CVSS 4.0 score: 6.4

CVE-2025-68145 - mcp-server-git has missing path validation when using --repository flag

In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to…

📅 Published: Dec. 17, 2025, 10:12 p.m. 🔄 Last Modified: Dec. 17, 2025, 10:12 p.m.

CVSS 4.0 score: 6.3

CVE-2025-68144 - mcp-server-git argument injection in git_diff and git_checkout functions allows overwriting local f…

In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpreted as command-line options rather than git r…

📅 Published: Dec. 17, 2025, 10:10 p.m. 🔄 Last Modified: Dec. 17, 2025, 10:10 p.m.

CVSS 4.0 score: 6.5

CVE-2025-68143 - mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem loca…

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other to…

📅 Published: Dec. 17, 2025, 10:09 p.m. 🔄 Last Modified: Dec. 17, 2025, 10:09 p.m.

CVSS 3.1 score: 6.8

CVE-2025-68129 - Auth0-PHP SDK has Improper Audience Validation

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they …

📅 Published: Dec. 17, 2025, 10:07 p.m. 🔄 Last Modified: Dec. 17, 2025, 10:07 p.m.

CVSS 4.0 score: 6.9

CVE-2025-14832 - itsourcecode Online Cake Ordering System updateproduct.php sql injection

A vulnerability was identified in itsourcecode Online Cake Ordering System 1.0. The affected element is an unknown function of the file /updateproduct.php?action=edit. Such manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit is publicly …

📅 Published: Dec. 17, 2025, 10:02 p.m. 🔄 Last Modified: Dec. 17, 2025, 10:02 p.m.

CVSS 4.0 score: 6.6

CVE-2025-68118 - Potential Heap Out-of-Bounds Read in freerdp_certificate_data_hash_ via Unsafe _snprintf Usage

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP's certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_` uses the Microsoft-specific `_snprintf` function to format certificate cache fi…

📅 Published: Dec. 17, 2025, 10:01 p.m. 🔄 Last Modified: Dec. 17, 2025, 10:01 p.m.

CVSS 4.0 score: 9.2

CVE-2025-68275 - ChurchCRM vulnerable to Stored XSS - Group name > Person Listing

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.

📅 Published: Dec. 17, 2025, 9:53 p.m. 🔄 Last Modified: Dec. 17, 2025, 9:53 p.m.

CVSS 4.0 score: 6.2

CVE-2025-68401 - ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft and accou…

ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts …

📅 Published: Dec. 17, 2025, 9:48 p.m. 🔄 Last Modified: Dec. 17, 2025, 9:48 p.m.

CVSS 4.0 score: 9.3

CVE-2025-68400 - ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a …

📅 Published: Dec. 17, 2025, 9:42 p.m. 🔄 Last Modified: Dec. 17, 2025, 9:42 p.m.

CVSS 4.0 score: 2

CVE-2025-68399 - ChurchCRM has Stored Cross-Site Scripting (XSS) In GroupEditor.php

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to w…

📅 Published: Dec. 17, 2025, 9:40 p.m. 🔄 Last Modified: Dec. 17, 2025, 9:40 p.m.