5.3
CVE-2025-10605 - Portabilis i-Educar agenda_preferencias.php cross site scripting
A security flaw has been discovered in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /agenda_preferencias.php. The manipulation of the argument tipoacao results in cross site scripting. The attack may be launched remotely. The exploit has been released to the p…
6.9
CVE-2025-10604 - PHPGurukul Online Discussion Forum edit_member.php sql injection
A vulnerability was identified in PHPGurukul Online Discussion Forum 1.0. This affects an unknown part of the file /admin/edit_member.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
5.2
CVE-2025-58432 - ZimaOS Privilege Escalation using localhost calls to File API Upload
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v2_1/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT.
4.8
CVE-2025-58431 - ZimaOS reads arbitrary files using localhost calls to File API Download
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v2_1/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT.
6.9
CVE-2025-10603 - PHPGurukul Online Discussion Forum search_result.php sql injection
A vulnerability was determined in PHPGurukul Online Discussion Forum 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_forum/search_result.php. Executing manipulation of the argument Search can lead to sql injection. The attack can be launched remotely. The exploit …
5.3
CVE-2025-10602 - SourceCodester Online Exam Form Submission delete_s1.php sql injection
A vulnerability was found in SourceCodester Online Exam Form Submission 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/delete_s1.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been m…
6.9
CVE-2025-35436 - CISA Thorium account verification email error handling
CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.
5.3
CVE-2025-35435 - CISA Thorium download stream divide by zero
CISA Thorium accepts a stream split size of zero then divides by this value. A remote, authenticated attacker could cause the service to crash. Fixed in commit 89101a6.
2.3
CVE-2025-35434 - CISA Thorium does not validate TLS connections to Elasticsearch
CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.
2.3
CVE-2025-35433 - CISA Thorium does not properly invalidate previously used tokens
CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.