4.8
CVE-2025-2590 - code-projects Human Resource Management System recruitment.go UpdateRecruitmentById cross site scri…
A vulnerability was found in code-projects Human Resource Management System 1.0.1. It has been classified as problematic. Affected is the function UpdateRecruitmentById of the file \handler\recruitment.go. The manipulation of the argument c leads to cross site scripting. It is possible to launch th…
5.1
CVE-2025-2589 - code-projects Human Resource Management System Account.go Index improper authorization
A vulnerability was found in code-projects Human Resource Management System 1.0.1 and classified as critical. This issue affects the function Index of the file \handler\Account.go. The manipulation of the argument user_cookie leads to improper authorization. The exploit has been disclosed to the pu…
4.8
CVE-2025-2588 - Hercules Augeas fa.c re_case_expand null pointer dereference
A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclo…
5.3
CVE-2025-2587 - Jinher OA C6 IncentivePlanFulfillAppprove.aspx sql injection
A vulnerability, which was classified as critical, was found in Jinher OA C6 1.0. This affects an unknown part of the file IncentivePlanFulfillAppprove.aspx. The manipulation of the argument httpOID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclos…
5.1
CVE-2025-2597 - Reflected Cross-Site Scripting (XSS) vulnerability in ITIUM 6050
Reflected Cross-Site Scripting (XSS) in ITIUM 6050 version 5.5.5.2-b3526 from Impact Technologies. This vulnerability could allow an attacker to execute malicious JavaScript code via GET and POST requests to the '/index.php' endpoint and injecting code into the 'id_session'.
7.5
CVE-2025-25068 - Bypassing MFA Enforcement on Plugin Endpoints
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
4.3
CVE-2025-24920 - Unauthorized Bookmark Creation and Modification in Archived Channels
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels.
4.3
CVE-2025-30179 - MFA Enforcement Bypass in Search APIs
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
4.3
CVE-2025-25274 - Unauthorized Command Execution in Archived Channels
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
5.4
CVE-2025-27933 - Unauthorized Private-to-Public Channel Conversion
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.