9.3
CVE-2025-66571 - UNA CMS 9.0.0-RC1 - 14.0.0-RC4 PHP Object Injection
UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php, where the profile_id POST parameter is passed to PHP unserialize() without validation, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially wr…
8.8
CVE-2025-66555 - AirKeyboard iOS App 1.0.5 - Remote Input Injection
AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control.
8.5
CVE-2024-58278 - IndigoSTAR Software - perl2exe <= V30.10C - Arbitrary Code Execution
perl2exe <= V30.10C contains an arbitrary code execution vulnerability that allows local authenticated attackers to execute malicious scripts. An attacker who controls the 0th argument (argv[0]) of a packed executable can make it execute another executable, bypassing restrictions and gaining unauthorized acces…
8.7
CVE-2024-58277 - R Radio Network FM Transmitter 1.07 System Settings Disclosure
R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access.
8.7
CVE-2024-58276 - Obi08-Enrollment System 1.0 login.php SQL Injection
Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php that allows unauthenticated attackers to execute arbitrary SQL queries. Using UNION-based injection, an attacker can extract sensitive information from the users table, including usernames a…
8.7
CVE-2024-58275 - Easywall 0.3.1 - Authentication Bypass via Command Injection in /ports-save Endpoint
Easywall 0.3.1 contains a command injection vulnerability in the /ports-save endpoint: a request parameter is passed into a shell command without validation, so an authenticated remote attacker can inject shell metacharacters and execute arbitrary commands on the server.
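The injection pattern behind the Easywall entry, shown as an added illustration in Python (Easywall is a Python application, but this is not Easywall's code): a port value interpolated into a shell command line beside a hardened version that allow-lists the value and passes argv without a shell. The firewall CLI is replaced by `echo` so the example runs anywhere with /bin/sh; the parameter name and the `--allow-port` flag are assumptions for the example.

```python
import re
import subprocess

# Stand-in for the firewall CLI a "save ports" handler would invoke. echo just
# prints its arguments, so both variants run harmlessly (constructed for this example).
FIREWALL_CMD = "echo"


def open_port_vulnerable(port_spec: str) -> str:
    # Vulnerable pattern: the request value is spliced into a shell command
    # line and handed to /bin/sh, so ';', '|', '&&', '`...`' and '$(...)' in the
    # value are interpreted by the shell as additional commands.
    cmd = f"{FIREWALL_CMD} --allow-port {port_spec}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list: a single port or a low:high range, digits only.
_PORT_SPEC = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def is_valid_port_spec(port_spec: str) -> bool:
    m = _PORT_SPEC.fullmatch(port_spec)
    if not m:
        return False
    ports = [int(p) for p in m.groups() if p is not None]
    if any(not 1 <= p <= 65535 for p in ports):
        return False
    return len(ports) == 1 or ports[0] <= ports[1]


def open_port_hardened(port_spec: str) -> str:
    # Hardened: reject anything outside the allow-list, then pass argv as a
    # list with shell=False so no shell ever parses the value. Validation
    # is the primary control; avoiding the shell removes the sink entirely.
    if not is_valid_port_spec(port_spec):
        raise ValueError(f"invalid port specification: {port_spec!r}")
    argv = [FIREWALL_CMD, "--allow-port", port_spec]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "22; echo INJECTED"  # constructed attacker value
    print(open_port_vulnerable(payload))   # second command runs
    print(open_port_hardened("8000:8080")) # only the intended argv reaches the tool
    try:
        open_port_hardened(payload)
    except ValueError as e:
        print("rejected:", e)
```

Even with the argv-list form, the value still needs the allow-list: a tool that accepts its own option-like arguments can be abused by a value such as `--some-other-flag`.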
5.3
CVE-2023-53735 - WEBIGniter 28.7.23 Cross-Site Scripting (XSS) in User Creation Process
WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to inject JavaScript which executes in the browser of a user who views the affected page.
8.7
CVE-2023-53734 - dawa-pharma-1.0 - SQL Injection via Email Parameter
dawa-pharma-1.0 contains a SQL injection vulnerability in the email parameter that allows unauthenticated attackers to execute arbitrary SQL queries on the server, access sensitive information and potentially gain administrative access.
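The mechanism shared by the Obi08 (keyword parameter, UNION-based) and dawa-pharma (email parameter) entries, as an added example that is not code from either project: a search that splices the request value into SQL text, the UNION payload that turns it into a dump of a users table, and the parameterized form that makes the same payload inert. The schema, rows and column names are constructed for the example and run on an in-memory SQLite database.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: the table the search is meant to hit, plus a
    # users table holding what an attacker actually wants.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE subjects (id INTEGER, name TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO subjects VALUES (1, 'Algebra'), (2, 'Biology');
        INSERT INTO users VALUES (1, 'admin', 'h4sh3d-secret'), (2, 'bob', 'hunter2');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, keyword: str) -> list:
    # Vulnerable: the keyword becomes part of the SQL text, so a quote in it
    # ends the string literal and everything after is parsed as SQL.
    sql = f"SELECT id, name FROM subjects WHERE name LIKE '%{keyword}%'"
    return db.execute(sql).fetchall()


def search_parameterized(db: sqlite3.Connection, keyword: str) -> list:
    # Hardened: the value is bound as a parameter and never parsed as SQL.
    # The LIKE wildcard wrapping is done in Python, not in the query text.
    sql = "SELECT id, name FROM subjects WHERE name LIKE ?"
    return db.execute(sql, (f"%{keyword}%",)).fetchall()


# Constructed UNION payload: close the open string literal, append a SELECT whose
# two columns line up with (id, name), and comment out the trailing "%'".
UNION_PAYLOAD = "zzz%' UNION SELECT username, password FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Alg"))            # intended use
    print(search_vulnerable(db, UNION_PAYLOAD))    # users table rows come back
    print(search_parameterized(db, UNION_PAYLOAD)) # [] - payload is just a pattern
```

The column count and types in the UNION must match the original SELECT; in practice the attacker probes that with `ORDER BY n` or `UNION SELECT NULL, NULL` first. The parameterized version is the fix; escaping the quote is not, because the same query built with an integer column instead of a string literal would need no quote at all.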
8.6
CVE-2025-27935 - Authentication Bypass in OTP (One-time Passcode) IdP Adapter Integration Kit
The OTP Integration Kit for PingFederate fails to properly enforce HTTP method validation and state validation: the server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication.
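What "advances the authentication state without verifying the OTP" looks like in a state machine, as an added illustration in Python that is not PingFederate's or the integration kit's code: a vulnerable adapter whose only transition condition is "we are at the OTP step", beside one that requires a POST, a valid per-session state token, a bounded attempt count and a constant-time OTP match before moving on. Field names (`otp`, `state`) and the state labels are assumptions for the example.

```python
import hmac
import secrets


class OtpStepVulnerable:
    """Vulnerable pattern: reaching the OTP step is treated as passing it."""

    def __init__(self, expected_otp: str):
        self.expected_otp = expected_otp
        self.state = "OTP_SENT"

    def handle(self, method: str, form: dict) -> str:
        # The transition depends only on the current state. Neither the HTTP
        # method nor the submitted OTP (if any) gates it, so a bare GET of the
        # step URL, or a POST with an empty form, is enough to complete MFA.
        if self.state == "OTP_SENT":
            self.state = "AUTHENTICATED"
        return self.state


class OtpStepHardened:
    """Every transition out of OTP_SENT is gated on method, state token and OTP."""

    MAX_ATTEMPTS = 5

    def __init__(self, expected_otp: str):
        self.expected_otp = expected_otp
        self.state = "OTP_SENT"
        # Unguessable token bound to this authentication session; it is emitted
        # in the OTP form and must be echoed back, so a request that did not
        # originate from the form cannot drive the state machine.
        self.state_token = secrets.token_urlsafe(16)
        self.attempts = 0

    def handle(self, method: str, form: dict) -> str:
        if self.state != "OTP_SENT":
            return self.state                      # only one transition is legal here
        if method != "POST":
            return self.state                      # method validation
        if not hmac.compare_digest(form.get("state", ""), self.state_token):
            return self.state                      # state validation
        self.attempts += 1
        if self.attempts > self.MAX_ATTEMPTS:
            self.state = "FAILED"                  # six-digit codes are brute-forceable
            return self.state
        if hmac.compare_digest(form.get("otp", ""), self.expected_otp):
            self.state = "AUTHENTICATED"           # OTP actually verified
        return self.state


if __name__ == "__main__":
    v = OtpStepVulnerable("123456")
    print("vulnerable after GET:", v.handle("GET", {}))
    h = OtpStepHardened("123456")
    print("hardened after GET:", h.handle("GET", {}))
    print("hardened wrong OTP:", h.handle("POST", {"otp": "000000", "state": h.state_token}))
    print("hardened right OTP:", h.handle("POST", {"otp": "123456", "state": h.state_token}))
```

The state token and the OTP are compared with `hmac.compare_digest` so that a wrong value is rejected in time independent of how many leading characters matched; `==` on secrets leaks that through timing.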
8.8
CVE-2025-13543 - PostGallery <= 1.12.5 - Authenticated (Subscriber+) Arbitrary File Upload
The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissio…
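The class of bug named in the PostGallery entry, "incorrect file type validation", shown as an added Python illustration that is not the plugin's code and does not claim to be its specific flaw: a check that trusts the client-supplied Content-Type, beside a validator that uses an extension allow-list, rejects names with more than one extension, and confirms the file's magic bytes before accepting it. The allow-list, the sample bytes and the file names are constructed for the example.

```python
import re

# Allowed extensions mapped to the leading bytes a genuine file of that type carries.
ALLOWED_TYPES = {
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
}

# Base name: no dots, no path separators, bounded length.
_SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def accepts_upload_vulnerable(filename: str, client_mime: str, data: bytes) -> bool:
    # Vulnerable pattern: the decision rests on a header the uploader controls.
    # "shell.php" sent with Content-Type: image/jpeg passes and lands in the
    # web root with a PHP extension.
    return client_mime in ("image/jpeg", "image/png", "image/gif")


def validate_upload(filename: str, client_mime: str, data: bytes) -> str:
    """Return the name the file may be stored under, or raise ValueError.

    client_mime is accepted for interface compatibility and deliberately ignored.
    """
    base, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {filename!r}")
    # Rejecting dots in the base name kills "shell.php.jpg", which some
    # server configurations execute as PHP based on the first extension.
    if not _SAFE_BASE.fullmatch(base):
        raise ValueError(f"unsafe base name: {filename!r}")
    # Content must actually be the claimed type, regardless of name or header.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError(f"content does not match .{ext}")
    return f"{base}.{ext}"


def accepts_upload_hardened(filename: str, client_mime: str, data: bytes) -> bool:
    try:
        validate_upload(filename, client_mime, data)
        return True
    except ValueError:
        return False


# Constructed sample contents.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'hello'; ?>"


if __name__ == "__main__":
    print(accepts_upload_vulnerable("shell.php", "image/jpeg", PHP_BYTES))   # True
    print(accepts_upload_hardened("shell.php", "image/jpeg", PHP_BYTES))     # False
    print(validate_upload("photo.jpg", "image/jpeg", JPEG_BYTES))           # photo.jpg
```

Magic-byte checks are necessary but not sufficient on their own: a file can be a valid JPEG and still carry PHP in a comment segment, which is why the extension allow-list and the storage location (outside the executable web root, or with script execution disabled) matter as much as the content check.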