Trending now
Top 10 CVEs trending on social media within the last 24 hours.

Each entry lists the rank, CVE ID, severity with score, whether a public exploit is known, the hype score for the last 24 hours, the publication date, a description, and tags.

1. CVE-2025-31207
- Severity: high (7.7)
- Hype score: 11
- Published: May 12, 2025
- Description: CVE-2025-31207 refers to a vulnerability found in SourceCodester Apartment Visitors Management System 1.0. It involves a SQL injection vulnerability affecting the processing of the `/add-apartment.php` file. Specifically, the `apartmentno` argument can be manipulated to inject SQL code. The attack can be initiated remotely, and the exploit is publicly available. It is possible that other parameters are also affected by this vulnerability. Another vulnerability with the ID CVE-2025-34028 exists in Commvault Command Center, where a path traversal vulnerability allows a remote, unauthenticated attacker to execute arbitrary code. Also, CVE-2025-31201 describes an arbitrary read and write vulnerability in Apple iOS, iPadOS, macOS, and other Apple products that allows an attacker to bypass Pointer Authentication.
- Tags: SourceCodester

2. CVE-2025-23120
- Severity: high (8.8)
- Hype score: 8
- Published: Mar 20, 2025
- Description: CVE-2025-23120 is a vulnerability in Veeam Backup & Replication software that allows remote code execution (RCE) by authenticated domain users. It affects version 12.3.0.310 and all earlier version 12 builds. The vulnerability was discovered by Piotr Bazydlo of watchTowr. The vulnerability exists because of uncontrolled deserialization within the Veeam codebase. Specifically, it can be exploited by any user who belongs to the local users group on the Windows host of the Veeam server, or by any domain user if the server is joined to the domain. Veeam has addressed this flaw in Veeam Backup & Replication 12.3.1 (build 12.3.1.1139), and organizations are urged to apply the patch immediately.
- Tags: Veeam

3. CVE-2024-54676
- Severity: critical (9.8)
- Hype score: 6
- Published: Jan 8, 2025
- Description: CVE-2024-54676 is a vulnerability found in Apache OpenMeetings, an open-source web conferencing application. The flaw stems from the default clustering instructions provided by Apache OpenMeetings, which fail to specify appropriate whitelist or blacklist configurations for OpenJPA (Open Java Persistence Architecture). This improper configuration allows for the deserialization of untrusted data. An attacker could exploit this by sending malicious serialized objects, potentially leading to unauthorized access, remote code execution, or system compromise. The vulnerability affects Apache OpenMeetings versions from 2.1.0 up to, but not including, 8.0.0.

4. CVE-2025-15517
- Severity: high (8.6)
- Hype score: 5
- Published: Mar 23, 2026
- Description: CVE-2025-15517 describes an authorization bypass vulnerability found in the HTTP server of several TP-Link Archer NX series routers, specifically models NX200, NX210, NX500, and NX600. This flaw allows unauthenticated attackers to access certain CGI endpoints that are intended for authenticated users. By exploiting this missing authentication check, an attacker can perform privileged actions on the affected devices without needing to authenticate. These actions include, but are not limited to, uploading new firmware or modifying device configurations.

5. CVE-2025-54068
- Severity: critical (9.2)
- Exploit: known
- Hype score: 3
- Published: Jul 17, 2025
- Description: CVE-2025-54068 is a remote command execution (RCE) vulnerability found in Livewire, a full-stack framework for Laravel. Specifically, it affects Livewire v3 versions up to and including v3.6.3. The vulnerability stems from how certain component property updates are handled during hydration, which could allow unauthenticated attackers to execute arbitrary code. Exploitation requires a component to be mounted and configured in a particular way but does not require authentication or user interaction. The vulnerability lies in the `hydrateForUpdate` method within the `Livewire\Mechanisms\HandleComponents\HandleComponents` class. A specially crafted update payload can bypass validation and sanitization during the hydration process, causing the framework to interpret untrusted input as executable code. This issue has been patched in Livewire v3.6.4, and users are strongly encouraged to upgrade to this version or later as soon as possible. There are no known workarounds.
- Tags: Zero-day, Livewire

6. CVE-2025-33073
- Severity: high (8.8)
- Exploit: known
- Hype score: 3
- Published: Jun 10, 2025
- Description: CVE-2025-33073 is an elevation of privilege vulnerability affecting the Windows Server Message Block (SMB) client. It stems from improper access control within Windows SMB, potentially allowing an authorized attacker to elevate privileges over a network. To exploit this vulnerability, an attacker could execute a specially crafted script. This script would coerce the victim machine to connect back to the attacker's system using SMB and authenticate, potentially resulting in the attacker gaining SYSTEM privileges.
- Tags: Smb, Windows SMB Client

7. CVE-2025-15518
- Severity: high (8.5)
- Hype score: 2
- Published: Mar 23, 2026
- Description: CVE-2025-15518 is a vulnerability stemming from improper input handling within a wireless-control administrative command-line interface (CLI) on several TP-Link Archer router models. Specifically, this flaw affects the TP-Link Archer NX200, NX210, NX500, and NX600. The vulnerability allows an authenticated attacker, possessing administrative privileges, to execute arbitrary operating system commands by crafting malicious input. This could potentially impact the confidentiality, integrity, and availability of the affected device.

8. CVE-2025-32975
- Severity: critical (10.0)
- Hype score: 1
- Published: Jun 24, 2025
- Description: CVE-2025-32975 is an authentication bypass vulnerability found in the Quest KACE Systems Management Appliance (SMA). This flaw specifically resides within the Single Sign-On (SSO) authentication handling mechanism of the affected software. Exploitation of this vulnerability allows an attacker to impersonate legitimate users, including those with administrative privileges, without needing valid credentials. This can lead to unauthorized access and potential administrative control over the compromised KACE SMA system. The vulnerability is categorized under CWE-287, which refers to improper authentication.
- Tags: Quest KACE, SMA

9. CVE-2025-33244
- Severity: critical (9.0)
- Hype score: 1
- Published: Mar 24, 2026
- Description: CVE-2025-33244 describes a vulnerability found in NVIDIA APEX for Linux. This flaw allows an unauthorized attacker to trigger a deserialization of untrusted data. The vulnerability specifically impacts environments utilizing PyTorch versions older than 2.6. Exploitation of this issue could potentially result in code execution, denial of service, escalation of privileges, data tampering, and information disclosure.

10. CVE-2025-71275
- Hype score: 1
- Published: Mar 24, 2026
- Description: CVE-2025-71275 identifies a command injection vulnerability present in version 8.8.15 of the Zimbra Collaboration Suite (ZCS) PostJournal service. This flaw stems from improper sanitization of the `RCPT TO` parameter, which can be exploited through SMTP injection. Attackers can leverage this vulnerability by injecting shell expansion syntax into the `RCPT TO` parameter. This technique allows unauthenticated attackers to execute arbitrary system commands, leading to remote code execution within the context of the Zimbra service.