5.4
CVE-2025-53491 - XSS in FlaggedRevs
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - FlaggedRevs Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - FlaggedRevs Extension: from 1.43.X before 1.43.2.
8.2
CVE-2025-36014 - IBM Integration Bus for z/OS code injection
IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.
6.9
CVE-2025-7135 - Campcodes Online Recruitment Management System ajax.php sql injection
A vulnerability, which was classified as critical, has been found in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /admin/ajax.php?action=save_vacancy. The manipulation of the argument ID leads to SQL injection. The attack may be initiate…
4.9
CVE-2025-53375 - Dokploy allows attackers to read any file that the Traefik process user can access
Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access (e.g., /etc/passwd, application source, environment variable files containing cre…
6.5
CVE-2025-7259 - Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash
An authorized user can issue queries with duplicate _id fields, which leads to unexpected behavior in MongoDB Server and may result in a crash. This issue can only be triggered by authorized users and causes Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.
6.3
CVE-2025-53376 - Dokploy allows attackers to run arbitrary OS commands on the Dokploy host.
Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attack…
1.3
CVE-2025-53374 - Dokploy Improperly Discloses User Information via user.one Endpoint
Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about other users in the same organization by directly invoking user.one. The resp…
8.9
CVE-2025-53373 - Natours has a 1 Click Account take over on reset password via Host Header injection
Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b.
6.9
CVE-2025-7134 - Campcodes Online Recruitment Management System ajax.php sql injection
A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_application. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. Th…
7.5
CVE-2025-48367 - Redis DoS Vulnerability due to bad connection error handling
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.