Overview A high-severity security vulnerability, identified as CVE-2025-13288, has been discovered in Tenda CH22 version 1.0.0.1 routers. This vulnerability exposes the router to remote attacks due to a buffer overflow in the fromPptpUserSetting function within the /goform/PPTPUserSetting file. Public exploits are available, increasing the urgency for users to apply mitigations. Technical Details The vulnerability stems from insufficient input validation when handling the delno argument in the fromPptpUserSetting function. By crafting a malicious request with an overly long delno value, attackers can overwrite memory buffers, potentially leading to arbitrary code execution or denial-of-service conditions. The attack can be performed remotely, making…

Overview CVE-2025-4321 describes a denial-of-service (DoS) vulnerability affecting Bluetooth devices utilizing the RS9116-WiseConnect SDK. This vulnerability can be triggered when the device receives malformed L2CAP (Logical Link Control and Adaptation Protocol) packets. Upon receiving such packets, the device enters a state requiring a hard reset to restore normal operation, effectively causing a denial of service. Technical Details The vulnerability stems from insufficient input validation within the RS9116-WiseConnect SDK’s L2CAP packet processing routines. When a malformed L2CAP packet is received, the SDK fails to handle the error gracefully, leading to a system crash or lock-up. The exact nature of the malformation…

Overview CVE-2025-13287 describes a medium severity SQL injection vulnerability found in itsourcecode Online Voting System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the id or category parameter in the /index.php?page=categories endpoint. The vulnerability is publicly known and actively exploitable, posing a significant risk to systems running the affected software. Technical Details The vulnerability stems from insufficient input validation on the id or category parameters within the /index.php?page=categories page. By injecting malicious SQL code into these parameters, an attacker can bypass intended security measures and interact directly with the underlying database. This could…

Overview CVE-2025-13286 details a security vulnerability present in itsourcecode Online Voting System version 1.0. This vulnerability is classified as a SQL Injection and allows remote attackers to potentially execute arbitrary SQL commands, leading to unauthorized access to sensitive data and system compromise. The flaw resides within the /ajax.php?action=save_user file, specifically through manipulation of the ID argument. This vulnerability has been publicly disclosed, increasing the risk of active exploitation. Technical Details The vulnerability lies in the lack of proper sanitization of user-supplied input within the /ajax.php?action=save_user endpoint. By manipulating the ID parameter, an attacker can inject malicious SQL code into the…

Overview A high-severity SQL Injection vulnerability, identified as CVE-2025-13285, has been discovered in itsourcecode Online Voting System version 1.0. This flaw allows remote attackers to potentially execute arbitrary SQL commands by manipulating the Username parameter within the /login.php file. The vulnerability is actively being exploited, making immediate action crucial to protect affected systems. Technical Details The vulnerability resides in the /login.php file of the itsourcecode Online Voting System 1.0. The application fails to properly sanitize user-supplied input to the Username parameter, allowing an attacker to inject malicious SQL code. This can lead to unauthorized access to sensitive data, modification of…

Overview CVE-2025-13280 describes a high-severity SQL injection vulnerability found in CodeAstro Simple Inventory System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the Username parameter during the login process. Publicly available exploits exist, making this a critical issue to address. Technical Details The vulnerability resides within the /index.php file, specifically in the Login component. By injecting malicious SQL code into the Username field, an attacker can bypass authentication and potentially gain unauthorized access to sensitive data stored in the database. The vulnerable function does not properly sanitize or validate user input, allowing the…

Overview CVE-2025-13279 identifies a medium-severity SQL injection vulnerability in Nero Social Networking Site version 1.0. This flaw allows a remote attacker to execute arbitrary SQL queries by manipulating the ID argument in the /profilefriends.php file. Publicly available exploit code exists, increasing the risk of exploitation. Technical Details The vulnerability stems from improper sanitization of user-supplied input passed to the ID parameter in the /profilefriends.php script. An attacker can inject malicious SQL code into this parameter, which, when processed by the application’s database query, can lead to unauthorized data access, modification, or even complete database compromise. The specific injection point lies…

Overview CVE-2025-13278 is a medium severity SQL injection vulnerability discovered in projectworlds Advanced Library Management System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the datefrom and dateto arguments in the /borrowed_book_search.php file. The vulnerability is publicly known and actively exploitable, posing a significant risk to systems running the affected software. Published: 2025-11-17T13:15:54.980 Technical Details The SQL injection vulnerability resides in the /borrowed_book_search.php file of the Advanced Library Management System 1.0. The application fails to properly sanitize user-supplied input in the datefrom and dateto parameters. This allows an attacker to inject malicious SQL…

Overview A high-severity vulnerability, identified as CVE-2025-40936, has been discovered in the PS/IGES Parasolid Translator Component. This vulnerability affects all versions prior to V29.0.258. The vulnerability is an out-of-bounds read issue that occurs while parsing specially crafted IGS files. Successful exploitation could lead to application crashes or, more seriously, arbitrary code execution within the context of the current process. Technical Details The vulnerability lies in the way the PS/IGES Parasolid Translator Component handles IGS (Initial Graphics Exchange Specification) files. A specially crafted IGS file can trigger an out-of-bounds read when parsed by the affected component. This means the software attempts…

Overview CVE-2025-40834 describes a Cross-Site Scripting (XSS) vulnerability affecting the Mendix RichText widget. This vulnerability impacts versions V4.0.0 and up to, but not including, V4.6.1. An attacker could exploit this flaw to inject malicious scripts into a user’s browser, potentially leading to data theft, session hijacking, or defacement of the application. Technical Details The vulnerability lies in the insufficient neutralization of user-supplied input within the Mendix RichText widget. The widget fails to properly sanitize or encode user-provided data, allowing an attacker to inject arbitrary HTML and JavaScript code. When a user views content containing this malicious code, their browser executes…