New Templates Added: 50 | CVEs Added: 08 | First-time contributions: 3
π₯ Release Highlights π₯
- [CVE-2025-54782] NestJS DevTools Integration - Remote Code Execution (@nukunga) [critical] π₯
- [CVE-2025-25257] Fortinet FortiWeb - SQL Injection (@watchtowr, @johnk3r) [critical] π₯ (KEV)
- [CVE-2025-8286] GΓΌralp Systems FMUS Series - Unauthenticated Access (@darses) [critical] π₯
- [CVE-2025-8191] Swagger UI >=3.14.1 < 3.38.0 - DOM Based Cross-Site Scripting (@dhiyaneshdk) [medium] π₯
- [CVE-2025-5394] Unauthenticated Arbitrary Plugin Upload in Alone Theme (@Nxploited, @dhiyaneshdk) [critical] π₯ (KEV)
- [CVE-2025-4334] Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation (@pussycat0x) [critical] π₯
- [CVE-2024-2053] Artica Proxy - Unauthenticated LFI (@pussycat0x) [high] π₯
- [CVE-2022-25237] Bonita Web 2021.2 - Authentication/Authorization Bypass (@Sourabh-Sahu) [critical] π₯ (KEV)
What's Changed
- [CVE-2025-54782] NestJS DevTools Integration - Remote Code Execution (@nukunga) [critical] 🔥
- [CVE-2025-53558] ZTE ZXHN-F660T/F660A - Default Credentials (@dhiyaneshdk) [high]
- [CVE-2025-48954] Discourse OAuth Social Login - Cross-site Scripting (@ferreiraklet, @dhiyaneshdk, @pdresearch) [high]
- [CVE-2025-44177] White Star Software ProTop - Directory Traversal (@s-cu-bot) [high]
- [CVE-2025-25257] Fortinet FortiWeb - SQL Injection (@watchtowr, @johnk3r) [critical] 🔥 (KEV)
- [CVE-2025-8286] Güralp Systems FMUS Series - Unauthenticated Access (@darses) [critical] 🔥
- [CVE-2025-8191] Swagger UI >=3.14.1 < 3.38.0 - DOM Based Cross-Site Scripting (@dhiyaneshdk) [medium] 🔥
- [CVE-2025-6197] Open Redirect via Organization Switching (@iamnoooob, @pdresearch) [medium]
- [CVE-2025-5394] Unauthenticated Arbitrary Plugin Upload in Alone Theme (@Nxploited, @dhiyaneshdk) [critical] 🔥 (KEV)
- [CVE-2025-4334] Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation (@pussycat0x) [critical] 🔥
- [CVE-2025-1595] EasyCVR <=2.1.2 - Information Disclosure (@ritikchaddha) [medium]
- [CVE-2024-2053] Artica Proxy - Unauthenticated LFI (@pussycat0x) [high] 🔥
- [CVE-2022-25237] Bonita Web 2021.2 - Authentication/Authorization Bypass (@Sourabh-Sahu) [critical] 🔥 (KEV)
- [apache-inlong-default-login] Apache InLong - Default Login (@icarot) [high]
- [openmetadata-default-login] OpenMetadata - Default Login (@icarot) [high]
- [meddream-dicom-viewer-panel] MedDream DICOM Viewer - Panel (@darses) [info]
- [opensign-panel] OpenSign Login Panel - Detect (@righettod) [info]
- [scalar-detection] Scalar API Documentation - Detect (@recepgunes) [info]
- [suse-manager-panel] SUSE Manager Server - Panel (@darses) [info]
- [dnt-policy-detect] DNT Policy Declaration (@rxerium) [info]
- [zipline-installer] Zipline - Installer (@pussycat0x) [critical]
- [titiler-ssrf] TiTiler - Blind Server Side Request Forgery (@xbow, @dhiyaneshdk) [high]
- [tomcat-directory-listing] Apache Tomcat - Directory Listing Enabled (@oleveloper) [medium]
- [9gag] 9GAG User Name Information - Detect (@princechaddha, @rxerium) [info]
- [apple-developer] Apple Developer User Name Information - Detect (@princechaddha, @rxerium) [info]
- [apple-discussions] Apple Discussions User Name Information - Detect (@princechaddha, @rxerium) [info]
- [atcoder] AtCoder User Name Information - Detect (@princechaddha, @rxerium) [info]
- [bluesky] Bluesky User Name Information - Detect (@princechaddha, @rxerium) [info]
- [cgtrader] CGTrader User Name Information - Detect (@princechaddha, @rxerium) [info]
- [codechef] CodeChef User Name Information - Detect (@princechaddha, @rxerium) [info]
- [geeksforgeeks] GeeksforGeeks User Name Information - Detect (@princechaddha, @rxerium) [info]
- [genius-users] Genius Users User Name Information - Detect (@princechaddha, @rxerium) [info]
- [giant-bomb] Giant Bomb User Name Information - Detect (@princechaddha, @rxerium) [info]
- [hudsonrock] HudsonRock User Name Information - Detect (@princechaddha, @rxerium) [info]
- [kaskus] Kaskus User Name Information - Detect (@princechaddha, @rxerium) [info]
- [lastfm] Last.fm User Name Information - Detect (@princechaddha, @rxerium) [info]
- [letterboxd] Letterboxd User Name Information - Detect (@princechaddha, @rxerium) [info]
- [mixcloud] Mixcloud User Name Information - Detect (@princechaddha, @rxerium) [info]
- [monkeytype] Monkeytype User Name Information - Detect (@princechaddha, @rxerium) [info]
- [mydramalist] MyDramaList User Name Information - Detect (@princechaddha, @rxerium) [info]
- [nationstates-nation] NationStates Nation User Name Information - Detect (@princechaddha, @rxerium) [info]
- [replit] Replit User Name Information - Detect (@princechaddha, @rxerium) [info]
- [reverbnation] ReverbNation User Name Information - Detect (@princechaddha, @rxerium) [info]
- [runescape] RuneScape User Name Information - Detect (@princechaddha, @rxerium) [info]
- [scribd] Scribd User Name Information - Detect (@princechaddha, @rxerium) [info]
- [sketchfab] Sketchfab User Name Information - Detect (@princechaddha, @rxerium) [info]
- [slack] Slack User Name Information - Detect (@princechaddha, @rxerium) [info]
- [strava] Strava User Name Information - Detect (@princechaddha) [info]
- [topcoder] Topcoder User Name Information - Detect (@princechaddha, @rxerium) [info]
- [weblate] Weblate User Name Information - Detect (@princechaddha, @rxerium) [info]
- [younow] YouNow User Name Information - Detect (@princechaddha, @rxerium) [info]
- [apache-inlong-detect] Apache InLong - Detect (@icarot) [info]
- [nocobase-detect] NocoBase - Detect (@fur1na) [info]
- [openmetadata-detect] OpenMetadata - Detect (@icarot) [info]
- [easycvr-user-info-disclosure] EasyCVR User - Information Disclosure (@dostghost) [medium]
New Contributors
- @Sourabh-Sahu made their first contribution in #12657
- @s-cu-bot made their first contribution in #12749
- @oleveloper made their first contribution in #12761
Full Changelog: v10.2.6...v10.2.7