Patch Tuesday — January 2025

2025-01-14 · 1182 CVEs

CVEs published or modified the week of 2025-01-14, partitioned by vendor.

Microsoft (173 CVEs)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-21311 | Critical | 9.8 |  | 2025-01-14 | Windows NTLM V1 Elevation of Privilege Vulnerability
CVE-2025-21307 | Critical | 9.8 |  | 2025-01-14 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
CVE-2025-21298 | Critical | 9.8 |  | 2025-01-14 | Windows OLE Remote Code Execution Vulnerability
CVE-2025-0502 | Critical | 9.1 |  | 2025-01-15 | Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure. This issue affects CrafterCMS: from 4.0.0…
CVE-2025-21417 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21413 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21411 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21409 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21339 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21306 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21305 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21303 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21302 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21293 | High | 8.8 |  | 2025-01-14 | Active Directory Domain Services Elevation of Privilege Vulnerability
CVE-2025-21292 | High | 8.8 |  | 2025-01-14 | Windows Search Service Elevation of Privilege Vulnerability
CVE-2025-21291 | High | 8.8 |  | 2025-01-14 | Windows Direct Show Remote Code Execution Vulnerability
CVE-2025-21286 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21282 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21273 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21266 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21252 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21250 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21248 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21246 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21245 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21244 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21243 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21241 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21240 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21239 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21238 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21237 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21236 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21233 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21223 | High | 8.8 |  | 2025-01-14 | Windows Telephony Service Remote Code Execution Vulnerability
CVE-2025-21178 | High | 8.8 |  | 2025-01-14 | Visual Studio Remote Code Execution Vulnerability
CVE-2025-21176 | High | 8.8 |  | 2025-01-14 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2025-21362 | High | 8.4 |  | 2025-01-14 | Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-21354 | High | 8.4 |  | 2025-01-14 | Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-21309 | High | 8.1 |  | 2025-01-14 | Windows Remote Desktop Services Remote Code Execution Vulnerability
CVE-2025-21297 | High | 8.1 |  | 2025-01-14 | Windows Remote Desktop Services Remote Code Execution Vulnerability
CVE-2025-21295 | High | 8.1 |  | 2025-01-14 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
CVE-2025-21294 | High | 8.1 |  | 2025-01-14 | Microsoft Digest Authentication Remote Code Execution Vulnerability
CVE-2025-21224 | High | 8.1 |  | 2025-01-14 | Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
CVE-2025-21325 | High | 7.8 |  | 2025-01-17 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2025-21135 | High | 7.8 |  | 2025-01-14 | Animate versions 24.0.6, 23.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21132 | High | 7.8 |  | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21131 | High | 7.8 |  | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21130 | High | 7.8 |  | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21129 | High | 7.8 |  | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21128 | High | 7.8 |  | 2025-01-14 | Substance3D - Stager versions 3.0.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21127 | High | 7.8 |  | 2025-01-14 | Photoshop Desktop versions 25.12, 26.1 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could lead to arbitrary code execution.
CVE-2025-21122 | High | 7.8 |  | 2025-01-14 | Photoshop Desktop versions 25.12, 26.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21402 | High | 7.8 |  | 2025-01-14 | Microsoft Office OneNote Remote Code Execution Vulnerability
CVE-2025-21395 | High | 7.8 |  | 2025-01-14 | Microsoft Access Remote Code Execution Vulnerability
CVE-2025-21382 | High | 7.8 |  | 2025-01-14 | Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2025-21378 | High | 7.8 |  | 2025-01-14 | Windows CSC Service Elevation of Privilege Vulnerability
CVE-2025-21372 | High | 7.8 |  | 2025-01-14 | Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2025-21370 | High | 7.8 |  | 2025-01-14 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
CVE-2025-21366 | High | 7.8 |  | 2025-01-14 | Microsoft Access Remote Code Execution Vulnerability
CVE-2025-21365 | High | 7.8 |  | 2025-01-14 | Microsoft Office Remote Code Execution Vulnerability
CVE-2025-21364 | High | 7.8 |  | 2025-01-14 | Microsoft Excel Security Feature Bypass Vulnerability
CVE-2025-21363 | High | 7.8 |  | 2025-01-14 | Microsoft Word Remote Code Execution Vulnerability
CVE-2025-21361 | High | 7.8 |  | 2025-01-14 | Microsoft Outlook Remote Code Execution Vulnerability
CVE-2025-21360 | High | 7.8 |  | 2025-01-14 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
CVE-2025-21356 | High | 7.8 |  | 2025-01-14 | Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2025-21345 | High | 7.8 |  | 2025-01-14 | Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2025-21344 | High | 7.8 |  | 2025-01-14 | Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-21338 | High | 7.8 |  | 2025-01-14 | GDI+ Remote Code Execution Vulnerability
CVE-2025-21335 | High | 7.8 | KEV | 2025-01-14 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
CVE-2025-21334 | High | 7.8 | KEV | 2025-01-14 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
CVE-2025-21333 | High | 7.8 | KEV | 2025-01-14 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
CVE-2025-21326 | High | 7.8 |  | 2025-01-14 | Internet Explorer Remote Code Execution Vulnerability
CVE-2025-21315 | High | 7.8 |  | 2025-01-14 | Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2025-21304 | High | 7.8 |  | 2025-01-14 | Microsoft DWM Core Library Elevation of Privilege Vulnerability
CVE-2025-21287 | High | 7.8 |  | 2025-01-14 | Windows Installer Elevation of Privilege Vulnerability
CVE-2025-21281 | High | 7.8 |  | 2025-01-14 | Microsoft COM for Windows Elevation of Privilege Vulnerability
CVE-2025-21275 | High | 7.8 |  | 2025-01-14 | Windows App Package Installer Elevation of Privilege Vulnerability
CVE-2025-21271 | High | 7.8 |  | 2025-01-14 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2025-21235 | High | 7.8 |  | 2025-01-14 | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
CVE-2025-21234 | High | 7.8 |  | 2025-01-14 | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
CVE-2025-21187 | High | 7.8 |  | 2025-01-14 | Microsoft Power Automate Remote Code Execution Vulnerability
CVE-2025-21186 | High | 7.8 |  | 2025-01-14 | Microsoft Access Remote Code Execution Vulnerability
CVE-2025-21389 | High | 7.5 |  | 2025-01-14 | Uncontrolled resource consumption in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to deny service over a network.
CVE-2025-21343 | High | 7.5 |  | 2025-01-14 | Windows Web Threat Defense User Service Information Disclosure Vulnerability
CVE-2025-21330 | High | 7.5 |  | 2025-01-14 | Windows Remote Desktop Services Denial of Service Vulnerability
CVE-2025-21300 | High | 7.5 |  | 2025-01-14 | Windows Universal Plug and Play (UPnP) Device Host Denial of Service Vulnerability
CVE-2025-21296 | High | 7.5 |  | 2025-01-14 | BranchCache Remote Code Execution Vulnerability
CVE-2025-21290 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2025-21289 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2025-21285 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2025-21277 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2025-21276 | High | 7.5 |  | 2025-01-14 | Windows MapUrlToZone Denial of Service Vulnerability
CVE-2025-21270 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2025-21251 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2025-21231 | High | 7.5 |  | 2025-01-14 | IP Helper Denial of Service Vulnerability
CVE-2025-21230 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2025-21220 | High | 7.5 |  | 2025-01-14 | Microsoft Message Queuing Information Disclosure Vulnerability
CVE-2025-21218 | High | 7.5 |  | 2025-01-14 | Windows Kerberos Denial of Service Vulnerability
CVE-2025-21207 | High | 7.5 |  | 2025-01-14 | Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability
CVE-2025-21172 | High | 7.5 |  | 2025-01-14 | .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2025-21171 | High | 7.5 |  | 2025-01-14 | .NET Remote Code Execution Vulnerability
CVE-2025-21399 | High | 7.4 |  | 2025-01-17 | Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability
CVE-2025-21405 | High | 7.3 |  | 2025-01-14 | Visual Studio Elevation of Privilege Vulnerability
CVE-2025-21331 | High | 7.3 |  | 2025-01-14 | Windows Installer Elevation of Privilege Vulnerability
CVE-2025-21173 | High | 7.3 |  | 2025-01-14 | .NET Elevation of Privilege Vulnerability
CVE-2025-21348 | High | 7.2 |  | 2025-01-14 | Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2025-21346 | High | 7.1 |  | 2025-01-14 | Microsoft Office Security Feature Bypass Vulnerability
CVE-2025-21299 | High | 7.1 |  | 2025-01-14 | Windows Kerberos Security Feature Bypass Vulnerability
CVE-2025-21211 | Medium | 6.8 |  | 2025-01-14 | Secure Boot Security Feature Bypass Vulnerability
CVE-2025-21357 | Medium | 6.7 |  | 2025-01-14 | Microsoft Outlook Remote Code Execution Vulnerability
CVE-2025-21341 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21327 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21324 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21310 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21265 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21263 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21261 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21260 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21258 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21256 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21255 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21249 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21232 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21229 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21228 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21227 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21226 | Medium | 6.6 |  | 2025-01-14 | Windows Digital Media Elevation of Privilege Vulnerability
CVE-2025-21185 | Medium | 6.5 |  | 2025-01-17 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2024-52363 | Medium | 6.5 |  | 2025-01-17 | IBM InfoSphere Information Server 11.7 could allow a remote attacker to traverse directories on the system.
CVE-2025-0440 | Medium | 6.5 |  | 2025-01-15 | Inappropriate implementation in Fullscreen in Google Chrome on Windows prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2025-21314 | Medium | 6.5 |  | 2025-01-14 | Windows SmartScreen Spoofing Vulnerability
CVE-2025-21313 | Medium | 6.5 |  | 2025-01-14 | Windows Security Account Manager (SAM) Denial of Service Vulnerability
CVE-2025-21308 | Medium | 6.5 |  | 2025-01-14 | Windows Themes Spoofing Vulnerability
CVE-2025-21301 | Medium | 6.5 |  | 2025-01-14 | Windows Geolocation Service Information Disclosure Vulnerability
CVE-2025-21288 | Medium | 6.5 |  | 2025-01-14 | Windows COM Server Information Disclosure Vulnerability
CVE-2025-21272 | Medium | 6.5 |  | 2025-01-14 | Windows COM Server Information Disclosure Vulnerability
CVE-2025-21217 | Medium | 6.5 |  | 2025-01-14 | Windows NTLM Spoofing Vulnerability
CVE-2025-21193 | Medium | 6.5 |  | 2025-01-14 | Active Directory Federation Server Spoofing Vulnerability
CVE-2025-21403 | Medium | 6.4 |  | 2025-01-14 | On-Premises Data Gateway Information Disclosure Vulnerability
CVE-2025-21393 | Medium | 6.3 |  | 2025-01-14 | Microsoft SharePoint Server Spoofing Vulnerability
CVE-2025-21278 | Medium | 6.2 |  | 2025-01-14 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
CVE-2024-52898 | Medium | 6.2 |  | 2025-01-14 | IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD web console could allow a local user to obtain sensitive information when a detailed technical error message is returned.
CVE-2025-21202 | Medium | 6.1 |  | 2025-01-14 | Windows Recovery Environment Agent Elevation of Privilege Vulnerability
CVE-2025-21242 | Medium | 5.9 |  | 2025-01-14 | Windows Kerberos Information Disclosure Vulnerability
CVE-2025-21225 | Medium | 5.9 |  | 2025-01-14 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
CVE-2025-21336 | Medium | 5.6 |  | 2025-01-14 | Windows Cryptographic Information Disclosure Vulnerability
CVE-2025-21374 | Medium | 5.5 |  | 2025-01-14 | Windows CSC Service Information Disclosure Vulnerability
CVE-2025-21340 | Medium | 5.5 |  | 2025-01-14 | Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability
CVE-2025-21323 | Medium | 5.5 |  | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-21321 | Medium | 5.5 |  | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-21320 | Medium | 5.5 |  | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-21319 | Medium | 5.5 |  | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-21318 | Medium | 5.5 |  | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-21317 | Medium | 5.5 |  | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-21316 | Medium | 5.5 |  | 2025-01-14 | Windows Kernel Memory Information Disclosure Vulnerability
CVE-2025-21284 | Medium | 5.5 |  | 2025-01-14 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability
CVE-2025-21280 | Medium | 5.5 |  | 2025-01-14 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability
CVE-2025-21274 | Medium | 5.5 |  | 2025-01-14 | Windows Event Tracing Denial of Service Vulnerability
CVE-2025-21257 | Medium | 5.5 |  | 2025-01-14 | Windows WLAN AutoConfig Service Information Disclosure Vulnerability
CVE-2025-21215 | Medium | 4.6 |  | 2025-01-14 | Secure Boot Security Feature Bypass Vulnerability
CVE-2025-21213 | Medium | 4.6 |  | 2025-01-14 | Secure Boot Security Feature Bypass Vulnerability
CVE-2024-54540 | Medium | 4.3 |  | 2025-01-15 | The issue was addressed with improved input sanitization.
CVE-2025-21332 | Medium | 4.3 |  | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-21329 | Medium | 4.3 |  | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-21328 | Medium | 4.3 |  | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-21269 | Medium | 4.3 |  | 2025-01-14 | Windows HTML Platforms Security Feature Bypass Vulnerability
CVE-2025-21268 | Medium | 4.3 |  | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-21219 | Medium | 4.3 |  | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-21189 | Medium | 4.3 |  | 2025-01-14 | MapUrlToZone Security Feature Bypass Vulnerability
CVE-2025-21214 | Medium | 4.2 |  | 2025-01-14 | Windows BitLocker Information Disclosure Vulnerability
CVE-2025-21210 | Medium | 4.2 |  | 2025-01-14 | Windows BitLocker Information Disclosure Vulnerability
CVE-2025-21312 | Low | 2.4 |  | 2025-01-14 | Windows Smart Card Reader Information Disclosure Vulnerability

Other vendors (1009 CVEs across 445 vendors)

N/a · 143 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57726 | Critical | 9.9 | KEV | 2025-01-15 | SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions.
CVE-2024-57035 | Critical | 9.8 |  | 2025-01-17 | WeGIA v3.2.0 is vulnerable to SQL Injection via the nextPage parameter in /controle/control.php.
CVE-2024-57034 | Critical | 9.8 |  | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to SQL Injection in query_geracao_auto.php via the query parameter.
CVE-2024-57032 | Critical | 9.8 |  | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php.
CVE-2024-57031 | Critical | 9.8 |  | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to SQL Injection in /funcionario/remuneracao.php via the id_funcionario parameter.
CVE-2024-57703 | Critical | 9.8 |  | 2025-01-16 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability.
CVE-2024-57583 | Critical | 9.8 |  | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a command injection vulnerability via the usbName parameter in the formSetSambaConf function.
CVE-2024-57582 | Critical | 9.8 |  | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the startIP parameter in the formSetPPTPServer function.
CVE-2024-57581 | Critical | 9.8 |  | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function.
CVE-2024-57580 | Critical | 9.8 |  | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function.
CVE-2024-57579 | Critical | 9.8 |  | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the limitSpeedUp parameter in the formSetClientState function.
CVE-2024-57575 | Critical | 9.8 |  | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the ssid parameter in the form_fast_setting_wifi_set function.
CVE-2024-48126 | Critical | 9.8 |  | 2025-01-15 | HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access.
CVE-2024-57483 | Critical | 9.8 |  | 2025-01-14 | Tenda i24 V2.0.0.5 is vulnerable to Buffer Overflow in the addWifiMacFilter function.
CVE-2024-53553 | Critical | 9.1 |  | 2025-01-16 | An issue in OPEXUS FOIAXPRESS PUBLIC ACCESS LINK v11.1.0 allows attackers to bypass authentication via crafted web requests.
CVE-2024-57766 | Critical | 9.1 |  | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField.
CVE-2024-57764 | Critical | 9.1 |  | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add.
CVE-2024-57763 | Critical | 9.1 |  | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField.
CVE-2024-57811 | Critical | 9.1 |  | 2025-01-13 | In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH.
CVE-2024-46310 | Critical | 9.1 |  | 2025-01-13 | Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via an exposed API endpoint.
CVE-2024-57704 | High | 8.8 |  | 2025-01-16 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability.
CVE-2024-57578 | High | 8.8 |  | 2025-01-16 | Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the funcpara1 parameter in the formSetCfm function.
CVE-2024-57022 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sHour" parameter in setWiFiScheduleCfg.
CVE-2024-57021 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eHour" parameter in setWiFiScheduleCfg.
CVE-2024-57020 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sMinute" parameter in setWiFiScheduleCfg.
CVE-2024-57019 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "limit" parameter in setVpnAccountCfg.
CVE-2024-57018 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in setVpnAccountCfg.
CVE-2024-57017 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "pass" parameter in setVpnAccountCfg.
CVE-2024-57016 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "user" parameter in setVpnAccountCfg.
CVE-2024-57015 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "hour" parameter in setScheduleCfg.
CVE-2024-57014 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "recHour" parameter in setScheduleCfg.
CVE-2024-57013 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "switch" parameter in setScheduleCfg.
CVE-2024-57012 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setScheduleCfg.
CVE-2024-57011 | High | 8.8 |  | 2025-01-15 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "minute" parameter in setScheduleCfg.
CVE-2023-42244 | High | 8.8 |  | 2025-01-13 | An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42228 | High | 8.8 |  | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control.
CVE-2024-54660 | High | 8.7 |  | 2025-01-16 | A JNDI injection issue was discovered in Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35.
CVE-2024-53561 | High | 8.7 |  | 2025-01-14 | A remote code execution (RCE) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary code via a crafted request.
CVE-2024-57767 | High | 8.6 |  | 2025-01-15 | MSFM before v2025.01.01 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /file/download.
CVE-2024-48123 | High | 8.4 |  | 2025-01-15 | An issue in the USB Autorun function of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to execute arbitrary code via uploading a crafted script from a USB device.
CVE-2024-57030 | High | 8.1 |  | 2025-01-17 | WeGIA < 3.2.0 is vulnerable to Cross Site Scripting (XSS) in /geral/documentos_funcionario.php via the id parameter.
CVE-2024-46450 | High | 8.1 |  | 2025-01-16 | Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request.
CVE-2023-42231 | High | 8.1 |  | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control.
CVE-2024-55511 | High | 7.8 |  | 2025-01-16 | A null pointer dereference vulnerability in Macrium Reflect prior to 8.1.8017 allows a local attacker to cause a system crash or potentially elevate their privileges via executing a specially crafted executable.
CVE-2024-57727 | High | 7.5 | KEV | 2025-01-15 | SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests.
CVE-2024-48125 | High | 7.5 |  | 2025-01-15 | An issue in the AsDB service of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to enumerate user credentials via crafted GIOP protocol requests.
CVE-2024-50954 | High | 7.5 |  | 2025-01-15 | The XINJE XL5E-16T and XD5E-24R-E programmable logic controllers V3.5.3b-V3.7.2a have a vulnerability in handling Modbus messages.
CVE-2024-50953 | High | 7.5 |  | 2025-01-15 | An issue in XINJE XL5E-16T V3.7.2a allows attackers to cause a Denial of Service (DoS) via a crafted Modbus message.
CVE-2024-57765 | High | 7.5 |  | 2025-01-15 | MSFM before 2025.01.01 was discovered to contain a SQL injection vulnerability via the s_name parameter at table/list.
CVE-2024-57762 | High | 7.5 |  | 2025-01-15 | MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file.
CVE-2024-54730 | High | 7.5 |  | 2025-01-14 | Flatnotes < v5.3.1 is vulnerable to denial of service through the upload image function.
CVE-2025-22984 | High | 7.5 |  | 2025-01-14 | An access control issue in the component /api/squareComment/DelectSquareById of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.
CVE-2025-22983 | High | 7.5 |  | 2025-01-14 | An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.
CVE-2024-57664 | High | 7.5 |  | 2025-01-14 | An issue in the sqlg_group_node component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57663 | High | 7.5 |  | 2025-01-14 | An issue in the sqlg_place_dpipes component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57662 | High | 7.5 |  | 2025-01-14 | An issue in the sqlg_hash_source component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57661 | High | 7.5 |  | 2025-01-14 | An issue in the sqlo_df component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57660 | High | 7.5 |  | 2025-01-14 | An issue in the sqlo_expand_jts component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57659 | High | 7.5 |  | 2025-01-14 | An issue in the sqlg_parallel_ts_seq component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57658 | High | 7.5 |  | 2025-01-14 | An issue in the sql_tree_hash_1 component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57657 | High | 7.5 |  | 2025-01-14 | An issue in the sqlg_vec_upd component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57656 | High | 7.5 |  | 2025-01-14 | An issue in the sqlc_add_distinct_node component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57655 | High | 7.5 |  | 2025-01-14 | An issue in the dfe_n_in_order component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57654 | High | 7.5 |  | 2025-01-14 | An issue in the qst_vec_get_int64 component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57653 | High | 7.5 |  | 2025-01-14 | An issue in the qst_vec_set_copy component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57652 | High | 7.5 |  | 2025-01-14 | An issue in the numeric_to_dv component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57651 | High | 7.5 |  | 2025-01-14 | An issue in the jp_add component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57650 | High | 7.5 |  | 2025-01-14 | An issue in the qi_inst_state_free component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57649 | High | 7.5 |  | 2025-01-14 | An issue in the qst_vec_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57648 | High | 7.5 |  | 2025-01-14 | An issue in the itc_set_param_row component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57647 | High | 7.5 |  | 2025-01-14 | An issue in the row_insert_cast component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57646 | High | 7.5 |  | 2025-01-14 | An issue in the psiginfo component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57645 | High | 7.5 |  | 2025-01-14 | An issue in the qi_inst_state_free component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57644 | High | 7.5 |  | 2025-01-14 | An issue in the itc_hash_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57643 | High | 7.5 |  | 2025-01-14 | An issue in the box_deserialize_string component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57642 | High | 7.5 |  | 2025-01-14 | An issue in the dfe_inx_op_col_def_table component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57641 | High | 7.5 |  | 2025-01-14 | An issue in the sqlexp component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57640 | High | 7.5 |  | 2025-01-14 | An issue in the dc_add_int component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57639 | High | 7.5 |  | 2025-01-14 | An issue in the dc_elt_size component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57638 | High | 7.5 |  | 2025-01-14 | An issue in the dfe_body_copy component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57637 | High | 7.5 |  | 2025-01-14 | An issue in the dfe_unit_gb_dependant component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57636 | High | 7.5 |  | 2025-01-14 | An issue in the itc_sample_row_check component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57635 | High | 7.5 |  | 2025-01-14 | An issue in the chash_array component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2023-42232 | High | 7.5 |  | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Navigator/Index function.
CVE-2023-42227 | High | 7.5 |  | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the WSCView/Save function.
CVE-2023-42226 | High | 7.5 |  | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Email/SaveAttachment function.
CVE-2023-42225 | High | 7.5 |  | 2025-01-13 | Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Attachment/DownloadTempFile function.
CVE-2024-42911 | High | 7.4 |  | 2025-01-14 | ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability.
CVE-2025-0465 | High | 7.3 |  | 2025-01-14 | A vulnerability was found in AquilaCMS 1.412.13.
CVE-2025-0460 | High | 7.3 |  | 2025-01-14 | A vulnerability, which was classified as critical, was found in Blog Botz for Journal Theme 1.0 on OpenCart.
CVE-2024-57728 | High | 7.2 | KEV | 2025-01-15 | SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e.
CVE-2024-52870 | High | 7.1 |  | 2025-01-17 | Teradata Vantage Editor 1.0.1 is mostly intended for SQL database access and docs.teradata.com access, but provides unintended functionality (including Chromium Developer Tools) that can result in a client user accessing arbitrary remote w…
CVE-2025-22976 | High | 7.1 |  | 2025-01-15 | SQL Injection vulnerability in dingfanzuCMS v.1.0 allows a local attacker to execute arbitrary code via not filtering the content correctly at the "checkOrder.php" shopId module.
CVE-2024-57025Medium6.82025-01-15TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in setWiFiScheduleCfg.
CVE-2024-57024Medium6.82025-01-15TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eMinute" parameter in setWiFiScheduleCfg.
CVE-2024-57023Medium6.82025-01-15TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setWiFiScheduleCfg.
CVE-2024-48122Medium6.72025-01-15Insecure default configurations in HI-SCAN 6040i Hitrax HX-03-19-I allow authenticated attackers with low-level privileges to escalate to root-level privileges.
CVE-2024-50967Medium6.52025-01-17The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability.
CVE-2024-41454Medium6.52025-01-15An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file.
CVE-2024-39967Medium6.52025-01-15Insecure permissions in Aginode GigaSwitch v5 allows attackers to access sensitive information via using the SCP command.
CVE-2024-36751Medium6.52025-01-15An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.
CVE-2024-48121Medium6.52025-01-15The HI-SCAN 6040i Hitrax HX-03-19-I was discovered to transmit user credentials in cleartext over the GIOP protocol.
CVE-2023-42248Medium6.52025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42229Medium6.52025-01-13Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal.
CVE-2024-46921Medium6.52025-01-13An issue was discovered in Samsung Mobile Processor and Modem Exynos 9820, 9825, 980, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W1000, Modem 5123, Modem 5300, Modem 5400.
CVE-2024-46920Medium6.52025-01-13An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 850, 1080, 2100, and 1280.
CVE-2024-57369Medium6.42025-01-17Clickjacking vulnerability in typecho v1.2.1.
CVE-2024-57033Medium6.12025-01-17WeGIA < 3.2.0 is vulnerable to Cross Site Scripting (XSS) via the dados_addInfo parameter of documentos_funcionario.php.
CVE-2024-57372Medium6.12025-01-17Cross Site Scripting vulnerability in InformationPush master version allows a remote attacker to obtain sensitive information via the title, time and msg parameters
CVE-2024-57370Medium6.12025-01-17Cross Site Scripting vulnerability in sunnygkp10 Online Exam System master version allows a remote attacker to obtain sensitive information via the w parameter.
CVE-2023-42250Medium6.12025-01-13Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via /common/autocomplete.php.
CVE-2023-42249Medium6.12025-01-13Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via vam/vam_visits.php.
CVE-2023-42247Medium6.12025-01-13Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via monitor/s_monitor_map.php.
CVE-2023-42246Medium6.12025-01-13Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via /vam/vam_ep.php.
CVE-2023-42245Medium6.12025-01-13Selesta Visual Access Manager < 4.42.2 is vulnerable to Cross Site Scripting (XSS) via monitor/s_scheduledfile.php.
CVE-2023-42233Medium6.12025-01-13Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Scripting (XSS) via the Filter/FilterEditor function.
CVE-2023-42230Medium6.12025-01-13Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Scripting (XSS) via the WSCView/Save function.
CVE-2024-44771Medium6.12025-01-13BigId PrivacyPortal v179 is vulnerable to Cross Site Scripting (XSS) via the "Label" field in the Report template function.
CVE-2024-57577Medium5.72025-01-16Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the speed_dir parameter in the formSetSpeedWan function.
CVE-2024-57784Medium5.52025-01-16An issue in the component /php/script_uploads.php of Zenitel AlphaWeb XE v11.2.3.10 allows attackers to execute a directory traversal.
CVE-2024-53563Medium5.42025-01-14A stored cross-site scripting (XSS) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.
CVE-2023-42243Medium5.42025-01-13In Selesta Visual Access Manager < 4.42.2, an authenticated user can access the administrative page /common/vam_Sql.php, which allows for arbitrary SQL queries.
CVE-2023-42234Medium5.42025-01-13Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Request Forgery (CSRF) via the WSCView function.
CVE-2024-46919Medium5.32025-01-13An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 850, 1080, 2100, and 1280.
CVE-2024-52783Medium5.12025-01-15Insecure permissions in the XNetSocketClient component of XINJE XDPPro.exe v3.2.2 to v3.7.17c allows attackers to execute arbitrary code via modification of the configuration file.
CVE-2024-57785Medium4.92025-01-16Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via the component amc_uploads.php.
CVE-2024-41453Medium4.82025-01-15A cross-site scripting (XSS) vulnerability in Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.
CVE-2024-40514Medium4.62025-01-16Insecure Permissions vulnerability in themesebrand Chatvia v.5.3.2 allows a remote attacker to escalate privileges via the User profile name and image upload functions.
CVE-2024-40513Medium4.62025-01-16An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function.
CVE-2024-57252Medium4.32025-01-17OtCMS <=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can Read system files arbitrarily.
CVE-2024-48460Medium4.32025-01-16An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification fails.
CVE-2025-0480Medium4.32025-01-15A vulnerability classified as problematic has been found in wuzhicms 4.1.0.
CVE-2024-48883Medium4.32025-01-13An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, and Modem 5300.
CVE-2023-42242Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42241Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42240Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42239Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42238Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42237Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42236Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2023-42235Low3.82025-01-13An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2.
CVE-2024-53407Low3.32025-01-15In Phiewer 4.1.0, a dylib injection leads to Command Execution which allow attackers to inject dylib file potentially leading to remote control and unauthorized access to sensitive user data.
CVE-2024-37181Low2.62025-01-16Time-of-check time-of-use race condition in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable information disclosure via adjacent access.
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-39761 | Critical | 10.0 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39760 | Critical | 10.0 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39759 | Critical | 10.0 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39754 | Critical | 10.0 | | 2025-01-14 | A static login vulnerability exists in the wctrls functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39608 | Critical | 10.0 | | 2025-01-14 | A firmware update vulnerability exists in the login.cgi functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-36290 | Critical | 10.0 | | 2025-01-14 | A buffer overflow vulnerability exists in the login.cgi Goto_chidx() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-36258 | Critical | 10.0 | | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-34166 | Critical | 10.0 | | 2025-01-14 | An OS command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39363 | Critical | 9.6 | | 2025-01-14 | A cross-site scripting (XSS) vulnerability exists in the login.cgi set_lang_CountryCode() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39803 | Critical | 9.1 | | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the qos.cgi qos_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39802 | Critical | 9.1 | | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the qos.cgi qos_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39801 | Critical | 9.1 | | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the qos.cgi qos_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39800 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39799 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39798 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39795 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39794 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39793 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39790 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39789 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39788 | Critical | 9.1 | | 2025-01-14 | Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39787 | Critical | 9.1 | | 2025-01-14 | Multiple directory traversal vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39786 | Critical | 9.1 | | 2025-01-14 | Multiple directory traversal vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39785 | Critical | 9.1 | | 2025-01-14 | Multiple command execution vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39784 | Critical | 9.1 | | 2025-01-14 | Multiple command execution vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39783 | Critical | 9.1 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39782 | Critical | 9.1 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39781 | Critical | 9.1 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39774 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_sys_adm() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39770 | Critical | 9.1 | | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39769 | Critical | 9.1 | | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39768 | Critical | 9.1 | | 2025-01-14 | Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39765 | Critical | 9.1 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39764 | Critical | 9.1 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39763 | Critical | 9.1 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39762 | Critical | 9.1 | | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39757 | Critical | 9.1 | | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi AddMac() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39756 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi rep_as_router() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39603 | Critical | 9.1 | | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi set_wifi_basic_mesh() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39602 | Critical | 9.1 | | 2025-01-14 | An external config control vulnerability exists in the nas.cgi set_nas() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39370 | Critical | 9.1 | | 2025-01-14 | An arbitrary code execution vulnerability exists in the adm.cgi set_MeshAp() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39367 | Critical | 9.1 | | 2025-01-14 | An OS command injection vulnerability exists in the firewall.cgi iptablesWebsFilterRun() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39360 | Critical | 9.1 | | 2025-01-14 | An OS command injection vulnerability exists in the nas.cgi remove_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39359 | Critical | 9.1 | | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi DeleteMac() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39358 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_wzap() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39357 | Critical | 9.1 | | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi SetName() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39299 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the qos.cgi qos_sta_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39294 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_wzdgw4G() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39288 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39280 | Critical | 9.1 | | 2025-01-14 | An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-38666 | Critical | 9.1 | | 2025-01-14 | An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-37357 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-37186 | Critical | 9.1 | | 2025-01-14 | An OS command injection vulnerability exists in the adm.cgi set_ledonoff() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-37184 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the adm.cgi rep_as_bridge() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-36493 | Critical | 9.1 | | 2025-01-14 | A stack-based buffer overflow vulnerability exists in the wireless.cgi set_wifi_basic() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-36295 | Critical | 9.1 | | 2025-01-14 | A command execution vulnerability exists in the qos.cgi qos_sta() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-36272 | Critical | 9.1 | | 2025-01-14 | A buffer overflow vulnerability exists in the usbip.cgi set_info() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-34544 | Critical | 9.1 | | 2025-01-14 | A command injection vulnerability exists in the wireless.cgi AddMac() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-21797 | Critical | 9.1 | | 2025-01-14 | A command execution vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39604 | Critical | 9.0 | | 2025-01-14 | A command execution vulnerability exists in the update_filter_url.sh functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39273 | Critical | 9.0 | | 2025-01-14 | A firmware update vulnerability exists in the fw_check.sh functionality of Wavlink AC3000 M33A8.V5030.210505. |
| CVE-2024-39773 | Medium | 5.3 | | 2025-01-14 | An information disclosure vulnerability exists in the testsave.sh functionality of Wavlink AC3000 M33A8.V5030.210505. |

Fortinet · 51 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-55591 | Critical | 9.8 | KEV | 2025-01-14 | An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-… |
| CVE-2023-37936 | Critical | 9.8 | | 2025-01-14 | A use of hard-coded cryptographic key in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows an attacker to execute unauthorized co… |
| CVE-2024-48886 | Critical | 9.0 | | 2025-01-14 | A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.17, 2.0.0 through 2.0… |
| CVE-2024-47572 | Critical | 9.0 | | 2025-01-14 | An improper neutralization of formula elements in a CSV file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows an attacker to execute unauthorized code or commands via manipulating a CSV file. |
| CVE-2024-27778 | High | 8.8 | | 2025-01-14 | An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 al… |
| CVE-2023-37931 | High | 8.8 | | 2025-01-14 | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-88] in FortiVoice Enterprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind SQL in… |
| CVE-2024-35277 | High | 8.6 | | 2025-01-14 | A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows an attacker to access the… |
| CVE-2024-47571 | High | 8.1 | | 2025-01-14 | An operation on a resource after expiration or release in Fortinet FortiManager 6.4.12 through 7.4.0 allows an attacker to gain improper access to FortiGate via valid credentials. |
| CVE-2024-23106 | High | 8.1 | | 2025-01-14 | An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through 7.2.4 and before 7.0.10 allows an unauthenticated attacker to try a brute force attack against the FortiClientEMS console via cr… |
| CVE-2023-37937 | High | 7.8 | | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0… |
| CVE-2024-48884 | High | 7.5 | | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7… |
| CVE-2024-46670 | High | 7.5 | | 2025-01-14 | An Out-of-bounds Read vulnerability [CWE-125] in FortiOS version 7.6.0, version 7.4.4 and below, version 7.2.9 and below and FortiSASE FortiOS tenant version 24.3.b IPsec IKE service may allow an unauthenticated remote attacker to trigger… |
| CVE-2024-46668 | High | 7.5 | | 2025-01-14 | An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenti… |
| CVE-2024-46667 | High | 7.5 | | 2025-01-14 | An allocation of resources without limits or throttling in Fortinet FortiSIEM 5.3 all versions, 5.4 all versions, 6.x all versions, 7.0 all versions, and 7.1.0 through 7.1.5 may allow an attacker to deny valid TLS traffic via consuming all… |
| CVE-2024-50563 | High | 7.3 | | 2025-01-16 | A weak authentication in Fortinet FortiManager Cloud, FortiAnalyzer versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiM… |
| CVE-2024-45331 | High | 7.3 | | 2025-01-16 | An incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13… |
| CVE-2024-50566 | High | 7.2 | | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiManager Cloud 7.6.0 through 7.6.1, FortiManager Cloud 7.4.0 through 7.4.4, FortiManager Cloud 7.2.2 through 7.2.7… |
| CVE-2024-36512 | High | 7.2 | | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager, FortiAnalyzer 7.4.0 through 7.4.3 and 7.2.0 through 7.2.5 and 7.0.2 through 7.0.12 and 6.2.10 through 6.2.13 allows an attacker to exe… |
| CVE-2024-35273 | High | 7.2 | | 2025-01-14 | An out-of-bounds write in Fortinet FortiManager version 7.4.0 through 7.4.2, FortiAnalyzer version 7.4.0 through 7.4.2 allows an attacker to escalate privileges via specially crafted HTTP requests. |
| CVE-2024-48893 | Medium | 6.8 | | 2025-01-14 | An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the c… |
| CVE-2024-56497 | Medium | 6.7 | | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiMail versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.6 and 6.4.0 through 6.4.7, FortiRecorder versions 7.0.0 and 6.4.0 throug… |
| CVE-2024-40587 | Medium | 6.7 | | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiVoice version 7.0.0 through 7.0.4 and before 6.4.9 allows an authenticated privileged attacker to execute… |
| CVE-2024-33503 | Medium | 6.7 | | 2025-01-14 | An improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6… |
| CVE-2024-26012 | Medium | 6.7 | | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiAP-S 6.2 all versions, and 6.4.0 through 6.4.9, FortiAP-W2 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.3, and 7.4.0 thr… |
| CVE-2024-48890 | Medium | 6.6 | | 2025-01-14 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR IMAP connector version 3.5.7 and below may allow an authenticated attacker to execute unauthorized code or co… |
| CVE-2024-35275 | Medium | 6.6 | | 2025-01-14 | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, FortiManager version 7.4.0 through 7.4.2 allows an attacker to escalate privileges via specially… |
| CVE-2024-54021 | Medium | 6.5 | | 2025-01-14 | An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 may allow a remote unauthenticated attacker to bypass… |
| CVE-2024-36504 | Medium | 6.5 | | 2025-01-14 | An out-of-bounds read vulnerability [CWE-125] in FortiOS SSLVPN web portal versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, 7.0 all versions, and 6.4 all versions may allow an authenticated attacker to perform a denial of servic… |
| CVE-2024-33502 | Medium | 6.5 | | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14 and 6.2.0 thro… |
| CVE-2023-42786 | Medium | 6.5 | | 2025-01-14 | A null pointer dereference in FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0 all versions, 6.4 all versions, 6.2 all versions and 6.0 all versions allows an attacker to trigger a denial of service via a crafted HTTP request. |
| CVE-2023-42785 | Medium | 6.5 | | 2025-01-14 | A null pointer dereference in FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0 all versions, 6.4 all versions, 6.2 all versions and 6.0 all versions allows an attacker to trigger a denial of service via a crafted HTTP request. |
| CVE-2024-21758 | Medium | 6.4 | | 2025-01-14 | A stack-based buffer overflow in Fortinet FortiWeb versions 7.2.0 through 7.2.7, and 7.4.0 through 7.4.1 may allow a privileged user to execute arbitrary code via specially crafted CLI commands, provided the user is able to evade FortiWeb… |
| CVE-2024-35276 | Medium | 5.6 | | 2025-01-14 | A stack-based buffer overflow in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6… |
| CVE-2024-46664 | Medium | 5.5 | | 2025-01-14 | A relative path traversal in Fortinet FortiRecorder [CWE-23] version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to read files from the underlying filesystem via crafted HTTP or HTTPS requests. |
| CVE-2024-32115 | Medium | 5.5 | | 2025-01-14 | A relative path traversal vulnerability [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPS requests. |
| CVE-2024-35280 | Medium | 5.4 | | 2025-01-15 | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiDeceptor 5.3.0, FortiDeceptor 5.2.0, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 al… |
| CVE-2024-48885 | Medium | 5.3 | | 2025-01-16 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9… |
| CVE-2024-46666 | Medium | 5.3 | | 2025-01-14 | An allocation of resources without limits or throttling [CWE-770] vulnerability in FortiOS versions 7.6.0, versions 7.4.4 through 7.4.0, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow a remote unauthenticated attacker to pr… |
| CVE-2024-36510 | Medium | 5.3 | | 2025-01-14 | An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions… |
| CVE-2024-47566 | Medium | 5.1 | | 2025-01-14 | An improper limitation of a pathname to a restricted directory ('path traversal') [CWE-23] in Fortinet FortiRecorder version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to delete files from the underlying filesystem vi… |
| CVE-2023-46715 | Medium | 5.0 | | 2025-01-14 | An origin validation error [CWE-346] vulnerability in Fortinet FortiOS IPSec VPN version 7.4.0 through 7.4.1 and version 7.2.6 and below allows an authenticated IPSec VPN user with dynamic IP addressing to send (but not receive) packets s… |
| CVE-2024-45326 | Medium | 4.3 | | 2025-01-14 | An Improper Access Control vulnerability [CWE-284] in Fortinet FortiDeceptor 6.0.0, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an a… |
| CVE-2024-35278 | Medium | 4.3 | | 2025-01-14 | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiPortal versions 7.2.4 through 7.2.0 and 7.0.0 through 7.2.8 may allow an authenticated attacker to view the SQL query being run server-… |
| CVE-2024-52969 | Medium | 4.1 | | 2025-01-14 | An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSIEM version 7.1.7 and below, version 7.1.0, version 7.0.3 and below, version 6.7.9 and below, 6.7.8, version 6.6.5 and b… |
| CVE-2024-52963 | Low | 3.7 | | 2025-01-14 | An out-of-bounds write in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4.0 through 6.4.15 allows an attacker to trigger a denial of service via specially crafted packets. |
| CVE-2024-46665 | Low | 3.7 | | 2025-01-14 | An insertion of sensitive information into sent data vulnerability [CWE-201] in FortiOS 7.6.0, 7.4.0 through 7.4.4 may allow an attacker in a man-in-the-middle position to retrieve the RADIUS accounting server shared secret via interceptin… |
| CVE-2024-36506 | Low | 3.7 | | 2025-01-14 | An improper verification of source of a communication channel vulnerability [CWE-940] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, 6.4 all versions may allow a remote attacker to bypass the trusted host feature via sessi… |
| CVE-2024-52967 | Low | 3.5 | | 2025-01-14 | An improper neutralization of script-related HTML tags in a web page (basic XSS) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows an attacker to execute unauthorized code or commands via HTML injection. |
| CVE-2024-46669 | Low | 3.5 | | 2025-01-14 | An Integer Overflow or Wraparound vulnerability [CWE-190] in version 7.4.4 and below, version 7.2.10 and below; FortiSASE version 23.4.b FortiOS tenant IPsec IKE service may allow an authenticated attacker to crash the IPsec tunnel via cra… |
| CVE-2024-50564 | Low | 3.3 | | 2025-01-14 | A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named p… |
| CVE-2024-55593 | Low | 2.7 | | 2025-01-14 | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows an attacker to gain information disclosure via crafted SQL queries. |

Linux · 32 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57900 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempte…
CVE-2024-57899 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix mbss changed flags corruption on 32 bit systems On 32-bit systems, the size of an unsigned long is 4 bytes, while a u64 is 8 bytes.
CVE-2024-57896 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kt…
CVE-2024-57892 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses…
CVE-2024-57887 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: drm: adv7511: Fix use-after-free in adv7533_attach_dsi() The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the sam…
CVE-2024-57857 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Remove direct link to net_device Do not manage a per device direct link to net_device.
CVE-2024-57801 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Skip restore TC rules for vport rep without loaded flag During driver unload, unregister_netdev is called after unloading vport rep.
CVE-2024-57795 | High | 7.8 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Remove the direct link to net_device The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889 This problem also occurred in…
CVE-2024-57893 | Medium | 6.3 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: oss: Fix races at processing SysEx messages OSS sequencer handles the SysEx messages split in 6 bytes packets, and ALSA sequencer OSS layer tries to combine t…
CVE-2025-21629 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offload of IPv6 packets with extension headers on devices that advertise N…
CVE-2024-57903 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: restrict SO_REUSEPORT to inet sockets After blamed commit, crypto sockets could accidentally be destroyed from RCU call back, as spotted by syzbot [1].
CVE-2024-57902 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: af_packet: fix vlan_get_tci() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot.
CVE-2024-57901 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot.
CVE-2024-57897 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Correct the migration DMA map direction The SVM DMA device map direction should be set the same as the DMA unmap setting, otherwise the DMA core will report …
CVE-2024-57895 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: set ATTR_CTIME flags when setting mtime David reported that the new warning from setattr_copy_mgtime is coming like the following.
CVE-2024-57891 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix invalid irq restore in scx_ops_bypass() While adding outer irqsave/restore locking, 0e7ffff1b811 ("scx: Fix raciness in scx_ops_bypass()") forgot to conve…
CVE-2024-57890 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication…
CVE-2024-57889 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: slee…
CVE-2024-57888 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECL…
CVE-2024-57886 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()".
CVE-2024-57885 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: fix sleeping function called from invalid context at print message Address a bug in the kernel that triggers a "sleeping function called from invalid contex…
CVE-2024-57884 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() The task sometimes continues looping in throttle_direct_reclaim() because allow_…
CVE-2024-57883 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectedly through try_get_folio() by caller such as split_huge_pages.
CVE-2024-57882 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix TCP options overflow.
CVE-2024-57844 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix fault on fd close after unbind If userspace holds an fd open, unbinds the device and then closes it, the driver shouldn't try to access the hardware.
CVE-2024-57841 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in tcp_conn_request() If inet_csk_reqsk_queue_hash_add() return false, tcp_conn_request() will return without free the dst memory, which allocated i…
CVE-2024-57802 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: netrom: check buffer length before accessing it Syzkaller reports an uninit value read from ax25cmp when sending raw message through ieee802154 implementation.
CVE-2024-54031 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Access to genmask field in struct nft_set_ext results in unaligned atomic read: [ 72.130109] Unab…
CVE-2024-53681 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: nvmet: Don't overflow subsysnqn nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed size buffer, even though it is dynamically allocated to the size…
CVE-2024-39282 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Fix FSM command timeout issue When driver processes the internal state change command, it use an asynchronous thread to process the command operation.
CVE-2024-36476 | Medium | 5.5 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs: Ensure 'ib_sge list' is accessible Move the declaration of the 'ib_sge list' variable outside the 'always_invalidate' block to ensure it remains accessible fo…
CVE-2024-57898 | Low | 3.3 | | 2025-01-15 | In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: clear link ID from bitmap during link delete after clean up Currently, during link deletion, the link ID is first removed from the valid_links bitmap bef…

Google · 20 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0447 | High | 8.8 | | 2025-01-15 | Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page.
CVE-2025-0443 | High | 8.8 | | 2025-01-15 | Insufficient data validation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page.
CVE-2025-0438 | High | 8.8 | | 2025-01-15 | Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page.
CVE-2025-0437 | High | 8.8 | | 2025-01-15 | Out of bounds read in Metrics in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-0436 | High | 8.8 | | 2025-01-15 | Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-0434 | High | 8.8 | | 2025-01-15 | Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2018-9434 | High | 7.8 | | 2025-01-17 | In multiple functions of Parcel.cpp, there is a possible way to bypass address space layout randomization.
CVE-2018-9382 | High | 7.8 | | 2025-01-17 | In multiple functions of WifiServiceImpl.java, there is a possible way to activate Wi-Fi hotspot from a non-owner profile due to a missing permission check.
CVE-2018-9375 | High | 7.8 | | 2025-01-17 | In multiple functions of UserDictionaryProvider.java, there is a possible way to add and delete words in the user dictionary due to a confused deputy.
CVE-2025-0442 | Medium | 6.5 | | 2025-01-15 | Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
CVE-2025-0441 | Medium | 6.5 | | 2025-01-15 | Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to obtain potentially sensitive information from the system via a crafted HTML page.
CVE-2025-0439 | Medium | 6.5 | | 2025-01-15 | Race in Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
CVE-2025-0435 | Medium | 6.5 | | 2025-01-15 | Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2018-9447 | Medium | 5.5 | | 2025-01-17 | In onCreate of EmergencyCallbackModeExitDialog.java, there is a possible way to crash the emergency callback mode due to a missing null check.
CVE-2018-9379 | Medium | 5.5 | | 2025-01-17 | In multiple functions of MiniThumbFile.java, there is a possible way to view the thumbnails of deleted photos due to a confused deputy.
CVE-2017-13322 | Medium | 5.5 | | 2025-01-17 | In endCallForSubscriber of PhoneInterfaceManager.java, there is a possible way to prevent access to emergency services due to a logic error in the code.
CVE-2018-9384 | Medium | 4.4 | | 2025-01-17 | In multiple locations, there is a possible way to bypass KASLR due to an unusual root cause.
CVE-2018-9383 | Medium | 4.4 | | 2025-01-17 | In asn1_ber_decoder of asn1_decoder.c, there is a possible out of bounds read due to a missing bounds check.
CVE-2025-0448 | Medium | 4.3 | | 2025-01-15 | Inappropriate implementation in Compositing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2025-0446 | Medium | 4.3 | | 2025-01-15 | Inappropriate implementation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension.

Ivanti · 20 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13161 | Critical | 9.8 | KEV | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13160 | Critical | 9.8 | KEV | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13159 | Critical | 9.8 | KEV | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-10811 | Critical | 9.8 | | 2025-01-14 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13172 | High | 7.8 | | 2025-01-14 | Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2024-13171 | High | 7.8 | | 2025-01-14 | Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2024-13169 | High | 7.8 | | 2025-01-14 | An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
CVE-2024-13164 | High | 7.8 | | 2025-01-14 | An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
CVE-2024-13163 | High | 7.8 | | 2025-01-14 | Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2024-10630 | High | 7.8 | | 2025-01-14 | A race condition in Ivanti Application Control Engine before version 10.14.4.0 allows a local authenticated attacker to bypass the application blocking functionality.
CVE-2024-13170 | High | 7.5 | | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
CVE-2024-13168 | High | 7.5 | | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
CVE-2024-13167 | High | 7.5 | | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
CVE-2024-13166 | High | 7.5 | | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
CVE-2024-13165 | High | 7.5 | | 2025-01-14 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
CVE-2024-13180 | High | 7.5 | | 2025-01-14 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13181 | High | 7.3 | | 2025-01-14 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
CVE-2024-13179 | High | 7.3 | | 2025-01-14 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
CVE-2024-13162 | High | 7.2 | | 2025-01-14 | SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
CVE-2024-13158 | High | 7.2 | | 2025-01-14 | An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Monetdb · 20 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57634 | High | 7.5 | | 2025-01-14 | An issue in the exp_copy component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57633 | High | 7.5 | | 2025-01-14 | An issue in the exps_bind_column component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57632 | High | 7.5 | | 2025-01-14 | An issue in the is_column_unique component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57631 | High | 7.5 | | 2025-01-14 | An issue in the exp_ref component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57630 | High | 7.5 | | 2025-01-14 | An issue in the exps_card component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57629 | High | 7.5 | | 2025-01-14 | An issue in the tail_type component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57628 | High | 7.5 | | 2025-01-14 | An issue in the exp_values_set_supertype component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57627 | High | 7.5 | | 2025-01-14 | An issue in the gc_col component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57626 | High | 7.5 | | 2025-01-14 | An issue in the mat_join2 component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57625 | High | 7.5 | | 2025-01-14 | An issue in the merge_table_prune_and_unionize component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57624 | High | 7.5 | | 2025-01-14 | An issue in the exp_atom component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57623 | High | 7.5 | | 2025-01-14 | An issue in the HEAP_malloc component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57622 | High | 7.5 | | 2025-01-14 | An issue in the exp_bin component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57621 | High | 7.5 | | 2025-01-14 | An issue in the GDKanalytical_correlation component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57620 | High | 7.5 | | 2025-01-14 | An issue in the trimchars component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57619 | High | 7.5 | | 2025-01-14 | An issue in the atom_get_int component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57618 | High | 7.5 | | 2025-01-14 | An issue in the bind_col_exp component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57617 | High | 7.5 | | 2025-01-14 | An issue in the dameraulevenshtein component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57616 | High | 7.5 | | 2025-01-14 | An issue in the vscanf component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
CVE-2024-57615 | High | 7.5 | | 2025-01-14 | An issue in the BATcalcbetween_intern component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Labredescefetrj · 16 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23034 | Medium | 6.1 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23030 | Medium | 6.1 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-22619 | Medium | 6.1 | | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-22617 | Medium | 6.1 | | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-22615 | Medium | 6.1 | | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23038 | Medium | 5.4 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23037 | Medium | 5.4 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23036 | Medium | 5.4 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23035 | Medium | 5.4 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23033 | Medium | 5.4 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23032 | Medium | 5.4 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-23031 | Medium | 5.4 | | 2025-01-14 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-22618 | Medium | 5.4 | | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-22616 | Medium | 5.4 | | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-22614 | Medium | 5.4 | | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.
CVE-2025-22613 | Medium | 5.4 | | 2025-01-13 | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions.

D-Link · 10 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57684 | Critical | 9.8 | | 2025-01-16 | An access control issue in the component formDMZ.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the DMZ service of the device via a crafted POST request.
CVE-2025-22968 | Critical | 9.8 | | 2025-01-15 | An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using root account without restrictions.
CVE-2024-57682 | Medium | 6.5 | | 2025-01-16 | An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request.
CVE-2024-57679 | Medium | 6.5 | | 2025-01-16 | An access control issue in the component form2RepeaterSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G repeater service of the device via a crafted POST request.
CVE-2024-57678 | Medium | 6.5 | | 2025-01-16 | An access control issue in the component form2WlAc.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G MAC access control list of the device via a crafted POST request.
CVE-2024-57677 | Medium | 6.5 | | 2025-01-16 | An access control issue in the component form2Wan.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the WAN service of the device via a crafted POST request.
CVE-2024-57676 | Medium | 6.5 | | 2025-01-16 | An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G WLAN service of the device via a crafted POST request.
CVE-2024-57681 | Medium | 5.3 | | 2025-01-16 | An access control issue in the component form2alg.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the ALG service of the device via a crafted POST request.
CVE-2024-57680 | Medium | 5.3 | | 2025-01-16 | An access control issue in the component form2PortriggerRule.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the port trigger of the device via a crafted POST request.
CVE-2024-57683 | Medium | 4.3 | | 2025-01-16 | An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request.

Fanli2012 · 10 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0486 | High | 7.3 | | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0.
CVE-2025-0484 | High | 7.3 | | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0 and classified as critical.
CVE-2025-0482 | High | 7.3 | | 2025-01-15 | A vulnerability, which was classified as critical, was found in Fanli2012 native-php-cms 1.0.
CVE-2025-0491 | Medium | 6.3 | | 2025-01-15 | A vulnerability, which was classified as critical, was found in Fanli2012 native-php-cms 1.0.
CVE-2025-0490 | Medium | 6.3 | | 2025-01-15 | A vulnerability, which was classified as critical, has been found in Fanli2012 native-php-cms 1.0.
CVE-2025-0489 | Medium | 6.3 | | 2025-01-15 | A vulnerability classified as critical was found in Fanli2012 native-php-cms 1.0.
CVE-2025-0488 | Medium | 6.3 | | 2025-01-15 | A vulnerability classified as critical has been found in Fanli2012 native-php-cms 1.0.
CVE-2025-0487 | Medium | 6.3 | | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0.
CVE-2025-0485 | Low | 3.5 | | 2025-01-15 | A vulnerability was found in Fanli2012 native-php-cms 1.0.
CVE-2025-0483 | Low | 3.5 | | 2025-01-15 | A vulnerability has been found in Fanli2012 native-php-cms 1.0 and classified as problematic.

Typo3 · 10 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-55924 | High | 8.0 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55921 | High | 7.5 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55922 | Medium | 5.4 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55892 | Medium | 4.8 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55945 | Medium | 4.3 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55923 | Medium | 4.3 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55920 | Medium | 4.3 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55894 | Medium | 4.3 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55893 | Medium | 4.3 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.
CVE-2024-55891 | Low | 3.1 | | 2025-01-14 | TYPO3 is a free and open source Content Management Framework.

Jfinaloa_project · 9 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57768 | Critical | 9.8 | | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.
CVE-2024-57775 | High | 8.8 | | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid.
CVE-2024-57770 | High | 8.8 | | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id.
CVE-2024-57769 | High | 8.8 | | 2025-01-16 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser.
CVE-2024-57774 | Medium | 4.8 | | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57773 | Medium | 4.8 | | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57772 | Medium | 4.8 | | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57771 | Medium | 4.8 | | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57776 | Medium | 4.6 | | 2025-01-16 | A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Mattermost · 9 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-20630Medium6.52025-01-16Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
CVE-2025-20621Medium6.52025-01-16Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to cr…
CVE-2025-20072Medium6.52025-01-16Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.
CVE-2025-21083Medium6.52025-01-15Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
CVE-2025-20088Medium6.52025-01-15Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
CVE-2025-20086Medium6.52025-01-15Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
CVE-2025-20036Medium6.52025-01-15Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
CVE-2025-21088Medium6.52025-01-15Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend…
CVE-2025-0476Medium4.32025-01-16Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment.

Apple · 8 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-40771High7.82025-01-15The issue was addressed with improved memory handling.
CVE-2024-27856High7.82025-01-15The issue was addressed with improved checks.
CVE-2024-40854Medium5.52025-01-15A memory initialization issue was addressed with improved memory handling.
CVE-2024-54470Medium4.62025-01-15A logic issue was addressed with improved checks.
CVE-2024-44136Medium4.62025-01-15This issue was addressed through improved state management.
CVE-2024-54535Medium4.32025-01-15A path handling issue was addressed with improved logic.
CVE-2024-55503Low3.32025-01-15An issue in termius before v.9.9.0 allows a local attacker to execute arbitrary code via a crafted script to the DYLD_INSERT_LIBRARIES component.
CVE-2024-40839Low2.42025-01-15This issue was addressed through improved state management.

Sap_se · 8 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0070Critical9.92025-01-14SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation.
CVE-2025-0069High7.82025-01-14Due to DLL injection vulnerability in SAPSetup, an attacker with either local user privileges or with access to a compromised corporate user's Windows account could gain higher privileges.
CVE-2025-0067Medium6.32025-01-14Due to a missing authorization check on service endpoints in the SAP NetWeaver Application Server Java, an attacker with standard user role can create JCo connection entries, which are used for remote function calls from or to the applicat…
CVE-2025-0059Medium6.02025-01-14Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability.
CVE-2025-0056Medium6.02025-01-14SAP GUI for Java saves user input on the client PC to improve usability.
CVE-2025-0055Medium6.02025-01-14SAP GUI for Windows stores user input on the client PC to improve usability.
CVE-2025-0057Medium4.82025-01-14SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability.
CVE-2025-0068Medium4.32025-01-14An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks.

Schneider Electric · 8 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-10497High8.82025-01-17CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HT…
CVE-2024-12142High8.62025-01-17CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause information disclosure of restricted web page, modification of web page and denial of service when specific web pages are modified an…
CVE-2024-12703High7.82025-01-17CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.
CVE-2024-12476High7.82025-01-17CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific craft…
CVE-2024-11425High7.52025-01-17CWE-131: Incorrect Calculation of Buffer Size vulnerability exists that could cause Denial-of-Service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver.
CVE-2024-12399High7.12025-01-17CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs m…
CVE-2024-10498Medium6.52025-01-17CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could allow an unauthorized attacker to modify configuration values outside of the normal range when the attacker sends specific Mod…
CVE-2024-111392025-01-17CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could allow local attackers to exploit these issues to potentially execute arbitrary code when opening a malicious project file.

Edimax · 7 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-22916Critical9.82025-01-16RE11S v1.11 was discovered to contain a stack overflow via the pppUserName parameter in the formPPPoESetup function.
CVE-2025-22913Critical9.82025-01-16RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formStaDrvSetup function.
CVE-2025-22912Critical9.82025-01-16RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept.
CVE-2025-22907Critical9.82025-01-16RE11S v1.11 was discovered to contain a stack overflow via the selSSID parameter in the formWlSiteSurvey function.
CVE-2025-22906Critical9.82025-01-16RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN.
CVE-2025-22905Critical9.82025-01-16RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp.
CVE-2025-22904Critical9.82025-01-16RE11S v1.11 was discovered to contain a stack overflow via the pptpUserName parameter in the setWAN function.

Imagination Technologies · 7 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-47897High8.82025-01-13Software installed and run as a non-privileged user may conduct improper GPU system calls resulting in platform instability and reboots.
CVE-2024-52938High7.82025-01-13Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to subvert reconstruction activities to trigger a write of data outside the Guest's virtualised GPU memory.
CVE-2024-47895High7.12025-01-13Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory.
CVE-2024-47894High7.12025-01-13Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory.
CVE-2024-52937Medium6.72025-01-13Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory.
CVE-2024-52936Medium4.42025-01-13Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to write data outside the Guest's virtualised GPU memory.
CVE-2024-52935Medium4.12025-01-13Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory.

Liujianview · 7 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0410Medium6.32025-01-13A vulnerability classified as critical was found in liujianview gymxmjpa 1.0.
CVE-2025-0409Medium6.32025-01-13A vulnerability classified as critical has been found in liujianview gymxmjpa 1.0.
CVE-2025-0408Medium6.32025-01-13A vulnerability was found in liujianview gymxmjpa 1.0.
CVE-2025-0407Medium6.32025-01-13A vulnerability was found in liujianview gymxmjpa 1.0.
CVE-2025-0406Medium6.32025-01-13A vulnerability was found in liujianview gymxmjpa 1.0.
CVE-2025-0405Medium6.32025-01-13A vulnerability was found in liujianview gymxmjpa 1.0 and classified as critical.
CVE-2025-0404Medium6.32025-01-13A vulnerability has been found in liujianview gymxmjpa 1.0 and classified as critical.

Adobe · 6 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-21139High7.82025-01-14Substance3D - Designer versions 14.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21138High7.82025-01-14Substance3D - Designer versions 14.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21137High7.82025-01-14Substance3D - Designer versions 14.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21136High7.82025-01-14Substance3D - Designer versions 14.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21134High7.82025-01-14Illustrator on iPad versions 3.0.7 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-21133High7.82025-01-14Illustrator on iPad versions 3.0.7 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.

Code-projects · 6 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-57488Medium6.52025-01-13Code-Projects Online Car Rental System 1.0 is vulnerable to Cross Site Scripting (XSS) via the vehicalorcview parameter in /admin/edit-vehicle.php.
CVE-2024-57487Medium6.52025-01-13In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server.
CVE-2025-0531Medium6.32025-01-17A vulnerability was found in code-projects Chat System 1.0 and classified as critical.
CVE-2025-0529Medium5.32025-01-17A vulnerability, which was classified as critical, was found in code-projects Train Ticket Reservation System 1.0.
CVE-2025-0538Low3.52025-01-17A vulnerability, which was classified as problematic, was found in code-projects Tourism Management System 1.0.
CVE-2025-0537Low2.42025-01-17A vulnerability, which was classified as problematic, has been found in code-projects Car Rental Management System 1.0.

Sap · 6 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0066Critical9.92025-01-14Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls.
CVE-2025-0063High8.82025-01-14SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules.
CVE-2025-0061High8.72025-01-14SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability.
CVE-2025-0060Medium6.52025-01-14SAP BusinessObjects Business Intelligence Platform allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker.
CVE-2025-0058Medium6.52025-01-14In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted.
CVE-2025-0053Medium5.32025-01-14SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information.

Almalinux · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-12084Critical9.82025-01-15A heap-based buffer overflow flaw was found in the rsync daemon.
CVE-2024-12085High7.52025-01-14A flaw was found in rsync which could be triggered when rsync compares file checksums.
CVE-2024-12088Medium6.52025-01-14A flaw was found in rsync.
CVE-2024-12087Medium6.52025-01-14A path traversal vulnerability exists in rsync.
CVE-2024-12086Medium6.12025-01-14A flaw was found in rsync.

Blackberry · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-48856Critical9.82025-01-14Out-of-bounds write in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition or execute code in the context of the process using the image codec.
CVE-2024-48858High7.52025-01-14Improper input validation in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec.
CVE-2024-48857High7.52025-01-14NULL pointer dereference in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec.
CVE-2024-48855Medium5.32025-01-14Out-of-bounds read in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec.
CVE-2024-48854Medium5.32025-01-14Off-by-one error in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec.

Etic Telecom · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-26153High7.42025-01-17All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19 are vulnerable to cross-site request forgery (CSRF).
CVE-2024-26155Medium6.82025-01-17All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 expose clear text credentials in the web portal.
CVE-2024-26157Medium6.12025-01-17All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross site scripting (XSS) attacks in get view method under view parameter.
CVE-2024-26156Medium4.82025-01-17All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross site scripting (XSS) attacks in the method parameter.
CVE-2024-26154Medium4.82025-01-17All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross site scripting in the appliance site name.

Gestioip · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-48760Critical9.82025-01-14An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function.
CVE-2024-50858High8.82025-01-14Multiple endpoints in GestioIP v3.5.7 are vulnerable to Cross-Site Request Forgery (CSRF).
CVE-2024-50861Medium6.12025-01-14The ip_mod_dns_key_form.cgi request in GestioIP v3.5.7 is vulnerable to Stored XSS.
CVE-2024-50859Medium4.82025-01-14The ip_import_acl_csv request in GestioIP v3.5.7 is vulnerable to Reflected XSS.
CVE-2024-50857Medium4.82025-01-14The ip_do_job request in GestioIP v3.5.7 is vulnerable to Cross-Site Scripting (XSS).

H3c · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-57473Critical9.82025-01-14H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the mac address editing function.
CVE-2024-57482Critical9.82025-01-14H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the 5G wireless network processing function.
CVE-2024-57480Critical9.82025-01-14H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the AP configuration function.
CVE-2024-57479Critical9.82025-01-14H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the mac address update function.
CVE-2024-57471Critical9.82025-01-14H3C N12 V100R005 contains a buffer overflow vulnerability due to the lack of length verification in the 2.4G wireless network processing function.

Librenms · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-23201Medium5.42025-01-16librenms is a community-based GPL-licensed network monitoring system.
CVE-2025-23200Medium4.62025-01-16librenms is a community-based GPL-licensed network monitoring system.
CVE-2025-23199Medium4.62025-01-16librenms is a community-based GPL-licensed network monitoring system.
CVE-2025-23198Medium4.62025-01-16librenms is a community-based GPL-licensed network monitoring system.
CVE-2024-56144Medium4.62025-01-16librenms is a community-based GPL-licensed network monitoring system.

Red Hat · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-23366Medium6.52025-01-14A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users.
CVE-2024-11734Medium6.52025-01-14A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service.
CVE-2024-12747Medium5.62025-01-14A flaw was found in rsync.
CVE-2024-11029Medium5.52025-01-15A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl.
CVE-2024-11736Medium4.92025-01-14A vulnerability was found in Keycloak.

T2bot · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-56515Medium6.82025-01-16Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix.
CVE-2024-52791Medium5.32025-01-16Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix.
CVE-2024-36403Medium5.32025-01-16Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix.
CVE-2024-36402Medium5.32025-01-16Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix.
CVE-2024-52602Medium5.02025-01-16Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix.

Wikimedia Foundation · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-23081Medium6.12025-01-14Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cros…
CVE-2025-23072Medium5.42025-01-14Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RefreshSpecial Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Refresh…
CVE-2025-23080Medium5.32025-01-14Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - OpenBadges Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - OpenBadges…
CVE-2025-23073Low3.52025-01-14Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data.
CVE-2025-23074Low2.42025-01-14Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse.This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.3…

07fly · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-57161Medium4.32025-01-1607FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/edit.html.
CVE-2024-57160Medium4.32025-01-1607FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaTask/edit.html.
CVE-2024-57611Low3.52025-01-1607FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/doAdminAction.php?act=editShop&shopId.
CVE-2024-57159Low3.52025-01-1607FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via /erp.07fly.net:80/oa/OaWorkReport/add.html.

Boldgrid · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-12365High8.52025-01-14The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1.
CVE-2025-22759Medium6.52025-01-15Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Stored XSS.This issue affects Post and Page Builder by BoldGrid…
CVE-2024-12008Medium5.32025-01-14The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 through the publicly exposed debug log file.
CVE-2024-12006Medium5.32025-01-14The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1.

Icegram · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-12568Medium4.82025-01-13The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even w…
CVE-2024-12567Medium4.82025-01-13The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when…
CVE-2024-12566Medium4.82025-01-13The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the…
CVE-2024-11636Medium4.82025-01-13The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even…

Siemens · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-56841High7.42025-01-14A vulnerability has been identified in Mendix LDAP (All versions < V1.1.2).
CVE-2024-47100High7.12025-01-14A vulnerability has been identified in SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C A…
CVE-2024-53649Medium6.52025-01-14A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.80), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 6MD86 (CP300) (All versions >= V7.80 < V9.80), SIPROTEC 5 6MD89 (CP300) (All versi…
CVE-2024-45385Medium4.72025-01-14A vulnerability has been identified in Industrial Edge Management OS (IEM-OS) (All versions).

1000 Projects · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0534High7.32025-01-17A vulnerability was found in 1000 Projects Campaign Management System Platform for Women 1.0.
CVE-2025-0533High7.32025-01-17A vulnerability was found in 1000 Projects Campaign Management System Platform for Women 1.0.
CVE-2025-0536Medium6.32025-01-17A vulnerability classified as critical was found in 1000 Projects Attendance Tracking Management System 1.0.

1902756969 · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0402Medium6.32025-01-13A vulnerability classified as critical was found in 1902756969 reggie 1.0.
CVE-2025-0403Medium5.32025-01-13A vulnerability, which was classified as problematic, has been found in 1902756969 reggie 1.0.
CVE-2025-0401Medium5.32025-01-13A vulnerability classified as critical has been found in 1902756969 reggie 1.0.

51mis · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0463Medium6.32025-01-14A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0.
CVE-2025-0462Medium6.32025-01-14A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0 and classified as critical.
CVE-2025-0461Medium4.32025-01-14A vulnerability has been found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0 and classified as problematic.

Amazon · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-23206High8.12025-01-17The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation.
CVE-2025-0501High7.52025-01-15An issue in the native clients for Amazon WorkSpaces (when running PCoIP protocol) may allow an attacker to access remote sessions via man-in-the-middle.
CVE-2025-0500High7.52025-01-15An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle.

Coder426 · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-12614High7.52025-01-16The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8.
CVE-2024-12613High7.52025-01-16The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix value in several AJAX functions in all versions up to, and including, 1.4.8 due to insufficient escaping on the user supplied parameter and lack…
CVE-2024-12615Medium6.52025-01-16The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix value in several AJAX actions in all versions up to, and including, 1.4.8 due to insufficient escaping on the user supplied parameter and lack…

Codezips · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0541Medium6.32025-01-17A vulnerability was found in Codezips Gym Management System 1.0 and classified as critical.
CVE-2025-0535Medium6.32025-01-17A vulnerability classified as critical has been found in Codezips Gym Management System 1.0.
CVE-2025-0532Medium6.32025-01-17A vulnerability was found in Codezips Gym Management System 1.0.

Debian · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-52006High7.52025-01-14Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals.
CVE-2024-56374Medium5.82025-01-14An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18.
CVE-2024-50349Medium4.72025-01-14Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals.

Lenovo · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-45102Medium6.82025-01-14A privilege escalation vulnerability was discovered that could allow a valid, authenticated LXCA user to escalate their permissions for a connected XCC instance when using LXCA as a Single Sign On (SSO) provider for XCC instances.
CVE-2024-10254Medium4.72025-01-14A potential buffer overflow vulnerability was reported in PC Manager, Lenovo Browser, and Lenovo App Store that could allow a local attacker to cause a system crash.
CVE-2024-10253Medium4.72025-01-14A potential TOCTOU vulnerability was reported in PC Manager, Lenovo Browser, and Lenovo App Store that could allow a local attacker to cause a system crash.

Nec Corporation · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0355High7.52025-01-15Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and e…
CVE-2025-0356High7.22025-01-15NEC Corporation Aterm WX1500HP Ver.1.4.2 and earlier and WX3600HP Ver.1.5.3 and earlier allows an attacker to execute arbitrary OS commands via the network.
CVE-2025-0354Medium4.82025-01-15Cross-site scripting vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver…

Netvision Information · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0456Critical9.82025-01-16The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve * all accounts and passwords.
CVE-2025-0455Critical9.82025-01-16The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-0457High8.82025-01-16The airPASS from NetVision Information has an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands.

Observium · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-47140High8.72025-01-15A cross-site scripting (XSS) vulnerability exists in the add_alert_check page of Observium CE 24.4.13528.
CVE-2024-47002High8.72025-01-15An HTML code injection vulnerability exists in the VLAN management part of Observium CE 24.4.13528.
CVE-2024-45061High8.72025-01-15A cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528.

Ossur · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-53683Medium4.42025-01-17A valid set of credentials in a .js file and a static token for communication were obtained from the decompiled IPA.
CVE-2024-45832Medium4.32025-01-17Hard-coded credentials were included as part of the application binary.
CVE-2024-54681Low3.52025-01-17Multiple bash files were present in the application's private directory.

Pmb Services · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-0471Critical9.92025-01-16Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above.
CVE-2025-0472High7.52025-01-16Information exposure in the PMB platform affecting versions 4.2.13 and earlier.
CVE-2025-0473Medium6.52025-01-16Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above.

Venki · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-46479 | Critical | 9.9 | - | 2025-01-13 | Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability.
CVE-2024-46480 | High | 8.4 | - | 2025-01-13 | An NTLM hash leak in Venki Supravizio BPM up to 18.0.1 allows authenticated attackers with Application Administrator access to escalate privileges on the underlying host system.
CVE-2024-46481 | High | 7.2 | - | 2025-01-13 | The login page of Venki Supravizio BPM up to 18.1.1 is vulnerable to open redirect leading to reflected XSS.

Y's Corporation · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-20055 | Critical | 9.8 | - | 2025-01-14 | OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340 provided by Y'S corporation.
CVE-2025-20620 | High | 7.5 | - | 2025-01-14 | SQL Injection vulnerability exists in STEALTHONE D220/D340 provided by Y'S corporation.
CVE-2025-20016 | High | 7.2 | - | 2025-01-14 | OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340/D440 provided by Y'S corporation.

Alex Volkov · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23760 | High | 7.1 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS.
CVE-2025-23761 | Medium | 5.4 | - | 2025-01-16 | Missing Authorization vulnerability in Alex Volkov Woo Tuner allows Exploiting Incorrectly Configured Access Control Security Levels.

Anisha · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0527 | High | 7.3 | - | 2025-01-17 | A vulnerability classified as critical was found in code-projects Admission Management System 1.0.
CVE-2025-0530 | Low | 3.5 | - | 2025-01-17 | A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic.

Apache · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-45627 | Medium | 5.9 | - | 2025-01-14 | In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis serve…
CVE-2025-22828 | Medium | 4.3 | - | 2025-01-13 | CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge…

Arm · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11864 | High | 7.5 | - | 2025-01-14 | Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP.
CVE-2024-11863 | Medium | 5.3 | - | 2025-01-14 | Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP.

Artanik · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23713 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in artanik Hack me if you can hack-me-if-you-can allows Stored XSS. This issue affects Hack me if you can: from n/a through <= 1.2.
CVE-2025-23692 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in artanik Slider for Writers slider-for-writers allows Stored XSS. This issue affects Slider for Writers: from n/a through <= 1.3.

Barteled · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13367 | Medium | 6.5 | - | 2025-01-17 | The Sandbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the export_download action in all versions up to, and including, 0.4.
CVE-2024-13366 | Medium | 6.1 | - | 2025-01-17 | The Sandbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'debug' parameter in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping.

Bitdefender · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-8094 | High | 7.8 | - | 2025-01-15 | An untrusted search path vulnerability in testinitsigs.exe as used in Bitdefender Antivirus Free 2020 allows a low-privilege attacker to execute code as SYSTEM via a specially crafted DLL file.
CVE-2024-11128 | High | 7.8 | - | 2025-01-13 | A vulnerability in the BitdefenderVirusScanner binary as used in Bitdefender Virus Scanner for MacOS may allow dynamic library injection (DYLD injection) without being blocked by AppleMobileFileIntegrity (AMFI).

Bplugins · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13156 | Medium | 6.4 | - | 2025-01-14 | The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘heading’ parameter in all versions up to, and including, 2.5.35 due to insufficient input sanit…
CVE-2025-22787 | Medium | 4.3 | - | 2025-01-15 | Missing Authorization vulnerability in bPlugins Button Block button-block allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Button Block: from n/a through <= 1.1.5.

Chris Roberts · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23884 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie annie allows Cross Site Request Forgery. This issue affects Annie: from n/a through <= 2.1.1.
CVE-2025-23886 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Roberts Annie annie allows Stored XSS. This issue affects Annie: from n/a through <= 2.1.1.

Cybio · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23901 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in cybio GravatarLocalCache gravatarlocalcache allows Cross Site Request Forgery. This issue affects GravatarLocalCache: from n/a through <= 1.1.2.
CVE-2025-23617 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in cybio Floatbox Plus floatbox-plus allows Stored XSS. This issue affects Floatbox Plus: from n/a through <= 1.4.4.

D-link · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0492 | High | 7.5 | - | 2025-01-15 | A vulnerability has been found in D-Link DIR-823X 240126/240802 and classified as critical.
CVE-2025-0481 | Medium | 5.3 | - | 2025-01-15 | A vulnerability classified as problematic has been found in D-Link DIR-878 1.03.

Dell · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22394 | Medium | 6.7 | - | 2025-01-15 | Dell Display Manager, versions prior to 2.3.2.18, contain a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability.
CVE-2025-21101 | Medium | 6.6 | - | 2025-01-15 | Dell Display Manager, versions prior to 2.3.2.20, contain a race condition vulnerability.

Gravity Forms · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13377 | High | 7.2 | - | 2025-01-17 | The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alt’ parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping.
CVE-2024-13378 | Medium | 5.4 | - | 2025-01-17 | The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping.

Hewlett Packard Enterprise (Hpe) · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23052 | High | 7.2 | - | 2025-01-14 | Authenticated command injection vulnerability in the command line interface of a network management service.
CVE-2025-23051 | High | 7.2 | - | 2025-01-14 | An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems.

Ibm · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-41746 | High | 7.2 | - | 2025-01-16 | IBM CICS TX Advanced 10.1, 11.1, and Standard 11.1 is vulnerable to stored cross-site scripting.
CVE-2024-51462 | Medium | 4.0 | - | 2025-01-17 | IBM QRadar WinCollect Agent 10.0.0 through 10.1.12 could allow a remote attacker to inject XML data into parameter values due to improper input validation of assumed immutable data.

Ietf · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23019 | Medium | 5.4 | - | 2025-01-14 | IPv6-in-IPv4 tunneling (RFC 4213) allows an attacker to spoof and route traffic via an exposed network interface.
CVE-2025-23018 | Medium | 5.4 | - | 2025-01-14 | IPv4-in-IPv6 and IPv6-in-IPv6 tunneling (RFC 2473) do not require the validation or verification of the source of a network packet, allowing an attacker to spoof and route arbitrary traffic via an exposed network interface.

Intel · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-29980 | Low | 2.3 | - | 2025-01-14 | Improper Check for Unusual or Exceptional Conditions vulnerability in Phoenix SecureCore™ for Intel Kaby Lake, Phoenix SecureCore™ for Intel Coffee Lake, Phoenix SecureCore™ for Intel Comet Lake, Phoenix SecureCore™ for Intel Ice Lake allo…
CVE-2024-29979 | Low | 2.3 | - | 2025-01-14 | Improper Check for Unusual or Exceptional Conditions vulnerability in Phoenix SecureCore™ for Intel Kaby Lake, Phoenix SecureCore™ for Intel Coffee Lake, Phoenix SecureCore™ for Intel Comet Lake, Phoenix SecureCore™ for Intel Ice Lake allo…

Ivobrett · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23898 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ivobrett Apply with LinkedIn buttons apply-with-linkedin-buttons allows Stored XSS. This issue affects Apply with LinkedIn buttons: from n/a through <= 2.3.
CVE-2025-23897 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivobrett Apply with LinkedIn buttons apply-with-linkedin-buttons allows DOM-Based XSS. This issue affects Apply with LinkedIn buttons: fro…

Jd7777 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23513 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in jd7777 Bible Embed bible-embed allows Stored XSS. This issue affects Bible Embed: from n/a through <= 0.0.4.
CVE-2025-23859 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jd7777 Daily Proverb daily-proverb allows Stored XSS. This issue affects Daily Proverb: from n/a through <= 2.0.3.

Jeewms · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57757 | High | 7.5 | - | 2025-01-15 | JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInterceptor.cava.
CVE-2024-57760 | Medium | 6.5 | - | 2025-01-15 | JeeWMS before v2025.01.01 was discovered to contain a SQL injection vulnerability via the ReportId parameter at /core/CGReportDao.java.

Linksys · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22997 | Medium | 4.8 | - | 2025-01-15 | A stored cross-site scripting (XSS) vulnerability in the prf_table_content component of Linksys E5600 Router Ver.
CVE-2025-22996 | Medium | 4.8 | - | 2025-01-15 | A stored cross-site scripting (XSS) vulnerability in the spf_table_content component of Linksys E5600 Router Ver.

Moxa · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0193 | - | - | - | 2025-01-15 | A stored Cross-site Scripting (XSS) vulnerability exists in the MGate 5121/5122/5123 Series firmware version v1.0 because of insufficient sanitization and encoding of user input in the "Login Message" functionality.
CVE-2024-12297 | - | - | - | 2025-01-15 | Moxa’s Ethernet switch is vulnerable to an authentication bypass because of flaws in its authorization mechanism.

Naa986 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13401 | Medium | 6.4 | - | 2025-01-17 | The Payment Button for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_paypal_checkout' shortcode in all versions up to, and including, 1.2.3.35 due to insufficient input sanitization and outpu…
CVE-2024-13398 | Medium | 6.4 | - | 2025-01-17 | The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'checkout_for_paypal' shortcode in all versions up to, and including, 1.0.32 due to insufficient input sanitization and output escap…

Namelessmc · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22144 | Critical | 9.8 | - | 2025-01-13 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers.
CVE-2025-22142 | Medium | 5.4 | - | 2025-01-13 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers.

Newtec/idirect · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13503 | - | - | - | 2025-01-17 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Newtec NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM (Updating signaling process in the swdownload binary modules) allows Local Execution of Code, R…
CVE-2024-13502 | - | - | - | 2025-01-17 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Newtec/iDirect NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM allows Local Code Inclusion. This issue affects NTC2218, NTC2250, NT…

Nitropack · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11848 | High | 8.1 | - | 2025-01-15 | The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0.
CVE-2024-11851 | Medium | 4.3 | - | 2025-01-15 | The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0.

Notaryproject · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-56138 | Medium | 4.0 | - | 2025-01-13 | notation-go is a collection of libraries for supporting sign and verify OCI artifacts.
CVE-2024-51491 | Low | 3.3 | - | 2025-01-13 | notation-go is a collection of libraries for supporting sign and verify OCI artifacts.

Offis · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-52333 | High | 8.4 | - | 2025-01-13 | An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS DCMTK 3.6.8.
CVE-2024-47796 | High | 8.4 | - | 2025-01-13 | An improper array index validation vulnerability exists in the nowindow functionality of OFFIS DCMTK 3.6.8.

Omron Corporation · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12083 | Medium | 6.6 | - | 2025-01-14 | Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers.
CVE-2024-12298 | Medium | 5.5 | - | 2025-01-14 | We found an Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in NB-series NX-Designer.

Ryscript · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23662 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ryscript WP Panoramio wp-panoramio allows Stored XSS. This issue affects WP Panoramio: from n/a through <= 1.5.0.
CVE-2025-23661 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ryscript NV Slider nv-slider allows Stored XSS. This issue affects NV Slider: from n/a through <= 1.6.

Saad Iqbal · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22736 | High | 8.8 | - | 2025-01-15 | Incorrect Privilege Assignment vulnerability in Saad Iqbal User Management user-management allows Privilege Escalation. This issue affects User Management: from n/a through <= 1.2.
CVE-2025-22800 | Medium | 4.3 | - | 2025-01-13 | Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through <= 2.9.11.

Silabs.com · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-7322 | Medium | 5.8 | - | 2025-01-15 | A ZigBee coordinator, router, or end device may change its node ID when an unsolicited encrypted rejoin response is received; this change in node ID causes a Denial of Service (DoS).
CVE-2024-6352 | Medium | 4.3 | - | 2025-01-13 | A malformed packet can cause a buffer overflow in the APS layer of the Ember ZNet stack and lead to an assert.

Silverstripe · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-53277 | Medium | 5.4 | - | 2025-01-14 | Silverstripe Framework is a PHP framework which powers the Silverstripe CMS.
CVE-2024-47605 | Medium | 5.4 | - | 2025-01-14 | silverstripe-asset-admin is a silverstripe assets gallery for asset management.

_Rccoder_ · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23794 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in _rccoder_ wp_amaps wp-amaps allows Stored XSS. This issue affects wp_amaps: from n/a through <= 1.7.

Addonsorg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12593 | Medium | 6.4 | - | 2025-01-15 | The PDF for WPForms + Drag and Drop Template Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yeepdf_dotab shortcode in all versions up to, and including, 4.6.0 due to insufficient input sanitizati…

Advancedfilemanager · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13333 | High | 7.5 | - | 2025-01-17 | The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13.

Agile Logix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22329 | Medium | 6.5 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agile Logix Free Google Maps wp-map allows Stored XSS. This issue affects Free Google Maps: from n/a through <= 1.0.1.

Albdesign · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23497 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in albdesign Simple Project Manager simple-project-managment allows Stored XSS. This issue affects Simple Project Manager: from n/a through <= 1.2.2.

Aleapp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23821 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in aleapp WP Cookies Alert wp-cookies-alert allows Cross Site Request Forgery. This issue affects WP Cookies Alert: from n/a through <= 1.1.1.

Aleksandar Arsovski · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23928 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart google-org-chart allows Stored XSS. This issue affects Google Org Chart: from n/a through <= 1.0.1.

Alex Furr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23892 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr Progress Tracker progress-tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through <= 0.9.3.

Alexander Weleczka · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23824 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through 1.0.

Alicornea · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23822 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in alicornea Category Custom Fields categorycustomfields allows Cross Site Request Forgery. This issue affects Category Custom Fields: from n/a through <= 1.0.

Alimir · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22738 | Medium | 5.9 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alimir WP ULike wp-ulike allows Stored XSS. This issue affects WP ULike: from n/a through <= 4.7.6.

Alpha Bpo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23780 | High | 7.6 | - | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alpha BPO Easy Code Snippets easy-code-snippets allows SQL Injection. This issue affects Easy Code Snippets: from n/a through <= 1.0.2.

Alti5 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23432 | High | 7.1 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AlTi5 AlT Report alt-report allows Reflected XSS. This issue affects AlT Report: from n/a through <= 1.12.0.

Altima-interactive · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23429 | High | 7.1 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altima-interactive Altima Lookbook Free for WooCommerce altima-lookbook-free-for-woocommerce allows Reflected XSS. This issue affects Alti…

Ami · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-42444 | High | 7.5 | - | 2025-01-14 | APTIOV contains a vulnerability in BIOS where an attacker may cause a TOCTOU Race Condition by local means.

Andrey · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22780 | Medium | 6.5 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrey wp-pano wp-pano allows Stored XSS. This issue affects wp-pano: from n/a through <= 1.17.

Angeljudesuarez · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0540 | Medium | 6.3 | - | 2025-01-17 | A vulnerability has been found in itsourcecode Tailoring Management System 1.0 and classified as critical.

Anmari · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23880 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in anmari amr personalise amr-personalise allows Cross Site Request Forgery. This issue affects amr personalise: from n/a through <= 2.10.

Anshi Solutions · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23873 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshi Solutions Category D3 Tree category-d3-tree allows Stored XSS. This issue affects Category D3 Tree: from n/a through <= 1.1.

Anshulsojatia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22583 | High | 7.1 | - | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anshulsojatia Scan External Links scan-external-links allows Reflected XSS. This issue affects Scan External Links: from n/a through <= 1…

Arete-it · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22568 | High | 7.1 | - | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Post And Page Reactions post-and-page-reactions allows Reflected XSS. This issue affects Post And Page Reactions: from n/a throug…

Artkanmedia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23690 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ArtkanMedia Book a Place book-a-place allows Stored XSS. This issue affects Book a Place: from n/a through <= 0.7.1.

Aruvi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23943 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aruvi PDF.js Shortcode pdfjs-shortcode allows Stored XSS. This issue affects PDF.js Shortcode: from n/a through <= 1.0.

Atanas Krachev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22587 | Medium | 6.5 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atanas Krachev SEO Bulk Editor seo-bulk-editor allows Stored XSS. This issue affects SEO Bulk Editor: from n/a through <= 1.1.0.

August Infotech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23785 | Medium | 4.3 | - | 2025-01-16 | Missing Authorization vulnerability in August Infotech AI Responsive Gallery Album ai-responsive-gallery-album allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Responsive Gallery Album: from n/a…

Awcode · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23954 | Medium | 4.3 | - | 2025-01-16 | Missing Authorization vulnerability in awcode Salvador – AI Image Generator salvador-ai-image-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salvador – AI Image Generator: from n/a thro…

Awordpresslife · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11396 | Medium | 5.3 | - | 2025-01-14 | The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file.

Ays Pro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-56295 | Medium | 6.5 | - | 2025-01-15 | Missing Authorization vulnerability in Ays Pro Poll Maker poll-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through <= 5.5.6.

B&r Industrial Automation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8603 | High | 7.5 | - | 2025-01-15 | A “Use of a Broken or Risky Cryptographic Algorithm” vulnerability in the SSL/TLS component used in B&R Automation Runtime versions before 6.1 and B&R mapp View versions before 6.1 may be abused by unauthenticated network-based attackers t…

Bas Matthee · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23871 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder lsd-google-maps-embedder allows Cross Site Request Forgery. This issue affects LSD Google Maps Embedder: from n/a through <= 1.1.

Bavington · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22755 | High | 7.1 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bavington WP Headmaster wp-headmaster allows Reflected XSS. This issue affects WP Headmaster: from n/a through <= 0.3.

Belledonne Communications · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0430 | High | 7.5 | - | 2025-01-17 | Belledonne Communications Linphone-Desktop is vulnerable to a NULL Dereference vulnerability, which could allow a remote attacker to create a denial-of-service condition.

Berkman Klein Center · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22754 | High | 7.1 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berkman Klein Center Amber amberlink allows Reflected XSS. This issue affects Amber: from n/a through <= 1.4.4.

Binesh Dobhal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23426 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Binesh Dobhal go Social go-social allows Stored XSS. This issue affects go Social: from n/a through <= 1.0.

Bjoerne · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22745 | Medium | 6.5 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bjoerne Navigation Du Lapin Blanc navigation-du-lapin-blanc allows DOM-Based XSS. This issue affects Navigation Du Lapin Blanc: from n/a t…

Bnovotny · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23424 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in bnovotny Marquee Style RSS News Ticker marquee-style-rss-news-ticker allows Cross Site Request Forgery. This issue affects Marquee Style RSS News Ticker: from n/a through <= 3.2.0.

Bold · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22793 | High | 7.1 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bold Bold pagos en linea bold-pagos-en-linea allows DOM-Based XSS. This issue affects Bold pagos en linea: from n/a through <= 3.1.4.

Bookalet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23899 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookalet Bookalet bookalet allows Stored XSS. This issue affects Bookalet: from n/a through <= 1.0.3.

Brandondove · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12203 | Medium | 4.4 | - | 2025-01-17 | The RSS Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_color’ parameter in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping.

Braulio Aquino · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23691 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Braulio Aquino Send to Twitter send-to-twitter allows Stored XSS. This issue affects Send to Twitter: from n/a through <= 1.7.2.

Cyberpower · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11322 | High | 7.5 | - | 2025-01-15 | A denial-of-service vulnerability exists in CyberPower PowerPanel Business (PPB) 4.11.0.

Caido · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23039 | Medium | 5.2 | - | 2025-01-17 | Caido is a web security auditing toolkit.

Campcodes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57162 | High | 7.2 | - | 2025-01-16 | Campcodes Cybercafe Management System v1.0 is vulnerable to SQL Injection in /ccms/view-user-detail.php.

Capa · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23436 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in capa Wp-Scribd-List wp-scribd-list allows Stored XSS. This issue affects Wp-Scribd-List: from n/a through <= 1.2.

Carrotbits · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23783 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in carrotbits Greek Namedays Widget From Eortologio.Net greek-namedays-widget allows Stored XSS. This issue affects Greek Namedays Widget Fro…

Casid · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23026 | Medium | 6.1 | - | 2025-01-13 | jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin.

Cern · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-50633 | Unrated | - | - | 2025-01-16 | A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals.

Ces Taiwan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-7344 | High | 8.2 | - | 2025-01-14 | Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Chandrika Guntur, Morgan Kay · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23917 | Medium | 5.4 | - | 2025-01-16 | Missing Authorization vulnerability in Chandrika Guntur, Morgan Kay Chamber Dashboard Business Directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chamber Dashboard Business Directory: from…

Chr Designer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22798 | Medium | 6.5 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CHR Designer Responsive jQuery Slider responsive-jquery-slider allows Stored XSS. This issue affects Responsive jQuery Slider: from n/a th…

Chuck1982 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13434 | Medium | 6.1 | - | 2025-01-17 | The WP Inventory Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping.

Ciprian Turcu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23793 | High | 7.1 | - | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Turcu Auto FTP auto-ftp allows Stored XSS. This issue affects Auto FTP: from n/a through <= 1.0.1.

Closed · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23907 | Medium | 6.5 | - | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in closed SOCIAL.NINJA allows Stored XSS.

Codeaffairs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22779 | Medium | 4.3 | - | 2025-01-15 | Missing Authorization vulnerability in codeaffairs WP News Sliders wp-news-sliders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP News Sliders: from n/a through <= 1.0.

Codebard · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22760 | High | 7.1 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeBard CodeBard Help Desk codebard-help-desk allows Reflected XSS. This issue affects CodeBard Help Desk: from n/a through <= 1.1.2.

Codebycarter · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22776 | High | 7.1 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codebycarter WP Bulletin Board wp-bulletin-board allows Reflected XSS. This issue affects WP Bulletin Board: from n/a through <= 1.1.4.

Codepeople · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12274 | High | 7.5 | - | 2025-01-13 | The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access t…

Codexpert, Inc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22788 | Medium | 5.9 | - | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codexpert, Inc CoDesigner woolementor allows Stored XSS. This issue affects CoDesigner: from n/a through <= 4.29.

Codidact · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22138 | - | - | - | 2025-01-13 | @codidact/qpixel is a Q&A-based community knowledge-sharing software.

Common Ninja · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23909 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Common Ninja Compare Ninja compare-ninja-comparison-tables allows Stored XSS. This issue affects Compare Ninja: from n/a through <= 2.1.0.

Commotion · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22785 | Critical | 9.3 | | 2025-01-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System course-booking-system allows SQL Injection. This issue affects Course Booking System: from n/a through <=…

Cozmoslabs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12919 | Critical | 9.8 | | 2025-01-14 | The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7.

Crea8xion · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23860 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in crea8xion Charity-thermometer charitydonation-thermometer allows Stored XSS. This issue affects Charity-thermometer: from n/a through <= 1…

Creative Brahma · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22769 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative Brahma Multifox allows Stored XSS. This issue affects Multifox: from n/a through 1.3.7.

Cstoltenkamp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23703 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in cstoltenkamp Free MailClient FMC mailclient allows Stored XSS. This issue affects Free MailClient FMC: from n/a through <= 1.0.

Damniel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22778 | High | 7.1 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in damniel Lijit Search wp-lijit-wijit allows Reflected XSS. This issue affects Lijit Search: from n/a through <= 1.1.

Dan Cameron · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23895 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dan Cameron Add RSS add-rss allows Stored XSS. This issue affects Add RSS: from n/a through <= 1.5.

Data443 Risk Mitigation, Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22734 | Medium | 5.9 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc.

Dave Konopka · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23572 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dave Konopka UpDownUpDown updownupdown-postcomment-voting allows Stored XSS. This issue affects UpDownUpDown: from n/a through <= 1.1.

Davidanderson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0215 | Medium | 6.1 | | 2025-01-15 | The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiate_restore parameters in all versions up to, and including, 1.24.12 due to insufficient input san…

Ddsn · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22964 | High | 8.1 | | 2025-01-15 | DDSN Interactive cm3 Acora CMS version 10.1.1 has an unauthenticated time-based blind SQL Injection vulnerability caused by insufficient input sanitization and validation in the "table" parameter.

Desktop · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23040 | Medium | 6.6 | | 2025-01-15 | GitHub Desktop is an open-source Electron-based GitHub app designed for git development.

Devycreates · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23202 | | | | 2025-01-17 | Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games.

Digitaldonkey · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22795 | High | 7.1 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in digitaldonkey Multilang Contact Form multilang-contact-form allows Reflected XSS. This issue affects Multilang Contact Form: from n/a thro…

Digitalfisherman · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23558 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in digitalfisherman Geotagged Media geotagged-media allows Stored XSS. This issue affects Geotagged Media: from n/a through <= 0.3.0.

Discourse · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-54142 | Critical | 9.0 | | 2025-01-14 | Discourse AI is a Discourse plugin which provides a number of AI features.

Divengine · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23951 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DIVENGINE Gallery: Hybrid – Advanced Visual Gallery hybrid-gallery allows Stored XSS. This issue affects Gallery: Hybrid – Advanced Visual…

Dkukral · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23673 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in dkukral Email on Publish email-on-publish allows Stored XSS. This issue affects Email on Publish: from n/a through <= 1.5.

Dominic Fallows · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23708 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dominic Fallows DF Draggable df-draggable allows Stored XSS. This issue affects DF Draggable: from n/a through <= 1.13.2.

Dpowney · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23848 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in dpowney Hotspots Analytics hotspots allows Stored XSS. This issue affects Hotspots Analytics: from n/a through <= 4.0.12.

Dsmidge · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23677 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in DSmidge HTTP to HTTPS link changer by Eyga.net https-links-in-content allows Stored XSS. This issue affects HTTP to HTTPS link changer by Eyga.net: from n/a through <= 0.2.4.

Dstoever · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22586 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dstoever WPEX Replace DB Urls wpex-replace allows Reflected XSS. This issue affects WPEX Replace DB Urls: from n/a through <= 0.4.0.

Dutch Van Andel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23808 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Dutch van Andel Custom List Table Example custom-list-table-example allows Reflected XSS. This issue affects Custom List Table Example: from n/a through <= 1.4.1.

Editionguard · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23452 | High | 7.1 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EditionGuard EditionGuard for WooCommerce – eBook Sales with DRM editionguard-for-woocommerce-ebook-sales-with-drm allows Reflected XSS. T…

Ekaterir · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23776 | Medium | 4.3 | | 2025-01-16 | Missing Authorization vulnerability in ekaterir Cache Sniper for Nginx snipe-nginx-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cache Sniper for Nginx: from n/a through <= 1.0.4.2.

Element Invader · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22786 | High | 7.5 | | 2025-01-15 | Path Traversal: '.../...//' vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through <…

Ella Van Durpe · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23919 | Medium | 5.4 | | 2025-01-16 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Ella Van Durpe Slides & Presentations slide allows Code Injection. This issue affects Slides & Presentations: from n/a through <= 0.0.39.

Enituretechnology · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-56301 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Distance Based Shipping Calculator distance-based-shipping-calculator allows Reflected XSS. This issue affects Distance…

Etemplates · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23471 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in etemplates ECT Add to Cart Button ect-add-to-cart-button allows Stored XSS. This issue affects ECT Add to Cart Button: from n/a through <= 1.4.

Eugenio Petulla’ · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23772 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petulla’ imaGenius imagenius allows Stored XSS. This issue affects imaGenius: from n/a through <= 1.7.

Evehome · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-5743 | Critical | 9.8 | | 2025-01-13 | An attacker could exploit the 'Use of Password Hash With Insufficient Computational Effort' vulnerability in EveHome Eve Play to execute arbitrary code.

Exelban · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-21606 | | | | 2025-01-17 | stats is a macOS system monitor for the menu bar.

Ezmarketing · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23950 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ezmarketing EZPlayer ezplayer allows Stored XSS. This issue affects EZPlayer: from n/a through <= 1.0.10.

Fahadmahmood · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13387 | Medium | 6.4 | | 2025-01-16 | The WP Responsive Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprtabs' shortcode in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user su…

Faizaan Gagan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22346 | Medium | 6.4 | | 2025-01-15 | Server-Side Request Forgery (SSRF) vulnerability in Faizaan Gagan Course Migration for LearnDash allows Server Side Request Forgery. This issue affects Course Migration for LearnDash: from 1.0.2 through n/a.

Faktor Vier · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22499 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FAKTOR VIER F4 Post Tree f4-tree allows Reflected XSS. This issue affects F4 Post Tree: from n/a through <= 1.1.18.

Falldeaf · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22742 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falldeaf WP ViewSTL wp-viewstl allows DOM-Based XSS. This issue affects WP ViewSTL: from n/a through <= 1.0.

Farinspace · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22751 | High | 7.1 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Partners partners allows Reflected XSS. This issue affects Partners: from n/a through <= 0.2.0.

Fengler · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23935 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fengler Magic Google Maps magic-google-maps allows Stored XSS. This issue affects Magic Google Maps: from n/a through <= 1.0.4.

Ffmpeg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0518 | Medium | 5.3 | | 2025-01-16 | Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable.

Flymke · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23963 | Medium | 5.4 | | 2025-01-16 | Missing Authorization vulnerability in flymke Mark Posts mark-posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mark Posts: from n/a through <= 2.2.4.

Foo123 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23841 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foo123 Top Flash Embed top-flash-embed allows Stored XSS. This issue affects Top Flash Embed: from n/a through <= 0.3.4.

Frenchsquared · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23627 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in frenchsquared Comment-Emailer comment-emailer allows Stored XSS. This issue affects Comment-Emailer: from n/a through <= 1.0.5.

Fuji Electric · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-34579 | High | 7.8 | | 2025-01-17 | Fuji Electric Alpha5 SMART is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.

Fuzzguard · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23801 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in FuzzGuard Style Admin style-admin allows Stored XSS. This issue affects Style Admin: from n/a through <= 1.4.3.

Gallery Ape · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22317 | High | 7.1 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gallery Ape Photo Gallery – Image Gallery by Ape gallery-images-ape allows Reflected XSS. This issue affects Photo Gallery – Image Gallery…

Genivia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-4227 | High | 7.5 | | 2025-01-15 | In Genivia gSOAP with a specific configuration an unauthenticated remote attacker can generate a high CPU load when forcing to parse an XML having duplicate ID attributes which can lead to a DoS.

Genkisan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23900 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in genkisan Genki Announcement genki-announcement allows Cross Site Request Forgery. This issue affects Genki Announcement: from n/a through <= 1.4.1.

Getsentry · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22146 | Critical | 9.1 | | 2025-01-15 | Sentry is a developer-first error tracking and performance monitoring tool.

Ghuger · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23795 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ghuger Easy FAQs easy-faqs allows Stored XSS. This issue affects Easy FAQs: from n/a through <= 3.2.1.

Git · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-52005 | High | 8.8 | | 2025-01-15 | Git is a source code management tool.

Git-ecosystem · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-50338 | High | 7.4 | | 2025-01-14 | Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux.

Git-lfs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-53263 | | | | 2025-01-14 | Git LFS is a Git extension for versioning large files.

Givewp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22777 | Critical | 9.8 | | 2025-01-13 | Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give allows Object Injection. This issue affects GiveWP: from n/a through <= 3.19.3.

Glofoxwebdev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12508 | Medium | 6.4 | | 2025-01-17 | The Glofox Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glofox' and 'glofox_lead_capture ' shortcodes in all versions up to, and including, 2.6 due to insufficient input sanitization and ou…

Gpriday · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12240 | Medium | 6.4 | | 2025-01-14 | The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the row label parameter in all versions up to, and including, 2.31.0 due to insufficient input sanitization and output escaping.

Gradio-app · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23042 | High | 7.5 | | 2025-01-14 | Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function.

Grandslambert · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22569 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GrandSlambert Featured Page Widget featured-page-widget allows Reflected XSS. This issue affects Featured Page Widget: from n/a through <=…

Gsheetconnector · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22752 | High | 7.1 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WesternDeal GSheetConnector for Forminator Forms gsheetconnector-forminator allows Reflected XSS. This issue affects GSheetConnector for F…

Gwendydd · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11452 | Medium | 6.4 | | 2025-01-16 | The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'business_categories' shortcode in all versions up to, and including, 3.3.8 due to insufficient input sanitization…

Harnani · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22758 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harnani Elementor AI Addons ai-addons-for-elementor allows DOM-Based XSS. This issue affects Elementor AI Addons: from n/a through <= 2.2…

Harsh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23922 | Critical | 10.0 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server. This issue affects iSpring Embedder: from n/a through <= 1.0.

Harun R. Rayhan(thecrazycoder) · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23936 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R.

Haydenbleasel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23027 | | | | 2025-01-13 | next-forge is a Next.js project boilerplate for modern web application.

Hernanjh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23659 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in hernanjh MercadoLibre Integration mercadolibre-integration allows Stored XSS. This issue affects MercadoLibre Integration: from n/a through <= 1.1.

Horiyuki · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23940 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in horiyuki Image Switcher image-switcher allows Stored XSS. This issue affects Image Switcher: from n/a through <= 0.1.1.

Hoyce · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23483 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in hoyce Universal Analytics Injector universal-analytics-injector allows Stored XSS. This issue affects Universal Analytics Injector: from n/a through <= 1.0.3.

Huayi-tec · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-57761 | High | 8.1 | | 2025-01-15 | An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file.

I3 Verticals · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11146 | Medium | 6.3 | | 2025-01-17 | TrueFiling is a collaborative, web-based electronic filing system where attorneys, paralegals, court reporters and self-represented filers collect public legal documentation into cases.

Igor Sazonov · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23810 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Igor Sazonov Len Slider len-slider allows Reflected XSS. This issue affects Len Slider: from n/a through <= 2.0.11.

Imithemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10799 | Medium | 6.5 | | 2025-01-17 | The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via the eventer_woo_download_tickets() function.

Infomaniak Network · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22729 | Medium | 4.3 | | 2025-01-15 | Missing Authorization vulnerability in Infomaniak Network VOD Infomaniak vod-infomaniak allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VOD Infomaniak: from n/a through <= 1.5.9.

Infosoftplugin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22337 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in infosoftplugin Order Audit Log for WooCommerce order-audit-log-for-woocommerce allows Reflected XSS. This issue affects Order Audit Log fo…

Intelligence_lab · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22588 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in intelligence_lab Scanventory woocommerce-inventory-management allows Reflected XSS. This issue affects Scanventory: from n/a through <= 1…

Invoice Ninja · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0474 | High | 7.7 | | 2025-01-14 | Invoice Ninja is vulnerable to authenticated Server-Side Request Forgery (SSRF) allowing for arbitrary file read and network resource requests as the application user.

Isnowfy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23476 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in isnowfy my-related-posts my-related-posts allows Stored XSS. This issue affects my-related-posts: from n/a through <= 1.1.

Itamarg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23805 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in itamarg SEOReseller Partner sr-partner allows Cross Site Request Forgery. This issue affects SEOReseller Partner: from n/a through <= 1.3.15.

Itmooti · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23717 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in itmooti Theme My Ontraport Smartform theme-my-ontraport-smartform allows Stored XSS. This issue affects Theme My Ontraport Smartform: from n/a through <= 1.2.11.

Ivanra10 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23698 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in ivanra10 WP Custom Google Search wp-custom-google-search allows Stored XSS. This issue affects WP Custom Google Search: from n/a through <= 1.0.

Jamsheer K · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23844 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Jamsheer K Custom Widget Classes custom-widget-classes allows Cross Site Request Forgery. This issue affects Custom Widget Classes: from n/a through <= 1.1.

Jan Štětina · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23510 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Jan Štětina WordPress Logging Service wordpress-logging-service allows Stored XSS. This issue affects WordPress Logging Service: from n/a through <= 1.5.4.

Jeremy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23924 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeremy WP Photo Sphere wp-photo-sphere allows Stored XSS. This issue affects WP Photo Sphere: from n/a through <= 3.8.

Jim2212001 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23807 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jim2212001 Spiderpowa Embed PDF spiderpowa-embed-pdf allows Stored XSS. This issue affects Spiderpowa Embed PDF: from n/a through <= 1.0.

Jjtrabucco · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23962 | Medium | 4.3 | | 2025-01-16 | Missing Authorization vulnerability in jjtrabucco Goldstar goldstar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Goldstar: from n/a through <= 2.1.1.

Jobair · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23830 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jobair JB Horizontal Scroller News Ticker jb-horizontal-scroller-news-ticker allows DOM-Based XSS. This issue affects JB Horizontal Scroll…

Jp2112 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23925 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jp2112 Feedburner Optin Form feedburner-optin-form allows Stored XSS. This issue affects Feedburner Optin Form: from n/a through <= 0.2.8.

Jprintf · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23823 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in jprintf CNZZ&51LA for WordPress cnzz51la-for-wordpress allows Cross Site Request Forgery. This issue affects CNZZ&51LA for WordPress: from n/a through <= 1.0.1.

Jupyter · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23205 | | | | 2025-01-17 | nbgrader is a system for assigning and grading notebooks.

Justin.kuepper · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23644 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in justin.kuepper QuoteMedia Tools quotemedia-tools allows DOM-Based XSS. This issue affects QuoteMedia Tools: from n/a through <= 1.0.

Kapostintegrations · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23712 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in kapostintegrations Kapost kapost-byline allows Stored XSS. This issue affects Kapost: from n/a through <= 2.2.9.

Katex · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23207 | Medium | 6.3 | | 2025-01-17 | KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web.

Kathleen Malone · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23557 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Kathleen Malone Find Your Reps find-your-reps allows Stored XSS. This issue affects Find Your Reps: from n/a through <= 1.2.

Katsushi-kawamori · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12637 | Medium | 5.3 | | 2025-01-17 | The Moving Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.05 via the export functionality.

Kelvin Ng · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23569 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Kelvin Ng Shortcode in Comment shortcode-in-comment allows Stored XSS. This issue affects Shortcode in Comment: from n/a through <= 1.1.1.

Khan-it · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23939 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KHAN-IT Image Switcher image-switcher allows Stored XSS. This issue affects Image Switcher: from n/a through <= 1.1.

Kopatheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23965 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kopatheme Kopa Nictitate Toolkit kopa-nictitate-toolkit allows Stored XSS. This issue affects Kopa Nictitate Toolkit: from n/a through <=…

Kreg Steppe · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23649 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Kreg Steppe Auphonic Importer auphonic-importer allows Stored XSS. This issue affects Auphonic Importer: from n/a through <= 1.5.1.

Krolow · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23654 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in krolow Twitter Post twitterpost allows Stored XSS. This issue affects Twitter Post: from n/a through <= 0.1.

Le-pixel-solitaire · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23946 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Le-Pixel-Solitaire Enhanced YouTube Shortcode enhanced-youtube-shortcode allows Stored XSS. This issue affects Enhanced YouTube Shortcode…

Lexmark · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-50738 | Medium | 4.3 | | 2025-01-17 | A new feature to prevent Firmware downgrades was recently added to some Lexmark products.

Libretro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0459 | Medium | 5.3 | | 2025-01-14 | A vulnerability, which was classified as problematic, has been found in libretro RetroArch up to 1.19.1 on Windows.

Linickx · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23815 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in linickx root Cookie allows Cross Site Request Forgery.

Luke America · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23864 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Luke America WCS QR Code Generator wcs-qr-code-generator allows Stored XSS. This issue affects WCS QR Code Generator: from n/a through <=…

Luxion · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0412 | High | 7.8 | | 2025-01-13 | Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability.

M.j · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23947 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M.J WP-Player wp-player allows Stored XSS. This issue affects WP-Player: from n/a through <= 2.6.1.

Madeglobal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23875 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in madeglobal Better Protected Pages better-protected-pages allows Stored XSS. This issue affects Better Protected Pages: from n/a through <= 1.0.

Magepeopleteam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22737 | Medium | 5.3 | | 2025-01-15 | Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WpTravelly: from n/a through <= 1.8.5.

Mahadirz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23817 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in mahadirz MHR-Custom-Anti-Copy mhr-custom-anti-copy allows Stored XSS. This issue affects MHR-Custom-Anti-Copy: from n/a through <= 2.0.

Mahesh Bisen · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23623 | High | 7.1 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahesh Bisen Contact Form 7 – CCAvenue Add-on cf7-cc-avenue-add-on allows Reflected XSS. This issue affects Contact Form 7 – CCAvenue Add-…

Manny Costales · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23893 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manny Costales GMap Shortcode gmap-shortcode allows DOM-Based XSS. This issue affects GMap Shortcode: from n/a through <= 2.0.

Marco Castelluccio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23720 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Marco Castelluccio Web Push web-push allows Stored XSS. This issue affects Web Push: from n/a through <= 1.4.0.

Marcucci · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23435 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in marcucci Password Protect Plugin for WordPress password-protect-plugin-for-wordpress allows Stored XSS. This issue affects Password Protect Plugin for WordPress: from n/a through <= 0.8.1.0.

Marcus Downing · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22576 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus Downing Site PIN site-pin allows Reflected XSS. This issue affects Site PIN: from n/a through <= 1.3.

Martijnscheijbeler · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23743 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in MartijnScheijbeler Social Analytics social-analytics allows Stored XSS. This issue affects Social Analytics: from n/a through <= 0.2.

Masoud Amini · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22766 | High | 7.1 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Masoud Amini Zarinpal Paid Download zarinpal-paid-downloads allows Reflected XSS. This issue affects Zarinpal Paid Download: from n/a thro…

Massimo.serpilli · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23927 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in massimo.serpilli Incredible Font Awesome incredible-font-awesome allows Stored XSS. This issue affects Incredible Font Awesome: from n/a t…

Master Software Solutions · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23455 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Master Software Solutions WP VTiger Synchronization msstiger allows Stored XSS. This issue affects WP VTiger Synchronization: from n/a through <= 1.1.1.

Matrix-org · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-52594 | Medium | 4.3 | | 2025-01-16 | Gomatrixserverlib is a Go library for matrix federation.

Matt Gibbs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23832 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Matt Gibbs Admin Cleanup admin-cleanup allows Stored XSS. This issue affects Admin Cleanup: from n/a through <= 1.0.2.

Mayur Sojitra · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23710 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Mayur Sojitra Flying Twitter Birds flying-twitter-birds allows Stored XSS. This issue affects Flying Twitter Birds: from n/a through <= 1.8.

Mayurik · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-55000 | Medium | 5.4 | | 2025-01-14 | Sourcecodester House Rental Management system v1.0 is vulnerable to Cross Site Scripting (XSS) in rental/manage_categories.php.

Mdc_youtube_downloader_project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23639 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader mdc-youtube-downloader allows Stored XSS. This issue affects MDC YouTube Downloader: from n/a through <= 3.0.0.

Mdjekic · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22570 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdjekic Inline Tweets inline-tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through <= 2.0.

Meinturnierplan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23941 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in meinturnierplan MeinTurnierplan.de Widget Viewer meinturnierplande-widget-viewer allows Stored XSS. This issue affects MeinTurnierplan.de…

Metaphorcreations · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23816 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS.

Mikakaltoft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23791 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mikakaltoft Horizontal Line Shortcode horizontal-line-shortcode allows Stored XSS. This issue affects Horizontal Line Shortcode: from n/a…

Mike Selander · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23797 | Critical | 9.8 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Mike Selander WP Options Editor wp-options-editor allows Privilege Escalation. This issue affects WP Options Editor: from n/a through <= 1.1.

Mliebelt · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23868 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mliebelt Chess Tempo Viewer chesstempoviewer allows Stored XSS. This issue affects Chess Tempo Viewer: from n/a through <= 0.9.5.

Mobstac · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23831 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mobstac QR Code Generator qrcode-wprhe allows DOM-Based XSS. This issue affects QR Code Generator: from n/a through <= 1.2.6.

Mohsin Rasool · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22743 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin Rasool Twitter Bootstrap Collapse aka Accordian Shortcode twitter-bootstrap-collapse-aka-accordian-shortcode allows DOM-Based XSS…

Mojofywp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22724 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP Product Carousel For WooCommerce – WoorouSell allows Stored XSS. This issue affects Product Carousel For WooCommerce – WoorouSell…

Mondula · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12427 | Medium | 5.3 | | 2025-01-16 | The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23.

Mongoosejs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23061 | Critical | 9.0 | | 2025-01-15 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection.

Monicahq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-54999 | Medium | 6.5 | | 2025-01-13 | MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter in the General Information module.

Mosterd3d · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23528 | High | 8.8 | | 2025-01-16 | Incorrect Privilege Assignment vulnerability in Mosterd3d DD Roles dd-roles allows Privilege Escalation. This issue affects DD Roles: from n/a through <= 4.1.

Mschertel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23442 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in mschertel Shockingly Big IE6 Warning shockingly-big-ie6-warning allows Stored XSS. This issue affects Shockingly Big IE6 Warning: from n/a through <= 1.6.3.

Mukesh Dak · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23463 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Mukesh Dak MD Custom content after or before of post md-custom-content allows Stored XSS. This issue affects MD Custom content after or before of post: from n/a through <= 1.0.

Myriad Solutionz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23453 | High | 7.1 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Reflected XSS. This issue affects Stars SMTP Mailer: from n/a through <= 1.7.

N3wnormal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22498 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in N3wNormal LucidLMS lucidlms allows Reflected XSS. This issue affects LucidLMS: from n/a through <= 1.0.5.

Nasir179125 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23444 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nasir179125 Scroll Top Advanced scroll-top-advanced allows Stored XSS. This issue affects Scroll Top Advanced: from n/a through <= 2.5.

Nativery · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22781 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nativery Nativery nativery allows DOM-Based XSS. This issue affects Nativery: from n/a through <= 0.1.6.

Nazmul Ahsan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23640 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan Rename Author Slug rename-author-slug allows Stored XSS. This issue affects Rename Author Slug: from n/a through <= 1.2.0.

Nedap Librix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12757 | High | 8.6 | | 2025-01-17 | Nedap Librix Ecoreader is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code.

Neovim · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22134 | Medium | 4.2 | | 2025-01-13 | When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a b…

Neran · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13351 | High | 7.2 | | 2025-01-15 | The Social proof testimonials and reviews by Repuso plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rw_image_badge1' shortcode in all versions up to, and including, 5.20 due to insufficient input sanitiz…

Nilesh Shiragave · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23842 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Nilesh Shiragave WordPress Gallery Plugin wordpress-gallery-plugin allows Cross Site Request Forgery. This issue affects WordPress Gallery Plugin: from n/a through <= 1.4.

Nitethemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23877 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nitethemes Nite Shortcodes nite-shortcodes allows Stored XSS. This issue affects Nite Shortcodes: from n/a through <= 1.0.

Nmedia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13355 | Medium | 5.4 | | 2025-01-16 | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including…

No-nonsense · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23876 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in No-Nonsense WP krpano wp-krpano allows Stored XSS. This issue affects WP krpano: from n/a through <= 1.2.1.

Nova706 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23800 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in nova706 OrangeBox orangebox allows Cross Site Request Forgery. This issue affects OrangeBox: from n/a through <= 3.0.0.

Nuanced Media · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23916 | Medium | 5.4 | | 2025-01-16 | Missing Authorization vulnerability in Nuanced Media WP Meetup wp-meetup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meetup: from n/a through <= 2.3.0.

Octopus Deploy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12226 | Medium | 6.5 | | 2025-01-16 | In affected versions of the Octopus Kubernetes worker or agent, sensitive variables could be written to the Kubernetes script pod log in clear-text.

Octrace · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22762 | Medium | 5.9 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Octrace WordPress HelpDesk & Support Ticket System Plugin – Octrace Support octrace-support allows Stored XSS. This issue affects WordPres…

Oddthinking · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23456 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Oddthinking EmailShroud emailshroud allows Reflected XSS. This issue affects EmailShroud: from n/a through <= 2.2.1.

Odyno · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23856 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Odyno Simple Vertical Timeline simple-vertical-timeline allows DOM-Based XSS. This issue affects Simple Vertical Timeline: from n/a throug…

Olaf Lederer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22761 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Olaf Lederer Ajax Contact Form fws-ajax-contact-form allows Stored XSS. This issue affects Ajax Contact Form: from n/a through <= 1.4.1.

Openfga · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-56323 | Critical | 9.8 | | 2025-01-13 | OpenFGA is an authorization/permission engine.

Openobserve · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-55954 | High | 8.7 | | 2025-01-16 | OpenObserve is a cloud-native observability platform.

Opentext™ · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-7085 | | | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Solutions Business Manager (SBM) allows Stored XSS. The vulnerability could result in the exposure of private informat…

Openvpn · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-5198 | Low | 3.3 | | 2025-01-15 | OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt.

Oren Yomtov · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23430 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Oren Yomtov Mass Custom Fields Manager mass-custom-fields-manager allows Reflected XSS. This issue affects Mass Custom Fields Manager: from n/a through <= 1.5.

Oretnom23 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0464 | Low | 2.4 | | 2025-01-14 | A vulnerability was found in SourceCodester Task Reminder System 1.0.

Origothemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23508 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in OrigoThemes Extra Options – Favicons extra-options-favicons allows Stored XSS. This issue affects Extra Options – Favicons: from n/a through <= 1.1.0.

Osuthorpe · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23825 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Shortcode Buttons easy-shortcode-buttons allows Stored XSS. This issue affects Easy Shortcode Buttons: from n/a through <=…

Oğulcan Özügenç · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22797 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oğulcan Özügenç Gallery and Lightbox gallery-and-lightbox allows Stored XSS. This issue affects Gallery and Lightbox: from n/a through <=…

Pankajpragma · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23913 | High | 8.5 | | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pankajpragma WordPress Google Map Professional google-map-professional allows SQL Injection. This issue affects WordPress Google Map Profe…

Pascal Casier · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23499 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Pascal Casier Board Election board-election allows Stored XSS. This issue affects Board Election: from n/a through <= 1.0.1.

Patel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22750 | High | 7.1 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Patel Post Carousel & Slider post-types-carousel-slider allows Reflected XSS. This issue affects Post Carousel & Slider: from n/a through…

Payform · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23872 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in payform PayForm payform allows Stored XSS. This issue affects PayForm: from n/a through <= 2.0.

Paypalmuse · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23930 | Medium | 4.3 | | 2025-01-16 | Missing Authorization vulnerability in paypalmuse PayPal Marketing Solutions paypal-promotions-and-insights allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PayPal Marketing Solutions: from n/a thr…

Pedjas · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23826 | High | 7.1 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pedjas Stop Comment Spam stop-comment-spam allows Stored XSS. This issue affects Stop Comment Spam: from n/a through <= 0.5.3.

Pega · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12211 | Medium | 5.4 | | 2025-01-13 | Pega Platform versions 8.1 to Infinity 24.2.0 are affected by a Stored XSS issue with profile.

Pflonk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23642 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pflonk Sidebar-Content from Shortcode sidebar-content-from-shortcode allows DOM-Based XSS. This issue affects Sidebar-Content from Shortco…

Philipp Speck · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23912 | High | 8.5 | | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Philipp Speck WordPress Custom Sidebar wordpress-custom-sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: f…

Phoenix Contact · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11497 | High | 8.8 | | 2025-01-14 | An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access.

Pickplugins · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9636 | Critical | 9.8 | | 2025-01-15 | The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3.

Piotnetdotcom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10775 | Medium | 4.3 | | 2025-01-15 | The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.4.32 via the 'pafe-template' shortcode due to insufficient restrictions on which posts can be included.

Plumwd · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23560 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in plumwd Web Testimonials web-testimonials allows Stored XSS. This issue affects Web Testimonials: from n/a through <= 1.2.

Poco · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23689 | High | 7.1 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Poco Blogger Image Import allows Stored XSS. This issue affects Blogger Image Import: from 2.1 through n/a.

Powiet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23641 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PowieT Powie's pLinks PagePeeker plinks allows DOM-Based XSS. This issue affects Powie's pLinks PagePeeker: from n/a through <= 1.0.2.

Pravin Durugkar · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23778 | Medium | 5.4 | | 2025-01-16 | Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign registered-user-sync-activecampaign allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Sync ActiveCampaign: from n…

Pressfore · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23865 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pressfore Winning Portfolio winning-portfolio allows Stored XSS. This issue affects Winning Portfolio: from n/a through <= 1.1.

Progpars.net · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23749 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in progpars.net mybb Last Topics mybb-last-topics allows Stored XSS. This issue affects mybb Last Topics: from n/a through <= 1.0.

Project-zot · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23208 | High | 7.3 | | 2025-01-17 | zot is a production-ready vendor-neutral OCI image registry.

Pyko · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23818 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in pyko More Link Modifier more-link-modifier allows Stored XSS. This issue affects More Link Modifier: from n/a through <= 1.0.3.

Rami Yushuvaev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23908 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rami Yushuvaev Pastebin pastebin-embed allows Stored XSS. This issue affects Pastebin: from n/a through <= 1.5.

Raminmt · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23833 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RaminMT Links/Problem Reporter report-broken-links allows DOM-Based XSS. This issue affects Links/Problem Reporter: from n/a through <= 2…

Rasahq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-49375 | Critical | 9.0 | | 2025-01-14 | Open source machine learning framework.

Ravi Kumar Vanukuru · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23665 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Ravi Kumar Vanukuru RSV GMaps rsv-google-maps allows Stored XSS. This issue affects RSV GMaps: from n/a through <= 1.5.

Raymonddesign · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23715 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in RaymondDesign Post & Page Notes post-page-notes allows Stored XSS. This issue affects Post & Page Notes: from n/a through <= 0.1.1.

Real Seguro Viagem · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23664 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Real Seguro Viagem Real Seguro Viagem seguro-viagem allows Stored XSS. This issue affects Real Seguro Viagem: from n/a through <= 2.0.5.

Realwebcare · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12403 | Medium | 6.1 | | 2025-01-15 | The Image Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'awsmgallery' parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output…

Regios · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23532 | High | 8.8 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Regios MyAnime Widget myanime-widget allows Privilege Escalation. This issue affects MyAnime Widget: from n/a through <= 1.0.

Revoxis · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23767 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revoxis Marmoset Viewer marmoset-viewer allows Stored XSS. This issue affects Marmoset Viewer: from n/a through <= 1.9.3.

Robdavenport · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12818 | Medium | 6.4 | | 2025-01-15 | The WP Smart TV plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tv-video-player' shortcode in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user s…

Roche Diagnostics · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13026 | | | | 2025-01-17 | A vulnerability exists in Algo Edge up to 2.1.1 - a previously used (legacy) component of navify® Algorithm Suite.

Roninwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23915 | High | 7.5 | | 2025-01-16 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a thro…

Royal-elementor-addons · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0393 | Medium | 6.1 | | 2025-01-14 | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006.

Sabaoh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23863 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sabaoh Rollover Tab rollover-tab allows Stored XSS. This issue affects Rollover Tab: from n/a through <= 1.3.2.

Saleswonder Team: Tobias · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-56065 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS. This issue affects WP2LEADS: from n/a through <= 3.4.2.

Sam Brodie · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23934 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sam Brodie Giveaways and Contests by PromoSimple giveaways-contests-by-promosimple allows Stored XSS. This issue affects Giveaways and Con…

Sammyb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23573 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in sammyb WP Background Tile wp-background-tile allows Stored XSS. This issue affects WP Background Tile: from n/a through <= 1.0.

Sana Ullah · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23675 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Sana Ullah Import Users to MailChimp import-users-to-mailchimp allows Stored XSS. This issue affects Import Users to MailChimp: from n/a through <= 1.0.

Sanjay Prasad · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23514 | Medium | 5.3 | | 2025-01-16 | Missing Authorization vulnerability in Sanjay Prasad Loginplus loginplus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Loginplus: from n/a through <= 1.2.

Schalk Burger · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23702 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Schalk Burger Anonymize Links anonymize-links allows Stored XSS. This issue affects Anonymize Links: from n/a through <= 1.1.

Scott Reilly · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23878 | Medium | 5.9 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Reilly Post-to-Post Links easy-post-to-post-links allows Stored XSS. This issue affects Post-to-Post Links: from n/a through <= 4.2.

Scottpaterson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12423 | Medium | 6.1 | | 2025-01-15 | The Contact Form 7 Redirect & Thank You Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escapi…

Scottswezey · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23445 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in scottswezey Easy Tynt easy-tynt allows Cross Site Request Forgery. This issue affects Easy Tynt: from n/a through <= 0.2.5.1.

Scottwallick · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23887 | Medium | 6.5 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scottwallick Blog Summary blog-summary allows Stored XSS. This issue affects Blog Summary: from n/a through <= 0.1.2 β.

Scribit · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12466 | Medium | 6.1 | | 2025-01-17 | The Proofreading plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping.

Scriptsbundle · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0170 | Medium | 6.1 | | 2025-01-16 | The DWT - Directory & Listing WordPress Theme is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping on the 'sort_by' and 'token' parameters.

Seodev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22744 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Seodev S-DEV SEO s-dev-seo allows Stored XSS. This issue affects S-DEV SEO: from n/a through <= 1.88.

Setmore · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22748 | Medium | 6.5 | | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Setmore SetMore Theme – Custom Post Types service-provider-profile-cpt allows Stored XSS. This issue affects SetMore Theme – Custom Post T…

Shabboscommerce · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23694 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in shabboscommerce Shabbos and Yom Tov shabbos-and-yom-tov allows Stored XSS. This issue affects Shabbos and Yom Tov: from n/a through <= 1.9.

Shawfactor · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23547 | High | 7.1 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shawfactor LH Login Page lh-login-page allows Reflected XSS. This issue affects LH Login Page: from n/a through <= 2.14.

Shibulijack · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23869 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in shibulijack CJ Custom Content cj-custom-content allows Stored XSS. This issue affects CJ Custom Content: from n/a through <= 2.0.

Shiv Prakash Tiwari · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23804 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Shiv Prakash Tiwari WP Service Payment Form With Authorize.net wp-service-payment-form-with-authorizenet allows Reflected XSS. This issue affects WP Service Payment Form With Authorize.net…

Silverplugins217 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22731 | Medium | 4.3 | | 2025-01-15 | Cross-Site Request Forgery (CSRF) vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Cross Site Request Forgery. This issue affects Build Private Store For Woocommerce: from n/a…

Sindhi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23828 | High | 7.1 | | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sindhi WordPress Data Guard wordpress-data-guards allows Stored XSS. This issue affects WordPress Data Guard: from n/a through <= 8.

Sismics · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22963 | High | 7.5 | | 2025-01-13 | Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin.

Smackcoders Inc., · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23423 | Medium | 4.3 | | 2025-01-16 | Missing Authorization vulnerability in Smackcoders Inc., SendGrid for WordPress wp-sendgrid-mailer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SendGrid for WordPress: from n/a through <= 1.4.

Smart Agenda · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22506 | High | 7.1 | | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Smart Agenda Smart Agenda smart-agenda-prise-de-rendez-vous-en-ligne allows Stored XSS. This issue affects Smart Agenda: from n/a through…

Solidres · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23911 | High | 8.5 | | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in solidres Solidres – Hotel booking plugin solidres allows SQL Injection. This issue affects Solidres – Hotel booking plugin: from n/a throu…

Sourov Amin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23577 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener word-freshener allows Stored XSS. This issue affects Word Freshener: from n/a through <= 1.3.

Sprucejoy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23501 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in SpruceJoy Cookie Consent & Autoblock for GDPR/CCPA cookie-consent-autoblock allows Stored XSS. This issue affects Cookie Consent & Autoblock for GDPR/CCPA: from n/a through <= 1.0.1.

Stargazer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23511 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Stargazer WP-BlackCheck wp-blackcheck allows Stored XSS. This issue affects WP-BlackCheck: from n/a through <= 2.7.2.

Starise · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23618 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in starise Twitter Shortcode twitter-shortcode allows Stored XSS. This issue affects Twitter Shortcode: from n/a through <= 0.9.

Stepan Stepasyuk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23559 | High | 7.1 | | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Stepan Stepasyuk MemeOne allows Stored XSS. This issue affects MemeOne: from n/a through 2.0.5.

Stevesoehl · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23802 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SteveSoehl WP-Revive Adserver wp-revive-adserver allows Stored XSS. This issue affects WP-Revive Adserver: from n/a through <= 2.2.1.

Straps · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23827 | High | 7.1 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in straps Strx Magic Floating Sidebar Maker strx-magic-floating-sidebar-maker allows Stored XSS. This issue affects Strx Magic Floating Sideb…

Stylemix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10970 | Medium | 5.4 |  | 2025-01-16 | The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43.

Surdotly · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23957 | Medium | 4.3 |  | 2025-01-16 | Missing Authorization vulnerability in surdotly Sur.ly surly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sur.ly: from n/a through <= 3.0.3.

Swarminteractive · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13394 | Medium | 6.4 |  | 2025-01-15 | The ViewMedica 9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewmedica' shortcode in all versions up to, and including, 1.4.18 due to insufficient input sanitization and output escaping on user supp…

Swedish Boy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22784 | High | 8.6 |  | 2025-01-15 | Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Background Control background-control allows Path Traversal. This issue affects Background Control: from n/a through <= 1.0.5.

Swift Project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0343 | High | 7.5 |  | 2025-01-15 | Swift ASN.1 can be caused to crash when parsing certain BER/DER constructions.

Syedamirhussain91 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23566 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in syedamirhussain91 Custom Post custom-post-type-gui allows Stored XSS. This issue affects Custom Post: from n/a through <= 1.0.

Szmake · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23862 | Medium | 5.3 |  | 2025-01-16 | Missing Authorization vulnerability in SzMake Contact Form 7 Anti Spambot contact-form-7-anti-spambot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form 7 Anti Spambot: from n/a through…

Tamer Ziady · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23567 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Tamer Ziady GDReseller gdreseller allows Stored XSS. This issue affects GDReseller: from n/a through <= 1.6.

Taras Dashkevych · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23902 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Taras Dashkevych Error Notification error-notification allows Cross Site Request Forgery. This issue affects Error Notification: from n/a through <= 0.2.7.

Tc.k · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23926 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TC.K Ajax WP Query Search Filter ajax-wp-query-search-filter allows Stored XSS. This issue affects Ajax WP Query Search Filter: from n/a t…

Techmix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23699 | High | 7.1 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in techmix Event Countdown Timer Plugin by TechMix event-countdown-timer allows Reflected XSS. This issue affects Event Countdown Timer Plugi…

Tenda · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0528 | High | 7.2 |  | 2025-01-17 | A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20.

Thapa.laxman · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23820 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in thapa.laxman Content Security Policy Pro content-security-policy-pro allows Cross Site Request Forgery. This issue affects Content Security Policy Pro: from n/a through <= 1.3.5.

The Dimensional Gate Co. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-55577 | High | 7.0 |  | 2025-01-15 | Stack-based buffer overflow vulnerability exists in Linux Ratfor 1.06 and earlier.

Themescraft.co · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22749 | Medium | 6.5 |  | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemesCraft.co Social Media Engine social-media-engine allows Stored XSS. This issue affects Social Media Engine: from n/a through <= 1.0…

Theverylastperson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13334 | Medium | 6.1 |  | 2025-01-15 | The Car Demon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_condition' parameter in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping.

Thimpress · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12370 | Medium | 5.3 |  | 2025-01-17 | The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5.

Thom4 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23896 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thom4 Mindmeister Shortcode mindmeister-shortcode allows DOM-Based XSS. This issue affects Mindmeister Shortcode: from n/a through <= 1.0.

Timmcdaniels · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22344 | High | 7.1 |  | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in timmcdaniels Media Category Library media-category-library allows Reflected XSS. This issue affects Media Category Library: from n/a throu…

Tobig · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13386 | Medium | 6.4 |  | 2025-01-17 | The quote-posttype-plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Author field in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping.

Tom Ewer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23890 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tom Ewer Easy Tweet Embed easy-tweet-embed allows DOM-Based XSS. This issue affects Easy Tweet Embed: from n/a through <= 1.7.

Tormorten · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22747 | Medium | 6.5 |  | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tormorten Foundation Columns foundation-columns allows Stored XSS. This issue affects Foundation Columns: from n/a through <= 0.8.

Trainingbusinesspros · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0394 | High | 8.8 |  | 2025-01-14 | The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gh_big_file_upload() function in all versions…

Trof · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23620 | High | 7.1 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trof Captchelfie – Captcha by Selfie captchelfie-captcha-by-selfie allows Reflected XSS. This issue affects Captchelfie – Captcha by Selfi…

Trustist · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22567 | High | 7.1 |  | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trustist TRUSTist REVIEWer trustist-reviewer allows Reflected XSS. This issue affects TRUSTist REVIEWer: from n/a through <= 2.0.

Turbosmtp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22753 | High | 7.1 |  | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in turboSMTP turboSMTP turbosmtp allows Reflected XSS. This issue affects turboSMTP: from n/a through <= 4.6.

Tushar Patel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23796 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tushar Patel Easy Portfolio easy-portfolio allows Stored XSS. This issue affects Easy Portfolio: from n/a through <= 1.3.

Tussendoor B.v. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23745 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Tussendoor B.V.

Ujjavaljani · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23764 | Medium | 5.3 |  | 2025-01-16 | Missing Authorization vulnerability in ujjavaljani Copy Move Posts copy-move-posts. This issue affects Copy Move Posts: from n/a through <= 1.6.

Umbraco · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23041 | Medium | 5.8 |  | 2025-01-14 | Umbraco.Forms is a web form framework written for the nuget ecosystem.

Uosiu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23693 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in uosiu Secure CAPTCHA secure-captcha allows Stored XSS. This issue affects Secure CAPTCHA: from n/a through <= 1.2.

Vcita · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11870 | Medium | 6.4 |  | 2025-01-15 | The Event Registration Calendar By vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping o…

Veeam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23082 | High | 7.2 |  | 2025-01-14 | Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF).

Vertim · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22799 | High | 8.5 |  | 2025-01-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer neon-product-designer-for-woocommerce allows SQL Injection. This issue affects Neon Product Designer: from n/…

Viher3 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23434 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in viher3 Easy EU Cookie law easy-eu-cookie-law allows Stored XSS. This issue affects Easy EU Cookie law: from n/a through <= 1.3.3.1.

Vimal.ghorecha · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23467 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in vimal.ghorecha RSS News Scroller rss-news-scroller allows Stored XSS. This issue affects RSS News Scroller: from n/a through <= 2.0.0.

Vincent Loy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23891 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vincent Loy Yet Another Countdown yacp allows DOM-Based XSS. This issue affects Yet Another Countdown: from n/a through <= 1.0.1.

Vincent Mimoun-prat · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23438 | High | 7.1 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vincent Mimoun-Prat WP PT-Viewer wp-ptviewer allows Reflected XSS. This issue affects WP PT-Viewer: from n/a through <= 2.0.2.

Vipul Jariwala · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22764 | High | 7.1 |  | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vipul Jariwala WP Post Corrector wp-post-corrector allows Reflected XSS. This issue affects WP Post Corrector: from n/a through <= 1.0.2.

Virtual Computer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0458 | Medium | 4.3 |  | 2025-01-14 | A vulnerability classified as problematic was found in Virtual Computer Vysual RH Solution 2024.12.1.

Vyperlang · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-21607 | High | 7.5 |  | 2025-01-14 | Vyper is a Pythonic Smart Contract Language for the EVM.

W3speedster · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23765 | Medium | 4.3 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in w3speedster W3SPEEDSTER w3speedster-wp allows Cross Site Request Forgery. This issue affects W3SPEEDSTER: from n/a through <= 7.33.

Wago · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2018-25108 | High | 7.5 |  | 2025-01-16 | An unauthenticated remote attacker can cause a DoS in the controller due to uncontrolled resource consumption.

Waltercerrudo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23660 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in waltercerrudo MFPlugin mfplugin allows Stored XSS. This issue affects MFPlugin: from n/a through <= 1.3.

Web Ready Now · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22782 | Critical | 9.9 |  | 2025-01-15 | Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce wr-price-list-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affects WR Price List Manager For Wooco…
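The two upload rows in this listing (the Groundhogg entry, which the page attributes to missing file type validation in gh_big_file_upload(), and the WR Price List Manager entry, "Upload a Web Shell to a Web Server") are the same weakness: a handler that accepts whatever the client names the file and writes it somewhere the web server will execute it. The block below is an added illustration of the vulnerable shape beside a hardened one using WordPress core APIs; it is not code from Groundhogg, WR Price List Manager or any other plugin on this page, and the page gives no detail of how either plugin's handler works. It assumes it runs inside WordPress; the acme_ names, the 'file' form field and the 'acme_last_import' option are hypothetical.

```php
<?php
// Added illustration, not code from any plugin in this listing.
// Assumes WordPress is loaded; acme_* names, the form field 'file' and
// the 'acme_last_import' option are hypothetical.

// VULNERABLE SHAPE. Trusts the client-supplied name and type and writes the
// file under the web root, where the web server will execute a .php upload.
function acme_import_vulnerable() {
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );   // shell.php lands here
}

// HARDENED SHAPE.
function acme_import() {
    // Who may upload, and did they send the form we issued (see the CSRF /
    // capability discussion elsewhere on this page).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'acme_import', 'acme_nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_die( 'No file uploaded', 400 );
    }
    $file = $_FILES['file'];

    // 1. Allowlist: only the extension/MIME pairs this feature needs. Anything
    //    else (.php, .phtml, .phar, .htaccess, price.csv.php, ...) is refused.
    $allowed = array(
        'csv'  => 'text/csv',
        'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    );

    // 2. Validate extension and content together. wp_check_filetype_and_ext()
    //    derives the type from the name, then inspects the bytes with finfo and
    //    blanks ext/type when the two disagree.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! isset( $allowed[ $check['ext'] ] ) ) {
        wp_die( 'File type not permitted', 415 );
    }

    // 3. Discard the client filename; keep only the vetted extension.
    $file['name'] = wp_generate_password( 20, false ) . '.' . $check['ext'];

    // 4. Hand the move to core with the same allowlist. wp_handle_upload()
    //    repeats the type check against 'mimes' and refuses anything outside
    //    it unless the user holds 'unfiltered_upload' (off by default).
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_die( esc_html( $moved['error'] ), 400 );
    }

    // 5. Record the path core returned, never a path built from the request.
    update_option( 'acme_last_import', $moved['file'] );
    wp_safe_redirect( admin_url( 'admin.php?page=acme&imported=1' ) );
    exit;
}
add_action( 'admin_post_acme_import', 'acme_import' );
```

The explicit check in step 2 is what matters for code paths that bypass wp_handle_upload(), such as a plugin that reassembles large files from chunks itself: every chunk write and the final reassembled file need the same allowlist check, and the destination name must not come from the request. Independently of the plugin, disabling PHP execution under wp-content/uploads at the web server removes the "web shell" outcome even when a validation bug ships.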

Web-mv · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23779 | High | 7.6 |  | 2025-01-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in web-mv ResAds resads allows SQL Injection. This issue affects ResAds: from n/a through <= 2.0.5.
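Three rows in this listing are SQL injection in WordPress plugins (Solidres, Neon Product Designer and ResAds). The page does not say which query was affected in any of them, so the block below is a generic added illustration of the vulnerable shape (request data concatenated into SQL) beside the $wpdb->prepare() form, including the two cases that trip people up even when they know about placeholders: an IN (...) list and a LIKE pattern. It is not code from any of those plugins; it assumes WordPress is loaded, and the acme_ads table, its columns and the acme_ names are hypothetical.

```php
<?php
// Added illustration, not code from any plugin in this listing.
// Assumes WordPress is loaded; the acme_ads table and acme_* names are hypothetical.

// VULNERABLE SHAPE. $zone = "x' OR 1=1 -- " returns every row; a crafted id
// list does the same, and UNION SELECT reaches other tables.
function acme_find_ads_vulnerable( $zone, $ids ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}acme_ads WHERE zone = '" . $zone
         . "' AND id IN (" . implode( ',', $ids ) . ")";
    return $wpdb->get_results( $sql );
}

// HARDENED SHAPE: every request-derived value is bound through a placeholder.
function acme_find_ads( $zone, array $ids, $title_prefix = '' ) {
    global $wpdb;

    // 1. Integer list: cast each element, then emit one %d placeholder per element.
    //    The placeholder string itself contains no user data.
    $ids = array_map( 'intval', $ids );
    if ( empty( $ids ) ) {
        return array();
    }
    $in = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

    // 2. LIKE: escape the pattern wildcards in the value first, otherwise a
    //    user-supplied % or _ silently widens the match.
    $like = $wpdb->esc_like( $title_prefix ) . '%';

    // 3. Identifiers cannot be bound as values; the table name comes from
    //    $wpdb, never from the request. (WordPress 6.2+ also offers %i.)
    $table = $wpdb->prefix . 'acme_ads';

    // 4. prepare() quotes and escapes: %s for strings, %d for integers.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE zone = %s AND id IN ({$in}) AND title LIKE %s",
        array_merge( array( $zone ), $ids, array( $like ) )
    );
    return $wpdb->get_results( $sql );
}

// Request edge: types are normalised here, but the query above is safe even
// if this layer were missing.
function acme_ajax_find_ads() {
    check_ajax_referer( 'acme_find_ads', 'nonce' );
    $zone  = isset( $_GET['zone'] ) ? sanitize_key( wp_unslash( $_GET['zone'] ) ) : '';
    $ids   = isset( $_GET['ids'] ) ? array_map( 'absint', (array) $_GET['ids'] ) : array();
    $title = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    wp_send_json_success( acme_find_ads( $zone, $ids, $title ) );
}
add_action( 'wp_ajax_acme_find_ads', 'acme_ajax_find_ads' );
add_action( 'wp_ajax_nopriv_acme_find_ads', 'acme_ajax_find_ads' );
```

When reviewing a plugin for this class, grep for $wpdb->query, get_results, get_var and get_row whose first argument is a string built with "." or "{$" from anything that originated in $_GET, $_POST, $_REQUEST or a shortcode attribute; a call to prepare() is not sufficient on its own if the interpolated part is the user data rather than a placeholder.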

Webtechstreet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13215 | Medium | 4.3 |  | 2025-01-15 | The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the 'render' function in modules/modal-popup/widgets/modal-popup.php.

Weiluri · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22765 | High | 7.1 |  | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weiluri WP Order By wp-order-by allows Reflected XSS. This issue affects WP Order By: from n/a through <= 1.4.2.

Willowsconsulting · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23777 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willowsconsulting GDPR Personal Data Reports gdpr-personal-data-reports allows Stored XSS. This issue affects GDPR Personal Data Reports…

Wishfulthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23929 | Medium | 4.3 |  | 2025-01-16 | Missing Authorization vulnerability in wishfulthemes Email Capture & Lead Generation email-capture-lead-generation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Email Capture & Lead Generation…

Wp Chill · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22773 | Medium | 5.3 |  | 2025-01-15 | Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects…

Wp Scripts · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22314 | High | 7.1 |  | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup food-store allows Reflected XSS. This issue affects Food Store – Online Food Deliver…

Wpbookingcalendar · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13323 | Medium | 6.4 |  | 2025-01-14 | The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input sanitization and output escaping on user…

Wpeventmanager · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10789 | Medium | 4.3 |  | 2025-01-16 | The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5.

Wpfreeware · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23933 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpfreeware WpF Ultimate Carousel wpf-ultimate-carousel allows Stored XSS. This issue affects WpF Ultimate Carousel: from n/a through <= 1…

Wptasker · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23961 | Medium | 5.4 |  | 2025-01-16 | Missing Authorization vulnerability in wptasker WordPress Graphs & Charts graph-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Graphs & Charts: from n/a through <= 2.0.8.

Wwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23775 | Medium | 6.5 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WWP GMAPS for WPBakery Page Builder Free gmaps-for-visual-composer-free allows Stored XSS. This issue affects GMAPS for WPBakery Page Buil…

Wygk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23870 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in wygk Copyright Safeguard Footer Notice copyright-safeguard-footer-notice allows Stored XSS. This issue affects Copyright Safeguard Footer Notice: from n/a through <= 3.0.

Xavsio4 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23470 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in xavsio4 Visit Site Link enhanced visit-site-link-enhanced allows Stored XSS. This issue affects Visit Site Link enhanced: from n/a through <= 1.0.

Xola · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23955 | Medium | 4.3 |  | 2025-01-16 | Missing Authorization vulnerability in xola Xola xola-bookings-for-tours-activities allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xola: from n/a through <= 1.6.

Xwiki · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23025 | Critical | 9.0 |  | 2025-01-14 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

Yamna Khawaja · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22514 | High | 7.1 |  | 2025-01-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Khawaja KNR Author List Widget knr-author-list-widget allows Reflected XSS. This issue affects KNR Author List Widget: from n/a thro…

Yesstreamingdev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23854 | Medium | 5.9 |  | 2025-01-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yesstreamingdev Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com shoutcast-and-icecast-html5-web-radio-player-by-yesstrea…

Yonisink · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23530 | High | 8.8 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Lockdown custom-post-type-lockdown allows Privilege Escalation. This issue affects Custom Post Type Lockdown: from n/a through <= 1.11.

Yubico · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23013 |  |  |  | 2025-01-15 | In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur.

Zack Katz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23861 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in Zack Katz Debt Calculator debt-calculator allows Cross Site Request Forgery. This issue affects Debt Calculator: from n/a through <= 1.0.1.

Zartis · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22746 | Medium | 6.5 |  | 2025-01-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zartis HireHive Job Plugin zartis-job-plugin allows Stored XSS. This issue affects HireHive Job Plugin: from n/a through <= 2.9.0.

Zetxek · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23533 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in zetxek WP Lyrics wplyrics allows Stored XSS. This issue affects WP Lyrics: from n/a through <= 0.4.1.

Zookatron · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12598 | Medium | 6.4 |  | 2025-01-17 | The MyBookProgress by Stormhill Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘book’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping.

Zulip · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-56136 | Medium | 5.3 |  | 2025-01-16 | Zulip server provides an open-source team chat that helps teams stay productive and focused.

Zyxel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12398 | High | 8.8 |  | 2025-01-14 | An improper privilege management vulnerability in the web management interface of the Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2) could allow an authenticated user with limited pri…

קידום ובניית אתרים · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-23537 | High | 7.1 |  | 2025-01-16 | Cross-Site Request Forgery (CSRF) vulnerability in קידום ובניית אתרים add custom google tag manager add-custom-google-tag-manager allows Stored XSS. This issue affects add custom google tag manager: from n/a through <= 1.0.3.
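Most of the WordPress rows in this listing fall into four Patchstack/Wordfence phrasings that describe one underlying shape: "Cross-Site Request Forgery (CSRF) ... allows Stored XSS" (a settings handler with no nonce, reachable by a forged form), "Missing Authorization" / "missing capability check" (a handler with no current_user_can() check), "Stored XSS ... due to insufficient input sanitization and output escaping", and "Reflected XSS" (a request parameter echoed unescaped). The CSRF-to-privilege-escalation row (Custom Post Type Lockdown) is the same handler shape with a more valuable option behind it. The block below is an added illustration of that shape beside the hardened form, not code from any plugin named on this page, and the page says nothing about how any of those plugins' handlers are written. It assumes it is loaded inside WordPress; the acme_ names, the 'acme_footer_html' option and the form fields are hypothetical, and menu registration for the settings page is omitted.

```php
<?php
// Added illustration, not code from any plugin in this listing.
// Assumes WordPress is loaded; every acme_* name and the 'acme_footer_html'
// option are hypothetical.

// VULNERABLE SHAPE. admin_post_{action} runs for any logged-in user; there is
// no nonce (CSRF), no capability check (missing authorization), and the value
// is stored and later echoed raw (stored XSS). A form on an attacker's site
// that posts action=acme_save while an administrator is logged in lands here.
function acme_save_footer_vulnerable() {
    update_option( 'acme_footer_html', $_POST['footer_html'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme' ) );
    exit;
}
// add_action( 'admin_post_acme_save', 'acme_save_footer_vulnerable' );

// HARDENED SHAPE.
function acme_save_footer() {
    // 1. Authorization: a capability check, not merely "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: require the nonce the form emitted for this action. The nonce is
    //    bound to the user and session, so a cross-site form cannot supply it.
    //    check_admin_referer() dies with 403 when it is absent or expired.
    check_admin_referer( 'acme_save_footer', 'acme_nonce' );

    // 3. Sanitize on intake: wp_kses_post() keeps only post-safe HTML.
    $raw    = isset( $_POST['footer_html'] ) && is_string( $_POST['footer_html'] )
            ? wp_unslash( $_POST['footer_html'] ) : '';
    $footer = wp_kses_post( $raw );
    update_option( 'acme_footer_html', $footer );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=acme' ) ) );
    exit;
}
add_action( 'admin_post_acme_save', 'acme_save_footer' );

// The settings form. wp_nonce_field() emits the hidden input that
// check_admin_referer() validates.
function acme_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_save">
        <?php wp_nonce_field( 'acme_save_footer', 'acme_nonce' ); ?>
        <textarea name="footer_html"><?php echo esc_textarea( get_option( 'acme_footer_html', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 4. Escape on output, for the context the value lands in. This value is
//    intentionally HTML, so it is re-filtered with wp_kses_post(); a plain
//    string would use esc_html(), an attribute esc_attr(), a URL esc_url().
function acme_print_footer() {
    echo wp_kses_post( get_option( 'acme_footer_html', '' ) );
}
add_action( 'wp_footer', 'acme_print_footer' );

// Reflected XSS is the same output rule applied to request data: escape at
// the point of echo, even when the value was sanitized on the way in.
function acme_search_heading() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<h2>Results for ' . esc_html( $q ) . '</h2>';
}
```

Two checks worth running when triaging a plugin from this list: grep for add_action( 'admin_post_ / 'wp_ajax_ / 'admin_init' and confirm each handler calls current_user_can() and check_admin_referer() or wp_verify_nonce() before touching update_option(), update_post_meta() or the filesystem; and grep for echo / print of anything from $_GET, $_POST or get_option() that is not wrapped in an esc_* or wp_kses* call. A nonce without a capability check still lets a low-privileged user change settings, and a capability check without a nonce still lets a forged form act as the administrator, so both are needed.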