9.3

CVSS4.0

CVE-2025-15194 - D-Link DIR-600 HTTP Header hedwig.cgi stack-based overflow

A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of the argument Cookie results in stack-based buffer overflow. It is possible to launch the attack re…

📅 Published: Dec. 29, 2025, 3:32 p.m. 🔄 Last Modified: Jan. 13, 2026, 9:11 p.m.

7.5

CVSS3.1

CVE-2025-69200 - phpMyFAQ has unauthenticated config backup download via /api/setup/backup

phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configurat…

📅 Published: Dec. 29, 2025, 3:24 p.m. 🔄 Last Modified: Jan. 7, 2026, 3:35 p.m.

5.4

CVSS3.1

CVE-2025-68951 - phpMyFAQ has stored XSS in admin "List of users" via display_name HTML entity decoding (html_entity…

phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administra…

📅 Published: Dec. 29, 2025, 3:18 p.m. 🔄 Last Modified: Jan. 7, 2026, 3:35 p.m.

9.1

CVSS3.1

CVE-2025-68929 - Frappe may be vulnerable to remote code execution due to server-side template injection

Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution…

📅 Published: Dec. 29, 2025, 3:10 p.m. 🔄 Last Modified: Dec. 31, 2025, 8:02 p.m.

5.4

CVSS3.1

CVE-2025-68928 - Frappe CRM vulnerable to authenticated XSS via website field

Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available.

📅 Published: Dec. 29, 2025, 3:06 p.m. 🔄 Last Modified: Jan. 5, 2026, 7:33 p.m.

8.7

CVSS4.0

CVE-2025-15193 - D-Link DWR-M920 formParentControl sub_423848 buffer overflow

A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. This affects the function sub_423848 of the file /boafrm/formParentControl. Performing manipulation of the argument submit-url results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and m…

📅 Published: Dec. 29, 2025, 3:02 p.m. 🔄 Last Modified: Dec. 30, 2025, 8:41 p.m.

5.3

CVSS4.0

CVE-2025-15192 - D-Link DWR-M920 formLtefotaUpgradeQuectel sub_415328 command injection

A security vulnerability has been detected in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_415328 of the file /boafrm/formLtefotaUpgradeQuectel. Such manipulation of the argument fota_url leads to command injection. The attack can be executed remotely. The exploit has been…

📅 Published: Dec. 29, 2025, 2:32 p.m. 🔄 Last Modified: Dec. 30, 2025, 8:41 p.m.

5.3

CVSS4.0

CVE-2025-15191 - D-Link DWR-M920 formLtefotaUpgradeFibocom sub_4155B4 command injection

A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been mad…

📅 Published: Dec. 29, 2025, 2:02 p.m. 🔄 Last Modified: Dec. 30, 2025, 8:41 p.m.

8.7

CVSS4.0

CVE-2025-15190 - D-Link DWR-M920 formFilter sub_42261C stack-based overflow

A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public …

📅 Published: Dec. 29, 2025, 1:32 p.m. 🔄 Last Modified: Dec. 30, 2025, 8:41 p.m.

8.7

CVSS4.0

CVE-2025-15189 - D-Link DWR-M920 formDefRoute sub_464794 buffer overflow

A vulnerability was identified in D-Link DWR-M920 up to 1.1.50. This issue affects the function sub_464794 of the file /boafrm/formDefRoute. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be use…

📅 Published: Dec. 29, 2025, 1:02 p.m. 🔄 Last Modified: Dec. 30, 2025, 8:40 p.m.
Total results: 346554