4.8
CVE-2025-9416 - oitcode samarium Pages Image webpage cross site scripting
A security flaw has been discovered in oitcode samarium up to 0.9.6. This vulnerability affects unknown code of the file /cms/webpage/ of the component Pages Image Handler. The manipulation results in cross site scripting. The attack may be performed from a remote location. The exploit has been relโฆ
5.3
CVE-2025-9415 - GreenCMS index.php unrestricted upload
A vulnerability was identified in GreenCMS up to 2.3.0603. This affects an unknown part of the file /index.php?m=admin&c=media&a=fileconnect. The manipulation of the argument upload[] leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available โฆ
5.1
CVE-2025-9414 - kalcaddle kodbox Download from Link serverDownload server-side request forgery
A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote exploitโฆ
5.3
CVE-2025-9413 - lostvip-com ruoyi-go system_router.go SelectListByPage sql injection
A flaw has been found in lostvip-com ruoyi-go up to 2.1. This impacts the function SelectListByPage of the file modules/system/system_router.go. This manipulation of the argument orderByColumn/isAsc causes sql injection. The attack may be initiated remotely. The exploit has been published and may bโฆ
6.1
CVE-2025-57811 - Craft Potential Remote Code Execution via Twig SSTI
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versโฆ
8.7
CVE-2025-57802 - Airlink's Daemon Symlink Vulnerability
Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrโฆ
5.3
CVE-2025-9412 - lostvip-com ruoyi-go DictDataDao.go SelectListByPage sql injection
A vulnerability was detected in lostvip-com ruoyi-go up to 2.1. This affects the function SelectListByPage of the file modules/system/dao/DictDataDao.go. The manipulation of the argument orderByColumn/isAsc results in sql injection. The attack can be launched remotely. The exploit is now public andโฆ
5.3
CVE-2025-9411 - lostvip-com ruoyi-go LoginInforService.go SelectPageList sql injection
A security vulnerability has been detected in lostvip-com ruoyi-go up to 2.1. The impacted element is the function SelectPageList of the file modules/system/service/LoginInforService.go. The manipulation of the argument isAsc leads to sql injection. The attack can be initiated remotely. The exploitโฆ
8.2
CVE-2025-57772 - Dataease H2 JDBC RCE Bypass
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2's filteโฆ
8.2
CVE-2025-57773 - Dataease DB2 Aspectweaver Deserialization Arbitrary File Write Vulnerability
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files. This vulnerability requโฆ