9

CVSS4.0

CVE-2025-31122 - scratch-coding-hut.github.io Login Links Generation vulnerability

scratch-coding-hut.github.io is the website for Coding Hut. In 1.0-beta3 and earlier, the login link can be used to log in to any account by changing the username in the username field.

📅 Published: March 31, 2025, 4:58 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.
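The flaw described for the Coding Hut entry is a login link whose only content is a client-editable username. The following Python example, added here and not taken from the scratch-coding-hut.github.io project, contrasts that pattern with a link that binds the username and an expiry to a server-side HMAC secret. The site URL, the secret, the 15-minute lifetime and the `tamper` helper are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values: the site, the secret and the lifetime are assumptions
# for this example, not details taken from the advisory.
BASE = "https://example.invalid/login?"
SECRET = secrets.token_bytes(32)      # server-side only; never placed in the link
TTL_SECONDS = 15 * 60


def make_login_link_vulnerable(username: str) -> str:
    """Weak pattern: the link is nothing but the username in a query string."""
    return BASE + urlencode({"user": username})


def login_vulnerable(link: str) -> Optional[str]:
    """Server side of the weak pattern: whoever edits ?user= becomes that user."""
    qs = parse_qs(urlsplit(link).query)
    return qs.get("user", [None])[0]


def _sign(username: str, expires: int, secret: bytes) -> str:
    # NUL separator so "ab" + "1" cannot collide with "a" + "b1".
    msg = f"{username}\x00{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_login_link(username: str, secret: bytes = SECRET,
                    now: Optional[int] = None) -> str:
    """Hardened: username and expiry are bound to the link by an HMAC."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    sig = _sign(username, expires, secret)
    return BASE + urlencode({"user": username, "exp": expires, "sig": sig})


def login(link: str, secret: bytes = SECRET,
          now: Optional[int] = None) -> Optional[str]:
    """Accept the link only if the signature covers exactly this user and expiry."""
    qs = parse_qs(urlsplit(link).query)
    try:
        username = qs["user"][0]
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    current = int(time.time() if now is None else now)
    if current >= expires:
        return None
    # Constant-time comparison: a plain == leaks timing on the first wrong byte.
    if not hmac.compare_digest(sig, _sign(username, expires, secret)):
        return None
    return username


def tamper(link: str, new_user: str) -> str:
    """What the attacker does: swap the username and leave everything else alone."""
    parts = urlsplit(link)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    qs["user"] = new_user
    return parts._replace(query=urlencode(qs)).geturl()
```

Signing closes the username-swap described in the advisory, but a signed link is still a bearer credential: keep the lifetime short, make each link single-use (store and consume a nonce server-side), and deliver it only over a channel that reaches the intended account holder.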

6.1

CVSS3.1

CVE-2025-30006 - Xorcom CompletePBX <= 5.2.35 Reflected Cross-Site Scripting

Xorcom CompletePBX is vulnerable to a reflected cross-site scripting (XSS) in the administrative control panel. This issue affects CompletePBX: all versions up to and prior to 5.2.35

📅 Published: March 31, 2025, 4:49 p.m. 🔄 Last Modified: Nov. 28, 2025, 3:39 p.m.

6.9

CVSS4.0

CVE-2025-31117 - OpenEMR Out-of-Band Server-Side Request Forgery (OOB SSRF) Vulnerability

OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal reso…

📅 Published: March 31, 2025, 4:49 p.m. 🔄 Last Modified: April 30, 2025, 4:08 p.m.

8.3

CVSS3.1

CVE-2025-30005 - Xorcom CompletePBX <= 5.2.35 Authenticated Path Traversal & File Deletion

Xorcom CompletePBX is vulnerable to a path traversal in the Diagnostics reporting module, which allows an authenticated attacker to read arbitrary files and additionally causes any retrieved file to be deleted in place of the expected report. This issue affects CompletePBX: all versions up to and prior to 5.2.35.

📅 Published: March 31, 2025, 4:45 p.m. 🔄 Last Modified: Dec. 27, 2025, 5:15 p.m.

4.4

CVSS3.1

CVE-2025-31116 - Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS …

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse via a DNS rebinding technique. T…

📅 Published: March 31, 2025, 4:42 p.m. 🔄 Last Modified: June 12, 2025, 7:43 p.m.
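The MobSF entry describes a check-then-use gap: the host is resolved once to validate it, then the hostname is handed to an HTTP client that resolves it a second time, and an attacker-controlled DNS zone with a short TTL answers differently each time. The Python example below is added here and is not MobSF's code; the `RebindingResolver` and `record_destination` are constructed stand-ins so the demonstration runs offline, and the public address used as the first DNS answer is an arbitrary sample value.

```python
import http.client
import ipaddress
from typing import Callable, List

Resolver = Callable[[str], str]
Connector = Callable[[str, str], str]


class RebindingResolver:
    """Constructed stand-in for an attacker-controlled DNS zone with a short TTL:
    the first answer is a harmless public address, every later answer is internal."""

    def __init__(self, answers: List[str]):
        self._answers = list(answers)

    def __call__(self, host: str) -> str:
        if len(self._answers) > 1:
            return self._answers.pop(0)
        return self._answers[0]


def is_public(ip: str) -> bool:
    """Reject anything that should never be a legitimate outbound target."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) must be judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def fetch_check_then_use(host: str, resolve: Resolver, connect: Connector) -> str:
    """Weak pattern: validate one lookup, then hand the *hostname* to the HTTP
    client, which performs its own second lookup. The gap between the two
    lookups is the rebinding window."""
    if not is_public(resolve(host)):
        raise ValueError(f"blocked host: {host}")
    # The client's own lookup, modelled explicitly as a second resolve().
    return connect(resolve(host), host)


def fetch_pinned(host: str, resolve: Resolver, connect: Connector) -> str:
    """Hardened: resolve once, validate that address, and connect to *it*,
    carrying the hostname only in the Host header. No second lookup exists."""
    ip = resolve(host)
    if not is_public(ip):
        raise ValueError(f"blocked host: {host}")
    return connect(ip, host)


def record_destination(ip: str, host: str) -> str:
    """Offline connector: report where a real client would have connected."""
    return ip


def http_get_pinned(ip: str, host: str, path: str = "/", timeout: float = 5.0) -> int:
    """Real connector for plain HTTP: TCP to the validated IP, Host header set by hand.
    For HTTPS, wrap the socket with server_hostname=host so SNI and the
    certificate check still use the name rather than the IP."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.putrequest("GET", path, skip_host=True)
    conn.putheader("Host", host)
    conn.endheaders()
    return conn.getresponse().status
```

Two caveats a real implementation has to cover beyond this sketch: `socket.getaddrinfo()` can return several addresses for one name, and every one of them has to pass `is_public`, not just the first; and an HTTP redirect to a new hostname restarts the whole problem, so redirects must either be disabled or re-validated with the same pinning.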

8.8

CVSS3.1

CVE-2025-30004 - Xorcom CompletePBX <= 5.2.35 Task Scheduler Authenticated Command Injection

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35.

📅 Published: March 31, 2025, 4:42 p.m. 🔄 Last Modified: Dec. 27, 2025, 5:15 p.m.

6.5

CVSS3.1

CVE-2025-2292 - Xorcom CompletePBX <= 5.2.35 Authenticated File Disclosure

Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35.

📅 Published: March 31, 2025, 4:38 p.m. 🔄 Last Modified: Dec. 27, 2025, 5:15 p.m.

2.7

CVSS3.1

CVE-2025-30369 - Zulip allows the deletion of Custom profile fields by administrators of a different organization

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any org…

📅 Published: March 31, 2025, 4:32 p.m. 🔄 Last Modified: Sept. 27, 2025, 12:15 a.m.

5.3

CVSS4.0

CVE-2025-3003 - ESAFENET CDG UserAjax SQL injection

A vulnerability, which was classified as critical, was found in ESAFENET CDG 3. Affected is an unknown function of the file /CDGServer3/UserAjax. Manipulation of the argument Username leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the pub…

📅 Published: March 31, 2025, 4:31 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

2.7

CVSS3.1

CVE-2025-30368 - Zulip allows the deletion of organization exports by administrators of a different organization

Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the export belongs to the same organization as the user. Therefore, an administrator of any organization was …

📅 Published: March 31, 2025, 4:26 p.m. 🔄 Last Modified: Aug. 27, 2025, 1:51 a.m.
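Both Zulip entries on this page (CVE-2025-30369, custom profile fields, and CVE-2025-30368, organization exports) are the same bug shape: the handler verifies the caller's role but never compares the target object's owning organization with the caller's. The Python example below is added here and is not Zulip's code; `User`, `OrgObject`, the fixture table and the status-code mapping are a simplified model built for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict


class NotFound(Exception):
    """Maps to HTTP 404."""


class Forbidden(Exception):
    """Maps to HTTP 403."""


@dataclass
class User:
    id: int
    org_id: int
    is_admin: bool


@dataclass
class OrgObject:
    """Any organization-owned row: a custom profile field, an export, and so on."""
    id: int
    org_id: int
    label: str


def sample_table() -> Dict[int, OrgObject]:
    """Constructed fixture: two organizations (100 and 200), one object each."""
    return {
        1: OrgObject(1, org_id=100, label="custom profile field 'Team' (org 100)"),
        2: OrgObject(2, org_id=200, label="export 2025-03 (org 200)"),
    }


def delete_vulnerable(user: User, obj_id: int, table: Dict[int, OrgObject]) -> None:
    """Role check only. An admin of org 100 can delete org 200's object because
    the object's owner is never compared with the caller's."""
    if not user.is_admin:
        raise Forbidden()
    if obj_id not in table:
        raise NotFound()
    del table[obj_id]


def delete_scoped(user: User, obj_id: int, table: Dict[int, OrgObject]) -> None:
    """Role check plus tenant check. Objects outside the caller's organization
    are treated as nonexistent (404 rather than 403) so the handler does not
    confirm that another organization's object id exists."""
    if not user.is_admin:
        raise Forbidden()
    obj = table.get(obj_id)
    if obj is None or obj.org_id != user.org_id:
        raise NotFound()
    del table[obj_id]


def attempt(handler: Callable[[User, int, Dict[int, OrgObject]], None],
            user: User, obj_id: int, table: Dict[int, OrgObject]) -> str:
    """Run a handler and report the HTTP status it would produce."""
    try:
        handler(user, obj_id, table)
    except Forbidden:
        return "403"
    except NotFound:
        return "404"
    return "204"
```

In an ORM-backed handler the same effect is usually obtained by putting the organization into the lookup itself (fetch the object by id *and* owning organization, raising not-found on a miss) rather than loading by id and comparing afterwards; that way a later refactor cannot drop the comparison and reopen the hole.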
Total results: 349182 (page 6119 of 34,919)