Security Vulnerabilities
A command injection vulnerability may be exploited after the admin's authentication on the web portal on Omada gateways.
CVSS Score
7.2
EPSS Score
0.011
Published
2025-10-21
An attacker may obtain the root shell on the underlying OS system with the restricted conditions on Omada gateways.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-10-21
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-10-21
PHP Education Manager v1.0 is vulnerable to Cross Site Scripting (XSS) in the worksheet.php file via the participant_name parameter.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-10-20
In NetXDuo version before 6.4.4, a networking support module for Eclipse Foundation ThreadX, in the DHCPV6 client there was an unchecked index extracting the server DUID from the server reply. With a crafted packet, an attacker could cause an out of memory read.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-10-20
CVE-2025-61932
Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets.
Known exploited
CVSS Score
9.8
EPSS Score
0.103
Published
2025-10-20
A vulnerability was determined in givanz Vvveb up to 1.0.7.3. This affects the function Import of the file admin/controller/tools/import.php of the component Raw SQL Handler. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 52204b4a106b2fb02d16eee06a88a1f2697f9b35. It is recommended to apply a patch to fix this issue.
CVSS Score
4.7
EPSS Score
0.0
Published
2025-10-19
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-10-17
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.
CVSS Score
9.1
EPSS Score
0.001
Published
2025-10-17
Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supabase RPC Filter" field.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-10-17