starting with the same name with the public directory |
| CVE-2025-58752 | 2025-09-08 | Vite's `server.fs` settings were not applied to HTML files |
| CVE-2025-10111 | 2025-09-08 | itsourcecode Student Information Management System index.php sql injection |
| CVE-2025-43763 | 2025-09-08 | A server-side request forgery (SSRF) vulnerability exists in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20... |
| CVE-2025-10112 | 2025-09-08 | itsourcecode Student Information Management System index.php sql injection |
| CVE-2025-58755 | 2025-09-08 | MONAI has path traversal issue that may lead to arbitrary file writes |
| CVE-2025-58756 | 2025-09-08 | MONAI's unsafe torch usage may lead to arbitrary code execution |
| CVE-2025-58757 | 2025-09-08 | MONAI's unsafe use of Pickle deserialization may lead to RCE |
| CVE-2025-29089 | 2025-09-09 | An issue in TP-Link AX10 Ax1500 v.1.3.10 Build (20230130) allows a remote attacker to obtain sensitive information |
| CVE-2025-44593 | 2025-09-09 | Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is... |
| CVE-2025-44594 | 2025-09-09 | halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url. |
| CVE-2025-44595 | 2025-09-09 | Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}. |
| CVE-2025-52277 | 2025-09-09 | Cross Site Scripting vulnerability in YesWiki v.4.54 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field |
| CVE-2025-52322 | 2025-09-09 | An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the... |
| CVE-2025-52915 | 2025-09-09 | K7RKScan.sys 23.0.0.10, part of the K7 Security Anti-Malware suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is... |
| CVE-2025-57057 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the listStr parameter in the ipMacBindListStore function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57058 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formSetDebugCfg function via the pEnable, pLevel, and pModule parameters. This vulnerability allows attackers to cause a Denial of... |
| CVE-2025-57059 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the dhcpIndex parameter in the addDhcpRule function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57060 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the rules parameter in the dns_forward_rule_store function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57061 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formIPMacBindModify function via the ruleId, ip, mac, v6 and remark parameters. This vulnerability allows attackers to cause a... |
| CVE-2025-57062 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the delDhcpIndex parameter in the formDelDhcpRule function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |