5.1
CVE-2025-14580 - Qualitor viewDocumento.php cross site scripting
A security vulnerability has been detected in Qualitor up to 8.24.73. The impacted element is an unknown function of the file /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php. Such manipulation of the argument cdscript leads to cross site scripting. It is possible to launch the aβ¦
8.7
CVE-2024-58316 - Online Shopping System Advanced 1.0 SQL Injection via Payment Success Parameter
Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter. Attackers can exploit the vulnerability by sending crafted SQL queries to retrieve sensitive database infβ¦
8.4
CVE-2025-67750 - Lightning Flow Scanner is Vulnerable to Code Injection via Unsafe Use of new Function() in APIVersiβ¦
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Functβ¦
6.9
CVE-2025-14578 - itsourcecode Student Management System update_account.php sql injection
A weakness has been identified in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /update_account.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available tβ¦
8.7
CVE-2024-58314 - Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remotβ¦
8.7
CVE-2024-58311 - Dormakaba Saflok System 6000 Key Generation Cryptographic Weakness
Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys using a simple mathematical transformation oβ¦
8.6
CVE-2024-58305 - WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation
WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticateβ¦
9.3
CVE-2024-58299 - PCMan FTP Server 2.0 Remote Buffer Overflow via 'pwd' Command
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
8.5
CVE-2024-14010 - Typora 1.7.4 OS Command Injection via Export PDF Preferences
Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.
5.1
CVE-2025-67734 - Frappe Authenticated Users can Execute JavaScript through its Job Form
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed iβ¦