  • Cybersecurity Vulnerabilities

    Lvzhou CMS Under Attack: Critical SQL Injection Vulnerability CVE-2025-65877 Exposed

    Overview: A critical SQL injection vulnerability, identified as CVE-2025-65877, has been discovered in Lvzhou CMS. This flaw affects versions prior to commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 (dated 2025-09-22). Exploitation of this vulnerability could allow attackers to execute arbitrary SQL queries, potentially leading to sensitive data exposure, modification, or even complete system compromise.

    Technical Details: The vulnerability resides within the com.wanli.lvzhoucms.service.ContentService#findPage method. The ‘title’ parameter is directly concatenated into a dynamic SQL query without proper sanitization or the use of prepared statements. This insecure practice allows an attacker to inject malicious SQL code through the ‘title’ parameter. When the application executes the constructed SQL…

  • Cybersecurity Vulnerabilities

    Critical SQL Injection Vulnerability Plagues PHPGurukul Billing System 1.0 (CVE-2025-65379)

    Overview: A critical SQL injection vulnerability, identified as CVE-2025-65379, has been discovered in PHPGurukul Billing System version 1.0. This vulnerability resides within the /admin/password-recovery.php endpoint and allows attackers to potentially compromise the application’s database by injecting malicious SQL code.

    Technical Details: The vulnerability stems from insufficient validation and sanitization of user-supplied input within the /admin/password-recovery.php script. Specifically, the username and mobileno parameters are directly concatenated into a backend SQL query without proper escaping. This allows a malicious actor to inject arbitrary SQL code by sending a specially crafted request to the password recovery endpoint. For example: /admin/password-recovery.php?username='; DROP TABLE…

  • Cybersecurity Vulnerabilities

    CVE-2025-13658: Critical RCE Vulnerability in Longwatch Devices Demands Immediate Action

    Overview: CVE-2025-13658 is a critical vulnerability affecting Longwatch devices that allows unauthenticated attackers to execute arbitrary code remotely. This vulnerability stems from the absence of code signing and execution controls, enabling unauthorized HTTP GET requests to exploit an exposed endpoint. Successful exploitation grants the attacker SYSTEM-level privileges, potentially leading to complete system compromise.

    Technical Details: The vulnerability resides in an exposed endpoint within Longwatch devices. Due to the lack of proper authentication and authorization mechanisms, an unauthenticated attacker can send specially crafted HTTP GET requests to this endpoint. The absence of code signing and execution controls allows the attacker to…

  • Cybersecurity Vulnerabilities

    Urgent: Critical Security Flaw in DesignThemes LMS Plugin Exposes WordPress Sites to Complete Takeover

    Overview: A critical security vulnerability, identified as CVE-2025-13542, has been discovered in the DesignThemes LMS plugin for WordPress. This vulnerability affects all versions up to and including 1.0.4. It allows unauthenticated attackers to escalate their privileges to administrator, potentially leading to complete site compromise. If you are using the DesignThemes LMS plugin, immediate action is required.

    Technical Details: The vulnerability resides in the dtlms_register_user_front_end function. This function lacks proper validation and authorization, specifically regarding user roles during registration. An attacker can exploit this flaw by providing the ‘administrator’ role as part of the registration process. Due to the insufficient role…

  • Cybersecurity Vulnerabilities

    Iskra iHUB Hacked Wide Open: Unauthenticated Access Exposes Smart Metering Gateways (CVE-2025-13510)

    Overview: A critical vulnerability, identified as CVE-2025-13510, has been discovered in the Iskra iHUB and iHUB Lite smart metering gateways. This vulnerability allows unauthenticated users to access the web management interface without requiring any credentials. This poses a significant security risk, potentially allowing malicious actors to access and modify critical device settings. This advisory is based on information published on December 2nd, 2025. Immediate action is recommended to mitigate this risk.

    Technical Details: CVE-2025-13510 stems from the lack of proper authentication controls on the web management interface of the Iskra iHUB and iHUB Lite devices. An attacker on the same…

  • Cybersecurity Vulnerabilities

    CVE-2025-66468: Critical Stored XSS Vulnerability Plagues Aimeos GrapesJS CMS Extension

    Overview: A high-severity stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66468, has been discovered in the Aimeos GrapesJS CMS extension. This flaw allows malicious editors to inject arbitrary JavaScript code into content pages, potentially compromising the security and integrity of websites using the affected versions. The vulnerability exists because the extension, prior to versions 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, lacks sufficient input sanitization when a standard Content Security Policy (CSP) is disabled. This allows attackers to persist malicious code within the CMS, affecting other users who access the compromised pages.

    Technical Details: The Aimeos GrapesJS CMS extension provides a…

  • Cybersecurity Vulnerabilities

    Lookyloo Vulnerability: CVE-2025-66460 – Improper Data Escaping Leads to Potential XSS

    Overview: CVE-2025-66460 identifies a vulnerability in Lookyloo, a web interface for capturing website pages and analyzing their domain relationships. Versions prior to 1.35.3 are affected by improper data escaping within datatables that use the orthogonal-data feature. This flaw could lead to Cross-Site Scripting (XSS) attacks, allowing malicious actors to inject arbitrary code into the application through manipulated data.

    Technical Details: The vulnerability stems from Lookyloo’s failure to properly sanitize user-supplied data before rendering it within datatables. Specifically, the orthogonal-data feature, which allows for different display and sorting data for the same column, is susceptible to this flaw. Unescaped values passed…

  • Cybersecurity Vulnerabilities

    CVE-2025-66459: Unveiling and Mitigating an XSS Flaw in Lookyloo

    Overview: CVE-2025-66459 identifies a Cross-Site Scripting (XSS) vulnerability found in Lookyloo, a web interface used for capturing website pages and displaying a tree of domain calls. This vulnerability affects versions prior to 1.35.3. Specifically, the XSS is triggered when a user submits a list of URLs for capture, and one of those URLs contains a malicious HTML element that causes the capture to fail. The error message, intended to inform the user about the failed capture, then inadvertently reflects the malicious URL, executing the embedded script within the user’s browser.

    Technical Details: The vulnerability lies in how Lookyloo handles error…

  • Cybersecurity Vulnerabilities

    Lookyloo Users: Patch Now! XSS Vulnerability CVE-2025-66458 Resolved

    Overview: CVE-2025-66458 identifies a cross-site scripting (XSS) vulnerability found in Lookyloo, a web interface for capturing website pages and displaying domain call trees. Versions prior to 1.35.3 are affected. The vulnerability stems from the unsafe use of f-strings in Markup, potentially allowing malicious third-party servers to inject JavaScript code. An update to version 1.35.3 resolves this critical security flaw.

    Technical Details: The XSS vulnerability in Lookyloo arises from the application’s handling of data received from external servers. Specifically, the unsafe use of f-strings in the Markup component allows a malicious actor to inject arbitrary JavaScript code into the rendered web…

  • Cybersecurity Vulnerabilities

    CVE-2025-66416: Critical DNS Rebinding Flaw in MCP Python SDK (mcp)

    Overview: CVE-2025-66416 describes a DNS rebinding vulnerability affecting the MCP Python SDK, known as `mcp` on PyPI. This Python library implements the Model Context Protocol (MCP). Prior to version 1.23.0, the SDK did not enable DNS rebinding protection by default for HTTP-based servers. This could allow a malicious website to interact with a locally running MCP server under specific circumstances.

    Technical Details: The vulnerability exists when an HTTP-based MCP server is running on localhost without authentication, utilizes FastMCP with streamable HTTP or SSE transport, and hasn’t explicitly configured TransportSecuritySettings. In this scenario, a malicious website could exploit DNS rebinding techniques…