CVE ID : CVE-2025-9839

Published : Sept. 2, 2025, 11:15 p.m. | 2 hours, 24 minutes ago

Description : A security flaw has been discovered in itsourcecode Student Information Management System 1.0. The affected element is an unknown function of the file /admin/modules/course/index.php. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-22438

Published : Sept. 2, 2025, 11:15 p.m. | 2 hours, 24 minutes ago

Description : In afterKeyEventLockedInterruptable of InputDispatcher.cpp, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-22439

Published : Sept. 2, 2025, 11:15 p.m. | 2 hours, 24 minutes ago

Description : In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-22442

Published : Sept. 2, 2025, 11:15 p.m. | 2 hours, 24 minutes ago

Description : In multiple functions of DevicePolicyManagerService.java, there is a possible way to install unauthorized applications into a newly created work profile due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-9840

Published : Sept. 2, 2025, 11:15 p.m. | 2 hours, 24 minutes ago

Description : A weakness has been identified in itsourcecode Sports Management System 1.0. The impacted element is an unknown function of the file /Admin/gametype.php. Executing manipulation of the argument code can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-54588

Published : Sept. 3, 2025, 12:15 a.m. | 1 hour, 24 minutes ago

Description : Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Versions 1.34.0 through 1.34.4 and 1.35.0 contain a use-after-free (UAF) vulnerability in the DNS cache, causing abnormal process termination. The vulnerability is in Envoy’s Dynamic Forward Proxy implementation, occurring when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This condition may occur when the following conditions are met: dynamic Forwarding Filter is enabled, the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters. This issue is resolved in versions 1.34.5 and 1.35.1. To work around this issue, set the envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag to false.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-9841

Published : Sept. 3, 2025, 12:15 a.m. | 1 hour, 24 minutes ago

Description : A security vulnerability has been detected in code-projects Mobile Shop Management System 1.0. This affects an unknown function of the file AddNewProduct.php. The manipulation of the argument ProductImage leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-9842

Published : Sept. 3, 2025, 12:15 a.m. | 1 hour, 24 minutes ago

Description : A vulnerability was detected in Das Parking Management System 停车场管理系统 6.2.0. This impacts an unknown function of the file /Operator/Search. The manipulation results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used.

Severity: 5.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-9260

Published : Sept. 3, 2025, 12:15 a.m. | 1 hour, 24 minutes ago

Description : The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible.
While the vendor patched this issue in version 6.1.0, the patch caused a fatal error in the vulnerable code, due to a missing class import, so we consider 6.1.2 to be the most complete and best patched version

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-58163

Published : Sept. 3, 2025, 2:15 a.m. | 29 minutes ago

Description : FreeScout is a free help desk and shared inbox built with PHP’s Laravel framework. In versions 1.8.185 and below, the application performs deserialization of data that can allow authenticated attackers with knowledge of the application’s APP_KEY to achieve remote code execution. The vulnerability can be exploited via endpoint: `/help/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}` where the `customer_id` and `timestamp` parameters are processed through the decrypt function in `app/Helper.php` without proper validation. The vulnerable code performs decryption using Laravel’s built-in encryption functions, which subsequently deserializes the decrypted payload without sanitization. This is fixed in version 1.8.186.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Pydio Cells is a full rewrite of the Pydio project using the Go language following a micro-service architecture. The post…

US judge in antitrust case rules Google can keep paying Mozilla and other companies for default search placement, but bans…

AList is a file list/WebDAV program that supports multiple storages, powered by Gin and Solidjs. The post AList – file…

OnTheSpot is an easy to use music downloader. It’s written in Python. The post OnTheSpot – GUI music downloader appeared…

GIMP 3.1.4 is out, a fresh development snapshot of what will become the next major stable release. It introduces two…

As coding agents have grown more powerful, a pattern has emerged: you describe your goal, get a block of code…

Gyroflow is an application that can stabilize your video by using motion data from a gyroscope and optionally an accelerometer.…

One of the newer CSS features that has piqued my interest: the light-dark() function. And I’ve been closely following it ever since…

I explore the apps already present on the Volla Phone Quintus, a premium smartphone running Ubuntu Touch. The post Volla…

Blade OS is a distro based on Debian with a clean UI and useful software pre-installed for all you need…