Security Vulnerabilities
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-12-16
Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM Boot Error Record Table driver that could result in (1) an out-of-bounds read which leaks Secure-EL0 information to a process running in Non-Secure state or (2) an out-of-bounds write which corrupts Secure or Non-Secure memory, limited to memory mapped to UEFI-MM Secure Partition by the Secure Partition Manager.
CVSS Score
4.6
EPSS Score
0.0
Published
2025-12-16
A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).
CVSS Score
10.0
EPSS Score
0.022
Published
2025-12-16
Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter password.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-12-16
Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter fac_password.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-12-16
A stored cross-site scripting (XSS) vulnerability in the page_save component of Linksys E5600 V1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hostname and domainName parameters.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-12-16
CVE-2025-37164
A remote code execution issue exists in HPE OneView.
Known exploited
CVSS Score
10.0
EPSS Score
0.873
Published
2025-12-16
Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-16
PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
CVSS Score
9.8
EPSS Score
0.002
Published
2025-12-16
WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-16