Security Vulnerabilities
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Plan My Day planmyday allows PHP Local File Inclusion.This issue affects Plan My Day: from n/a through <= 1.1.13.
CVSS Score
8.1
EPSS Score
0.002
Published
2025-12-18
Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-12-18
Memory corruption while handling concurrent memory mapping and unmapping requests from a user-space application.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-12-18
Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication.
CVSS Score
9.0
EPSS Score
0.0
Published
2025-12-18
Information disclosure while processing system calls with invalid parameters.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-12-18
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-12-18
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-12-18
A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-12-18
A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
4.7
EPSS Score
0.001
Published
2025-12-18
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter configuration. The CSRF protection mechanism was **explicitly disabled**, allowing the application to process state-changing requests (POST) without verifying a valid CSRF token. An unauthenticated remote attacker can exploit this by hosting a malicious web page. If a logged-in administrator visits this page, their browser is forced to send unauthorized requests to the application. A successful exploit allows the attacker to silently create a new Administrator account with full privileges, leading to a complete takeover of the system and loss of confidentiality, integrity, and availability. The vulnerability has been patched in version 3.4.2. The fix re-enables the CSRF filter in `app/Config/Filters.php` and resolves associated AJAX race conditions by adjusting token regeneration settings. As a workaround, administrators can manually re-enable the CSRF filter in `app/Config/Filters.php` by uncommenting the protection line. However, this is not recommended without applying the full patch, as it may cause functionality breakage in the Sales module due to token synchronization issues.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-12-17