| CVE-2025-2493 | Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the ‘id’ parameter of the ‘/softdial/scheduler/load.php’ endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the expected scope, posing a security risk. | high |
| CVE-2025-2489 | Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json. | medium |
| CVE-2025-1468 | An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy. | high |
| CVE-2025-0694 | Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access. | medium |
| CVE-2024-41975 | An unauthenticated remote attacker can gain limited information of the PLC network but the user management of the PLCs prevents the actual access to the PLCs. | medium |
| CVE-2024-23943 | An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected. | critical |
| CVE-2024-23942 | A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS. | high |
| CVE-2025-25220 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in +F FS010M versions prior to V2.0.1_1101. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker. | high |
| CVE-2025-24306 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in +F FS010M versions prior to V2.0.0_1101. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker with an administrative privilege. | high |
| CVE-2025-0755 | The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16 | high |
| CVE-2025-2262 | The The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | high |
| CVE-2025-2473 | A vulnerability was found in PHPGurukul Company Visitor Management System 2.0 and classified as critical. Affected by this issue is some unknown functionality of the file /index.php of the component Sign In. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-2472 | A vulnerability has been found in PHPGurukul Apartment Visitors Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Sign In. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-2471 | A vulnerability, which was classified as critical, was found in PHPGurukul Boat Booking System 1.0. Affected is an unknown function of the file /boat-details.php. The manipulation of the argument bid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-29913 | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. A critical heap buffer overflow vulnerability was identified in the `Crypto_TC_Prep_AAD` function of CryptoLib versions 1.3.3 and prior. This vulnerability allows an attacker to trigger a Denial of Service (DoS) or potentially execute arbitrary code (RCE) by providing a maliciously crafted telecommand (TC) frame that causes an unsigned integer underflow. The vulnerability lies in the function `Crypto_TC_Prep_AAD`, specifically during the computation of `tc_mac_start_index`. The affected code incorrectly calculates the MAC start index without ensuring it remains within the bounds of the `ingest` buffer. When `tc_mac_start_index` underflows due to an incorrect length calculation, the function attempts to access an out-of-bounds memory location, leading to a segmentation fault. The vulnerability is still present in the repository as of commit `d3cc420ace96d02a5b7e83d88cbd2e48010d5723`. | critical |
| CVE-2025-29912 | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. In versions 1.3.3 and prior, an unsigned integer underflow in the `Crypto_TC_ProcessSecurity` function of CryptoLib leads to a heap buffer overflow. The vulnerability is triggered when the `fl` (frame length) field in a Telecommand (TC) packet is set to 0. This underflow causes the frame length to be interpreted as 65535, resulting in out-of-bounds memory access. This critical vulnerability can be exploited to cause a denial of service (DoS) or potentially achieve remote code execution. Users of CryptoLib are advised to apply the recommended patch or avoid processing untrusted TC packets until a fix is available. | critical |
| CVE-2025-29911 | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. A critical heap buffer overflow vulnerability was identified in the `Crypto_AOS_ProcessSecurity` function of CryptoLib versions 1.3.3 and prior. This vulnerability allows an attacker to trigger a Denial of Service (DoS) or potentially execute arbitrary code (RCE) by providing a maliciously crafted AOS frame with an insufficient length. The vulnerability lies in the function `Crypto_AOS_ProcessSecurity`, specifically during the processing of the Frame Error Control Field (FECF). The affected code attempts to read from the `p_ingest` buffer at indices `current_managed_parameters_struct.max_frame_size - 2` and `current_managed_parameters_struct.max_frame_size - 1` without verifying if `len_ingest` is sufficiently large. This leads to a heap buffer overflow when `len_ingest` is smaller than `max_frame_size`. As of time of publication, no known patched versions exist. | critical |
| CVE-2025-27768 | Rejected reason: Not used | No Score |
| CVE-2025-27767 | Rejected reason: Not used | No Score |
| CVE-2025-27766 | Rejected reason: Not used | No Score |
| CVE-2025-27765 | Rejected reason: Not used | No Score |
| CVE-2025-2420 | A vulnerability classified as problematic was found in 猫宁i Morning up to bc782730c74ff080494f145cc363a0b4f43f7d3e. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | medium |
| CVE-2025-27764 | Rejected reason: Not used | No Score |
| CVE-2025-27763 | Rejected reason: Not used | No Score |
| CVE-2025-27762 | Rejected reason: Not used | No Score |
| CVE-2025-27761 | Rejected reason: Not used | No Score |
| CVE-2025-27760 | Rejected reason: Not used | No Score |
| CVE-2024-56506 | Rejected reason: Not used | No Score |
| CVE-2024-56505 | Rejected reason: Not used | No Score |
| CVE-2024-56504 | Rejected reason: Not used | No Score |
| CVE-2024-56503 | Rejected reason: Not used | No Score |
| CVE-2024-56502 | Rejected reason: Not used | No Score |
| CVE-2024-56501 | Rejected reason: Not used | No Score |
| CVE-2024-56500 | Rejected reason: Not used | No Score |
| CVE-2024-56499 | Rejected reason: Not used | No Score |
| CVE-2024-56498 | Rejected reason: Not used | No Score |
| CVE-2023-50185 | Rejected reason: Not used | No Score |
| CVE-2023-50184 | Rejected reason: Not used | No Score |
| CVE-2023-50183 | Rejected reason: Not used | No Score |
| CVE-2023-50182 | Rejected reason: Not used | No Score |
| CVE-2023-47535 | Rejected reason: Not used | No Score |
| CVE-2023-46721 | Rejected reason: Not used | No Score |
| CVE-2023-46719 | Rejected reason: Not used | No Score |
| CVE-2023-45589 | Rejected reason: Not used | No Score |
| CVE-2022-47405 | Rejected reason: Not used | No Score |
| CVE-2022-47404 | Rejected reason: Not used | No Score |
| CVE-2022-47403 | Rejected reason: Not used | No Score |
| CVE-2022-47402 | Rejected reason: Not used | No Score |
| CVE-2022-47401 | Rejected reason: Not used | No Score |
| CVE-2022-47400 | Rejected reason: Not used | No Score |
