CVE-2025-9638
Published 2025-12-09
Priority P4 · 19 · medium · CVSS 3.1 base score 4.8
AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.18% (7.4th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint.
This issue affects i-Educar: 2.10.0.
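The description names the sink (the matricula_interna value rendered by educar_usuario_cad.php) but not the code. The block below is an added illustration and is not i-Educar's code: a hypothetical render helper showing the unescaped pattern that turns a stored value into a stored XSS, the output-encoded form that prevents it, and an allow-list check for the field at storage time. The sample record, the payload, the permitted character set and the function names are all constructed for the example.

```php
<?php
// Added illustration, not i-Educar code. Shows why a stored field such as
// matricula_interna must be HTML-encoded at the point of output. The row
// shape, the render helpers and the allow-list are hypothetical.

declare(strict_types=1);

// Constructed sample: a user record whose matricula_interna was saved with a
// script payload by an account that had rights to submit the registration form.
$stored = [
    'nome'              => 'Maria',
    'matricula_interna' => '"><script>alert(document.domain)</script>',
];

// Vulnerable pattern: the stored value is interpolated straight into markup,
// so the closing quote in the payload ends the attribute and the <script>
// element becomes live when any other user views the record.
function renderUnsafe(array $row): string
{
    return '<input name="matricula_interna" value="' . $row['matricula_interna'] . '">';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES escapes both " and ' so the value cannot break out of an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(array $row): string
{
    return '<input name="matricula_interna" value="' . e($row['matricula_interna']) . '">';
}

// Defence in depth on the input side: an internal enrolment number has a
// narrow legitimate shape, so rejecting anything outside an allow-list when
// the form is submitted removes the payload before it is stored. The
// character set and length here are assumptions, not taken from i-Educar.
function isValidMatricula(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9.\-\/]{1,32}\z/', $value) === 1;
}

echo renderUnsafe($stored), PHP_EOL;
echo renderSafe($stored), PHP_EOL;
var_dump(isValidMatricula($stored['matricula_interna']));
var_dump(isValidMatricula('2025-00123'));
```

Output encoding is the fix that addresses the CWE named in the title; the allow-list only narrows the field and does not replace encoding, since the same stored value may later be emitted into other contexts (JavaScript, URLs) that need their own encoder.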
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| portabilis | i-educar | 2.10.0 | — |
CVSS provenance
NVD, CVSS v3.1: 4.8 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v4.0: 4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Read together with the description, the vectors say: PR:H because the injecting account needs the privileges to submit the matricula_interna field through educar_usuario_cad.php; UI:R (v3.1) / UI:P (v4.0) because a victim has to open a page that renders the stored value; and S:C (v3.1) / SC:L, SI:L (v4.0) because the script runs in the victim's browser session, not against the injecting account's own resources.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-71292 [MEDIUM] kernel: jfs: nlink overflow in jfs_rename
bugzilla·2026-05-06
In the Linux kernel, the following vulnerability has been resolved:
jfs: nlink overflow in jfs_rename
If nlink is maximal for a directory (-1) and inside that directory you
perform a rename for some child directory (not moving from the parent),
then the nlink of the first directory is first incremented and later
decremented. Normally this is fine, but when nlink = -1 this causes a
wraparound to 0, and then drop_nlink issues a warning.
After applying the patch, syzbot no longer issues any warnings. I also
ran some basic fs tests to look for any regressions.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2026050632-CVE-2025-71292-9638@gregkh/T
Bugzilla
CVE-2025-38309 [MEDIUM] kernel: drm/xe/vm: move xe_svm_init() earlier
bugzilla·2025-07-10·CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/vm: move xe_svm_init() earlier
In xe_vm_close_and_put() we need to be able to call xe_svm_fini(),
however during vm creation we can call this on the error path, before
having actually initialised the svm state, leading to various splats
followed by a fatal NPD.
(cherry picked from commit 4f296d77cf49fcb5f90b4674123ad7f3a0676165)
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2025071014-CVE-2025-38309-9638@gregkh/T