CVE List - 2025 / September
Showing 1101 - 1200 of 4322 CVEs for September 2025 (Page 12 of 44)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-57063 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the portMappingIndex parameter in the formDelPortMapping function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57064 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the bindDhcpIndex parameter in the modifyDhcpRule function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57069 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pPppUser parameter in the getsinglepppuser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57070 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the gstUp parameter in the guestWifiRuleRefresh function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57071 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the vpnUsers parameter in the formAddVpnUsers function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57072 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the staticRouteGateway parameter in the formSetStaticRoute function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57078 | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pppoeServerWhiteMacIndex parameter in the formModifyPppAuthWhiteMac function. This vulnerability allows attackers to cause a Denial of Service (DoS) via... |
| CVE-2025-57085 | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-57086 | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNode function. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-57087 | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the countryCode parameter in the werlessAdvancedSet function. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-57278 | 2025-09-09 | The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. After a user authenticates from a specific IP address, the router grants access to... |
| CVE-2025-57538 | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability in the HTTP Proxy field within the Datacenter configuration panel of Proxmox Virtual Environment (PVE) 8.4 allows an authenticated user to inject malicious input.... |
| CVE-2025-57539 | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input. The payload... |
| CVE-2025-57540 | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment (PVE) 8.4. Authenticated users can inject JavaScript code that... |
| CVE-2025-57633 | 2025-09-09 | A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftp_file... |
| CVE-2025-57665 | 2025-09-09 | Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href... |
| CVE-2025-10113 | 2025-09-09 | itsourcecode Student Information Management System index.php sql injection |
| CVE-2025-10114 | 2025-09-09 | PHPGurukul Small CRM profile.php sql injection |
| CVE-2025-10115 | 2025-09-09 | SiempreCMS user_search_ajax.php sql injection |
| CVE-2025-10116 | 2025-09-09 | SiempreCMS file_upload.php unrestricted upload |
| CVE-2025-10117 | 2025-09-09 | SourceCodester Simple To-Do List System Add New Task fetch_tasks.php cross site scripting |
| CVE-2025-43778 | 2025-09-09 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13... |
| CVE-2025-10118 | 2025-09-09 | itsourcecode E-Logbook with Health Monitoring System for COVID-19 login.php sql injection |
| CVE-2025-10120 | 2025-09-09 | Tenda AC20 GetParentControlInfo strcpy buffer overflow |
| CVE-2025-10121 | 2025-09-09 | uverif kami_list addbatch sql injection |
| CVE-2025-42911 | 2025-09-09 | Missing Authorization check in SAP NetWeaver (Service Data Download) |
| CVE-2025-42912 | 2025-09-09 | Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) |
| CVE-2025-42913 | 2025-09-09 | Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) |
| CVE-2025-42914 | 2025-09-09 | Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) |
| CVE-2025-42915 | 2025-09-09 | Missing Authorization Check in Fiori app (Manage Payment Blocks) |
| CVE-2025-42916 | 2025-09-09 | Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise) |
| CVE-2025-42917 | 2025-09-09 | Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application) |
| CVE-2025-42918 | 2025-09-09 | Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing) |
| CVE-2025-42920 | 2025-09-09 | Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management |
| CVE-2025-42922 | 2025-09-09 | Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service) |
| CVE-2025-42923 | 2025-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups) |
| CVE-2025-42925 | 2025-09-09 | Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service) |
| CVE-2025-42926 | 2025-09-09 | Missing Authentication check in SAP NetWeaver Application Server Java |
| CVE-2025-42927 | 2025-09-09 | Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service) |
| CVE-2025-42929 | 2025-09-09 | Missing input validation vulnerability in SAP Landscape Transformation Replication Server |
| CVE-2025-42930 | 2025-09-09 | Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation |
| CVE-2025-42933 | 2025-09-09 | Insecure Storage of Sensitive Information in SAP Business One (SLD) |
| CVE-2025-42938 | 2025-09-09 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform |
| CVE-2025-42944 | 2025-09-09 | Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4) |
| CVE-2025-42958 | 2025-09-09 | Missing Authentication check in SAP NetWeaver |
| CVE-2025-10122 | 2025-09-09 | Maccms10 Database.php rep sql injection |
| CVE-2025-10123 | 2025-09-09 | D-Link DIR-823X set_static_leases sub_415028 command injection |
| CVE-2025-43777 | 2025-09-09 | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 exposes "Internal Server... |
| CVE-2025-9489 | 2025-09-09 | WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names |
| CVE-2025-9061 | 2025-09-09 | Wilmer Core <= 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-9058 | 2025-09-09 | Mikado Core <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-8889 | 2025-09-09 | Compress Then Upload < 1.0.5 - Admin+ Arbitrary File Upload |
| CVE-2025-9111 | 2025-09-09 | WPBOT < 7.1.0 - Admin+ Stored XSS |
| CVE-2025-9542 | 2025-09-09 | AutomatorWP <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions |
| CVE-2025-9539 | 2025-09-09 | AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation |
| CVE-2025-10134 | 2025-09-09 | Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Deletion |
| CVE-2025-40594 | 2025-09-09 | A vulnerability has been identified in SINAMICS G220 V6.4 (All versions < V6.4 HF2), SINAMICS S200 V6.4 (All versions), SINAMICS S210 V6.4 (All versions < V6.4 HF2). The affected devices... |
| CVE-2025-40757 | 2025-09-09 | A vulnerability has been identified in APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions). Affected devices connected to the... |
| CVE-2025-40795 | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions... |
| CVE-2025-40796 | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions... |
| CVE-2025-40797 | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions... |
| CVE-2025-40798 | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), User Management Component (UMC) (All versions... |
| CVE-2025-40802 | 2025-09-09 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). The affected device may be susceptible to resource exhaustion when subjected to high volumes of query requests. This could... |
| CVE-2025-40803 | 2025-09-09 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). The affected device exposes certain non-critical information from the device. This could allow an unauthenticated attacker to access sensitive... |
| CVE-2025-40804 | 2025-09-09 | A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). The affected application exposes a network share without any authentication. This could allow an attacker to... |
| CVE-2025-41701 | 2025-09-09 | Beckhoff: Deserialization of untrusted data by TwinCAT 3 Engineering |
| CVE-2025-59013 | 2025-09-09 | Open Redirect in TYPO3 CMS |
| CVE-2025-59014 | 2025-09-09 | Denial of Service in TYPO3 Bookmark Toolbar |
| CVE-2025-59015 | 2025-09-09 | Insufficient Entropy in Password Generation |
| CVE-2025-59016 | 2025-09-09 | Information Disclosure via File Abstraction Layer |
| CVE-2025-59017 | 2025-09-09 | Broken Access Control in Backend AJAX Routes |
| CVE-2025-59018 | 2025-09-09 | Information Disclosure in Workspaces Module |
| CVE-2025-59019 | 2025-09-09 | Information Disclosure via CSV Download |
| CVE-2025-24404 | 2025-09-09 | Apache HertzBeat (incubating): RCE by parse http sitemap xml response |
| CVE-2025-48208 | 2025-09-09 | Apache HertzBeat (incubating): Jmx JNDI injection vulnerability |
| CVE-2025-10095 | 2025-09-09 | SQL injection in SMPP component of SMSEagle firmware |
| CVE-2025-8277 | 2025-09-09 | Libssh: memory exhaustion via repeated key exchange in libssh |
| CVE-2025-8008 | 2025-09-09 | Rockwell Automation 1756-ENT2R, EN4TR, EN4TRXT Vulnerability |
| CVE-2025-8007 | 2025-09-09 | Rockwell Automation 1756-ENT2R, EN4TR, EN4TRXT Vulnerability |
| CVE-2025-9160 | 2025-09-09 | Rockwell Automation CompactLogix® 5480 Code Execution Vulnerability |
| CVE-2025-9166 | 2025-09-09 | Rockwell Automation ControlLogix® 5580 V35.013 Denial-Of-Service |
| CVE-2025-9364 | 2025-09-09 | Rockwell Automation FactoryTalk® Analytics™ LogixAI® Exposed Redis DB |
| CVE-2025-7970 | 2025-09-09 | Rockwell Automation FactoryTalk Activation Manager Lack of Encryption Vulnerability |
| CVE-2025-9065 | 2025-09-09 | Rockwell Automation ThinManager® Server-Side Request Forgery Vulnerability |
| CVE-2025-7350 | 2025-09-09 | Rockwell Automation Stratix® IOS Cross-Site Request Forgery to Code Execution Vulnerability |
| CVE-2025-9161 | 2025-09-09 | Rockwell Automation FactoryTalk Optix Remote Code Execution Vulnerability |
| CVE-2025-9994 | 2025-09-09 | Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not require authentication |
| CVE-2025-54236 | 2025-09-09 | Adobe Commerce \| Improper Input Validation (CWE-20) |
| CVE-2024-45325 | 2025-09-09 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiDDoS-F version 7.0.0 through 7.02 and before 6.6.3 may allow a privileged... |
| CVE-2025-53609 | 2025-09-09 | A Relative Path Traversal vulnerability [CWE-23] in FortiWeb 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.2 through 7.0.11 may allow an authenticated attacker to perform an arbitrary file... |
| CVE-2025-47416 | 2025-09-09 | ConsoleFindCommandMatchList |
| CVE-2025-9951 | 2025-09-09 | Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000 |
| CVE-2025-33045 | 2025-09-09 | Legacy Serial Redirection SMRAM Vulnerabilities |
| CVE-2025-43776 | 2025-09-09 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13,... |
| CVE-2025-10107 | 2025-09-09 | TRENDnet TEW-831DR formSysCmd command injection |
| CVE-2025-10183 | 2025-09-09 | XML External Entity Injection in TecConnect 4.1 |
| CVE-2025-9712 | 2025-09-09 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. |
| CVE-2025-9872 | 2025-09-09 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. |
| CVE-2025-8712 | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed... |
| CVE-2025-8711 | 2025-09-09 | CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on... |