Patch Tuesday — January 2025
2025-01-14 · 1182 CVEs
CVEs published or modified the week of 2025-01-14, partitioned by vendor.
Microsoft (173 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21311 | Critical | 9.8 | — | 2025-01-14 | Windows NTLM V1 Elevation of Privilege Vulnerability |
CVE-2025-21307 | Critical | 9.8 | — | 2025-01-14 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability |
CVE-2025-21298 | Critical | 9.8 | — | 2025-01-14 | Windows OLE Remote Code Execution Vulnerability |
CVE-2025-0502 | Critical | 9.1 | — | 2025-01-15 | Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure. This issue affects CrafterCMS: from 4.0.0… |
CVE-2025-21417 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21413 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21411 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21409 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21339 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21306 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21305 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21303 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21302 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21293 | High | 8.8 | — | 2025-01-14 | Active Directory Domain Services Elevation of Privilege Vulnerability |
CVE-2025-21292 | High | 8.8 | — | 2025-01-14 | Windows Search Service Elevation of Privilege Vulnerability |
CVE-2025-21291 | High | 8.8 | — | 2025-01-14 | Windows Direct Show Remote Code Execution Vulnerability |
CVE-2025-21286 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21282 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21273 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21266 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21252 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21250 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21248 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21246 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21245 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21244 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21243 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21241 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21240 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21239 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21238 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21237 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21236 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21233 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21223 | High | 8.8 | — | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2025-21178 | High | 8.8 | — | 2025-01-14 | Visual Studio Remote Code Execution Vulnerability |
CVE-2025-21176 | High | 8.8 | — | 2025-01-14 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability |
CVE-2025-21362 | High | 8.4 | — | 2025-01-14 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2025-21354 | High | 8.4 | — | 2025-01-14 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2025-21309 | High | 8.1 | — | 2025-01-14 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
CVE-2025-21297 | High | 8.1 | — | 2025-01-14 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
CVE-2025-21295 | High | 8.1 | — | 2025-01-14 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability |
CVE-2025-21294 | High | 8.1 | — | 2025-01-14 | Microsoft Digest Authentication Remote Code Execution Vulnerability |
CVE-2025-21224 | High | 8.1 | — | 2025-01-14 | Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability |
CVE-2025-21325 | High | 7.8 | — | 2025-01-17 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
CVE-2025-21135 | High | 7.8 | — | 2025-01-14 | Animate versions 24.0.6, 23.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21132 | High | 7.8 | — | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21131 | High | 7.8 | — | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21130 | High | 7.8 | — | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21129 | High | 7.8 | — | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21128 | High | 7.8 | — | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21127 | High | 7.8 | — | 2025-01-14 | Photoshop Desktop versions 25.12, 26.1 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could lead to arbitrary code execution. |
CVE-2025-21122 | High | 7.8 | — | 2025-01-14 | Photoshop Desktop versions 25.12, 26.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21402 | High | 7.8 | — | 2025-01-14 | Microsoft Office OneNote Remote Code Execution Vulnerability |
CVE-2025-21395 | High | 7.8 | — | 2025-01-14 | Microsoft Access Remote Code Execution Vulnerability |
CVE-2025-21382 | High | 7.8 | — | 2025-01-14 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2025-21378 | High | 7.8 | — | 2025-01-14 | Windows CSC Service Elevation of Privilege Vulnerability |
CVE-2025-21372 | High | 7.8 | — | 2025-01-14 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
CVE-2025-21370 | High | 7.8 | — | 2025-01-14 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
CVE-2025-21366 | High | 7.8 | — | 2025-01-14 | Microsoft Access Remote Code Execution Vulnerability |
CVE-2025-21365 | High | 7.8 | — | 2025-01-14 | Microsoft Office Remote Code Execution Vulnerability |
CVE-2025-21364 | High | 7.8 | — | 2025-01-14 | Microsoft Excel Security Feature Bypass Vulnerability |
CVE-2025-21363 | High | 7.8 | — | 2025-01-14 | Microsoft Word Remote Code Execution Vulnerability |
CVE-2025-21361 | High | 7.8 | — | 2025-01-14 | Microsoft Outlook Remote Code Execution Vulnerability |
CVE-2025-21360 | High | 7.8 | — | 2025-01-14 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability |
CVE-2025-21356 | High | 7.8 | — | 2025-01-14 | Microsoft Office Visio Remote Code Execution Vulnerability |
CVE-2025-21345 | High | 7.8 | — | 2025-01-14 | Microsoft Office Visio Remote Code Execution Vulnerability |
CVE-2025-21344 | High | 7.8 | — | 2025-01-14 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
CVE-2025-21338 | High | 7.8 | — | 2025-01-14 | GDI+ Remote Code Execution Vulnerability |
CVE-2025-21335 | High | 7.8 | KEV | 2025-01-14 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability |
CVE-2025-21334 | High | 7.8 | KEV | 2025-01-14 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability |
CVE-2025-21333 | High | 7.8 | KEV | 2025-01-14 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability |
CVE-2025-21326 | High | 7.8 | — | 2025-01-14 | Internet Explorer Remote Code Execution Vulnerability |
CVE-2025-21315 | High | 7.8 | — | 2025-01-14 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
CVE-2025-21304 | High | 7.8 | — | 2025-01-14 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
CVE-2025-21287 | High | 7.8 | — | 2025-01-14 | Windows Installer Elevation of Privilege Vulnerability |
CVE-2025-21281 | High | 7.8 | — | 2025-01-14 | Microsoft COM for Windows Elevation of Privilege Vulnerability |
CVE-2025-21275 | High | 7.8 | — | 2025-01-14 | Windows App Package Installer Elevation of Privilege Vulnerability |
CVE-2025-21271 | High | 7.8 | — | 2025-01-14 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
CVE-2025-21235 | High | 7.8 | — | 2025-01-14 | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability |
CVE-2025-21234 | High | 7.8 | — | 2025-01-14 | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability |
CVE-2025-21187 | High | 7.8 | — | 2025-01-14 | Microsoft Power Automate Remote Code Execution Vulnerability |
CVE-2025-21186 | High | 7.8 | — | 2025-01-14 | Microsoft Access Remote Code Execution Vulnerability |
CVE-2025-21389 | High | 7.5 | — | 2025-01-14 | Uncontrolled resource consumption in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to deny service over a network. |
CVE-2025-21343 | High | 7.5 | — | 2025-01-14 | Windows Web Threat Defense User Service Information Disclosure Vulnerability |
CVE-2025-21330 | High | 7.5 | — | 2025-01-14 | Windows Remote Desktop Services Denial of Service Vulnerability |
CVE-2025-21300 | High | 7.5 | — | 2025-01-14 | Windows Universal Plug and Play (UPnP) Device Host Denial of Service Vulnerability |
CVE-2025-21296 | High | 7.5 | — | 2025-01-14 | BranchCache Remote Code Execution Vulnerability |
CVE-2025-21290 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
CVE-2025-21289 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
CVE-2025-21285 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
CVE-2025-21277 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
CVE-2025-21276 | High | 7.5 | — | 2025-01-14 | Windows MapUrlToZone Denial of Service Vulnerability |
CVE-2025-21270 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
CVE-2025-21251 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
CVE-2025-21231 | High | 7.5 | — | 2025-01-14 | IP Helper Denial of Service Vulnerability |
CVE-2025-21230 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
CVE-2025-21220 | High | 7.5 | — | 2025-01-14 | Microsoft Message Queuing Information Disclosure Vulnerability |
CVE-2025-21218 | High | 7.5 | — | 2025-01-14 | Windows Kerberos Denial of Service Vulnerability |
CVE-2025-21207 | High | 7.5 | — | 2025-01-14 | Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability |
CVE-2025-21172 | High | 7.5 | — | 2025-01-14 | .NET and Visual Studio Remote Code Execution Vulnerability |
CVE-2025-21171 | High | 7.5 | — | 2025-01-14 | .NET Remote Code Execution Vulnerability |
CVE-2025-21399 | High | 7.4 | — | 2025-01-17 | Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability |
CVE-2025-21405 | High | 7.3 | — | 2025-01-14 | Visual Studio Elevation of Privilege Vulnerability |
CVE-2025-21331 | High | 7.3 | — | 2025-01-14 | Windows Installer Elevation of Privilege Vulnerability |
CVE-2025-21173 | High | 7.3 | — | 2025-01-14 | .NET Elevation of Privilege Vulnerability |
CVE-2025-21348 | High | 7.2 | — | 2025-01-14 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
CVE-2025-21346 | High | 7.1 | — | 2025-01-14 | Microsoft Office Security Feature Bypass Vulnerability |
CVE-2025-21299 | High | 7.1 | — | 2025-01-14 | Windows Kerberos Security Feature Bypass Vulnerability |
CVE-2025-21211 | Medium | 6.8 | — | 2025-01-14 | Secure Boot Security Feature Bypass Vulnerability |
CVE-2025-21357 | Medium | 6.7 | — | 2025-01-14 | Microsoft Outlook Remote Code Execution Vulnerability |
CVE-2025-21341 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21327 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21324 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21310 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21265 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21263 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21261 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21260 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21258 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21256 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21255 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21249 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21232 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21229 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21228 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21227 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21226 | Medium | 6.6 | — | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability |
CVE-2025-21185 | Medium | 6.5 | — | 2025-01-17 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2024-52363 | Medium | 6.5 | — | 2025-01-17 | IBM InfoSphere Information Server 11.7 could allow a remote attacker to traverse directories on the system. |
CVE-2025-0440 | Medium | 6.5 | — | 2025-01-15 | Inappropriate implementation in Fullscreen in Google Chrome on Windows prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. |
CVE-2025-21314 | Medium | 6.5 | — | 2025-01-14 | Windows SmartScreen Spoofing Vulnerability |
CVE-2025-21313 | Medium | 6.5 | — | 2025-01-14 | Windows Security Account Manager (SAM) Denial of Service Vulnerability |
CVE-2025-21308 | Medium | 6.5 | — | 2025-01-14 | Windows Themes Spoofing Vulnerability |
CVE-2025-21301 | Medium | 6.5 | — | 2025-01-14 | Windows Geolocation Service Information Disclosure Vulnerability |
CVE-2025-21288 | Medium | 6.5 | — | 2025-01-14 | Windows COM Server Information Disclosure Vulnerability |
CVE-2025-21272 | Medium | 6.5 | — | 2025-01-14 | Windows COM Server Information Disclosure Vulnerability |
CVE-2025-21217 | Medium | 6.5 | — | 2025-01-14 | Windows NTLM Spoofing Vulnerability |
CVE-2025-21193 | Medium | 6.5 | — | 2025-01-14 | Active Directory Federation Server Spoofing Vulnerability |
CVE-2025-21403 | Medium | 6.4 | — | 2025-01-14 | On-Premises Data Gateway Information Disclosure Vulnerability |
CVE-2025-21393 | Medium | 6.3 | — | 2025-01-14 | Microsoft SharePoint Server Spoofing Vulnerability |
CVE-2025-21278 | Medium | 6.2 | — | 2025-01-14 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability |
CVE-2024-52898 | Medium | 6.2 | — | 2025-01-14 | IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD web console could allow a local user to obtain sensitive information when a detailed technical error message is returned. |
CVE-2025-21202 | Medium | 6.1 | — | 2025-01-14 | Windows Recovery Environment Agent Elevation of Privilege Vulnerability |
CVE-2025-21242 | Medium | 5.9 | — | 2025-01-14 | Windows Kerberos Information Disclosure Vulnerability |
CVE-2025-21225 | Medium | 5.9 | — | 2025-01-14 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability |
CVE-2025-21336 | Medium | 5.6 | — | 2025-01-14 | Windows Cryptographic Information Disclosure Vulnerability |
CVE-2025-21374 | Medium | 5.5 | — | 2025-01-14 | Windows CSC Service Information Disclosure Vulnerability |
CVE-2025-21340 | Medium | 5.5 | — | 2025-01-14 | Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability |
CVE-2025-21323 | Medium | 5.5 | — | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability |
CVE-2025-21321 | Medium | 5.5 | — | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability |
CVE-2025-21320 | Medium | 5.5 | — | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability |
CVE-2025-21319 | Medium | 5.5 | — | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability |
CVE-2025-21318 | Medium | 5.5 | — | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability |
CVE-2025-21317 | Medium | 5.5 | — | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability |
CVE-2025-21316 | Medium | 5.5 | — | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability |
CVE-2025-21284 | Medium | 5.5 | — | 2025-01-14 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability |
CVE-2025-21280 | Medium | 5.5 | — | 2025-01-14 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability |
CVE-2025-21274 | Medium | 5.5 | — | 2025-01-14 | Windows Event Tracing Denial of Service Vulnerability |
CVE-2025-21257 | Medium | 5.5 | — | 2025-01-14 | Windows WLAN AutoConfig Service Information Disclosure Vulnerability |
CVE-2025-21215 | Medium | 4.6 | — | 2025-01-14 | Secure Boot Security Feature Bypass Vulnerability |
CVE-2025-21213 | Medium | 4.6 | — | 2025-01-14 | Secure Boot Security Feature Bypass Vulnerability |
CVE-2024-54540 | Medium | 4.3 | — | 2025-01-15 | The issue was addressed with improved input sanitization. |
CVE-2025-21332 | Medium | 4.3 | — | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
CVE-2025-21329 | Medium | 4.3 | — | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
CVE-2025-21328 | Medium | 4.3 | — | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
CVE-2025-21269 | Medium | 4.3 | — | 2025-01-14 | Windows HTML Platforms Security Feature Bypass Vulnerability |
CVE-2025-21268 | Medium | 4.3 | — | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
CVE-2025-21219 | Medium | 4.3 | — | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
CVE-2025-21189 | Medium | 4.3 | — | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability |
CVE-2025-21214 | Medium | 4.2 | — | 2025-01-14 | Windows BitLocker Information Disclosure Vulnerability |
CVE-2025-21210 | Medium | 4.2 | — | 2025-01-14 | Windows BitLocker Information Disclosure Vulnerability |
CVE-2025-21312 | Low | 2.4 | — | 2025-01-14 | Windows Smart Card Reader Information Disclosure Vulnerability |
Other vendors (1009 CVEs across 445 vendors)
N/a · 143 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57726 | Critical | 9.9 | KEV | 2025-01-15 | SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. |
CVE-2024-57035 | Critical | 9.8 | — | 2025-01-17 | WeGIA v3.2.0 is vulnerable to SQL Injection via the nextPage parameter in /controle/control.php. |
CVE-2024-57034 | Critical | 9.8 | — | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to SQL Injection in query_geracao_auto.php via the query parameter. |
CVE-2024-57032 | Critical | 9.8 | — | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. |
CVE-2024-57031 | Critical | 9.8 | — | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to SQL Injection in /funcionario/remuneracao.php via the id_funcionario parameter. |
CVE-2024-57703 | Critical | 9.8 | — | 2025-01-16 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability. |
CVE-2024-57583 | Critical | 9.8 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a command injection vulnerability via the usbName parameter in the formSetSambaConf function. |
CVE-2024-57582 | Critical | 9.8 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the startIP parameter in the formSetPPTPServer function. |
CVE-2024-57581 | Critical | 9.8 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function. |
CVE-2024-57580 | Critical | 9.8 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function. |
CVE-2024-57579 | Critical | 9.8 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the limitSpeedUp parameter in the formSetClientState function. |
CVE-2024-57575 | Critical | 9.8 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the ssid parameter in the form_fast_setting_wifi_set function. |
CVE-2024-48126 | Critical | 9.8 | — | 2025-01-15 | HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access. |
CVE-2024-57483 | Critical | 9.8 | — | 2025-01-14 | Tenda i24 V2.0.0.5 is vulnerable to Buffer Overflow in the addWifiMacFilter function. |
CVE-2024-53553 | Critical | 9.1 | — | 2025-01-16 | An issue in OPEXUS FOIAXPRESS PUBLIC ACCESS LINK v11.1.0 allows attackers to bypass authentication via crafted web requests. |
CVE-2024-57766 | Critical | 9.1 | — | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. |
CVE-2024-57764 | Critical | 9.1 | — | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. |
CVE-2024-57763 | Critical | 9.1 | — | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. |
CVE-2024-57811 | Critical | 9.1 | — | 2025-01-13 | In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH. |
CVE-2024-46310 | Critical | 9.1 | — | 2025-01-13 | Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via an exposed API endpoint. |
CVE-2024-57704 | High | 8.8 | — | 2025-01-16 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability. |
CVE-2024-57578 | High | 8.8 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the funcpara1 parameter in the formSetCfm function. |
CVE-2024-57022 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sHour" parameter in setWiFiScheduleCfg. |
CVE-2024-57021 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eHour" parameter in setWiFiScheduleCfg. |
CVE-2024-57020 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sMinute" parameter in setWiFiScheduleCfg. |
CVE-2024-57019 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "limit" parameter in setVpnAccountCfg. |
CVE-2024-57018 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in setVpnAccountCfg. |
CVE-2024-57017 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "pass" parameter in setVpnAccountCfg. |
CVE-2024-57016 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "user" parameter in setVpnAccountCfg. |
CVE-2024-57015 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "hour" parameter in setScheduleCfg. |
CVE-2024-57014 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "recHour" parameter in setScheduleCfg. |
CVE-2024-57013 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "switch" parameter in setScheduleCfg. |
CVE-2024-57012 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setScheduleCfg. |
CVE-2024-57011 | High | 8.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "minute" parameters in setScheduleCfg. |
CVE-2023-42244 | High | 8.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42228 | High | 8.8 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. |
CVE-2024-54660 | High | 8.7 | — | 2025-01-16 | A JNDI injection issue was discovered in Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35. |
CVE-2024-53561 | High | 8.7 | — | 2025-01-14 | A remote code execution (RCE) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary code via a crafted request. |
CVE-2024-57767 | High | 8.6 | — | 2025-01-15 | MSFM before v2025.01.01 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /file/download. |
CVE-2024-48123 | High | 8.4 | — | 2025-01-15 | An issue in the USB Autorun function of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to execute arbitrary code via uploading a crafted script from a USB device. |
CVE-2024-57030 | High | 8.1 | — | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to Cross Site Scripting (XSS) in /geral/documentos_funcionario.php via the id parameter. |
CVE-2024-46450 | High | 8.1 | — | 2025-01-16 | Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request. |
CVE-2023-42231 | High | 8.1 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. |
CVE-2024-55511 | High | 7.8 | — | 2025-01-16 | A null pointer dereference vulnerability in Macrium Reflect prior to 8.1.8017 allows a local attacker to cause a system crash or potentially elevate their privileges via executing a specially crafted executable. |
CVE-2024-57727 | High | 7.5 | KEV | 2025-01-15 | SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. |
CVE-2024-48125 | High | 7.5 | — | 2025-01-15 | An issue in the AsDB service of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to enumerate user credentials via crafted GIOP protocol requests. |
CVE-2024-50954 | High | 7.5 | — | 2025-01-15 | The XINJE XL5E-16T and XD5E-24R-E programmable logic controllers V3.5.3b-V3.7.2a have a vulnerability in handling Modbus messages. |
CVE-2024-50953 | High | 7.5 | — | 2025-01-15 | An issue in XINJE XL5E-16T V3.7.2a allows attackers to cause a Denial of Service (DoS) via a crafted Modbus message. |
CVE-2024-57765 | High | 7.5 | — | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a SQL injection vulnerability via the s_name parameter at table/list. |
CVE-2024-57762 | High | 7.5 | — | 2025-01-15 | MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. |
CVE-2024-54730 | High | 7.5 | — | 2025-01-14 | Flatnotes <v5.3.1 is vulnerable to denial of service through the upload image function. |
CVE-2025-22984 | High | 7.5 | — | 2025-01-14 | An access control issue in the component /api/squareComment/DelectSquareById of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information. |
CVE-2025-22983 | High | 7.5 | — | 2025-01-14 | An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information. |
CVE-2024-57664 | High | 7.5 | — | 2025-01-14 | An issue in the sqlg_group_node component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57663 | High | 7.5 | — | 2025-01-14 | An issue in the sqlg_place_dpipes component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57662 | High | 7.5 | — | 2025-01-14 | An issue in the sqlg_hash_source component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57661 | High | 7.5 | — | 2025-01-14 | An issue in the sqlo_df component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57660 | High | 7.5 | — | 2025-01-14 | An issue in the sqlo_expand_jts component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57659 | High | 7.5 | — | 2025-01-14 | An issue in the sqlg_parallel_ts_seq component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57658 | High | 7.5 | — | 2025-01-14 | An issue in the sql_tree_hash_1 component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57657 | High | 7.5 | — | 2025-01-14 | An issue in the sqlg_vec_upd component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57656 | High | 7.5 | — | 2025-01-14 | An issue in the sqlc_add_distinct_node component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57655 | High | 7.5 | — | 2025-01-14 | An issue in the dfe_n_in_order component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57654 | High | 7.5 | — | 2025-01-14 | An issue in the qst_vec_get_int64 component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57653 | High | 7.5 | — | 2025-01-14 | An issue in the qst_vec_set_copy component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57652 | High | 7.5 | — | 2025-01-14 | An issue in the numeric_to_dv component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57651 | High | 7.5 | — | 2025-01-14 | An issue in the jp_add component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57650 | High | 7.5 | — | 2025-01-14 | An issue in the qi_inst_state_free component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57649 | High | 7.5 | — | 2025-01-14 | An issue in the qst_vec_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57648 | High | 7.5 | — | 2025-01-14 | An issue in the itc_set_param_row component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57647 | High | 7.5 | — | 2025-01-14 | An issue in the row_insert_cast component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57646 | High | 7.5 | — | 2025-01-14 | An issue in the psiginfo component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57645 | High | 7.5 | — | 2025-01-14 | An issue in the qi_inst_state_free component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57644 | High | 7.5 | — | 2025-01-14 | An issue in the itc_hash_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57643 | High | 7.5 | — | 2025-01-14 | An issue in the box_deserialize_string component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57642 | High | 7.5 | — | 2025-01-14 | An issue in the dfe_inx_op_col_def_table component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57641 | High | 7.5 | — | 2025-01-14 | An issue in the sqlexp component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57640 | High | 7.5 | — | 2025-01-14 | An issue in the dc_add_int component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57639 | High | 7.5 | — | 2025-01-14 | An issue in the dc_elt_size component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57638 | High | 7.5 | — | 2025-01-14 | An issue in the dfe_body_copy component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57637 | High | 7.5 | — | 2025-01-14 | An issue in the dfe_unit_gb_dependant component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57636 | High | 7.5 | — | 2025-01-14 | An issue in the itc_sample_row_check component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57635 | High | 7.5 | — | 2025-01-14 | An issue in the chash_array component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2023-42232 | High | 7.5 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Navigator/Index function. |
CVE-2023-42227 | High | 7.5 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the WSCView/Save function. |
CVE-2023-42226 | High | 7.5 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via Email/SaveAttachment function. |
CVE-2023-42225 | High | 7.5 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Attachment/DownloadTempFile function. |
CVE-2024-42911 | High | 7.4 | — | 2025-01-14 | ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability. |
CVE-2025-0465 | High | 7.3 | — | 2025-01-14 | A vulnerability was found in AquilaCMS 1.412.13. |
CVE-2025-0460 | High | 7.3 | — | 2025-01-14 | A vulnerability, which was classified as critical, was found in Blog Botz for Journal Theme 1.0 on OpenCart. |
CVE-2024-57728 | High | 7.2 | KEV | 2025-01-15 | SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. |
CVE-2024-52870 | High | 7.1 | — | 2025-01-17 | Teradata Vantage Editor 1.0.1 is mostly intended for SQL database access and docs.teradata.com access, but provides unintended functionality (including Chromium Developer Tools) that can result in a client user accessing arbitrary remote w… |
CVE-2025-22976 | High | 7.1 | — | 2025-01-15 | SQL Injection vulnerability in dingfanzuCMS v.1.0 allows a local attacker to execute arbitrary code because the shopId parameter of the "checkOrder.php" module is not filtered correctly. |
CVE-2024-57025 | Medium | 6.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in setWiFiScheduleCfg. |
CVE-2024-57024 | Medium | 6.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eMinute" parameter in setWiFiScheduleCfg. |
CVE-2024-57023 | Medium | 6.8 | — | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setWiFiScheduleCfg. |
CVE-2024-48122 | Medium | 6.7 | — | 2025-01-15 | Insecure default configurations in HI-SCAN 6040i Hitrax HX-03-19-I allow authenticated attackers with low-level privileges to escalate to root-level privileges. |
CVE-2024-50967 | Medium | 6.5 | — | 2025-01-17 | The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability. |
CVE-2024-41454 | Medium | 6.5 | — | 2025-01-15 | An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file. |
CVE-2024-39967 | Medium | 6.5 | — | 2025-01-15 | Insecure permissions in Aginode GigaSwitch v5 allow attackers to access sensitive information via the SCP command. |
CVE-2024-36751 | Medium | 6.5 | — | 2025-01-15 | An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. |
CVE-2024-48121 | Medium | 6.5 | — | 2025-01-15 | The HI-SCAN 6040i Hitrax HX-03-19-I was discovered to transmit user credentials in cleartext over the GIOP protocol. |
CVE-2023-42248 | Medium | 6.5 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42229 | Medium | 6.5 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal. |
CVE-2024-46921 | Medium | 6.5 | — | 2025-01-13 | An issue was discovered in Samsung Mobile Processor and Modem Exynos 9820, 9825, 980, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W1000, Modem 5123, Modem 5300, Modem 5400. |
CVE-2024-46920 | Medium | 6.5 | — | 2025-01-13 | An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 850, 1080, 2100, and 1280. |
CVE-2024-57369 | Medium | 6.4 | — | 2025-01-17 | Clickjacking vulnerability in typecho v1.2.1. |
CVE-2024-57033 | Medium | 6.1 | — | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to Cross Site Scripting (XSS) via the dados_addInfo parameter of documentos_funcionario.php. |
CVE-2024-57372 | Medium | 6.1 | — | 2025-01-17 | Cross Site Scripting vulnerability in InformationPush master version allows a remote attacker to obtain sensitive information via the title, time and msg parameters. |
CVE-2024-57370 | Medium | 6.1 | — | 2025-01-17 | Cross Site Scripting vulnerability in sunnygkp10 Online Exam System master version allows a remote attacker to obtain sensitive information via the w parameter. |
CVE-2023-42250 | Medium | 6.1 | — | 2025-01-13 | Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via /common/autocomplete.php. |
CVE-2023-42249 | Medium | 6.1 | — | 2025-01-13 | Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via vam/vam_visits.php. |
CVE-2023-42247 | Medium | 6.1 | — | 2025-01-13 | Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via monitor/s_monitor_map.php. |
CVE-2023-42246 | Medium | 6.1 | — | 2025-01-13 | Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via /vam/vam_ep.php. |
CVE-2023-42245 | Medium | 6.1 | — | 2025-01-13 | Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via monitor/s_scheduledfile.php. |
CVE-2023-42233 | Medium | 6.1 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Scripting (XSS) via the Filter/FilterEditor function. |
CVE-2023-42230 | Medium | 6.1 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Scripting (XSS) via the WSCView/Save function. |
CVE-2024-44771 | Medium | 6.1 | — | 2025-01-13 | BigId PrivacyPortal v179 is vulnerable to Cross Site Scripting (XSS) via the "Label" field in the Report template function. |
CVE-2024-57577 | Medium | 5.7 | — | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the speed_dir parameter in the formSetSpeedWan function. |
CVE-2024-57784 | Medium | 5.5 | — | 2025-01-16 | An issue in the component /php/script_uploads.php of Zenitel AlphaWeb XE v11.2.3.10 allows attackers to execute a directory traversal. |
CVE-2024-53563 | Medium | 5.4 | — | 2025-01-14 | A stored cross-site scripting (XSS) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. |
CVE-2023-42243 | Medium | 5.4 | — | 2025-01-13 | In Selesta Visual Access Manager < 4.42.2, an authenticated user can access the administrative page /common/vam_Sql.php, which allows for arbitrary SQL queries. |
CVE-2023-42234 | Medium | 5.4 | — | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Request Forgery (CSRF) via the WSCView function. |
CVE-2024-46919 | Medium | 5.3 | — | 2025-01-13 | An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 850, 1080, 2100, and 1280. |
CVE-2024-52783 | Medium | 5.1 | — | 2025-01-15 | Insecure permissions in the XNetSocketClient component of XINJE XDPPro.exe v3.2.2 to v3.7.17c allow attackers to execute arbitrary code via modification of the configuration file. |
CVE-2024-57785 | Medium | 4.9 | — | 2025-01-16 | Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via the component amc_uploads.php. |
CVE-2024-41453 | Medium | 4.8 | — | 2025-01-15 | A cross-site scripting (XSS) vulnerability in Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter. |
CVE-2024-40514 | Medium | 4.6 | — | 2025-01-16 | Insecure Permissions vulnerability in themesebrand Chatvia v.5.3.2 allows a remote attacker to escalate privileges via the User profile name and image upload functions. |
CVE-2024-40513 | Medium | 4.6 | — | 2025-01-16 | An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function. |
CVE-2024-57252 | Medium | 4.3 | — | 2025-01-17 | OtCMS <=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can read arbitrary system files. |
CVE-2024-48460 | Medium | 4.3 | — | 2025-01-16 | An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information: the client sends the SSH username and password to the server even when host key verification fails. |
CVE-2025-0480 | Medium | 4.3 | — | 2025-01-15 | A vulnerability classified as problematic has been found in wuzhicms 4.1.0. |
CVE-2024-48883 | Medium | 4.3 | — | 2025-01-13 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, and Modem 5300. |
CVE-2023-42242 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42241 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42240 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42239 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42238 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42237 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42236 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2023-42235 | Low | 3.8 | — | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. |
CVE-2024-53407 | Low | 3.3 | — | 2025-01-15 | In Phiewer 4.1.0, a dylib injection leads to command execution, which allows attackers to inject a dylib file, potentially leading to remote control and unauthorized access to sensitive user data. |
CVE-2024-37181 | Low | 2.6 | — | 2025-01-16 | Time-of-check time-of-use race condition in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable information disclosure via adjacent access. |
Wavlink · 62 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-39761 | Critical | 10.0 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39760 | Critical | 10.0 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39759 | Critical | 10.0 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39754 | Critical | 10.0 | — | 2025-01-14 | A static login vulnerability exists in the wctrls functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39608 | Critical | 10.0 | — | 2025-01-14 | A firmware update vulnerability exists in the login.cgi functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-36290 | Critical | 10.0 | — | 2025-01-14 | A buffer overflow vulnerability exists in the login.cgi Goto_chidx() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-36258 | Critical | 10.0 | — | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-34166 | Critical | 10.0 | — | 2025-01-14 | An OS command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39363 | Critical | 9.6 | — | 2025-01-14 | A cross-site scripting (XSS) vulnerability exists in the login.cgi set_lang_CountryCode() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39803 | Critical | 9.1 | — | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the qos.cgi qos_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39802 | Critical | 9.1 | — | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the qos.cgi qos_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39801 | Critical | 9.1 | — | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the qos.cgi qos_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39800 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39799 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39798 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39795 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39794 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39793 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39790 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39789 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39788 | Critical | 9.1 | — | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39787 | Critical | 9.1 | — | 2025-01-14 | Multiple directory traversal vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39786 | Critical | 9.1 | — | 2025-01-14 | Multiple directory traversal vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39785 | Critical | 9.1 | — | 2025-01-14 | Multiple command execution vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39784 | Critical | 9.1 | — | 2025-01-14 | Multiple command execution vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39783 | Critical | 9.1 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39782 | Critical | 9.1 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39781 | Critical | 9.1 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39774 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_sys_adm() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39770 | Critical | 9.1 | — | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39769 | Critical | 9.1 | — | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39768 | Critical | 9.1 | — | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39765 | Critical | 9.1 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39764 | Critical | 9.1 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39763 | Critical | 9.1 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39762 | Critical | 9.1 | — | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39757 | Critical | 9.1 | — | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi AddMac() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39756 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi rep_as_router() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39603 | Critical | 9.1 | — | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi set_wifi_basic_mesh() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39602 | Critical | 9.1 | — | 2025-01-14 | An external config control vulnerability exists in the nas.cgi set_nas() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39370 | Critical | 9.1 | — | 2025-01-14 | An arbitrary code execution vulnerability exists in the adm.cgi set_MeshAp() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39367 | Critical | 9.1 | — | 2025-01-14 | An OS command injection vulnerability exists in the firewall.cgi iptablesWebsFilterRun() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39360 | Critical | 9.1 | — | 2025-01-14 | An OS command injection vulnerability exists in the nas.cgi remove_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39359 | Critical | 9.1 | — | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi DeleteMac() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39358 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_wzap() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39357 | Critical | 9.1 | — | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi SetName() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39299 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the qos.cgi qos_sta_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39294 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_wzdgw4G() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39288 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39280 | Critical | 9.1 | — | 2025-01-14 | An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-38666 | Critical | 9.1 | — | 2025-01-14 | An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-37357 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-37186 | Critical | 9.1 | — | 2025-01-14 | An OS command injection vulnerability exists in the adm.cgi set_ledonoff() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-37184 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi rep_as_bridge() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-36493 | Critical | 9.1 | — | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi set_wifi_basic() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-36295 | Critical | 9.1 | — | 2025-01-14 | A command execution vulnerability exists in the qos.cgi qos_sta() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-36272 | Critical | 9.1 | — | 2025-01-14 | A buffer overflow vulnerability exists in the usbip.cgi set_info() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-34544 | Critical | 9.1 | — | 2025-01-14 | A command injection vulnerability exists in the wireless.cgi AddMac() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-21797 | Critical | 9.1 | — | 2025-01-14 | A command execution vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39604 | Critical | 9.0 | — | 2025-01-14 | A command execution vulnerability exists in the update_filter_url.sh functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39273 | Critical | 9.0 | — | 2025-01-14 | A firmware update vulnerability exists in the fw_check.sh functionality of Wavlink AC3000 M33A8.V5030.210505. |
CVE-2024-39773 | Medium | 5.3 | — | 2025-01-14 | An information disclosure vulnerability exists in the testsave.sh functionality of Wavlink AC3000 M33A8.V5030.210505. |
Fortinet · 51 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55591 | Critical | 9.8 | KEV | 2025-01-14 | An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-… |
CVE-2023-37936 | Critical | 9.8 | — | 2025-01-14 | A use of hard-coded cryptographic key in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows attacker to execute unauthorized co… |
CVE-2024-48886 | Critical | 9.0 | — | 2025-01-14 | A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.17, 2.0.0 through 2.0… |
CVE-2024-47572 | Critical | 9.0 | — | 2025-01-14 | An improper neutralization of formula elements in a CSV file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows an attacker to execute unauthorized code or commands via a manipulated CSV file. |
CVE-2024-27778 | High | 8.8 | — | 2025-01-14 | An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 al… |
CVE-2023-37931 | High | 8.8 | — | 2025-01-14 | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-88] in FortiVoice Enterprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind SQL in… |
CVE-2024-35277 | High | 8.6 | — | 2025-01-14 | A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to access to the… |
CVE-2024-47571 | High | 8.1 | — | 2025-01-14 | An operation on a resource after expiration or release in Fortinet FortiManager 6.4.12 through 7.4.0 allows an attacker to gain improper access to FortiGate via valid credentials. |
CVE-2024-23106 | High | 8.1 | — | 2025-01-14 | An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through 7.2.4 and before 7.0.10 allows an unauthenticated attacker to try a brute force attack against the FortiClientEMS console via cr… |
CVE-2023-37937 | High | 7.8 | — | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0… |
CVE-2024-48884 | High | 7.5 | — | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7… |
CVE-2024-46670 | High | 7.5 | — | 2025-01-14 | An Out-of-bounds Read vulnerability [CWE-125] in FortiOS version 7.6.0, version 7.4.4 and below, version 7.2.9 and below and FortiSASE FortiOS tenant version 24.3.b IPsec IKE service may allow an unauthenticated remote attacker to trigger… |
CVE-2024-46668 | High | 7.5 | — | 2025-01-14 | An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenti… |
CVE-2024-46667 | High | 7.5 | — | 2025-01-14 | An allocation of resources without limits or throttling in Fortinet FortiSIEM 5.3 all versions, 5.4 all versions, 6.x all versions, 7.0 all versions, and 7.1.0 through 7.1.5 may allow an attacker to deny valid TLS traffic via consuming all… |
CVE-2024-50563 | High | 7.3 | — | 2025-01-16 | A weak authentication in Fortinet FortiManager Cloud, FortiAnalyzer versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiM… |
CVE-2024-45331 | High | 7.3 | — | 2025-01-16 | A incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13… |
CVE-2024-50566 | High | 7.2 | — | 2025-01-14 | An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiManager Cloud 7.6.0 through 7.6.1, FortiManager Cloud 7.4.0 through 7.4.4, FortiManager Cloud 7.2.2 through 7.2.7… |
CVE-2024-36512 | High | 7.2 | — | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager, FortiAnalyzer 7.4.0 through 7.4.3 and 7.2.0 through 7.2.5 and 7.0.2 through 7.0.12 and 6.2.10 through 6.2.13 allows an attacker to exe… |
CVE-2024-35273 | High | 7.2 | — | 2025-01-14 | An out-of-bounds write in Fortinet FortiManager version 7.4.0 through 7.4.2, FortiAnalyzer version 7.4.0 through 7.4.2 allows an attacker to escalate privileges via specially crafted HTTP requests. |
CVE-2024-48893 | Medium | 6.8 | — | 2025-01-14 | An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the c… |
CVE-2024-56497 | Medium | 6.7 | — | 2025-01-14 | An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiMail versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.6 and 6.4.0 through 6.4.7, FortiRecorder versions 7.0.0 and 6.4.0 throug… |
CVE-2024-40587 | Medium | 6.7 | — | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiVoice version 7.0.0 through 7.0.4 and before 6.4.9 allows an authenticated privileged attacker to execute… |
CVE-2024-33503 | Medium | 6.7 | — | 2025-01-14 | An improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6… |
CVE-2024-26012 | Medium | 6.7 | — | 2025-01-14 | An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiAP-S 6.2 all versions, and 6.4.0 through 6.4.9, FortiAP-W2 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.3, and 7.4.0 thr… |
CVE-2024-48890 | Medium | 6.6 | — | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR IMAP connector version 3.5.7 and below may allow an authenticated attacker to execute unauthorized code or co… |
CVE-2024-35275 | Medium | 6.6 | — | 2025-01-14 | An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, FortiManager version 7.4.0 through 7.4.2 allows an attacker to escalate privileges via specially… |
CVE-2024-54021 | Medium | 6.5 | — | 2025-01-14 | An Improper Neutralization of CRLF Sequences in HTTP Headers ('http response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 may allow a remote unauthenticated attacker to bypass… |
CVE-2024-36504 | Medium | 6.5 | — | 2025-01-14 | An out-of-bounds read vulnerability [CWE-125] in FortiOS SSLVPN web portal versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, 7.0 all versions, and 6.4 all versions may allow an authenticated attacker to perform a denial of servic… |
CVE-2024-33502 | Medium | 6.5 | — | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14 and 6.2.0 thro… |
CVE-2023-42786 | Medium | 6.5 | — | 2025-01-14 | A null pointer dereference in FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0 all versions, 6.4 all versions, 6.2 all versions and 6.0 all versions allows an attacker to trigger a denial of service via a crafted HTTP request. |
CVE-2023-42785 | Medium | 6.5 | — | 2025-01-14 | A null pointer dereference in FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0 all versions, 6.4 all versions, 6.2 all versions and 6.0 all versions allows an attacker to trigger a denial of service via a crafted HTTP request. |
CVE-2024-21758 | Medium | 6.4 | — | 2025-01-14 | A stack-based buffer overflow in Fortinet FortiWeb versions 7.2.0 through 7.2.7, and 7.4.0 through 7.4.1 may allow a privileged user to execute arbitrary code via specially crafted CLI commands, provided the user is able to evade FortiWeb… |
CVE-2024-35276 | Medium | 5.6 | — | 2025-01-14 | A stack-based buffer overflow in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6… |
CVE-2024-46664 | Medium | 5.5 | — | 2025-01-14 | A relative path traversal in Fortinet FortiRecorder [CWE-23] version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to read files from the underlying filesystem via crafted HTTP or HTTPS requests. |
CVE-2024-32115 | Medium | 5.5 | — | 2025-01-14 | A relative path traversal vulnerability [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPS requests. |
CVE-2024-35280 | Medium | 5.4 | — | 2025-01-15 | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiDeceptor 5.3.0, FortiDeceptor 5.2.0, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 al… |
CVE-2024-48885 | Medium | 5.3 | — | 2025-01-16 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9… |
CVE-2024-46666 | Medium | 5.3 | — | 2025-01-14 | An allocation of resources without limits or throttling [CWE-770] vulnerability in FortiOS versions 7.6.0, versions 7.4.4 through 7.4.0, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow a remote unauthenticated attacker to pr… |
CVE-2024-36510 | Medium | 5.3 | — | 2025-01-14 | An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions… |
CVE-2024-47566 | Medium | 5.1 | — | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') [CWE-23] in Fortinet FortiRecorder version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to delete files from the underlying filesystem vi… |
CVE-2023-46715 | Medium | 5.0 | — | 2025-01-14 | An origin validation error [CWE-346] vulnerability in Fortinet FortiOS IPSec VPN version 7.4.0 through 7.4.1 and version 7.2.6 and below allows an authenticated IPSec VPN user with dynamic IP addressing to send (but not receive) packets s… |
CVE-2024-45326 | Medium | 4.3 | — | 2025-01-14 | An Improper Access Control vulnerability [CWE-284] in Fortinet FortiDeceptor 6.0.0, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an a… |
CVE-2024-35278 | Medium | 4.3 | — | 2025-01-14 | An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiPortal versions 7.2.4 through 7.2.0 and 7.0.0 through 7.2.8 may allow an authenticated attacker to view the SQL query being run server-… |
CVE-2024-52969 | Medium | 4.1 | — | 2025-01-14 | An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSIEM version 7.1.7 and below, version 7.1.0, version 7.0.3 and below, version 6.7.9 and below, 6.7.8, version 6.6.5 and b… |
CVE-2024-52963 | Low | 3.7 | — | 2025-01-14 | An out-of-bounds write in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4.0 through 6.4.15 allows an attacker to trigger a denial of service via specially crafted packets. |
CVE-2024-46665 | Low | 3.7 | — | 2025-01-14 | An insertion of sensitive information into sent data vulnerability [CWE-201] in FortiOS 7.6.0, 7.4.0 through 7.4.4 may allow an attacker in a man-in-the-middle position to retrieve the RADIUS accounting server shared secret via interceptin… |
CVE-2024-36506 | Low | 3.7 | — | 2025-01-14 | An improper verification of source of a communication channel vulnerability [CWE-940] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, 6.4 all versions may allow a remote attacker to bypass the trusted host feature via sessi… |
CVE-2024-52967 | Low | 3.5 | — | 2025-01-14 | An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows an attacker to execute unauthorized code or commands via html injection. |
CVE-2024-46669 | Low | 3.5 | — | 2025-01-14 | An Integer Overflow or Wraparound vulnerability [CWE-190] in version 7.4.4 and below, version 7.2.10 and below; FortiSASE version 23.4.b FortiOS tenant IPsec IKE service may allow an authenticated attacker to crash the IPsec tunnel via cra… |
CVE-2024-50564 | Low | 3.3 | — | 2025-01-14 | A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named p… |
CVE-2024-55593 | Low | 2.7 | — | 2025-01-14 | An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows an attacker to gain information disclosure via crafted SQL queries. |
Linux · 32 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57900 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempte… |
CVE-2024-57899 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems On 32-bit systems, the size of an unsigned long is 4 bytes, while a u64 is 8 bytes. |
CVE-2024-57896 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kt… |
CVE-2024-57892 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses… |
CVE-2024-57887 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: drm: adv7511: Fix use-after-free in adv7533_attach_dsi() The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the sam… |
CVE-2024-57857 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Remove direct link to net_device Do not manage a per device direct link to net_device. |
CVE-2024-57801 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Skip restore TC rules for vport rep without loaded flag During driver unload, unregister_netdev is called after unloading vport rep. |
CVE-2024-57795 | High | 7.8 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Remove the direct link to net_device The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889 This problem also occurred in… |
CVE-2024-57893 | Medium | 6.3 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: oss: Fix races at processing SysEx messages OSS sequencer handles the SysEx messages split into 6-byte packets, and ALSA sequencer OSS layer tries to combine t… |
CVE-2025-21629 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offload of IPv6 packets with extension headers on devices that advertise N… |
CVE-2024-57903 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: restrict SO_REUSEPORT to inet sockets After blamed commit, crypto sockets could accidentally be destroyed from RCU call back, as spotted by syzbot [1]. |
CVE-2024-57902 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: af_packet: fix vlan_get_tci() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot. |
CVE-2024-57901 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot. |
CVE-2024-57897 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Correct the migration DMA map direction The SVM DMA device map direction should be set the same as the DMA unmap setting, otherwise the DMA core will report … |
CVE-2024-57895 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: set ATTR_CTIME flags when setting mtime David reported that the new warning from setattr_copy_mgtime is coming like the following. |
CVE-2024-57891 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix invalid irq restore in scx_ops_bypass() While adding outer irqsave/restore locking, 0e7ffff1b811 ("scx: Fix raciness in scx_ops_bypass()") forgot to conve… |
CVE-2024-57890 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication… |
CVE-2024-57889 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: slee… |
CVE-2024-57888 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECL… |
CVE-2024-57886 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()". |
CVE-2024-57885 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: fix sleeping function called from invalid context at print message Address a bug in the kernel that triggers a "sleeping function called from invalid contex… |
CVE-2024-57884 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm: vmscan: account for free pages to prevent infinite loop in throttle_direct_reclaim() The task sometimes continues looping in throttle_direct_reclaim() because allow_… |
CVE-2024-57883 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectedly through try_get_folio() by caller such as split_huge_pages. |
CVE-2024-57882 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix TCP options overflow. |
CVE-2024-57844 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix fault on fd close after unbind If userspace holds an fd open, unbinds the device and then closes it, the driver shouldn't try to access the hardware. |
CVE-2024-57841 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in tcp_conn_request() If inet_csk_reqsk_queue_hash_add() returns false, tcp_conn_request() will return without freeing the dst memory, which was allocated i… |
CVE-2024-57802 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: netrom: check buffer length before accessing it Syzkaller reports an uninit value read from ax25cmp when sending raw message through ieee802154 implementation. |
CVE-2024-54031 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Access to genmask field in struct nft_set_ext results in unaligned atomic read: [ 72.130109] Unab… |
CVE-2024-53681 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: nvmet: Don't overflow subsysnqn nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed size buffer, even though it is dynamically allocated to the size… |
CVE-2024-39282 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Fix FSM command timeout issue When the driver processes the internal state change command, it uses an asynchronous thread to process the command operation. |
CVE-2024-36476 | Medium | 5.5 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs: Ensure 'ib_sge list' is accessible Move the declaration of the 'ib_sge list' variable outside the 'always_invalidate' block to ensure it remains accessible fo… |
CVE-2024-57898 | Low | 3.3 | — | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: clear link ID from bitmap during link delete after clean up Currently, during link deletion, the link ID is first removed from the valid_links bitmap bef… |
Google · 20 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0447 | High | 8.8 | — | 2025-01-15 | Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page. |
CVE-2025-0443 | High | 8.8 | — | 2025-01-15 | Insufficient data validation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. |
CVE-2025-0438 | High | 8.8 | — | 2025-01-15 | Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. |
CVE-2025-0437 | High | 8.8 | — | 2025-01-15 | Out of bounds read in Metrics in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2025-0436 | High | 8.8 | — | 2025-01-15 | Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2025-0434 | High | 8.8 | — | 2025-01-15 | Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2018-9434 | High | 7.8 | — | 2025-01-17 | In multiple functions of Parcel.cpp, there is a possible way to bypass address space layout randomization. |
CVE-2018-9382 | High | 7.8 | — | 2025-01-17 | In multiple functions of WifiServiceImpl.java, there is a possible way to activate Wi-Fi hotspot from a non-owner profile due to a missing permission check. |
CVE-2018-9375 | High | 7.8 | — | 2025-01-17 | In multiple functions of UserDictionaryProvider.java, there is a possible way to add and delete words in the user dictionary due to a confused deputy. |
CVE-2025-0442 | Medium | 6.5 | — | 2025-01-15 | Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. |
CVE-2025-0441 | Medium | 6.5 | — | 2025-01-15 | Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to obtain potentially sensitive information from the system via a crafted HTML page. |
CVE-2025-0439 | Medium | 6.5 | — | 2025-01-15 | Race in Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. |
CVE-2025-0435 | Medium | 6.5 | — | 2025-01-15 | Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. |
CVE-2018-9447 | Medium | 5.5 | — | 2025-01-17 | In onCreate of EmergencyCallbackModeExitDialog.java, there is a possible way to crash the emergency callback mode due to a missing null check. |
CVE-2018-9379 | Medium | 5.5 | — | 2025-01-17 | In multiple functions of MiniThumbFile.java, there is a possible way to view the thumbnails of deleted photos due to a confused deputy. |
CVE-2017-13322 | Medium | 5.5 | — | 2025-01-17 | In endCallForSubscriber of PhoneInterfaceManager.java, there is a possible way to prevent access to emergency services due to a logic error in the code. |
CVE-2018-9384 | Medium | 4.4 | — | 2025-01-17 | In multiple locations, there is a possible way to bypass KASLR due to an unusual root cause. |
CVE-2018-9383 | Medium | 4.4 | — | 2025-01-17 | In asn1_ber_decoder of asn1_decoder.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2025-0448 | Medium | 4.3 | — | 2025-01-15 | Inappropriate implementation in Compositing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. |
CVE-2025-0446 | Medium | 4.3 | — | 2025-01-15 | Inappropriate implementation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. |
Ivanti · 20 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13161 | Critical | 9.8 | KEV | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. |
CVE-2024-13160 | Critical | 9.8 | KEV | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. |
CVE-2024-13159 | Critical | 9.8 | KEV | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. |
CVE-2024-10811 | Critical | 9.8 | — | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. |
CVE-2024-13172 | High | 7.8 | — | 2025-01-14 | Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2024-13171 | High | 7.8 | — | 2025-01-14 | Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2024-13169 | High | 7.8 | — | 2025-01-14 | An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. |
CVE-2024-13164 | High | 7.8 | — | 2025-01-14 | An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. |
CVE-2024-13163 | High | 7.8 | — | 2025-01-14 | Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2024-10630 | High | 7.8 | — | 2025-01-14 | A race condition in Ivanti Application Control Engine before version 10.14.4.0 allows a local authenticated attacker to bypass the application blocking functionality. |
CVE-2024-13170 | High | 7.5 | — | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-13168 | High | 7.5 | — | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-13167 | High | 7.5 | — | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-13166 | High | 7.5 | — | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-13165 | High | 7.5 | — | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-13180 | High | 7.5 | — | 2025-01-14 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. |
CVE-2024-13181 | High | 7.3 | — | 2025-01-14 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. |
CVE-2024-13179 | High | 7.3 | — | 2025-01-14 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. |
CVE-2024-13162 | High | 7.2 | — | 2025-01-14 | SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-13158 | High | 7.2 | — | 2025-01-14 | An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
MonetDB · 20 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57634 | High | 7.5 | — | 2025-01-14 | An issue in the exp_copy component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57633 | High | 7.5 | — | 2025-01-14 | An issue in the exps_bind_column component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57632 | High | 7.5 | — | 2025-01-14 | An issue in the is_column_unique component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57631 | High | 7.5 | — | 2025-01-14 | An issue in the exp_ref component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57630 | High | 7.5 | — | 2025-01-14 | An issue in the exps_card component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57629 | High | 7.5 | — | 2025-01-14 | An issue in the tail_type component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57628 | High | 7.5 | — | 2025-01-14 | An issue in the exp_values_set_supertype component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57627 | High | 7.5 | — | 2025-01-14 | An issue in the gc_col component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57626 | High | 7.5 | — | 2025-01-14 | An issue in the mat_join2 component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57625 | High | 7.5 | — | 2025-01-14 | An issue in the merge_table_prune_and_unionize component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57624 | High | 7.5 | — | 2025-01-14 | An issue in the exp_atom component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57623 | High | 7.5 | — | 2025-01-14 | An issue in the HEAP_malloc component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57622 | High | 7.5 | — | 2025-01-14 | An issue in the exp_bin component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57621 | High | 7.5 | — | 2025-01-14 | An issue in the GDKanalytical_correlation component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57620 | High | 7.5 | — | 2025-01-14 | An issue in the trimchars component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57619 | High | 7.5 | — | 2025-01-14 | An issue in the atom_get_int component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57618 | High | 7.5 | — | 2025-01-14 | An issue in the bind_col_exp component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57617 | High | 7.5 | — | 2025-01-14 | An issue in the dameraulevenshtein component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57616 | High | 7.5 | — | 2025-01-14 | An issue in the vscanf component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
CVE-2024-57615 | High | 7.5 | — | 2025-01-14 | An issue in the BATcalcbetween_intern component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. |
Labredescefetrj · 16 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23034 | Medium | 6.1 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23030 | Medium | 6.1 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-22619 | Medium | 6.1 | — | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-22617 | Medium | 6.1 | — | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-22615 | Medium | 6.1 | — | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23038 | Medium | 5.4 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23037 | Medium | 5.4 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23036 | Medium | 5.4 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23035 | Medium | 5.4 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23033 | Medium | 5.4 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23032 | Medium | 5.4 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-23031 | Medium | 5.4 | — | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-22618 | Medium | 5.4 | — | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-22616 | Medium | 5.4 | — | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-22614 | Medium | 5.4 | — | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
CVE-2025-22613 | Medium | 5.4 | — | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. |
Dlink · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57684 | Critical | 9.8 | — | 2025-01-16 | An access control issue in the component formDMZ.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the DMZ service of the device via a crafted POST request. |
CVE-2025-22968 | Critical | 9.8 | — | 2025-01-15 | An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using root account without restrictions |
CVE-2024-57682 | Medium | 6.5 | — | 2025-01-16 | An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request. |
CVE-2024-57679 | Medium | 6.5 | — | 2025-01-16 | An access control issue in the component form2RepeaterSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G repeater service of the device via a crafted POST request. |
CVE-2024-57678 | Medium | 6.5 | — | 2025-01-16 | An access control issue in the component form2WlAc.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G mac access control list of the device via a crafted POST request. |
CVE-2024-57677 | Medium | 6.5 | — | 2025-01-16 | An access control issue in the component form2Wan.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the wan service of the device via a crafted POST request. |
CVE-2024-57676 | Medium | 6.5 | — | 2025-01-16 | An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G wlan service of the device via a crafted POST request. |
CVE-2024-57681 | Medium | 5.3 | — | 2025-01-16 | An access control issue in the component form2alg.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the agl service of the device via a crafted POST request. |
CVE-2024-57680 | Medium | 5.3 | — | 2025-01-16 | An access control issue in the component form2PortriggerRule.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the port trigger of the device via a crafted POST request. |
CVE-2024-57683 | Medium | 4.3 | — | 2025-01-16 | An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request. |
Fanli2012 · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0486 | High | 7.3 | — | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0484 | High | 7.3 | — | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0 and classified as critical. |
CVE-2025-0482 | High | 7.3 | — | 2025-01-15 | A vulnerability, which was classified as critical, was found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0491 | Medium | 6.3 | — | 2025-01-15 | A vulnerability, which was classified as critical, was found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0490 | Medium | 6.3 | — | 2025-01-15 | A vulnerability, which was classified as critical, has been found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0489 | Medium | 6.3 | — | 2025-01-15 | A vulnerability classified as critical was found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0488 | Medium | 6.3 | — | 2025-01-15 | A vulnerability classified as critical has been found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0487 | Medium | 6.3 | — | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0485 | Low | 3.5 | — | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0. |
CVE-2025-0483 | Low | 3.5 | — | 2025-01-15 | A vulnerability has been found in Fanli2012 native-php-cms 1.0 and classified as problematic. |
Typo3 · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55924 | High | 8.0 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55921 | High | 7.5 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55922 | Medium | 5.4 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55892 | Medium | 4.8 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55945 | Medium | 4.3 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55923 | Medium | 4.3 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55920 | Medium | 4.3 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55894 | Medium | 4.3 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55893 | Medium | 4.3 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
CVE-2024-55891 | Low | 3.1 | — | 2025-01-14 | TYPO3 is a free and open source Content Management Framework. |
Jfinaloa_project · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57768 | Critical | 9.8 | — | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key. |
CVE-2024-57775 | High | 8.8 | — | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid. |
CVE-2024-57770 | High | 8.8 | — | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id. |
CVE-2024-57769 | High | 8.8 | — | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser. |
CVE-2024-57774 | Medium | 4.8 | — | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
CVE-2024-57773 | Medium | 4.8 | — | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
CVE-2024-57772 | Medium | 4.8 | — | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
CVE-2024-57771 | Medium | 4.8 | — | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
CVE-2024-57776 | Medium | 4.6 | — | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
Mattermost · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20630 | Medium | 6.5 | — | 2025-01-16 | Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel. |
CVE-2025-20621 | Medium | 6.5 | — | 2025-01-16 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to cr… |
CVE-2025-20072 | Medium | 6.5 | — | 2025-01-16 | Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input. |
CVE-2025-21083 | Medium | 6.5 | — | 2025-01-15 | Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. |
CVE-2025-20088 | Medium | 6.5 | — | 2025-01-15 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. |
CVE-2025-20086 | Medium | 6.5 | — | 2025-01-15 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. |
CVE-2025-20036 | Medium | 6.5 | — | 2025-01-15 | Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. |
CVE-2025-21088 | Medium | 6.5 | — | 2025-01-15 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend… |
CVE-2025-0476 | Medium | 4.3 | — | 2025-01-16 | Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment |
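The Mattermost client crashes listed above (CVE-2025-20621, CVE-2025-20630, CVE-2025-20088, CVE-2025-20086) share one failure mode: a post's `props.attachments` arrives with a field that is not a string, and the renderer assumes it is. The added Go example below is not Mattermost's code and does not reproduce the actual bug; it contrasts an unchecked type assertion, which panics on such input, with the checked form that rejects the post instead. The JSON payload and the `post` struct are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample: a post's props as a client might receive them. The
// "title" field is a number rather than a string, the shape of input the
// advisories above describe (hypothetical payload, not taken from the CVEs).
const samplePost = `{"props":{"attachments":[{"title":12345,"text":"hello"}]}}`

// post is a minimal stand-in for a chat message; props is a free-form map,
// which is why field types cannot be trusted without a check.
type post struct {
	Props map[string]any `json:"props"`
}

// parsePost decodes JSON into the loose map shape a client works with:
// objects become map[string]any, arrays []any, numbers float64.
func parsePost(raw string) (post, error) {
	var p post
	err := json.Unmarshal([]byte(raw), &p)
	return p, err
}

// renderTitleNaive mirrors the fragile pattern: single-value type assertions
// panic when the value has a different dynamic type, and an unrecovered
// panic takes the whole process (or UI thread) down with it.
func renderTitleNaive(p post) string {
	atts := p.Props["attachments"].([]any)
	first := atts[0].(map[string]any)
	return first["title"].(string)
}

// renderTitleSafe uses the two-value assertion form at every step and
// returns an error, so one malformed post cannot crash the app for everyone
// who views the channel.
func renderTitleSafe(p post) (string, error) {
	atts, ok := p.Props["attachments"].([]any)
	if !ok || len(atts) == 0 {
		return "", errors.New("attachments missing or not an array")
	}
	first, ok := atts[0].(map[string]any)
	if !ok {
		return "", errors.New("attachment is not an object")
	}
	title, ok := first["title"].(string)
	if !ok {
		return "", fmt.Errorf("title has type %T, want string", first["title"])
	}
	return title, nil
}

// naivePanics reports whether renderTitleNaive panics on the given post;
// recover() is used only to observe the crash for demonstration.
func naivePanics(p post) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	renderTitleNaive(p)
	return false
}

func main() {
	p, err := parsePost(samplePost)
	if err != nil {
		panic(err)
	}
	fmt.Println("naive renderer panics:", naivePanics(p))
	if _, err := renderTitleSafe(p); err != nil {
		fmt.Println("safe renderer rejected post:", err)
	}
}
```

The same rule applies to the `style` field on attachment actions (CVE-2025-20072, CVE-2025-21088): validate the type, and where a fixed vocabulary exists, the value, before rendering; untrusted JSON from another user is input, not a trusted struct.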
Apple · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-40771 | High | 7.8 | — | 2025-01-15 | The issue was addressed with improved memory handling. |
CVE-2024-27856 | High | 7.8 | — | 2025-01-15 | The issue was addressed with improved checks. |
CVE-2024-40854 | Medium | 5.5 | — | 2025-01-15 | A memory initialization issue was addressed with improved memory handling. |
CVE-2024-54470 | Medium | 4.6 | — | 2025-01-15 | A logic issue was addressed with improved checks. |
CVE-2024-44136 | Medium | 4.6 | — | 2025-01-15 | This issue was addressed through improved state management. |
CVE-2024-54535 | Medium | 4.3 | — | 2025-01-15 | A path handling issue was addressed with improved logic. |
CVE-2024-55503 | Low | 3.3 | — | 2025-01-15 | An issue in termius before v.9.9.0 allows a local attacker to execute arbitrary code via a crafted script to the DYLD_INSERT_LIBRARIES component. |
CVE-2024-40839 | Low | 2.4 | — | 2025-01-15 | This issue was addressed through improved state management. |
Sap_se · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0070 | Critical | 9.9 | — | 2025-01-14 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. |
CVE-2025-0069 | High | 7.8 | — | 2025-01-14 | Due to DLL injection vulnerability in SAPSetup, an attacker with either local user privileges or with access to a compromised corporate user's Windows account could gain higher privileges. |
CVE-2025-0067 | Medium | 6.3 | — | 2025-01-14 | Due to a missing authorization check on service endpoints in the SAP NetWeaver Application Server Java, an attacker with standard user role can create JCo connection entries, which are used for remote function calls from or to the applicat… |
CVE-2025-0059 | Medium | 6.0 | — | 2025-01-14 | Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. |
CVE-2025-0056 | Medium | 6.0 | — | 2025-01-14 | SAP GUI for Java saves user input on the client PC to improve usability. |
CVE-2025-0055 | Medium | 6.0 | — | 2025-01-14 | SAP GUI for Windows stores user input on the client PC to improve usability. |
CVE-2025-0057 | Medium | 4.8 | — | 2025-01-14 | SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. |
CVE-2025-0068 | Medium | 4.3 | — | 2025-01-14 | An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. |
Schneider Electric · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10497 | High | 8.8 | — | 2025-01-17 | CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HT… |
CVE-2024-12142 | High | 8.6 | — | 2025-01-17 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause information disclosure of restricted web page, modification of web page and denial of service when specific web pages are modified an… |
CVE-2024-12703 | High | 7.8 | — | 2025-01-17 | CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file. |
CVE-2024-12476 | High | 7.8 | — | 2025-01-17 | CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific craft… |
CVE-2024-11425 | High | 7.5 | — | 2025-01-17 | CWE-131: Incorrect Calculation of Buffer Size vulnerability exists that could cause Denial-of-Service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver. |
CVE-2024-12399 | High | 7.1 | — | 2025-01-17 | CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs m… |
CVE-2024-10498 | Medium | 6.5 | — | 2025-01-17 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could allow an unauthorized attacker to modify configuration values outside of the normal range when the attacker sends specific Mod… |
CVE-2024-11139 | — | — | — | 2025-01-17 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could allow local attackers to exploit these issues to potentially execute arbitrary code when opening a malicious project file. |
Edimax · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22916 | Critical | 9.8 | — | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the pppUserName parameter in the formPPPoESetup function. |
CVE-2025-22913 | Critical | 9.8 | — | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formStaDrvSetup function. |
CVE-2025-22912 | Critical | 9.8 | — | 2025-01-16 | RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept. |
CVE-2025-22907 | Critical | 9.8 | — | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the selSSID parameter in the formWlSiteSurvey function. |
CVE-2025-22906 | Critical | 9.8 | — | 2025-01-16 | RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN. |
CVE-2025-22905 | Critical | 9.8 | — | 2025-01-16 | RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp. |
CVE-2025-22904 | Critical | 9.8 | — | 2025-01-16 | RE11S v1.11 was discovered to contain a stack overflow via the pptpUserName parameter in the setWAN function. |
Imagination Technologies · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47897 | High | 8.8 | — | 2025-01-13 | Software installed and run as a non-privileged user may conduct improper GPU system calls resulting in platform instability and reboots. |
CVE-2024-52938 | High | 7.8 | — | 2025-01-13 | Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to subvert reconstruction activities to trigger a write of data outside the Guest's virtualised GPU memory. |
CVE-2024-47895 | High | 7.1 | — | 2025-01-13 | Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory. |
CVE-2024-47894 | High | 7.1 | — | 2025-01-13 | Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory. |
CVE-2024-52937 | Medium | 6.7 | — | 2025-01-13 | Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory. |
CVE-2024-52936 | Medium | 4.4 | — | 2025-01-13 | Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to write data outside the Guest's virtualised GPU memory. |
CVE-2024-52935 | Medium | 4.1 | — | 2025-01-13 | Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory. |
Liujianview · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0410 | Medium | 6.3 | — | 2025-01-13 | A vulnerability classified as critical was found in liujianview gymxmjpa 1.0. |
CVE-2025-0409 | Medium | 6.3 | — | 2025-01-13 | A vulnerability classified as critical has been found in liujianview gymxmjpa 1.0. |
CVE-2025-0408 | Medium | 6.3 | — | 2025-01-13 | A vulnerability was found in liujianview gymxmjpa 1.0. |
CVE-2025-0407 | Medium | 6.3 | — | 2025-01-13 | A vulnerability was found in liujianview gymxmjpa 1.0. |
CVE-2025-0406 | Medium | 6.3 | — | 2025-01-13 | A vulnerability was found in liujianview gymxmjpa 1.0. |
CVE-2025-0405 | Medium | 6.3 | — | 2025-01-13 | A vulnerability was found in liujianview gymxmjpa 1.0 and classified as critical. |
CVE-2025-0404 | Medium | 6.3 | — | 2025-01-13 | A vulnerability has been found in liujianview gymxmjpa 1.0 and classified as critical. |
Adobe · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21139 | High | 7.8 | — | 2025-01-14 | Substance3D - Designer versions 14.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21138 | High | 7.8 | — | 2025-01-14 | Substance3D - Designer versions 14.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21137 | High | 7.8 | — | 2025-01-14 | Substance3D - Designer versions 14.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21136 | High | 7.8 | — | 2025-01-14 | Substance3D - Designer versions 14.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21134 | High | 7.8 | — | 2025-01-14 | Illustrator on iPad versions 3.0.7 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21133 | High | 7.8 | — | 2025-01-14 | Illustrator on iPad versions 3.0.7 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
Code-projects · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57488 | Medium | 6.5 | — | 2025-01-13 | Code-Projects Online Car Rental System 1.0 is vulnerable to Cross Site Scripting (XSS) via the vehicalorcview parameter in /admin/edit-vehicle.php. |
CVE-2024-57487 | Medium | 6.5 | — | 2025-01-13 | In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server. |
CVE-2025-0531 | Medium | 6.3 | — | 2025-01-17 | A vulnerability was found in code-projects Chat System 1.0 and classified as critical. |
CVE-2025-0529 | Medium | 5.3 | — | 2025-01-17 | A vulnerability, which was classified as critical, was found in code-projects Train Ticket Reservation System 1.0. |
CVE-2025-0538 | Low | 3.5 | — | 2025-01-17 | A vulnerability, which was classified as problematic, was found in code-projects Tourism Management System 1.0. |
CVE-2025-0537 | Low | 2.4 | — | 2025-01-17 | A vulnerability, which was classified as problematic, has been found in code-projects Car Rental Management System 1.0. |
Sap · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0066 | Critical | 9.9 | — | 2025-01-14 | Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. |
CVE-2025-0063 | High | 8.8 | — | 2025-01-14 | SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. |
CVE-2025-0061 | High | 8.7 | — | 2025-01-14 | SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. |
CVE-2025-0060 | Medium | 6.5 | — | 2025-01-14 | SAP BusinessObjects Business Intelligence Platform allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker. |
CVE-2025-0058 | Medium | 6.5 | — | 2025-01-14 | In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. |
CVE-2025-0053 | Medium | 5.3 | — | 2025-01-14 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. |
Almalinux · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12084 | Critical | 9.8 | — | 2025-01-15 | A heap-based buffer overflow flaw was found in the rsync daemon. |
CVE-2024-12085 | High | 7.5 | — | 2025-01-14 | A flaw was found in rsync which could be triggered when rsync compares file checksums. |
CVE-2024-12088 | Medium | 6.5 | — | 2025-01-14 | A flaw was found in rsync. |
CVE-2024-12087 | Medium | 6.5 | — | 2025-01-14 | A path traversal vulnerability exists in rsync. |
CVE-2024-12086 | Medium | 6.1 | — | 2025-01-14 | A flaw was found in rsync. |
Blackberry · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-48856 | Critical | 9.8 | — | 2025-01-14 | Out-of-bounds write in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition or execute code in the context of the process using the image codec. |
CVE-2024-48858 | High | 7.5 | — | 2025-01-14 | Improper input validation in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec. |
CVE-2024-48857 | High | 7.5 | — | 2025-01-14 | NULL pointer dereference in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec. |
CVE-2024-48855 | Medium | 5.3 | — | 2025-01-14 | Out-of-bounds read in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec. |
CVE-2024-48854 | Medium | 5.3 | — | 2025-01-14 | Off-by-one error in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec. |
Etic Telecom · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-26153 | High | 7.4 | — | 2025-01-17 | All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19 are vulnerable to cross-site request forgery (CSRF). |
CVE-2024-26155 | Medium | 6.8 | — | 2025-01-17 | All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 expose clear text credentials in the web portal. |
CVE-2024-26157 | Medium | 6.1 | — | 2025-01-17 | All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross site scripting (XSS) attacks in get view method under view parameter. |
CVE-2024-26156 | Medium | 4.8 | — | 2025-01-17 | All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross site scripting (XSS) attacks in the method parameter. |
CVE-2024-26154 | Medium | 4.8 | — | 2025-01-17 | All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross site scripting in the appliance site name. |
Gestioip · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-48760 | Critical | 9.8 | — | 2025-01-14 | An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. |
CVE-2024-50858 | High | 8.8 | — | 2025-01-14 | Multiple endpoints in GestioIP v3.5.7 are vulnerable to Cross-Site Request Forgery (CSRF). |
CVE-2024-50861 | Medium | 6.1 | — | 2025-01-14 | The ip_mod_dns_key_form.cgi request in GestioIP v3.5.7 is vulnerable to Stored XSS. |
CVE-2024-50859 | Medium | 4.8 | — | 2025-01-14 | The ip_import_acl_csv request in GestioIP v3.5.7 is vulnerable to Reflected XSS. |
CVE-2024-50857 | Medium | 4.8 | — | 2025-01-14 | The ip_do_job request in GestioIP v3.5.7 is vulnerable to Cross-Site Scripting (XSS). |
H3c · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57473 | Critical | 9.8 | — | 2025-01-14 | H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the mac address editing function. |
CVE-2024-57482 | Critical | 9.8 | — | 2025-01-14 | H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the 5G wireless network processing function. |
CVE-2024-57480 | Critical | 9.8 | — | 2025-01-14 | H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the AP configuration function. |
CVE-2024-57479 | Critical | 9.8 | — | 2025-01-14 | H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the mac address update function. |
CVE-2024-57471 | Critical | 9.8 | — | 2025-01-14 | H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the 2.4G wireless network processing function. |
Librenms · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23201 | Medium | 5.4 | — | 2025-01-16 | librenms is a community-based GPL-licensed network monitoring system. |
CVE-2025-23200 | Medium | 4.6 | — | 2025-01-16 | librenms is a community-based GPL-licensed network monitoring system. |
CVE-2025-23199 | Medium | 4.6 | — | 2025-01-16 | librenms is a community-based GPL-licensed network monitoring system. |
CVE-2025-23198 | Medium | 4.6 | — | 2025-01-16 | librenms is a community-based GPL-licensed network monitoring system. |
CVE-2024-56144 | Medium | 4.6 | — | 2025-01-16 | librenms is a community-based GPL-licensed network monitoring system. |
Red Hat · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23366 | Medium | 6.5 | — | 2025-01-14 | A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. |
CVE-2024-11734 | Medium | 6.5 | — | 2025-01-14 | A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. |
CVE-2024-12747 | Medium | 5.6 | — | 2025-01-14 | A flaw was found in rsync. |
CVE-2024-11029 | Medium | 5.5 | — | 2025-01-15 | A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. |
CVE-2024-11736 | Medium | 4.9 | — | 2025-01-14 | A vulnerability was found in Keycloak. |
T2bot · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56515 | Medium | 6.8 | — | 2025-01-16 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. |
CVE-2024-52791 | Medium | 5.3 | — | 2025-01-16 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. |
CVE-2024-36403 | Medium | 5.3 | — | 2025-01-16 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. |
CVE-2024-36402 | Medium | 5.3 | — | 2025-01-16 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. |
CVE-2024-52602 | Medium | 5.0 | — | 2025-01-16 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. |
Wikimedia Foundation · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23081 | Medium | 6.1 | — | 2025-01-14 | Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cros… |
CVE-2025-23072 | Medium | 5.4 | — | 2025-01-14 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Refresh… |
CVE-2025-23080 | Medium | 5.3 | — | 2025-01-14 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - OpenBadges Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - OpenBadges… |
CVE-2025-23073 | Low | 3.5 | — | 2025-01-14 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. |
CVE-2025-23074 | Low | 2.4 | — | 2025-01-14 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse.This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.3… |
07fly · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57161 | Medium | 4.3 | — | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/edit.html |
CVE-2024-57160 | Medium | 4.3 | — | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaTask/edit.html. |
CVE-2024-57611 | Low | 3.5 | — | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/doAdminAction.php?act=editShop&shopId. |
CVE-2024-57159 | Low | 3.5 | — | 2025-01-16 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/add.html. |
Boldgrid · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12365 | High | 8.5 | — | 2025-01-14 | The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. |
CVE-2025-22759 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Stored XSS.This issue affects Post and Page Builder by BoldGrid… |
CVE-2024-12008 | Medium | 5.3 | — | 2025-01-14 | The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 through the publicly exposed debug log file. |
CVE-2024-12006 | Medium | 5.3 | — | 2025-01-14 | The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1. |
Icegram · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12568 | Medium | 4.8 | — | 2025-01-13 | The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even w… |
CVE-2024-12567 | Medium | 4.8 | — | 2025-01-13 | The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when… |
CVE-2024-12566 | Medium | 4.8 | — | 2025-01-13 | The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the… |
CVE-2024-11636 | Medium | 4.8 | — | 2025-01-13 | The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even… |
Siemens · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56841 | High | 7.4 | — | 2025-01-14 | A vulnerability has been identified in Mendix LDAP (All versions < V1.1.2). |
CVE-2024-47100 | High | 7.1 | — | 2025-01-14 | A vulnerability has been identified in SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C A… |
CVE-2024-53649 | Medium | 6.5 | — | 2025-01-14 | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.80), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 6MD86 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 6MD89 (CP300) (All versi… |
CVE-2024-45385 | Medium | 4.7 | — | 2025-01-14 | A vulnerability has been identified in Industrial Edge Management OS (IEM-OS) (All versions). |
1000 Projects · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0534 | High | 7.3 | — | 2025-01-17 | A vulnerability was found in 1000 Projects Campaign Management System Platform for Women 1.0. |
CVE-2025-0533 | High | 7.3 | — | 2025-01-17 | A vulnerability was found in 1000 Projects Campaign Management System Platform for Women 1.0. |
CVE-2025-0536 | Medium | 6.3 | — | 2025-01-17 | A vulnerability classified as critical was found in 1000 Projects Attendance Tracking Management System 1.0. |
1902756969 · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0402 | Medium | 6.3 | — | 2025-01-13 | A vulnerability classified as critical was found in 1902756969 reggie 1.0. |
CVE-2025-0403 | Medium | 5.3 | — | 2025-01-13 | A vulnerability, which was classified as problematic, has been found in 1902756969 reggie 1.0. |
CVE-2025-0401 | Medium | 5.3 | — | 2025-01-13 | A vulnerability classified as critical has been found in 1902756969 reggie 1.0. |
51mis · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0463 | Medium | 6.3 | — | 2025-01-14 | A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0. |
CVE-2025-0462 | Medium | 6.3 | — | 2025-01-14 | A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0 and classified as critical. |
CVE-2025-0461 | Medium | 4.3 | — | 2025-01-14 | A vulnerability has been found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0 and classified as problematic. |
Amazon · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23206 | High | 8.1 | — | 2025-01-17 | The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. |
CVE-2025-0501 | High | 7.5 | — | 2025-01-15 | An issue in the native clients for Amazon WorkSpaces (when running PCoIP protocol) may allow an attacker to access remote sessions via man-in-the-middle. |
CVE-2025-0500 | High | 7.5 | — | 2025-01-15 | An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle. |
Coder426 · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12614 | High | 7.5 | — | 2025-01-16 | The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. |
CVE-2024-12613 | High | 7.5 | — | 2025-01-16 | The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix value in several AJAX functions in all versions up to, and including, 1.4.8 due to insufficient escaping on the user supplied parameter and lack… |
CVE-2024-12615 | Medium | 6.5 | — | 2025-01-16 | The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix value in several AJAX actions in all versions up to, and including, 1.4.8 due to insufficient escaping on the user supplied parameter and lack… |
Codezips · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0541 | Medium | 6.3 | — | 2025-01-17 | A vulnerability was found in Codezips Gym Management System 1.0 and classified as critical. |
CVE-2025-0535 | Medium | 6.3 | — | 2025-01-17 | A vulnerability classified as critical has been found in Codezips Gym Management System 1.0. |
CVE-2025-0532 | Medium | 6.3 | — | 2025-01-17 | A vulnerability was found in Codezips Gym Management System 1.0. |
Debian · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52006 | High | 7.5 | — | 2025-01-14 | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. |
CVE-2024-56374 | Medium | 5.8 | — | 2025-01-14 | An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. |
CVE-2024-50349 | Medium | 4.7 | — | 2025-01-14 | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. |
Lenovo · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45102 | Medium | 6.8 | — | 2025-01-14 | A privilege escalation vulnerability was discovered that could allow a valid, authenticated LXCA user to escalate their permissions for a connected XCC instance when using LXCA as a Single Sign On (SSO) provider for XCC instances. |
CVE-2024-10254 | Medium | 4.7 | — | 2025-01-14 | A potential buffer overflow vulnerability was reported in PC Manager, Lenovo Browser, and Lenovo App Store that could allow a local attacker to cause a system crash. |
CVE-2024-10253 | Medium | 4.7 | — | 2025-01-14 | A potential TOCTOU vulnerability was reported in PC Manager, Lenovo Browser, and Lenovo App Store that could allow a local attacker to cause a system crash. |
Nec Corporation · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0355 | High | 7.5 | — | 2025-01-15 | Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and e… |
CVE-2025-0356 | High | 7.2 | — | 2025-01-15 | NEC Corporation Aterm WX1500HP Ver.1.4.2 and earlier and WX3600HP Ver.1.5.3 and earlier allow an attacker to execute arbitrary OS commands via the network. |
CVE-2025-0354 | Medium | 4.8 | — | 2025-01-15 | Cross-site scripting vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver… |
Netvision Information · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0456 | Critical | 9.8 | — | 2025-01-16 | The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve * all accounts and passwords. |
CVE-2025-0455 | Critical | 9.8 | — | 2025-01-16 | The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. |
CVE-2025-0457 | High | 8.8 | — | 2025-01-16 | The airPASS from NetVision Information has an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands. |
Observium · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47140 | High | 8.7 | — | 2025-01-15 | A cross-site scripting (xss) vulnerability exists in the add_alert_check page of Observium CE 24.4.13528. |
CVE-2024-47002 | High | 8.7 | — | 2025-01-15 | A html code injection vulnerability exists in the vlan management part of Observium CE 24.4.13528. |
CVE-2024-45061 | High | 8.7 | — | 2025-01-15 | A cross-site scripting (xss) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. |
Ossur · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-53683 | Medium | 4.4 | — | 2025-01-17 | A valid set of credentials in a .js file and a static token for communication were obtained from the decompiled IPA. |
CVE-2024-45832 | Medium | 4.3 | — | 2025-01-17 | Hard-coded credentials were included as part of the application binary. |
CVE-2024-54681 | Low | 3.5 | — | 2025-01-17 | Multiple bash files were present in the application's private directory. |
Pmb Services · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0471 | Critical | 9.9 | — | 2025-01-16 | Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. |
CVE-2025-0472 | High | 7.5 | — | 2025-01-16 | Information exposure in the PMB platform affecting versions 4.2.13 and earlier. |
CVE-2025-0473 | Medium | 6.5 | — | 2025-01-16 | Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. |
Venki · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-46479 | Critical | 9.9 | — | 2025-01-13 | Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. |
CVE-2024-46480 | High | 8.4 | — | 2025-01-13 | An NTLM hash leak in Venki Supravizio BPM up to 18.0.1 allows authenticated attackers with Application Administrator access to escalate privileges on the underlying host system. |
CVE-2024-46481 | High | 7.2 | — | 2025-01-13 | The login page of Venki Supravizio BPM up to 18.1.1 is vulnerable to open redirect leading to reflected XSS. |
Y's Corporation · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20055 | Critical | 9.8 | — | 2025-01-14 | OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340 provided by Y'S corporation. |
CVE-2025-20620 | High | 7.5 | — | 2025-01-14 | SQL Injection vulnerability exists in STEALTHONE D220/D340 provided by Y'S corporation. |
CVE-2025-20016 | High | 7.2 | — | 2025-01-14 | OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340/D440 provided by Y'S corporation. |
Alex Volkov · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23760 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. |
CVE-2025-23761 | Medium | 5.4 | — | 2025-01-16 | Missing Authorization vulnerability in Alex Volkov Woo Tuner allows Exploiting Incorrectly Configured Access Control Security Levels. |
Anisha · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0527 | High | 7.3 | — | 2025-01-17 | A vulnerability classified as critical was found in code-projects Admission Management System 1.0. |
CVE-2025-0530 | Low | 3.5 | — | 2025-01-17 | A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. |
Apache · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45627 | Medium | 5.9 | — | 2025-01-14 | In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis serve… |
CVE-2025-22828 | Medium | 4.3 | — | 2025-01-13 | CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge… |
Arm · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11864 | High | 7.5 | — | 2025-01-14 | Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP |
CVE-2024-11863 | Medium | 5.3 | — | 2025-01-14 | Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP |
Artanik · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23713 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in artanik Hack me if you can hack-me-if-you-can allows Stored XSS.This issue affects Hack me if you can: from n/a through <= 1.2. |
CVE-2025-23692 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in artanik Slider for Writers slider-for-writers allows Stored XSS.This issue affects Slider for Writers: from n/a through <= 1.3. |
Barteled · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13367 | Medium | 6.5 | — | 2025-01-17 | The Sandbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the export_download action in all versions up to, and including, 0.4. |
CVE-2024-13366 | Medium | 6.1 | — | 2025-01-17 | The Sandbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'debug' parameter in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping. |
Bitdefender · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2020-8094 | High | 7.8 | — | 2025-01-15 | An untrusted search path vulnerability in testinitsigs.exe as used in Bitdefender Antivirus Free 2020 allows a low-privilege attacker to execute code as SYSTEM via a specially crafted DLL file. |
CVE-2024-11128 | High | 7.8 | — | 2025-01-13 | A vulnerability in the BitdefenderVirusScanner binary as used in Bitdefender Virus Scanner for MacOS may allow .dynamic library injection (DYLD injection) without being blocked by AppleMobileFileIntegrity (AMFI). |
Bplugins · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13156 | Medium | 6.4 | — | 2025-01-14 | The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘heading’ parameter in all versions up to, and including, 2.5.35 due to insufficient input sanit… |
CVE-2025-22787 | Medium | 4.3 | — | 2025-01-15 | Missing Authorization vulnerability in bPlugins Button Block button-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Button Block: from n/a through <= 1.1.5. |
Chris Roberts · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23884 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through <= 2.1.1. |
CVE-2025-23886 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Roberts Annie annie allows Stored XSS.This issue affects Annie: from n/a through <= 2.1.1. |
Cybio · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23901 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in cybio GravatarLocalCache gravatarlocalcache allows Cross Site Request Forgery.This issue affects GravatarLocalCache: from n/a through <= 1.1.2. |
CVE-2025-23617 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in cybio Floatbox Plus floatbox-plus allows Stored XSS.This issue affects Floatbox Plus: from n/a through <= 1.4.4. |
D-link · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0492 | High | 7.5 | — | 2025-01-15 | A vulnerability has been found in D-Link DIR-823X 240126/240802 and classified as critical. |
CVE-2025-0481 | Medium | 5.3 | — | 2025-01-15 | A vulnerability classified as problematic has been found in D-Link DIR-878 1.03. |
Dell · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22394 | Medium | 6.7 | — | 2025-01-15 | Dell Display Manager, versions prior to 2.3.2.18, contain a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability. |
CVE-2025-21101 | Medium | 6.6 | — | 2025-01-15 | Dell Display Manager, versions prior to 2.3.2.20, contain a race condition vulnerability. |
Gravity Forms · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13377 | High | 7.2 | — | 2025-01-17 | The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alt’ parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. |
CVE-2024-13378 | Medium | 5.4 | — | 2025-01-17 | The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. |
Hewlett Packard Enterprise (Hpe) · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23052 | High | 7.2 | — | 2025-01-14 | Authenticated command injection vulnerability in the command line interface of a network management service. |
CVE-2025-23051 | High | 7.2 | — | 2025-01-14 | An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. |
Ibm · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-41746 | High | 7.2 | — | 2025-01-16 | IBM CICS TX Advanced 10.1, 11.1, and Standard 11.1 is vulnerable to stored cross-site scripting. |
CVE-2024-51462 | Medium | 4.0 | — | 2025-01-17 | IBM QRadar WinCollect Agent 10.0.0 through 10.1.12 could allow a remote attacker to inject XML data into parameter values due to improper input validation of assumed immutable data. |
Ietf · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23019 | Medium | 5.4 | — | 2025-01-14 | IPv6-in-IPv4 tunneling (RFC 4213) allows an attacker to spoof and route traffic via an exposed network interface. |
CVE-2025-23018 | Medium | 5.4 | — | 2025-01-14 | IPv4-in-IPv6 and IPv6-in-IPv6 tunneling (RFC 2473) do not require the validation or verification of the source of a network packet, allowing an attacker to spoof and route arbitrary traffic via an exposed network interface. |
Intel · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-29980 | Low | 2.3 | — | 2025-01-14 | Improper Check for Unusual or Exceptional Conditions vulnerability in Phoenix SecureCore™ for Intel Kaby Lake, Phoenix SecureCore™ for Intel Coffee Lake, Phoenix SecureCore™ for Intel Comet Lake, Phoenix SecureCore™ for Intel Ice Lake allo… |
CVE-2024-29979 | Low | 2.3 | — | 2025-01-14 | Improper Check for Unusual or Exceptional Conditions vulnerability in Phoenix SecureCore™ for Intel Kaby Lake, Phoenix SecureCore™ for Intel Coffee Lake, Phoenix SecureCore™ for Intel Comet Lake, Phoenix SecureCore™ for Intel Ice Lake allo… |
Ivobrett · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23898 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ivobrett Apply with LinkedIn buttons apply-with-linkedin-buttons allows Stored XSS.This issue affects Apply with LinkedIn buttons: from n/a through <= 2.3. |
CVE-2025-23897 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivobrett Apply with LinkedIn buttons apply-with-linkedin-buttons allows DOM-Based XSS.This issue affects Apply with LinkedIn buttons: fro… |
Jd7777 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23513 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in jd7777 Bible Embed bible-embed allows Stored XSS.This issue affects Bible Embed: from n/a through <= 0.0.4. |
CVE-2025-23859 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jd7777 Daily Proverb daily-proverb allows Stored XSS.This issue affects Daily Proverb: from n/a through <= 2.0.3. |
Jeewms · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57757 | High | 7.5 | — | 2025-01-15 | JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInterceptor.cava. |
CVE-2024-57760 | Medium | 6.5 | — | 2025-01-15 | JeeWMS before v2025.01.01 was discovered to contain a SQL injection vulnerability via the ReportId parameter at /core/CGReportDao.java. |
Linksys · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22997 | Medium | 4.8 | — | 2025-01-15 | A stored cross-site scripting (XSS) vulnerability in the prf_table_content component of Linksys E5600 Router Ver. |
CVE-2025-22996 | Medium | 4.8 | — | 2025-01-15 | A stored cross-site scripting (XSS) vulnerability in the spf_table_content component of Linksys E5600 Router Ver. |
Moxa · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0193 | — | — | — | 2025-01-15 | A stored Cross-site Scripting (XSS) vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the "Login Message" functionality. |
CVE-2024-12297 | — | — | — | 2025-01-15 | Moxa’s Ethernet switch is vulnerable to an authentication bypass because of flaws in its authorization mechanism. |
Naa986 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13401 | Medium | 6.4 | — | 2025-01-17 | The Payment Button for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_paypal_checkout' shortcode in all versions up to, and including, 1.2.3.35 due to insufficient input sanitization and outpu… |
CVE-2024-13398 | Medium | 6.4 | — | 2025-01-17 | The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'checkout_for_paypal' shortcode in all versions up to, and including, 1.0.32 due to insufficient input sanitization and output escap… |
Namelessmc · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22144 | Critical | 9.8 | — | 2025-01-13 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. |
CVE-2025-22142 | Medium | 5.4 | — | 2025-01-13 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. |
Newtec/idirect · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13503 | — | — | — | 2025-01-17 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Newtec NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM (Updating signaling process in the swdownload binary modules) allows Local Execution of Code, R… |
CVE-2024-13502 | — | — | — | 2025-01-17 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Newtec/iDirect NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM allows Local Code Inclusion.This issue affects NTC2218, NTC2250, NT… |
Nitropack · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11848 | High | 8.1 | — | 2025-01-15 | The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. |
CVE-2024-11851 | Medium | 4.3 | — | 2025-01-15 | The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. |
Notaryproject · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56138 | Medium | 4.0 | — | 2025-01-13 | notation-go is a collection of libraries for supporting sign and verify OCI artifacts. |
CVE-2024-51491 | Low | 3.3 | — | 2025-01-13 | notation-go is a collection of libraries for supporting sign and verify OCI artifacts. |
Offis · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52333 | High | 8.4 | — | 2025-01-13 | An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS DCMTK 3.6.8. |
CVE-2024-47796 | High | 8.4 | — | 2025-01-13 | An improper array index validation vulnerability exists in the nowindow functionality of OFFIS DCMTK 3.6.8. |
Omron Corporation · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12083 | Medium | 6.6 | — | 2025-01-14 | Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. |
CVE-2024-12298 | Medium | 5.5 | — | 2025-01-14 | An Improper Restriction of XML External Entity Reference (CWE-611) vulnerability was found in NB-series NX-Designer. |
Ryscript · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23662 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ryscript WP Panoramio wp-panoramio allows Stored XSS.This issue affects WP Panoramio: from n/a through <= 1.5.0. |
CVE-2025-23661 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ryscript NV Slider nv-slider allows Stored XSS.This issue affects NV Slider: from n/a through <= 1.6. |
Saad Iqbal · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22736 | High | 8.8 | — | 2025-01-15 | Incorrect Privilege Assignment vulnerability in Saad Iqbal User Management user-management allows Privilege Escalation. This issue affects User Management: from n/a through <= 1.2. |
CVE-2025-22800 | Medium | 4.3 | — | 2025-01-13 | Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through <= 2.9.11. |
Silabs.com · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7322 | Medium | 5.8 | — | 2025-01-15 | A ZigBee coordinator, router, or end device may change its node ID when an unsolicited encrypted rejoin response is received; this change in node ID causes Denial of Service (DoS). |
CVE-2024-6352 | Medium | 4.3 | — | 2025-01-13 | A malformed packet can cause a buffer overflow in the APS layer of the Ember ZNet stack and lead to an assert. |
Silverstripe · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-53277 | Medium | 5.4 | — | 2025-01-14 | Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. |
CVE-2024-47605 | Medium | 5.4 | — | 2025-01-14 | silverstripe-asset-admin is a silverstripe assets gallery for asset management. |
_Rccoder_ · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23794 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in _rccoder_ wp_amaps wp-amaps allows Stored XSS. This issue affects wp_amaps: from n/a through <= 1.7. |
Addonsorg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12593 | Medium | 6.4 | — | 2025-01-15 | The PDF for WPForms + Drag and Drop Template Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yeepdf_dotab shortcode in all versions up to, and including, 4.6.0 due to insufficient input sanitizati… |
Advancedfilemanager · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13333 | High | 7.5 | — | 2025-01-17 | The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. |
Agile Logix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22329 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agile Logix Free Google Maps wp-map allows Stored XSS. This issue affects Free Google Maps: from n/a through <= 1.0.1. |
Albdesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23497 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in albdesign Simple Project Manager simple-project-managment allows Stored XSS. This issue affects Simple Project Manager: from n/a through <= 1.2.2. |
Aleapp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23821 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in aleapp WP Cookies Alert wp-cookies-alert allows Cross Site Request Forgery. This issue affects WP Cookies Alert: from n/a through <= 1.1.1. |
Aleksandar Arsovski · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23928 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart google-org-chart allows Stored XSS. This issue affects Google Org Chart: from n/a through <= 1.0.1. |
Alex Furr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23892 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr Progress Tracker progress-tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through <= 0.9.3. |
Alexander Weleczka · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23824 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through 1.0. |
Alicornea · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23822 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in alicornea Category Custom Fields categorycustomfields allows Cross Site Request Forgery. This issue affects Category Custom Fields: from n/a through <= 1.0. |
Alimir · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22738 | Medium | 5.9 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alimir WP ULike wp-ulike allows Stored XSS. This issue affects WP ULike: from n/a through <= 4.7.6. |
Alpha Bpo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23780 | High | 7.6 | — | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alpha BPO Easy Code Snippets easy-code-snippets allows SQL Injection. This issue affects Easy Code Snippets: from n/a through <= 1.0.2. |
Alti5 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23432 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AlTi5 AlT Report alt-report allows Reflected XSS. This issue affects AlT Report: from n/a through <= 1.12.0. |
Altima-interactive · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23429 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altima-interactive Altima Lookbook Free for WooCommerce altima-lookbook-free-for-woocommerce allows Reflected XSS. This issue affects Alti… |
Ami · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-42444 | High | 7.5 | — | 2025-01-14 | APTIOV contains a vulnerability in BIOS where an attacker may cause a TOCTOU Race Condition by local means. |
Andrey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22780 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrey wp-pano wp-pano allows Stored XSS. This issue affects wp-pano: from n/a through <= 1.17. |
Angeljudesuarez · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0540 | Medium | 6.3 | — | 2025-01-17 | A vulnerability has been found in itsourcecode Tailoring Management System 1.0 and classified as critical. |
Anmari · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23880 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in anmari amr personalise amr-personalise allows Cross Site Request Forgery. This issue affects amr personalise: from n/a through <= 2.10. |
Anshi Solutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23873 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshi Solutions Category D3 Tree category-d3-tree allows Stored XSS. This issue affects Category D3 Tree: from n/a through <= 1.1. |
Anshulsojatia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22583 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anshulsojatia Scan External Links scan-external-links allows Reflected XSS. This issue affects Scan External Links: from n/a through <= 1… |
Arete-it · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22568 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Post And Page Reactions post-and-page-reactions allows Reflected XSS. This issue affects Post And Page Reactions: from n/a throug… |
Artkanmedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23690 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ArtkanMedia Book a Place book-a-place allows Stored XSS. This issue affects Book a Place: from n/a through <= 0.7.1. |
Aruvi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23943 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aruvi PDF.js Shortcode pdfjs-shortcode allows Stored XSS. This issue affects PDF.js Shortcode: from n/a through <= 1.0. |
Atanas Krachev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22587 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atanas Krachev SEO Bulk Editor seo-bulk-editor allows Stored XSS. This issue affects SEO Bulk Editor: from n/a through <= 1.1.0. |
August Infotech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23785 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in August Infotech AI Responsive Gallery Album ai-responsive-gallery-album allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Responsive Gallery Album: from n/a… |
Awcode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23954 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in awcode Salvador – AI Image Generator salvador-ai-image-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salvador – AI Image Generator: from n/a thro… |
Awordpresslife · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11396 | Medium | 5.3 | — | 2025-01-14 | The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. |
Ays Pro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56295 | Medium | 6.5 | — | 2025-01-15 | Missing Authorization vulnerability in Ays Pro Poll Maker poll-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through <= 5.5.6. |
B&r Industrial Automation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8603 | High | 7.5 | — | 2025-01-15 | A “Use of a Broken or Risky Cryptographic Algorithm” vulnerability in the SSL/TLS component used in B&R Automation Runtime versions before 6.1 and B&R mapp View versions before 6.1 may be abused by unauthenticated network-based attackers t… |
Bas Matthee · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23871 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder lsd-google-maps-embedder allows Cross Site Request Forgery. This issue affects LSD Google Maps Embedder: from n/a through <= 1.1. |
Bavington · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22755 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bavington WP Headmaster wp-headmaster allows Reflected XSS. This issue affects WP Headmaster: from n/a through <= 0.3. |
Belledonne Communications · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0430 | High | 7.5 | — | 2025-01-17 | Belledonne Communications Linphone-Desktop is vulnerable to a NULL Dereference vulnerability, which could allow a remote attacker to create a denial-of-service condition. |
Berkman Klein Center · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22754 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berkman Klein Center Amber amberlink allows Reflected XSS. This issue affects Amber: from n/a through <= 1.4.4. |
Binesh Dobhal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23426 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Binesh Dobhal go Social go-social allows Stored XSS. This issue affects go Social: from n/a through <= 1.0. |
Bjoerne · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22745 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bjoerne Navigation Du Lapin Blanc navigation-du-lapin-blanc allows DOM-Based XSS. This issue affects Navigation Du Lapin Blanc: from n/a t… |
Bnovotny · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23424 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in bnovotny Marquee Style RSS News Ticker marquee-style-rss-news-ticker allows Cross Site Request Forgery. This issue affects Marquee Style RSS News Ticker: from n/a through <= 3.2.0. |
Bold · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22793 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bold Bold pagos en linea bold-pagos-en-linea allows DOM-Based XSS. This issue affects Bold pagos en linea: from n/a through <= 3.1.4. |
Bookalet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23899 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookalet Bookalet bookalet allows Stored XSS. This issue affects Bookalet: from n/a through <= 1.0.3. |
Brandondove · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12203 | Medium | 4.4 | — | 2025-01-17 | The RSS Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_color’ parameter in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. |
Braulio Aquino · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23691 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Braulio Aquino Send to Twitter send-to-twitter allows Stored XSS. This issue affects Send to Twitter: from n/a through <= 1.7.2. |
Cyberpower · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11322 | High | 7.5 | — | 2025-01-15 | A denial-of-service vulnerability exists in CyberPower PowerPanel Business (PPB) 4.11.0. |
Caido · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23039 | Medium | 5.2 | — | 2025-01-17 | Caido is a web security auditing toolkit. |
Campcodes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57162 | High | 7.2 | — | 2025-01-16 | Campcodes Cybercafe Management System v1.0 is vulnerable to SQL Injection in /ccms/view-user-detail.php. |
Capa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23436 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in capa Wp-Scribd-List wp-scribd-list allows Stored XSS. This issue affects Wp-Scribd-List: from n/a through <= 1.2. |
Carrotbits · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23783 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in carrotbits Greek Namedays Widget From Eortologio.Net greek-namedays-widget allows Stored XSS. This issue affects Greek Namedays Widget Fro… |
Casid · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23026 | Medium | 6.1 | — | 2025-01-13 | jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. |
Cern · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50633 | Unrated | — | — | 2025-01-16 | A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. |
Ces Taiwan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7344 | High | 8.2 | — | 2025-01-14 | Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path. |
Chandrika Guntur, Morgan Kay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23917 | Medium | 5.4 | — | 2025-01-16 | Missing Authorization vulnerability in Chandrika Guntur, Morgan Kay Chamber Dashboard Business Directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chamber Dashboard Business Directory: from… |
Chr Designer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22798 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CHR Designer Responsive jQuery Slider responsive-jquery-slider allows Stored XSS. This issue affects Responsive jQuery Slider: from n/a th… |
Chuck1982 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13434 | Medium | 6.1 | — | 2025-01-17 | The WP Inventory Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. |
Ciprian Turcu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23793 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Turcu Auto FTP auto-ftp allows Stored XSS. This issue affects Auto FTP: from n/a through <= 1.0.1. |
Closed · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23907 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in closed SOCIAL.NINJA allows Stored XSS. |
Codeaffairs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22779 | Medium | 4.3 | — | 2025-01-15 | Missing Authorization vulnerability in codeaffairs WP News Sliders wp-news-sliders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP News Sliders: from n/a through <= 1.0. |
Codebard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22760 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeBard CodeBard Help Desk codebard-help-desk allows Reflected XSS. This issue affects CodeBard Help Desk: from n/a through <= 1.1.2. |
Codebycarter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22776 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codebycarter WP Bulletin Board wp-bulletin-board allows Reflected XSS. This issue affects WP Bulletin Board: from n/a through <= 1.1.4. |
Codepeople · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12274 | High | 7.5 | — | 2025-01-13 | The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access t… |
Codexpert, Inc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22788 | Medium | 5.9 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codexpert, Inc CoDesigner woolementor allows Stored XSS. This issue affects CoDesigner: from n/a through <= 4.29. |
Codidact · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22138 | — | — | — | 2025-01-13 | @codidact/qpixel is a Q&A-based community knowledge-sharing software. |
Common Ninja · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23909 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Common Ninja Compare Ninja compare-ninja-comparison-tables allows Stored XSS. This issue affects Compare Ninja: from n/a through <= 2.1.0. |
Commotion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22785 | Critical | 9.3 | — | 2025-01-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System course-booking-system allows SQL Injection. This issue affects Course Booking System: from n/a through <=… |
Cozmoslabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12919 | Critical | 9.8 | — | 2025-01-14 | The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. |
Crea8xion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23860 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in crea8xion Charity-thermometer charitydonation-thermometer allows Stored XSS. This issue affects Charity-thermometer: from n/a through <= 1… |
Creative Brahma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22769 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative Brahma Multifox allows Stored XSS. This issue affects Multifox: from n/a through 1.3.7. |
Cstoltenkamp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23703 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in cstoltenkamp Free MailClient FMC mailclient allows Stored XSS. This issue affects Free MailClient FMC: from n/a through <= 1.0. |
Damniel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22778 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in damniel Lijit Search wp-lijit-wijit allows Reflected XSS. This issue affects Lijit Search: from n/a through <= 1.1. |
Dan Cameron · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23895 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dan Cameron Add RSS add-rss allows Stored XSS. This issue affects Add RSS: from n/a through <= 1.5. |
Data443 Risk Mitigation, Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22734 | Medium | 5.9 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. |
Dave Konopka · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23572 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dave Konopka UpDownUpDown updownupdown-postcomment-voting allows Stored XSS. This issue affects UpDownUpDown: from n/a through <= 1.1. |
Davidanderson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0215 | Medium | 6.1 | — | 2025-01-15 | The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiate_restore parameters in all versions up to, and including, 1.24.12 due to insufficient input san… |
Ddsn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22964 | High | 8.1 | — | 2025-01-15 | DDSN Interactive cm3 Acora CMS version 10.1.1 has an unauthenticated time-based blind SQL Injection vulnerability caused by insufficient input sanitization and validation in the "table" parameter. |
Desktop · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23040 | Medium | 6.6 | — | 2025-01-15 | GitHub Desktop is an open-source Electron-based GitHub app designed for git development. |
Devycreates · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23202 | — | — | — | 2025-01-17 | Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games. |
Digitaldonkey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22795 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in digitaldonkey Multilang Contact Form multilang-contact-form allows Reflected XSS. This issue affects Multilang Contact Form: from n/a thro… |
Digitalfisherman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23558 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in digitalfisherman Geotagged Media geotagged-media allows Stored XSS. This issue affects Geotagged Media: from n/a through <= 0.3.0. |
Discourse · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-54142 | Critical | 9.0 | — | 2025-01-14 | Discourse AI is a Discourse plugin which provides a number of AI features. |
Divengine · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23951 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DIVENGINE Gallery: Hybrid – Advanced Visual Gallery hybrid-gallery allows Stored XSS. This issue affects Gallery: Hybrid – Advanced Visual… |
Dkukral · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23673 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in dkukral Email on Publish email-on-publish allows Stored XSS. This issue affects Email on Publish: from n/a through <= 1.5. |
Dominic Fallows · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23708 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dominic Fallows DF Draggable df-draggable allows Stored XSS. This issue affects DF Draggable: from n/a through <= 1.13.2. |
Dpowney · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23848 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in dpowney Hotspots Analytics hotspots allows Stored XSS. This issue affects Hotspots Analytics: from n/a through <= 4.0.12. |
Dsmidge · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23677 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in DSmidge HTTP to HTTPS link changer by Eyga.net https-links-in-content allows Stored XSS. This issue affects HTTP to HTTPS link changer by Eyga.net: from n/a through <= 0.2.4. |
Dstoever · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22586 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dstoever WPEX Replace DB Urls wpex-replace allows Reflected XSS. This issue affects WPEX Replace DB Urls: from n/a through <= 0.4.0. |
Dutch Van Andel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23808 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dutch van Andel Custom List Table Example custom-list-table-example allows Reflected XSS. This issue affects Custom List Table Example: from n/a through <= 1.4.1. |
Editionguard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23452 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EditionGuard EditionGuard for WooCommerce – eBook Sales with DRM editionguard-for-woocommerce-ebook-sales-with-drm allows Reflected XSS. T… |
Ekaterir · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23776 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in ekaterir Cache Sniper for Nginx snipe-nginx-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cache Sniper for Nginx: from n/a through <= 1.0.4.2. |
Element Invader · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22786 | High | 7.5 | — | 2025-01-15 | Path Traversal: '.../...//' vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through <… |
Ella Van Durpe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23919 | Medium | 5.4 | — | 2025-01-16 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Ella Van Durpe Slides & Presentations slide allows Code Injection. This issue affects Slides & Presentations: from n/a through <= 0.0.39. |
Enituretechnology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56301 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Distance Based Shipping Calculator distance-based-shipping-calculator allows Reflected XSS. This issue affects Distance… |
Etemplates · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23471 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in etemplates ECT Add to Cart Button ect-add-to-cart-button allows Stored XSS. This issue affects ECT Add to Cart Button: from n/a through <= 1.4. |
Eugenio Petulla’ · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23772 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petulla’ imaGenius imagenius allows Stored XSS. This issue affects imaGenius: from n/a through <= 1.7. |
Evehome · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-5743 | Critical | 9.8 | — | 2025-01-13 | An attacker could exploit the 'Use of Password Hash With Insufficient Computational Effort' vulnerability in EveHome Eve Play to execute arbitrary code. |
Exelban · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21606 | — | — | — | 2025-01-17 | stats is a macOS system monitor for the menu bar. |
Ezmarketing · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23950 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ezmarketing EZPlayer ezplayer allows Stored XSS. This issue affects EZPlayer: from n/a through <= 1.0.10. |
Fahadmahmood · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13387 | Medium | 6.4 | — | 2025-01-16 | The WP Responsive Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprtabs' shortcode in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user su… |
Faizaan Gagan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22346 | Medium | 6.4 | — | 2025-01-15 | Server-Side Request Forgery (SSRF) vulnerability in Faizaan Gagan Course Migration for LearnDash allows Server Side Request Forgery. This issue affects Course Migration for LearnDash: from 1.0.2 through n/a. |
Faktor Vier · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22499 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FAKTOR VIER F4 Post Tree f4-tree allows Reflected XSS. This issue affects F4 Post Tree: from n/a through <= 1.1.18. |
Falldeaf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22742 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falldeaf WP ViewSTL wp-viewstl allows DOM-Based XSS. This issue affects WP ViewSTL: from n/a through <= 1.0. |
Farinspace · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22751 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Partners partners allows Reflected XSS. This issue affects Partners: from n/a through <= 0.2.0. |
Fengler · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23935 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fengler Magic Google Maps magic-google-maps allows Stored XSS. This issue affects Magic Google Maps: from n/a through <= 1.0.4. |
Ffmpeg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0518 | Medium | 5.3 | — | 2025-01-16 | Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. |
Flymke · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23963 | Medium | 5.4 | — | 2025-01-16 | Missing Authorization vulnerability in flymke Mark Posts mark-posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mark Posts: from n/a through <= 2.2.4. |
Foo123 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23841 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foo123 Top Flash Embed top-flash-embed allows Stored XSS. This issue affects Top Flash Embed: from n/a through <= 0.3.4. |
Frenchsquared · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23627 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in frenchsquared Comment-Emailer comment-emailer allows Stored XSS. This issue affects Comment-Emailer: from n/a through <= 1.0.5. |
Fuji Electric · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-34579 | High | 7.8 | — | 2025-01-17 | Fuji Electric Alpha5 SMART is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. |
Fuzzguard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23801 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in FuzzGuard Style Admin style-admin allows Stored XSS. This issue affects Style Admin: from n/a through <= 1.4.3. |
Gallery Ape · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22317 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gallery Ape Photo Gallery – Image Gallery by Ape gallery-images-ape allows Reflected XSS. This issue affects Photo Gallery – Image Gallery… |
Genivia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4227 | High | 7.5 | — | 2025-01-15 | In Genivia gSOAP with a specific configuration, an unauthenticated remote attacker can generate a high CPU load by forcing it to parse an XML document with duplicate ID attributes, which can lead to a DoS. |
Genkisan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23900 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in genkisan Genki Announcement genki-announcement allows Cross Site Request Forgery. This issue affects Genki Announcement: from n/a through <= 1.4.1. |
Getsentry · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22146 | Critical | 9.1 | — | 2025-01-15 | Sentry is a developer-first error tracking and performance monitoring tool. |
Ghuger · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23795 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ghuger Easy FAQs easy-faqs allows Stored XSS. This issue affects Easy FAQs: from n/a through <= 3.2.1. |
Git · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52005 | High | 8.8 | — | 2025-01-15 | Git is a source code management tool. |
Git-ecosystem · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50338 | High | 7.4 | — | 2025-01-14 | Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. |
Git-lfs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-53263 | — | — | — | 2025-01-14 | Git LFS is a Git extension for versioning large files. |
Givewp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22777 | Critical | 9.8 | — | 2025-01-13 | Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give allows Object Injection. This issue affects GiveWP: from n/a through <= 3.19.3. |
Glofoxwebdev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12508 | Medium | 6.4 | — | 2025-01-17 | The Glofox Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glofox' and 'glofox_lead_capture ' shortcodes in all versions up to, and including, 2.6 due to insufficient input sanitization and ou… |
Gpriday · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12240 | Medium | 6.4 | — | 2025-01-14 | The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the row label parameter in all versions up to, and including, 2.31.0 due to insufficient input sanitization and output escaping. |
Gradio-app · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23042 | High | 7.5 | — | 2025-01-14 | Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function. |
Grandslambert · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22569 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GrandSlambert Featured Page Widget featured-page-widget allows Reflected XSS. This issue affects Featured Page Widget: from n/a through <=… |
Gsheetconnector · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22752 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WesternDeal GSheetConnector for Forminator Forms gsheetconnector-forminator allows Reflected XSS. This issue affects GSheetConnector for F… |
Gwendydd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11452 | Medium | 6.4 | — | 2025-01-16 | The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'business_categories' shortcode in all versions up to, and including, 3.3.8 due to insufficient input sanitization… |
Harnani · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22758 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harnani Elementor AI Addons ai-addons-for-elementor allows DOM-Based XSS. This issue affects Elementor AI Addons: from n/a through <= 2.2… |
Harsh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23922 | Critical | 10.0 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server. This issue affects iSpring Embedder: from n/a through <= 1.0. |
Harun R. Rayhan(thecrazycoder) · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23936 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R. |
Haydenbleasel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23027 | — | — | — | 2025-01-13 | next-forge is a Next.js project boilerplate for modern web application. |
Hernanjh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23659 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in hernanjh MercadoLibre Integration mercadolibre-integration allows Stored XSS. This issue affects MercadoLibre Integration: from n/a through <= 1.1. |
Horiyuki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23940 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in horiyuki Image Switcher image-switcher allows Stored XSS. This issue affects Image Switcher: from n/a through <= 0.1.1. |
Hoyce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23483 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in hoyce Universal Analytics Injector universal-analytics-injector allows Stored XSS. This issue affects Universal Analytics Injector: from n/a through <= 1.0.3. |
Huayi-tec · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-57761 | High | 8.1 | — | 2025-01-15 | An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file. |
I3 Verticals · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11146 | Medium | 6.3 | — | 2025-01-17 | TrueFiling is a collaborative, web-based electronic filing system where attorneys, paralegals, court reporters and self-represented filers collect public legal documentation into cases. |
Igor Sazonov · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23810 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Igor Sazonov Len Slider len-slider allows Reflected XSS. This issue affects Len Slider: from n/a through <= 2.0.11. |
Imithemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10799 | Medium | 6.5 | — | 2025-01-17 | The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via the eventer_woo_download_tickets() function. |
Infomaniak Network · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22729 | Medium | 4.3 | — | 2025-01-15 | Missing Authorization vulnerability in Infomaniak Network VOD Infomaniak vod-infomaniak allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VOD Infomaniak: from n/a through <= 1.5.9. |
Infosoftplugin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22337 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in infosoftplugin Order Audit Log for WooCommerce order-audit-log-for-woocommerce allows Reflected XSS. This issue affects Order Audit Log fo… |
Intelligence_lab · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22588 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in intelligence_lab Scanventory woocommerce-inventory-management allows Reflected XSS. This issue affects Scanventory: from n/a through <= 1… |
Invoice Ninja · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0474 | High | 7.7 | — | 2025-01-14 | Invoice Ninja is vulnerable to authenticated Server-Side Request Forgery (SSRF) allowing for arbitrary file read and network resource requests as the application user. |
Isnowfy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23476 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in isnowfy my-related-posts my-related-posts allows Stored XSS. This issue affects my-related-posts: from n/a through <= 1.1. |
Itamarg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23805 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in itamarg SEOReseller Partner sr-partner allows Cross Site Request Forgery. This issue affects SEOReseller Partner: from n/a through <= 1.3.15. |
Itmooti · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23717 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in itmooti Theme My Ontraport Smartform theme-my-ontraport-smartform allows Stored XSS. This issue affects Theme My Ontraport Smartform: from n/a through <= 1.2.11. |
Ivanra10 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23698 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ivanra10 WP Custom Google Search wp-custom-google-search allows Stored XSS. This issue affects WP Custom Google Search: from n/a through <= 1.0. |
Jamsheer K · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23844 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Jamsheer K Custom Widget Classes custom-widget-classes allows Cross Site Request Forgery. This issue affects Custom Widget Classes: from n/a through <= 1.1. |
Jan Štětina · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23510 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Jan Štětina WordPress Logging Service wordpress-logging-service allows Stored XSS. This issue affects WordPress Logging Service: from n/a through <= 1.5.4. |
Jeremy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23924 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeremy WP Photo Sphere wp-photo-sphere allows Stored XSS. This issue affects WP Photo Sphere: from n/a through <= 3.8. |
Jim2212001 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23807 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jim2212001 Spiderpowa Embed PDF spiderpowa-embed-pdf allows Stored XSS. This issue affects Spiderpowa Embed PDF: from n/a through <= 1.0. |
Jjtrabucco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23962 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in jjtrabucco Goldstar goldstar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Goldstar: from n/a through <= 2.1.1. |
Jobair · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23830 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jobair JB Horizontal Scroller News Ticker jb-horizontal-scroller-news-ticker allows DOM-Based XSS. This issue affects JB Horizontal Scroll… |
Jp2112 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23925 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jp2112 Feedburner Optin Form feedburner-optin-form allows Stored XSS. This issue affects Feedburner Optin Form: from n/a through <= 0.2.8. |
Jprintf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23823 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in jprintf CNZZ&51LA for WordPress cnzz51la-for-wordpress allows Cross Site Request Forgery. This issue affects CNZZ&51LA for WordPress: from n/a through <= 1.0.1. |
Jupyter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23205 | — | — | — | 2025-01-17 | nbgrader is a system for assigning and grading notebooks. |
Justin.kuepper · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23644 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in justin.kuepper QuoteMedia Tools quotemedia-tools allows DOM-Based XSS. This issue affects QuoteMedia Tools: from n/a through <= 1.0. |
Kapostintegrations · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23712 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in kapostintegrations Kapost kapost-byline allows Stored XSS. This issue affects Kapost: from n/a through <= 2.2.9. |
Katex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23207 | Medium | 6.3 | — | 2025-01-17 | KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. |
Kathleen Malone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23557 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Kathleen Malone Find Your Reps find-your-reps allows Stored XSS. This issue affects Find Your Reps: from n/a through <= 1.2. |
Katsushi-kawamori · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12637 | Medium | 5.3 | — | 2025-01-17 | The Moving Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.05 via the export functionality. |
Kelvin Ng · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23569 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Kelvin Ng Shortcode in Comment shortcode-in-comment allows Stored XSS. This issue affects Shortcode in Comment: from n/a through <= 1.1.1. |
Khan-it · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23939 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KHAN-IT Image Switcher image-switcher allows Stored XSS. This issue affects Image Switcher: from n/a through <= 1.1. |
Kopatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23965 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kopatheme Kopa Nictitate Toolkit kopa-nictitate-toolkit allows Stored XSS. This issue affects Kopa Nictitate Toolkit: from n/a through <=… |
Kreg Steppe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23649 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Kreg Steppe Auphonic Importer auphonic-importer allows Stored XSS. This issue affects Auphonic Importer: from n/a through <= 1.5.1. |
Krolow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23654 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in krolow Twitter Post twitterpost allows Stored XSS. This issue affects Twitter Post: from n/a through <= 0.1. |
Le-pixel-solitaire · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23946 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Le-Pixel-Solitaire Enhanced YouTube Shortcode enhanced-youtube-shortcode allows Stored XSS. This issue affects Enhanced YouTube Shortcode… |
Lexmark · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-50738 | Medium | 4.3 | — | 2025-01-17 | A new feature to prevent Firmware downgrades was recently added to some Lexmark products. |
Libretro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0459 | Medium | 5.3 | — | 2025-01-14 | A vulnerability, which was classified as problematic, has been found in libretro RetroArch up to 1.19.1 on Windows. |
Linickx · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23815 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in linickx root Cookie allows Cross Site Request Forgery. |
Luke America · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23864 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Luke America WCS QR Code Generator wcs-qr-code-generator allows Stored XSS. This issue affects WCS QR Code Generator: from n/a through <=… |
Luxion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0412 | High | 7.8 | — | 2025-01-13 | Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability. |
M.j · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23947 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M.J WP-Player wp-player allows Stored XSS. This issue affects WP-Player: from n/a through <= 2.6.1. |
Madeglobal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23875 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in madeglobal Better Protected Pages better-protected-pages allows Stored XSS. This issue affects Better Protected Pages: from n/a through <= 1.0. |
Magepeopleteam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22737 | Medium | 5.3 | — | 2025-01-15 | Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WpTravelly: from n/a through <= 1.8.5. |
Mahadirz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23817 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in mahadirz MHR-Custom-Anti-Copy mhr-custom-anti-copy allows Stored XSS. This issue affects MHR-Custom-Anti-Copy: from n/a through <= 2.0. |
Mahesh Bisen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23623 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahesh Bisen Contact Form 7 – CCAvenue Add-on cf7-cc-avenue-add-on allows Reflected XSS. This issue affects Contact Form 7 – CCAvenue Add-… |
Manny Costales · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23893 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manny Costales GMap Shortcode gmap-shortcode allows DOM-Based XSS. This issue affects GMap Shortcode: from n/a through <= 2.0. |
Marco Castelluccio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23720 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Marco Castelluccio Web Push web-push allows Stored XSS. This issue affects Web Push: from n/a through <= 1.4.0. |
Marcucci · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23435 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in marcucci Password Protect Plugin for WordPress password-protect-plugin-for-wordpress allows Stored XSS. This issue affects Password Protect Plugin for WordPress: from n/a through <= 0.8.1.0. |
Marcus Downing · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22576 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus Downing Site PIN site-pin allows Reflected XSS. This issue affects Site PIN: from n/a through <= 1.3. |
Martijnscheijbeler · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23743 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in MartijnScheijbeler Social Analytics social-analytics allows Stored XSS. This issue affects Social Analytics: from n/a through <= 0.2. |
Masoud Amini · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22766 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Masoud Amini Zarinpal Paid Download zarinpal-paid-downloads allows Reflected XSS. This issue affects Zarinpal Paid Download: from n/a thro… |
Massimo.serpilli · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23927 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in massimo.serpilli Incredible Font Awesome incredible-font-awesome allows Stored XSS. This issue affects Incredible Font Awesome: from n/a t… |
Master Software Solutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23455 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Master Software Solutions WP VTiger Synchronization msstiger allows Stored XSS. This issue affects WP VTiger Synchronization: from n/a through <= 1.1.1. |
Matrix-org · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52594 | Medium | 4.3 | — | 2025-01-16 | Gomatrixserverlib is a Go library for matrix federation. |
Matt Gibbs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23832 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Matt Gibbs Admin Cleanup admin-cleanup allows Stored XSS. This issue affects Admin Cleanup: from n/a through <= 1.0.2. |
Mayur Sojitra · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23710 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Mayur Sojitra Flying Twitter Birds flying-twitter-birds allows Stored XSS. This issue affects Flying Twitter Birds: from n/a through <= 1.8. |
Mayurik · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55000 | Medium | 5.4 | — | 2025-01-14 | Sourcecodester House Rental Management system v1.0 is vulnerable to Cross Site Scripting (XSS) in rental/manage_categories.php. |
Mdc_youtube_downloader_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23639 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader mdc-youtube-downloader allows Stored XSS. This issue affects MDC YouTube Downloader: from n/a through <= 3.0.0. |
Mdjekic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22570 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdjekic Inline Tweets inline-tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through <= 2.0. |
Meinturnierplan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23941 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in meinturnierplan MeinTurnierplan.de Widget Viewer meinturnierplande-widget-viewer allows Stored XSS. This issue affects MeinTurnierplan.de… |
Metaphorcreations · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23816 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS. |
Mikakaltoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23791 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mikakaltoft Horizontal Line Shortcode horizontal-line-shortcode allows Stored XSS. This issue affects Horizontal Line Shortcode: from n/a… |
Mike Selander · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23797 | Critical | 9.8 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Mike Selander WP Options Editor wp-options-editor allows Privilege Escalation. This issue affects WP Options Editor: from n/a through <= 1.1. |
Mliebelt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23868 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mliebelt Chess Tempo Viewer chesstempoviewer allows Stored XSS. This issue affects Chess Tempo Viewer: from n/a through <= 0.9.5. |
Mobstac · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23831 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mobstac QR Code Generator qrcode-wprhe allows DOM-Based XSS. This issue affects QR Code Generator: from n/a through <= 1.2.6. |
Mohsin Rasool · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22743 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin Rasool Twitter Bootstrap Collapse aka Accordian Shortcode twitter-bootstrap-collapse-aka-accordian-shortcode allows DOM-Based XSS… |
Mojofywp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22724 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP Product Carousel For WooCommerce – WoorouSell allows Stored XSS. This issue affects Product Carousel For WooCommerce – WoorouSell… |
Mondula · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12427 | Medium | 5.3 | — | 2025-01-16 | The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23. |
Mongoosejs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23061 | Critical | 9.0 | — | 2025-01-15 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. |
Monicahq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-54999 | Medium | 6.5 | — | 2025-01-13 | MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter in the General Information module. |
Mosterd3d · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23528 | High | 8.8 | — | 2025-01-16 | Incorrect Privilege Assignment vulnerability in Mosterd3d DD Roles dd-roles allows Privilege Escalation. This issue affects DD Roles: from n/a through <= 4.1. |
Mschertel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23442 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in mschertel Shockingly Big IE6 Warning shockingly-big-ie6-warning allows Stored XSS. This issue affects Shockingly Big IE6 Warning: from n/a through <= 1.6.3. |
Mukesh Dak · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23463 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Mukesh Dak MD Custom content after or before of post md-custom-content allows Stored XSS. This issue affects MD Custom content after or before of post: from n/a through <= 1.0. |
Myriad Solutionz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23453 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Reflected XSS. This issue affects Stars SMTP Mailer: from n/a through <= 1.7. |
N3wnormal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22498 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in N3wNormal LucidLMS lucidlms allows Reflected XSS. This issue affects LucidLMS: from n/a through <= 1.0.5. |
Nasir179125 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23444 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nasir179125 Scroll Top Advanced scroll-top-advanced allows Stored XSS. This issue affects Scroll Top Advanced: from n/a through <= 2.5. |
Nativery · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22781 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nativery Nativery nativery allows DOM-Based XSS. This issue affects Nativery: from n/a through <= 0.1.6. |
Nazmul Ahsan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23640 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan Rename Author Slug rename-author-slug allows Stored XSS. This issue affects Rename Author Slug: from n/a through <= 1.2.0. |
Nedap Librix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12757 | High | 8.6 | — | 2025-01-17 | Nedap Librix Ecoreader is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code. |
Neovim · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22134 | Medium | 4.2 | — | 2025-01-13 | When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a b… |
Neran · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13351 | High | 7.2 | — | 2025-01-15 | The Social proof testimonials and reviews by Repuso plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rw_image_badge1' shortcode in all versions up to, and including, 5.20 due to insufficient input sanitiz… |
Nilesh Shiragave · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23842 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Nilesh Shiragave WordPress Gallery Plugin wordpress-gallery-plugin allows Cross Site Request Forgery. This issue affects WordPress Gallery Plugin: from n/a through <= 1.4. |
Nitethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23877 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nitethemes Nite Shortcodes nite-shortcodes allows Stored XSS. This issue affects Nite Shortcodes: from n/a through <= 1.0. |
Nmedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13355 | Medium | 5.4 | — | 2025-01-16 | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including… |
No-nonsense · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23876 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in No-Nonsense WP krpano wp-krpano allows Stored XSS. This issue affects WP krpano: from n/a through <= 1.2.1. |
Nova706 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23800 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in nova706 OrangeBox orangebox allows Cross Site Request Forgery. This issue affects OrangeBox: from n/a through <= 3.0.0. |
Nuanced Media · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23916 | Medium | 5.4 | — | 2025-01-16 | Missing Authorization vulnerability in Nuanced Media WP Meetup wp-meetup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meetup: from n/a through <= 2.3.0. |
Octopus Deploy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12226 | Medium | 6.5 | — | 2025-01-16 | In affected versions of the Octopus Kubernetes worker or agent, sensitive variables could be written to the Kubernetes script pod log in clear-text. |
Octrace · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22762 | Medium | 5.9 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Octrace WordPress HelpDesk & Support Ticket System Plugin – Octrace Support octrace-support allows Stored XSS. This issue affects WordPres… |
Oddthinking · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23456 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Oddthinking EmailShroud emailshroud allows Reflected XSS. This issue affects EmailShroud: from n/a through <= 2.2.1. |
Odyno · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23856 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Odyno Simple Vertical Timeline simple-vertical-timeline allows DOM-Based XSS. This issue affects Simple Vertical Timeline: from n/a throug… |
Olaf Lederer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22761 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Olaf Lederer Ajax Contact Form fws-ajax-contact-form allows Stored XSS. This issue affects Ajax Contact Form: from n/a through <= 1.4.1. |
Openfga · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56323 | Critical | 9.8 | — | 2025-01-13 | OpenFGA is an authorization/permission engine. |
Openobserve · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55954 | High | 8.7 | — | 2025-01-16 | OpenObserve is a cloud-native observability platform. |
Opentext™ · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7085 | — | — | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Solutions Business Manager (SBM) allows Stored XSS. The vulnerability could result in the exposure of private informat… |
Openvpn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-5198 | Low | 3.3 | — | 2025-01-15 | OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt. |
Oren Yomtov · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23430 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Oren Yomtov Mass Custom Fields Manager mass-custom-fields-manager allows Reflected XSS. This issue affects Mass Custom Fields Manager: from n/a through <= 1.5. |
Oretnom23 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0464 | Low | 2.4 | — | 2025-01-14 | A vulnerability was found in SourceCodester Task Reminder System 1.0. |
Origothemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23508 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in OrigoThemes Extra Options – Favicons extra-options-favicons allows Stored XSS. This issue affects Extra Options – Favicons: from n/a through <= 1.1.0. |
Osuthorpe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23825 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Shortcode Buttons easy-shortcode-buttons allows Stored XSS. This issue affects Easy Shortcode Buttons: from n/a through <=… |
Oğulcan Özügenç · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22797 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oğulcan Özügenç Gallery and Lightbox gallery-and-lightbox allows Stored XSS. This issue affects Gallery and Lightbox: from n/a through <=… |
Pankajpragma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23913 | High | 8.5 | — | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pankajpragma WordPress Google Map Professional google-map-professional allows SQL Injection. This issue affects WordPress Google Map Profe… |
Pascal Casier · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23499 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Pascal Casier Board Election board-election allows Stored XSS. This issue affects Board Election: from n/a through <= 1.0.1. |
Patel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22750 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Patel Post Carousel & Slider post-types-carousel-slider allows Reflected XSS. This issue affects Post Carousel & Slider: from n/a through… |
Payform · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23872 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in payform PayForm payform allows Stored XSS. This issue affects PayForm: from n/a through <= 2.0. |
Paypalmuse · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23930 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in paypalmuse PayPal Marketing Solutions paypal-promotions-and-insights allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PayPal Marketing Solutions: from n/a thr… |
Pedjas · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23826 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pedjas Stop Comment Spam stop-comment-spam allows Stored XSS. This issue affects Stop Comment Spam: from n/a through <= 0.5.3. |
Pega · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12211 | Medium | 5.4 | — | 2025-01-13 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile. |
Pflonk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23642 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pflonk Sidebar-Content from Shortcode sidebar-content-from-shortcode allows DOM-Based XSS. This issue affects Sidebar-Content from Shortco… |
Philipp Speck · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23912 | High | 8.5 | — | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Philipp Speck WordPress Custom Sidebar wordpress-custom-sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: f… |
Phoenix Contact · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11497 | High | 8.8 | — | 2025-01-14 | An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access. |
Pickplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9636 | Critical | 9.8 | — | 2025-01-15 | The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. |
Piotnetdotcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10775 | Medium | 4.3 | — | 2025-01-15 | The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.4.32 via the 'pafe-template' shortcode due to insufficient restrictions on which posts can be included. |
Plumwd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23560 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in plumwd Web Testimonials web-testimonials allows Stored XSS. This issue affects Web Testimonials: from n/a through <= 1.2. |
Poco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23689 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Poco Blogger Image Import allows Stored XSS. This issue affects Blogger Image Import: from 2.1 through n/a. |
Powiet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23641 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PowieT Powie's pLinks PagePeeker plinks allows DOM-Based XSS. This issue affects Powie's pLinks PagePeeker: from n/a through <= 1.0.2. |
Pravin Durugkar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23778 | Medium | 5.4 | — | 2025-01-16 | Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign registered-user-sync-activecampaign allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Sync ActiveCampaign: from n… |
Pressfore · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23865 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pressfore Winning Portfolio winning-portfolio allows Stored XSS. This issue affects Winning Portfolio: from n/a through <= 1.1. |
Progpars.net · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23749 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in progpars.net mybb Last Topics mybb-last-topics allows Stored XSS. This issue affects mybb Last Topics: from n/a through <= 1.0. |
Project-zot · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23208 | High | 7.3 | — | 2025-01-17 | zot is a production-ready vendor-neutral OCI image registry. |
Pyko · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23818 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in pyko More Link Modifier more-link-modifier allows Stored XSS. This issue affects More Link Modifier: from n/a through <= 1.0.3. |
Rami Yushuvaev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23908 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rami Yushuvaev Pastebin pastebin-embed allows Stored XSS. This issue affects Pastebin: from n/a through <= 1.5. |
Raminmt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23833 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RaminMT Links/Problem Reporter report-broken-links allows DOM-Based XSS. This issue affects Links/Problem Reporter: from n/a through <= 2… |
Rasahq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49375 | Critical | 9.0 | — | 2025-01-14 | Open source machine learning framework. |
Ravi Kumar Vanukuru · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23665 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Ravi Kumar Vanukuru RSV GMaps rsv-google-maps allows Stored XSS. This issue affects RSV GMaps: from n/a through <= 1.5. |
Raymonddesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23715 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in RaymondDesign Post & Page Notes post-page-notes allows Stored XSS. This issue affects Post & Page Notes: from n/a through <= 0.1.1. |
Real Seguro Viagem · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23664 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Real Seguro Viagem Real Seguro Viagem seguro-viagem allows Stored XSS. This issue affects Real Seguro Viagem: from n/a through <= 2.0.5. |
Realwebcare · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12403 | Medium | 6.1 | — | 2025-01-15 | The Image Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'awsmgallery' parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output… |
Regios · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23532 | High | 8.8 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Regios MyAnime Widget myanime-widget allows Privilege Escalation. This issue affects MyAnime Widget: from n/a through <= 1.0. |
Revoxis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23767 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revoxis Marmoset Viewer marmoset-viewer allows Stored XSS. This issue affects Marmoset Viewer: from n/a through <= 1.9.3. |
Robdavenport · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12818 | Medium | 6.4 | — | 2025-01-15 | The WP Smart TV plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tv-video-player' shortcode in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user s… |
Roche Diagnostics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13026 | — | — | — | 2025-01-17 | A vulnerability exists in Algo Edge up to 2.1.1 - a previously used (legacy) component of navify® Algorithm Suite. |
Roninwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23915 | High | 7.5 | — | 2025-01-16 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a thro… |
Royal-elementor-addons · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0393 | Medium | 6.1 | — | 2025-01-14 | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. |
Sabaoh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23863 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sabaoh Rollover Tab rollover-tab allows Stored XSS. This issue affects Rollover Tab: from n/a through <= 1.3.2. |
Saleswonder Team: Tobias · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56065 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS. This issue affects WP2LEADS: from n/a through <= 3.4.2. |
Sam Brodie · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23934 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sam Brodie Giveaways and Contests by PromoSimple giveaways-contests-by-promosimple allows Stored XSS. This issue affects Giveaways and Con… |
Sammyb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23573 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in sammyb WP Background Tile wp-background-tile allows Stored XSS. This issue affects WP Background Tile: from n/a through <= 1.0. |
Sana Ullah · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23675 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Sana Ullah Import Users to MailChimp import-users-to-mailchimp allows Stored XSS. This issue affects Import Users to MailChimp: from n/a through <= 1.0. |
Sanjay Prasad · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23514 | Medium | 5.3 | — | 2025-01-16 | Missing Authorization vulnerability in Sanjay Prasad Loginplus loginplus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Loginplus: from n/a through <= 1.2. |
Schalk Burger · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23702 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Schalk Burger Anonymize Links anonymize-links allows Stored XSS. This issue affects Anonymize Links: from n/a through <= 1.1. |
Scott Reilly · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23878 | Medium | 5.9 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Reilly Post-to-Post Links easy-post-to-post-links allows Stored XSS. This issue affects Post-to-Post Links: from n/a through <= 4.2. |
Scottpaterson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12423 | Medium | 6.1 | — | 2025-01-15 | The Contact Form 7 Redirect & Thank You Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escapi… |
Scottswezey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23445 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in scottswezey Easy Tynt easy-tynt allows Cross Site Request Forgery. This issue affects Easy Tynt: from n/a through <= 0.2.5.1. |
Scottwallick · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23887 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scottwallick Blog Summary blog-summary allows Stored XSS. This issue affects Blog Summary: from n/a through <= 0.1.2 β. |
Scribit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12466 | Medium | 6.1 | — | 2025-01-17 | The Proofreading plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping. |
Scriptsbundle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0170 | Medium | 6.1 | — | 2025-01-16 | The DWT - Directory & Listing WordPress Theme is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping on the 'sort_by' and 'token' parameters. |
Seodev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22744 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Seodev S-DEV SEO s-dev-seo allows Stored XSS. This issue affects S-DEV SEO: from n/a through <= 1.88. |
Setmore · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22748 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Setmore SetMore Theme – Custom Post Types service-provider-profile-cpt allows Stored XSS. This issue affects SetMore Theme – Custom Post T… |
Shabboscommerce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23694 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in shabboscommerce Shabbos and Yom Tov shabbos-and-yom-tov allows Stored XSS. This issue affects Shabbos and Yom Tov: from n/a through <= 1.9. |
Shawfactor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23547 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shawfactor LH Login Page lh-login-page allows Reflected XSS. This issue affects LH Login Page: from n/a through <= 2.14. |
Shibulijack · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23869 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in shibulijack CJ Custom Content cj-custom-content allows Stored XSS. This issue affects CJ Custom Content: from n/a through <= 2.0. |
Shiv Prakash Tiwari · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23804 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Shiv Prakash Tiwari WP Service Payment Form With Authorize.net wp-service-payment-form-with-authorizenet allows Reflected XSS. This issue affects WP Service Payment Form With Authorize.net… |
Silverplugins217 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22731 | Medium | 4.3 | — | 2025-01-15 | Cross-Site Request Forgery (CSRF) vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Cross Site Request Forgery. This issue affects Build Private Store For Woocommerce: from n/a… |
Sindhi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23828 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sindhi WordPress Data Guard wordpress-data-guards allows Stored XSS. This issue affects WordPress Data Guard: from n/a through <= 8. |
Sismics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22963 | High | 7.5 | — | 2025-01-13 | Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin. |
Smackcoders Inc., · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23423 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in Smackcoders Inc., SendGrid for WordPress wp-sendgrid-mailer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SendGrid for WordPress: from n/a through <= 1.4. |
Smart Agenda · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22506 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Smart Agenda Smart Agenda smart-agenda-prise-de-rendez-vous-en-ligne allows Stored XSS. This issue affects Smart Agenda: from n/a through… |
Solidres · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23911 | High | 8.5 | — | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in solidres Solidres – Hotel booking plugin solidres allows SQL Injection. This issue affects Solidres – Hotel booking plugin: from n/a throu… |
Sourov Amin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23577 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener word-freshener allows Stored XSS. This issue affects Word Freshener: from n/a through <= 1.3. |
Sprucejoy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23501 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in SpruceJoy Cookie Consent & Autoblock for GDPR/CCPA cookie-consent-autoblock allows Stored XSS. This issue affects Cookie Consent & Autoblock for GDPR/CCPA: from n/a through <= 1.0.1. |
Stargazer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23511 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Stargazer WP-BlackCheck wp-blackcheck allows Stored XSS. This issue affects WP-BlackCheck: from n/a through <= 2.7.2. |
Starise · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23618 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in starise Twitter Shortcode twitter-shortcode allows Stored XSS. This issue affects Twitter Shortcode: from n/a through <= 0.9. |
Stepan Stepasyuk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23559 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Stepan Stepasyuk MemeOne allows Stored XSS. This issue affects MemeOne: from n/a through 2.0.5. |
Stevesoehl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23802 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SteveSoehl WP-Revive Adserver wp-revive-adserver allows Stored XSS. This issue affects WP-Revive Adserver: from n/a through <= 2.2.1. |
Straps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23827 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in straps Strx Magic Floating Sidebar Maker strx-magic-floating-sidebar-maker allows Stored XSS. This issue affects Strx Magic Floating Sideb… |
Stylemix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10970 | Medium | 5.4 | — | 2025-01-16 | The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. |
Surdotly · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23957 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in surdotly Sur.ly surly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sur.ly: from n/a through <= 3.0.3. |
Swarminteractive · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13394 | Medium | 6.4 | — | 2025-01-15 | The ViewMedica 9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewmedica' shortcode in all versions up to, and including, 1.4.18 due to insufficient input sanitization and output escaping on user supp… |
Swedish Boy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22784 | High | 8.6 | — | 2025-01-15 | Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Background Control background-control allows Path Traversal. This issue affects Background Control: from n/a through <= 1.0.5. |
Swift Project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0343 | High | 7.5 | — | 2025-01-15 | Swift ASN.1 can be caused to crash when parsing certain BER/DER constructions. |
Syedamirhussain91 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23566 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in syedamirhussain91 Custom Post custom-post-type-gui allows Stored XSS. This issue affects Custom Post: from n/a through <= 1.0. |
Szmake · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23862 | Medium | 5.3 | — | 2025-01-16 | Missing Authorization vulnerability in SzMake Contact Form 7 Anti Spambot contact-form-7-anti-spambot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form 7 Anti Spambot: from n/a through… |
Tamer Ziady · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23567 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Tamer Ziady GDReseller gdreseller allows Stored XSS. This issue affects GDReseller: from n/a through <= 1.6. |
Taras Dashkevych · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23902 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Taras Dashkevych Error Notification error-notification allows Cross Site Request Forgery. This issue affects Error Notification: from n/a through <= 0.2.7. |
Tc.k · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23926 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TC.K Ajax WP Query Search Filter ajax-wp-query-search-filter allows Stored XSS. This issue affects Ajax WP Query Search Filter: from n/a t… |
Techmix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23699 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in techmix Event Countdown Timer Plugin by TechMix event-countdown-timer allows Reflected XSS. This issue affects Event Countdown Timer Plugi… |
Tenda · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0528 | High | 7.2 | — | 2025-01-17 | A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. |
Thapa.laxman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23820 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in thapa.laxman Content Security Policy Pro content-security-policy-pro allows Cross Site Request Forgery. This issue affects Content Security Policy Pro: from n/a through <= 1.3.5. |
The Dimensional Gate Co. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55577 | High | 7.0 | — | 2025-01-15 | Stack-based buffer overflow vulnerability exists in Linux Ratfor 1.06 and earlier. |
Themescraft.co · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22749 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemesCraft.co Social Media Engine social-media-engine allows Stored XSS. This issue affects Social Media Engine: from n/a through <= 1.0… |
Theverylastperson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13334 | Medium | 6.1 | — | 2025-01-15 | The Car Demon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_condition' parameter in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. |
Thimpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12370 | Medium | 5.3 | — | 2025-01-17 | The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. |
Thom4 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23896 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thom4 Mindmeister Shortcode mindmeister-shortcode allows DOM-Based XSS. This issue affects Mindmeister Shortcode: from n/a through <= 1.0. |
Timmcdaniels · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22344 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in timmcdaniels Media Category Library media-category-library allows Reflected XSS. This issue affects Media Category Library: from n/a throu… |
Tobig · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13386 | Medium | 6.4 | — | 2025-01-17 | The quote-posttype-plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Author field in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. |
Tom Ewer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23890 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tom Ewer Easy Tweet Embed easy-tweet-embed allows DOM-Based XSS. This issue affects Easy Tweet Embed: from n/a through <= 1.7. |
Tormorten · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22747 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tormorten Foundation Columns foundation-columns allows Stored XSS. This issue affects Foundation Columns: from n/a through <= 0.8. |
Trainingbusinesspros · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0394 | High | 8.8 | — | 2025-01-14 | The WordPress CRM, Email & Marketing Automation for WordPress \| Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gh_big_file_upload() function in all versions… |
Trof · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23620 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trof Captchelfie – Captcha by Selfie captchelfie-captcha-by-selfie allows Reflected XSS. This issue affects Captchelfie – Captcha by Selfi… |
Trustist · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22567 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trustist TRUSTist REVIEWer trustist-reviewer allows Reflected XSS. This issue affects TRUSTist REVIEWer: from n/a through <= 2.0. |
Turbosmtp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22753 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in turboSMTP turboSMTP turbosmtp allows Reflected XSS. This issue affects turboSMTP: from n/a through <= 4.6. |
Tushar Patel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23796 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tushar Patel Easy Portfolio easy-portfolio allows Stored XSS. This issue affects Easy Portfolio: from n/a through <= 1.3. |
Tussendoor B.v. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23745 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Tussendoor B.V. |
Ujjavaljani · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23764 | Medium | 5.3 | — | 2025-01-16 | Missing Authorization vulnerability in ujjavaljani Copy Move Posts copy-move-posts. This issue affects Copy Move Posts: from n/a through <= 1.6. |
Umbraco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23041 | Medium | 5.8 | — | 2025-01-14 | Umbraco.Forms is a web form framework written for the nuget ecosystem. |
Uosiu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23693 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in uosiu Secure CAPTCHA secure-captcha allows Stored XSS. This issue affects Secure CAPTCHA: from n/a through <= 1.2. |
Vcita · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11870 | Medium | 6.4 | — | 2025-01-15 | The Event Registration Calendar By vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping o… |
Veeam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23082 | High | 7.2 | — | 2025-01-14 | Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF). |
Vertim · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22799 | High | 8.5 | — | 2025-01-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer neon-product-designer-for-woocommerce allows SQL Injection. This issue affects Neon Product Designer: from n/… |
Viher3 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23434 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in viher3 Easy EU Cookie law easy-eu-cookie-law allows Stored XSS. This issue affects Easy EU Cookie law: from n/a through <= 1.3.3.1. |
Vimal.ghorecha · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23467 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in vimal.ghorecha RSS News Scroller rss-news-scroller allows Stored XSS. This issue affects RSS News Scroller: from n/a through <= 2.0.0. |
Vincent Loy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23891 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vincent Loy Yet Another Countdown yacp allows DOM-Based XSS. This issue affects Yet Another Countdown: from n/a through <= 1.0.1. |
Vincent Mimoun-prat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23438 | High | 7.1 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vincent Mimoun-Prat WP PT-Viewer wp-ptviewer allows Reflected XSS. This issue affects WP PT-Viewer: from n/a through <= 2.0.2. |
Vipul Jariwala · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22764 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vipul Jariwala WP Post Corrector wp-post-corrector allows Reflected XSS. This issue affects WP Post Corrector: from n/a through <= 1.0.2. |
Virtual Computer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0458 | Medium | 4.3 | — | 2025-01-14 | A vulnerability classified as problematic was found in Virtual Computer Vysual RH Solution 2024.12.1. |
Vyperlang · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21607 | High | 7.5 | — | 2025-01-14 | Vyper is a Pythonic Smart Contract Language for the EVM. |
W3speedster · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23765 | Medium | 4.3 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in w3speedster W3SPEEDSTER w3speedster-wp allows Cross Site Request Forgery. This issue affects W3SPEEDSTER: from n/a through <= 7.33. |
Wago · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2018-25108 | High | 7.5 | — | 2025-01-16 | An unauthenticated remote attacker can cause a DoS in the controller due to uncontrolled resource consumption. |
Waltercerrudo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23660 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in waltercerrudo MFPlugin mfplugin allows Stored XSS. This issue affects MFPlugin: from n/a through <= 1.3. |
Web Ready Now · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22782 | Critical | 9.9 | — | 2025-01-15 | Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce wr-price-list-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affects WR Price List Manager For Wooco… |
Web-mv · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23779 | High | 7.6 | — | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in web-mv ResAds resads allows SQL Injection. This issue affects ResAds: from n/a through <= 2.0.5. |
Webtechstreet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13215 | Medium | 4.3 | — | 2025-01-15 | The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the 'render' function in modules/modal-popup/widgets/modal-popup.php. |
Weiluri · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22765 | High | 7.1 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weiluri WP Order By wp-order-by allows Reflected XSS. This issue affects WP Order By: from n/a through <= 1.4.2. |
Willowsconsulting · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23777 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willowsconsulting GDPR Personal Data Reports gdpr-personal-data-reports allows Stored XSS. This issue affects GDPR Personal Data Reports… |
Wishfulthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23929 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in wishfulthemes Email Capture & Lead Generation email-capture-lead-generation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Email Capture & Lead Generation… |
Wp Chill · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22773 | Medium | 5.3 | — | 2025-01-15 | Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects… |
Wp Scripts · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22314 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup food-store allows Reflected XSS. This issue affects Food Store – Online Food Deliver… |
Wpbookingcalendar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13323 | Medium | 6.4 | — | 2025-01-14 | The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input sanitization and output escaping on user… |
Wpeventmanager · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10789 | Medium | 4.3 | — | 2025-01-16 | The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. |
Wpfreeware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23933 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpfreeware WpF Ultimate Carousel wpf-ultimate-carousel allows Stored XSS. This issue affects WpF Ultimate Carousel: from n/a through <= 1… |
Wptasker · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23961 | Medium | 5.4 | — | 2025-01-16 | Missing Authorization vulnerability in wptasker WordPress Graphs & Charts graph-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Graphs & Charts: from n/a through <= 2.0.8. |
Wwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23775 | Medium | 6.5 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WWP GMAPS for WPBakery Page Builder Free gmaps-for-visual-composer-free allows Stored XSS. This issue affects GMAPS for WPBakery Page Buil… |
Wygk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23870 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in wygk Copyright Safeguard Footer Notice copyright-safeguard-footer-notice allows Stored XSS. This issue affects Copyright Safeguard Footer Notice: from n/a through <= 3.0. |
Xavsio4 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23470 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in xavsio4 Visit Site Link enhanced visit-site-link-enhanced allows Stored XSS. This issue affects Visit Site Link enhanced: from n/a through <= 1.0. |
Xola · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23955 | Medium | 4.3 | — | 2025-01-16 | Missing Authorization vulnerability in xola Xola xola-bookings-for-tours-activities allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xola: from n/a through <= 1.6. |
Xwiki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23025 | Critical | 9.0 | — | 2025-01-14 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. |
Yamna Khawaja · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22514 | High | 7.1 | — | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Khawaja KNR Author List Widget knr-author-list-widget allows Reflected XSS. This issue affects KNR Author List Widget: from n/a thro… |
Yesstreamingdev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23854 | Medium | 5.9 | — | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yesstreamingdev Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com shoutcast-and-icecast-html5-web-radio-player-by-yesstrea… |
Yonisink · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23530 | High | 8.8 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Lockdown custom-post-type-lockdown allows Privilege Escalation. This issue affects Custom Post Type Lockdown: from n/a through <= 1.11. |
Yubico · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23013 | — | — | — | 2025-01-15 | In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. |
Zack Katz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23861 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Zack Katz Debt Calculator debt-calculator allows Cross Site Request Forgery. This issue affects Debt Calculator: from n/a through <= 1.0.1. |
Zartis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22746 | Medium | 6.5 | — | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zartis HireHive Job Plugin zartis-job-plugin allows Stored XSS. This issue affects HireHive Job Plugin: from n/a through <= 2.9.0. |
Zetxek · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23533 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in zetxek WP Lyrics wplyrics allows Stored XSS. This issue affects WP Lyrics: from n/a through <= 0.4.1. |
Zookatron · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12598 | Medium | 6.4 | — | 2025-01-17 | The MyBookProgress by Stormhill Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘book’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. |
Zulip · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56136 | Medium | 5.3 | — | 2025-01-16 | Zulip server provides an open-source team chat that helps teams stay productive and focused. |
Zyxel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12398 | High | 8.8 | — | 2025-01-14 | An improper privilege management vulnerability in the web management interface of the Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2) could allow an authenticated user with limited pri… |
קידום ובניית אתרים · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23537 | High | 7.1 | — | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in קידום ובניית אתרים add custom google tag manager add-custom-google-tag-manager allows Stored XSS. This issue affects add custom google tag manager: from n/a through <= 1.0.3. |