5.8
CVE-2025-62652 - Stored XSS in WebAuthn key name
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS. This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.
9.8
CVE-2025-62515 - Remote Code Execution by Pickle Deserialization via FlightServer in pyquokka
pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action() method. The vulnerable code is loc…
5.3
CVE-2025-11914 - Shenzhen Ruiming Technology Streamax Crocus DeviceFileReport.do download path traversal
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this issue is the function Download of the file /DeviceFileReport.do?Action=Download. Performing manipulation of the argument FilePath results in path traversal. The attack may be initiated remotely. The ex…
6.5
CVE-2025-62508 - Citizen vulnerable to stored XSS in sticky header button messages
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 is vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element's t…
5.3
CVE-2025-11913 - Shenzhen Ruiming Technology Streamax Crocus Service.do download path traversal
A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The attack can be launched remotely. The exploit has…
5.3
CVE-2025-11912 - Shenzhen Ruiming Technology Streamax Crocus DeviceState.do Query sql injection
A flaw has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected is the function Query of the file /DeviceState.do?Action=Query. This manipulation of the argument orderField causes sql injection. The attack can be initiated remotely. The exploit has been published and may be us…
10
CVE-2025-11925 - Incorrect Content-Type Header
Incorrect Content-Type header in one of the APIs (`text/html` instead of `application/json`) replies may potentially allow injection of HTML/JavaScript into the reply. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
6.3
CVE-2025-62511 - yt-grabber-tui local arbitrary file overwrite via TOCTOU race in config file creation
yt-grabber-tui is a C++ terminal user interface application for downloading YouTube content. yt-grabber-tui version 1.0 contains a Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367) in the creation of the default configuration file config.json. In version 1.0, load_json_settings in Sett…
5.3
CVE-2025-11911 - Shenzhen Ruiming Technology Streamax Crocus DeviceFault.do Query sql injection
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This impacts the function Query of the file /DeviceFault.do?Action=Query. The manipulation of the argument sortField results in sql injection. It is possible to launch the attack remotely. The exploit is now public …
5.3
CVE-2025-11910 - Shenzhen Ruiming Technology Streamax Crocus MemoryState.do query sql injection
A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This affects the function Query of the file /MemoryState.do?Action=Query. The manipulation of the argument orderField leads to sql injection. It is possible to initiate the attack remotely. The exploit…