CVE List - 2025 / September
Showing 4101 - 4200 of 4322 CVEs for September 2025 (Page 42 of 44)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-51495 | 2025-09-29 | An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If... |
| CVE-2025-55795 | 2025-09-29 | The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling a user account with a lower user... |
| CVE-2025-56233 | 2025-09-29 | Openindiana, kernel SunOS 5.11 has a denial of service vulnerability. For the processing of TCP packets with RST or SYN flag set, Openindiana has a wide acceptable range of sequence... |
| CVE-2025-56234 | 2025-09-29 | AT_NA2000 from Nanda Automation Technology vendor has a denial-of-service vulnerability. For the processing of TCP RST packets, PLC AT_NA2000 has a wide acceptable range of sequence numbers. It does not... |
| CVE-2025-56449 | 2025-09-29 | A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement... |
| CVE-2025-56764 | 2025-09-29 | Trivision NC-227WF firmware 5.80 (build 20141010) login mechanism reveals whether a username exists or not by returning different error messages ("Unknown user" vs. "Wrong password"), allowing an attacker to enumerate... |
| CVE-2025-56795 | 2025-09-29 | Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is... |
| CVE-2025-56807 | 2025-09-29 | A cross-site scripting (XSS) vulnerability in FairSketch RISE Ultimate Project Manager & CRM 3.9.4 allows an administrator to store a JavaScript payload using the file explorer in the admin dashboard... |
| CVE-2025-57197 | 2025-09-29 | In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device... |
| CVE-2025-57266 | 2025-09-29 | An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint. |
| CVE-2025-57424 | 2025-09-29 | A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in... |
| CVE-2025-57428 | 2025-09-29 | Default credentials in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to gain access to the debug shell exposed via Telnet on Port 23 and execute hardware-level flash... |
| CVE-2025-57483 | 2025-09-29 | A reflected cross-site scripting (XSS) vulnerability in tawk.to chatbox widget v4 allows attackers to execute arbitrary JavaScript in the context of the user's browser via injecting a crafted payload into... |
| CVE-2025-57516 | 2025-09-29 | OS Command injection vulnerability in PublicCMS PublicCMS-V5.202506.a, and PublicCMS-V5.202506.b allowing attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables to the backupDB.bat file. |
| CVE-2025-61659 | 2025-09-29 | bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name. |
| CVE-2025-11126 | 2025-09-29 | Apeman ID71 system.ini hard-coded credentials |
| CVE-2025-11130 | 2025-09-29 | iHongRen pptp-vpn XPC Service HelperTool.m shouldAcceptNewConnection missing authentication |
| CVE-2025-9903 | 2025-09-29 | Out-of-bounds write vulnerabilities in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer... |
| CVE-2025-9904 | 2025-09-29 | Unallocated memory access vulnerability in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX... |
| CVE-2025-7698 | 2025-09-29 | Out-of-bounds read vulnerabilities in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer... |
| CVE-2025-11134 | 2025-09-29 | Cudy TR1200 Wireless Settings config cross site scripting |
| CVE-2025-11135 | 2025-09-29 | pmTicket Project-Management-Software Cookie class.database.php loadLanguage deserialization |
| CVE-2025-11136 | 2025-09-29 | YiFang CMS Backend File.php webUploader unrestricted upload |
| CVE-2025-11137 | 2025-09-29 | Gstarsoft GstarCAD File Renaming cross site scripting |
| CVE-2025-11138 | 2025-09-29 | mirweiye wenkucms common.php createPathOne os command injection |
| CVE-2025-11139 | 2025-09-29 | Bjskzy Zhiyou ERP com.artery.form.services.FormStudioUpdater uploadStudioFile path traversal |
| CVE-2025-11140 | 2025-09-29 | Bjskzy Zhiyou ERP com.artery.richclient.RichClientService openForm xml external entity reference |
| CVE-2025-10504 | 2025-09-29 | Heap Memory Corruption Vulnerability |
| CVE-2025-11141 | 2025-09-29 | Ruijie NBR2100G-E branch_passw.php listAction os command injection |
| CVE-2024-5200 | 2025-09-29 | Postie < 1.9.71 - Admin+ Stored XSS |
| CVE-2025-48006 | 2025-09-29 | Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. If a specially crafted request is processed, arbitrary files on the file system where the... |
| CVE-2025-10341 | 2025-09-29 | HTML injection in Perfex CRM |
| CVE-2025-10342 | 2025-09-29 | HTML injection in Perfex CRM |
| CVE-2025-10343 | 2025-09-29 | HTML injection in Perfex CRM |
| CVE-2025-10344 | 2025-09-29 | HTML injection in Perfex CRM |
| CVE-2025-10345 | 2025-09-29 | HTML injection in Perfex CRM |
| CVE-2025-10346 | 2025-09-29 | HTML injection in Perfex CRM |
| CVE-2025-11146 | 2025-09-29 | Reflected Cross-site scripting (XSS) vulnerability in Apt-Cacher-NG |
| CVE-2025-11147 | 2025-09-29 | Reflected Cross-site scripting (XSS) vulnerability in Apt-Cacher-NG |
| CVE-2025-6724 | 2025-09-29 | Chef Automate SQL Injection Vulnerability |
| CVE-2025-8868 | 2025-09-29 | Chef Automate compliance service SQL Injection Vulnerability |
| CVE-2025-9648 | 2025-09-29 | Denial of Service in CivetWeb |
| CVE-2024-13150 | 2025-09-29 | SQLi in Fayton Software's fayton.pro ERP |
| CVE-2025-36352 | 2025-09-29 | IBM License Metric Tool cross-site scripting |
| CVE-2025-36351 | 2025-09-29 | IBM License Metric Tool bypass security |
| CVE-2025-11155 | 2025-09-29 | WEAK ENCODING FOR PASSWORD IN DEVICE SERVER CONFIGURATION |
| CVE-2025-41246 | 2025-09-29 | Improper authorisation vulnerability |
| CVE-2025-41244 | 2025-09-29 | VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) |
| CVE-2025-41245 | 2025-09-29 | VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) |
| CVE-2025-7104 | 2025-09-29 | Mass Assignment in danny-avila/librechat |
| CVE-2025-41250 | 2025-09-29 | Header injection vulnerability |
| CVE-2025-43400 | 2025-09-29 | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in watchOS 26.1, tvOS 26.1. Processing a maliciously crafted font may lead to unexpected app termination... |
| CVE-2025-36099 | 2025-09-29 | IBM WebSphere Application Server denial of service |
| CVE-2025-57876 | 2025-09-29 | Stored XSS vulnerability in Portal for ArcGIS |
| CVE-2025-57879 | 2025-09-29 | BUG-000171009 - URL manipulation vulnerability in Portal for ArcGIS. |
| CVE-2025-57878 | 2025-09-29 | BUG-000174149 - The Portal for ArcGIS has an unvalidated redirect. |
| CVE-2025-57877 | 2025-09-29 | Reflected XSS vulnerability in Portal for ArcGIS. |
| CVE-2025-57875 | 2025-09-29 | BUG-000164122 - Reflected XSS vulnerability in Portal for ArcGIS. |
| CVE-2025-57874 | 2025-09-29 | BUG-000161627 - Reflected XSS vulnerability in Portal for ArcGIS. (11.3, 11.1, 10.9.1) |
| CVE-2025-57873 | 2025-09-29 | BUG-000175222 - Reflected XSS vulnerability in Portal for ArcGIS. |
| CVE-2025-57872 | 2025-09-29 | BUG-000174150 - Unvalidated redirect in Portal for ArcGIS. |
| CVE-2025-57871 | 2025-09-29 | BUG-000174020 - Reflected XSS vulnerability identified in Portal for ArcGIS. (11.3, 11.1, 10.9.1) |
| CVE-2025-41251 | 2025-09-29 | Weak password recovery vulnerability |
| CVE-2025-41252 | 2025-09-29 | Username enumeration vulnerability |
| CVE-2025-34196 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Hardcoded PrinterLogic CA Private Key and Hardcoded Password |
| CVE-2025-35030 | 2025-09-29 | Medical Informatics Engineering Enterprise Health cross site request forgery |
| CVE-2025-35031 | 2025-09-29 | Medical Informatics Engineering Enterprise Health includes session token in debug output |
| CVE-2025-35032 | 2025-09-29 | Medical Informatics Engineering Enterprise Health arbitrary file upload |
| CVE-2025-35033 | 2025-09-29 | Medical Informatics Engineering Enterprise Health CSV injection |
| CVE-2025-35034 | 2025-09-29 | Medical Informatics Engineering Enterprise Health reflected cross site scripting via portlet_user_id |
| CVE-2025-45376 | 2025-09-29 | Dell Repository Manager (DRM), versions 3.4.7 and 3.4.8, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability,... |
| CVE-2025-34232 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Blind SSRF via Lexmark dellCheck.php |
| CVE-2025-34218 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Exposed Internal Docker Instance |
| CVE-2025-34234 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Hardcoded Encryption Private Keys |
| CVE-2025-34209 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Hardcoded GPG Private Key |
| CVE-2025-34211 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Hardcoded SSL Certificate and Private Keys |
| CVE-2025-34212 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Insecure Build Pipeline |
| CVE-2025-34223 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Insecure Installation Credentials |
| CVE-2025-34207 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Insecure SSH Client Configuration |
| CVE-2025-34233 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Insecure Use of file_get_contents() |
| CVE-2025-34216 | 2025-09-29 | Vasion Print (formerly PrinterLogic) RCE and Password Leaks via API |
| CVE-2025-34225 | 2025-09-29 | Vasion Print (formerly PrinterLogic) SSRF via console_release Directory |
| CVE-2025-34231 | 2025-09-29 | Vasion Print (formerly PrinterLogic) SSRF via HP badgeSetup.php |
| CVE-2025-34230 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Blind SSRF via HP log_off_single_sign_on.php |
| CVE-2025-34229 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Blind SSRF via HP installApp.php |
| CVE-2025-34228 | 2025-09-29 | Vasion Print (formerly PrinterLogic) SSRF via Lexmark update.php |
| CVE-2025-34222 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Unauthenticated Admin APIs Used to Modify SSL Certificates |
| CVE-2025-34220 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Unauthenticated API Leaks Group Information |
| CVE-2025-34224 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Unauthenticated Device Modification |
| CVE-2025-34215 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Unauthenticated Firmware Update Endpoint RCE |
| CVE-2025-34221 | 2025-09-29 | Vasion Print (formerly PrinterLogic) |
| CVE-2025-34235 | 2025-09-29 | Vasion Print (formerly PrinterLogic) Weak SSL/TLS Certificate Validation RCE |
| CVE-2025-54591 | 2025-09-29 | FreshRSS: Unauthenticated users can view default user's information |
| CVE-2025-30247 | 2025-09-29 | An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a... |
| CVE-2025-43815 | 2025-09-29 | Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay Portal 7.4.3.102 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, and 2023.Q3.5 allows remote attackers to inject arbitrary... |
| CVE-2025-54592 | 2025-09-29 | FreshRSS has Incomplete Session Termination on Logout |
| CVE-2025-54875 | 2025-09-29 | FreshRSS: Unauthorized creation of admin user when registration is enabled |
| CVE-2025-57769 | 2025-09-29 | FreshRSS: Clickjacking can lead to XSS and/or privilege escalation |
| CVE-2025-43818 | 2025-09-29 | Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and... |
| CVE-2025-43820 | 2025-09-29 | Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6,... |