7.1
CVE-2025-66402 - misskey.js's export data contains private post data
Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue.
7.4
CVE-2025-58173 - FreshRSS vulnerable to authenticated RCE via path traversal inside include()
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as thβ¦
5.1
CVE-2025-14730 - CTCMS Content Management System Backend System Configuration Ct_Config.php code injection
A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Module. The manipulation of the argument Cj_Add/Cj_Edit results in code injection. Tβ¦
5.1
CVE-2025-14729 - CTCMS Content Management System Backend App Configuration Ct_App.php save code injection
A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulation of the argument CT_App_Paytype leads to code injection. Remote exploitationβ¦
8.8
CVE-2025-9121 - Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
5.3
CVE-2025-9122 - Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitivβ¦
Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.
5.3
CVE-2023-53879 - NVClient 5.0 Stack Buffer Overflow Vulnerability via User Configuration
NVClient 5.0 contains a stack buffer overflow vulnerability in the user configuration contact field that allows attackers to crash the application. Attackers can overwrite 846 bytes of memory by pasting a crafted payload into the contact box, causing a denial of service condition.
4.8
CVE-2025-14722 - vion707 DMadmin Backend AddonsController.class.php add cross site scripting
A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the component Backend. Executing manipulation can lead to cross site scripting. The attack can be executed remotβ¦
5.3
CVE-2023-53893 - Ateme TITAN File 3.9 Authenticated Server-Side Request Forgery Vulnerability
Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the job callback URL parameter that allows attackers to bypass network restrictions. Attackers can exploit the unvalidated parameter to initiate file, service, and network enumeration by forcing the appβ¦
8.6
CVE-2023-53892 - Blackcat CMS 1.4 Remote Code Execution via Jquery Plugin Manager
Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin's β¦