In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between October 24-25, 2025.
During this period, the National Vulnerability Database published 109 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 7
High: 38
Medium: 34
Low: 1
Severity Not Assigned: 29
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-62868
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Edge CPT allows PHP Local File Inclusion. This issue affects Edge CPT: from n/a through 1.4.
References: https://vdp.patchstack.com/database/wordpress/plugin/edge-cpt/security-policy/vdp/vulnerability/wordpress-edge-cpt-plugin-1-4-local-file-inclusion-vulnerability?_s_id=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-6440
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2f8da1-7503-45e3-8a7d-0031ce264edf?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-11253
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aksis Technology Inc. Netty ERP allows SQL Injection. This issue affects Netty ERP: before V.1.1000.
References: https://www.usom.gov.tr/bildirim/tr-25-0359
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2025-11504
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently use that to perform actions on the site like creating new posts and injecting XSS payloads.
References: https://wordpress.org/plugins/quickcreator/
https://www.wordfence.com/threat-intel/vulnerabilities/id/561f171e-f13e-408b-a63e-bf6a512d4463?source=cve
CWE-ID: CWE-532
Common Platform Enumerations (CPE): Not Found
5. CVE-2025-11889
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.15. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://wordpress.org/plugins/all-in-one-forms/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc69491-0f40-4bab-9215-b25f72110e26?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
6. CVE-2025-12028
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete).
References: https://plugins.trac.wordpress.org/browser/indieauth/tags/4.5.4/includes/class-indieauth-authorization-endpoint.php#L411
https://plugins.trac.wordpress.org/browser/indieauth/tags/4.5.4/includes/class-indieauth-authorization-endpoint.php#L418
https://plugins.trac.wordpress.org/browser/indieauth/tags/4.5.4/includes/class-indieauth-authorization-endpoint.php#L476
https://www.wordfence.com/threat-intel/vulnerabilities/id/42b373da-d5a6-4e3b-90f4-059da3641841?source=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
7. CVE-2025-10680
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use.
References: https://community.openvpn.net/Security%20Announcements/CVE-2025-10680
https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00149.html
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
8. CVE-2025-10861
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.
References: https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L15
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L35
https://plugins.trac.wordpress.org/changeset/3369146/
https://plugins.trac.wordpress.org/changeset/3379308/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f4767b5-5dd6-4a2a-b44a-5297432286b1?source=cve
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
9. CVE-2025-46183
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: The Utils.deserialize function in pgCodeKeeper 10.12.0 processes serialized data from untrusted sources. If an attacker provides a specially crafted .ser file, deserialization may result in unintended code execution or other malicious behavior on the target system.
References: https://github.com/hacktimepro/vulnerabilities/blob/main/Disclosure_CVE-2025-46183_pgcodekeeper.md
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
10. CVE-2025-11145
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting. This issue affects enVision: before 250566.
References: https://www.usom.gov.tr/bildirim/tr-25-0361
CWE-ID: CWE-200 CWE-203 CWE-359
Common Platform Enumerations (CPE): Not Found
11. CVE-2025-43994
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
References: https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities
CWE-ID: CWE-306
Common Platform Enumerations (CPE): Not Found
12. CVE-2025-43995
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These userids are special users created in compellentservicesapi for special purposes.
References: https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
13. CVE-2025-60568
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formAdvFirewall.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/23-buffer%20overflow-formAdvFirewall.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
14. CVE-2025-60569
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetRoute.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/25-buffer%20overflow-formSetRoute.md
https://www.dlink.com/en/security-bulletin/
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
15. CVE-2025-60570
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formLogDnsquery.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/26-buffer%20overflow-formLogDnsquery.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
16. CVE-2025-60571
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600LAx FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetQoS.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/24-buffer%20overflow-formSetQoS.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
17. CVE-2025-60572
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formAdvNetwork.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/22-buffer%20overflow-formAdvNetwork.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
18. CVE-2025-60938
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: Emoncms 11.7.3 has a remote code execution vulnerability in the firmware upload feature that allows authenticated users to execute arbitrary commands on the target system. The vulnerability stems from insufficient input validation of user-controlled parameters including filename, port, baud_rate, core, and autoreset within the /admin/upload-custom-firmware endpoint.
References: https://github.com/emoncms/emoncms/issues/1941
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
19. CVE-2025-60547
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWAN_Wizard7.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/02-buffer%20overflow-formSetWAN_Wizard7.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
20. CVE-2025-60548
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formLanSetupRouterSettings.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/01-buffer%20overflow-formLanSetupRouterSettings.md
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
21. CVE-2025-60549
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formAutoDetecWAN_wizard4.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/05-buffer%20overflow-formAutoDetecWAN_wizard4.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
22. CVE-2025-60550
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formEasySetTimezone.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/04-buffer%20overflow-formEasySetTimezone.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
23. CVE-2025-60551
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the next_page parameter in the function formDeviceReboot.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/07-buffer%20overflow-formDeviceReboot.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
24. CVE-2025-60552
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formTcpipSetup.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/06-buffer%20overflow-formTcpipSetup.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
25. CVE-2025-60553
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWAN_Wizard52.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/03-buffer%20overflow-formSetWAN_Wizard52.md
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
26. CVE-2025-60554
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetEnableWizard.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/08-buffer%20overflow-formSetEnableWizard.md
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
27. CVE-2025-60555
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWizardSelectMode.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/10-buffer%20overflow-formSetWizardSelectMode.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
28. CVE-2025-60556
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWizard1.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/09-buffer%20overflow-formSetWizard1.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
29. CVE-2025-60557
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetEasy_Wizard.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/13-buffer%20overflow-formSetEasy_Wizard.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
30. CVE-2025-60558
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formVirtualServ.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/16-buffer%20overflow-formVirtualServ.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
31. CVE-2025-60559
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetDomainFilter.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/19-buffer%20overflow-formSetDomainFilter.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
32. CVE-2025-60561
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetEmail.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/12-buffer%20overflow-formSetEmail.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
33. CVE-2025-60562
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formWlSiteSurvey.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/15-buffer%20overflow-formWlSiteSurvey.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
34. CVE-2025-60563
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetPortTr.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/18-buffer%20overflow-formSetPortTr.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
35. CVE-2025-60564
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetLog.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/14-buffer%20overflow-formSetLog.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
36. CVE-2025-60565
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSchedule.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/17-buffer%20overflow-formSchedule.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
37. CVE-2025-60566
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetMACFilter.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/20-buffer%20overflow-formSetMACFilter.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
38. CVE-2025-60801
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.
References: https://fushuling.com/index.php/2025/08/17/%e7%bb%95%e8%bf%87%e8%a1%a5%e4%b8%81%ef%bc%8c%e5%86%8d%e6%ac%a1%e5%ae%9e%e7%8e%b0%e5%8d%8e%e5%a4%8ferp%e6%9c%aa%e6%8e%88%e6%9d%83rce%e5%b7%b2%e4%bf%ae%e5%a4%8d/
https://github.com/jishenghua/jshERP/issues/132
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
39. CVE-2025-60803
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Antabot White-Jotter up to commit 9bcadc was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the component /api/aaa;/../register.
References: https://github.com/Antabot/White-Jotter/issues/162
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
40. CVE-2025-60730
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: PerfreeBlog v4.0.11 has an arbitrary file deletion vulnerability in the unInstallTheme function.
References: http://perfreeblog.com
https://github.com/dengxmenglihua/cve/blob/main/PerfreeBlog/File%20Deletion/Arbitrary%20File%20Deletion%20Vulnerability%20in%20PerfreeBlog%20System.md
https://perfree.org.cn/
CWE-ID: CWE-459
Common Platform Enumerations (CPE): Not Found
41. CVE-2025-60731
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function.
References: http://perfreeblog.com
https://github.com/dengxmenglihua/cve/blob/main/PerfreeBlog/File%20Upload/Arbitrary%20File%20Upload%20Vulnerability%20in%20PerfreeBlog%20System.md
https://perfree.org.cn/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
42. CVE-2025-60735
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function.
References: http://perfreeblog.com
https://github.com/dengxmenglihua/cve/blob/main/PerfreeBlog/File%20Upload%202/Arbitrary%20File%20Upload%20Vulnerability%20in%20PerfreeBlog%20System.md
https://perfree.org.cn/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
43. CVE-2025-62716
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0.
References: https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f
CWE-ID: CWE-79 CWE-601
Common Platform Enumerations (CPE): Not Found
44. CVE-2025-52099
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a remote attacker to cause a denial of service via the setupLookaside function.
References: http://sqlite3.com
https://github.com/SCREAMBBY/CVE-2025-52099
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
45. CVE-2025-60954
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts.
References: https://gist.github.com/progprnv/feae2b76f2db0cb2ac6e14b1bf7d8646
https://github.com/microweber/microweber
https://github.com/progprnv/CVE-Reports/blob/main/CVE-2025-60954
CWE-ID: CWE-521
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 24-25, 2025.
During this period, The National Vulnerability Database published 109, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 7
High: 38
Medium: 34
Low: 1
Severity Not Assigned: 29
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-62868
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Edge CPT allows PHP Local File Inclusion.This issue affects Edge CPT: from n/a through 1.4.
References: https://vdp.patchstack.com/database/wordpress/plugin/edge-cpt/security-policy/vdp/vulnerability/wordpress-edge-cpt-plugin-1-4-local-file-inclusion-vulnerability?_s_id=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-6440
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2f8da1-7503-45e3-8a7d-0031ce264edf?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-11253
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aksis Technology Inc. Netty ERP allows SQL Injection.This issue affects Netty ERP: before V.1.1000.
References: https://www.usom.gov.tr/bildirim/tr-25-0359
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2025-11504
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently use that to perform actions on the site like creating new posts and injecting XSS payloads.
References: https://wordpress.org/plugins/quickcreator/
https://www.wordfence.com/threat-intel/vulnerabilities/id/561f171e-f13e-408b-a63e-bf6a512d4463?source=cve
CWE-ID: CWE-532
Common Platform Enumerations (CPE): Not Found
5. CVE-2025-11889
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.15. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://wordpress.org/plugins/all-in-one-forms/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc69491-0f40-4bab-9215-b25f72110e26?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
6. CVE-2025-12028
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete).
References: https://plugins.trac.wordpress.org/browser/indieauth/tags/4.5.4/includes/class-indieauth-authorization-endpoint.php#L411
https://plugins.trac.wordpress.org/browser/indieauth/tags/4.5.4/includes/class-indieauth-authorization-endpoint.php#L418
https://plugins.trac.wordpress.org/browser/indieauth/tags/4.5.4/includes/class-indieauth-authorization-endpoint.php#L476
https://www.wordfence.com/threat-intel/vulnerabilities/id/42b373da-d5a6-4e3b-90f4-059da3641841?source=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
7. CVE-2025-10680
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use
References: https://community.openvpn.net/Security%20Announcements/CVE-2025-10680
https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00149.html
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
8. CVE-2025-10861
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.
References: https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L15
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.2/includes/Routes/FetchDemo.php#L35
https://plugins.trac.wordpress.org/changeset/3369146/
https://plugins.trac.wordpress.org/changeset/3379308/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f4767b5-5dd6-4a2a-b44a-5297432286b1?source=cve
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
9. CVE-2025-46183
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: The Utils.deserialize function in pgCodeKeeper 10.12.0 processes serialized data from untrusted sources. If an attacker provides a specially crafted .ser file, deserialization may result in unintended code execution or other malicious behavior on the target system.
References: https://github.com/hacktimepro/vulnerabilities/blob/main/Disclosure_CVE-2025-46183_pgcodekeeper.md
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
10. CVE-2025-11145
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting. This issue affects enVision: before 250566.
References: https://www.usom.gov.tr/bildirim/tr-25-0361
CWE-ID: CWE-200 CWE-203 CWE-359
Common Platform Enumerations (CPE): Not Found
11. CVE-2025-43994
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: Dell Storage Center - Dell Storage Manager, version(s) DSM 20.1.21, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
References: https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities
CWE-ID: CWE-306
Common Platform Enumerations (CPE): Not Found
12. CVE-2025-43995
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Dell Storage Center - Dell Storage Manager, version(s) 20.1.21, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId. These UserIds are special users created in compellentservicesapi for special purposes.
References: https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
13. CVE-2025-60568
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formAdvFirewall.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/23-buffer%20overflow-formAdvFirewall.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
14. CVE-2025-60569
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetRoute.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/25-buffer%20overflow-formSetRoute.md
https://www.dlink.com/en/security-bulletin/
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
15. CVE-2025-60570
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formLogDnsquery.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/26-buffer%20overflow-formLogDnsquery.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
16. CVE-2025-60571
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600LAx FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetQoS.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/24-buffer%20overflow-formSetQoS.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
17. CVE-2025-60572
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formAdvNetwork.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/22-buffer%20overflow-formAdvNetwork.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
18. CVE-2025-60938
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: Emoncms 11.7.3 has a remote code execution vulnerability in the firmware upload feature that allows authenticated users to execute arbitrary commands on the target system. The vulnerability stems from insufficient input validation of user-controlled parameters including filename, port, baud_rate, core, and autoreset within the /admin/upload-custom-firmware endpoint.
References: https://github.com/emoncms/emoncms/issues/1941
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
19. CVE-2025-60547
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWAN_Wizard7.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/02-buffer%20overflow-formSetWAN_Wizard7.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
20. CVE-2025-60548
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formLanSetupRouterSettings.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/01-buffer%20overflow-formLanSetupRouterSettings.md
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
21. CVE-2025-60549
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formAutoDetecWAN_wizard4.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/05-buffer%20overflow-formAutoDetecWAN_wizard4.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
22. CVE-2025-60550
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formEasySetTimezone.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/04-buffer%20overflow-formEasySetTimezone.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
23. CVE-2025-60551
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the next_page parameter in the function formDeviceReboot.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/07-buffer%20overflow-formDeviceReboot.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
24. CVE-2025-60552
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formTcpipSetup.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/06-buffer%20overflow-formTcpipSetup.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
25. CVE-2025-60553
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWAN_Wizard52.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/03-buffer%20overflow-formSetWAN_Wizard52.md
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
26. CVE-2025-60554
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetEnableWizard.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/08-buffer%20overflow-formSetEnableWizard.md
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
27. CVE-2025-60555
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWizardSelectMode.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/10-buffer%20overflow-formSetWizardSelectMode.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
28. CVE-2025-60556
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetWizard1.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/09-buffer%20overflow-formSetWizard1.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
29. CVE-2025-60557
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetEasy_Wizard.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/13-buffer%20overflow-formSetEasy_Wizard.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
30. CVE-2025-60558
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formVirtualServ.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/16-buffer%20overflow-formVirtualServ.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
31. CVE-2025-60559
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetDomainFilter.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/19-buffer%20overflow-formSetDomainFilter.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
32. CVE-2025-60561
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetEmail.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/12-buffer%20overflow-formSetEmail.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
33. CVE-2025-60562
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formWlSiteSurvey.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/15-buffer%20overflow-formWlSiteSurvey.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
34. CVE-2025-60563
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetPortTr.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/18-buffer%20overflow-formSetPortTr.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
35. CVE-2025-60564
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetLog.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/14-buffer%20overflow-formSetLog.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
36. CVE-2025-60565
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSchedule.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/17-buffer%20overflow-formSchedule.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
37. CVE-2025-60566
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the curTime parameter in the function formSetMACFilter.
References: https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/20-buffer%20overflow-formSetMACFilter.md
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
38. CVE-2025-60801
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.
References: https://fushuling.com/index.php/2025/08/17/%e7%bb%95%e8%bf%87%e8%a1%a5%e4%b8%81%ef%bc%8c%e5%86%8d%e6%ac%a1%e5%ae%9e%e7%8e%b0%e5%8d%8e%e5%a4%8ferp%e6%9c%aa%e6%8e%88%e6%9d%83rce%e5%b7%b2%e4%bf%ae%e5%a4%8d/
https://github.com/jishenghua/jshERP/issues/132
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
39. CVE-2025-60803
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Antabot White-Jotter up to commit 9bcadc was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the component /api/aaa;/../register.
References: https://github.com/Antabot/White-Jotter/issues/162
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
40. CVE-2025-60730
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: PerfreeBlog v4.0.11 has an arbitrary file deletion vulnerability in the unInstallTheme function.
References: http://perfreeblog.com
https://github.com/dengxmenglihua/cve/blob/main/PerfreeBlog/File%20Deletion/Arbitrary%20File%20Deletion%20Vulnerability%20in%20PerfreeBlog%20System.md
https://perfree.org.cn/
CWE-ID: CWE-459
Common Platform Enumerations (CPE): Not Found
41. CVE-2025-60731
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function.
References: http://perfreeblog.com
https://github.com/dengxmenglihua/cve/blob/main/PerfreeBlog/File%20Upload/Arbitrary%20File%20Upload%20Vulnerability%20in%20PerfreeBlog%20System.md
https://perfree.org.cn/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
42. CVE-2025-60735
Base Score: 7.6
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.7
Description: PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function.
References: http://perfreeblog.com
https://github.com/dengxmenglihua/cve/blob/main/PerfreeBlog/File%20Upload%202/Arbitrary%20File%20Upload%20Vulnerability%20in%20PerfreeBlog%20System.md
https://perfree.org.cn/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
43. CVE-2025-62716
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim's browser. The issue can be exploited without authentication and has severe impact, including information disclosure, privilege escalation, and modification of administrative settings. This issue has been patched in version 1.1.0.
References: https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f
CWE-ID: CWE-79 CWE-601
Common Platform Enumerations (CPE): Not Found
44. CVE-2025-52099
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a remote attacker to cause a denial of service via the setupLookaside function.
References: http://sqlite3.com
https://github.com/SCREAMBBY/CVE-2025-52099
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
45. CVE-2025-60954
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts.
References: https://gist.github.com/progprnv/feae2b76f2db0cb2ac6e14b1bf7d8646
https://github.com/microweber/microweber
https://github.com/progprnv/CVE-Reports/blob/main/CVE-2025-60954
CWE-ID: CWE-521
Common Platform Enumerations (CPE): Not Found