Free unofficial patches are available for a new Windows zero-day vulnerability that allows attackers to crash the Remote Access Connection Manager (RasMan) service. [...]
A vulnerability identified as critical has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. Manipulation of the argument employee_id/id/admin leads to SQL injection. This vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability is documented as CVE-2025-14568. The attack can be initiated remotely. Additionally, an exploit exists.
This product uses continuous delivery with rolling releases. Therefore, no version details of affected or updated releases are available.
The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability categorized as problematic has been discovered in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Manipulation can lead to missing authentication. This vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability is registered as CVE-2025-14567. It is possible to launch the attack remotely. Furthermore, an exploit is available.
This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.
The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. It has been rated as critical. The impacted element is an unknown function of the file /Profilers/SProfile/reg.php. Manipulation of the argument USN results in SQL injection.
This vulnerability is cataloged as CVE-2025-14566. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
A vulnerability was found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. It has been declared as critical. The affected element is an unknown function of the file /Profilers/SProfile/login1.php. Manipulation of the argument Username leads to SQL injection.
This vulnerability is listed as CVE-2025-14565. The attack may be performed remotely. In addition, an exploit is available.
Elastic found a new Windows backdoor, NANOREMOTE, similar to FINALDRAFT/REF7707, using the Google Drive API for C2. Elastic Security Labs researchers uncovered NANOREMOTE, a new Windows backdoor that uses the Google Drive API for C2. Elastic says it shares code with the FINALDRAFT (Squidoor) implant, which uses Microsoft Graph API and is linked to threat […]
A vulnerability was found in Apache Airflow up to 3.1.3. It has been classified as problematic. Impacted is an unknown function of the component Template Handler. This manipulation causes information disclosure.
This vulnerability is tracked as CVE-2025-66388. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
A vulnerability was found in Apache Airflow up to 3.1.3 and classified as problematic. This issue affects some unknown processing of the component kwargs. The manipulation results in information disclosure.
This vulnerability is identified as CVE-2025-65995. The attack can be executed remotely. No exploit is available.
It is suggested to upgrade the affected component.
A vulnerability has been found in Bookit Plugin up to 2.5.0 on WordPress and classified as problematic. This vulnerability affects unknown code of the component REST Endpoint. The manipulation leads to missing authorization.
This vulnerability is referenced as CVE-2025-12841. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
A vulnerability, which was classified as critical, was found in Siemens Simcenter Femap. This affects an unknown part of the component SLDPRT File Parser. Manipulation can lead to an uninitialized resource.
The identification of this vulnerability is CVE-2025-40829. The attack may be launched remotely. There is no exploit available.
You should upgrade the affected component.