9.1

CVSS3.1

CVE-2025-63386 -

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t…

📅 Published: Dec. 18, 2025, midnight 🔄 Last Modified: Feb. 11, 2026, 3:16 p.m.

8.2

CVSS4.0

CVE-2025-14202 - Cross-Site Request Forgery (CSRF) Leading to Account Takeover via SVG File Upload

A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the shared bookmark's SVG file with embedded JavaScript code, the JavaScript executes in the admin’s browser, retr…

📅 Published: Dec. 17, 2025, 11:35 p.m. 🔄 Last Modified: Dec. 18, 2025, 3:33 p.m.

5.1

CVSS4.0

CVE-2025-14837 - ZZCMS Backend Website Settings siteconfig.php stripfxg code injection

A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has been …

📅 Published: Dec. 17, 2025, 11:32 p.m. 🔄 Last Modified: Feb. 24, 2026, 5:53 a.m.

9.1

CVSS3.1

CVE-2025-68435 - Zerobyte has Authentication Bypass by Primary Weakness

Zerobyte is a backup automation tool. Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessible without valid session credentials. This i…

📅 Published: Dec. 17, 2025, 11:10 p.m. 🔄 Last Modified: March 5, 2026, 7:30 p.m.

5.1

CVSS4.0

CVE-2025-14836 - ZZCMS User Data Storage user_save.php cleartext storage in file

A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is possible. The exploit has b…

📅 Published: Dec. 17, 2025, 11:02 p.m. 🔄 Last Modified: Feb. 24, 2026, 5:52 a.m.

5.3

CVSS4.0

CVE-2025-14834 - code-projects Simple Stock System checkuser.php sql injection

A weakness has been identified in code-projects Simple Stock System 1.0. This affects an unknown function of the file /checkuser.php. Executing a manipulation of the argument Username can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public a…

📅 Published: Dec. 17, 2025, 11:02 p.m. 🔄 Last Modified: Feb. 24, 2026, 5:52 a.m.

7.8

CVSS3.1

CVE-2025-68433 - Zed IDE MCP Context Server Configuration Arbitrary Code Execution

Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious MCP configuration can contain arbitrary shell c…

📅 Published: Dec. 17, 2025, 10:47 p.m. 🔄 Last Modified: Feb. 19, 2026, 3:05 p.m.

8.7

CVSS4.0

CVE-2023-53917 - Affiliate Me 5.0.1 SQL Injection Vulnerability via Admin Panel

Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the 'id' parameter with crafted union-based queries to extract sensitive user information including usernames an…

📅 Published: Dec. 17, 2025, 10:46 p.m. 🔄 Last Modified: Dec. 31, 2025, 6:32 p.m.

7.8

CVSS3.1

CVE-2025-68432 - Zed IDE LSP Binary Configuration Arbitrary Code Execution

Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Language Server Protocol (LSP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious LSP configuration can contain arbitrary shell…

📅 Published: Dec. 17, 2025, 10:45 p.m. 🔄 Last Modified: Feb. 19, 2026, 3:10 p.m.

8.7

CVSS4.0

CVE-2023-53933 - Serendipity 2.4.0 Authenticated Remote Code Execution via File Upload

Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server.

📅 Published: Dec. 17, 2025, 10:44 p.m. 🔄 Last Modified: March 5, 2026, 12:03 p.m.