Patch Tuesday — March 2025
2025-03-11 · 693 CVEs
CVEs published or modified the week of 2025-03-11, partitioned by vendor.
Microsoft (85 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-26645 | High | 8.8 | — | 2025-03-11 | Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |
| CVE-2025-24056 | High | 8.8 | — | 2025-03-11 | Heap-based buffer overflow in Windows Telephony Server allows an unauthorized attacker to execute code over a network. |
| CVE-2025-24051 | High | 8.8 | — | 2025-03-11 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
| CVE-2025-24084 | High | 8.4 | — | 2025-03-11 | Untrusted pointer dereference in Windows Subsystem for Linux allows an unauthorized attacker to execute code locally. |
| CVE-2025-24049 | High | 8.4 | — | 2025-03-11 | Improper neutralization of special elements used in a command ('command injection') in Azure Command Line Integration (CLI) allows an unauthorized attacker to elevate privileges locally. |
| CVE-2025-24064 | High | 8.1 | — | 2025-03-11 | Use after free in DNS Server allows an unauthorized attacker to execute code over a network. |
| CVE-2025-24045 | High | 8.1 | — | 2025-03-11 | Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. |
| CVE-2025-24035 | High | 8.1 | — | 2025-03-11 | Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. |
| CVE-2025-27178 | High | 7.8 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27177 | High | 7.8 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27175 | High | 7.8 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27174 | High | 7.8 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27171 | High | 7.8 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27169 | High | 7.8 | — | 2025-03-11 | Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27168 | High | 7.8 | — | 2025-03-11 | Illustrator versions 29.2.1, 28.7.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27167 | High | 7.8 | — | 2025-03-11 | Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. |
| CVE-2025-27166 | High | 7.8 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27162 | High | 7.8 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27161 | High | 7.8 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
| CVE-2025-27160 | High | 7.8 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27159 | High | 7.8 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-27158 | High | 7.8 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-24453 | High | 7.8 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-24452 | High | 7.8 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-26630 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Office Access allows an unauthorized attacker to execute code locally. |
| CVE-2025-26629 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-24995 | High | 7.8 | — | 2025-03-11 | Heap-based buffer overflow in Kernel Streaming WOW Thunk Service Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24993 | High | 7.8 | KEV | 2025-03-11 | Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. |
| CVE-2025-24985 | High | 7.8 | KEV | 2025-03-11 | Integer overflow or wraparound in Windows Fast FAT Driver allows an unauthorized attacker to execute code locally. |
| CVE-2025-24083 | High | 7.8 | — | 2025-03-11 | Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-24082 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-24081 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-24080 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-24079 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-24077 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-24075 | High | 7.8 | — | 2025-03-11 | Stack-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-24072 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Local Security Authority Server (lsasrv) allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24067 | High | 7.8 | — | 2025-03-11 | Heap-based buffer overflow in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24066 | High | 7.8 | — | 2025-03-11 | Heap-based buffer overflow in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24061 | High | 7.8 | — | 2025-03-11 | Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature locally. |
| CVE-2025-24059 | High | 7.8 | — | 2025-03-11 | Incorrect conversion between numeric types in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24057 | High | 7.8 | — | 2025-03-11 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-24050 | High | 7.8 | — | 2025-03-11 | Heap-based buffer overflow in Role: Windows Hyper-V allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24048 | High | 7.8 | — | 2025-03-11 | Heap-based buffer overflow in Role: Windows Hyper-V allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24046 | High | 7.8 | — | 2025-03-11 | Use after free in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24044 | High | 7.8 | — | 2025-03-11 | Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally. |
| CVE-2025-21180 | High | 7.8 | — | 2025-03-11 | Heap-based buffer overflow in Windows exFAT File System allows an unauthorized attacker to execute code locally. |
| CVE-2025-26634 | High | 7.5 | — | 2025-03-11 | Heap-based buffer overflow in Windows Core Messaging allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-24043 | High | 7.5 | — | 2025-03-11 | Improper verification of cryptographic signature in .NET allows an authorized attacker to execute code over a network. |
| CVE-2025-26631 | High | 7.3 | — | 2025-03-11 | Uncontrolled search path element in Visual Studio Code allows an authorized attacker to elevate privileges locally. |
| CVE-2025-25003 | High | 7.3 | — | 2025-03-11 | Uncontrolled search path element in Visual Studio allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24998 | High | 7.3 | — | 2025-03-11 | Uncontrolled search path element in Visual Studio allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24994 | High | 7.3 | — | 2025-03-11 | Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24076 | High | 7.3 | — | 2025-03-11 | Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24053 | High | 7.2 | — | 2025-03-13 | Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-23360 | High | 7.1 | — | 2025-03-11 | NVIDIA Nemo Framework contains a vulnerability where a user could cause a relative path traversal issue by arbitrary file write. |
| CVE-2025-25008 | High | 7.1 | — | 2025-03-11 | Improper link resolution before file access ('link following') in Microsoft Windows allows an authorized attacker to elevate privileges locally. |
| CVE-2025-26633 | High | 7.0 | KEV | 2025-03-11 | Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally. |
| CVE-2025-26627 | High | 7.0 | — | 2025-03-11 | Improper neutralization of special elements used in a command ('command injection') in Azure Arc allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24983 | High | 7.0 | KEV | 2025-03-11 | Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24078 | High | 7.0 | — | 2025-03-11 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-24070 | High | 7.0 | — | 2025-03-11 | Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-21199 | Medium | 6.7 | — | 2025-03-11 | Improper privilege management in Azure Agent Installer allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24988 | Medium | 6.6 | — | 2025-03-11 | Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to elevate privileges with a physical attack. |
| CVE-2025-24987 | Medium | 6.6 | — | 2025-03-11 | Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to elevate privileges with a physical attack. |
| CVE-2025-24996 | Medium | 6.5 | — | 2025-03-11 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-24986 | Medium | 6.5 | — | 2025-03-11 | Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network. |
| CVE-2025-24071 | Medium | 6.5 | — | 2025-03-11 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-24054 | Medium | 6.5 | KEV | 2025-03-11 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-27179 | Medium | 5.5 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
| CVE-2025-27176 | Medium | 5.5 | — | 2025-03-11 | InDesign Desktop versions ID20.1, ID19.5.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
| CVE-2025-27170 | Medium | 5.5 | — | 2025-03-11 | Illustrator versions 29.2.1, 28.7.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
| CVE-2025-27164 | Medium | 5.5 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
| CVE-2025-27163 | Medium | 5.5 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
| CVE-2025-24449 | Medium | 5.5 | — | 2025-03-11 | Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
| CVE-2025-24448 | Medium | 5.5 | — | 2025-03-11 | Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
| CVE-2025-24431 | Medium | 5.5 | — | 2025-03-11 | Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
| CVE-2025-24992 | Medium | 5.5 | — | 2025-03-11 | Buffer over-read in Windows NTFS allows an unauthorized attacker to disclose information locally. |
| CVE-2025-24991 | Medium | 5.5 | KEV | 2025-03-11 | Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally. |
| CVE-2024-47109 | Medium | 5.3 | — | 2025-03-10 | IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 UI could disclose the installation path of the server, which could aid in further attacks against the system. |
| CVE-2025-24984 | Medium | 4.6 | KEV | 2025-03-11 | Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack. |
| CVE-2025-24997 | Medium | 4.4 | — | 2025-03-11 | Null pointer dereference in Windows Kernel Memory allows an authorized attacker to deny service locally. |
| CVE-2025-24055 | Medium | 4.3 | — | 2025-03-11 | Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to disclose information with a physical attack. |
| CVE-2025-21247 | Medium | 4.3 | — | 2025-03-11 | Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2024-52905 | Low | 2.7 | — | 2025-03-10 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 could disclose sensitive database information to a privileged user. |
Other vendors (608 CVEs across 261 vendors)
N/a · 57 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-29386 | Critical | 9.8 | — | 2025-03-14 | In Tenda AC9 v1.0 V15.03.05.14_multi, the mac parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. |
| CVE-2025-29385 | Critical | 9.8 | — | 2025-03-14 | In Tenda AC9 v1.0 V15.03.05.14_multi, the cloneType parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. |
| CVE-2025-29384 | Critical | 9.8 | — | 2025-03-14 | In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. |
| CVE-2025-29031 | Critical | 9.8 | — | 2025-03-14 | Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the fromAddressNat function. |
| CVE-2025-29030 | Critical | 9.8 | — | 2025-03-14 | Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the formWifiWpsOOB function. |
| CVE-2025-29029 | Critical | 9.8 | — | 2025-03-14 | Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the formSetSpeedWan function. |
| CVE-2025-25568 | Critical | 9.8 | — | 2025-03-12 | SoftEtherVPN 5.02.5187 is vulnerable to Use after Free in the Command.c file via the CheckNetworkAcceptThread function. |
| CVE-2025-25567 | Critical | 9.8 | — | 2025-03-12 | SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in Internat.c via the UniToStrForSingleChars function. |
| CVE-2025-25565 | Critical | 9.8 | — | 2025-03-12 | SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in the Command.c file via the PtMakeCert and PtMakeCert2048 functions. |
| CVE-2025-25940 | Critical | 9.8 | — | 2025-03-10 | VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java. |
| CVE-2025-26260 | High | 8.8 | — | 2025-03-12 | Plenti <= 0.7.16 is vulnerable to code execution. |
| CVE-2025-25711 | High | 8.8 | — | 2025-03-12 | An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the [/tnexus/rest/admin/updateUser] API endpoint |
| CVE-2025-25907 | High | 8.8 | — | 2025-03-10 | tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/save. |
| CVE-2025-25871 | High | 8.0 | — | 2025-03-14 | An issue in Open Panel v.0.3.4 allows a remote attacker to escalate privileges via the Fix Permissions function |
| CVE-2025-25928 | High | 8.0 | — | 2025-03-11 | A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. |
| CVE-2025-27910 | High | 8.0 | — | 2025-03-10 | tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/upd/status. |
| CVE-2024-51321 | High | 7.6 | — | 2025-03-11 | In Zucchetti Ad Hoc Infinity 2.4, an improper check on the m_cURL parameter allows an attacker to redirect the victim to an attacker-controlled website after the authentication. |
| CVE-2025-29363 | High | 7.5 | — | 2025-03-13 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to buffer overflow via the schedStartTime and schedEndTime parameters at /goform/saveParentControlInfo. |
| CVE-2025-29362 | High | 7.5 | — | 2025-03-13 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the list parameter at /goform/setPptpUserList. |
| CVE-2025-29361 | High | 7.5 | — | 2025-03-13 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the list parameter at /goform/SetVirtualServerCfg. |
| CVE-2025-29360 | High | 7.5 | — | 2025-03-13 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the time and timeZone parameters at /goform/SetSysTimeCfg. |
| CVE-2025-29359 | High | 7.5 | — | 2025-03-13 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the deviceId parameter at /goform/saveParentControlInfo. |
| CVE-2025-29358 | High | 7.5 | — | 2025-03-13 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the firewallEn parameter at /goform/SetFirewallCfg. |
| CVE-2025-29357 | High | 7.5 | — | 2025-03-13 | Tenda RX3 US_RX3V1.0br_V16.03.13.11_multi_TDE01 is vulnerable to Buffer Overflow via the startIp and endIp parameters at /goform/SetPptpServerCfg. |
| CVE-2025-25709 | High | 7.5 | — | 2025-03-12 | An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the addUser and updateUser endpoints |
| CVE-2024-51319 | High | 7.3 | — | 2025-03-11 | A local file include vulnerability in the /servlet/Report of Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution by uploading a jsp web/reverse shell through /jsp/zimg_upload.jsp. |
| CVE-2025-2177 | High | 7.3 | — | 2025-03-11 | A vulnerability classified as critical was found in libzvbi up to 0.2.43. |
| CVE-2025-2176 | High | 7.3 | — | 2025-03-11 | A vulnerability classified as critical has been found in libzvbi up to 0.2.43. |
| CVE-2025-29387 | High | 7.1 | — | 2025-03-14 | In Tenda AC9 v1.0 V15.03.05.14_multi, the wanSpeed parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. |
| CVE-2025-25927 | Medium | 6.8 | — | 2025-03-11 | A Cross-Site Request Forgery (CSRF) in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request. |
| CVE-2024-57062 | Medium | 6.7 | — | 2025-03-13 | An issue in SoundCloud IOS application v.7.65.2 allows a local attacker to escalate privileges and obtain sensitive information via the session handling component. |
| CVE-2025-25363 | Medium | 6.5 | — | 2025-03-13 | An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in c… |
| CVE-2025-25774 | Medium | 6.5 | — | 2025-03-12 | An issue was discovered in Open5GS v2.7.2. |
| CVE-2024-55060 | Medium | 6.1 | — | 2025-03-13 | A cross-site scripting (XSS) vulnerability in the component index.php of Rafed CMS Website v1.44 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2025-28011 | Medium | 6.1 | — | 2025-03-13 | A SQL Injection was found in loginsystem/change-password.php in PHPGurukul User Registration & Login and User Management System v3.3 that allows remote attackers to execute arbitrary code via the currentpassword POST request parameter. |
| CVE-2024-57348 | Medium | 6.1 | — | 2025-03-13 | Cross Site Scripting vulnerability in PecanProject pecan through v.1.8.0 allows a remote attacker to execute arbitrary code via the crafted payload to the hostname, sitegroupid, lat, lon and sitename parameters. |
| CVE-2025-29032 | Medium | 5.9 | — | 2025-03-14 | Tenda AC9 v15.03.05.19(6318) was discovered to contain a buffer overflow via the formWifiWpsOOB function. |
| CVE-2025-25683 | Medium | 5.6 | — | 2025-03-12 | AlekSIS-Core is vulnerable to Incorrect Access Control. |
| CVE-2025-25566 | Medium | 5.6 | — | 2025-03-12 | Memory Leak vulnerability in SoftEtherVPN 5.02.5187 allows an attacker to cause a denial of service via the UnixMemoryAlloc function. |
| CVE-2024-29409 | Medium | 5.5 | — | 2025-03-14 | File Upload vulnerability in nestjs nest v.10.3.2 allows a remote attacker to execute arbitrary code via the Content-Type header. |
| CVE-2025-25873 | Medium | 5.5 | — | 2025-03-14 | Cross Site Request Forgery vulnerability in Open Panel OpenAdmin v.0.3.4 allows a remote attacker to escalate privileges via the Change Root Password function |
| CVE-2025-25872 | Medium | 5.5 | — | 2025-03-14 | An issue in Open Panel v.0.3.4 allows a remote attacker to escalate privileges via the Fix Permissions function |
| CVE-2024-57492 | Medium | 5.5 | — | 2025-03-10 | An issue in redoxOS relibc before commit 98aa4ea5 allows a local attacker to cause a denial of service via the round_up_to_page function. |
| CVE-2025-27915 | Medium | 5.4 | KEV | 2025-03-12 | An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. |
| CVE-2025-27914 | Medium | 5.4 | — | 2025-03-12 | An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. |
| CVE-2025-25929 | Medium | 5.4 | — | 2025-03-11 | A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload inje… |
| CVE-2024-51322 | Medium | 5.4 | — | 2025-03-11 | Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom, /jsp/gsmd_container.jsp componen… |
| CVE-2024-51320 | Medium | 5.4 | — | 2025-03-11 | Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /servlet/gsdm_fsave_htmltmp, /servlet/gsdm_btlk_openfile components |
| CVE-2025-25908 | Medium | 5.4 | — | 2025-03-10 | A stored cross-site scripting (XSS) vulnerability in tianti v2.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the coverImageURL parameter at /article/ajax/save. |
| CVE-2025-28015 | Medium | 5.3 | — | 2025-03-13 | An HTML Injection vulnerability was found in loginsystem/edit-profile.php of the PHPGurukul User Registration & Login and User Management System V3.3. |
| CVE-2024-27763 | Medium | 5.3 | — | 2025-03-12 | XPixelGroup BasicSR through 1.4.2 might locally allow code execution in contrived situations where "scontrol show hostname" is executed in the presence of a crafted SLURM_NODELIST environment variable. |
| CVE-2025-2174 | Medium | 5.3 | — | 2025-03-11 | A vulnerability was found in libzvbi up to 0.2.43. |
| CVE-2025-2173 | Medium | 5.3 | — | 2025-03-11 | A vulnerability was found in libzvbi up to 0.2.43. |
| CVE-2025-25925 | Medium | 4.8 | — | 2025-03-11 | A stored cross-scripting (XSS) vulnerability in Openmrs v2.4.3 Build 0ff0ed allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the personName.middleName parameter at /openmrs/admin/patients/short… |
| CVE-2024-22880 | Medium | 4.7 | — | 2025-03-13 | Cross Site Scripting vulnerability in Zadarma Zadarma extension v.1.0.11 allows a remote attacker to execute arbitrary code via a crafted script to the webchat component. |
| CVE-2025-2215 | Medium | 4.7 | — | 2025-03-12 | A vulnerability classified as critical was found in Doufox up to 0.2.0. |
| CVE-2025-2175 | Medium | 4.3 | — | 2025-03-11 | A vulnerability was found in libzvbi up to 0.2.43. |
Linux · 28 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58087 | High | 8.1 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue from session lookup and expire Increment the session reference count within the lock for lookup to avoid racy issue with session expire. |
| CVE-2025-21863 | High | 7.8 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we sanitise it against speculations. |
| CVE-2025-21858 | High | 7.8 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). |
| CVE-2025-21856 | High | 7.8 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must b… |
| CVE-2025-21855 | High | 7.8 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of th… |
| CVE-2025-23242 | High | 7.3 | — | 2025-03-11 | NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. |
| CVE-2025-23243 | Medium | 6.5 | — | 2025-03-11 | NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. |
| CVE-2025-21866 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-en… |
| CVE-2025-21865 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). |
| CVE-2025-21864 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a… |
| CVE-2025-21862 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0… |
| CVE-2025-21861 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migra… |
| CVE-2025-21859 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causi… |
| CVE-2025-21857 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: fix error handling causing NULL dereference tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded… |
| CVE-2025-21854 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: sockmap, vsock: For connectible sockets allow only connected sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_… |
| CVE-2025-21853 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: bpf: avoid holding freeze_mutex during mmap operation We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable pe… |
| CVE-2025-21852 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: net: Add rx_skb of kfree_skb to raw_tp_null_args[]. |
| CVE-2025-21850 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: nvmet: Fix crash when a namespace is disabled The namespace percpu counter protects pending I/O, and we can only safely disable the namespace once the counter drops to zer… |
CVE-2025-21849 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Use spin_lock_irqsave() in interruptible context spin_lock/unlock() functions used in interrupt contexts could result in a deadlock, as seen in GitLab issue… |
CVE-2025-21848 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference. |
CVE-2025-21847 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() The nullity of sps->cstream should be checked similarly as it is done in sof_set_stream_data_offse… |
CVE-2025-21846 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file… |
CVE-2025-21845 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: sst: Fix SST write failure 'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")' introduced a bug where… |
CVE-2025-21844 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: smb: client: Add check for next_buffer in receive_encrypted_standard() Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_sta… |
CVE-2024-58089 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double accounting race when btrfs_run_delalloc_range() failed [BUG] When running btrfs with block size (4K) smaller than page size (64K, aarch64), there is a… |
CVE-2024-58088 | Medium | 5.5 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix deadlock when freeing cgroup storage The following commit bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]") first introduced d… |
CVE-2025-21860 | Low | 3.3 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: mm/zswap: fix inconsistency when zswap_store_page() fails Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") skips charging any zswap entries when… |
CVE-2025-21851 | Low | 3.3 | — | 2025-03-12 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix softlockup in arena_map_free on 64k page kernel On an aarch64 kernel with CONFIG_PAGE_SIZE_64KB=y, arena_htab tests cause a segmentation fault and soft lockup. |
Fortinet · 26 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-46662 | High | 8.8 | — | 2025-03-14 | An improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3 allows an attacker to escalate privileges via spe… |
CVE-2024-55590 | High | 8.8 | — | 2025-03-11 | Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiIsolator version 2.4.0 through 2.4.5 allows an authenticated attacker with at least read-only adm… |
CVE-2024-52961 | High | 8.8 | — | 2025-03-11 | An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0, FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2.1 through 4.2.7, FortiSandbox 4.0.0 through 4.0.5… |
CVE-2023-37933 | High | 8.8 | — | 2025-03-11 | An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC GUI version 7.4.0, 7.2.0 through 7.2.1 and before 7.1.3 allows an authenticated attacker to perform an XSS attack vi… |
CVE-2023-45588 | High | 8.2 | — | 2025-03-14 | An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0.10 and below installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configu… |
CVE-2023-40723 | High | 8.1 | — | 2025-03-11 | An exposure of sensitive information to an unauthorized actor in Fortinet FortiSIEM version 6.7.0 through 6.7.4 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 and 6.3.0 through 6.3.3 and 6.2.0 through 6.2.1 and 6.1… |
CVE-2024-45328 | High | 7.8 | — | 2025-03-11 | An incorrect authorization vulnerability [CWE-863] in FortiSandbox 4.4.0 through 4.4.6 may allow a low privileged administrator to execute elevated CLI commands via the GUI console menu. |
CVE-2024-26006 | High | 7.5 | — | 2025-03-14 | An improper neutralization of input during web page Generation vulnerability [CWE-79] in FortiOS version 7.4.3 and below, version 7.2.7 and below, version 7.0.13 and below and FortiProxy version 7.4.3 and below, version 7.2.9 and below, ve… |
CVE-2023-48790 | High | 7.5 | — | 2025-03-11 | A cross site request forgery vulnerability [CWE-352] in Fortinet FortiNDR version 7.4.0, 7.2.0 through 7.2.1 and 7.1.0 through 7.1.1 and before 7.0.5 may allow a remote unauthenticated attacker to execute unauthorized actions via crafted H… |
CVE-2024-54018 | High | 7.2 | — | 2025-03-11 | Multiple improper neutralization of special elements used in an OS Command vulnerabilities [CWE-78] in FortiSandbox before 4.4.5 allows a privileged attacker to execute unauthorized commands via crafted requests. |
CVE-2024-45324 | High | 7.2 | — | 2025-03-11 | A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0… |
CVE-2024-46663 | Medium | 6.7 | — | 2025-03-11 | A stack-buffer overflow vulnerability [CWE-121] in Fortinet FortiMail CLI version 7.6.0 through 7.6.1 and before 7.4.3 allows a privileged attacker to execute arbitrary code or commands via specifically crafted CLI commands. |
CVE-2024-32123 | Medium | 6.7 | — | 2025-03-11 | Multiple improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5 and 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14… |
CVE-2024-40585 | Medium | 6.5 | — | 2025-03-14 | An insertion of sensitive information into log file vulnerability [CWE-532] in FortiManager version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below and FortiAnalyzer version 7.4… |
CVE-2024-47573 | Medium | 6.5 | — | 2025-03-14 | An improper validation of integrity check value vulnerability [CWE-354] in FortiNDR version 7.4.2 and below, version 7.2.1 and below, version 7.1.1 and below, version 7.0.6 and below may allow an authenticated attacker with at least Read/W… |
CVE-2024-55594 | Medium | 5.6 | — | 2025-03-14 | An improper handling of syntactically invalid structure in Fortinet FortiWeb at least versions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows an attacker to execute unauthorized code or commands via HTTP/S crafte… |
CVE-2023-42784 | Medium | 5.6 | — | 2025-03-11 | An improper handling of syntactically invalid structure in Fortinet FortiWeb at least versions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows an attacker to execute unauthorized code or commands via HTTP/S crafted… |
CVE-2024-55597 | Medium | 5.5 | — | 2025-03-11 | An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiWeb versions 7.0.0 through 7.6.0 allows an attacker to execute unauthorized code or commands via crafted requests. |
CVE-2023-33300 | Medium | 5.3 | — | 2025-03-14 | An improper neutralization of special elements used in a command ('command injection') in Fortinet FortiNAC 7.2.1 and earlier, 9.4.3 and earlier allows an attacker limited, unauthorized file access via specifically crafted request in inter-s… |
CVE-2023-48785 | Medium | 4.8 | — | 2025-03-14 | An improper certificate validation vulnerability [CWE-295] in FortiNAC-F version 7.2.4 and below may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the HTTPS communication channel between the FortiOS d… |
CVE-2024-40590 | Medium | 4.8 | — | 2025-03-14 | An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMT… |
CVE-2024-54026 | Medium | 4.3 | — | 2025-03-11 | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox… |
CVE-2024-52960 | Medium | 4.3 | — | 2025-03-11 | A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthori… |
CVE-2024-33501 | Medium | 4.2 | — | 2025-03-11 | Two improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5, FortiManager version 7.4.0 through 7.4.2 and before 7.2… |
CVE-2024-55592 | Low | 3.8 | — | 2025-03-11 | An incorrect authorization vulnerability [CWE-863] in FortiSIEM 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions, 6.1 all versi… |
CVE-2022-29059 | Low | 2.7 | — | 2025-03-14 | An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below may allow a privileged attacker to execu… |
Siemens · 25 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56336 | Critical | 9.8 | — | 2025-03-11 | A vulnerability has been identified in SINAMICS S200 (All versions with serial number beginning with SZVS8, SZVS9, SZVS0 or SZVSN and the FS number is 02). |
CVE-2025-27494 | Critical | 9.1 | — | 2025-03-11 | A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.9), SiPass integrated ACC-AP (All versions < V6.4.9). |
CVE-2025-27396 | High | 8.8 | — | 2025-03-11 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). |
CVE-2025-27493 | High | 8.2 | — | 2025-03-11 | A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.9), SiPass integrated ACC-AP (All versions < V6.4.9). |
CVE-2024-56182 | High | 8.2 | — | 2025-03-11 | A vulnerability has been identified in SIMATIC Field PG M5 (All versions), SIMATIC Field PG M6 (All versions < V26.01.12), SIMATIC IPC BX-21A (All versions < V31.01.07), SIMATIC IPC BX-32A (All versions < V29.01.07), SIMATIC IPC BX-39A (Al… |
CVE-2024-56181 | High | 8.2 | — | 2025-03-11 | A vulnerability has been identified in SIMATIC Field PG M5 (All versions), SIMATIC IPC BX-21A (All versions < V31.01.07), SIMATIC IPC BX-32A (All versions < V29.01.07), SIMATIC IPC BX-39A (All versions < V29.01.07), SIMATIC IPC BX-59A (All… |
CVE-2025-25175 | High | 7.8 | — | 2025-03-13 | A vulnerability has been identified in Simcenter Femap V2401 (All versions < V2401.0003), Simcenter Femap V2406 (All versions < V2406.0002). |
CVE-2025-27438 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-23402 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-23401 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-23400 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-23399 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-23398 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-23397 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-23396 | High | 7.8 | — | 2025-03-11 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualiza… |
CVE-2025-27395 | High | 7.2 | — | 2025-03-11 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). |
CVE-2025-27394 | High | 7.2 | — | 2025-03-11 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). |
CVE-2025-27393 | High | 7.2 | — | 2025-03-11 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). |
CVE-2025-27392 | High | 7.2 | — | 2025-03-11 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). |
CVE-2025-25266 | Medium | 6.8 | — | 2025-03-11 | A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). |
CVE-2025-25267 | Medium | 6.2 | — | 2025-03-11 | A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). |
CVE-2024-52285 | Medium | 5.3 | — | 2025-03-11 | A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). |
CVE-2025-27397 | Low | 3.8 | — | 2025-03-11 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). |
CVE-2025-23384 | Low | 3.7 | — | 2025-03-11 | A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2.1), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2.1), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions… |
CVE-2025-27398 | Low | 2.7 | — | 2025-03-11 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). |
SAP SE · 19 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27434 | High | 8.8 | — | 2025-03-11 | Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject the malicious code from remote sources, which can be leveraged by an attacker to execute a cross-site scripting (XSS) attack. |
CVE-2025-26661 | High | 8.8 | — | 2025-03-11 | Due to missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. |
CVE-2025-26658 | Medium | 6.8 | — | 2025-03-11 | The Service Layer in SAP Business One allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. |
CVE-2025-26659 | Medium | 6.1 | — | 2025-03-11 | SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to a DOM-based Cross-Site Scripting (XSS) vulnerability. |
CVE-2025-25242 | Medium | 6.1 | — | 2025-03-11 | SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. |
CVE-2025-25244 | Medium | 5.7 | — | 2025-03-11 | SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. |
CVE-2025-27431 | Medium | 5.4 | — | 2025-03-11 | User management functionality in SAP NetWeaver Application Server Java is vulnerable to Stored Cross-Site Scripting (XSS). |
CVE-2025-23194 | Medium | 5.3 | — | 2025-03-11 | SAP NetWeaver Enterprise Portal OBN does not perform proper authentication check for a particular configuration setting. |
CVE-2025-0071 | Medium | 4.9 | — | 2025-03-11 | SAP Web Dispatcher and Internet Communication Manager allow an attacker with administrative privileges to enable debugging trace mode with a specific parameter value. |
CVE-2025-0062 | Medium | 4.7 | — | 2025-03-11 | SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code in Web Intelligence reports. |
CVE-2025-27436 | Medium | 4.3 | — | 2025-03-11 | The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a… |
CVE-2025-27433 | Medium | 4.3 | — | 2025-03-11 | The Manage Bank Statements in SAP S/4HANA allows an authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. |
CVE-2025-26660 | Medium | 4.3 | — | 2025-03-11 | SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. |
CVE-2025-26656 | Medium | 4.3 | — | 2025-03-11 | OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. |
CVE-2025-23188 | Medium | 4.3 | — | 2025-03-11 | An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. |
CVE-2025-23185 | Medium | 4.1 | — | 2025-03-11 | Due to improper error handling in SAP Business Objects Business Intelligence Platform, technical details of the application are revealed in exceptions thrown to the user and in stack traces. |
CVE-2025-27430 | Low | 3.5 | — | 2025-03-11 | Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. |
CVE-2025-26655 | Low | 3.1 | — | 2025-03-11 | SAP Just In Time (JIT) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges that would otherwise be restricted, potentially causing a low impact on the integrity of the applicat… |
CVE-2025-27432 | Low | 2.4 | — | 2025-03-11 | The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorized access to each transaction. |
Adobe · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27181 | High | 7.8 | — | 2025-03-11 | Substance3D - Modeler versions 1.15.0 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27173 | High | 7.8 | — | 2025-03-11 | Substance3D - Modeler versions 1.15.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24451 | High | 7.8 | — | 2025-03-11 | Substance3D - Painter versions 10.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24450 | High | 7.8 | — | 2025-03-11 | Substance3D - Painter versions 10.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24445 | High | 7.8 | — | 2025-03-11 | Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24444 | High | 7.8 | — | 2025-03-11 | Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24443 | High | 7.8 | — | 2025-03-11 | Substance3D - Sampler versions 4.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24442 | High | 7.8 | — | 2025-03-11 | Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24441 | High | 7.8 | — | 2025-03-11 | Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24440 | High | 7.8 | — | 2025-03-11 | Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-24439 | High | 7.8 | — | 2025-03-11 | Substance3D - Sampler versions 4.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27172 | High | 7.8 | — | 2025-03-11 | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21169 | High | 7.8 | — | 2025-03-11 | Substance3D - Designer versions 14.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27180 | Medium | 5.5 | — | 2025-03-11 | Substance3D - Modeler versions 1.15.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-21170 | Medium | 5.5 | — | 2025-03-11 | Substance3D - Modeler versions 1.15.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
Apple · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24201 | Critical | 10.0 | KEV | 2025-03-11 | An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. |
CVE-2022-43454 | High | 7.8 | — | 2025-03-10 | A double free issue was addressed with improved memory management. |
CVE-2024-54546 | High | 7.5 | — | 2025-03-10 | The issue was addressed with improved memory handling. |
CVE-2024-44227 | High | 7.5 | — | 2025-03-10 | The issue was addressed with improved memory handling. |
CVE-2024-54467 | Medium | 6.5 | — | 2025-03-10 | A cookie management issue was addressed with improved state management. |
CVE-2022-48610 | Medium | 5.5 | — | 2025-03-10 | This issue was addressed through improved state management. |
CVE-2024-54560 | Medium | 5.5 | — | 2025-03-10 | A logic issue was addressed with improved checks. |
CVE-2024-54473 | Medium | 5.5 | — | 2025-03-10 | This issue was addressed with improved redaction of sensitive information. |
CVE-2024-54469 | Medium | 5.5 | — | 2025-03-10 | The issue was addressed with improved checks. |
CVE-2024-54463 | Medium | 5.5 | — | 2025-03-10 | This issue was addressed with improved entitlements. |
CVE-2024-44192 | Medium | 5.5 | — | 2025-03-10 | The issue was addressed with improved checks. |
CVE-2024-54558 | Low | 2.8 | — | 2025-03-10 | A clickjacking issue was addressed with improved out-of-process view handling. |
CVE-2024-44179 | Low | 2.4 | — | 2025-03-10 | This issue was addressed by restricting options offered on a locked device. |
Ashlar · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2023 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt LI File Parsing Integer Overflow Remote Code Execution Vulnerability. |
CVE-2025-2022 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VS File Parsing Type Confusion Remote Code Execution Vulnerability. |
CVE-2025-2021 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt XE File Parsing Integer Overflow Remote Code Execution Vulnerability. |
CVE-2025-2020 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. |
CVE-2025-2019 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. |
CVE-2025-2018 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VS File Parsing Type Confusion Remote Code Execution Vulnerability. |
CVE-2025-2017 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt CO File Parsing Buffer Overflow Remote Code Execution Vulnerability. |
CVE-2025-2016 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VC6 File Parsing Type Confusion Remote Code Execution Vulnerability. |
CVE-2025-2015 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VS File Parsing Type Confusion Remote Code Execution Vulnerability. |
CVE-2025-2014 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VS File Parsing Use of Uninitialized Variable Remote Code Execution Vulnerability. |
CVE-2025-2013 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability. |
CVE-2025-2012 | High | 7.8 | — | 2025-03-11 | Ashlar-Vellum Cobalt VS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. |
Google · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1550 | Critical | 9.8 | — | 2025-03-11 | The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. |
CVE-2025-2137 | High | 8.8 | — | 2025-03-10 | Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. |
CVE-2025-2136 | High | 8.8 | — | 2025-03-10 | Use after free in Inspector in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2025-2135 | High | 8.8 | — | 2025-03-10 | Type Confusion in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2025-1920 | High | 8.8 | — | 2025-03-10 | Type Confusion in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2024-56191 | High | 8.4 | — | 2025-03-10 | In dhd_process_full_gscan_result of dhd_pno.c, there is a possible EoP due to an integer overflow. |
CVE-2024-56192 | High | 7.8 | — | 2025-03-10 | In wl_notify_gscan_event of wl_cfgscan.c, there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-56187 | Medium | 6.6 | — | 2025-03-10 | In ppcfw_deny_sec_dram_access of ppcfw.c, there is a possible arbitrary read from TEE memory due to a logic error in the code. |
CVE-2024-56188 | Medium | 5.1 | — | 2025-03-10 | There is a possible way to crash the modem due to a missing null check. |
CVE-2024-56186 | Medium | 5.1 | — | 2025-03-10 | In closeChannel of secureelementimpl.cpp, there is a possible out of bounds read due to an incorrect bounds check. |
CVE-2024-56185 | Medium | 5.1 | — | 2025-03-10 | In ProtocolUnsolOnSSAdapter::GetServiceClass() of protocolcalladapter.cpp, there is a possible out-of-bounds read due to a missing bounds check. |
CVE-2024-56184 | Medium | 5.1 | — | 2025-03-10 | In static long dev_send of tipc_dev_ql, there is a possible out of bounds read due to an incorrect bounds check. |
Autodesk · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1652 | High | 7.8 | — | 2025-03-13 | A maliciously crafted MODEL file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. |
CVE-2025-1651 | High | 7.8 | — | 2025-03-13 | A maliciously crafted MODEL file, when parsed through Autodesk AutoCAD, can force a Heap-Based Overflow vulnerability. |
CVE-2025-1650 | High | 7.8 | — | 2025-03-13 | A maliciously crafted CATPRODUCT file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. |
CVE-2025-1649 | High | 7.8 | — | 2025-03-13 | A maliciously crafted CATPRODUCT file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. |
CVE-2025-1433 | High | 7.8 | — | 2025-03-13 | A maliciously crafted MODEL file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. |
CVE-2025-1432 | High | 7.8 | — | 2025-03-13 | A maliciously crafted 3DM file, when parsed through Autodesk AutoCAD, can force a Use-After-Free vulnerability. |
CVE-2025-1431 | High | 7.8 | — | 2025-03-13 | A maliciously crafted SLDPRT file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. |
CVE-2025-1430 | High | 7.8 | — | 2025-03-13 | A maliciously crafted SLDPRT file, when parsed through Autodesk AutoCAD, can force a Memory Corruption vulnerability. |
CVE-2025-1429 | High | 7.8 | — | 2025-03-13 | A maliciously crafted MODEL file, when parsed through Autodesk AutoCAD, can force a Heap-Based Overflow vulnerability. |
CVE-2025-1428 | High | 7.8 | — | 2025-03-13 | A maliciously crafted CATPART file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. |
CVE-2025-1427 | High | 7.8 | — | 2025-03-13 | A maliciously crafted CATPRODUCT file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. |
Cisco · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20138 | High | 8.8 | — | 2025-03-12 | A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient v… |
CVE-2025-20146 | High | 8.6 | — | 2025-03-12 | A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unaut… |
CVE-2025-20142 | High | 8.6 | — | 2025-03-12 | A vulnerability in the IPv4 access control list (ACL) feature and quality of service (QoS) policy feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9… |
CVE-2025-20115 | High | 8.6 | — | 2025-03-12 | A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due… |
CVE-2025-20209 | High | 7.5 | — | 2025-03-12 | A vulnerability in the Internet Key Exchange version 2 (IKEv2) function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to prevent an affected device from processing any control plane UDP packets. This vul… |
CVE-2025-20141 | High | 7.4 | — | 2025-03-12 | A vulnerability in the handling of specific packets that are punted from a line card to a route processor in Cisco IOS XR Software Release 7.9.2 could allow an unauthenticated, adjacent attacker to cause control plane traffic to stop worki… |
CVE-2025-20177 | Medium | 6.7 | — | 2025-03-12 | A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR image signature verification and load unverified software on an affected device. |
CVE-2025-20143 | Medium | 6.7 | — | 2025-03-12 | A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker with high privileges to bypass the Secure Boot functionality and load unverified software on an affected device. |
CVE-2025-20145 | Medium | 5.8 | — | 2025-03-12 | A vulnerability in the access control list (ACL) processing in the egress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability exists because certain packets a… |
CVE-2025-20144 | Medium | 4.0 | — | 2025-03-12 | A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incorrect handling of p… |
Ibm · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2000 | Critical | 9.8 | — | 2025-03-14 | A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload without privilege escalation when deserialising QPY formats < 13. |
CVE-2024-49823 | Medium | 6.5 | — | 2025-03-11 | IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow an authenticated user to cause a denial of service in the Hardware Security Module (HSM) using a specially crafted sequence of valid requests. |
CVE-2024-22340 | Medium | 6.5 | — | 2025-03-11 | IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow a remote attacker to obtain sensitive information during the creation of ECDSA signatures to perform a timing-based attack. |
CVE-2024-45643 | Medium | 5.9 | — | 2025-03-14 | IBM Security QRadar 3.12 EDR uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive credential information. |
CVE-2024-56338 | Medium | 4.8 | — | 2025-03-11 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site scripting. |
CVE-2024-52362 | Medium | 4.3 | — | 2025-03-12 | IBM App Connect Enterprise Certified Container 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, and 12.8 could allow an authenticated user to cause a d… |
CVE-2024-45638 | Medium | 4.1 | — | 2025-03-14 | IBM Security QRadar 3.12 EDR stores user credentials in plain text which can be read by a local privileged user. |
CVE-2024-41760 | Low | 3.7 | — | 2025-03-11 | IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow an attacker to obtain sensitive information due to a timing attack during certain RSA operations. |
Logicaldoc · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-54449 | High | 8.8 | — | 2025-03-14 | The API used to interact with documents in the application contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system. |
CVE-2024-54448 | High | 7.2 | — | 2025-03-14 | The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. |
CVE-2024-12020 | Medium | 6.1 | — | 2025-03-14 | There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. |
CVE-2024-54447 | — | — | — | 2025-03-14 | Saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. |
CVE-2024-54446 | — | — | — | 2025-03-14 | Document history functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. |
CVE-2024-54445 | — | — | — | 2025-03-14 | Login functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. |
CVE-2024-12245 | — | — | — | 2025-03-14 | Logout functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. |
CVE-2024-12019 | — | — | — | 2025-03-14 | The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. |
Aitangbao · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2211 | Low | 2.4 | — | 2025-03-11 | A vulnerability was found in aitangbao springboot-manager 3.0 and classified as problematic. |
CVE-2025-2210 | Low | 2.4 | — | 2025-03-11 | A vulnerability has been found in aitangbao springboot-manager 3.0 and classified as problematic. |
CVE-2025-2209 | Low | 2.4 | — | 2025-03-11 | A vulnerability, which was classified as problematic, was found in aitangbao springboot-manager 3.0. |
CVE-2025-2208 | Low | 2.4 | — | 2025-03-11 | A vulnerability, which was classified as problematic, has been found in aitangbao springboot-manager 3.0. |
CVE-2025-2207 | Low | 2.4 | — | 2025-03-11 | A vulnerability classified as problematic was found in aitangbao springboot-manager 3.0. |
CVE-2025-2206 | Low | 2.4 | — | 2025-03-11 | A vulnerability classified as problematic has been found in aitangbao springboot-manager 3.0. |
Gitlab · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1257 | Medium | 6.5 | — | 2025-03-13 | An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. |
CVE-2024-13054 | Medium | 6.5 | — | 2025-03-13 | An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. |
CVE-2024-12380 | Medium | 4.4 | — | 2025-03-13 | An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. |
CVE-2025-0652 | Medium | 4.3 | — | 2025-03-13 | An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access con… |
CVE-2024-8402 | Low | 3.7 | — | 2025-03-13 | An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. |
CVE-2024-7296 | Low | 2.7 | — | 2025-03-13 | An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum… |
Zte · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26704 | Medium | 6.4 | — | 2025-03-11 | Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation. This issue affects GoldenDB: from 6.1.03 through 6.1.03.05. |
CVE-2025-26706 | Medium | 5.4 | — | 2025-03-11 | Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation. This issue affects GoldenDB: from 6.1.03 through 6.1.03.07. |
CVE-2025-26705 | Medium | 5.3 | — | 2025-03-11 | Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation. This issue affects GoldenDB: from 6.1.03 through 6.1.03.05. |
CVE-2025-26707 | Medium | 5.3 | — | 2025-03-11 | Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation. This issue affects GoldenDB: from 6.1.03 through 6.1.03.05. |
CVE-2025-26702 | Medium | 4.9 | — | 2025-03-11 | Improper Input Validation vulnerability in ZTE GoldenDB allows Input Data Manipulation. This issue affects GoldenDB: from 6.1.03 through 6.1.03.04. |
CVE-2025-26703 | Medium | 4.3 | — | 2025-03-11 | Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation. This issue affects GoldenDB: from 6.1.03 through 6.1.03.04. |
Apache · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24813 | Critical | 9.8 | KEV | 2025-03-10 | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. |
CVE-2025-27017 | Medium | 6.5 | — | 2025-03-12 | Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. |
CVE-2025-27867 | Medium | 5.6 | — | 2025-03-12 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. |
CVE-2025-29891 | Medium | 4.8 | — | 2025-03-12 | Bypass/Injection vulnerability in Apache Camel. |
CVE-2025-26865 | Low | 3.5 | — | 2025-03-10 | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. |
Chimpgroup · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11286 | Critical | 9.8 | — | 2025-03-14 | The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. |
CVE-2024-11285 | Critical | 9.8 | — | 2025-03-14 | The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. |
CVE-2024-11284 | Critical | 9.8 | — | 2025-03-14 | The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. |
CVE-2024-12810 | High | 8.8 | — | 2025-03-14 | The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on multiple functions in all versions up to, and including, 7… |
CVE-2024-11283 | High | 7.5 | — | 2025-03-14 | The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. |
Devolutions · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2280 | High | 8.1 | — | 2025-03-13 | Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature. |
CVE-2025-2277 | High | 7.5 | — | 2025-03-13 | Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to inadvertently leak his SSH password due to missing password masking. |
CVE-2025-2278 | Medium | 6.5 | — | 2025-03-13 | Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID. |
CVE-2025-1636 | Medium | 6.5 | — | 2025-03-13 | Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials i… |
CVE-2025-1635 | Medium | 6.5 | — | 2025-03-13 | Exposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to… |
Ge Vernova · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27256 | High | 8.3 | — | 2025-03-10 | Missing Authentication for Critical Function vulnerability in GE Vernova Enervista UR Setup application allows Authentication Bypass due to a missing SSH server authentication. |
CVE-2025-27255 | High | 8.0 | — | 2025-03-10 | Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. |
CVE-2025-27254 | High | 8.0 | — | 2025-03-10 | CWE-282 "Improper Ownership Management" in GE Vernova EnerVista UR Setup allows Authentication Bypass. The software's startup authentication can be disabled by altering a Windows registry setting that any user can modify. |
CVE-2025-27257 | Medium | 6.1 | — | 2025-03-10 | Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware. |
CVE-2025-27253 | Medium | 6.1 | — | 2025-03-10 | A CWE-15 "External Control of System or Configuration Setting" in GE Vernova UR IED family devices from version 7.0 up to 8.60 allows an attacker to provide input that establishes a TCP connection through a port forwarding. |
Mennekes · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22370 | — | — | — | 2025-03-11 | Many fields for the web configuration interface of the firmware for Mennekes Smart / Premium Chargingpoints can be abused to execute arbitrary SQL commands because the values are insufficiently neutralized. |
CVE-2025-22369 | — | — | — | 2025-03-11 | The ReadFile endpoint of the firmware for Mennekes Smart / Premium Chargingpoints can be abused to read arbitrary files from the underlying OS. |
CVE-2025-22368 | — | — | — | 2025-03-11 | The authenticated SCU firmware command of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS commands are improperly neutralized when certain fields are passed to the underlying OS. |
CVE-2025-22367 | — | — | — | 2025-03-11 | The authenticated time setting capability of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS commands are improperly neutralized when certain fields are passed to the underlying OS. |
CVE-2025-22366 | — | — | — | 2025-03-11 | The authenticated firmware update capability of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS commands are improperly neutralized when certain fields are passed to the underlying OS. |
Palo Alto Networks · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0118 | High | 8.0 | — | 2025-03-12 | A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. |
CVE-2025-0114 | High | 7.5 | — | 2025-03-12 | A Denial of Service (DoS) vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software enables an unauthenticated attacker to render the service unavailable by sending a large number of specially crafted packets over a… |
CVE-2025-0117 | — | — | — | 2025-03-12 | A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. |
CVE-2025-0116 | — | — | — | 2025-03-12 | A Denial of Service (DoS) vulnerability in Palo Alto Networks PAN-OS software causes the firewall to unexpectedly reboot when processing a specially crafted LLDP frame sent by an unauthenticated adjacent attacker. |
CVE-2025-0115 | — | — | — | 2025-03-12 | A vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated admin on the PAN-OS CLI to read arbitrary files. |
Rising Technosoft · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29998 | — | — | — | 2025-03-13 | This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. |
CVE-2025-29997 | — | — | — | 2025-03-13 | This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. |
CVE-2025-29996 | — | — | — | 2025-03-13 | This vulnerability exists in the CAP back office application due to improper implementation of OTP verification mechanism in its API based login. |
CVE-2025-29995 | — | — | — | 2025-03-13 | This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. |
CVE-2025-29994 | — | — | — | 2025-03-13 | This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. |
Unknown · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13885 | High | 7.1 | — | 2025-03-13 | The WP e-Customers Beta WordPress plugin through 0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adm… |
CVE-2024-13864 | High | 7.1 | — | 2025-03-11 | The Countdown Timer WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
CVE-2024-13574 | High | 7.1 | — | 2025-03-11 | The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
CVE-2024-13853 | Medium | 6.1 | — | 2025-03-11 | The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
CVE-2024-13580 | Medium | 4.3 | — | 2025-03-11 | The XV Random Quotes WordPress plugin through 1.40 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack. |
Zoom · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27440 | High | 8.5 | — | 2025-03-11 | Heap overflow in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via network access. |
CVE-2025-27439 | High | 8.5 | — | 2025-03-11 | Buffer underflow in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via network access. |
CVE-2025-0151 | High | 8.5 | — | 2025-03-11 | Use after free in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via network access. |
CVE-2025-0150 | High | 7.1 | — | 2025-03-11 | Incorrect behavior order in some Zoom Workplace Apps for iOS before version 6.3.0 may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-0149 | Medium | 6.5 | — | 2025-03-11 | Insufficient verification of data authenticity in some Zoom Workplace Apps may allow an unprivileged user to conduct a denial of service via network access. |
Changeweb · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25614 | High | 8.8 | — | 2025-03-10 | Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation, which allows teachers to update the personal data of fellow teachers. |
CVE-2025-25620 | Medium | 5.4 | — | 2025-03-10 | Unifiedtransform 2.0 is vulnerable to Cross Site Scripting (XSS) in the Create assignment function. |
CVE-2025-25616 | Medium | 4.3 | — | 2025-03-10 | Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows students to modify rules for exams. |
CVE-2025-25615 | Low | 2.7 | — | 2025-03-10 | Unifiedtransform 2.0 is vulnerable to Incorrect Access Control which allows viewing attendance list for all class sections. |
Hdfgroup · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2310 | Medium | 5.3 | — | 2025-03-14 | A vulnerability was found in HDF5 1.14.6 and classified as critical. |
CVE-2025-2309 | Medium | 5.3 | — | 2025-03-14 | A vulnerability has been found in HDF5 1.14.6 and classified as critical. |
CVE-2025-2308 | Medium | 5.3 | — | 2025-03-14 | A vulnerability, which was classified as critical, was found in HDF5 1.14.6. |
CVE-2025-2153 | Medium | 5.0 | — | 2025-03-10 | A vulnerability, which was classified as critical, was found in HDF5 1.14.6. |
Mrcms · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2193 | Medium | 5.4 | — | 2025-03-11 | A vulnerability has been found in MRCMS 3.1.2 and classified as critical. |
CVE-2025-2196 | Low | 3.5 | — | 2025-03-11 | A vulnerability was found in MRCMS 3.1.2. |
CVE-2025-2195 | Low | 3.5 | — | 2025-03-11 | A vulnerability was found in MRCMS 3.1.2. |
CVE-2025-2194 | Low | 3.5 | — | 2025-03-11 | A vulnerability was found in MRCMS 3.1.2 and classified as problematic. |
Santesoft · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2263 | Critical | 9.8 | — | 2025-03-13 | During login to the web server in "Sante PACS Server.exe", OpenSSL function EVP_DecryptUpdate is called to decrypt the username and password. |
CVE-2025-2265 | High | 7.8 | — | 2025-03-13 | The password of a web user in "Sante PACS Server.exe" is zero-padded to 0x2000 bytes, SHA1-hashed, base64-encoded, and stored in the USER table in the SQLite database HTTP.db. |
CVE-2025-2284 | High | 7.5 | — | 2025-03-13 | A denial-of-service vulnerability exists in the "GetWebLoginCredentials" function in "Sante PACS Server.exe". |
CVE-2025-2264 | High | 7.5 | — | 2025-03-13 | A Path Traversal Information Disclosure vulnerability exists in "Sante PACS Server.exe". |
Bitdefender · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13871 | High | 8.8 | — | 2025-03-12 | A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). |
CVE-2024-13872 | High | 7.5 | — | 2025-03-12 | Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. |
CVE-2024-13870 | Medium | 5.7 | — | 2025-03-12 | An improper access control vulnerability exists in Bitdefender Box 1 (firmware version 1.3.52.928 and below) that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable version of a Bitdef… |
Dataease · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27138 | Critical | 9.8 | — | 2025-03-13 | DataEase is an open source business intelligence and data visualization tool. |
CVE-2025-27103 | Medium | 6.5 | — | 2025-03-13 | DataEase is an open source business intelligence and data visualization tool. |
CVE-2025-24974 | Medium | 6.5 | — | 2025-03-13 | DataEase is an open source business intelligence and data visualization tool. |
Datalust · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27912 | High | 8.8 | — | 2025-03-11 | An issue was discovered in Datalust Seq before 2024.3.13545. |
CVE-2025-27911 | Medium | 6.5 | — | 2025-03-11 | An issue was discovered in Datalust Seq before 2024.3.13545. |
CVE-2024-58102 | Medium | 5.7 | — | 2025-03-11 | An issue was discovered in Datalust Seq before 2024.3.13545. |
Digitaldruid · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25748 | High | 7.3 | — | 2025-03-11 | A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of origin or referrer va… |
CVE-2025-25749 | High | 7.1 | — | 2025-03-11 | An issue in HotelDruid version 3.0.7 and earlier allows users to set weak passwords due to the lack of enforcement of password strength policies. |
CVE-2025-25747 | Medium | 5.4 | — | 2025-03-11 | Cross Site Scripting vulnerability in DigitalDruid HotelDruid v.3.0.7 allows an attacker to execute arbitrary code and obtain sensitive information via the ripristina_backup parameter in the crea_backup.php endpoint. |
Netapp · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25292 | Critical | 9.8 | — | 2025-03-12 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. |
CVE-2025-25291 | Critical | 9.8 | — | 2025-03-12 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. |
CVE-2025-29768 | Medium | 4.4 | — | 2025-03-13 | Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. |
Nintex · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27925 | High | 8.5 | — | 2025-03-10 | Nintex Automation 5.6 and 5.7 before 5.8 has insecure deserialization of user input. |
CVE-2025-27924 | Medium | 5.4 | — | 2025-03-10 | Nintex Automation 5.6 and 5.7 before 5.8 has a stored XSS issue associated with the "Navigate to a URL" action. |
CVE-2025-27926 | Medium | 4.3 | — | 2025-03-10 | In Nintex Automation 5.6 and 5.7 before 5.8, the K2 SmartForms Designer folder has configuration files (web.config) containing passwords that are readable by unauthorized users. |
Optigo Networks · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2081 | — | — | — | 2025-03-13 | Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients. |
CVE-2025-2080 | — | — | — | 2025-03-13 | Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities… |
CVE-2025-2079 | — | — | — | 2025-03-13 | Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. |
Pagelayer · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2104 | Medium | 4.3 | — | 2025-03-13 | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1… |
CVE-2024-13430 | Medium | 4.3 | — | 2025-03-12 | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient res… |
CVE-2025-1926 | Medium | 4.3 | — | 2025-03-10 | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. |
Schneider Electric · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1960 | Critical | 9.8 | — | 2025-03-12 | CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an attacker to execute unauthorized commands when a system’s default password credentials have not been changed on first use. |
CVE-2025-0813 | Medium | 6.8 | — | 2025-03-12 | CWE-287: Improper Authentication vulnerability exists that could cause an Authentication Bypass when an unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to reboot the workstation and inter… |
CVE-2025-2002 | Medium | 6.0 | — | 2025-03-12 | CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an administrative user and… |
Sick Ag · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27595 | Critical | 9.8 | — | 2025-03-14 | The device uses a weak hashing algorithm to create the password hash. |
CVE-2025-27593 | Critical | 9.3 | — | 2025-03-14 | The product can be used to distribute malicious code using SDD Device Drivers due to missing download verification checks, leading to code execution on target systems. |
CVE-2025-27594 | High | 7.5 | — | 2025-03-14 | The device uses an unencrypted, proprietary protocol for communication. |
Uxper · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13771 | Critical | 9.8 | — | 2025-03-14 | The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. |
CVE-2024-13773 | High | 7.3 | — | 2025-03-14 | The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. |
CVE-2024-13772 | Medium | 5.6 | — | 2025-03-14 | The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. |
Zyxel · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12010 | High | 7.2 | — | 2025-03-11 | A post-authentication command injection vulnerability in the "zyUtilMailSend" function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier could allow an authenticated attacker with administrator privileges to execute ope… |
CVE-2024-12009 | High | 7.2 | — | 2025-03-11 | A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating sys… |
CVE-2024-11253 | High | 7.2 | — | 2025-03-11 | A post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator… |
Ami · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-54085 | Critical | 9.8 | KEV | 2025-03-11 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. |
CVE-2024-54084 | High | 7.5 | — | 2025-03-11 | APTIOV contains a vulnerability in BIOS where an attacker may cause a Time-of-check Time-of-use (TOCTOU) Race Condition by local means. |
Andreafarracani · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1487 | High | 7.1 | — | 2025-03-13 | The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin |
CVE-2025-1486 | High | 7.1 | — | 2025-03-13 | The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin |
Arielbrailovsky · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2107 | High | 7.5 | — | 2025-03-13 | The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the printResultAndDie() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parame… |
CVE-2025-2106 | High | 7.5 | — | 2025-03-13 | The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied param… |
Assimp · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2152 | Medium | 6.3 | — | 2025-03-10 | A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. |
CVE-2025-2151 | Medium | 6.3 | — | 2025-03-10 | A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. |
Castlenet · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2213 | Low | 2.4 | — | 2025-03-11 | A vulnerability was found in Castlenet CBW383G2N up to 20250301. |
CVE-2025-2212 | Low | 2.4 | — | 2025-03-11 | A vulnerability was found in Castlenet CBW383G2N up to 20250301. |
Celk · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55199 | Medium | 5.4 | — | 2025-03-10 | A Stored Cross Site Scripting (XSS) vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to store JavaScript code inside a PDF file through the file upload feature. |
CVE-2024-55198 | Medium | 5.3 | — | 2025-03-13 | User Enumeration via Discrepancies in Error Messages in the Celk Sistemas Celk Saude v.3.1.252.1 password recovery functionality which allows a remote attacker to enumerate users through discrepancies in the responses. |
Cmsol · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26163 | Critical | 9.8 | — | 2025-03-14 | CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter. |
CVE-2025-30022 | Medium | 6.8 | — | 2025-03-14 | CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the DATANASC parameter. |
Davidosipov · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29780 | — | — | — | 2025-03-14 | Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. |
CVE-2025-29779 | — | — | — | 2025-03-14 | Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. |
Debian · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27363 | High | 8.1 | KEV | 2025-03-11 | An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
CVE-2023-52927 | High | 7.8 | — | 2025-03-14 | In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. |
Gallagher · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-41724 | High | 8.7 | — | 2025-03-10 | Improper Certificate Validation (CWE-295) in the Gallagher Command Centre SALTO integration allowed an attacker to spoof the SALTO server. |
CVE-2024-43107 | High | 7.2 | — | 2025-03-10 | Improper Certificate Validation (CWE-295) in the Gallagher Milestone Integration Plugin (MIP) permits unauthenticated messages (e.g. |
Jetbrains · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29904 | Medium | 5.3 | — | 2025-03-12 | In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible |
CVE-2025-29903 | Medium | 5.2 | — | 2025-03-12 | In JetBrains Runtime before 21.0.6b872.80 arbitrary dynamic library execution due to insecure macOS flags was possible |
Jwpegram · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28871 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Stored XSS. This issue affects Block Spam By Math Reloaded: from n… |
CVE-2025-28872 | Medium | 5.3 | — | 2025-03-11 | Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Block Spam By Math Reloaded: from n/a through <= 2.2… |
Kubernetes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1767 | Medium | 6.5 | — | 2025-03-13 | This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. |
CVE-2024-9042 | Medium | 5.9 | — | 2025-03-13 | This CVE affects only Windows worker nodes. |
Laravel · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13919 | High | 8.0 | — | 2025-03-10 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page. |
CVE-2024-13918 | High | 8.0 | — | 2025-03-10 | The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. |
Linuxfoundation · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2148 | Medium | 5.0 | — | 2025-03-10 | A vulnerability was found in PyTorch 2.6.0+cu124. |
CVE-2025-2149 | Low | 2.5 | — | 2025-03-10 | A vulnerability was found in PyTorch 2.6.0+cu124. |
Lovecards · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2219 | High | 7.3 | — | 2025-03-12 | A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. |
CVE-2025-2218 | Medium | 5.3 | — | 2025-03-12 | A vulnerability has been found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. |
Mmaitre314 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1945 | Critical | 9.8 | — | 2025-03-10 | picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. |
CVE-2025-1944 | Medium | 6.5 | — | 2025-03-10 | picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. |
Mozilla · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26696 | High | 7.0 | — | 2025-03-10 | Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. |
CVE-2025-26695 | Medium | 5.3 | — | 2025-03-10 | When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. |
Node-saml · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29775 | — | — | — | 2025-03-14 | xml-crypto is an XML digital signature and encryption library for Node.js. |
CVE-2025-29774 | — | — | — | 2025-03-14 | xml-crypto is an XML digital signature and encryption library for Node.js. |
Obiba · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27792 | — | — | — | 2025-03-11 | Opal is OBiBa’s core database application for biobanks or epidemiological studies. |
CVE-2025-27101 | — | — | — | 2025-03-11 | Opal is OBiBa’s core database application for biobanks or epidemiological studies. |
Opentext™ · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0884 | — | — | — | 2025-03-12 | Unquoted Search Path or Element vulnerability in OpenText™ Service Manager. The vulnerability could allow a user to gain SYSTEM privileges through Privilege Escalation. |
CVE-2025-0883 | — | — | — | 2025-03-12 | Improper Neutralization of Script in an Error Message Web Page vulnerability in OpenText™ Service Manager. The vulnerability could reveal sensitive information retained by the browser. |
Philips · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2230 | High | 7.7 | — | 2025-03-13 | A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass. |
CVE-2025-2229 | High | 7.7 | — | 2025-03-13 | A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations. |
Red Hat · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8176 | High | 7.5 | — | 2025-03-14 | A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. |
CVE-2025-2240 | High | 7.5 | — | 2025-03-12 | A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. |
Rivercitygraphix · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1436 | High | 7.1 | — | 2025-03-13 | The Limit Bio WordPress plugin through 1.0 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
CVE-2024-13884 | High | 7.1 | — | 2025-03-13 | The Limit Bio WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin |
Shanebp · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28874 | Medium | 6.5 | — | 2025-03-11 | Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templa… |
CVE-2025-28875 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Stored XSS. This issue affects BP Email Assign Templates: from n/a thro… |
Themeum · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1508 | Medium | 5.3 | — | 2025-03-12 | The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. |
CVE-2024-13228 | Medium | 4.3 | — | 2025-03-11 | The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. |
Umbraco · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27602 | Medium | 4.9 | — | 2025-03-11 | Umbraco is a free and open source .NET content management system. |
CVE-2025-27601 | Medium | 4.3 | — | 2025-03-11 | Umbraco is a free and open source .NET content management system. |
Xmlsoft · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24855 | High | 7.8 | — | 2025-03-14 | numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. |
CVE-2024-55549 | High | 7.8 | — | 2025-03-14 | xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. |
Zzskzy · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2217 | Medium | 6.3 | — | 2025-03-12 | A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 1.3. |
CVE-2025-2216 | Medium | 6.3 | — | 2025-03-12 | A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. |
1e · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1683 | High | 7.8 | — | 2025-03-12 | Improper link resolution before file access in the Nomad module of the 1E Client, in versions prior to 25.3, enables an attacker with local unprivileged access on a Windows system to delete arbitrary files on the device by exploiting symbo… |
274056675 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2320 | High | 7.3 | — | 2025-03-14 | A vulnerability has been found in 274056675 springboot-openai-chatgpt e84f6f5 and classified as critical. |
A. Chappard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28927 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in A. |
A. Jones · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28918 | Medium | 6.5 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. |
A2rocklobster · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28892 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in a2rocklobster FTP Sync ftp-sync allows Stored XSS. This issue affects FTP Sync: from n/a through <= 1.1.6. |
Abocms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-37787 | Medium | 6.5 | — | 2025-03-11 | The unprivileged administrative interface in ABO.CMS version 5.8 through v.5.9.3 is affected by a SQL Injection vulnerability via a HTTP POST request to the TinyMCE module |
Aftab Ali Muni · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28913 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Aftab Ali Muni WP Add Active Class To Menu Item wp-add-active-class-to-menu-item allows Cross Site Request Forgery. This issue affects WP Add Active Class To Menu Item: from n/a through <=… |
Agpt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22603 | High | 8.1 | — | 2025-03-10 | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. |
Ajay Sharma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28914 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Sharma wordpress login form to anywhere wp-show-login-form allows Stored XSS. This issue affects wordpress login form to anywhere: fr… |
Akshar Soft Solutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28896 | Medium | 4.7 | — | 2025-03-11 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Akshar Soft Solutions AS English Admin as-english-admin allows Phishing. This issue affects AS English Admin: from n/a through <= 1.0.0. |
Amentotech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13446 | Critical | 9.8 | — | 2025-03-12 | The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. |
Amocrm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28870 | Medium | 6.5 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in amocrm amoCRM WebForm amocrm-webform allows DOM-Based XSS. This issue affects amoCRM WebForm: from n/a through <= 1.1. |
Analyticswp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13321 | High | 7.5 | — | 2025-03-14 | The AnalyticsWP plugin for WordPress is vulnerable to SQL Injection via the 'custom_sql' parameter in all versions up to, and including, 2.0.0 due to insufficient authorization checks on the handle_get_stats() function. |
Anps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13376 | High | 8.8 | — | 2025-03-14 | The Industrial theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the _ajax_get_total_content_import_items() function in all versions up to, and… |
Apppresser · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1561 | High | 7.2 | — | 2025-03-13 | The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. |
Archer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27893 | Low | 1.8 | — | 2025-03-11 | In Archer Platform 6 through 6.14.00202.10024, an authenticated user with record creation privileges can manipulate immutable fields, such as the creation date, by intercepting and modifying a Copy request via a GenericContent/Record.aspx?… |
Areal Sas · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1434 | Medium | 6.1 | — | 2025-03-11 | The Spreadsheet view is vulnerable to a XSS attack, where a remote unauthorised attacker can read a limited amount of values or DoS the affected spreadsheet. |
Arkapravamajumder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28940 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in arkapravamajumder Back To Top backtotop allows Cross Site Request Forgery. This issue affects Back To Top: from n/a through <= 2.0. |
Aumsrini · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28879 | Medium | 6.5 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aumsrini Bee Layer Slider bee-layer-slider allows Stored XSS. This issue affects Bee Layer Slider: from n/a through <= 1.1. |
Avid · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-26290 | — | — | — | 2025-03-12 | Improper Input Validation vulnerability in Avid Avid NEXIS E-series on Linux, Avid Avid NEXIS F-series on Linux, Avid Avid NEXIS PRO+ on Linux, Avid System Director Appliance (SDA+) on Linux allows code execution on underlying operating sy… |
Babel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27789 | Medium | 6.2 | — | 2025-03-11 | Babel is a compiler for writing next generation JavaScript. |
Bcs Website Solutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28932 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in BCS Website Solutions Insert Code insert-code allows Stored XSS. This issue affects Insert Code: from n/a through <= 2.4. |
Beeteam368 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0955 | Medium | 5.3 | — | 2025-03-14 | The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. |
Beijing Zhide Intelligent Internet Technology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2147 | Medium | 5.3 | — | 2025-03-10 | A vulnerability was found in Beijing Zhide Intelligent Internet Technology Modern Farm Digital Integrated Management System 1.0. |
Benjamin Pick · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28902 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button contact-form-7-select-box-editor-button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button… |
Bhzad · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28861 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker wpjqp-datepicker allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through <= 0.1.0. |
Bjoern · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28938 | Medium | 4.3 | — | 2025-03-11 | Missing Authorization vulnerability in Bjoern WP Performance Pack wp-performance-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through <= 2.5.3. |
Bmc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-34398 | Medium | 4.2 | — | 2025-03-12 | An issue was discovered in BMC Remedy Mid Tier 7.6.04. |
Brechtvds · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1503 | Medium | 6.4 | — | 2025-03-13 | The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. |
Canvg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25977 | Critical | 9.8 | — | 2025-03-10 | An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement. |
Carlos Minatti · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28863 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image delete-original-image allows Cross Site Request Forgery. This issue affects Delete Original Image: from n/a through <= 0.4. |
Chaser324 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28905 | High | 7.1 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaser324 Featured Posts Grid featured-posts-grid allows Stored XSS. This issue affects Featured Posts Grid: from n/a through <= 1.7. |
Claro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2191 | Low | 2.4 | — | 2025-03-11 | A vulnerability, which was classified as problematic, has been found in Claro A7600-A1 RNR4-A72T-2x16_v2110403_CLA_32_160817. |
Clearcodehq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1559 | Medium | 6.4 | — | 2025-03-13 | The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied… |
Cmsmasters · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0952 | High | 8.1 | — | 2025-03-14 | The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX… |
Codename065 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1785 | Medium | 5.4 | — | 2025-03-13 | The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. |
Codevibrant · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28859 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in CodeVibrant Maintenance Notice maintenance-notice allows Cross Site Request Forgery. This issue affects Maintenance Notice: from n/a through <= 1.0.6. |
Concrete Cms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0660 | Medium | 4.8 | — | 2025-03-10 | Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function. The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security te… |
Condenast · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28868 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe ziplist-recipe-plugin allows Cross Site Request Forgery. This issue affects ZipList Recipe: from n/a through <= 3.1. |
Creativemindssolutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2166 | Medium | 6.1 | — | 2025-03-14 | The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and… |
Croixhaug · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1119 | High | 7.3 | — | 2025-03-13 | The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. |
Cyclopsmc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27107 | — | — | — | 2025-03-13 | Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. |
Dangrossman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28856 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats blog-stats-by-w3counter allows Cross Site Request Forgery. This issue affects W3Counter Free Real-Time Web Stats: from n/a through <= 4.1. |
Dell · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21104 | Medium | 4.3 | — | 2025-03-13 | Dell NetWorker, versions prior to 19.11.0.4 and version 19.12, contains a URL Redirection to Untrusted Site ('Open Redirect') Vulnerability in NetWorker Management Console. |
Demergent-labs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29776 | — | — | — | 2025-03-14 | Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. |
Detheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1526 | Medium | 6.4 | — | 2025-03-14 | The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and out… |
Devitemsllc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1527 | Medium | 6.4 | — | 2025-03-12 | The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown modul… |
Devrix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28931 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in DevriX Hashtags wp-hashtags allows Stored XSS. This issue affects Hashtags: from n/a through <= 0.3.2. |
Djeet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12589 | Medium | 6.4 | — | 2025-03-12 | The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the countdown timer in all versions up to, and including, 2.19.0 due to insufficient input s… |
Duogeek · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2077 | Medium | 6.1 | — | 2025-03-12 | The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. |
Eclipse · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10838 | Critical | 9.1 | — | 2025-03-12 | An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. |
Edwardw · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28909 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in edwardw WP No-Bot Question wp-no-bot-question allows Cross Site Request Forgery. This issue affects WP No-Bot Question: from n/a through <= 0.1.7. |
Element · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27606 | Medium | 5.1 | — | 2025-03-14 | Element Android is an Android Matrix Client provided by Element. |
Espressif · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-53406 | High | 8.8 | — | 2025-03-13 | Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. |
Evisions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-53307 | Medium | 5.4 | — | 2025-03-10 | A reflected cross-site scripting (XSS) vulnerability in the /mw/ endpoint of Evisions MAPS v6.10.2.267 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. |
Facebook · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27591 | Medium | 6.8 | — | 2025-03-11 | A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. |
Fastmover · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28887 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Fastmover Plugins Last Updated Column plugins-last-updated-column allows Cross Site Request Forgery. This issue affects Plugins Last Updated Column: from n/a through <= 0.1.3. |
Flarum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27794 | Medium | 6.8 | — | 2025-03-12 | Flarum is open-source forum software. |
Forsyspress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13836 | High | 7.1 | — | 2025-03-11 | The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
Frazahmed · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13413 | Medium | 6.1 | — | 2025-03-11 | The ProductDyno plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘res’ parameter in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. |
Freshface · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26936 | Critical | 10.0 | — | 2025-03-10 | Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Fresh Framework fresh-framework allows Code Injection. This issue affects Fresh Framework: from n/a through <= 1.70.0. |
Froxlor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29773 | Medium | 5.8 | — | 2025-03-13 | Froxlor is open-source server administration software. |
Frucomerci · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28894 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a… |
Fs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25625 | Medium | 5.4 | — | 2025-03-13 | A stored cross-site scripting vulnerability exists in FS model S3150-8T2F switches running firmware s3150-8t2f-switch-fsos-220d_118101 and web firmware v2.2.2, which allows an authenticated web interface user to bypass input filtering on u… |
Ftcms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2133 | Low | 2.4 | — | 2025-03-10 | A vulnerability classified as problematic was found in ftcms 2.1. |
Gallagherwebsitedesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0629 | Medium | 4.8 | — | 2025-03-11 | The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the u… |
Gkdv · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2078 | Medium | 4.4 | — | 2025-03-12 | The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. |
Glpi-project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26626 | Medium | 6.5 | — | 2025-03-14 | The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. |
Gnarf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2076 | Medium | 4.4 | — | 2025-03-12 | The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. |
Go-vela · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27616 | High | 8.5 | — | 2025-03-10 | Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. |
Golang.org/x/net · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22870 | Medium | 4.4 | — | 2025-03-12 | Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. |
Gtbabel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11638 | High | 8.8 | — | 2025-03-10 | The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL to perform code analysis upon belongs to the blog which could allow unauthenticated attackers to retrieve a logged in user (such as admin) cookies by making them open a… |
Hashicorp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1296 | Medium | 6.5 | — | 2025-03-10 | Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. |
Hcl Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-30143 | Medium | 4.3 | — | 2025-03-13 | HCL AppScan Traffic Recorder fails to adequately neutralize special characters within the filename, potentially allowing it to resolve to a location beyond the restricted directory. |
Hgiga · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2150 | Medium | 5.4 | — | 2025-03-10 | The C&Cm@il from HGiga has a Stored Cross-Site Scripting (XSS) vulnerability, allowing remote attackers with regular privileges to send emails containing malicious JavaScript code, which will be executed in the recipient's browser when the… |
Hiddenpearls · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1764 | High | 7.5 | — | 2025-03-14 | The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. |
Hieu Nguyen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28925 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Hieu Nguyen WATI Chat and Notification wati-chat-and-notification allows Stored XSS. This issue affects WATI Chat and Notification: from n/a through <= 1.1.2. |
Hillstone Networks · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2239 | Medium | 5.3 | — | 2025-03-12 | Generation of Error Message Containing Sensitive Information vulnerability in Hillstone Networks Hillstone Next Generation FireWall. This issue affects Hillstone Next Generation FireWall: from 5.5R8P1 before 5.5R8P23. |
Hp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2268 | High | 7.5 | — | 2025-03-14 | The HP LaserJet MFP M232-M237 Printer Series may be vulnerable to a denial of service attack when a specially crafted request message is sent via Internet Printing Protocol (IPP). |
Ikm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25382 | High | 7.5 | — | 2025-03-10 | An issue in the Property Tax Payment Portal in Information Kerala Mission SANCHAYA v3.0.4 allows attackers to arbitrarily modify payment amounts via a crafted request. |
Inovalogic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25598 | High | 8.8 | — | 2025-03-13 | Incorrect access control in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) v3.1.757.1 allows attackers to escalate privileges via placing a crafted executable into a scheduled task. |
Instawp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13913 | High | 8.8 | — | 2025-03-14 | The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. |
Iqonic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26910 | High | 7.1 | — | 2025-03-10 | Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS. This issue affects WPBookit: from n/a through <= 1.0.1. |
Irontemplates · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2103 | High | 8.8 | — | 2025-03-14 | The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.1… |
Issuetrak · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2271 | High | 7.7 | — | 2025-03-13 | A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference (IDOR) vulnerability in the Issuetrak audit component. |
Italtel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28803 | Medium | 6.1 | — | 2025-03-13 | Cross-site scripting (XSS) vulnerability in Italtel S.p.A. |
Ivanti · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22454 | High | 7.8 | — | 2025-03-11 | Insufficiently restrictive permissions in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges. |
Jazzigor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28891 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in jazzigor price-calc price-calc allows Stored XSS. This issue affects price-calc: from n/a through <= 0.6.3. |
Jitbit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29771 | — | — | — | 2025-03-14 | HtmlSanitizer is a client-side HTML Sanitizer. |
Jogesh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28920 | Medium | 5.3 | — | 2025-03-11 | Missing Authorization vulnerability in Jogesh Responsive Google Map responsive-google-map allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Google Map: from n/a through <= 3.1.5. |
Johndarrel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2056 | High | 7.5 | — | 2025-03-14 | The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. |
Jonschlinkert · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25975 | High | 7.5 | — | 2025-03-12 | An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function. |
Joomla! Project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22213 | — | — | — | 2025-03-11 | Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions. |
Jouni Malinen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24912 | Low | 3.7 | — | 2025-03-12 | hostapd fails to process crafted RADIUS packets properly. |
Juniper · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21590 | Medium | 4.4 | KEV | 2025-03-12 | An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device. |
Koha · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22954 | Critical | 10.0 | — | 2025-03-12 | GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. |
Labredescefetrj · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29782 | Medium | 5.4 | — | 2025-03-14 | WeGIA is a web manager for charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_tipo_docs_atendido.php` endpoint in versions of the WeGIA application prior to 3.2.17. |
Lavacode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28937 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search lava-ajax-search allows Stored XSS. This issue affects Lava Ajax Search: from n/a through <= 1.1.9. |
Leica Biosystems · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1888 | Medium | 4.6 | — | 2025-03-14 | The Leica Web Viewer within the Aperio Eslide Manager Application is vulnerable to reflected cross-site scripting (XSS). |
Lf-edge · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52812 | Medium | 5.4 | — | 2025-03-10 | LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. |
Librasean · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28607 | Low | 2.9 | — | 2025-03-11 | The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value. |
Lsc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25680 | High | 7.7 | — | 2025-03-11 | LSC Smart Connect LSC Indoor PTZ Camera 7.6.32 contains an RCE vulnerability in the tuya_ipc_direct_connect function of the anyka_ipc process. |
Martin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28883 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Martin WP Compare Tables wp-compare-tables allows Stored XSS. This issue affects WP Compare Tables: from n/a through <= 1.0.5. |
Maxfoundry · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28933 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in maxfoundry MaxA/B maxab allows Stored XSS. This issue affects MaxA/B: from n/a through <= 2.2.2. |
Mg12 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28881 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in mg12 Mobile Themes wp-mobile-themes allows Cross Site Request Forgery. This issue affects Mobile Themes: from n/a through <= 1.1.1. |
Microweber · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2214 | Low | 3.5 | — | 2025-03-12 | A vulnerability was found in Microweber 2.0.19. |
Misskey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25306 | Critical | 9.3 | — | 2025-03-10 | Misskey is an open source, federated social media platform. |
Mljar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1497 | Critical | 9.8 | — | 2025-03-10 | A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. |
Modx · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28010 | Medium | 5.4 | — | 2025-03-13 | A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. |
Mogify Infotech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2189 | — | — | — | 2025-03-11 | This vulnerability exists in the Tinxy smart devices due to storage of credentials in plaintext within the device firmware. |
Mooveagency · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2205 | Medium | 4.4 | — | 2025-03-12 | The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insuffic… |
Muntasir Rahman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28912 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Muntasir Rahman Custom Dashboard Page custom-dashboard-page allows Cross Site Request Forgery. This issue affects Custom Dashboard Page: from n/a through <= 1.0. |
Mylo2h2s · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28943 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mylo2h2s DP ALTerminator - Missing ALT manager dp-alterminator-missing-alt-manager allows Stored XSS. This issue affects DP ALTerminator -… |
Naren · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28901 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Naren Members page only for logged in users members-page-only-for-logged-in-users allows Stored XSS. This issue affects Members page only for logged in users: from n/a through <= 1.4.2. |
Nitin Prakash · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26933 | High | 7.5 | — | 2025-03-10 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nitin Prakash WC Place Order Without Payment wc-place-order-without-payment allows PHP Local File Inclusion. This issue… |
Odyssey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2220 | Low | 3.3 | — | 2025-03-12 | A vulnerability was found in Odyssey CMS up to 10.34. |
Ohtan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28941 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in ohtan Spam Byebye spam-byebye allows Cross Site Request Forgery. This issue affects Spam Byebye: from n/a through <= 2.2.4. |
Omniauth · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25293 | High | 7.5 | — | 2025-03-12 | ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. |
Omnipressteam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13407 | Medium | 4.3 | — | 2025-03-14 | The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included. |
Otrs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24387 | Medium | 4.8 | — | 2025-03-10 | A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. |
Owen2345 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2304 | — | — | — | 2025-03-14 | A Privilege Escalation through a Mass Assignment exists in Camaleon CMS. When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. |
Passbolt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27913 | High | 7.5 | — | 2025-03-10 | Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header. |
Pdf-xchange · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0900 | Low | 3.3 | — | 2025-03-11 | PDF-XChange Editor PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. |
Percona · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26701 | Critical | 10.0 | — | 2025-03-11 | An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. |
Perl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1828 | High | 8.8 | — | 2025-03-11 | Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions. |
Philippe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28923 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in philippe No Disposable Email no-disposable-email allows Stored XSS. This issue affects No Disposable Email: from n/a through <= 2.5.1. |
Pimcore · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27617 | High | 8.8 | — | 2025-03-11 | Pimcore is an open source data and experience management platform. |
Pipdig · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28908 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pipdig pipDisqus pipdisqus allows Stored XSS. This issue affects pipDisqus: from n/a through <= 1.6. |
Pixflow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26916 | Critical | 9.0 | — | 2025-03-10 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pixflow Massive Dynamic massive-dynamic. This issue affects Massive Dynamic: from n/a through <= 8.2. |
Planetstudio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28864 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in planetstudio Builder for Contact Form 7 by Webconstruct cf7-builder allows Cross Site Request Forgery. This issue affects Builder for Contact Form 7 by Webconstruct: from n/a through <= 1.2… |
Pluginus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1661 | Critical | 9.8 | — | 2025-03-11 | The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. |
Popeating · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28926 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in popeating Post Read Time post-read-time allows Stored XSS. This issue affects Post Read Time: from n/a through <= 1.2.6. |
Potenzaglobalsolutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13824 | Critical | 9.8 | — | 2025-03-14 | The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_co… |
Ppdpurveyor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28860 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator google-news-editors-picks-news-feeds allows Stored XSS. This issue affects Google News Editors Picks Feed Generator: from n/a through <=… |
Purethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2232 | Critical | 9.8 | — | 2025-03-14 | The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. |
Rack · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27610 | High | 7.5 | — | 2025-03-10 | Rack provides an interface for developing web applications in Ruby. |
Rahul Arora · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28907 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahul Arora WP Last Modified wp-last-modified allows Stored XSS. This issue affects WP Last Modified: from n/a through <= 0.1. |
Rajesh Kumar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28884 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Rajesh Kumar WP Bulk Post Duplicator wp-bulk-post-duplicator allows Cross Site Request Forgery. This issue affects WP Bulk Post Duplicator: from n/a through <= 1.2. |
Rankchecker · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28857 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in rankchecker Rankchecker.io Integration rankchecker-io-integration allows Stored XSS. This issue affects Rankchecker.io Integration: from n/a through <= 1.0.9. |
Ratify-project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27403 | — | — | — | 2025-03-11 | Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. |
Ravinder Khurana · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28910 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Ravinder Khurana WP Hide Admin Bar wp-hide-admin-bar allows Cross Site Request Forgery. This issue affects WP Hide Admin Bar: from n/a through <= 2.0. |
Realmag777 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2169 | High | 7.3 | — | 2025-03-11 | The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. |
Rmosolgo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27407 | Critical | 9.0 | — | 2025-03-12 | graphql-ruby is a Ruby implementation of GraphQL. |
Robothy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27136 | — | — | — | 2025-03-10 | LocalS3 is an Amazon S3 mock service for testing and local development. |
Rodolphe Moulin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28930 | Medium | 6.5 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rodolphe MOULIN List Mixcloud list-mixcloud allows Stored XSS. This issue affects List Mixcloud: from n/a through <= 1.4. |
Ruby · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27788 | High | 7.5 | — | 2025-03-12 | JSON is a JSON implementation for Ruby. |
S-a · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1401 | High | 7.1 | — | 2025-03-13 | The WP Click Info WordPress plugin through 2.7.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
S3bubble · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13862 | High | 7.1 | — | 2025-03-11 | The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through 8.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could b… |
Sakurapixel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28936 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar lunar-sell-photos-online allows Stored XSS. This issue affects Lunar: from n/a through <= 1.3.0. |
Samsung · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2233 | High | 8.8 | — | 2025-03-11 | Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. |
Sap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25245 | Medium | 5.4 | — | 2025-03-11 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. |
Scheduler · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13891 | High | 7.1 | — | 2025-03-13 | The Schedule WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
Search & Filter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1528 | Medium | 4.3 | — | 2025-03-14 | The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_meta_values' function in all versions up to, and including, 2.5.19. |
Sendquick · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26312 | — | — | — | 2025-03-14 | SendQuick Entera devices before 11HF5 are vulnerable to CAPTCHA bypass by removing the Captcha parameter. |
Servmask · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10942 | High | 7.5 | — | 2025-03-13 | The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. |
ShareThis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1507 | Medium | 5.3 | — | 2025-03-14 | The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. |
Shellbot · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28919 | Medium | 6.5 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display easy-image-display allows Stored XSS. This issue affects Easy Image Display: from n/a through <= 1.2.5. |
SimpleSAMLphp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27773 | High | 8.6 | — | 2025-03-11 | The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. |
Skrill · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28876 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Skrill_Team Skrill Official official-skrill-woocommerce allows Cross Site Request Forgery. This issue affects Skrill Official: from n/a through <= 1.0.66. |
Smartdatasoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1285 | Medium | 5.3 | — | 2025-03-14 | The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. |
Smerriman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28866 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in smerriman Login Logger login-logger allows Cross Site Request Forgery. This issue affects Login Logger: from n/a through <= 1.2.1. |
Sminozzi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2250 | Medium | 4.9 | — | 2025-03-13 | The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on… |
Snowflake · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27496 | Low | 3.3 | — | 2025-03-13 | Snowflake, a platform for using artificial intelligence in the context of cloud computing, has a vulnerability in the Snowflake JDBC driver ("Driver") in versions 3.0.13 through 3.23.0 of the driver. |
Socialsnap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13615 | Low | 3.5 | — | 2025-03-11 | The Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap WordPress plugin through 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to p… |
Stesvis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28867 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in stesvis Frontpage category filter frontpage-category-filter allows Cross Site Request Forgery. This issue affects Frontpage category filter: from n/a through <= 1.0.2. |
Steveorevo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28897 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Steveorevo Domain Theme domain-theme allows Stored XSS. This issue affects Domain Theme: from n/a through <= 1.3. |
Stoque · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2192 | Medium | 4.3 | — | 2025-03-11 | A vulnerability, which was classified as problematic, was found in Stoque Zeev.it 4.24. |
Str4d · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2020-36843 | Medium | 4.3 | — | 2025-03-13 | The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. |
Strategy11team · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13887 | Medium | 5.3 | — | 2025-03-13 | The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function… |
Suman Biswas · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28895 | High | 7.1 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suman Biswas Custom top bar custom-top-bar allows Stored XSS. This issue affects Custom top bar: from n/a through <= 2.1. |
Synaptics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9157 | High | 7.8 | — | 2025-03-11 | ** UNSUPPORTED WHEN ASSIGNED ** A privilege escalation vulnerability in CxUIUSvc64.exe and CxUIUSvc32.exe of Synaptics audio drivers allows a local authorized attacker to load a DLL in a privileged process. |
Tapandsign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12604 | Medium | 6.5 | — | 2025-03-10 | Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misus… |
Techlabpro1 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1707 | High | 8.8 | — | 2025-03-11 | The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. |
Tecno · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2190 | High | 8.1 | — | 2025-03-11 | The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to code injection risks. |
Terence D. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28922 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Terence D. |
Theme Egg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28915 | Critical | 9.1 | — | 2025-03-11 | Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit allows Upload a Web Shell to a Web Server. This issue affects ThemeEgg ToolKit: from n/a through <= 1.2.9. |
Thiago S.F. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28906 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thiago S.F. |
Tianocore · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2295 | Low | 3.5 | — | 2025-03-14 | EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. |
Umati · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27615 | High | 8.2 | — | 2025-03-10 | umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker utilizing JSON messages. |
Uncannyowl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13838 | Medium | 5.5 | — | 2025-03-12 | The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Autom… |
Vcita · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13703 | Medium | 4.3 | — | 2025-03-13 | The CRM and Lead Management by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae() function in all versions up to, and including, 2.7.5. |
Venugopal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28862 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Comment Date and Gravatar remover remove-date-and-gravatar-under-comment allows Cross Site Request Forgery. This issue affects Comment Date and Gravatar remover: from n/a through… |
Vivek Marakana · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28929 | Medium | 6.5 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vivek Marakana Tabbed Login Widget tabbed-login allows Stored XSS. This issue affects Tabbed Login Widget: from n/a through <= 1.1.2. |
Webaways · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13498 | Medium | 5.3 | — | 2025-03-12 | The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing pre… |
Webgarb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28900 | High | 7.1 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in webgarb TabGarb Pro tabgarb allows Stored XSS. This issue affects TabGarb Pro: from n/a through <= 2.6. |
Wedevs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13436 | Medium | 6.1 | — | 2025-03-11 | The Appsero Helper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. |
Whyun · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2221 | High | 7.5 | — | 2025-03-14 | The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient p… |
Will Brubaker · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28878 | Medium | 5.9 | — | 2025-03-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Will Brubaker Awesome Surveys awesome-surveys allows Stored XSS. This issue affects Awesome Surveys: from n/a through <= 2.0.10. |
Xerox · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1984 | Medium | 5.2 | — | 2025-03-12 | Xerox Desktop Print Experience application contains a Local Privilege Escalation (LPE) vulnerability, which allows a low-privileged user to gain SYSTEM-level access. |
Xjb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28886 | Medium | 4.3 | — | 2025-03-11 | Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram rest-api-to-miniprogram allows Cross Site Request Forgery. This issue affects REST API TO MiniProgram: from n/a through <= 5.1.2. |
Zozothemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2289 | Medium | 4.3 | — | 2025-03-14 | The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. |