6.5
CVE-2025-68143 - mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locaβ¦
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other toβ¦
6.8
CVE-2025-68129 - Auth0-PHP SDK has Improper Audience Validation
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they β¦
6.9
CVE-2025-14832 - itsourcecode Online Cake Ordering System updateproduct.php sql injection
A vulnerability was identified in itsourcecode Online Cake Ordering System 1.0. The affected element is an unknown function of the file /updateproduct.php?action=edit. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly β¦
6.6
CVE-2025-68118 - Potential Heap Out-of-Bounds Read in freerdp_certificate_data_hash_ via Unsafe _snprintf Usage
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDPβs certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache fiβ¦
9.2
CVE-2025-68275 - ChurchCRM vulnerable to Stored XSS - Group name > Person Listing
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.
6.2
CVE-2025-68401 - ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft and accouβ¦
ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts β¦
9.3
CVE-2025-68400 - ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a β¦
2
CVE-2025-68399 - ChurchCRM has Stored Cross-Site Scripting (XSS) In GroupEditor.php
ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to wβ¦
9.6
CVE-2025-68112 - ChurchCRM has SQL injection in EditEventAttendees.php
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential β¦
7.2
CVE-2025-68111 - ChurchCRM has SQL Injection in eGive Import Feature
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the `MissingEgive_FamIDβ¦