5.9
CVE-2025-53097 - Roo Code extension vulnerable to Potential Information Leakage via JSON Schema
Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent couβ¦
4.8
CVE-2025-6778 - code-projects Food Distributor Site save_settings.php cross site scripting
A vulnerability, which was classified as problematic, was found in code-projects Food Distributor Site 1.0. Affected is an unknown function of the file /admin/save_settings.php. The manipulation of the argument site_phone/site_email/address leads to cross site scripting. It is possible to launch thβ¦
6.9
CVE-2025-6777 - code-projects Food Distributor Site process_login.php sql injection
A vulnerability, which was classified as critical, has been found in code-projects Food Distributor Site 1.0. This issue affects some unknown processing of the file /admin/process_login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotβ¦
6.9
CVE-2025-6776 - xiaoyunjie openvpn-cms-flask File Upload controller.py upload path traversal
A vulnerability classified as critical was found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This vulnerability affects the function Upload of the file app/plugins/oss/app/controller.py of the component File Upload. The manipulation of the argument image leads to path traversal. The attack can be β¦
5.3
CVE-2025-6775 - xiaoyunjie openvpn-cms-flask User Creation Endpoint openvpn.py create_user command injection
A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible tβ¦
8.7
CVE-2025-53094 - ESPAsyncWebServer Vulnerable to CRLF Injection in AsyncWebHeader.cpp
ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitiβ¦
5.3
CVE-2025-6774 - gooaclok819 sublinkX template.go AddTemp path traversal
A vulnerability was found in gooaclok819 sublinkX up to 1.8. It has been rated as critical. Affected by this issue is the function AddTemp of the file api/template.go. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been discloβ¦
4.8
CVE-2025-6773 - HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to patβ¦
6.9
CVE-2025-6772 - eosphoros-ai db-gpt import import_flow path traversal
A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the function import_flow of the file /api/v2/serve/awel/flow/import. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploitβ¦
8.6
CVE-2025-53093 - TabberNeue vulnerable to Stored XSS through wikitext
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug.