Vulnerability Details

CVE-2025-44831 • published on May 13, 2025 EngineerCMS v1.02 through v2.0.5 has a SQL injection vulnerability in the /project/addproject interface.

CVE-2025-44039 • published on May 13, 2025 CP-XR-DE21-S -4G Router Firmware version 1.031.022 was discovered to contain insecure protections for its UART console. This vulnerability allows local attackers to connect to the UART port via a serial connection, read all boot sequence, and revealing internal system details and sensitive information without any authentication.

CVE-2025-45864 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the addrPoolStart parameter in the formDhcpv6s interface.

CVE-2025-45746 • published on May 13, 2025 In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console.

CVE-2025-45858 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function.

CVE-2025-45861 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the routername parameter in the formDnsv6 interface.

CVE-2025-45867 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the static_dns1 parameter in the formIpv6Setup interface.

CVE-2025-45857 • published on May 13, 2025 EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function.

CVE-2025-45859 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the bandstr parameter in the formMapDelDevice interface.

CVE-2025-45863 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the macstr parameter in the formMapDelDevice interface.

CVE-2025-45865 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the dnsaddr parameter in the formDhcpv6s interface.

CVE-2025-45866 • published on May 13, 2025 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the addrPoolEnd parameter in the formDhcpv6s interface.

CVE-2025-47204 • published on May 13, 2025 An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).

CVE-2025-47905 • published on May 13, 2025 Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.

CVE-2023-49641 • published on May 12, 2025 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the loginCheck.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE-2025-46825 • published on May 12, 2025 Kanboard is project management software that focuses on the Kanban methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site Scripting (XSS) Vulnerability in the `name` parameter of the `http://localhost/?controller=ProjectCreationController&action=create` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. Note that the default content security policy (CSP) blocks the JavaScript attack, though it can be exploited if an instance is badly configured and the software is vulnerable to CSS injection because of the unsafe-inline on the default CSP. Version 1.2.45 contains a fix for the issue.

CVE-2025-31220 • published on May 12, 2025 A privacy issue was addressed by removing sensitive data. This issue is fixed in iPadOS 17.7.7, macOS Ventura 13.7.6, macOS Sequoia 15.5, macOS Sonoma 14.7.6. A malicious app may be able to read sensitive location information.

CVE-2025-24258 • published on May 12, 2025 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Ventura 13.7.6, macOS Sonoma 14.7.6. An app may be able to gain root privileges.

CVE-2025-31236 • published on May 12, 2025 An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sequoia 15.5. An app may be able to access sensitive user data.

CVE-2025-24223 • published on May 12, 2025 The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption.

Recent Vulnerabilities