5.1
CVE-2025-41011 - HTML injection in PHP Point Of Sale
HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', using 'start_date_formatted' and 'end_date_formatted' …
8.9
CVE-2026-40498 - FreeScout has Authentication Bypass and Information Disclosure in SystemController via /system/cron
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in…
9.3
CVE-2025-41029 - SQL injection in Zeon Academy Pro by Zeon Global Tech
SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'.
8.8
CVE-2026-3298 - Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes
The method "sock_recvfrom_into()" of "asyncio.ProactorEventLoop" (Windows only) was missing a boundary check for the data buffer when using the nbytes parameter. This allowed an out-of-bounds buffer write if the received data was larger than the buffer size. Non-Windows platforms are not affected.
5.1
CVE-2025-10354 - Reflected Cross-Site Scripting (XSS) in Semantic MediaWiki
Reflected Cross-Site Scripting (XSS) vulnerability in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploit…
5.3
CVE-2025-31981 - HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption
HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data.
8.5
CVE-2026-5789 - Search path without quotes in CivetWeb
Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb…
6.5
CVE-2026-1089 - User-Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups
User-Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.
5.4
CVE-2026-0972 - HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT
HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing.
4.3
CVE-2026-0971 - GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML-configured Web Users being redirected to the regular login page instead of the SAML login page.