Security Vulnerabilities - CVEs Published In May 2025
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function.
CVSS Score
9.8
EPSS Score
0.014
Published
2025-05-05
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function.
CVSS Score
9.8
EPSS Score
0.014
Published
2025-05-05
October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user. This issue has been patched in v3.7.5.
CVSS Score
4.9
EPSS Score
0.001
Published
2025-05-05
A reflected cross-site scripting (XSS) vulnerability was discovered in Output Messenger before 2.0.63, where unsanitized input could be injected into the web application’s response. This vulnerability occurs when user-controlled input is reflected back into the browser without proper sanitization or encoding.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-05-05
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.
CVSS Score
8.1
EPSS Score
0.002
Published
2025-05-05
Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function.
CVSS Score
9.8
EPSS Score
0.015
Published
2025-05-05
A Directory Listing Vulnerability was found in the /osms/Requester/ directory of the Kashipara Online Service Management Portal V1.0.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-05-05
kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in /osms/Requester/Requesterchangepass.php via the parameter: rPassword.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-05-05
kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in osms/Requester/CheckStatus.php via the checkid parameter.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-05-05
An issue in the /usr/local/bin/jncs.sh script of Gefen WebFWC (In AV over IP products) v1.85h, v1.86v, and v1.70 allows attackers with network access to connect to the device over TCP port 4444 without authentication and execute arbitrary commands with root privileges.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-05-05