CVE-2025-53372 | node-code-sandbox-mcp is a Node.js–based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside docker. This vulnerability is fixed in 1.3.0. | high |
CVE-2025-36600 | Dell Client Platform BIOS contains an Improper Access Control Applied to Mirrored or Aliased Memory Regions vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | high |
CVE-2025-3630 | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 are vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | medium |
CVE-2025-2827 | IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system. | medium |
CVE-2025-2793 | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | medium |
CVE-2025-29267 | SQL Injection vulnerability in Abis, Inc Adjutant Core Accounting ERP build v.PreBeta250F allows a remote attacker to obtain sensitive information via the cid parameter in the GET request. | medium |
CVE-2025-24474 | An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiAnalyzer 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; and FortiAnalyzer Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker with high privilege to extract database information via crafted requests. | low |
CVE-2024-55599 | An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS version 7.6.0, version 7.4.7 and below, 7.0 all versions, 6.4 all versions and FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions may allow a remote unauthenticated user to bypass the DNS filter via Apple devices. | medium |
CVE-2024-52965 | A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid. | high |
CVE-2025-7345 | A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib's g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. | high |
CVE-2025-7181 | A vulnerability, which was classified as critical, was found in code-projects Staff Audit System 1.0. Affected is an unknown function of the file /test.php. The manipulation of the argument uploadedfile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | low |
CVE-2025-7180 | A vulnerability, which was classified as critical, has been found in code-projects Staff Audit System 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument User leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | medium |
CVE-2025-47422 | Advanced Installer before 22.6 has an uncontrolled search path element local privilege escalation vulnerability. When running as SYSTEM in certain configurations, Advanced Installer looks in standard-user writable locations for non-existent binaries and executes them as SYSTEM. A low-privileged attacker can place a malicious binary in a targeted folder; when the installer is executed, the attacker achieves arbitrary SYSTEM code execution. | high |
CVE-2025-7179 | A vulnerability classified as critical was found in code-projects Library System 1.0. This vulnerability affects unknown code of the file /add-teacher.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | medium |
CVE-2025-7178 | A vulnerability classified as critical has been found in code-projects Food Distributor Site 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | medium |
CVE-2025-50130 | A heap-based buffer overflow vulnerability exists in VS6Sim.exe contained in V-SFT and TELLUS provided by FUJI ELECTRIC CO., LTD. Opening V9 files or X1 files specially crafted by an attacker on the affected product may lead to arbitrary code execution. | high |
CVE-2025-27061 | Memory corruption while handling the subsystem failure memory during the parsing of video packets received from the video firmware. | high |
CVE-2025-27058 | Memory corruption while processing packet data with exceedingly large packet. | high |
CVE-2025-27057 | Transient DOS while handling beacon frames with invalid IE header length. | high |
CVE-2025-27056 | Memory corruption during sub-system restart while processing clean-up to free up resources. | high |
CVE-2025-27055 | Memory corruption during the image encoding process. | high |
CVE-2025-27052 | Memory corruption while processing data packets in diag received from Unix clients. | high |
CVE-2025-27051 | Memory corruption while processing command message in WLAN Host. | high |
CVE-2025-27050 | Memory corruption while processing event close when client process terminates abruptly. | high |
CVE-2025-27047 | Memory corruption while processing the TESTPATTERNCONFIG escape path. | high |
CVE-2025-27046 | Memory corruption while processing multiple simultaneous escape calls. | high |
CVE-2025-27044 | Memory corruption while executing timestamp video decode command with large input values. | high |
CVE-2025-27043 | Memory corruption while processing manipulated payload in video firmware. | high |
CVE-2025-27042 | Memory corruption while processing video packets received from video firmware. | high |
CVE-2025-21466 | Memory corruption while processing a private escape command in an event trigger. | high |
CVE-2025-21454 | Transient DOS while processing received beacon frame. | high |
CVE-2025-21450 | Cryptographic issue occurs due to use of insecure connection method while downloading. | critical |
CVE-2025-21449 | Transient DOS may occur while processing malformed length field in SSID IEs. | high |
CVE-2025-21446 | Transient DOS may occur when processing vendor-specific information elements while parsing a WLAN frame for BTM requests. | high |
CVE-2025-21445 | Memory corruption while copying the result to the transmission queue which is shared between the virtual machine and the host. | high |
CVE-2025-21444 | Memory corruption while copying the result to the transmission queue in EMAC. | high |
CVE-2025-21433 | Transient DOS when importing a PKCS#8-encoded RSA private key with a zero-sized modulus. | medium |
CVE-2025-21432 | Memory corruption while retrieving the CBOR data from TA. | high |
CVE-2025-21427 | Information disclosure while decoding the RTP packet payload when the UE receives the RTP packet from the network. | high |
CVE-2025-21426 | Memory corruption while processing camera TPG write request. | high |
CVE-2025-21422 | Cryptographic issue while processing crypto API calls; missing checks may lead to corrupted key usage or IV reuse. | high |
CVE-2024-53009 | Memory corruption while operating the mailbox in Automotive. | high |
CVE-2025-7177 | A vulnerability was found in PHPGurukul Car Washing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/editcar-washpoint.php. The manipulation of the argument wpid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | low |
CVE-2025-7176 | A vulnerability was found in PHPGurukul Hospital Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file view-medhistory.php. The manipulation of the argument viewid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | medium |
CVE-2025-40721 | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp. | medium |
CVE-2025-40720 | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the campo parameter in /<Client>FacturaE/VerFacturaPDF. | medium |
CVE-2025-40719 | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the id_concesion parameter in /<Client>FacturaE/VerFacturaPDF. | medium |
CVE-2025-40718 | Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information. | medium |
CVE-2025-40717 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the pagina.filter.categoria mensaje in /QuiterGatewayWeb/api/v1/sucesospagina. | critical |
CVE-2025-40716 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the suceso.contenido mensaje in /QMSCliente/Sucesos.action. | critical |