CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.15)

CVE-2025-0421
Medium

Podatność CVE-2025-0421 dotyczy niewłaściwego ograniczenia renderowanych warstw interfejsu użytkownika lub ramek w oprogramowaniu Shopside firmy Shopside Software Technologies Inc. Problem ten występuje w wersji Shopside do 05022025, umożliwiając wykorzystanie nakładek iFrame.

CVE-2025-61664
Medium

A Use After Free vulnerability has been identified in the GRUB2 bootloader's normal module. The flaw occurs because the normal_exit command is not properly unregistered when its module is unloaded. An attacker can invoke the command after module removal, causing access to freed memory.

CVE-2025-61663
Medium

A Use-after-Free vulnerability has been found in the GRUB2 bootloader's 'normal' command. The flaw occurs because the command is not properly unregistered when the module is unloaded, allowing an attacker to access invalid memory locations. Successful exploitation leads to system instability and a complete crash.

CVE-2025-61661
Medium

A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component due to improper string conversion when reading data from a USB device. A local attacker can connect a maliciously configured USB device during boot sequence, causing GRUB to crash and leading to a Denial of Service (DoS). Data corruption may also be possible, but due to exploit complexity the impact is likely limited.

CVE-2025-54771
Medium

A use-after-free vulnerability has been identified in GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service.

CVE-2025-54770
Medium

A Use-after-Free vulnerability has been found in the GRUB2 bootloader's network module. The flaw is caused by improper unregistration of the net_set_vlan command when the module is unloaded from memory. An attacker can exploit this to cause system instability and a complete crash.

CVE-2025-63258
Medium

A remote command execution (RCE) vulnerability was found in H3C ERG3/ERG5, XiaoBei routers, cloud gateways, and wireless access points. Attackers can inject crafted commands via the sessionid parameter.

CVE-2025-63892
Medium

A stored cross-site scripting vulnerability was found in SourceCodester Student Grades Management System 1.0. The create_classroom function in /classroom.php fails to sanitize the name/description arguments, allowing script injection.

CVE-2025-13193
Medium

A flaw was found in libvirt where external inactive snapshots for shut-down VMs are incorrectly created as world-readable, allowing unprivileged users to inspect guest OS contents. This results in an information disclosure vulnerability.

CVE-2025-64046
Medium

OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in the /system/update-run.php file. This allows an attacker to inject malicious JavaScript code that can be executed in the victim's browser.

CVE-2025-64308
Medium

The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle to Brightpick AI's documentation portal.

CVE-2025-64307
Medium

The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes.

CVE-2025-63291
Medium

Serwer Alteryx w wersjach 2022.1.1.42654 i 2024.1 nie weryfikował uprawnień użytkowników do dostępu do określonych identyfikatorów obiektów MongoDB podczas przetwarzania żądań API. Umożliwia to atakującym uzyskanie dostępu do rekordów innych użytkowników, w tym kluczy API administracyjnych i prywatnych kluczy API studia.

CVE-2025-60676
MediumEPSS 87%

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetNetworkSettings' functionality of prog.cgi, where the 'IPAddress' and 'SubnetMask' parameters are directly concatenated into shell commands executed via system().

CVE-2025-60675
MediumEPSS 67%

A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries. The vulnerability occurs because parsed fields from the /tmp/new_qos.rule configuration file are concatenated into command strings and executed via system() without any sanitization.

CVE-2025-60674
Medium

A stack buffer overflow vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin in the USB storage handling module. The issue occurs when the "Serial Number" field from a USB device is read via sscanf into a 64-byte stack buffer, while fgets reads up to 127 bytes, causing a stack overflow.

CVE-2025-60673
MediumEPSS 88%

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.

CVE-2025-60672
MediumEPSS 88%

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The issue is in the 'SetDynamicDNSSettings' functionality, where 'ServerAddress' and 'Hostname' parameters are stored in NVRAM and later used to construct system commands executed via twsystem(). An attacker can exploit this remotely without authentication by sending a crafted HTTP request, leading to arbitrary command execution on the device.

CVE-2025-60693
Medium

A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to six user-supplied CGI parameters matching <parameter>_0~5 into a fixed-size buffer (a2) without proper bounds checking, appending colon delimiters during concatenation. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.

CVE-2025-60671
MediumEPSS 67%

A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /var/system/linux_vlan_reinit file. The vulnerability occurs because content read from this file is only partially validated for a prefix and then formatted using vsnprintf() before being executed with system(), allowing an attacker with write access to /var/system/linux_vlan_reinit to execute arbitrary commands on the device.

PreviousPage 257 of 550Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS