Security Vulnerabilities
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-01
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.
CVSS Score
8.8
EPSS Score
0.003
Published
2025-12-01
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the login.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg and error parameters, which are then executed in the victim's browser when the page is viewed.
CVSS Score
8.5
EPSS Score
0.0
Published
2025-12-01
A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize usersupplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system.
CVSS Score
9.6
EPSS Score
0.001
Published
2025-12-01
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.
This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3.
Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-12-01
An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php.
CVSS Score
9.6
EPSS Score
0.0
Published
2025-12-01
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim's browser when the page is viewed.
CVSS Score
8.5
EPSS Score
0.0
Published
2025-12-01
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the hname, hemail, hpassword, hphone, hcity parameters, which are then executed in the victim's browser when the page is viewed.
CVSS Score
8.5
EPSS Score
0.0
Published
2025-12-01
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed.
CVSS Score
8.5
EPSS Score
0.0
Published
2025-12-01
A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim's account.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-12-01