Security Vulnerabilities
CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-12-23
CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-12-23
Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victim's browsers by submitting crafted payloads through application endpoints.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-23
A command injection vulnerability in the me.connectify.SMJobBlessHelper XPC service of Speedify VPN up to v15.0.0 allows attackers to execute arbitrary commands with root-level privileges.
CVSS Score
8.4
EPSS Score
0.0
Published
2025-12-23
Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-12-23
A stack overflow in the src/main.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted input into the filename parameter.
CVSS Score
6.2
EPSS Score
0.0
Published
2025-12-23
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability.
CVSS Score
4.0
EPSS Score
0.0
Published
2025-12-23
SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java.
CVSS Score
10.0
EPSS Score
0.003
Published
2025-12-23
Linksys E5600 V1.1.0.26 is vulnerable to command injection in the runtime.macClone function via the mc.ip parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2025-12-23
linksys E5600 V1.1.0.26 is vulnerable to command injection in the function ddnsStatus.
CVSS Score
9.8
EPSS Score
0.003
Published
2025-12-23