Overview A high-severity vulnerability, identified as CVE-2025-40936, has been discovered in the PS/IGES Parasolid Translator Component. This vulnerability affects all versions prior to V29.0.258. The vulnerability is an out-of-bounds read issue that occurs while parsing specially crafted IGS files. Successful exploitation could lead to application crashes or, more seriously, arbitrary code execution within the context of the current process. Technical Details The vulnerability lies in the way the PS/IGES Parasolid Translator Component handles IGS (Initial Graphics Exchange Specification) files. A specially crafted IGS file can trigger an out-of-bounds read when parsed by the affected component. This means the software attempts…
-
-
Overview CVE-2025-40834 describes a Cross-Site Scripting (XSS) vulnerability affecting the Mendix RichText widget. This vulnerability impacts versions V4.0.0 and up to, but not including, V4.6.1. An attacker could exploit this flaw to inject malicious scripts into a user’s browser, potentially leading to data theft, session hijacking, or defacement of the application. Technical Details The vulnerability lies in the insufficient neutralization of user-supplied input within the Mendix RichText widget. The widget fails to properly sanitize or encode user-provided data, allowing an attacker to inject arbitrary HTML and JavaScript code. When a user views content containing this malicious code, their browser executes…
-
Overview CVE-2025-13277 is a high-severity SQL injection vulnerability discovered in Nero Social Networking Site version 1.0. This flaw allows remote attackers to execute arbitrary SQL commands, potentially leading to data breaches, unauthorized access, and complete compromise of the affected system. The vulnerability resides in the /friendsphoto.php file and is triggered by manipulating the ID argument. This vulnerability has been published and proof-of-concept exploit code is available, increasing the likelihood of exploitation in the wild. Users of Nero Social Networking Site 1.0 are strongly advised to take immediate action to mitigate this risk. Technical Details The vulnerability stems from insufficient input…
-
Overview CVE-2025-11681 is a security vulnerability affecting M-Files Server versions prior to 25.11.15392.1. This vulnerability allows an authenticated user to trigger a denial-of-service (DoS) condition by causing the core MFserver process to crash. While the CVSS score is currently unavailable, the potential impact on system availability necessitates immediate attention. Technical Details The specific technical details leading to the MFserver process crash are not fully disclosed in the initial advisory. However, the vulnerability stems from a flaw in how the M-Files Server handles certain inputs or requests from authenticated users. Exploitation of this vulnerability requires a valid user account within the…
-
Overview CVE-2025-13276 describes a critical SQL Injection vulnerability found in the g33kyrash Online-Banking-System. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating the Username argument in the /index.php file. The exploit is publicly available, increasing the risk of exploitation. Technical Details The vulnerability resides within the /index.php file of the g33kyrash Online-Banking-System. By crafting a malicious payload within the Username parameter of a request to this file, an attacker can inject arbitrary SQL code into the database query. This can lead to the disclosure of sensitive information, modification of data, or even complete compromise of the…
-
Overview CVE-2025-13275 identifies a medium-severity security vulnerability affecting Iqbolshoh php-business-website up to version 10677743a8dfc281f85291a27cf63a0bce043c24. This vulnerability allows for unrestricted file uploads, potentially leading to remote code execution and other malicious activities. Technical Details The vulnerability exists within the /admin/about.php file of the affected software. An attacker can exploit this flaw by uploading arbitrary files without proper validation, bypassing security measures intended to restrict file types and sizes. The lack of input sanitization on uploaded files allows an attacker to upload executable files (e.g., PHP, .exe) that can then be accessed and executed by the web server, potentially compromising the entire…
-
Is Munich safe? Absolutely. Munich stands out as one of Europe’s most secure, well-managed, and traveler-friendly cities. With its low crime rate, strong public infrastructure, and advanced digital and emergency systems, visitors can explore with confidence. Combined with world-class attractions, Bavarian cuisine, cultural richness, and scenic landscapes, Munich offers a memorable and safe travel experience for all types of travelers. Munich, the capital of Bavaria, is one of Europe’s most secure, culturally rich, and welcoming cities. Known for its historic charm, technological innovation, calm environment, and well-organized public infrastructure, Munich offers a balanced experience for leisure travelers, families, and business…
-
Overview A medium severity SQL injection vulnerability, identified as CVE-2025-13251, has been discovered in WeiYe-Jing datax-web up to version 2.1.2. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating specific input parameters. The exploit is publicly available, posing a significant risk to systems running vulnerable versions of datax-web. Technical Details The vulnerability resides in an unspecified function within datax-web. By crafting malicious SQL injection payloads, an attacker can potentially bypass authentication, access sensitive data, modify database contents, or even execute arbitrary code on the underlying database server. The specific attack vector involves manipulating user-supplied input that…
-
Overview A medium-severity security vulnerability, identified as CVE-2025-13250, has been discovered in WeiYe-Jing datax-web versions up to 2.1.2. This vulnerability allows remote attackers to bypass access controls, potentially leading to unauthorized manipulation of data integration jobs. The exploit is publicly available, increasing the risk of exploitation. Technical Details The vulnerability resides within the Job Handler component of datax-web. Specifically, the remove, update, pause, start, and triggerJob functions are affected. An attacker can exploit this vulnerability by manipulating requests to these functions, circumventing the intended access controls. This allows them to perform actions on jobs they are not authorized to manage.…
-
Overview A security vulnerability, identified as CVE-2025-13249, has been discovered in Jiusi OA, specifically in versions up to 20251102. This medium severity vulnerability allows for unrestricted file uploads due to improper handling of the FileData argument within the /OfficeServer?isAjaxDownloadTemplate=false endpoint. This vulnerability can be exploited remotely, and a public exploit is already available. Technical Details The vulnerability resides in the OfficeServer Interface component of Jiusi OA. By manipulating the FileData argument in requests to the /OfficeServer?isAjaxDownloadTemplate=false endpoint, an attacker can upload arbitrary files to the server. The lack of proper validation and sanitization of the uploaded file content and type…