Latest Security Vulnerabilities

Sunday December 28, 2025

Zkteco Biotime

CVE-2025-15128 ZKTeco BioTime <9.5.2: Unprotected Credentials via backup_encryption_password_decrypt
 

Unclassified

CVE-2025-15122 JeecgBoot <=3.9.0: Improper Auth via loadDatarule (Remote)
CVE-2025-15125 Unauthorized Access via departId manipulation in JeecgBoot 3.9.0
CVE-2025-15123 JeecgBoot <=3.9.0 Improper Auth via SysDepartPermission DataRule
CVE-2025-15120 JeecgBoot <=3.9.0: getDeptRoleList Auth Bypass
CVE-2025-15119 JeecgBoot <3.9.0 remote auth flaw via deptId (CVE-2025-15119)
CVE-2025-15126 JeecgBoot <3.9.0 Improper Auth via getPositionUserList (PositionId)
CVE-2025-15131 ZSPACE Z4Pro+ 1.0.0440024 - HTTP POST Request Handler Command Injection
CVE-2025-15121 JeecgBoot <3.9.0 Info Disclosure via departId
CVE-2025-15124 JeecgBoot <=3.9.0 Improper Auth via departId in getParameterMap Remote
And others...

Trendnet

CVE-2025-15136 Command Injection in TRENDnet TEW-800MB 1.0.1.0 Management Interface

Dromara

CVE-2025-15117 Dromara Sa-Token <=1.44.0: Remote Deserialization via SaJdkSerializer

Macrozheng

CVE-2025-15118 Improper auth in MacroZheng Mall Member Endpoint before v1.0.3

Opencart

CVE-2025-15116 OpenCart SRCCHandler Race Condition CVE-2025-15116 (4.1.0.3)

Saturday December 27, 2025

PHP

CVE-2025-14180 PHP 8.x PDO PgSQL Emulate Prepares Null Deref Crash (CVE-2025-14180)
CVE-2025-14177 PHP 8.x getimagesize() Info Disclosure in APPn Segments (before 8.4.16)
CVE-2025-14178 Heap Buffer Overflow IN PHP array_merge (8.18.5) pre 8.5.1

Gnupg

CVE-2025-68972 GnuPG 2.4.8+ signature bypass via '\f' line terminator
 

Unclassified

CVE-2025-15122 JeecgBoot <=3.9.0: Improper Auth via loadDatarule (Remote)
CVE-2025-15125 Unauthorized Access via departId manipulation in JeecgBoot 3.9.0
CVE-2025-15123 JeecgBoot <=3.9.0 Improper Auth via SysDepartPermission DataRule
CVE-2025-15120 JeecgBoot <=3.9.0: getDeptRoleList Auth Bypass
CVE-2025-15119 JeecgBoot <3.9.0 remote auth flaw via deptId (CVE-2025-15119)
CVE-2025-15126 JeecgBoot <3.9.0 Improper Auth via getPositionUserList (PositionId)
CVE-2025-15131 ZSPACE Z4Pro+ 1.0.0440024 - HTTP POST Request Handler Command Injection
CVE-2025-15121 JeecgBoot <3.9.0 Info Disclosure via departId
CVE-2025-15124 JeecgBoot <=3.9.0 Improper Auth via departId in getParameterMap Remote
And others...

Friday December 26, 2025

IBM Aspera Faspex 5

CVE-2025-36229 IBM Aspera Faspex 5 Authenticated Package ID Enumeration (v5.0.0-5.0.14.1)
CVE-2025-36228 IBM Aspera Faspex 5 5.0.05.0.14.1 UI/API Permission Leak
CVE-2025-36230 IBM Aspera Faspex 5 5.0.0-5.0.14.1 HTML Injection

IBM Ds8900f Firmware

CVE-2025-36192 IBM DS8000 R10.x Local CCW Update Perm Allows Backup Deletion (CVE-2025-36192)

IBM Concert

CVE-2025-1721 IBM Concert 1.0.0-2.1.0 Remote Heap Memory Disclosure via Improper Clearing
CVE-2025-64645 IBM Concert 2.1.0 Local Priv Esc via Symlink Race
CVE-2025-12771 IBM Concert 1.0.0-2.1.0 Stack-Based Buffer Overflow (buf overrun)

Gitea

CVE-2025-68940 Gitea 1.22.5: Branch Deletion Permissions Not Properly Enforced
CVE-2025-68939 Gitea <1.23.0: Attachment API Bypasses Forbidden Extension Check
CVE-2025-68941 Gitea <1.22.3: Limited-API-token can read private resources
CVE-2025-68942 Gitea <1.22.2 XSS: search box uses v-html (v-text missing)
CVE-2025-68943 Gitea <=1.21.7: Login Time Disclosure via explore/users Order
CVE-2025-68945 Gitea <1.21.2: Anonymous View of Private Projects
CVE-2025-68944 Token Scope Propagation Flaw in Gitea <1.22.2 (Package Registry Access Control)
CVE-2025-68946 Gitea <1.20.1 XSS via forbidden URL Scheme
CVE-2025-68938 Gitea <1.25.2 Release deletion auth bypass

IBM Api Connect

CVE-2025-13915 IBM API Connect 10.0.8.010.0.8.5/10.0.11.0: Auth Bypass Remote

Alteryx Server

CVE-2025-15097 Alteryx Server Improper Auth /gallery/api/status/ Fixed in 2025.1.1.1.31

Eaton

CVE-2025-59887 Eaton UPS Companion Improper Auth of Lib Files Leading to Code Exec
CVE-2025-59888 Eaton UPS Companion Installer Quotation Flaw Allows RCE
CVE-2025-67450 Eaton UPS Companion insecure lib loading leads to RCE
 

Unclassified

CVE-2025-15122 JeecgBoot <=3.9.0: Improper Auth via loadDatarule (Remote)
CVE-2025-15125 Unauthorized Access via departId manipulation in JeecgBoot 3.9.0
CVE-2025-15123 JeecgBoot <=3.9.0 Improper Auth via SysDepartPermission DataRule
CVE-2025-15120 JeecgBoot <=3.9.0: getDeptRoleList Auth Bypass
CVE-2025-15119 JeecgBoot <3.9.0 remote auth flaw via deptId (CVE-2025-15119)
CVE-2025-15126 JeecgBoot <3.9.0 Improper Auth via getPositionUserList (PositionId)
CVE-2025-15131 ZSPACE Z4Pro+ 1.0.0440024 - HTTP POST Request Handler Command Injection
CVE-2025-15121 JeecgBoot <3.9.0 Info Disclosure via departId
CVE-2025-15124 JeecgBoot <=3.9.0 Improper Auth via departId in getParameterMap Remote
And others...

Espressif Esp Idf

CVE-2025-68473 ESP-IDF 5.5.15.1.6: OOB Write in BlueDroid SDP (uuid_list[32])
CVE-2025-68474 ESP-IDF 5.x AVRCP Stack OOB Write in avrc_vendor_msg() (CVE-2025-68474)

N8n

CVE-2025-68668 n8n Pyodide Sandbox Bypass Python Code Node (<=1.99)
CVE-2025-68697 n8n 2.0.0 File System Access Bypass in Code Node Pre2.0.0 Auth Escalation
CVE-2025-61914 n8n 1.114.0: Stored XSS in Respond to Webhook node

IBM Db2

CVE-2025-14687 IBM Db2 Int'l Center 1.1.0-1.1.2 Auth Bypass via Client-Side (CVE-2025-14687)

Freshrss

CVE-2025-68148 FreshRSS DoS via 429 Retry-After in Proxy (v1.27.x fixed 1.28.0)
CVE-2025-68932 FreshRSS Token Leakage via Weak RNG before v1.28.0

Delta Electronics

CVE-2025-62578 Modbus/TCP Cleartext Transmission in DVP-12SE Industrial Controller

Thursday December 25, 2025

Pexip Infinity

CVE-2025-32095 Pexip Infinity <37.0: Signaling Input Validation DoS
CVE-2025-32096 Pexip Infinity 33.0-37.0 Improper Input Val via Signaling DoS
CVE-2025-49088 Pexip Infinity OTJ Service DoS via Crafted Invite (32.0-37.1)
CVE-2025-66378 Pexip Infinity RTMP Access Control Bypass v38.x (fixed v39.0)
CVE-2025-66377 Pexip Infinity 39.0 Missing Auth on Internal API Enables Node Downtime
CVE-2025-66379 Pexip Infinity <39.0 Improper Input Validation in Media Impl. Causing Remote DoS
CVE-2025-66443 Pexip Infinity 35.038.1 Improper Input Validation (Pre-39.0) SIG Abort DoS
CVE-2025-48704 Pexip Infinity 35.0-37.2 Improper Input Val'd in Signalling DoS
CVE-2025-59683 Pexip Infinity 15.038.0 Secure Scheduler IAC Unauthenticated Read & DoS

Onlyoffice Document Server

CVE-2025-68935 ONLYOFFICE Docs XSS via Font field before 9.2.1 (DocumentServer)
CVE-2025-68936 ONLYOFFICE Docs 9.x XSS via Color Theme Name in DocumentServer
 

Unclassified

CVE-2025-15122 JeecgBoot <=3.9.0: Improper Auth via loadDatarule (Remote)
CVE-2025-15125 Unauthorized Access via departId manipulation in JeecgBoot 3.9.0
CVE-2025-15123 JeecgBoot <=3.9.0 Improper Auth via SysDepartPermission DataRule
CVE-2025-15120 JeecgBoot <=3.9.0: getDeptRoleList Auth Bypass
CVE-2025-15119 JeecgBoot <3.9.0 remote auth flaw via deptId (CVE-2025-15119)
CVE-2025-15126 JeecgBoot <3.9.0 Improper Auth via getPositionUserList (PositionId)
CVE-2025-15131 ZSPACE Z4Pro+ 1.0.0440024 - HTTP POST Request Handler Command Injection
CVE-2025-15121 JeecgBoot <3.9.0 Info Disclosure via departId
CVE-2025-15124 JeecgBoot <=3.9.0 Improper Auth via departId in getParameterMap Remote
And others...

Forgejo

CVE-2025-68937 Forgejo <13.0.2 - Symlink Dest. Write to Unintended Files & Shell Access

Tenda Ch22

CVE-2025-15076 Path Traversal in Tenda CH22 1.0.0.1 /public/ (remote)

Ketr Jepaas

CVE-2025-15088 ketr JEPaaS SQLi in postilService.loadPostils before 7.2.8

Itsourcecode

CVE-2025-15078 SQLi in itsourcecode Student Management System 1.0 via /list_report.php
CVE-2025-15077 itsourcecode Student Management System 1.0 SQLi via /form137.php
CVE-2025-15075 SQLi in itsourcecode Student Management Sys v1.0 via /student_p.php
CVE-2025-15074 SQLi in itsourcecode OFFOS 1.0 via /customer_details.php

Wednesday December 24, 2025

Linux Kernel

CVE-2022-50702 Linux Kernel vdpa_sim Module Memory Leak When device_register Fails
CVE-2022-50704 Linux Kernel Gadget UAF During USB Config Switch
CVE-2022-50706 Linux kernel PF_IEEE802154 raw_sendmsg zero-length packet issue
CVE-2022-50707 Linux kernel virtio-crypto memleak in virtio_crypto_alg_skcipher_close_session
CVE-2022-50712 Linux Kernel: devlink Region Snapshot Lock Assertion (CVE202250712)
CVE-2022-50716 Linux Kernel AR5523 WiFi Driver USEAFTERFREE on cmd
CVE-2022-50719 Linux Kernel ALSA line6: stack overflow via MIDI sysex
CVE-2022-50723 Linux kernel bnxt_en: Mem Leak in bnxt_nvm_test()
CVE-2022-50726 Linux Kernel: mlx5 Async UAF in mlx5_cmd_cleanup_async_ctx
And others...