7.5
CVE-2025-11452 - Asgaros Forum <= 3.1.0 - Unauthenticated SQL Injection
The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforum_unread_exclude']' cookie in all versions up to, and including, 3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This …
7.3
CVE-2025-64496 - Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via …
8.7
CVE-2025-64495 - Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled re…
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigne…
4.6
CVE-2025-64494 - Soft Serve does not sanitize ANSI escape sequences in user input
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same token, git messages…
6.5
CVE-2025-64493 - SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from t…
8.8
CVE-2025-64492 - SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times,…
6.1
CVE-2025-64491 - SuiteCRM is vulnerable to unauthenticated reflected XSS through its Login page
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow unauthenticated reflected Cross-Site Scripting (XSS). Successful exploitation could lead to full account takeover, for example by altering the login form to send…
8.3
CVE-2025-64490 - SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even w…
8.3
CVE-2025-64489 - SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an ac…
8.6
CVE-2025-64488 - SuiteCRM: Authenticated SQL Injection Possible in Reschedule Call Module
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack ca…