Security Vulnerabilities - CVEs Published In April 2025
ManageWiki is a MediaWiki extension allowing users to manage wikis. Versions before commit f504ed8 are vulnerable to SQL injection when renaming a namespace in Special:ManageWiki/namespaces: the page prefix (the namespace name, i.e. the current name of the namespace being renamed) is not properly escaped before it reaches the database query. This issue has been patched in commit f504ed8. A workaround for this vulnerability is to set `$wgManageWiki['namespaces'] = false;`.
CVSS Score
8.0
EPSS Score
0.001
Published
2025-04-21
A vulnerability was found in panhainan DS-Java 1.0 and classified as critical. This issue affects the function uploadUserPic.action of the file src/com/phn/action/FileUpload.java. The manipulation of the argument fileUpload leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-04-21
A vulnerability, which was classified as problematic, was found in wix-incubator jam up to e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9. This affects an unknown part of the file jam.py of the component Jinja2 Template Handler. The manipulation of the argument config['template'] leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.
CVSS Score
3.3
EPSS Score
0.0
Published
2025-04-21
Incorrect access control in flaskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.
CVSS Score
6.4
EPSS Score
0.001
Published
2025-04-21
Incorrect access control in flaskBlog v2.6.1 allows attackers to access all usernames via a crafted input.
CVSS Score
9.1
EPSS Score
0.001
Published
2025-04-21
A vulnerability in the HPE Performance Cluster Manager (HPCM) GUI could allow an attacker to bypass authentication.
CVSS Score
8.1
EPSS Score
0.001
Published
2025-04-21
The quarantine restore function in Qi-ANXIN Tianqing Endpoint Security Management System v10.0 allows a user to restore a malicious file to an arbitrary file path. Attackers can write a malicious DLL to a system path and perform privilege escalation by leveraging Windows DLL hijacking vulnerabilities.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-04-21
opencms V2.3 is vulnerable to arbitrary file read in src/main/webapp/view/admin/document/dataPage.jsp.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-04-21
A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-04-21
open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in the function verify_connection.
CVSS Score
3.3
EPSS Score
0.0
Published
2025-04-21
Shodan ® - All rights reserved