The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
CVE-2025-60753 - An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Me...
Published: November 05, 2025; 11:15:40 AM -0500
CVE-2025-59392 - On Elspec G5 devices through 1.2.2.19, a person with physical access to the device can reset the Admin password by inserting a USB drive (containing a publicly documented reset string) into a USB port.
Published: November 06, 2025; 11:16:01 AM -0500
CVE-2025-63560 - An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component.
Published: November 06, 2025; 12:15:46 PM -0500
CVE-2025-63551 - A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an atta...
Published: November 06, 2025; 2:15:43 PM -0500
CVE-2025-64174 - Magento-lts is a long-term support alternative to Magento Community Edition (CE). Versions 20.15.0 and below are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin with direct database access or the admi...
Published: November 06, 2025; 4:15:43 PM -0500
V3.1: 4.8 MEDIUM
CVE-2025-48985 - A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https:/...
Published: November 06, 2025; 8:15:36 PM -0500
V3.1: 5.3 MEDIUM
CVE-2025-52662 - A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade. More details: https://vercel.com/changelog/...
Published: November 06, 2025; 8:15:36 PM -0500
V3.1: 6.1 MEDIUM
CVE-2025-63686 - There is an arbitrary file download vulnerability in GuoMinJim PersonManage thru commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 (2020-11-23) in the document query function under the Download Center menu in the PersonManage system.
Published: November 07, 2025; 11:15:42 AM -0500
CVE-2025-63225 - The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network config...
Published: November 18, 2025; 2:15:50 PM -0500
CVE-2025-63292 - Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifie...
Published: November 17, 2025; 2:16:20 PM -0500
CVE-2025-13187 - A security vulnerability has been detected in Intelbras ICIP 2.0.20. Affected is an unknown function of the file /xml/sistema/acessodeusuario.xml. Such manipulation of the argument NomeUsuario/SenhaAcess leads to unprotected storage of credentials...
Published: November 14, 2025; 5:15:45 PM -0500
V3.1: 7.5 HIGH
CVE-2025-63883 - A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). The site's client-side JavaScript reads attacker-controlled input (for example, values derived from the URL or page fragment) and inserts it int...
Published: November 18, 2025; 10:16:36 AM -0500
CVE-2026-1140 - A vulnerability was found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigExceptAli. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The exploit has been made...
Published: January 19, 2026; 1:16:01 AM -0500
V3.1: 8.8 HIGH
CVE-2026-1139 - A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit ...
Published: January 19, 2026; 12:16:09 AM -0500
V3.1: 8.8 HIGH
CVE-2026-1138 - A flaw has been found in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been published a...
Published: January 19, 2026; 12:16:09 AM -0500
V3.1: 8.8 HIGH
CVE-2026-1137 - A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out rem...
Published: January 19, 2026; 12:16:05 AM -0500
V3.1: 8.8 HIGH
CVE-2026-1118 - A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate t...
Published: January 18, 2026; 6:15:48 AM -0500
V3.1: 9.8 CRITICAL
CVE-2026-1119 - A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. It is possible...
Published: January 18, 2026; 7:15:48 AM -0500
V3.1: 9.8 CRITICAL
CVE-2026-1135 - A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. The manipulation of the argument Title results in cross site scripting. The attack may be launched...
Published: January 18, 2026; 11:15:59 PM -0500
V3.1: 6.1 MEDIUM
CVE-2025-22890 - Execution with unnecessary privileges issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. If an attacker performs a specific operation, SYSTEM privilege of the Windows system where the product is running may be obtained.
Published: February 06, 2025; 2:15:17 AM -0500
V3.1: 8.8 HIGH