🟧 PT-2025-54423
🗓 Published: 31.12.2025
CVE ID: CVE-2021-47742
Vendor: Epic Games
Product: Epic Games Psyonix Rocket League
Severity: ⚠ HIGH (8.8)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Unknown
📖 Description:
Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the 'F' (Full) flag for the 'Authenticated Users' group to change executable files and potentially escalate system privileges.
🛠 CWE: CWE-732
💥 Tag: Incorrect Permission
📊 CVSS Metrics:
• NVD: 8.8 (HIGH)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• Mitre: 8.8 (HIGH)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
📚 References:
• exchange.xforce.ibmcloud.com
• packetstormsecurity.com
• zeroscience.mk
• nvd.nist.gov
• rocketleague.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54423
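A check for this bug class (CWE-732) that is not part of the advisory or of the game: the script below parses what `icacls` prints for a single file and flags executables on which groups every logged-on user belongs to ('Authenticated Users', 'Users', 'Everyone') hold write-capable rights such as (F), (M) or (W). The right and inheritance abbreviations are the ones icacls uses; the sample output, the install path and the binary name are constructed for the example.

```python
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from typing import Iterator

# Groups every logged-on user belongs to. Write rights for any of these on an
# executable let a low-privileged user replace what a higher-privileged
# process or user will later run.
LOW_PRIV_PRINCIPALS = {
    "nt authority\\authenticated users",
    "builtin\\users",
    "everyone",
    "nt authority\\interactive",
}
# icacls right abbreviations that allow changing content, DACL or owner.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
# Inheritance/propagation flags that carry no rights by themselves.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    rights: frozenset


def parse_icacls(path: str, output: str) -> Iterator[tuple[str, set[str], bool]]:
    """Yield (principal, rights, is_deny) for each ACE in the output of
    `icacls <path>` for one file: the first line is the path followed by the
    first ACE, later ACEs sit on indented lines, then comes a summary line."""
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights = {r.strip() for tok in tokens for r in tok.split(",")}
        is_deny = "DENY" in rights
        rights -= INHERIT_FLAGS | {"DENY", ""}
        yield m.group("principal").strip(), rights, is_deny


def writable_by_low_priv(path: str, output: str) -> list[Finding]:
    """ACEs that let any authenticated user modify `path` (deny ACEs skipped)."""
    findings = []
    for principal, rights, is_deny in parse_icacls(path, output):
        if is_deny or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        hit = rights & WRITE_RIGHTS
        if hit:
            findings.append(Finding(path, principal, frozenset(hit)))
    return findings


def audit_live(path: str) -> list[Finding]:
    """Windows only: run icacls for one file and audit what it prints."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return writable_by_low_priv(path, out)


# Constructed sample of icacls output for a binary on which Authenticated
# Users hold (F). The path is an assumption for the example, not from the advisory.
SAMPLE_PATH = r"C:\Games\RocketLeague\Binaries\Win64\RocketLeague.exe"
SAMPLE_OUTPUT = (
    SAMPLE_PATH + " NT AUTHORITY\\Authenticated Users:(I)(F)\n"
    "                                                     BUILTIN\\Administrators:(I)(F)\n"
    "                                                     NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                                     BUILTIN\\Users:(I)(RX)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

if __name__ == "__main__":
    for f in writable_by_low_priv(SAMPLE_PATH, SAMPLE_OUTPUT):
        print(f"{f.path}: {f.principal} holds {sorted(f.rights)}")
```

On a real host, call `audit_live()` for every .exe and .dll under the install directory. A hit is fixed by taking the write rights away from the low-privileged group; since the ACE is usually inherited from the install directory, that means disabling inheritance on the directory (`icacls <dir> /inheritance:d`) and then removing the grant (`/remove:g`) rather than editing the file alone.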
🟨 PT-2025-54419
🗓 Published: 31.12.2025
CVE ID: CVE-2021-47725
Vendor: Stvs Sa
Product: Stvs Provision
Severity: ⚠ MEDIUM (5.4)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Unknown
📖 Description:
STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site.
🛠 CWE: CWE-79
💥 Tag: XSS
📊 CVSS Metrics:
• NVD: 5.4 (MEDIUM)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
• Mitre: 5.4 (MEDIUM)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
📚 References:
• packetstormsecurity.com
• zeroscience.mk
• exchange.xforce.ibmcloud.com
• stvs.com
• vulncheck.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54419
🟨 PT-2025-54456
🗓 Published: 31.12.2025
CVE ID: CVE-2023-7331
Vendor: Pkrystian
Product: Full-Stack-Bank
Severity: ⚠ MEDIUM (5.8)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
A vulnerability was detected in PKrystian Full-Stack-Bank up to commit bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. It affects unknown code in the User Handler component: manipulation of its input results in SQL injection, and the attack can be initiated remotely. The project uses a rolling release for continuous delivery, so no version numbers exist for affected or fixed releases; the fix is commit 25c9965a872c704f3a9475488dc5d3196902199a and should be applied.
🛠 CWE: CWE-89, CWE-74
💥 Tag: SQL injection, Special Elements Injection
📊 CVSS Metrics:
• NVD: 5.8 (MEDIUM)
AV:N/AC:L/Au:M/C:P/I:P/A:P
• Mitre: 4.7 (MEDIUM)
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
📚 References:
• github.com
• vuldb.com
• github.com
• vuldb.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54456
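The entry says only that manipulating a User Handler input yields SQL injection (CWE-89). The added example below is not the project's code (its table, rows and lookup functions are constructed for illustration); it puts the two query shapes side by side and includes the edge case that usually pushes developers into string-building in the first place: a legitimate username containing a quote, which the string-built query cannot even handle.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a bank's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, balance) VALUES (?, ?, ?)",
        [("alice", "h1", 100), ("bob", "h2", 250), ("carol", "h3", 40), ("o'brien", "h4", 10)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-built query: the username is parsed as SQL, so a quote in it
    either breaks the statement or rewrites its WHERE clause."""
    sql = f"SELECT id, username, balance FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the username is bound as data and never parsed,
    whatever characters it contains."""
    return conn.execute(
        "SELECT id, username, balance FROM users WHERE username = ?", (username,)
    ).fetchall()


def vulnerable_raises(conn: sqlite3.Connection, username: str) -> bool:
    """True when the string-built query fails to parse for this input."""
    try:
        find_user_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


# A classic tautology payload, constructed for the demonstration.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, PAYLOAD))   # every row in the table
    print(find_user_safe(db, PAYLOAD))         # [] : no user is literally named that
    print(vulnerable_raises(db, "o'brien"))    # True : a real name breaks the query
    print(find_user_safe(db, "o'brien"))       # [(4, "o'brien", 10)]
```

The same distinction holds for any driver: the fix is to keep user input out of the statement text, not to escape it. Where identifiers or sort orders must vary, map them through an allowlist, since placeholders cannot bind those.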
🟧 PT-2025-54455
🗓 Published: 31.12.2025
CVE ID: CVE-2015-10145
Vendor: Gargoyle
Product: Gargoyle Router Management Utility
Severity: ⚠ HIGH (8.7)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.
🛠 CWE: CWE-78
💥 Tag: OS Command Injection
📊 CVSS Metrics:
• NVD: 8.7 (HIGH)
AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
📚 References:
• vulncheck.com
• nvd.nist.gov
• gargoyle-router.com
• blog.xlab.qianxin.com
• packetstorm.news
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54455
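For an endpoint like the one described, the durable fix is not to filter shell metacharacters out of the 'commands' string but to stop handing user text to a shell at all. The block below is an added example and not Gargoyle's code (its CGI is shell; the allowlist, the target rule and the argv templates here are assumptions): user input is mapped onto a fixed argv and run without a shell, and a target that starts with '-' is refused so it cannot be parsed as an option, the argument-injection hole that a metacharacter filter leaves open.

```python
import re
import shlex
import subprocess

# Diagnostic commands the UI is allowed to run, with the argv prefix that is
# actually executed. Assumed for the example; a real device would tailor this.
ALLOWED = {
    "ping": ["ping", "-c", "3"],
    "traceroute": ["traceroute", "-m", "10"],
}

# One hostname or IPv4/IPv6 literal. The first character may not be '-', so
# a value such as "-f" can never reach ping as a flag.
TARGET_RE = re.compile(r"^[A-Za-z0-9:][A-Za-z0-9.:-]{0,252}$")


class CommandRejected(ValueError):
    """Input that must be answered with an error and never executed."""


def build_argv(user_input: str) -> list:
    """Map the user's 'commands' text onto a fixed argv, or raise."""
    try:
        parts = shlex.split(user_input)   # quoting honoured, nothing expanded
    except ValueError as exc:
        raise CommandRejected(f"unparseable input: {exc}") from exc
    if not parts or parts[0] not in ALLOWED:
        raise CommandRejected("command not in allowlist")
    args = parts[1:]
    if len(args) != 1 or not TARGET_RE.match(args[0]):
        raise CommandRejected("exactly one hostname/IP argument expected")
    return ALLOWED[parts[0]] + args


def is_rejected(user_input: str) -> bool:
    try:
        build_argv(user_input)
        return False
    except CommandRejected:
        return True


def run_vulnerable(user_input: str) -> str:
    """The shape the advisory describes: text goes to a shell unchecked, so
    'ping h; cat /etc/shadow' runs two commands. Shown, never called here."""
    return subprocess.run(user_input, shell=True, capture_output=True, text=True).stdout


def run_hardened(user_input: str) -> str:
    """argv list and no shell: metacharacters are plain bytes in one argument."""
    argv = build_argv(user_input)
    return subprocess.run(argv, capture_output=True, text=True, timeout=20).stdout


if __name__ == "__main__":
    for sample in ["ping 192.0.2.1", "ping 192.0.2.1; id", "ping $(id)", "ping -f", "reboot"]:
        verdict = "rejected" if is_rejected(sample) else build_argv(sample)
        print(f"{sample!r:26} -> {verdict}")
```

Note what the allowlist does that a denylist of characters cannot: `ping -f` contains no metacharacter at all, yet on an unprivileged-user device running the daemon as root it would flood; the target rule refuses it because it is an option, not a host.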
🟧 PT-2025-54425
🗓 Published: 31.12.2025
CVE ID: CVE-2021-47744
Vendor: Cypress Solutions
Product: Cypress Solutions Ctm-200
Severity: ⚠ HIGH (7.5)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Unknown
📖 Description:
Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains a hard-coded credentials vulnerability in its Linux distribution that exposes root access. Attackers can use the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices.
🛠 CWE: CWE-798
💥 Tag: Using Hardcoded Credentials
📊 CVSS Metrics:
• NVD: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• Mitre: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• X.com: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• Positive Technologies: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
📚 References:
• cypress.bc.ca
• exploit-db.com
• vulncheck.com
• twitter.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54425
🟧 PT-2025-54457
🗓 Published: 31.12.2025
CVE ID: CVE-2023-7332
Vendor: Pmmp
Product: Pocketmine-Mp
Severity: ⚠ HIGH (7.1)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Unknown
📖 Description:
PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service.
🛠 CWE: CWE-1284
📊 CVSS Metrics:
• NVD: 7.1 (HIGH)
AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
• Mitre: 7.1 (HIGH)
AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
📚 References:
• github.com
• vulncheck.com
• github.com
• github.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54457
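The entry describes a count supplied by the client that the server acted on without comparing it to what the player actually held (CWE-1284). The added example below is not PocketMine-MP's code (the server is PHP; the hotbar model, item names and request shape here are constructed): it shows the unchecked path, the checked path that refuses out-of-range, non-integer and oversized counts, and a network-facing wrapper that turns a bad request into an error for that one player instead of an uncaught exception that stops the server for everyone.

```python
from dataclasses import dataclass, field


class InvalidTransaction(Exception):
    """A client request the server must refuse, not act on."""


@dataclass
class ItemStack:
    item_id: str
    count: int


@dataclass
class Hotbar:
    slots: list = field(default_factory=lambda: [None] * 9)

    def drop_unchecked(self, slot: int, count: int) -> ItemStack:
        """Trusts the client's count: the remaining stack goes negative and
        whatever consumes it next fails. This is the bug shape, kept for contrast."""
        stack = self.slots[slot]
        stack.count -= count
        return ItemStack(stack.item_id, count)

    def drop_checked(self, slot, count) -> ItemStack:
        """Validate every client-controlled value against server-side state."""
        if not isinstance(slot, int) or isinstance(slot, bool) or not 0 <= slot < len(self.slots):
            raise InvalidTransaction(f"slot {slot!r} out of range")
        stack = self.slots[slot]
        if stack is None:
            raise InvalidTransaction(f"slot {slot} is empty")
        if not isinstance(count, int) or isinstance(count, bool) or count <= 0:
            raise InvalidTransaction(f"count {count!r} is not a positive integer")
        if count > stack.count:
            raise InvalidTransaction(f"requested {count}, only {stack.count} held")
        stack.count -= count
        if stack.count == 0:
            self.slots[slot] = None
        return ItemStack(stack.item_id, count)


def handle_drop_request(hotbar: Hotbar, request: dict) -> dict:
    """Packet-level wrapper: a malformed request produces an error response
    for this player and leaves the inventory untouched."""
    try:
        dropped = hotbar.drop_checked(request.get("slot"), request.get("count"))
    except InvalidTransaction as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "dropped": {"item": dropped.item_id, "count": dropped.count}}


def demo_hotbar() -> Hotbar:
    """Constructed sample inventory: five diamonds in slot 0, rest empty."""
    h = Hotbar()
    h.slots[0] = ItemStack("minecraft:diamond", 5)
    return h


if __name__ == "__main__":
    h = demo_hotbar()
    print(handle_drop_request(h, {"slot": 0, "count": 64}))   # refused, 5 still held
    print(handle_drop_request(h, {"slot": 0, "count": 5}))    # ok, slot now empty
    v = demo_hotbar()
    v.drop_unchecked(0, 64)
    print(v.slots[0].count)                                   # -59
```

The per-request catch is the part that decides between a kicked player and a downed server; the validation is what makes the catch rarely needed. Both belong on every field the client controls, not just the count.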
🟨 PT-2025-54328
🗓 Published: 31.12.2025
CVE ID: CVE-2025-59003
Vendor: Inkthemescom
Product: Black Rider
Severity: ⚠ MEDIUM (5.8)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Insertion of Sensitive Information Into Sent Data vulnerability in Inkthemescom Black Rider allows an attacker to retrieve embedded sensitive data. This issue affects Black Rider: from n/a through 1.2.3.
🛠 CWE: CWE-201
📊 CVSS Metrics:
• NVD: 5.8 (MEDIUM)
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
• Mitre: 5.8 (MEDIUM)
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
📚 References:
• vdp.patchstack.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54328
🟨 PT-2025-54335
🗓 Published: 31.12.2025
CVE ID: CVE-2025-62117
Vendor: Jayce53
Product: Easyindex
Severity: ⚠ MEDIUM (5.4)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Cross-Site Request Forgery (CSRF) vulnerability in Jayce53 EasyIndex (easyindex) allows cross-site request forgery. This issue affects EasyIndex: from n/a through 1.1.1704.
🛠 CWE: CWE-352
💥 Tag: CSRF
📊 CVSS Metrics:
• NVD: 5.4 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
• Mitre: 5.4 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
📚 References:
• vdp.patchstack.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54335
🟨 PT-2025-54357
🗓 Published: 31.12.2025
CVE ID: CVE-2025-59136
Vendor: Efí Bank
Product: Gerencianet Oficial
Severity: ⚠ MEDIUM (5.3)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Insertion of Sensitive Information Into Sent Data vulnerability in Efí Bank Gerencianet Oficial allows an attacker to retrieve embedded sensitive data. This issue affects Gerencianet Oficial: from n/a through 3.1.3.
🛠 CWE: CWE-201
📊 CVSS Metrics:
• NVD: 5.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
• Mitre: 5.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
📚 References:
• nvd.nist.gov
• vdp.patchstack.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54357
🟨 PT-2025-54361
🗓 Published: 31.12.2025
CVE ID: CVE-2025-62092
Vendor: Wiremo
Product: Wiremo
Severity: ⚠ MEDIUM (5.3)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Missing Authorization vulnerability in Wiremo allows exploitation of incorrectly configured access control security levels. This issue affects Wiremo: from n/a through 1.4.99.
🛠 CWE: CWE-862
💥 Tag: Missing Authorization
📊 CVSS Metrics:
• NVD: 5.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
• Mitre: 5.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
📚 References:
• vdp.patchstack.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54361
🟨 PT-2025-54377
🗓 Published: 31.12.2025
CVE ID: CVE-2025-62089
Vendor: Mergado
Product: Mergado Pack
Severity: ⚠ MEDIUM (4.3)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack allows cross-site request forgery. This issue affects Mergado Pack: from n/a through 4.2.0.
🛠 CWE: CWE-352
💥 Tag: CSRF
📊 CVSS Metrics:
• NVD: 4.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
• Mitre: 4.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
📚 References:
• nvd.nist.gov
• vdp.patchstack.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54377
🟨 PT-2025-54375
🗓 Published: 31.12.2025
CVE ID: CVE-2025-62084
Vendor: Imdad Next Web
Product: Inext Woo Pincode Checker
Severity: ⚠ MEDIUM (4.3)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Cross-Site Request Forgery (CSRF) vulnerability in Imdad Next Web iNext Woo Pincode Checker allows cross-site request forgery. This issue affects iNext Woo Pincode Checker: from n/a through 2.3.1.
🛠 CWE: CWE-352
💥 Tag: CSRF
📊 CVSS Metrics:
• NVD: 4.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
• Mitre: 4.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
📚 References:
• vdp.patchstack.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54375
🟨 PT-2025-54384
🗓 Published: 31.12.2025
CVE ID: CVE-2025-63014
Vendor: Serhii Pasyuk
Product: Gmedia Photo Gallery
Severity: ⚠ MEDIUM (4.3)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Cross-Site Request Forgery (CSRF) vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows cross-site request forgery. This issue affects Gmedia Photo Gallery: from n/a through 1.24.1.
🛠 CWE: CWE-352
💥 Tag: CSRF
📊 CVSS Metrics:
• NVD: 4.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
• Mitre: 4.3 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
📚 References:
• vdp.patchstack.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54384
🟨 PT-2025-54382
🗓 Published: 31.12.2025
CVE ID: CVE-2025-62751
Vendor: Extend Themes
Product: Vireo
Severity: ⚠ MEDIUM (4.3)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Missing Authorization vulnerability in Extend Themes Vireo allows exploitation of incorrectly configured access control security levels. This issue affects Vireo: from n/a through 1.0.24.
🛠 CWE: CWE-862
💥 Tag: Missing Authorization
📊 CVSS Metrics:
• NVD: 4.3 (MEDIUM)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
• Mitre: 4.3 (MEDIUM)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
📚 References:
• nvd.nist.gov
• vdp.patchstack.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54382
🟨 PT-2025-54436
🗓 Published: 31.12.2025
CVE ID: CVE-2025-15394
Vendor: Undefined
Product: iCMS
Severity: ⚠ MEDIUM (5.8)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Hiro
📖 Description:
A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🛠 CWE: CWE-94, CWE-74
💥 Tag: Code Injection, Special Elements Injection
📊 CVSS Metrics:
• NVD: 5.8 (MEDIUM)
AV:N/AC:L/Au:M/C:P/I:P/A:P
• Mitre: 4.7 (MEDIUM)
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
📚 References:
• vuldb.com
• vuldb.com
• nvd.nist.gov
• note-hxlab.wetolink.com
• vuldb.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54436
🟨 PT-2025-54431
🗓 Published: 31.12.2025
CVE ID: CVE-2025-66149
Vendor: Merkulove
Product: Ungrabber
Severity: ⚠ MEDIUM (5.4)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Unknown
📖 Description:
Missing Authorization vulnerability in merkulove UnGrabber allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnGrabber: from n/a through 3.1.3.
🛠 CWE: CWE-862
💥 Tag: Missing Authorization
📊 CVSS Metrics:
• NVD: 5.4 (MEDIUM)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
• Mitre: 5.4 (MEDIUM)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
📚 References:
• vdp.patchstack.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54431
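The four CSRF entries on this page (EasyIndex, Mergado Pack, iNext Woo Pincode Checker, Gmedia Photo Gallery) and the three missing-authorization entries (Wiremo, Vireo, UnGrabber) are the two halves of one check a WordPress plugin handler needs: the request must carry a nonce tied to the logged-in user and to the action, otherwise a third-party page can make the victim's browser send it (CWE-352); and the user must hold the capability for that action, otherwise any logged-in subscriber can call it directly, nonce or not (CWE-862). A nonce check alone does not authorize, and a capability check alone does not stop CSRF. The block below is added here and is none of those plugins' code; it is a Python sketch of the pattern WordPress exposes as wp_create_nonce/check_ajax_referer and current_user_can, with the site secret, the role table and the handler names assumed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from functools import wraps

SITE_SECRET = secrets.token_bytes(32)   # assumed per-site key (WordPress: the salts)
NONCE_WINDOW = 12 * 3600                # validity tick; WordPress also uses 12-hour ticks

# Role -> capabilities. Trimmed WordPress-like table, assumed for the example.
CAPABILITIES = {
    "administrator": {"manage_options", "edit_posts", "read"},
    "editor": {"edit_posts", "read"},
    "subscriber": {"read"},
}


@dataclass
class Request:
    session_id: str                  # identifies the logged-in user's session
    role: str
    action: str
    nonce: str | None = None
    params: dict = field(default_factory=dict)


def _nonce(tick: int, action: str, session_id: str) -> str:
    msg = f"{tick}|{action}|{session_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(session_id: str, action: str, now: float | None = None) -> str:
    """Bound to this session AND this action: a nonce minted for 'delete_post'
    is useless for 'save_settings', and one minted for Alice is useless for Bob."""
    now = time.time() if now is None else now
    return _nonce(int(now // NONCE_WINDOW), action, session_id)


def verify_nonce(nonce: str | None, session_id: str, action: str, now: float | None = None) -> bool:
    if not isinstance(nonce, str):
        return False
    now = time.time() if now is None else now
    tick = int(now // NONCE_WINDOW)
    # Current and previous window are accepted so a form left open for a few
    # hours still submits; anything older is refused. Constant-time compare.
    return any(hmac.compare_digest(_nonce(t, action, session_id).encode(), nonce.encode())
               for t in (tick, tick - 1))


def protected(action: str, capability: str):
    """Handler decorator doing both checks, CSRF first, then authorization.
    Either failure returns 403 before the handler body runs."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(req: Request, now: float | None = None):
            if req.action != action or not verify_nonce(req.nonce, req.session_id, action, now):
                return 403, "bad or missing nonce (CWE-352)"
            if capability not in CAPABILITIES.get(req.role, set()):
                return 403, f"role {req.role!r} lacks {capability!r} (CWE-862)"
            return fn(req)
        return wrapper
    return decorate


SETTINGS = {"api_key": "initial"}        # constructed plugin state


@protected(action="save_settings", capability="manage_options")
def save_settings(req: Request):
    SETTINGS.update(req.params)
    return 200, "saved"


def save_settings_unprotected(req: Request, now: float | None = None):
    """The shape of the bugs above: any logged-in user can call it directly
    (missing authorization) and any page they visit can make their browser
    call it (CSRF), because nothing is checked."""
    SETTINGS.update(req.params)
    return 200, "saved"


if __name__ == "__main__":
    now = time.time()
    admin = Request("sess-admin", "administrator", "save_settings",
                    create_nonce("sess-admin", "save_settings", now), {"api_key": "k1"})
    print(save_settings(admin, now))                                                  # (200, 'saved')
    print(save_settings(Request("sess-admin", "administrator", "save_settings"), now))  # 403, nonce
    sub = Request("sess-sub", "subscriber", "save_settings",
                  create_nonce("sess-sub", "save_settings", now))
    print(save_settings(sub, now))                                                    # 403, capability
```

The order matters for the error message but not for safety: both checks run before any state changes. In WordPress the equivalent handler calls check_ajax_referer() and current_user_can() at the top; an AJAX action registered only under wp_ajax_nopriv_ additionally needs to be reviewed for whether it should exist at all.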
🟨 PT-2025-54428
🗓 Published: 31.12.2025
CVE ID: CVE-2025-15393
Vendor: Kohana
Product: Kodicms
Severity: ⚠ MEDIUM (6.5)
Status: ✅ Fix available | 🛡 No known exploit
Researchers: Hiro
📖 Description:
A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🛠 CWE: CWE-94, CWE-74
💥 Tag: Code Injection, Special Elements Injection
📊 CVSS Metrics:
• NVD: 6.5 (MEDIUM)
AV:N/AC:L/Au:S/C:P/I:P/A:P
• Mitre: 6.3 (MEDIUM)
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
📚 References:
• vuldb.com
• vuldb.com
• vuldb.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54428
🟧 PT-2025-54418
🗓 Published: 31.12.2025
CVE ID: CVE-2020-36904
Vendor: Selea
Product: Selea Carplateserver
Severity: ⚠ HIGH (7.5)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Unknown
📖 Description:
Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NO LIST EXE PATH configuration parameter. Attackers can bypass authentication through the /cps/ endpoint and modify server configuration, including changing admin passwords and executing system commands.
🛠 CWE: CWE-306
💥 Tag: Missing Authentication
📊 CVSS Metrics:
• NVD: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• Mitre: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
📚 References:
• selea.com
• nvd.nist.gov
• zeroscience.mk
• vulncheck.com
• exploit-db.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54418
🟨 PT-2025-54424
🗓 Published: 31.12.2025
CVE ID: CVE-2021-47743
Vendor: Commax
Product: Commax Biometric Access Control System
Severity: ⚠ MEDIUM (6.1)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Unknown
📖 Description:
COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX ADMIN NM' and 'CMX COMPLEX NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session.
🛠 CWE: CWE-79
💥 Tag: XSS
📊 CVSS Metrics:
• NVD: 6.1 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
• Mitre: 6.1 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
• X.com: 6.1 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
• Positive Technologies: 6.1 (MEDIUM)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
📚 References:
• zeroscience.mk
• commax.com
• twitter.com
• cxsecurity.com
• packetstormsecurity.com
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54424
🟧 PT-2025-54421
🗓 Published: 31.12.2025
CVE ID: CVE-2021-47740
Vendor: Kztech
Product: Kztech Jt3500V 4G Lte Cpe
Severity: ⚠ HIGH (7.5)
Status: ✅ Fix available | 💥 Exploit available
Researchers: Unknown
📖 Description:
KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms.
🛠 CWE: CWE-613
💥 Tag: Insufficient Session Expiration
📊 CVSS Metrics:
• NVD: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• Mitre: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• X.com: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• Positive Technologies: 7.5 (HIGH)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
📚 References:
• kzbtech.com
• vulncheck.com
• jatontech.com
• packetstormsecurity.com
• nvd.nist.gov
🔗 More details:
https://dbugs.ptsecurity.com/vulnerability/PT-2025-54421
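The KZTech entry is a CWE-613 case: a session credential keeps working after it should have died. The block below is an added example and not the device's firmware (the lifetimes, token format and store are assumptions): a server-side session store with idle and absolute lifetimes, invalidation on logout, rotation on login, and per-user revocation, placed next to a never-expiring store that behaves the way the description says. The clock is passed in so expiry can be exercised without waiting.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

IDLE_TTL = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TTL = 8 * 3600     # hard cap regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class NeverExpiringStore:
    """The behaviour the advisory describes: tokens are only ever added, and
    logout only tells the client to forget its cookie, so a captured or leaked
    token works indefinitely."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str, now: float) -> str | None:
        s = self._sessions.get(token)
        return s.user if s else None

    def logout(self, token: str) -> None:
        pass                      # nothing happens server-side


class ExpiringStore:
    """Server-side state is authoritative; the token is only a lookup key."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str, now: float) -> str | None:
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            del self._sessions[token]          # expired: evict, do not just refuse
            return None
        s.last_seen = now
        return s.user

    def rotate(self, token: str, now: float) -> str | None:
        """Fresh token for the same user (re-login, privilege change); the old
        one dies, which also defeats session fixation."""
        user = self.resolve(token, now)
        if user is None:
            return None
        del self._sessions[token]
        return self.login(user, now)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_user(self, user: str) -> int:
        """Password change or admin action: every session of this user dies."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


if __name__ == "__main__":
    T0 = 1_700_000_000.0
    bad = NeverExpiringStore()
    t = bad.login("admin", T0)
    bad.logout(t)
    print(bad.resolve(t, T0 + 30 * 24 * 3600))   # 'admin': still valid a month after logout
    good = ExpiringStore()
    t = good.login("admin", T0)
    good.logout(t)
    print(good.resolve(t, T0 + 1))               # None
```

Two details carry most of the value: the absolute lifetime, which bounds how long a stolen token is useful even against a client that keeps it warm, and eviction on expiry, so the store cannot grow without bound while a client retries a dead token.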