6.9
CVE-2025-6925 - Dromara RuoYi-Vue-Plus Mail MailController.java path traversal
A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath l…
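The entry above only says that a client-controlled filePath argument is involved; the affected code is not on this page. The following is an added illustration of the vulnerability class (path traversal through an unchecked file path), not code from RuoYi-Vue-Plus: the base directory, the function names and the sample inputs are constructed for the demo. The unsafe resolver joins the argument straight onto a base directory; the hardened one normalises the result and then checks, component by component, that it still lies under the base.

```python
import posixpath

# Constructed base directory for the demo; the real project's storage path is not on the page.
BASE_DIR = "/srv/mail/attachments"


def resolve_unsafe(file_path: str) -> str:
    """Naive join of a client-controlled filePath onto the base directory.

    '..' segments walk out of BASE_DIR, and an absolute filePath replaces it entirely
    because posixpath.join discards everything before an absolute component.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, file_path))


def resolve_safe(file_path: str):
    """Normalise, then require the result to sit inside BASE_DIR.

    Returns the normalised absolute path, or None when the input would escape.
    """
    if "\x00" in file_path:  # an embedded NUL truncates the path in many native file APIs
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, file_path))
    # commonpath compares whole path components, so '/srv/mail/attachments2/x' is not
    # mistaken for a child of '/srv/mail/attachments' the way a plain prefix check would.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a benign name, a benign name with a harmless '..', two escapes
    # and a sibling-directory prefix trick.
    for p in ("report.pdf", "sub/../report.pdf", "../../etc/passwd",
              "/etc/passwd", "../attachments2/x"):
        print(f"{p!r:22} unsafe={resolve_unsafe(p)!r:30} safe={resolve_safe(p)!r}")
```

The string-only check above is deliberately independent of the filesystem; in a real handler you would additionally resolve symlinks (for example with `os.path.realpath`) before the containment test, since a link inside the base directory can point outside it.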
6.9
CVE-2025-6917 - code-projects Online Hotel Booking registration.php sql injection
A vulnerability has been found in code-projects Online Hotel Booking 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/registration.php. The manipulation of the argument uname leads to sql injection. The attack can be initiated remotely. The exploit has been…
8.7
CVE-2025-52898 - Frappe account takeover via password reset token leakage
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users a…
8.6
CVE-2025-52896 - Frappe authenticated XSS via data import
Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds f…
8.7
CVE-2025-52895 - Frappe possibility of SQL injection due to improper validations
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There ar…
8.7
CVE-2025-6916 - TOTOLINK T6 formLoginAuth.htm Form_Login missing authentication
A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be initiated within the local …
4.3
CVE-2025-47871 - Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive informa…
5.4
CVE-2025-46702 - Mattermost Playbooks allows privilege escalation through improper access control in playbook run pa…
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admi…
5.3
CVE-2025-6915 - PHPGurukul Student Record System register.php sql injection
A vulnerability, which was classified as critical, has been found in PHPGurukul Student Record System 3.2. Affected by this issue is some unknown functionality of the file /register.php. The manipulation of the argument session leads to sql injection. The attack may be launched remotely. The exploi…
5.3
CVE-2025-6914 - PHPGurukul Student Record System edit-student.php sql injection
A vulnerability classified as critical was found in PHPGurukul Student Record System 3.2. Affected by this vulnerability is an unknown functionality of the file /edit-student.php. The manipulation of the argument fmarks2 leads to sql injection. The attack can be launched remotely. The exploit has b…
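Three entries on this page (CVE-2025-6917, CVE-2025-6915 and CVE-2025-6914) describe the same class of bug: a request argument (uname, session, fmarks2) reaches a SQL statement unescaped. None of the affected PHP code is on the page, so the following is an added, self-contained demonstration of the class, not code from either project: the table, the rows, the function names and the two payloads are constructed for the demo, and the queries run against an in-memory SQLite database. It puts the string-built query beside the parameterised one so the difference in what the same input does is visible.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, uname: str):
    """String-built query: the argument's value becomes part of the SQL grammar."""
    sql = f"SELECT uname, role FROM users WHERE uname = '{uname}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, uname: str):
    """Parameterised query: the argument is bound as data and cannot close the quote."""
    return conn.execute(
        "SELECT uname, role FROM users WHERE uname = ?", (uname,)
    ).fetchall()


# Constructed payloads of the kind "manipulation of the argument" refers to.
# The first turns the WHERE clause into a tautology; the second appends a UNION
# that reads a column the query never meant to return, and comments out the
# dangling quote with '--'.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT uname, pwd FROM users --"


def run_demo() -> dict:
    """Run both lookups against both payloads and a benign value; sorted for stable comparison."""
    conn = make_db()
    return {
        "unsafe_tautology": sorted(lookup_unsafe(conn, TAUTOLOGY)),
        "unsafe_union": sorted(lookup_unsafe(conn, UNION_DUMP)),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_union": lookup_safe(conn, UNION_DUMP),
        "safe_plain": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:18} {rows}")
```

In PHP the same fix is a PDO or mysqli prepared statement with bound parameters; escaping functions applied by hand are a weaker substitute because they are easy to miss on one of many arguments, which is exactly the failure mode three separate advisories for one 3.2 release suggest.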