The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2025-48371 - OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ...
  Published: May 22, 2025; 7:15:19 PM -0400
  V3.1: 8.8 HIGH
- CVE-2025-66877 - Buffer overflow vulnerability in function dcputchar in decompile.c in libming 0.4.8.
  Published: December 29, 2025; 1:15:43 PM -0500
- CVE-2025-66869 - Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8.
  Published: December 29, 2025; 12:15:46 PM -0500
- CVE-2025-60935 - An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or to...
  Published: December 24, 2025; 10:16:01 AM -0500
  V3.1: 6.1 MEDIUM
- CVE-2025-68706 - A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack...
  Published: December 29, 2025; 2:15:57 PM -0500
- CVE-2025-8679 - In ExtremeGuest Essentials before 25.5.0, captive-portal may permit unauthorized access via manual brute-force procedure. Under certain ExtremeGuest Essentials captive-portal SSID configurations, repeated manual login attempts may allow an unauthe...
  Published: October 01, 2025; 2:15:46 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2025-67255 - In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability.
  Published: December 29, 2025; 2:15:56 PM -0500
- CVE-2025-67254 - NagiosXI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php.
  Published: December 29, 2025; 2:15:56 PM -0500
- CVE-2025-11192 - A vulnerability in Extreme Networks’ Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSen...
  Published: October 07, 2025; 3:15:33 PM -0400
  V3.1: 8.6 HIGH
- CVE-2026-0547 - A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo...
  Published: January 02, 2026; 5:15:41 AM -0500
  V3.1: 8.8 HIGH
- CVE-2025-68617 - FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pendin...
  Published: December 23, 2025; 6:15:44 PM -0500
  V3.1: 7.0 HIGH
- CVE-2025-14253 - Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files.
  Published: December 08, 2025; 3:15:51 AM -0500
- CVE-2025-14254 - Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
  Published: December 08, 2025; 3:15:52 AM -0500
- CVE-2025-14255 - Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
  Published: December 08, 2025; 3:15:52 AM -0500
- CVE-2025-15372 - A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. I...
  Published: December 30, 2025; 10:15:53 PM -0500
  V3.1: 4.8 MEDIUM
- CVE-2026-22605 - OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, th...
  Published: January 09, 2026; 9:15:49 PM -0500
- CVE-2026-22604 - OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user...
  Published: January 09, 2026; 9:15:49 PM -0500
  V3.1: 5.3 MEDIUM
- CVE-2026-22603 - OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the...
  Published: January 09, 2026; 9:15:49 PM -0500
  V3.1: 6.5 MEDIUM
- CVE-2026-22602 - OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an a...
  Published: January 09, 2026; 9:15:49 PM -0500
- CVE-2026-22601 - OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has b...
  Published: January 09, 2026; 9:15:48 PM -0500
  V3.1: 7.2 HIGH