5.3

CVSS4.0

CVE-2025-5611 - CodeAstro Real Estate Management System submitpropertyupdate.php sql injection

A vulnerability, which was classified as critical, was found in CodeAstro Real Estate Management System 1.0. This affects an unknown part of the file /submitpropertyupdate.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit ha…

📅 Published: June 4, 2025, 8:31 p.m. 🔄 Last Modified: June 10, 2025, 7:32 p.m.

5.3

CVSS4.0

CVE-2025-5610 - CodeAstro Real Estate Management System submitpropertydelete.php sql injection

A vulnerability, which was classified as critical, has been found in CodeAstro Real Estate Management System 1.0. Affected by this issue is some unknown functionality of the file /submitpropertydelete.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remote…

📅 Published: June 4, 2025, 8:31 p.m. 🔄 Last Modified: June 10, 2025, 7:32 p.m.

7.7

CVSS4.0

CVE-2025-48947 - NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for so…

📅 Published: June 4, 2025, 8:14 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

7.1

CVSS3.1

CVE-2025-46341 - Privilege escalation via SSRF when using HTTP auth

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests via the add feed functionality …

📅 Published: June 4, 2025, 8:09 p.m. 🔄 Last Modified: Aug. 12, 2025, 3:34 p.m.

4.3

CVSS3.1

CVE-2025-46339 - FreshRSS vulnerable to favicon cache poisoning via proxy

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not in…

📅 Published: June 4, 2025, 8:04 p.m. 🔄 Last Modified: Aug. 12, 2025, 3:33 p.m.

8.7

CVSS4.0

CVE-2025-5609 - Tenda AC18 AdvSetLanip fromadvsetlanip buffer overflow

A vulnerability classified as critical was found in Tenda AC18 15.03.05.05. Affected by this vulnerability is the function fromadvsetlanip of the file /goform/AdvSetLanip. The manipulation of the argument lanMask leads to buffer overflow. The attack can be launched remotely. The exploit has been di…

📅 Published: June 4, 2025, 8 p.m. 🔄 Last Modified: June 17, 2025, 8:41 p.m.

8.7

CVSS4.0

CVE-2025-5608 - Tenda AC18 SetSysAutoRebbotCfg formsetreboottimer buffer overflow

A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. Affected is the function formsetreboottimer of the file /goform/SetSysAutoRebbotCfg. The manipulation of the argument rebootTime leads to buffer overflow. It is possible to launch the attack remotely. The exploit has b…

📅 Published: June 4, 2025, 8 p.m. 🔄 Last Modified: June 17, 2025, 8:41 p.m.

6.7

CVSS3.1

CVE-2025-32015 - FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `<iframe srcdoc>` attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside `<script src>`. In order to execute the attack, the attacker needs to control…

📅 Published: June 4, 2025, 7:59 p.m. 🔄 Last Modified: Aug. 12, 2025, 3:31 p.m.

4.3

CVSS3.1

CVE-2025-31482 - FreshRSS vulnerable to DoS by malicious feed entry loading logout URL

FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue.

📅 Published: June 4, 2025, 7:50 p.m. 🔄 Last Modified: Aug. 12, 2025, 3:21 p.m.

6.7

CVSS3.1

CVE-2025-31136 - FreshRSS vulnerable to Cross-site Scripting by <iframe>'ing a vulnerable same-origin page in a feed…

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `<scri…

📅 Published: June 4, 2025, 7:42 p.m. 🔄 Last Modified: June 10, 2025, 3:08 p.m.