7.3
CVE-2025-58062 - LSTM-Kirigaya's openmcp-client Vulnerable to RCE in MCP Authorization Flow
LSTM-Kirigaya's openmcp-client is a VS Code plugin for MCP developers. Prior to version 0.1.12, when users on a Windows platform connect to an attacker-controlled MCP server, attackers could provision a malicious authorization server endpoint to silently achieve an OS command injection attack in the …
5.5
CVE-2025-58061 - OpenEBS Local PV RawFile persistent volume data is world readable
OpenEBS Local PV RawFile allows dynamic deployment of Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes. Prior to version 0.10.0, persistent volume data is world readable, which would allow non-privileged users to access sensitive data such as databases of k8s workloads. The rawf…
6.9
CVE-2025-9592 - itsourcecode Apartment Management System bill_info.php sql injection
A vulnerability was detected in itsourcecode Apartment Management System 1.0. This issue affects some unknown processing of the file /report/bill_info.php. Performing manipulation of the argument vid results in SQL injection. Remote exploitation of the attack is possible. The exploit is now public …
4.8
CVE-2025-9591 - ZrLog Theme Configuration Form config cross site scripting
A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipulation of the argument footerLink leads to cross-site scripting. The attack may be launched remotely. …
5.3
CVE-2025-58058 - github.com/ulikunitz/xz leaks memory when decoding corrupted multiple LZMA archives
xz is a pure Go package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the current implementa…
5.1
CVE-2025-9590 - Weaver E-Mobile Mobile Management Platform cross site scripting
A vulnerability was identified in Weaver E-Mobile Mobile Management Platform up to 20250813. Affected by this vulnerability is an unknown functionality. The manipulation of the argument gohome leads to cross-site scripting. The attack can be initiated remotely. The exploit is publicly available and …
2
CVE-2025-9589 - Cudy WR1200EA shadow default password
A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of a default password. The attack needs to be launched locally. A high complexity level is associated with this attack. The exploitabi…
5.3
CVE-2025-9586 - Comfast CF-N1 webmgnt wireless_device_dissoc command injection
A vulnerability was identified in Comfast CF-N1 2.6.0. This vulnerability affects the function wireless_device_dissoc of the file /usr/bin/webmgnt. Such manipulation of the argument mac leads to command injection. The attack may be performed from a remote location. The exploit is publicly available …
5.3
CVE-2025-9585 - Comfast CF-N1 webmgnt wifilith_delete_pic_file command injection
A vulnerability was determined in Comfast CF-N1 2.6.0. This affects the function wifilith_delete_pic_file of the file /usr/bin/webmgnt. This manipulation of the argument portal_delete_picname causes command injection. The attack can be carried out remotely. The exploit has been publicly …
5.3
CVE-2025-9584 - Comfast CF-N1 webmgnt update_interface_png command injection
A vulnerability was found in Comfast CF-N1 2.6.0. Affected by this issue is the function update_interface_png of the file /usr/bin/webmgnt. The manipulation of the argument interface/display_name results in command injection. The attack can be executed remotely. The exploit has been made public and …