Common Vulnerabilities and Exposures (CVE)

CVE-2025-64063

Nov 26, 2025 16:50:38 UTC

Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the...

CVE-2025-65237

Nov 26, 2025 16:50:16 UTC

A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.

CVE-2025-63938

Nov 26, 2025 16:45:07 UTC

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

CVE-2025-64656

Nov 26, 2025 16:44:02 UTC

Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network.

CVE-2025-65235

Nov 26, 2025 16:42:55 UTC

OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.

CVE-2025-65239

Nov 26, 2025 16:40:51 UTC

Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.

CVE-2025-59820

Nov 26, 2025 16:35:11 UTC

In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.

CVE-2025-65238

Nov 26, 2025 16:24:42 UTC

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.

CVE-2025-55174

Nov 26, 2025 16:15:56 UTC

In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use of QIODevice::ReadWrite instead of QIODevice...

CVE-2025-65963

Nov 26, 2025 16:13:16 UTC

Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public sp...

CVE-2025-66019

Nov 26, 2025 16:12:49 UTC

pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a p...

CVE-2025-46175

Nov 26, 2025 16:12:19 UTC

Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.

CVE-2025-65957

Nov 26, 2025 16:11:42 UTC

Core Bot is an open-source Discord bot made for Maple Hospital servers. Prior to commit dffe050, the API keys (SUPABASE_API_KEY, TOKEN) are loaded using environment variables, but there are cases in code (error handling, summaries, webhooks...

CVE-2025-65956

Nov 26, 2025 16:11:03 UTC

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who access...

CVE-2025-66263

Nov 26, 2025 16:10:21 UTC

Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injectio...