Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for October 30-31, 2025

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between October 30-31, 2025.
During this period, the National Vulnerability Database published 208 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 3
High: 35
Medium: 26
Low: 3
Severity Not Assigned: 141

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2025-12082
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
References: https://www.drupal.org/sa-contrib-2025-112

CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found

2. CVE-2025-12466
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
References: https://www.drupal.org/sa-contrib-2025-114

CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found

3. CVE-2025-9954
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5.
References: https://www.drupal.org/sa-contrib-2025-105

CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found

4. CVE-2025-62231
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.5
Description: A flaw was identified in the X.Org X server’s X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.
References: https://access.redhat.com/security/cve/CVE-2025-62231
https://bugzilla.redhat.com/show_bug.cgi?id=2402660

CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found

5. CVE-2025-62229
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.5
Description: A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.
References: https://access.redhat.com/security/cve/CVE-2025-62229
https://bugzilla.redhat.com/show_bug.cgi?id=2402649

CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found

6. CVE-2025-62230
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.5
Description: A flaw was discovered in the X.Org X server’s X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.
References: https://access.redhat.com/security/cve/CVE-2025-62230
https://bugzilla.redhat.com/show_bug.cgi?id=2402653

CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found

7. CVE-2025-54469
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the popen function to execute a shell command that determines whether the ports used by the consul subprocess are still active. The values of environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization. This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container.
References: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54469
https://github.com/neuvector/neuvector/security/advisories/GHSA-c8g6-qrwh-m3vp

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

8. CVE-2025-54470
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the telemetry server's response into memory without any size limitation, which makes it vulnerable to a Denial of Service (DoS) attack.
References: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54470
https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w

CWE-ID: CWE-295
Common Platform Enumerations (CPE): Not Found

9. CVE-2025-43939
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges.
References: https://www.dell.com/support/kbdoc/en-us/000385307/dsa-2025-379-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

10. CVE-2025-43940
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to command execution and elevation of privileges.
References: https://www.dell.com/support/kbdoc/en-us/000385307/dsa-2025-379-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

11. CVE-2025-43941
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges. This vulnerability only affects systems without a valid license installed.
References: https://www.dell.com/support/kbdoc/en-us/000385307/dsa-2025-379-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

12. CVE-2025-43027
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: A critical severity vulnerability has been identified in the ALPR Manager role of Security Center that could allow attackers to gain administrative access to the Genetec Security Center system. The Genetec engineering team discovered this issue internally. There is currently no evidence that this vulnerability has been exploited in the wild.
References: https://resources.genetec.com/security-advisories/critical-security-vulnerability-affecting-the-alpr-manager-role-of-security-center
https://ressources.genetec.com/avis-de-securite/faille-de-securite-critique-affectant-le-role-gestionnaire-rapi-de-security-center

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

13. CVE-2025-43942
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges.
References: https://www.dell.com/support/kbdoc/en-us/000385307/dsa-2025-379-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

14. CVE-2025-46422
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges.
References: https://www.dell.com/support/kbdoc/en-us/000385307/dsa-2025-379-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

15. CVE-2025-46423
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges.
References: https://www.dell.com/support/kbdoc/en-us/000385307/dsa-2025-379-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities

CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found

16. CVE-2025-61113
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: TalkTalk 3.3.6 Android App contains improper access control vulnerabilities in multiple API endpoints. By modifying request parameters, attackers may obtain sensitive user information (such as device identifiers and birthdays) and access private group information, including join credentials. Successful exploitation may result in privacy breaches and unauthorized access to restricted resources.
References: https://kar1oz.notion.site/TalkTalk-2619a473ecb28072b600dfcc7791c9d2

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

17. CVE-2025-61115
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its login mechanism. The application does not properly validate user passwords during authentication, allowing attackers to bypass login checks and obtain valid session identifiers. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.
References: https://kar1oz.notion.site/ABC-Fine-Wine-Spirits-2629a473ecb2807787e2f2557e504c7d

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

18. CVE-2025-61116
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mechanism. The app uses a Base64-encoded email address as the authorization credential, which can be manipulated by attackers to gain unauthorized access to user accounts. Successful exploitation could result in account compromise, privacy breaches, and misuse of the platform.
References: https://kar1oz.notion.site/AdForest-Classified-2629a473ecb2806cb787d3654f3e50b8

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

19. CVE-2025-61117
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user data API endpoints, attackers can obtain authentication tokens and perform account takeover. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.
References: https://kar1oz.notion.site/Senza-Keto-Fasting-2629a473ecb28079bce0dab884d912a2

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

20. CVE-2025-61118
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data and groups. Successful exploitation could result in fake account creation, privacy breaches, and misuse of the platform.
References: https://kar1oz.notion.site/mCarFix-Motorists-App-2629a473ecb280ac8679c73098423cf0

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

21. CVE-2025-62712
Base Score: 9.6
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.8
Description: JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.
References: https://github.com/jumpserver/jumpserver/commit/453ad331eec9d9667a38de735d6612608e558491
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-6ghx-6vpv-3wg7

CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found

22. CVE-2025-61114
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: 2nd Line Android App version v1.2.92 and before (package name com.mysecondline.app), developed by AutoBizLine, Inc., contains an improper access control vulnerability in its authentication mechanism. The server only validates the first character of the user_token, enabling attackers to brute force tokens and perform unauthorized queries on other user accounts. Successful exploitation could result in privacy breaches and unauthorized access to user data.
References: https://kar1oz.notion.site/2nd-Line-2629a473ecb280739ecac2d316da666c

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

23. CVE-2025-61119
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Kanova Android App version 1.0.27 (package name com.karelane), developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and obtain group information, including entry codes, by manipulating API request parameters. Successful exploitation could result in privacy breaches, unauthorized group access, and misuse of the platform.
References: https://kar1oz.notion.site/Kanova-2629a473ecb2801bac89ce99d0b30df7

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

24. CVE-2025-61120
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: AG Life Logger Android App version v1.0.2.72 and before (package name com.donki.healthy), developed by IO FIT, K.K., contains improper access control vulnerabilities. Exposed credentials in traffic may allow attackers to misuse cloud resources, and predictable verification codes make brute-force account logins feasible. Successful exploitation could result in account compromise, privacy breaches, and abuse of cloud resources.
References: https://kar1oz.notion.site/AG-Life-Logger-2629a473ecb280c693e7d5d4a99de559

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

25. CVE-2025-61121
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Mobile Scanner Android App version 2.12.38 (package name com.glority.everlens), developed by Glority Global Group Ltd., contains a credential leakage vulnerability. Improper handling of cloud service credentials may allow attackers to obtain them and carry out unauthorized actions, such as sensitive information disclosure and abuse of cloud resources. Successful exploitation could result in privacy breaches and misuse of the platform infrastructure.
References: https://kar1oz.notion.site/Mobile-Scanner-2659a473ecb28058a9f3e06cff61781c

CWE-ID: CWE-523
Common Platform Enumerations (CPE): Not Found

26. CVE-2025-61196
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An issue in BusinessNext CRMnext v.10.8.3.0 allows a remote attacker to execute arbitrary code via the comments input parameter.
References: https://github.com/zsamamah/CVE-2025-61196/blob/main/CVE-2025-61196.md

CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found

27. CVE-2025-62726
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.
References: https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997
https://github.com/n8n-io/n8n/pull/19559
https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47

CWE-ID: CWE-829
Common Platform Enumerations (CPE): Not Found

28. CVE-2025-62795
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.
References: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822

CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found

29. CVE-2025-64096
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to 1.4.2, there is a missing bounds check in Crypto_Key_update() (crypto_key_mgmt.c) which allows a remote attacker to trigger a stack-based buffer overflow by supplying a TLV packet with a spoofed length field. The function calculates the number of keys from an attacker-controlled field (pdu_len), which may exceed the static array size (kblk[98]), leading to an out-of-bounds write and potential memory corruption. This vulnerability is fixed in 1.4.2.
References: https://github.com/nasa/CryptoLib/security/advisories/GHSA-w6c3-pxvr-6m6j

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

30. CVE-2025-64112
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.
References: https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1
https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found

31. CVE-2025-36137
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.
References: https://www.ibm.com/support/pages/node/7249678

CWE-ID: CWE-250
Common Platform Enumerations (CPE): Not Found

32. CVE-2025-63298
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of arbitrary files on the web server or underlying operating system.
References: https://github.com/z3rObyte/CVE-2025-63298
https://www.sourcecodester.com/sites/default/files/download/mayuri_k/petgrooming_erp.zip

CWE-ID: CWE-24
Common Platform Enumerations (CPE): Not Found

33. CVE-2025-63422
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Incorrect access control in the Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to arbitrarily change the administrator username and password via sending a crafted GET request.
References: https://github.com/5ulfur/security-advisories/tree/main/CVE-2025-63422
https://imgur.com/a/X9DNOBj

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

34. CVE-2025-3355
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
References: https://www.ibm.com/support/pages/node/7249694

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

35. CVE-2025-3356
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view, overwrite, or append to arbitrary files on the system.
References: https://www.ibm.com/support/pages/node/7249694

CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found

36. CVE-2025-61141
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands.
References: https://advisory.dw1.io/54/
https://github.com/sqls-server/sqls/
https://lukmanern.github.io/CVE-2025-61141.html

CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found

37. CVE-2025-61498
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service (DoS) via supplying a crafted packet.
References: http://tenda.com
https://github.com/sakshi-garg02/CVEs/tree/main/CVE-2025-61498

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

38. CVE-2025-63423
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 was discovered to store the Administrator password.
References: https://github.com/5ulfur/security-advisories/tree/main/CVE-2025-63423
https://imgur.com/a/X9DNOBj

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
