| cve | title | vendor | product | version | lessThanOrEqual | problem | description | published | lastModified | exploitabilityScore | impactScore | attackVector | attackComplexity | privilegesRequired | userInteraction | scope | confidentialityImpact | integrityImpact | availabilityImpact | baseScore | baseSeverity | criteria | references |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-54236 | Adobe Commerce \| Improper Input Validation (CWE-20) | Adobe | Adobe Commerce | 0 | 2.4.4-p15 | Improper Input Validation (CWE-20) | Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction. | 2025-09-09T14:15:46.563 | 2025-12-10T02:00:02.557 | 3.9 | 5.2 | NETWORK | LOW | NONE | NONE | UNCHANGED | HIGH | HIGH | NONE | 9.1 | CRITICAL | | https://helpx.adobe.com/security/products/magento/apsb25-88.html__https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397__https://nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento__https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236__ |
| CVE-2025-66581 | Frappe LMS is Missing Server-Side Authorization in Business Logic | frappe | lms | < 2.41.0 | | CWE-863: Incorrect Authorization | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by calling the APIs directly. This vulnerability is fixed in 2.41.0. | 2025-12-05T19:15:52.713 | 2025-12-11T00:08:39.787 | 2.8 | 3.6 | NETWORK | LOW | LOW | NONE | UNCHANGED | NONE | HIGH | NONE | 6.5 | MEDIUM | | https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m__ |
| CVE-2025-14225 | D-Link DCS-930L alphapd setSystemAdmin command injection | D-Link | DCS-930L | 1.15.04 | | Command Injection | A vulnerability was determined in D-Link DCS-930L 1.15.04. This affects an unknown part of the file /setSystemAdmin of the component alphapd. Executing manipulation of the argument AdminID can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-08T10:15:59.500 | 2025-12-11T00:07:47.713 | 2.8 | 3.4 | NETWORK | LOW | LOW | NONE | UNCHANGED | LOW | LOW | LOW | 6.3 | MEDIUM | | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-1/D-Link%20Vulnerability.md__https://vuldb.com/?ctiid.334667__https://vuldb.com/?id.334667__https://vuldb.com/?submit.701774__https://www.dlink.com/__ |
| CVE-2025-14245 | IdeaCMS Coupon.php whereRaw sql injection | n/a | IdeaCMS | 1.0 | | SQL Injection | A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-08T13:15:46.893 | 2025-12-11T00:07:10.557 | 3.9 | 3.4 | NETWORK | LOW | NONE | NONE | UNCHANGED | LOW | LOW | LOW | 7.3 | HIGH | | https://github.com/rassec2/dbcve/issues/17__https://vuldb.com/?ctiid.334755__https://vuldb.com/?id.334755__https://vuldb.com/?submit.702437__ |
| CVE-2025-63721 | | n/a | n/a | n/a | | n/a | HummerRisk through v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server. | 2025-12-08T17:16:20.230 | 2025-12-11T00:05:53.317 | 2.8 | 5.9 | NETWORK | LOW | LOW | NONE | UNCHANGED | HIGH | HIGH | HIGH | 8.8 | HIGH | | https://gist.github.com/k1ng0fic3/e8c8c9353fff8fa95e2c2952587e9266__https://github.com/k1ng0fic3/secrisk/blob/main/README.md__ |
| CVE-2025-65797 | | n/a | n/a | n/a | | n/a | Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS). | 2025-12-08T17:16:21.207 | 2025-12-11T00:04:16.973 | 2.8 | 3.6 | NETWORK | LOW | LOW | NONE | UNCHANGED | NONE | NONE | HIGH | 6.5 | MEDIUM | | http://memos.com__http://usememos.com__https://github.com/usememos/memos/pull/5217__https://herolab.usd.de/security-advisories/usd-2025-0057/__ |
| CVE-2025-65804 | | n/a | n/a | n/a | | n/a | Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE). | 2025-12-08T18:15:53.980 | 2025-12-11T00:03:09.970 | 2.8 | 3.6 | ADJACENT_NETWORK | LOW | NONE | NONE | UNCHANGED | NONE | NONE | HIGH | 6.5 | MEDIUM | | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2aaa595a7aef8072968edc528a2d95b1__ |
| CVE-2025-12635 | IBM WebSphere Application Server and WebSphere Application Server Liberty Cross-Site Scripting | IBM | WebSphere Application Server | 9.0 | 2.0.18 | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site. | 2025-12-08T22:15:49.390 | 2025-12-11T00:01:21.897 | 2.3 | 2.7 | NETWORK | LOW | LOW | REQUIRED | CHANGED | LOW | LOW | NONE | 5.4 | MEDIUM | | https://www.ibm.com/support/pages/node/7254078__ |
| CVE-2025-67511 | Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool | aliasrobotics | cai | <= 0.5.9 | | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') | Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection; while username, host and port values are injectable. This issue does not have a fix at the time of publication. | 2025-12-11T00:16:22.907 | 2025-12-11T00:16:22.907 | 2.8 | 6 | NETWORK | LOW | NONE | REQUIRED | CHANGED | HIGH | HIGH | HIGH | 9.6 | CRITICAL | | https://github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c__https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h__ |
| CVE-2025-67512 | | | | | | | | 2025-12-11T00:16:23.090 | 2025-12-11T00:16:23.090 | | | | | | | | | | | | | | |
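The exploitabilityScore, impactScore, baseScore and baseSeverity columns are derived from the eight metric columns to their left by the CVSS v3.1 base-score formulas, so every row can be checked for internal consistency before it is trusted or re-scored. The following is an added example, not part of this table or of any vendor advisory: it implements the v3.1 formulas (spec section 7 and the Roundup function of appendix A) against the NVD enum names used in the table's columns, and recomputes the scores for four rows whose CVSS columns are copied from the table. The `ROWS` structure and all function names are this example's own.

```python
"""CVSS v3.1 base-score consistency check for the metric columns of the table above.

Added example, not taken from the table's sources. Metric names are the NVD JSON
enums that appear in the table (NETWORK, LOW, NONE, CHANGED, ...). ROWS copies the
CVSS columns of four table rows; every other column is omitted.
"""
import math

AV = {"NETWORK": 0.85, "ADJACENT_NETWORK": 0.62, "LOCAL": 0.55, "PHYSICAL": 0.2}
AC = {"LOW": 0.77, "HIGH": 0.44}
# PrivilegesRequired weight depends on Scope: (scope unchanged, scope changed)
PR = {"NONE": (0.85, 0.85), "LOW": (0.62, 0.68), "HIGH": (0.27, 0.50)}
UI = {"NONE": 0.85, "REQUIRED": 0.62}
CIA = {"HIGH": 0.56, "LOW": 0.22, "NONE": 0.0}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers
    to avoid float artefacts (spec appendix A)."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31(av, ac, pr, ui, scope, c, i, a):
    """Return (baseScore, exploitabilityScore, impactScore) the way NVD publishes
    them: base score via Roundup, sub-scores rounded to one decimal."""
    changed = scope == "CHANGED"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * PR[pr][changed] * UI[ui]
    if impact <= 0:
        base = 0.0
    elif changed:
        base = roundup(min(1.08 * (impact + exploitability), 10))
    else:
        base = roundup(min(impact + exploitability, 10))
    return base, round(exploitability, 1), round(impact, 1)


def severity(base: float) -> str:
    """Qualitative rating from the v3.1 severity scale."""
    if base == 0:
        return "NONE"
    if base < 4.0:
        return "LOW"
    if base < 7.0:
        return "MEDIUM"
    if base < 9.0:
        return "HIGH"
    return "CRITICAL"


def vector(av, ac, pr, ui, scope, c, i, a) -> str:
    """Rebuild the CVSS:3.1 vector string from the table's long-form enums."""
    short = lambda v: "A" if v == "ADJACENT_NETWORK" else v[0]
    return "CVSS:3.1/AV:%s/AC:%s/PR:%s/UI:%s/S:%s/C:%s/I:%s/A:%s" % tuple(
        short(v) for v in (av, ac, pr, ui, scope, c, i, a))


# CVSS columns copied from four rows of the table (constructed subset; other
# columns such as description and references are omitted).
METRICS = ("attackVector", "attackComplexity", "privilegesRequired", "userInteraction",
           "scope", "confidentialityImpact", "integrityImpact", "availabilityImpact")
ROWS = [
    dict(zip(("cve",) + METRICS + ("exploitabilityScore", "impactScore", "baseScore", "baseSeverity"), r))
    for r in (
        ("CVE-2025-54236", "NETWORK", "LOW", "NONE", "NONE", "UNCHANGED", "HIGH", "HIGH", "NONE", 3.9, 5.2, 9.1, "CRITICAL"),
        ("CVE-2025-65804", "ADJACENT_NETWORK", "LOW", "NONE", "NONE", "UNCHANGED", "NONE", "NONE", "HIGH", 2.8, 3.6, 6.5, "MEDIUM"),
        ("CVE-2025-12635", "NETWORK", "LOW", "LOW", "REQUIRED", "CHANGED", "LOW", "LOW", "NONE", 2.3, 2.7, 5.4, "MEDIUM"),
        ("CVE-2025-67511", "NETWORK", "LOW", "NONE", "REQUIRED", "CHANGED", "HIGH", "HIGH", "HIGH", 2.8, 6.0, 9.6, "CRITICAL"),
    )
]


def check_rows(rows):
    """Recompute each row's scores from its metrics; return the CVE ids whose
    published score or severity columns disagree with the recomputation."""
    bad = []
    for r in rows:
        base, expl, imp = cvss31(*(r[m] for m in METRICS))
        published = (r["baseScore"], r["exploitabilityScore"], r["impactScore"], r["baseSeverity"])
        if (base, expl, imp, severity(base)) != published:
            bad.append(r["cve"])
    return bad


if __name__ == "__main__":
    for r in ROWS:
        print(r["cve"], vector(*(r[m] for m in METRICS)), cvss31(*(r[m] for m in METRICS)))
    print("inconsistent rows:", check_rows(ROWS))
```

For the four rows above the recomputed values match the published columns, including the two scope-changed rows, where the PR weight switches to 0.68 for LOW and the 1.08 multiplier applies. The check only proves that the score columns agree with the metric columns; it says nothing about whether the metrics agree with the description. CVE-2025-65804 is a case in point: its description claims remote code execution, but the row is scored AV:ADJACENT_NETWORK with an availability-only impact, and the 6.5 follows from that vector, so anyone prioritising from this table should read the vector, not the severity label.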