9.3

CVSS3.1

CVE-2025-67494 - ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This al…

📅 Published: Dec. 9, 2025, 10:07 p.m. 🔄 Last Modified: Dec. 19, 2025, 6:53 p.m.

4.3

CVSS3.1

CVE-2025-36437 - IBM Planning Analytics Local is vulnerable to disclosing sensitive information

IBM Planning Analytics Local 2.1.0 - 2.1.15 could disclose sensitive information about server architecture that could aid in further attacks against the system.

📅 Published: Dec. 9, 2025, 10:04 p.m. 🔄 Last Modified: Jan. 14, 2026, 8:40 p.m.

7.5

CVSS3.1

CVE-2025-66645 - NiceGUI Path Traversal Vulnerability in app.add_media_files() Allows Arbitrary File Reading

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.

📅 Published: Dec. 9, 2025, 9:41 p.m. 🔄 Last Modified: Dec. 19, 2025, 7 p.m.

9.3

CVSS4.0

CVE-2025-66039 - FreePBX Endpoint Manager Allows Unauthenticated Logins to Administrator Control Panel via Forged Ba…

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user…

📅 Published: Dec. 9, 2025, 9:32 p.m. 🔄 Last Modified: Feb. 26, 2026, 4:21 p.m.

5.3

CVSS4.0

CVE-2025-34425 - MailEnable < 10.54 Reflected XSS in WindowContext Parameter of MAI/compose.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx. The WindowContext value is not properly sanitized when processed via a GET request and is reflected within a <script> context in …

📅 Published: Dec. 9, 2025, 9:13 p.m. 🔄 Last Modified: March 5, 2026, 12:04 p.m.

6.9

CVSS4.0

CVE-2023-53774 - MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol Remote Code Execution

MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can send crafted SVDRP commands through the svdrpsend.sh script to execute messages and potentially control the video disk recorder…

📅 Published: Dec. 9, 2025, 8:56 p.m. 🔄 Last Modified: April 7, 2026, 2:06 p.m.

8.7

CVSS4.0

CVE-2023-53773 - MiniDVBLinux 5.4 Unauthenticated Live Stream Disclosure via tv_action.sh

MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg …

📅 Published: Dec. 9, 2025, 8:55 p.m. 🔄 Last Modified: April 7, 2026, 2:06 p.m.

8.7

CVSS4.0

CVE-2023-53772 - MiniDVBLinux 5.4 Arbitrary File Read Vulnerability via About Page

MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the 'file' GET parameter. Attackers can exploit the about page by supplying file paths to disclose arbitrary file contents on the affected device.

📅 Published: Dec. 9, 2025, 8:55 p.m. 🔄 Last Modified: April 7, 2026, 2:06 p.m.

9.3

CVSS4.0

CVE-2023-53771 - MiniDVBLinux 5.4 Unauthenticated Root Password Change via System Setup

MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials.

📅 Published: Dec. 9, 2025, 8:54 p.m. 🔄 Last Modified: April 7, 2026, 2:06 p.m.

9.8

CVSS3.1

CVE-2025-67489 - @vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs…

@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into R…

📅 Published: Dec. 9, 2025, 8:54 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.