New
CVE-2025-34425: MailEnable < 10.54 Reflected XSS in WindowContext Parameter of MAI/compose.aspx: MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx. The WindowContext value is not properly sanitized when processed via a GET request and is reflected within a <script> context in the JavaScript va...
CVE-2023-53774: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol Remote Code Execution: MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can send crafted SVDRP commands through the svdrpsend.sh script to execute messages and potentially control the video disk recorder remotely.
CVE-2023-53773: MiniDVBLinux 5.4 Unauthenticated Live Stream Disclosure via tv_action.sh: MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg without authentication.
CVE-2023-53772: MiniDVBLinux 5.4 Arbitrary File Read Vulnerability via About Page: MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the 'file' GET parameter. Attackers can exploit the about page by supplying file paths to disclose arbitrary file contents on the affected device.
CVE-2023-53771: MiniDVBLinux 5.4 Unauthenticated Root Password Change via System Setup: MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials.
Updated
CVE-2025-67596: WordPress Business Directory plugin <= 6.4.19 - Cross Site Request Forgery (CSRF) vulnerability: Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19.
CVE-2025-67597: WordPress Fluent Booking plugin <= 1.9.11 - Broken Access Control vulnerability: Missing Authorization vulnerability in Shahjahan Jewel Fluent Booking fluent-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Booking: from n/a through <= 1.9.11.
CVE-2025-62562: Microsoft Outlook Remote Code Execution Vulnerability: Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.
CVE-2025-54100: PowerShell Remote Code Execution Vulnerability: Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.
CVE-2025-62221: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability: Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CISA Known Exploited Vulnerabilities
CVE-2025-62221 Microsoft Windows: Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.
CVE-2025-6218 RARLAB WinRAR: RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.
CVE-2022-37055 D-Link Routers: D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2025-66644 Array Networks ArrayOS AG: Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.
CVE-2025-55182 Meta React Server Components: Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.