9.8
CVE-2025-3361 - HGiga iSherlock - OS Command Injection
The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
6.5
CVE-2025-2519 - Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Download
The Sreamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_download_file' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to β¦
8.8
CVE-2025-2525 - Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above β¦
8.8
CVE-2025-2526 - Streamit <= 4.0.2 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account β¦
The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile'β¦
5.3
CVE-2025-3398 - lenve VBlog WebSecurityConfig.java configure access control
A vulnerability classified as critical was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function configure of the file blogserver/src/main/java/org/sang/config/WebSecurityConfig.java. The manipulation leads to improper access controls. The attack can be launched remotely.β¦
5.3
CVE-2025-3397 - YzmCMS message.tpl cross site scripting
A vulnerability classified as problematic has been found in YzmCMS 7.1. Affected is an unknown function of the file message.tpl. The manipulation of the argument gourl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may bβ¦
5.1
CVE-2025-3393 - mrcen springboot-ucan-admin Personal Settings Interface index cross site scripting
A vulnerability was found in mrcen springboot-ucan-admin up to 5f35162032cbe9288a04e429ef35301545143509. It has been classified as problematic. This affects an unknown part of the file /ucan-admin/index of the component Personal Settings Interface. The manipulation leads to cross site scripting. Itβ¦
5.1
CVE-2025-3392 - hailey888 oa_system Backend MailController.java save cross site scripting
A vulnerability was found in hailey888 oa_system up to 2025.01.01 and classified as problematic. Affected by this issue is the function Save of the file cn/gson/oasys/controller/mail/MailController.java of the component Backend. The manipulation of the argument MailNumberId leads to cross site scriβ¦
5.1
CVE-2025-3391 - hailey888 oa_system Backend AddrController. java outAddress cross site scripting
A vulnerability has been found in hailey888 oa_system up to 2025.01.01 and classified as problematic. Affected by this vulnerability is the function outAddress of the file cn/gson/oass/controller/address/AddrController. java of the component Backend. The manipulation of the argument outtype leads tβ¦
5.1
CVE-2025-3390 - hailey888 oa_system Backend DaymanageController.java addandchangeday cross site scripting
A vulnerability, which was classified as problematic, was found in hailey888 oa_system up to 2025.01.01. Affected is the function addandchangeday of the file cn/gson/oass/controller/daymanager/DaymanageController.java of the component Backend. The manipulation of the argument scheduleList leads to β¦