Overview CVE-2025-64750 describes a medium severity security vulnerability affecting SingularityCE (the open-source container platform) and SingularityPRO (its commercially supported edition). The vulnerability allows an attacker to bypass Linux Security Module (LSM) restrictions under specific conditions. It resides in how shared mounts are handled: a malicious container can redirect LSM label write operations, effectively disabling the LSM controls that were meant to confine it. Technical Details The vulnerability matters when a user relies on LSM restrictions (for example an SELinux or AppArmor policy) to prevent malicious operations within a SingularityCE or SingularityPRO container. An attacker can exploit it by crafting a malicious container image that redirects the mount of /proc to a destination that's a shared…
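As an added example (not Singularity's code, and not a reproduction of the issue), the following parses the /proc/<pid>/mountinfo format from proc(5) and reports which mount points carry shared propagation, the mount property at the centre of the description above: a runtime that mounts /proc or writes LSM labels through a path needs to know whether that path is a shared mount before it trusts the write to stay local. The sample mountinfo text, the function names and the script are assumptions made for illustration.

```python
"""Added example: parse mountinfo and flag shared-propagation mount points.
Not Singularity code; SAMPLE_MOUNTINFO is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the proc(5) layout:
# id parent maj:min root mountpoint options [optional fields] - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:30 / /mnt/shared rw,relatime shared:5 - tmpfs tmpfs rw
25 22 0:31 / /mnt/with\\040space rw,relatime master:5 - tmpfs tmpfs rw
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\040, \\011, \\012, \\134."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str
    mount_point: str
    options: List[str]
    propagation: Dict[str, str]  # {"shared": "5"}, {"master": "5"}, ...; empty means private
    fstype: str
    source: str


def parse_mountinfo(text: str) -> List[MountEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (shared:N, master:N, propagate_from:N, unbindable)
        # sit between the mount options and the " - " separator.
        before, sep, after = line.partition(" - ")
        fields, tail = before.split(), after.split()
        if not sep or len(fields) < 6 or len(tail) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        propagation = {}
        for opt in fields[6:]:
            key, _, value = opt.partition(":")
            propagation[key] = value
        entries.append(MountEntry(
            mount_id=int(fields[0]), parent_id=int(fields[1]),
            root=unescape(fields[3]), mount_point=unescape(fields[4]),
            options=fields[5].split(","), propagation=propagation,
            fstype=tail[0], source=unescape(tail[1])))
    return entries


def propagation_of(entries: List[MountEntry], mount_point: str) -> Optional[Dict[str, str]]:
    """Propagation state of a mount point, or None if it is not a mount point at all."""
    for entry in entries:
        if entry.mount_point == mount_point:
            return entry.propagation
    return None


def shared_mount_points(entries: List[MountEntry]) -> List[str]:
    """Mount points that belong to a shared peer group: mounts placed under them
    propagate to every peer, so they are not safe targets for container-local mounts."""
    return [e.mount_point for e in entries if "shared" in e.propagation]


if __name__ == "__main__":
    # On a live system, list the shared mounts visible to this process.
    with open("/proc/self/mountinfo") as fh:
        print(shared_mount_points(parse_mountinfo(fh.read())))
```

A runtime that needs a mount or a label write to stay private to the container can use the same parse to refuse (or remount private) any target whose propagation contains `shared` before proceeding.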
-
Overview This article details CVE-2025-60854, a critical command injection vulnerability affecting D-Link R15 (AX1500) routers running firmware version 1.20.01 and below. It allows an attacker to execute arbitrary commands on the router's operating system via a maliciously crafted password change request. Technical Details CVE-2025-60854 stems from insufficient input validation of the model name parameter in the web administration interface. When a user submits a password change request, the model name parameter, which is ostensibly intended for display only, is not properly sanitized. By injecting shell commands into this parameter, an attacker can potentially execute…
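To show the pattern behind this class of bug and its fix, here is an added example that is not D-Link firmware code: the handler, the `model_name` field and the command it feeds are assumptions, and the injected strings are constructed for the example rather than taken from any exploit. The vulnerable form splices the display-only field into a shell command line; the hardened form allowlists the value and passes it as a single argv element so no shell ever parses it.

```python
"""Added example of command injection through a display-only field and its
hardened form. Not D-Link code; names and the command are assumptions."""
import re
import shlex
import subprocess
import sys
from typing import List

# Tight allowlist for a device name: letters, digits, space, dot, underscore, hyphen.
MODEL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,31}")


def vulnerable_command_line(model_name: str) -> str:
    """Vulnerable pattern: the request field is spliced into text a shell will parse."""
    return f"logger Password changed on {model_name}"


def shell_tokens(command_line: str) -> List[str]:
    """Tokenise the way /bin/sh would, so an injected separator becomes visible."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def validate_model_name(model_name: str) -> str:
    if not MODEL_NAME_RE.fullmatch(model_name):
        raise ValueError("model name contains characters outside the allowlist")
    return model_name


def hardened_argv(model_name: str) -> List[str]:
    """Hardened form: the validated value is one argv element and no shell sees it.
    sys.executable stands in for the real logging tool so the example runs anywhere."""
    return [sys.executable, "-c",
            "import sys; print('Password changed on', sys.argv[1])",
            validate_model_name(model_name)]


def run_hardened(model_name: str) -> str:
    return subprocess.run(hardened_argv(model_name), capture_output=True,
                          text=True, check=True).stdout.strip()


def hardened_rejects(model_name: str) -> bool:
    try:
        hardened_argv(model_name)
        return False
    except ValueError:
        return True
```

`shell_tokens` makes the failure concrete: with a value such as `R15; reboot`, the shell sees `;` as a command separator and `reboot` as a second command. The allowlist is the primary control; passing an argv list instead of a string is the second, and it holds even if the allowlist is later loosened.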
-
Overview CVE-2025-58386 is a critical vulnerability affecting Terminalfour versions 8 through 8.4.1.1. It allows a Power User to escalate their own privileges, or those of another low-privileged account, to Administrator by manipulating the userLevel parameter of the user management function during account creation or modification. Technical Details The root cause is the absence of server-side authorization checks on the userLevel parameter. A Power User who intercepts and modifies the request sent during user creation or modification can assign the Administrator role to a target account. This account can be an existing…
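The missing check is easy to state and easy to get wrong, so here is an added example of it. This is not Terminalfour code: the level names, their numeric ordering, the `userLevel` request field and the in-memory user table are assumptions for the example. The vulnerable handler only checks that the caller may reach user management and then stores whatever level the request carries; the hardened handler bounds the requested level by the caller's own level and refuses to touch accounts above the caller.

```python
"""Added example of server-side authorization on a role/level field.
Not Terminalfour code; levels, field name and store are assumptions."""
from enum import IntEnum
from typing import Dict


class Level(IntEnum):
    VISITOR = 1
    CONTRIBUTOR = 2
    POWER_USER = 3
    ADMINISTRATOR = 4


class Forbidden(PermissionError):
    pass


def vulnerable_save_user(users: Dict[str, Level], actor: str, target: str, request: dict) -> Level:
    """Vulnerable pattern: userLevel from the request body is stored as-is.
    Only the caller's right to reach the user-management function is checked."""
    if users[actor] < Level.POWER_USER:
        raise Forbidden("user management requires Power User")
    users[target] = Level(int(request["userLevel"]))
    return users[target]


def hardened_save_user(users: Dict[str, Level], actor: str, target: str, request: dict) -> Level:
    """Hardened form: the granted level is capped at the actor's own level and a
    lower-privileged actor cannot modify a higher-privileged account."""
    actor_level = users[actor]
    if actor_level < Level.POWER_USER:
        raise Forbidden("user management requires Power User")
    try:
        requested = Level(int(request["userLevel"]))   # Level() rejects unknown values
    except (KeyError, ValueError):
        raise Forbidden("userLevel missing or not a known level")
    if requested > actor_level:
        raise Forbidden("cannot grant a level above your own")
    if target in users and users[target] > actor_level:
        raise Forbidden("cannot modify a higher-privileged account")
    users[target] = requested
    return requested


def is_denied(users: Dict[str, Level], actor: str, target: str, request: dict) -> bool:
    """True when the hardened handler refuses the request (store left untouched)."""
    try:
        hardened_save_user(dict(users), actor, target, request)
        return False
    except Forbidden:
        return True
```

Whether a Power User may grant Power User to others (equal to their own level) is a policy choice; the cap above allows it, and tightening it to strictly below the actor's level is a one-character change to the comparison.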
-
Overview CVE-2025-52622 identifies a vulnerability in the BigFix SaaS platform: security headers are missing from its HTTP responses. Without these headers the browser falls back to permissive defaults, which weakens the client-side security posture of the application and leaves it more exposed to the web-based attacks those headers are meant to mitigate. This vulnerability was published on 2025-12-02T18:15:47.820 and assigned a CVSS score of 5.4 (medium severity). Technical Details The vulnerability stems from the lack of security headers in the HTTP responses generated by the BigFix SaaS application. Security headers instruct the browser on how to handle the response, for instance whether the page may be framed, whether content types may be sniffed and which scripts may run. The missing headers may include, but…
-
Overview CVE-2025-65656 describes a file inclusion vulnerability in dcat-admin, a PHP admin panel framework; versions 2.2.3-beta and earlier are affected. The flaw resides in admin/src/Extend/VersionManager.php. An attacker could exploit it to include arbitrary files, leading to sensitive information disclosure or, depending on what can be included, remote code execution. Technical Details The vulnerability stems from insufficient validation of user-supplied input that is used to build the path of a file included by VersionManager.php. The exact mechanism of exploitation requires further analysis of the vulnerable code, but the core problem is that an attacker can manipulate the file path used in an include…
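Since the article does not yet show the vulnerable code, here is an added example of the confinement check that file-inclusion bugs of this kind lack. It is not dcat-admin code, and the base directory, file names and allowed suffix are assumptions: the user-controlled value is joined to a fixed base, the result is canonicalised, and it is accepted only if it is still inside the base and has the expected suffix; stream-wrapper prefixes and null bytes are rejected before any path handling.

```python
"""Added example: confine a user-supplied include path to one directory.
Not dcat-admin code; base directory, names and suffix are assumptions."""
import os

# Hypothetical include root used in the checks below.
BASE_DIR = "/srv/app/admin/versions"


class IncludeRejected(ValueError):
    pass


def resolve_include(base_dir: str, user_value: str, allowed_suffix: str = ".php") -> str:
    """Return the canonical path to include, or raise IncludeRejected.
    user_value must already be URL-decoded by the framework; decode once, then check."""
    if "\x00" in user_value:
        raise IncludeRejected("null byte in path")
    if "://" in user_value:
        # php://, data://, phar://, http:// and similar wrappers turn an include into
        # arbitrary input or remote code; a local include must never see them.
        raise IncludeRejected("stream wrapper not allowed")
    base = os.path.realpath(base_dir)
    # An absolute user_value replaces base in os.path.join, so the containment
    # check below is what actually enforces the boundary.
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected("path escapes the include directory")
    if not candidate.endswith(allowed_suffix) or candidate == base:
        raise IncludeRejected("unexpected file type")
    return candidate


def is_rejected(base_dir: str, user_value: str) -> bool:
    try:
        resolve_include(base_dir, user_value)
        return False
    except IncludeRejected:
        return True
```

`os.path.realpath` also follows symlinks that exist on disk, so a link planted inside the base directory pointing outside it is caught by the same containment comparison. Double-encoded traversal (`%252e%252e`) is handled by decoding exactly once before calling this function, never inside it.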
-
Overview CVE-2025-65358 details a significant SQL injection vulnerability affecting Edoc Doctor Appointment System version 1.0.1. This vulnerability allows attackers to potentially execute arbitrary SQL queries, leading to data breaches, modification, or complete system compromise. The vulnerability exists within the /admin/appointment.php file, specifically through the unsanitized ‘docid’ parameter. Technical Details The vulnerability lies in the lack of proper input validation and sanitization of the docid parameter within the /admin/appointment.php script. An attacker can craft a malicious SQL query within this parameter, which, when processed by the application, can lead to the execution of arbitrary SQL commands. This bypasses the intended database…
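An added example makes the injection concrete against an in-memory SQLite database. It is not Edoc code: the table layout and rows are constructed, and `docid` is used as the parameter name only because the article names it. The vulnerable lookup concatenates the parameter into the query text; the hardened lookup type-checks it and binds it as a parameter.

```python
"""Added example: string-built query versus bound parameter.
Not Edoc code; schema and rows are constructed for the example."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE appointment (id INTEGER PRIMARY KEY, docid INTEGER, patient TEXT)")
    conn.executemany("INSERT INTO appointment (docid, patient) VALUES (?, ?)",
                     [(1, "Ana"), (2, "Bo"), (2, "Cy")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, docid: str) -> List[str]:
    """Vulnerable pattern: the request parameter is concatenated into the query text,
    so the attacker controls part of the WHERE clause (or appends a UNION)."""
    sql = "SELECT patient FROM appointment WHERE docid = " + docid
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn: sqlite3.Connection, docid: str) -> List[str]:
    """Hardened form: the value must be an integer and is bound, never interpolated."""
    try:
        docid_int = int(docid)
    except ValueError:
        raise ValueError("docid must be an integer")
    rows = conn.execute("SELECT patient FROM appointment WHERE docid = ?", (docid_int,))
    return [row[0] for row in rows]


def hardened_rejects(conn: sqlite3.Connection, docid: str) -> bool:
    try:
        hardened_lookup(conn, docid)
        return False
    except ValueError:
        return True
```

The UNION case shows why "only reading appointments" is not a useful bound on impact: once the query text is attacker-controlled, any table the database user can read (here `sqlite_master`) is reachable. Python's sqlite3 module refuses stacked statements in `execute()`, so the `; DROP TABLE` variant is not shown here, but drivers that permit multiple statements expose it through the same string concatenation.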
-
Overview This article details CVE-2025-65186, a stored Cross-Site Scripting (XSS) vulnerability affecting Grav CMS version 1.7.49. This vulnerability allows authenticated users with page editing privileges to inject malicious JavaScript code into page content via the Markdown editor. When other users, particularly administrators, view the affected page in the Grav CMS admin interface, the injected script executes, potentially leading to account compromise, data theft, or other malicious activities. Technical Details The vulnerability lies in the inadequate sanitization of user-supplied input within the page editor’s Markdown functionality. Specifically, the application fails to properly escape or remove <script> tags. An attacker can craft…
-
Overview CVE-2025-64070 describes a Cross-Site Scripting (XSS) vulnerability discovered in Sourcecodester Student Grades Management System version 1.0. This vulnerability allows an attacker to inject malicious scripts into the “Add New Subject Description” field, potentially compromising user accounts and data. Technical Details The vulnerability resides in the lack of proper input sanitization within the “Add New Subject Description” functionality. An attacker can input malicious JavaScript code into this field. When a user views the subject description, the injected script will execute within their browser. This can lead to: Account hijacking: Stealing user cookies or session tokens. Data theft: Accessing and exfiltrating…
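Both this entry and the Grav CMS entry above come down to the same missing step: user-supplied content is stored and later rendered into HTML without the `<script>` tag (and event-handler attributes) being removed or escaped. The following is an added example of an allowlist sanitizer for that step; it is not Grav or Sourcecodester code, and the allowed tag and attribute sets are assumptions. For a Markdown editor the same sanitizer runs on the HTML the Markdown renderer produces, not on the Markdown source, since Markdown passes raw HTML through.

```python
"""Added example: allowlist HTML sanitizer for stored user content.
Not Grav or Sourcecodester code; the allowlists are assumptions."""
import re
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no on* handlers, no style, no src
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}      # tag and its text both disappear


def safe_url(value: str) -> bool:
    """Allow http(s) and same-site relative links; reject javascript:, data:, protocol-relative."""
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")   # browsers ignore these inside URLs
    scheme = urlparse(cleaned).scheme
    if scheme:
        return scheme in ("http", "https")
    return not cleaned.startswith("//")


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.skip_depth = 0

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, str]]) -> None:
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                                      # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                                # drops onclick=, onerror=, style=
            if name == "href" and not safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize(html: str) -> str:
    """Return HTML containing only allowlisted tags/attributes, with all text escaped."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Because text nodes are re-escaped on output, content that arrives already entity-encoded (`&lt;script&gt;`) stays inert instead of being decoded into a live tag. The parser does not balance unclosed allowlisted tags; a production sanitizer should close them, and the output must still be placed in a context where the surrounding template does not re-interpret it (for example never inside an attribute or a `<script>` block).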
-
Overview CVE-2025-13828 describes a significant security vulnerability in Mautic, a popular open-source marketing automation platform. The flaw allows a non-privileged user to install and remove arbitrary packages via Composer even when the "enable composer based update" setting is disabled. This circumvents the intended security control and creates a pathway for attackers to inject malicious code into the Mautic instance. Technical Details The vulnerability stems from insufficient access control checks in the Composer integration. Even with the Composer-based update feature disabled, the application fails to restrict Composer functionality to privileged users. This oversight allows a low-privileged actor to leverage Composer…
-
Overview CVE-2025-13827 describes an arbitrary file upload vulnerability affecting the GrapesJS Builder. This vulnerability stems from a lack of restriction on the types of files that can be uploaded through the builder. If the webserver’s media folder is improperly configured, allowing execution of uploaded files, this can lead to Remote Code Execution (RCE). Technical Details The GrapesJS Builder, when integrated into applications (such as Mautic), typically allows users to upload media assets like images. However, CVE-2025-13827 highlights the absence of proper validation or filtering on the file types being uploaded. This means a malicious actor could potentially upload executable files…
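An added example of the validation the builder is described as lacking follows. It is not GrapesJS or Mautic code; the accepted types, their magic bytes and the sample payloads are constructed for the example. Three things are checked: the name is reduced to its base name, the extension is on an allowlist, and the content's leading bytes match that extension, and the server then chooses the on-disk name itself.

```python
"""Added example: media upload validation with server-chosen names.
Not GrapesJS or Mautic code; accepted types and samples are constructed."""
import posixpath
import secrets
from typing import Dict, Tuple

# extension -> magic byte prefixes the content must start with (assumed set)
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample payloads.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php system($_GET['c']); ?>"


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if name and content are both acceptable."""
    name = posixpath.basename(filename.replace("\\", "/"))   # strip any directory part
    if not name or "\x00" in name:
        raise UploadRejected("bad file name")
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    # "shell.php.png" passes the extension test; the content check catches it.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def stored_name(filename: str, data: bytes) -> str:
    """The server picks the on-disk name; the client-supplied one never reaches disk."""
    return f"{secrets.token_hex(16)}.{validate_upload(filename, data)}"


def is_rejected(filename: str, data: bytes) -> bool:
    try:
        validate_upload(filename, data)
        return False
    except UploadRejected:
        return True
```

The content check is a filter, not a proof: a file can be a valid GIF and valid PHP at once (polyglot), so, as the article notes, the media directory must additionally be served with script execution disabled (no PHP handler mapped for that location) regardless of what validation admits.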