7.5
CVE-2025-64756 - glob CLI: Command injection via -c/--cmd executes matches with shell:true
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <commβ¦
4.8
CVE-2025-55056 -
Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
6.8
CVE-2025-55055 -
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
4.8
CVE-2025-64758 - @dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message
@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permissionβ¦
6.9
CVE-2025-64342 - ESF-IDF's ESP32 Bluetooth Controller Has an Invalid Access Address Vulnerability
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly β¦
7.4
CVE-2025-58407 - GPU DDK - TOCTOU bug affecting psFWMemContext->uiPageCatBaseRegSet
Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.
6.9
CVE-2025-13291 - Campcodes Supplier Management System confirm_order.php sql injection
A vulnerability was found in Campcodes Supplier Management System 1.0. This affects an unknown part of the file /manufacturer/confirm_order.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been made public and could beβ¦
7.5
CVE-2025-58410 - GPU DDK - Multiple calls into PhysmemGEMPrimeExport can inherit write access permission for an exisβ¦
Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource.
7.2
CVE-2025-62519 - phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation β¦
8.8
CVE-2025-13319 - Authenticated SQL injection in API - Digi On-Prem Manager
An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack.