Security Vulnerabilities
grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-15
In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered
CVSS Score
9.1
EPSS Score
0.0
Published
2025-12-15
An issue in Hitron HI3120 v.7.2.4.5.2b1 allows a local attacker to obtain sensitive information via the Logout option in the index.html
CVSS Score
5.5
EPSS Score
0.0
Published
2025-12-15
A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-12-15
FNT Command 13.4.0 is vulnerable to Directory Traversal.
CVSS Score
8.3
EPSS Score
0.0
Published
2025-12-15
FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-12-15
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-15
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions.
CVSS Score
8.1
EPSS Score
0.0
Published
2025-12-15
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-12-15
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-12-15