CVE | THREATINT

New

CVE-2025-14247: code-projects Simple Shopping Cart additems.php sql injection: A vulnerability was determined in code-projects Simple Shopping Cart 1.0. This issue affects some unknown processing of the file /Admin/additems.php. Executing manipulation of the argument item_name can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

CVE-2025-14246: code-projects Simple Shopping Cart settings.php sql injection: A vulnerability was found in code-projects Simple Shopping Cart 1.0. This vulnerability affects unknown code of the file /Customers/settings.php. Performing manipulation of the argument user_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

CVE-2025-14245: IdeaCMS Coupon.php whereRaw sql injection: A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-42620: CSRF vulnerability in CIRCL Vulnerability-Lookup: In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle d...

CVE-2025-42616: CSRF vulnerability in CIRCL Vulnerability-Lookup: Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tr...

Updated

CVE-2025-14214: itsourcecode Student Information System section_edit1.php sql injection: A vulnerability has been found in itsourcecode Student Information System 1.0. This affects an unknown part of the file /section_edit1.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

CVE-2025-14215: code-projects Currency Exchange System edit.php sql injection: A vulnerability was found in code-projects Currency Exchange System 1.0. This vulnerability affects unknown code of the file /edit.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

CVE-2025-14216: code-projects Currency Exchange System viewserial.php sql injection: A vulnerability was determined in code-projects Currency Exchange System 1.0. This issue affects some unknown processing of the file /viewserial.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

CVE-2025-14217: code-projects Currency Exchange System edittrns.php sql injection: A vulnerability was identified in code-projects Currency Exchange System 1.0. Impacted is an unknown function of the file /edittrns.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.

CVE-2025-14222: code-projects Employee Profile Management System print_personnel_report.php sql injection: A flaw has been found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file /print_personnel_report.php. This manipulation of the argument per_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

CISA Known Exploited Vulnerabilities

CVE-2025-55182 Meta React Server Components: Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

CVE-2021-26828 OpenPLC ScadaBR: OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

CVE-2025-48633 Android Framework: Android Framework contains an unspecified vulnerability that allows for information disclosure.

CVE-2025-48572 Android Framework: Android Framework contains an unspecified vulnerability that allows for privilege escalation.

CVE-2021-26829 OpenPLC ScadaBR: OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.

Additional information

EUVD (European Union Vulnerability Database) is maintained by ENISA (European Union Agency for Cybersecurity), under the European Union’s regulatory umbrella, serving as a centralized platform for vulnerability reporting specifically aligned with the EU’s legal frameworks such as NIS2 and the Cyber Resilience Act (CRA)

EUVD complements the CVE system by aggregating CVE data, but also assigns its own EUVD IDs to vulnerabilities, offers enriched metadata tailored for EU policies and compliance, and may highlight vulnerabilities particularly relevant to the European market.

Most vulnerabilities catalogued in EUVD will have both a CVE-ID and an EUVD-ID, acting as cross-references.

euvd.enisa.europa.eu

Source: media.ccc.de/v/eh22-138-panic-at-the-cve-o-theque.

A big "thank you" goes to @pennylane.

Welcome

New

Updated

CISA Known Exploited Vulnerabilities

Additional information