Security Vulnerabilities
A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-12-30
A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown part of the file /home/editfood.php. This manipulation of the argument a/b/c/d causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-12-29
givanz VvvebJs 1.7.2 is vulnerable to Directory Traversal via scan.php.
CVSS Score
7.5
EPSS Score
0.004
Published
2025-12-29
givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-12-29
givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-12-29
Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and upstream services replies on `Vary` to differentiate caches are affected. Browser/client-side applications (single user per browser session) are not affected. Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions. After `v1.11.1`, automatic `Vary` header support is now enabled by default. When server responds with `Vary: Authorization`, cache keys now include the authorization header value. Each user gets their own cache.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-12-29
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-12-29
A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-12-29
A weakness has been identified in code-projects College Notes Uploading System 1.0. This issue affects some unknown processing of the file /login.php. Executing manipulation of the argument User can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-12-29
Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available.
CVSS Score
9.0
EPSS Score
0.001
Published
2025-12-29