>> ZERO-DAY DISCOVERIES
Original vulnerability research uncovering previously unknown security flaws in popular software and frameworks. Each discovery includes technical analysis, impact assessment, and responsible disclosure timelines. Multiple CVE assignments and vendor acknowledgments.
CVE-2025-41228
VMware vSphere Client 8.0.3.0 - Reflected Cross-Site Scripting (XSS). The application fails to sanitize input passed via a query string to the /folder endpoint, resulting in arbitrary JavaScript execution when the reflected value is rendered into an HTML form's action attribute.
CVE-2025-44177
Local File Inclusion in White Star Software Protop v4.4.2-2024-11-27. A directory traversal vulnerability exists in the /pt3upd/ endpoint. An unauthenticated attacker can remotely access arbitrary files on the server by sending crafted requests using encoded traversal sequences.
CVE-2025-56447
Authentication Bypass & Plaintext Credential Disclosure in TM2 Monitoring v3.04. The system is vulnerable to remote authentication bypass and plaintext credential disclosure because it relies on client-side JavaScript for access control and performs no server-side session validation.