Security Vulnerabilities - CVEs Published In November 2025
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-11-26
Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-11-26
Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-11-26
Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements.
This issue affects Frappe CRM: 1.53.1.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-11-26
OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-26
A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-11-26
Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-26
Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-11-26
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-26
OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-26