Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13422, has been discovered in FreeProjectCodes Sports Club Management System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands on the system’s database, potentially leading to data breaches, unauthorized access, and complete system compromise. The exploit is publicly available, increasing the urgency of addressing this issue. Technical Details The vulnerability resides in the /dashboard/admin/change_s_pwd.php file. Specifically, an unknown function handling the login_id argument is susceptible to SQL injection. By manipulating the login_id parameter, an attacker can inject malicious SQL code into database queries. The lack of proper input…

Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13421, has been discovered in itsourcecode Human Resource Management System 1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands by manipulating the noticeDesc argument within the /src/store/NoticeStore.php file. The exploit is publicly available, making immediate action critical for affected systems. Technical Details The vulnerability resides within the /src/store/NoticeStore.php file of the itsourcecode Human Resource Management System 1.0. Specifically, an unknown function is susceptible to SQL injection through the noticeDesc parameter. By crafting malicious SQL code within this parameter, a remote attacker can potentially read, modify, or delete sensitive data stored…

Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13420, has been discovered in itsourcecode Human Resource Management System (HRM) version 1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to sensitive data breaches, system compromise, and other malicious activities. Given its publicly available exploit and ease of exploitation, organizations using this software are strongly advised to take immediate action. Technical Details The vulnerability resides within the /src/store/EventStore.php file. Specifically, the application fails to properly sanitize the eventSubject argument, leading to SQL injection. An attacker can manipulate this parameter to inject malicious SQL code into database queries.…

Overview CVE-2025-13415 is a low-severity Cross-Site Scripting (XSS) vulnerability identified in icret EasyImages versions up to 2.8.6. The vulnerability resides within the SVG Image Handler component of the software. An attacker can exploit this flaw by manipulating the ‘File’ argument in the /app/upload.php script, leading to the injection of malicious scripts into the application. This attack can be initiated remotely. Technical Details The vulnerability stems from insufficient sanitization and validation of user-supplied input within the /app/upload.php script when handling SVG image uploads. Specifically, the ‘File’ argument, which carries the uploaded SVG file data, is not properly filtered for potentially malicious…

Overview This article provides a comprehensive overview of CVE-2025-11884, a Stored Cross-Site Scripting (XSS) vulnerability affecting OpenText uCMDB version 24.4. This vulnerability allows an attacker with high-level access to uCMDB to inject malicious scripts into the application’s data, potentially compromising the confidentiality, integrity, and availability of the system. Technical Details CVE-2025-11884 is a Stored XSS vulnerability. It occurs because uCMDB fails to properly neutralize user-supplied input during web page generation. An attacker with sufficient privileges (high-level access to uCMDB) can create or update data records within uCMDB, embedding malicious JavaScript code within these records. When other users view these records…

Overview A critical vulnerability, identified as CVE-2025-11001, has been discovered in 7-Zip. This flaw allows remote attackers to execute arbitrary code on systems using affected versions of the software. Exploitation requires user interaction, typically involving opening a specially crafted ZIP file. This vulnerability stems from improper handling of symbolic links within ZIP archives. Technical Details CVE-2025-11001 is a directory traversal vulnerability residing within 7-Zip’s ZIP file parsing functionality. Specifically, the vulnerability arises from the incorrect handling of symbolic links embedded within ZIP archives. A specially crafted ZIP file containing malicious symbolic links can cause 7-Zip to traverse to unintended directories…

Overview This article details a critical security vulnerability identified as CVE-2025-63719, affecting Campcodes Online Hospital Management System version 1.0. The vulnerability is a SQL Injection flaw located in the /admin/index.php file, specifically through the username parameter. This flaw could allow an attacker to execute arbitrary SQL commands, potentially leading to data breaches, system compromise, and unauthorized access to sensitive information. Technical Details The SQL Injection vulnerability exists because the application fails to properly sanitize user-supplied input before using it in a SQL query. An attacker can inject malicious SQL code into the username parameter when attempting to log into the…

Overview This article details a directory traversal vulnerability identified as CVE-2025-63371 affecting Milos Paripovic’s OneCommander version 3.102.0.0. This vulnerability resides within the application’s ZIP file processing component, specifically the functionality responsible for extracting and handling the contents of ZIP archives. An attacker could potentially exploit this vulnerability to write files to arbitrary locations on the file system, potentially leading to code execution or data compromise. Technical Details The core issue lies in the insufficient validation of file paths embedded within ZIP archives processed by OneCommander. Specifically, when extracting files from a ZIP archive, OneCommander fails to properly sanitize or normalize…

Overview CVE-2025-58181 is a medium severity vulnerability affecting SSH servers. It stems from improper validation of the number of mechanisms specified in GSSAPI authentication requests. An attacker can exploit this flaw by sending a specially crafted request with an excessive number of mechanisms, leading to unbounded memory consumption on the server and potentially causing a denial-of-service (DoS). Technical Details The vulnerability resides in the GSSAPI authentication handling logic of SSH servers. During GSSAPI authentication, the client sends a list of supported mechanisms to the server. The server then iterates through this list to find a mutually supported mechanism. However, if…

Overview CVE-2025-47914 is a medium severity vulnerability affecting SSH Agent servers. The vulnerability stems from a failure to properly validate the size of incoming messages when processing new identity requests. This can lead to an out-of-bounds read if a malformed message is received, potentially causing the program to panic and crash. Technical Details The core issue lies within the SSH Agent’s handling of message lengths related to identity requests. Specifically, when a client attempts to add a new identity to the agent, the agent receives a message indicating the size of the identity data. CVE-2025-47914 arises because the agent doesn’t…