Security Vulnerabilities - CVEs Published In December 2025
Miniconda3 macOS installers before 23.11.0-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and executed with root privileges. This flaw allows a local low-privileged user to inject arbitrary commands, leading to code execution as the root user.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-12-17
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-12-17
Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading the application logs.
CVSS Score
3.3
EPSS Score
0.0
Published
2025-12-17
A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-12-17
RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.
CVSS Score
7.2
EPSS Score
0.004
Published
2025-12-17
KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.
CVSS Score
7.1
EPSS Score
0.0
Published
2025-12-17
A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter.
CVSS Score
7.2
EPSS Score
0.002
Published
2025-12-17
An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-12-17
A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that attackers inject malicious code from the parameter 'id' and use it directly in SQL queries without the need for appropriate cleaning or validation.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-12-17
The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions,
CVSS Score
7.8
EPSS Score
0.0
Published
2025-12-17