9.8
CVE-2025-59360 - OS command injection in Chaos Mesh via the killProcesses mutation
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
9.8
CVE-2025-59359 - OS command injection in Chaos Mesh via the cleanTcs mutation
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
7.5
CVE-2025-59358 - Denial of Service via Unauthorized Access to Chaos Mesh debugging server
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
8.7
CVE-2025-10443 - Tenda AC9/AC15 exeCommand formexeCommand buffer overflow
A vulnerability was identified in Tenda AC9 and AC15 15.03.05.14/15.03.05.18. This vulnerability affects the function formexeCommand of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to buffer overflow. The attack can be executed remotely. The exploit is publicly avaiβ¦
4.6
CVE-2025-43794 -
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote authenticated attackersβ¦
5.3
CVE-2025-10442 - Tenda AC9/AC15 exeCommand formexeCommand os command injection
A vulnerability was determined in Tenda AC9 and AC15 15.03.05.14. This affects the function formexeCommand of the file /goform/exeCommand. This manipulation of the argument cmdinput causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed aβ¦
5.3
CVE-2025-10441 - D-Link DI-8100G/DI-8200G/DI-8003G jhttpd version_upgrade.asp sub_433F7C os command injection
A vulnerability was found in D-Link DI-8100G, DI-8200G and DI-8003G 17.12.20A1/19.12.10A1. Affected by this issue is the function sub_433F7C of the file version_upgrade.asp of the component jhttpd. The manipulation of the argument path results in os command injection. The attack may be launched remβ¦
7.6
CVE-2025-9072 - One-Click Mattermost Account Takeover via Poisoned RelayState SAML Parameter
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the userβs cookies to an attacker-controlled URL.
3.1
CVE-2025-9084 - Open redirect in OAuth login
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
7
CVE-2025-9826 -
Stored cross-site scripting vulnerability in M-Files Hubshare before version 25.8 allows authenticated attackers to cause script execution for other users.