8.7
CVE-2025-66225 - OrangeHRM is Vulnerable to Account Takeover Through Unvalidated Username in Password Reset Workflow
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset l…
9
CVE-2025-66224 - OrangeHRM is Vulnerable to Code Execution Through Arbitrary File Write from Sendmail Parameter Inje…
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system's sendmail command. Because these v…
8.4
CVE-2025-66223 - OpenObserve's Invite Token Lifecycle Misconfiguration
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued …
6.3
CVE-2025-66221 - Werkzeug safe_join() allows Windows special device names
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory. send_from_dir…
6.3
CVE-2025-53939 - Kiteworks Core is vulnerable to Improper Input Validation
Kiteworks is a private data network (PDN). Prior to version 9.1.0, improper input validation when managing roles of a shared folder could unexpectedly elevate another user's permissions on the share. This issue has been patched in version 9.1.0.
6.5
CVE-2025-53900 - Kiteworks MFT has a Privilege Defined With Unsafe Actions
Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions in Kiteworks MFT on managing Connections could lead to unexpected escalation of privileges for authorized users. This issue has been patched in version 9.1.0.
7.2
CVE-2025-53899 - Kiteworks MFT is vulnerable to an Incorrectly Specified Destination in a Communication Channel
Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to …
6.8
CVE-2025-53897 - Kiteworks MFT has a Cross-Site Request Forgery (CSRF) vulnerability
Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, this vulnerability could allow an external attacker to gain access to log information from the system by tricking an administrator into browsing a specifically crafted fake page of Kiteworks MFT. This issue has b…
7.1
CVE-2025-53896 - Kiteworks MFT is vulnerable to Insufficient Session Expiration
Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could, under certain circumstances, cause a user's active session not to time out properly due to inactivity. This issue has been patched in version 9.1.0.
5.1
CVE-2025-58436 - OpenPrinting CUPS slow client can halt cupsd, leading to a possible DoS attack
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue h…