1.2
CVE-2025-69210 - FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These fiβ¦
6.7
CVE-2025-69257 - theshit vulnerable to unsafe loading of user-owned Python rules when running as root.
theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions wβ¦
7.5
CVE-2025-69256 - serverless MCP Server vulnerable to command injection in list-projects tool
The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulβ¦
6.9
CVE-2025-15264 - FeehiCMS TimThumb timthumb.php server-side request forgery
A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publβ¦
6.9
CVE-2025-15263 - BiggiDroid Simple PHP CMS Admin Login login.php sql injection
A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been made avaβ¦
5.1
CVE-2025-15262 - BiggiDroid Simple PHP CMS Site Logo edit.php unrestricted upload
A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing a manipulation of the argument image results in unrestricted upload. Remote exploitation of the attack is possible. The eβ¦
5.1
CVE-2025-15258 - Edimax BR-6208AC Web-based Configuration formALGSetup redirect
A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack is possible to be carrieβ¦
6.9
CVE-2025-15257 - Edimax BR-6208AC Web-based Configuration formRoute command injection
A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03. Affected by this vulnerability is the function formRoute of the file /gogorm/formRoute of the component Web-based Configuration Interface. The manipulation of the argument strIp/strMask/strGateway results in command injection. The aβ¦
9.8
CVE-2025-68926 - RustFS has a gRPC Hardcoded Token Authentication Bypass
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable wβ¦
5.3
CVE-2025-69204 - ImageMagick converting a malicious MVG file to SVG caused an integer overflow.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Vβ¦