📅 Weekly CVE Roundup
November 3 - November 9, 2025
🔴 Critical & High Severity Vulnerabilities
These are the most dangerous vulnerabilities disclosed this week. Prioritize patching these.
A remote code execution vulnerability in iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code through a crafted HTML page targeting t... (Nov 3)
This vulnerability is a heap buffer overflow in MediaTek modem firmware that allows remote code execution when a device connects to a malicious base s... (Nov 4)
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in MetInfo CMS that can be triggered via XML External Entity (XXE) injection. At... (Nov 6)
A vulnerability in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder firmware allows remote attackers to cause denial of service through the s... (Nov 6)
Open Source Social Network (OSSN) 8.6 contains a reflected cross-site scripting vulnerability in the administrator friends endpoint. Attackers can inj... (Nov 3)
FreePBX Endpoint Manager's filestore module contains a post-authentication command injection vulnerability in the SSH test connection function. Authen... (Nov 7)
🏢 Most Affected Vendors
🐛 Common Vulnerability Types
📋 All CVEs This Week
A remote code execution vulnerability in iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code through a...
This vulnerability is a heap buffer overflow in MediaTek modem firmware that allows remote code execution when a device ...
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in MetInfo CMS that can be triggered via XML Exter...
A vulnerability in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder firmware allows remote attackers to cause d...
Open Source Social Network (OSSN) 8.6 contains a reflected cross-site scripting vulnerability in the administrator frien...
FreePBX Endpoint Manager's filestore module contains a post-authentication command injection vulnerability in the SSH te...
This vulnerability in Nuxt DevTools allows cross-site scripting (XSS) attacks that could extract authentication tokens u...
This vulnerability allows physical attackers to reset the admin password on Elspec G5 devices by inserting a USB drive w...
This vulnerability allows attackers to inject malicious code into Salesforce Agentforce Vibes Extension's LLM prompting ...
This vulnerability allows attackers to inject malicious code through improperly sanitized input used for LLM prompting i...
CVE-2025-63294 is an insecure permissions vulnerability in WorkDo HRM SaaS HR and Payroll Tool 8.1 that allows authentic...
This CVE describes an arbitrary file download vulnerability in GuoMinJim PersonManage software. Attackers can download a...
A reflected cross-site scripting (XSS) vulnerability in Zucchetti ZMaintenance Infinity and Infinity Zucchetti allows at...
A vulnerability in libarchive's bsdtar allows attackers to cause denial of service through unbounded memory allocation w...
This vulnerability allows attackers to manipulate writeable configuration files in Salesforce Mulesoft Anypoint Code Bui...
This vulnerability allows attackers to manipulate configuration files through improper input neutralization in Salesforc...
This vulnerability allows attackers to manipulate configuration files due to incorrect permission assignments in Salesfo...
codeshare v1.0.0 contains an information leakage vulnerability that allows unauthorized access to users' full collaborat...
This vulnerability allows attackers to manipulate LLM prompts to write malicious content to configuration files in Sales...
This stored XSS vulnerability in Magento-lts allows attackers with admin database access or control over admin notificat...
This vulnerability in Vercel's AI SDK allows users to bypass filetype whitelists when uploading files, potentially enabl...
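The MetInfo CMS entry above (SSRF triggered via XXE) describes a chain that is easy to misread as two separate bugs. The following is an added, generic example written for this roundup; it is not MetInfo code and says nothing about how that product is affected. It uses Python's stdlib expat parser to show the mechanism: a parser that installs an external-entity handler will fetch whatever URL an attacker-supplied DOCTYPE names, which is the SSRF, and fold the response into the document. The metadata URL, the payload and the "fetched" response are all constructed here. The hardened variant rejects any DOCTYPE up front (the same policy defusedxml applies) and never installs an external-entity handler.

```python
import xml.parsers.expat

# Constructed attacker payload: an external general entity whose SYSTEM id
# points at a cloud metadata endpoint, the classic XXE-to-SSRF target.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<data><name>&xxe;</name></data>"""


def fake_fetch(url):
    """Stand-in for an HTTP client so the example runs offline.
    The body is constructed for this example; it is not real metadata."""
    return b"ami-id\ninstance-id\n"


def parse_unsafe(xml_bytes, fetch=fake_fetch):
    """Vulnerable pattern: expat with an ExternalEntityRefHandler that resolves
    any SYSTEM id found in the document. The server makes the request on the
    attacker's behalf and the response becomes part of the parsed data.
    Returns (urls_requested, character_data)."""
    requested = []
    text = []
    parser = xml.parsers.expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        requested.append(system_id)              # this is the SSRF
        body = fetch(system_id)
        sub = parser.ExternalEntityParserCreate(context)  # inherits handlers
        sub.Parse(body, True)                    # response parsed as entity text
        return 1                                 # non-zero: keep parsing

    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return requested, "".join(text)


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so may declare entities)."""


def parse_safe(xml_bytes):
    """Hardened variant: fail closed on any DOCTYPE, so no entity can be
    declared, and install no external-entity handler. Without a handler expat
    does not fetch anything; external references are merely reported to the
    DefaultHandler if one is set. Returns the document's character data."""
    text = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE is not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


if __name__ == "__main__":
    urls, data = parse_unsafe(MALICIOUS_XML)
    print("unsafe parser requested:", urls)
    print("unsafe parser returned :", repr(data))
    try:
        parse_safe(MALICIOUS_XML)
    except DoctypeRejected as exc:
        print("safe parser:", exc)
    print("safe parser on benign input:", parse_safe(b"<data><name>hello</name></data>"))
```

Two practical checks follow from this: grep the code base for `ExternalEntityRefHandler`, `resolve_entities`, `LIBXML_NOENT` and their equivalents in whatever XML library is in use, and make sure any parser that touches user input refuses a DOCTYPE rather than trying to filter individual entities.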
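The FreePBX Endpoint Manager entry above (post-authentication command injection in an SSH test-connection function) is a good reminder that "test connection" buttons are a recurring source of this bug class. The following is an added, generic example for this roundup, not FreePBX code, and it does not describe how that product's function is built. It contrasts a test-connection command assembled from request parameters and run through a shell with a version that validates each field and passes an argument vector without a shell. The field names, patterns and sample inputs are assumptions for the example. Note the second failure mode: even with no shell, a host that begins with `-` would be parsed by ssh as an option (for instance ProxyCommand, which runs a local command), so the allow-list rejects leading hyphens and the argv ends options with `--`.

```python
import re
import subprocess

# Allow-lists (assumed for this example): RFC 1123 host labels, conservative
# POSIX usernames, numeric ports. Neither pattern can start with '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_test_command_unsafe(user, host, port):
    """Vulnerable pattern: request parameters interpolated into a shell string.
    A host of '10.0.0.5; id' ends the ssh command and runs 'id' on the PBX."""
    return f"ssh -o BatchMode=yes -p {port} {user}@{host} true"


def run_test_connection_unsafe(user, host, port):
    # shell=True hands the whole string to /bin/sh: metacharacters are honoured.
    return subprocess.run(build_test_command_unsafe(user, host, port),
                          shell=True, capture_output=True, timeout=10)


def build_test_argv(user, host, port):
    """Hardened: validate every field against an allow-list, then build an
    argument vector. Raises ValueError on anything outside the allow-list."""
    port = str(port)
    if not USERNAME_RE.match(user):
        raise ValueError("invalid username")
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port")
    return [
        "ssh",
        "-o", "BatchMode=yes",            # never prompt; fail if keys are wrong
        "-o", "StrictHostKeyChecking=yes",
        "-p", port,
        "--",                             # POSIX getopt: no more options follow
        f"{user}@{host}",
        "true",
    ]


def run_test_connection(user, host, port):
    # No shell: each list element is one argv entry, so ';', '`', '$( )' and
    # friends are just characters in a hostname that the regex already refused.
    return subprocess.run(build_test_argv(user, host, port),
                          capture_output=True, timeout=10)


if __name__ == "__main__":
    print(build_test_command_unsafe("pbx", "10.0.0.5; id", "22"))
    print(build_test_argv("pbx", "10.0.0.5", "22"))
    for bad in ("10.0.0.5; id", "-oProxyCommand=id", "`id`", ""):
        try:
            build_test_argv("pbx", bad, "22")
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The usual detection-side check for this class is the shell itself: a `sh -c` child spawned by the web or PBX service account whose command line contains `ssh` alongside a second command is worth an alert on its own.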