7.1
CVE-2025-64764 - Astro is vulnerable to Reflected XSS via the server islands feature
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
5.4
CVE-2025-65019 - Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This e…
3.5
CVE-2025-64757 - Astro Development Server is Vulnerable to Arbitrary Local File Read
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attacke…
8.7
CVE-2025-34335 - AudioCodes Fax/IVR Appliance <= 2.6.23 Authenticated Command Injection via ActivateLicense.php
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by AudioCodes_files/ActivateLicense.php. When a license file is uploaded, the application derives a new file…
8.7
CVE-2025-34334 - AudioCodes Fax/IVR Appliance <= 2.6.23 Authenticated Command Injection via TestFax.php & LPE
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by AudioCodes_files/TestFax.php. When a fax "send" test is requested, the application builds a faxsender command…
8.5
CVE-2025-34332 - AudioCodes Fax/IVR Appliance <= 2.6.23 Insecure Service Control Scripts LPE
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\\Services. When certain service actions are …
9.3
CVE-2025-34329 - AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated Backup Upload RCE via ajaxBackupUploadFile.p…
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates th…
8.7
CVE-2025-34331 - AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated File Read via download.php
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request fil…
9.3
CVE-2025-34328 - AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated File Upload RCE via ajaxScript.php
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-suppli…
6.9
CVE-2025-34330 - AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated Prompt File Upload via ajaxPromptUploadFile.…
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file an…