Security Vulnerabilities
Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a name that already exists. This issue stems from a lack of effective verification of the uniqueness of project names when editing them outside the application in affected versions. This vulnerability was remediated in version 7.5.021 of the product.
CVSS Score
3.3
EPSS Score
0.0
Published
2025-09-30
Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-09-30
There is a memory corruption vulnerability due to an out of bounds write in XML_Serialize() when using SymbolEditor in NI Circuit Design Suite. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .sym file. This vulnerability affects NI Circuit Design Suite 14.3.1 and prior versions.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-09-30
There is a memory corruption vulnerability due to an out of bounds read in DefaultFontOptions() when using SymbolEditor in NI Circuit Design Suite. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .sym file. This vulnerability affects NI Circuit Design Suite 14.3.1 and prior versions.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-09-30
An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-09-30
SourceCodester Web-based Pharmacy Product Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in Category Management via the category name field.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-30
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-09-30
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
CVSS Score
7.5
EPSS Score
0.002
Published
2025-09-30
A Reflected Cross-Site Scripting (XSS) vulnerability was found in loginsystem/edit-profile.php of the PHPGurukul User Registration & Login and User Management System V3.3. This vulnerability allows remote attackers to execute arbitrary JavaScript code via the fname, lname, and contact parameters.
CVSS Score
4.8
EPSS Score
0.0
Published
2025-09-30
In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-09-30