5.3

CVSS4.0

CVE-2025-11913 - Shenzhen Ruiming Technology Streamax Crocus Service.do download path traversal

A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The attack can be launched remotely. The exploit has…

📅 Published: Oct. 17, 2025, 8:02 p.m. 🔄 Last Modified: Oct. 31, 2025, 5:04 p.m.

5.3

CVSS4.0

CVE-2025-11912 - Shenzhen Ruiming Technology Streamax Crocus DeviceState.do Query sql injection

A flaw has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected is the function Query of the file /DeviceState.do?Action=Query. This manipulation of the argument orderField causes sql injection. The attack can be initiated remotely. The exploit has been published and may be us…

📅 Published: Oct. 17, 2025, 8:02 p.m. 🔄 Last Modified: Oct. 31, 2025, 5:09 p.m.

10

CVSS4.0

CVE-2025-11925 - Incorrect Content-Type Header

Incorrect Content-Type header in replies from one of the APIs (`text/html` instead of `application/json`) may potentially allow injection of HTML/JavaScript into the reply. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

📅 Published: Oct. 17, 2025, 7:56 p.m. 🔄 Last Modified: Nov. 7, 2025, 5:14 p.m.

6.3

CVSS3.1

CVE-2025-62511 - yt-grabber-tui local arbitrary file overwrite via TOCTOU race in config file creation

yt-grabber-tui is a C++ terminal user interface application for downloading YouTube content. yt-grabber-tui version 1.0 contains a Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367) in the creation of the default configuration file config.json. In version 1.0, load_json_settings in Sett…

📅 Published: Oct. 17, 2025, 7:55 p.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

5.3

CVSS4.0

CVE-2025-11911 - Shenzhen Ruiming Technology Streamax Crocus DeviceFault.do Query sql injection

A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This impacts the function Query of the file /DeviceFault.do?Action=Query. The manipulation of the argument sortField results in sql injection. It is possible to launch the attack remotely. The exploit is now public …

📅 Published: Oct. 17, 2025, 7:32 p.m. 🔄 Last Modified: Oct. 31, 2025, 5:11 p.m.

5.3

CVSS4.0

CVE-2025-11910 - Shenzhen Ruiming Technology Streamax Crocus MemoryState.do query sql injection

A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This affects the function Query of the file /MemoryState.do?Action=Query. The manipulation of the argument orderField leads to sql injection. It is possible to initiate the attack remotely. The exploit…

📅 Published: Oct. 17, 2025, 7:32 p.m. 🔄 Last Modified: Oct. 31, 2025, 5:12 p.m.

6.9

CVSS4.0

CVE-2025-34282 - ThingsBoard < v4.2.1 SVG Image SSRF

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may in…

📅 Published: Oct. 17, 2025, 6:33 p.m. 🔄 Last Modified: Nov. 19, 2025, 1:27 a.m.

6.2

CVSS4.0

CVE-2025-34281 - Stored Cross-Site Scripting (XSS) in ThingsBoard

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t…

📅 Published: Oct. 17, 2025, 6:33 p.m. 🔄 Last Modified: Feb. 10, 2026, 4:16 p.m.

5.3

CVSS4.0

CVE-2025-11909 - Shenzhen Ruiming Technology Streamax Crocus RepairRecord.do queryLast sql injection

A weakness has been identified in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The impacted element is the function queryLast of the file /RepairRecord.do?Action=QueryLast. Manipulation of the argument orderField can lead to SQL injection. The attack may be performed remotely. T…

📅 Published: Oct. 17, 2025, 6:32 p.m. 🔄 Last Modified: Oct. 31, 2025, 5:18 p.m.

5.3

CVSS4.0

CVE-2025-11908 - Shenzhen Ruiming Technology Streamax Crocus FileDir.do uploadFile unrestricted upload

A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out rem…

📅 Published: Oct. 17, 2025, 6:32 p.m. 🔄 Last Modified: Oct. 31, 2025, 5:19 p.m.