5.1

CVSS4.0

CVE-2025-13411 - Campcodes Retro Basketball Shoes Online Store admin_football.php unrestricted upload

A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Performing a manipulation of the argument product_image results in unrestricted upload. The attack is possible to be carr…

📅 Published: Nov. 19, 2025, 8:32 p.m. 🔄 Last Modified: Feb. 24, 2026, 7:16 a.m.

6.9

CVSS4.0

CVE-2025-13410 - Campcodes Retro Basketball Shoes Online Store receipt.php SQL injection

A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected is an unknown function of the file /admin/receipt.php. Such manipulation of the argument tid leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and ma…

📅 Published: Nov. 19, 2025, 8:32 p.m. 🔄 Last Modified: Feb. 24, 2026, 6:34 a.m.

6.5

CVSS3.1

CVE-2025-36371 - IBM i Information Disclosure

IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by an information disclosure vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view.

📅 Published: Nov. 19, 2025, 7:45 p.m. 🔄 Last Modified: Nov. 24, 2025, 2:57 p.m.

8.8

CVSS3.1

CVE-2025-65103 - OpenSTAManager has an authenticated SQL Injection vulnerability in API via 'display' parameter

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an…

📅 Published: Nov. 19, 2025, 7:09 p.m. 🔄 Last Modified: Nov. 21, 2025, 3:13 p.m.

8.7

CVSS4.0

CVE-2025-65094 - WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu…

📅 Published: Nov. 19, 2025, 7:06 p.m. 🔄 Last Modified: Dec. 15, 2025, 2:10 p.m.

6.9

CVSS4.0

CVE-2025-65100 - Security Snapshot May Use Unintended Timestamp When Only ISAR_APT_SNAPSHOT_DATE Is Set

Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue has been patched via commit 738bcbb.

📅 Published: Nov. 19, 2025, 6:52 p.m. 🔄 Last Modified: Nov. 24, 2025, 9:10 a.m.

8.1

CVSS3.1

CVE-2025-64759 - Homarr is Vulnerable to Stored Cross-Site Scripting (XSS) and Possible Privilege Escalation via Mal…

Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attac…

📅 Published: Nov. 19, 2025, 6:44 p.m. 🔄 Last Modified: Nov. 21, 2025, 3:13 p.m.

8.2

CVSS4.0

CVE-2025-13316 - Hard-coded encryption keys in Twonky Server

Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twon…

📅 Published: Nov. 19, 2025, 5:53 p.m. 🔄 Last Modified: Nov. 25, 2025, 7:36 p.m.

9.3

CVSS4.0

CVE-2025-13315 - Unauthenticated log access in Twonky Server

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

📅 Published: Nov. 19, 2025, 5:41 p.m. 🔄 Last Modified: Dec. 2, 2025, 4:42 p.m.

6.8

CVSS3.1

CVE-2025-65089 - XWiki view file macro: User can view content of office file without view rights on the attachment

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched in version 1.27.0.

📅 Published: Nov. 19, 2025, 5:41 p.m. 🔄 Last Modified: Jan. 15, 2026, 5:54 p.m.