Latest Security Vulnerabilities

Thursday September 18, 2025

Linux Kernel

CVE-2023-53390 Linux Kernel dd: Fix memory leak from debugfs_lookup
CVE-2023-53392 Linux Kernel Panic via NULL fw_client in intel-ish-hid (warm reset)
CVE-2023-53395 Linux Kernel: ACPI Timer Instruction Flag Fix Prevents UBSAN Crash
CVE-2023-53400 Linux Kernel ALSA HDA Oops via 9.1 Channel Overflow
CVE-2022-50400 Linux Kernel Debugfs Leak in Greybus Audio Helper
CVE-2023-53402 Linux kernel memory leak: debugfs_lookup in printk module
CVE-2023-53403 Linux Kernel Memory Leak via debugfs_lookup()
CVE-2023-53404 Linux Kernel USB Fotg210 Mem Leak via debugfs_lookup()
CVE-2023-53406 Linux kernel USB gadget pxa25x_udc memory leak fix
And others...

Abb

CVE-2024-48851 ABB FLXEON <9.3.5: Improper Input Validation RCE
CVE-2025-10207 ABB FLXEON <9.3.5 Improper Input Type Validation Vulnerability
CVE-2024-48842 Use of Hard-Coded Credentials in ABB FLXEON v9.3.5+

Ericsson

CVE-2024-25011 Auth Required by Default in Ericsson Catalog Manager & Order Care APIs
 

D-Link Dlink

CVE-2025-10629 Remote Cmd Injection via SSDP in D-Link DIR-852 1.00CN B09
CVE-2025-10628 D-Link DIR-852 1.00CN B09: Web UI Command Injection via hedwig.cgi
CVE-2025-10634 D-Link DIR-823X RE 240126/240802/250416 Command Injection in goahead
CVE-2025-10666 D-Link DIR-825 2.10 Buffer Overflow via countdown_time (apply.cgi)
 

Unclassified

CVE-2025-5305 WP Plugin 'Password Reset with Code' v<0.0.17 Unsafe OTP Gen -> Account Takeover
CVE-2025-6237 InvokeAI <6.0.0a1: Path Traversal & File Delete via /api/v1/images/download
CVE-2025-8565 WP Legal Pages <=3.4.3: Auth Contributor Bypass Check to Install Plugins
CVE-2025-8942 WP Hotel Booking <=2.2.3 Review Rating Manipulation
CVE-2025-10493 Chained Quiz WP Plugin v<=1.3.4 IDOR via chained_completion_id
CVE-2024-13151 Retail Sales Mgmt SQLi via User-PK (CVE-2024-13151)
CVE-2025-10665 SQL Injection via csem in kidaze CourseSelectionSystem COUNT3s3.php
CVE-2025-0547 Bizmu XSS in Web Page Gen (v2.27.0-20250212)
CVE-2025-9992 Stored XSS in Ghost Kit <=3.4.3 via custom JS field
And others...

Ninjaforms Ninja Forms

CVE-2025-9083 Ninja Forms <3.11.1: PHP Object Injection via Untrusted Unserialization

Torproject Tor

CVE-2025-4444 Tor v0.4.8.17 Onion Service Descriptor Handler Resource Exhaustion

Powerdns

CVE-2025-30187 DNSdist nghttp2 DoH I/O Loop DOS Vulnerability

Itsourcecode

CVE-2025-10632 CVE-2025-10632: PHP XSS in itsourcecode Online Petshop MS 1.0 (availableframe.php)
CVE-2025-10631 Online Petshop Management Sys 1.0 XSS via addcnp.php
CVE-2025-10667 SQLi in itsourcecode Online Discussion Forum 1.0 (compose_msg.php) Remote
CVE-2025-10670 SQL Injection in E-Logbook for COVID-19 1.0 check_profile.php
CVE-2025-10616 Unrestricted File Upload in itsourcecode E-Commerce Web 1.0 – /admin/users.php
 

PHPGurukul Online Course Registration

CVE-2025-10663 PHPGurukul Online Course Reg 3.1 SQLi via cgpa in /my-profile.php
 

PHPGurukul Small Crm

CVE-2025-10664 PHPGurukul Small CRM 4.0 SQLi via /create-ticket.php subject param

Nokia

CVE-2023-49564 CBIS/NCS Manager API Auth Bypass via Malicious Header
CVE-2023-49565 Podman cbis_manager RCE via /api/plugins Header Injection

Wednesday September 17, 2025

Linux Kernel

CVE-2023-53390 Linux Kernel dd: Fix memory leak from debugfs_lookup
CVE-2023-53392 Linux Kernel Panic via NULL fw_client in intel-ish-hid (warm reset)
CVE-2023-53395 Linux Kernel: ACPI Timer Instruction Flag Fix Prevents UBSAN Crash
CVE-2023-53400 Linux Kernel ALSA HDA Oops via 9.1 Channel Overflow
CVE-2022-50400 Linux Kernel Debugfs Leak in Greybus Audio Helper
CVE-2023-53402 Linux kernel memory leak: debugfs_lookup in printk module
CVE-2023-53403 Linux Kernel Memory Leak via debugfs_lookup()
CVE-2023-53404 Linux Kernel USB Fotg210 Mem Leak via debugfs_lookup()
CVE-2023-53406 Linux kernel USB gadget pxa25x_udc memory leak fix
And others...

Jenkins

CVE-2025-59474 Jenkins <=2.527 LTS: Sidepanel Exec Widget Auth Bypass (CVE-2025-59474)
CVE-2025-59475 Jenkins 2.527 & LTS 2.516.2 Authenticated-User Profile Dropdown Bypass
CVE-2025-59476 Jenkins 2.527/LTS 2.516.2: Log Injection via Unrestricted Char in Log Msg

NVIDIA Triton Inference Server

CVE-2025-23268 NVIDIA Triton Inference Server DALI Backend Improper Input Validation RCE
CVE-2025-23316 Remote Code Execution via Model Name in NVIDIA Triton Inference Server (Python backend)
CVE-2025-23336 NVIDIA Triton Inference Server DoS via Misconfigured Model
CVE-2025-23328 NVIDIA Triton Inference Server OOB Write DoS via Crafted Input
CVE-2025-23329 NVIDIA Triton Inference Server: ShMem Python Bknd Corruption -> DoS

Dassault

CVE-2025-9447 SOLIDWORKS eDrawings OOB Read in PAR File (CVE-2025-9447)

Dassault Solidworks Edrawings

CVE-2025-9450 Uninitialized Variable in SOLIDWORKS eDrawings JT Reader Enables Arbitrary Code Exec
CVE-2025-9449 Use-After-Free in SOLIDWORKS eDrawings PAR Loader
 

Unclassified

CVE-2025-5305 WP Plugin 'Password Reset with Code' v<0.0.17 Unsafe OTP Gen -> Account Takeover
CVE-2025-6237 InvokeAI <6.0.0a1: Path Traversal & File Delete via /api/v1/images/download
CVE-2025-8565 WP Legal Pages <=3.4.3: Auth Contributor Bypass Check to Install Plugins
CVE-2025-8942 WP Hotel Booking <=2.2.3 Review Rating Manipulation
CVE-2025-10493 Chained Quiz WP Plugin v<=1.3.4 IDOR via chained_completion_id
CVE-2024-13151 Retail Sales Mgmt SQLi via User-PK (CVE-2024-13151)
CVE-2025-10665 SQL Injection via csem in kidaze CourseSelectionSystem COUNT3s3.php
CVE-2025-0547 Bizmu XSS in Web Page Gen (v2.27.0-20250212)
CVE-2025-9992 Stored XSS in Ghost Kit <=3.4.3 via custom JS field
And others...

JetBrains Teamcity

CVE-2025-59456 JetBrains TeamCity <2025.07.2 PT on Project Archive Upload
CVE-2025-59455 JetBrains TeamCity Project Isolation Bypass (Race Cond.)

Nuxt

CVE-2025-59414 Nuxt <3.19.0/4.1.0 Path Traversal in Island Payload Revival

Wondershare Repairit

CVE-2025-10643 Wondershare Repairit Auth Bypass via Incorrect Storage Token Permission
CVE-2025-10644 Wondershare Repairit Auth Bypass via SAS Token Priv Esc

Bplugins

CVE-2025-9203 MP for Elementor v1.0.5 XSS via subtitle_ssize, track_title, track_artist_name

JetBrains Junie

CVE-2025-59458 Code Exec via Cmd Validation in JetBrains Junie <252.284.66

Ruby Rexml

CVE-2025-58767 REXML DoS: Multiple XML Declarations 3.3.3–3.4.1

Zimbra Collaboration

CVE-2025-54390 CSRF in Zimbra ResetPasswordRequest Enables Unauthorized Password Reset

Nec Univerge Ix

CVE-2025-8153 CVE-2025-8153 XSS in NEC UNIVERGE IX 9.5-10.7,10.8.21–10.8.36,10.9.11–10.9.24,10.10.21–10.10.31,10.1

Ays Pro Quiz Maker

CVE-2025-10042 WordPress Quiz Maker 6.7.0.56 SQLi via spoofed IP X-Forwarded-For

Smackcoders

CVE-2025-10057 WP Import Ultimate CSV XML Importer <=7.28 – RCE via write_to_customfile
CVE-2025-10058 WP Import Ultimate CSV XML Importer v7.27: Arbitrary File Deletion

Watchguard Fireware Os

CVE-2025-9242 OOB Write WatchGuard Fireware OS 11.10.2-12.11.3 Mobile/Branch VPN (IKEv2) RCE

Athemes Sydney

CVE-2025-8999 Wp Sydney Theme <=2.56: Unauth Data Mod via activate_modules

NVIDIA

CVE-2025-23337 Privilege Escalation In NVIDIA HGX/DGX HMC via BMC Admin Access

Suse Neuvector

CVE-2025-53884 NeuVector unsalted hash vulnerable to rainbow table attacks
CVE-2025-54467 NeuVector Process Rule Violation Logs Expose Passwords
CVE-2025-8077 NeuVector <5.4.5 Default admin password exposes full API access

Ghost

CVE-2025-9862 Ghost SSRF (6.0.0–6.0.8,5.99–5.130.3) – vulnerable HTTP client

Sourcecodester

CVE-2025-10602 SQL Injection in SourceCodester Exam Form Submission 1.0 admin/delete_s1.php

Strangerstudios

CVE-2025-10125 Memberlite Shortcodes WP Plugin XSS via 'row' Shortcode, v<=1.4

Abb Flxeon

CVE-2025-10205 Predictable Salt in ABB FLXEON <9.3.5 & Newer (CVE-2025-10205)

Portabilis I Educar

CVE-2025-10605 Portabilis i-Educar <=2.10 XSS via tipoacao in agenda_preferencias.php
CVE-2025-10608 Portabilis i-Educar 2.10 Improper Access in /enrollment-history/
CVE-2025-10607 Info Disclosure via /module/Avaliacao/diarioAPI in Portabilis i-Educar <2.10
CVE-2025-10590 Portabilis i-Educar 2.10 XSS via ref_pessoa in educar_usuario_det.php
CVE-2025-10606 i-Educar <=2.10 XSS in ConfiguracaoMovimentoGeral via tipoacao

Hpe

CVE-2025-37122 Unauthenticated Reflected XSS in Network Access Control Web Interface

Abb

CVE-2024-48851 ABB FLXEON <9.3.5: Improper Input Validation RCE
CVE-2025-10207 ABB FLXEON <9.3.5 Improper Input Type Validation Vulnerability
CVE-2024-48842 Use of Hard-Coded Credentials in ABB FLXEON v9.3.5+

Ovh The Bastion

CVE-2025-59339 Bastion osh-encrypt-rsync silently fails to sign session logs

Itsourcecode

CVE-2025-10632 CVE-2025-10632: PHP XSS in itsourcecode Online Petshop MS 1.0 (availableframe.php)
CVE-2025-10631 Online Petshop Management Sys 1.0 XSS via addcnp.php
CVE-2025-10667 SQLi in itsourcecode Online Discussion Forum 1.0 (compose_msg.php) Remote
CVE-2025-10670 SQL Injection in E-Logbook for COVID-19 1.0 check_profile.php
CVE-2025-10616 Unrestricted File Upload in itsourcecode E-Commerce Web 1.0 – /admin/users.php

Open5gs

CVE-2025-55904 Open5GS v2.7.5 NULL Pointer Deref (SBI) – DoS