5.1
CVE-2025-40646 - Multiple vulnerabilities in Energy CRM by Status Tracker
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote…
8.7
CVE-2025-40645 - Exposure of sensitive information in Viday
Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter.
4.8
CVE-2025-54292 - Client-Side Path Traversal in LXD-UI
Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
6.9
CVE-2025-54291 - Project existence disclosure in LXD images API
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
6.9
CVE-2025-54290 - Project Existence Disclosure via Error Handling in LXD Image Export
Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
7.4
CVE-2025-54289 - Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
5.1
CVE-2025-54288 - Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the com…
7.1
CVE-2025-54287 - Arbitrary File Read via Template Injection in Snapshot Patterns
Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
7.5
CVE-2025-54286 - CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI
Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
9.8
CVE-2025-9697 - Ajax WooSearch <= 1.0.0 - Unauthenticated SQL Injection
The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection