Patch Tuesday — May 2025
2025-05-13 · 1021 CVEs
CVEs published or modified the week of 2025-05-13, partitioned by vendor.
Microsoft (98 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4660 | Critical | 9.8 | — | 2025-05-13 | A remote code execution vulnerability exists in the Windows agent component of SecureConnector due to improper access controls on a named pipe. |
| CVE-2025-30387 | Critical | 9.8 | — | 2025-05-13 | Improper limitation of a pathname to a restricted directory ('path traversal') in Azure allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-29967 | High | 8.8 | — | 2025-05-13 | Heap-based buffer overflow in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. |
| CVE-2025-29966 | High | 8.8 | — | 2025-05-13 | Heap-based buffer overflow in Windows Remote Desktop allows an unauthorized attacker to execute code over a network. |
| CVE-2025-29964 | High | 8.8 | — | 2025-05-13 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. |
| CVE-2025-29963 | High | 8.8 | — | 2025-05-13 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. |
| CVE-2025-29962 | High | 8.8 | — | 2025-05-13 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. |
| CVE-2025-29840 | High | 8.8 | — | 2025-05-13 | Stack-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. |
| CVE-2025-32704 | High | 8.4 | — | 2025-05-13 | Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-30386 | High | 8.4 | — | 2025-05-13 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-30377 | High | 8.4 | — | 2025-05-13 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-26646 | High | 8.0 | — | 2025-05-13 | External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network. |
| CVE-2025-47161 | High | 7.8 | — | 2025-05-15 | Improper access control in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. |
| CVE-2025-43572 | High | 7.8 | — | 2025-05-13 | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43571 | High | 7.8 | — | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43570 | High | 7.8 | — | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43569 | High | 7.8 | — | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43568 | High | 7.8 | — | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43549 | High | 7.8 | — | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43548 | High | 7.8 | — | 2025-05-13 | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43557 | High | 7.8 | — | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43556 | High | 7.8 | — | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43555 | High | 7.8 | — | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43547 | High | 7.8 | — | 2025-05-13 | Bridge versions 15.0.3, 14.1.6 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43546 | High | 7.8 | — | 2025-05-13 | Bridge versions 15.0.3, 14.1.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-43545 | High | 7.8 | — | 2025-05-13 | Bridge versions 15.0.3, 14.1.6 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-30330 | High | 7.8 | — | 2025-05-13 | Illustrator versions 29.3, 28.7.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-30328 | High | 7.8 | — | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-30325 | High | 7.8 | — | 2025-05-13 | Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-30324 | High | 7.8 | — | 2025-05-13 | Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-32709 | High | 7.8 | KEV | 2025-05-13 | Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2025-32707 | High | 7.8 | — | 2025-05-13 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally. |
| CVE-2025-32706 | High | 7.8 | KEV | 2025-05-13 | Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-32705 | High | 7.8 | — | 2025-05-13 | Out-of-bounds read in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. |
| CVE-2025-32702 | High | 7.8 | — | 2025-05-13 | Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally. |
| CVE-2025-32701 | High | 7.8 | KEV | 2025-05-13 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-30400 | High | 7.8 | KEV | 2025-05-13 | Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. |
| CVE-2025-30393 | High | 7.8 | — | 2025-05-13 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-30388 | High | 7.8 | — | 2025-05-13 | Heap-based buffer overflow in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally. |
| CVE-2025-30385 | High | 7.8 | — | 2025-05-13 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-30383 | High | 7.8 | — | 2025-05-13 | Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-30382 | High | 7.8 | — | 2025-05-13 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. |
| CVE-2025-30381 | High | 7.8 | — | 2025-05-13 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-30379 | High | 7.8 | — | 2025-05-13 | Release of invalid pointer or reference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-30376 | High | 7.8 | — | 2025-05-13 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-30375 | High | 7.8 | — | 2025-05-13 | Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-30318 | High | 7.8 | — | 2025-05-13 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-30310 | High | 7.8 | — | 2025-05-13 | Dreamweaver Desktop versions 21.4 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-29979 | High | 7.8 | — | 2025-05-13 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-29978 | High | 7.8 | — | 2025-05-13 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. |
| CVE-2025-29977 | High | 7.8 | — | 2025-05-13 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-29976 | High | 7.8 | — | 2025-05-13 | Improper privilege management in Microsoft Office SharePoint allows an authorized attacker to elevate privileges locally. |
| CVE-2025-29975 | High | 7.8 | — | 2025-05-13 | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2025-29970 | High | 7.8 | — | 2025-05-13 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-24063 | High | 7.8 | — | 2025-05-13 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2025-29833 | High | 7.7 | — | 2025-05-13 | Time-of-check time-of-use (TOCTOU) race condition in Windows Virtual Machine Bus allows an unauthorized attacker to execute code locally. |
| CVE-2025-30397 | High | 7.5 | KEV | 2025-05-13 | Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network. |
| CVE-2025-29971 | High | 7.5 | — | 2025-05-13 | Out-of-bounds read in Web Threat Defense (WTD.sys) allows an unauthorized attacker to deny service over a network. |
| CVE-2025-29969 | High | 7.5 | — | 2025-05-13 | Time-of-check time-of-use (TOCTOU) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network. |
| CVE-2025-29842 | High | 7.5 | — | 2025-05-13 | Acceptance of extraneous untrusted data with trusted data in UrlMon allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2025-29831 | High | 7.5 | — | 2025-05-13 | Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. |
| CVE-2025-26677 | High | 7.5 | — | 2025-05-13 | Uncontrolled resource consumption in Remote Desktop Gateway Service allows an unauthorized attacker to deny service over a network. |
| CVE-2025-30384 | High | 7.4 | — | 2025-05-13 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. |
| CVE-2025-29838 | High | 7.4 | — | 2025-05-13 | Null pointer dereference in Windows Drivers allows an unauthorized attacker to elevate privileges locally. |
| CVE-2025-29826 | High | 7.3 | — | 2025-05-13 | Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-35471 | High | 7.3 | — | 2025-05-13 | conda-forge openssl-feedstock before 066e83c (2024-05-20), on Microsoft Windows, configures OpenSSL to use an OPENSSLDIR file path that can be written to by non-privileged local users. |
| CVE-2025-21264 | High | 7.1 | — | 2025-05-13 | Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. |
| CVE-2025-30378 | High | 7.0 | — | 2025-05-13 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. |
| CVE-2025-29973 | High | 7.0 | — | 2025-05-13 | Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. |
| CVE-2025-29841 | High | 7.0 | — | 2025-05-13 | Concurrent execution using shared resource with improper synchronization ('race condition') in Universal Print Management Service allows an authorized attacker to elevate privileges locally. |
| CVE-2025-27468 | High | 7.0 | — | 2025-05-13 | Improper privilege management in Windows Secure Kernel Mode allows an authorized attacker to elevate privileges locally. |
| CVE-2025-27488 | Medium | 6.7 | — | 2025-05-13 | Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally. |
| CVE-2025-26684 | Medium | 6.7 | — | 2025-05-13 | External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. |
| CVE-2025-29968 | Medium | 6.5 | — | 2025-05-13 | Improper input validation in Active Directory Certificate Services (AD CS) allows an authorized attacker to deny service over a network. |
| CVE-2025-29961 | Medium | 6.5 | — | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-29960 | Medium | 6.5 | — | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-29959 | Medium | 6.5 | — | 2025-05-13 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-29958 | Medium | 6.5 | — | 2025-05-13 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-29836 | Medium | 6.5 | — | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-29835 | Medium | 6.5 | — | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-29832 | Medium | 6.5 | — | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-29830 | Medium | 6.5 | — | 2025-05-13 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-26685 | Medium | 6.5 | — | 2025-05-13 | Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network. |
| CVE-2025-29957 | Medium | 6.2 | — | 2025-05-13 | Uncontrolled resource consumption in Windows Deployment Services allows an unauthorized attacker to deny service locally. |
| CVE-2025-29955 | Medium | 6.2 | — | 2025-05-13 | Improper input validation in Windows Hyper-V allows an unauthorized attacker to deny service locally. |
| CVE-2025-30394 | Medium | 5.9 | — | 2025-05-13 | Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to deny service over a network. |
| CVE-2025-29954 | Medium | 5.9 | — | 2025-05-13 | Uncontrolled resource consumption in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network. |
| CVE-2025-29974 | Medium | 5.7 | — | 2025-05-13 | Integer underflow (wrap or wraparound) in Windows Kernel allows an unauthorized attacker to disclose information over an adjacent network. |
| CVE-2025-43551 | Medium | 5.5 | — | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
| CVE-2025-30329 | Medium | 5.5 | — | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. |
| CVE-2025-32703 | Medium | 5.5 | — | 2025-05-13 | Insufficient granularity of access control in Visual Studio allows an authorized attacker to disclose information locally. |
| CVE-2025-30320 | Medium | 5.5 | — | 2025-05-13 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. |
| CVE-2025-30319 | Medium | 5.5 | — | 2025-05-13 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. |
| CVE-2025-29837 | Medium | 5.5 | — | 2025-05-13 | Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to disclose information locally. |
| CVE-2025-29829 | Medium | 5.5 | — | 2025-05-13 | Use of uninitialized resource in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally. |
| CVE-2025-29956 | Medium | 5.4 | — | 2025-05-13 | Buffer over-read in Windows SMB allows an authorized attacker to disclose information over a network. |
| CVE-2025-33104 | Medium | 4.4 | — | 2025-05-14 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. |
| CVE-2025-29839 | Medium | 4.0 | — | 2025-05-13 | Out-of-bounds read in Windows File Server allows an unauthorized attacker to disclose information locally. |
Other vendors (923 CVEs across 365 vendors)
N/a · 111 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46052 | Critical | 9.8 | — | 2025-05-15 | An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the DEL form field in a POST request to /StockCounts.php. |
| CVE-2025-32363 | Critical | 9.8 | — | 2025-05-14 | mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. |
| CVE-2025-45863 | Critical | 9.8 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the macstr parameter in the formMapDelDevice interface. |
| CVE-2025-45865 | Critical | 9.8 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the dnsaddr parameter in the formDhcpv6s interface. |
| CVE-2025-45861 | Critical | 9.8 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the routername parameter in the formDnsv6 interface. |
| CVE-2025-45858 | Critical | 9.8 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function. |
| CVE-2025-28056 | Critical | 9.8 | — | 2025-05-13 | rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in the /admin/admin-cli/exec component. |
| CVE-2025-45779 | Critical | 9.8 | — | 2025-05-12 | Tenda AC10 V1.0re_V15.03.06.46 is vulnerable to Buffer Overflow in the formSetPPTPUserList handler via the list POST parameter. |
| CVE-2025-44022 | Critical | 9.8 | — | 2025-05-12 | An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. |
| CVE-2025-26846 | Critical | 9.8 | — | 2025-05-12 | An issue was discovered in Znuny before 7.1.4. |
| CVE-2025-27891 | Critical | 9.1 | — | 2025-05-14 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. |
| CVE-2024-56524 | Critical | 9.1 | — | 2025-05-12 | Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by adding a special character to the request. |
| CVE-2024-56523 | Critical | 9.1 | — | 2025-05-12 | Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by placing random data in the HTTP request body when using the HTTP GET method. |
| CVE-2024-54780 | High | 8.8 | — | 2025-05-14 | Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. |
| CVE-2025-20101 | High | 8.4 | — | 2025-05-13 | Out-of-bounds read for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable information disclosure or denial of service via local access. |
| CVE-2025-20018 | High | 8.4 | — | 2025-05-13 | Untrusted pointer dereference for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-45067 | High | 8.2 | — | 2025-05-14 | Incorrect default permissions in some Intel(R) Gaudi(R) software installers before version 1.18 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20003 | High | 8.2 | — | 2025-05-13 | Improper link resolution before file access ('Link Following') for some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-58101 | High | 8.1 | — | 2025-05-14 | Samsung Galaxy Buds and Galaxy Buds 2 audio devices are Bluetooth pairable by default without user input and without a way to stop this mode. |
| CVE-2025-22843 | High | 7.8 | — | 2025-05-13 | Incorrect execution-assigned permissions for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20008 | High | 7.7 | — | 2025-05-13 | Insecure inherited permissions for some Intel(R) Simics(R) Package Manager software before version 1.12.0 may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2025-44879 | High | 7.5 | — | 2025-05-14 | WS-WN572HP3 V230525 was discovered to contain a buffer overflow in the component /www/cgi-bin/upload.cgi. |
| CVE-2025-26783 | High | 7.5 | — | 2025-05-14 | An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 2100, 1280, 2200, 1330, 1380, 1480, 2400, W1000, Modem 5300, and Modem 5400. |
| CVE-2024-55569 | High | 7.5 | — | 2025-05-14 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. |
| CVE-2025-26785 | High | 7.5 | — | 2025-05-14 | An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. |
| CVE-2025-24308 | High | 7.5 | — | 2025-05-13 | Improper input validation in the UEFI firmware error handler for the Intel(R) Server D50DNP and M50FCP may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2025-21094 | High | 7.5 | — | 2025-05-13 | Improper input validation in the UEFI firmware DXE module for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2025-20100 | High | 7.5 | — | 2025-05-13 | Improper access control in the memory controller configurations for some Intel(R) Xeon(R) 6 processors with E-cores may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2025-20083 | High | 7.5 | — | 2025-05-13 | Improper authentication in the firmware for the Intel(R) Slim Bootloader may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2025-20082 | High | 7.5 | — | 2025-05-13 | Time-of-check time-of-use race condition in the UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to enable escalation of privilege via local access. |
| CVE-2025-28055 | High | 7.5 | — | 2025-05-13 | upset-gal-web v7.1.0 /api/music/v1/cover.ts contains an arbitrary file read vulnerability. |
| CVE-2025-45835 | High | 7.5 | — | 2025-05-12 | A null pointer dereference vulnerability was discovered in Netis WF2880 v2.1.40207. |
| CVE-2025-20104 | High | 7.3 | — | 2025-05-13 | Race condition in some Administrative Tools for some Intel(R) Network Adapters package before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20052 | High | 7.3 | — | 2025-05-13 | Improper access control for some Intel(R) Graphics software may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2024-45333 | High | 7.3 | — | 2025-05-13 | Improper access control for some Intel(R) Data Center GPU Flex Series for Windows driver before version 31.0.101.4314 may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2024-36292 | High | 7.3 | — | 2025-05-13 | Improper buffer restrictions for some Intel(R) Data Center GPU Flex Series for Windows driver before version 31.0.101.4314 may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2025-20004 | High | 7.2 | — | 2025-05-13 | Insufficient control flow management in the Alias Checking Trusted Module for some Intel(R) Xeon(R) 6 processor E-Cores firmware may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2025-28057 | High | 7.2 | — | 2025-05-13 | owl-admin v3.2.2~ to v4.10.2 is vulnerable to SQL Injection in /admin-api/system/admin_menus/save_order. |
| CVE-2025-21099 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20629 | Medium | 6.7 | — | 2025-05-13 | Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20108 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path element for some Intel(R) Network Adapter Driver installers for Windows 11 before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20095 | Medium | 6.7 | — | 2025-05-13 | Incorrect Default Permissions for some Intel(R) RealSense™ SDK software before version 2.56.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20043 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) RealSense™ SDK software before version 2.56.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-20041 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) Graphics software for Intel(R) Arc™ graphics and Intel(R) Iris(R) Xe graphics before version 32.0.101.6325/32.0.101.6252 may allow an authenticated user to potentially enable escalation of privile… |
| CVE-2025-20015 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path element for some Intel(R) Ethernet Connection software before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-47800 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-47795 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) oneAPI DPC++/C++ Compiler software before version 2025.0.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-47550 | Medium | 6.7 | — | 2025-05-13 | Incorrect default permissions for some Endurance Gaming Mode software installers may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-46895 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 32.0.101.6083/32.0.101.5736 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-45371 | Medium | 6.7 | — | 2025-05-13 | Improper access control for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 32.0.101.6077 may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2024-39833 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) QAT software before version 2.3.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-31073 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) oneAPI Level Zero software may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-28954 | Medium | 6.7 | — | 2025-05-13 | Incorrect default permissions for some Intel(R) Graphics Driver installers may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2024-40120 | Medium | 6.5 | — | 2025-05-16 | seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_store.go. |
| CVE-2024-56427 | Medium | 6.5 | — | 2025-05-14 | An issue was discovered in Samsung Mobile Processor and Wearable Processor Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. |
| CVE-2025-26784 | Medium | 6.5 | — | 2025-05-14 | An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. |
| CVE-2025-22892 | Medium | 6.5 | — | 2025-05-13 | Uncontrolled resource consumption for some OpenVINO™ model server software maintained by Intel(R) before version 2024.4 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
| CVE-2025-20103 | Medium | 6.5 | — | 2025-05-13 | Insufficient resource pool in the core management mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2025-20071 | Medium | 6.5 | — | 2025-05-13 | NULL pointer dereference for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2025-20054 | Medium | 6.5 | — | 2025-05-13 | Uncaught exception in the core management mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2025-20031 | Medium | 6.5 | — | 2025-05-13 | Improper input validation for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2024-55466 | Medium | 6.5 | — | 2025-05-12 | An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2025-44176 | Medium | 6.5 | — | 2025-05-12 | Tenda FH451 V1.0.0.9 is vulnerable to Remote Code Execution in the formSafeEmailFilter function. |
| CVE-2025-44024 | Medium | 6.1 | — | 2025-05-14 | A Cross-Site Scripting (XSS) vulnerability was discovered in the Pichome system v2.1.0 and before. |
| CVE-2024-45516 | Medium | 6.1 | — | 2025-05-14 | An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. |
| CVE-2025-22448 | Medium | 6.1 | — | 2025-05-13 | Insecure inherited permissions for some Intel(R) Simics(R) Package Manager software before version 1.12.0 may allow an authenticated user to potentially enable denial of service via local access. |
| CVE-2024-48869 | Medium | 6.1 | — | 2025-05-13 | Improper restriction of software interfaces to hardware features for some Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX) may allow a… |
| CVE-2024-29222 | Medium | 6.1 | — | 2025-05-13 | Out-of-bounds write for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2025-26841 | Medium | 6.1 | — | 2025-05-12 | Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload. |
CVE-2025-22247 | Medium | 6.1 | — | 2025-05-12 | VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM. |
CVE-2025-32407 | Medium | 5.9 | — | 2025-05-16 | Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites visited by the user. |
CVE-2024-39758 | Medium | 5.9 | — | 2025-05-13 | Improper access control for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 31.0.101.4032 may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2025-20624 | Medium | 5.7 | — | 2025-05-13 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via adjacent access. |
CVE-2025-20047 | Medium | 5.7 | — | 2025-05-13 | Improper locking in the Intel(R) Integrated Connectivity I/O interface (CNVi) for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access. |
CVE-2025-20022 | Medium | 5.7 | — | 2025-05-13 | Insufficient control flow management for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow a privileged user to potentially enable information disclosure via adjacent access. |
CVE-2025-24495 | Medium | 5.6 | — | 2025-05-13 | Incorrect initialization of resource in the branch prediction unit for some Intel(R) Core™ Ultra Processors may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2025-20623 | Medium | 5.6 | — | 2025-05-13 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Core™ processors (10th Generation) may allow an authenticated user to potentially enable informatio… |
CVE-2024-45332 | Medium | 5.6 | — | 2025-05-13 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable… |
CVE-2024-43420 | Medium | 5.6 | — | 2025-05-13 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel Atom(R) processors may allow an authenticated user to potentially enable information disclosure via lo… |
CVE-2024-28956 | Medium | 5.6 | — | 2025-05-13 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2024-28036 | Medium | 5.6 | — | 2025-05-13 | Improper conditions check for some Intel(R) Arc™ GPU may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2025-22895 | Medium | 5.5 | — | 2025-05-13 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2025-20616 | Medium | 5.5 | — | 2025-05-13 | Uncontrolled resource consumption for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2025-20612 | Medium | 5.5 | — | 2025-05-13 | Incorrect execution-assigned permissions for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2025-20013 | Medium | 5.5 | — | 2025-05-13 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2024-57273 | Medium | 5.4 | — | 2025-05-14 | Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, dele… |
CVE-2024-54779 | Medium | 5.4 | — | 2025-05-14 | Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross Site Scripting (XSS) in widgets/log.widget.php. |
CVE-2025-45867 | Medium | 5.4 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the static_dns1 parameter in the formIpv6Setup interface. |
CVE-2025-45866 | Medium | 5.4 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the addrPoolEnd parameter in the formDhcpv6s interface. |
CVE-2025-45864 | Medium | 5.4 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the addrPoolStart parameter in the formDhcpv6s interface. |
CVE-2025-45859 | Medium | 5.4 | — | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the bandstr parameter in the formMapDelDevice interface. |
CVE-2025-44175 | Medium | 5.4 | — | 2025-05-12 | Tenda AC10 v4 V16.03.10.13 is vulnerable to Buffer Overflow in the GetParentControlInfo function. |
CVE-2025-20034 | Medium | 5.3 | — | 2025-05-13 | Improper input validation in the BackupBiosUpdate UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards before version R01.02.0003 may allow a privileged user to potentially enable information disclosure via loc… |
CVE-2024-43101 | Medium | 5.3 | — | 2025-05-13 | Improper access control for some Intel(R) Data Center GPU Flex Series for Windows driver software before version 31.0.101.4255 may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2025-46053 | Medium | 5.1 | — | 2025-05-15 | A SQL Injection vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the ReportID and ReplaceReportID parameters within a POST request to /reportw… |
CVE-2025-20076 | Medium | 5.0 | — | 2025-05-13 | Improper access control for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2025-20012 | Medium | 4.9 | — | 2025-05-13 | Incorrect behavior order for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access. |
CVE-2024-56526 | Medium | 4.9 | — | 2025-05-13 | An issue was discovered in OXID eShop before 7. |
CVE-2025-20611 | Medium | 4.7 | — | 2025-05-13 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2025-25370 | Medium | 4.6 | — | 2025-05-14 | An issue in realme GT 2 (RMX3311) running Android 14 with realme UI 5.0 allows a physically proximate attacker to obtain sensitive information via the show app only setting function. |
CVE-2025-22446 | Medium | 4.6 | — | 2025-05-13 | Inadequate encryption strength for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2025-21081 | Medium | 4.5 | — | 2025-05-13 | Protection mechanism failure for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2025-22844 | Medium | 4.3 | — | 2025-05-13 | Improper access control for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an unauthenticated user to potentially enable information disclosure via adjacent access. |
CVE-2025-21100 | Medium | 4.1 | — | 2025-05-13 | Improper initialization in the UEFI firmware for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable information disclosure via local access. |
CVE-2025-20009 | Medium | 4.1 | — | 2025-05-13 | Improper input validation in the UEFI firmware GenerationSetup module for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable information disclosure via local access. |
CVE-2024-31150 | Low | 3.8 | — | 2025-05-13 | Out-of-bounds read for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2025-23233 | Low | 3.5 | — | 2025-05-13 | Incorrect execution-assigned permissions for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2025-22848 | Low | 3.5 | — | 2025-05-13 | Improper conditions check for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. |
CVE-2025-20084 | Low | 3.5 | — | 2025-05-13 | Uncontrolled resource consumption for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. |
CVE-2025-20057 | Low | 3.5 | — | 2025-05-13 | Uncontrolled resource consumption for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. |
CVE-2025-20030 | Low | 2.6 | — | 2025-05-13 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via adjacent access. |
Apple · 65 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-30448 | Critical | 9.1 | — | 2025-05-12 | This issue was addressed with additional entitlement checks. |
| CVE-2025-30436 | Critical | 9.1 | — | 2025-05-12 | This issue was addressed by restricting options offered on a locked device. |
| CVE-2025-31246 | High | 8.8 | — | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31244 | High | 8.8 | — | 2025-05-12 | A file quarantine bypass was addressed with additional checks. |
| CVE-2025-31204 | High | 8.8 | — | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31234 | High | 8.2 | — | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-31214 | High | 8.1 | — | 2025-05-12 | This issue was addressed through improved state management. |
| CVE-2025-31223 | High | 8.0 | — | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-24223 | High | 8.0 | — | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31259 | High | 7.8 | — | 2025-05-12 | A privacy issue was addressed with improved checks. |
| CVE-2025-31224 | High | 7.8 | — | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31222 | High | 7.8 | — | 2025-05-12 | A correctness issue was addressed with improved checks. |
| CVE-2025-30453 | High | 7.8 | — | 2025-05-12 | The issue was addressed with additional permissions checks. |
| CVE-2025-30442 | High | 7.8 | — | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-24274 | High | 7.8 | — | 2025-05-12 | An input validation issue was addressed by removing the vulnerable code. |
| CVE-2025-24258 | High | 7.8 | — | 2025-05-12 | A permissions issue was addressed with additional restrictions. |
| CVE-2025-1079 | High | 7.8 | — | 2025-05-12 | Client RCE on macOS and Linux via improper symbolic link resolution in Google Web Designer's preview feature. |
| CVE-2025-31207 | High | 7.7 | — | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31213 | High | 7.6 | — | 2025-05-12 | A logging issue was addressed with improved data redaction. |
| CVE-2025-31247 | High | 7.5 | — | 2025-05-12 | A logic issue was addressed with improved state management. |
| CVE-2025-31240 | High | 7.5 | — | 2025-05-12 | This issue was addressed with improved checks. |
| CVE-2025-31237 | High | 7.5 | — | 2025-05-12 | This issue was addressed with improved checks. |
| CVE-2025-31221 | High | 7.5 | — | 2025-05-12 | An integer overflow was addressed with improved input validation. |
| CVE-2025-31208 | High | 7.5 | — | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31238 | High | 7.3 | — | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31253 | High | 7.1 | — | 2025-05-12 | This issue was addressed through improved state management. |
| CVE-2025-31249 | High | 7.1 | — | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31232 | High | 7.1 | — | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31225 | High | 7.1 | — | 2025-05-12 | A privacy issue was addressed by removing sensitive data. |
| CVE-2025-31219 | High | 7.1 | — | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31228 | Medium | 6.8 | — | 2025-05-12 | The issue was addressed with improved authentication. |
| CVE-2025-31258 | Medium | 6.5 | — | 2025-05-12 | This issue was addressed by removing the vulnerable code. |
| CVE-2025-31235 | Medium | 6.5 | — | 2025-05-12 | A double free issue was addressed with improved memory management. |
| CVE-2025-31217 | Medium | 6.5 | — | 2025-05-12 | The issue was addressed with improved input validation. |
| CVE-2025-31215 | Medium | 6.5 | — | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31210 | Medium | 6.5 | — | 2025-05-12 | The issue was addressed with improved UI. |
| CVE-2025-31205 | Medium | 6.5 | — | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-24225 | Medium | 6.5 | — | 2025-05-12 | An injection issue was addressed with improved input validation. |
| CVE-2025-24222 | Medium | 6.5 | — | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31233 | Medium | 6.3 | — | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-31209 | Medium | 6.3 | — | 2025-05-12 | An out-of-bounds read was addressed with improved bounds checking. |
| CVE-2025-31195 | Medium | 6.3 | — | 2025-05-12 | The issue was addressed by adding additional logic. |
| CVE-2025-31218 | Medium | 6.2 | — | 2025-05-12 | This issue was addressed by removing the vulnerable code. |
| CVE-2025-31260 | Medium | 5.5 | — | 2025-05-12 | A permissions issue was addressed with additional restrictions. |
| CVE-2025-31256 | Medium | 5.5 | — | 2025-05-12 | The issue was addressed with improved handling of caches. |
| CVE-2025-31251 | Medium | 5.5 | — | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-31250 | Medium | 5.5 | — | 2025-05-12 | An information disclosure issue was addressed with improved privacy controls. |
| CVE-2025-31245 | Medium | 5.5 | — | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31242 | Medium | 5.5 | — | 2025-05-12 | A privacy issue was addressed with improved private data redaction for log entries. |
| CVE-2025-31236 | Medium | 5.5 | — | 2025-05-12 | An information disclosure issue was addressed with improved privacy controls. |
| CVE-2025-31226 | Medium | 5.5 | — | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31220 | Medium | 5.5 | — | 2025-05-12 | A privacy issue was addressed by removing sensitive data. |
| CVE-2025-31212 | Medium | 5.5 | — | 2025-05-12 | This issue was addressed through improved state management. |
| CVE-2025-31196 | Medium | 5.5 | — | 2025-05-12 | An out-of-bounds read was addressed with improved input validation. |
| CVE-2025-30440 | Medium | 5.5 | — | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-24220 | Medium | 5.5 | — | 2025-05-12 | A permissions issue was addressed with additional restrictions. |
| CVE-2025-24155 | Medium | 5.5 | — | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-24144 | Medium | 5.5 | — | 2025-05-12 | An information disclosure issue was addressed by removing the vulnerable code. |
| CVE-2025-24142 | Medium | 5.5 | — | 2025-05-12 | A privacy issue was addressed with improved private data redaction for log entries. |
| CVE-2025-24111 | Medium | 5.5 | — | 2025-05-12 | A memory corruption issue was addressed with improved state management. |
| CVE-2025-31241 | Medium | 5.3 | — | 2025-05-12 | A double free issue was addressed with improved memory management. |
| CVE-2025-31257 | Medium | 4.7 | — | 2025-05-12 | This issue was addressed with improved memory handling. |
| CVE-2025-31227 | Medium | 4.6 | — | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31239 | Medium | 4.3 | — | 2025-05-12 | A use-after-free issue was addressed with improved memory management. |
| CVE-2025-31206 | Medium | 4.3 | — | 2025-05-12 | A type confusion issue was addressed with improved state handling. |
Siemens · 36 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-26389 | Critical | 10.0 | — | 2025-05-13 | A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). |
| CVE-2025-33025 | Critical | 9.9 | — | 2025-05-13 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM… |
| CVE-2025-33024 | Critical | 9.9 | — | 2025-05-13 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM… |
| CVE-2025-32469 | Critical | 9.9 | — | 2025-05-13 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM… |
| CVE-2025-26390 | Critical | 9.8 | — | 2025-05-13 | A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). |
| CVE-2025-40566 | High | 8.8 | — | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). |
| CVE-2025-31930 | High | 8.8 | — | 2025-05-13 | A vulnerability has been identified in IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0) (All versions < V2.135), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0) (All versions < V2.135), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-… |
| CVE-2025-40582 | High | 7.8 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). |
| CVE-2025-40574 | High | 7.8 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-32454 | High | 7.8 | — | 2025-05-13 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.14), Teamcenter Visualization V2312 (All versions < V2312.0010), Teamcenter Visualization V2406 (All versions < V2406.0008), Teamcenter Visualiza… |
| CVE-2025-30176 | High | 7.5 | — | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions < V4.0), SINEMA Remote Connect (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (… |
| CVE-2025-30175 | High | 7.5 | — | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions < V4.0), SINEMA Remote Connect (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (… |
| CVE-2025-30174 | High | 7.5 | — | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions < V4.0), SINEMA Remote Connect (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (… |
| CVE-2025-24007 | High | 7.5 | — | 2025-05-13 | A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). |
| CVE-2024-23815 | High | 7.5 | — | 2025-05-13 | A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to D… |
| CVE-2025-40581 | High | 7.1 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). |
| CVE-2025-40580 | Medium | 6.7 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40579 | Medium | 6.7 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40556 | Medium | 6.5 | — | 2025-05-13 | A vulnerability has been identified in BACnet ATEC 550-440 (All versions), BACnet ATEC 550-441 (All versions), BACnet ATEC 550-445 (All versions), BACnet ATEC 550-446 (All versions). |
| CVE-2025-24510 | Medium | 6.5 | — | 2025-05-13 | A vulnerability has been identified in MS/TP Point Pickup Module (All versions). |
| CVE-2025-24008 | Medium | 6.5 | — | 2025-05-13 | A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). |
| CVE-2024-51446 | Medium | 6.5 | — | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). |
| CVE-2024-51445 | Medium | 6.5 | — | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). |
| CVE-2024-51444 | Medium | 6.5 | — | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). |
| CVE-2025-24009 | Medium | 5.9 | — | 2025-05-13 | A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). |
| CVE-2025-40572 | Medium | 5.5 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2024-51447 | Medium | 5.3 | — | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). |
| CVE-2025-40555 | Medium | 4.7 | — | 2025-05-13 | A vulnerability has been identified in APOGEE PXC+TALON TC Series (BACnet) (All versions). |
| CVE-2025-40583 | Medium | 4.4 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). |
| CVE-2025-40573 | Medium | 4.4 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40578 | Medium | 4.3 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). |
| CVE-2025-40577 | Medium | 4.3 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40576 | Medium | 4.3 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40575 | Medium | 4.3 | — | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-31929 | Medium | 4.2 | — | 2025-05-13 | A vulnerability has been identified in IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0) (All versions), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0) (All versions), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1) (All version… |
| CVE-2025-40571 | Low | 2.2 | — | 2025-05-13 | A vulnerability has been identified in Mendix OIDC SSO (Mendix 10.12 compatible) (All versions < V4.0.1), Mendix OIDC SSO (Mendix 9 compatible) (All versions < V3.3.1), Mendix OIDC SSO V4.2 (Mendix 10 compatible) (All versions < V4.2.1), M… |
Phpgurukul · 29 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4813 | High | 7.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. |
| CVE-2025-4812 | High | 7.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, has been found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. |
| CVE-2025-4794 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Online Course Registration 3.1. |
| CVE-2025-4793 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Online Course Registration 3.1. |
| CVE-2025-4785 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Daily Expense Tracker System 1.1. |
| CVE-2025-4773 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Online Course Registration 3.1 and classified as critical. |
| CVE-2025-4772 | High | 7.3 | — | 2025-05-16 | A vulnerability has been found in PHPGurukul Online Course Registration 3.1 and classified as critical. |
| CVE-2025-4771 | High | 7.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, was found in PHPGurukul Online Course Registration 3.1. |
| CVE-2025-4766 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Zoo Management System 2.1. |
| CVE-2025-4765 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Zoo Management System 2.1. |
| CVE-2025-4761 | High | 7.3 | — | 2025-05-16 | A vulnerability has been found in PHPGurukul Complaint Management System 2.0 and classified as critical. |
| CVE-2025-4758 | High | 7.3 | — | 2025-05-16 | A vulnerability classified as critical has been found in PHPGurukul Beauty Parlour Management System 1.1. |
| CVE-2025-4757 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Beauty Parlour Management System 1.1. |
| CVE-2025-4717 | High | 7.3 | — | 2025-05-15 | A vulnerability, which was classified as critical, was found in PHPGurukul Company Visitor Management System 2.0. |
| CVE-2025-4705 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. |
| CVE-2025-4704 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. |
| CVE-2025-4703 | High | 7.3 | — | 2025-05-15 | A vulnerability has been found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. |
| CVE-2025-4702 | High | 7.3 | — | 2025-05-15 | A vulnerability, which was classified as critical, was found in PHPGurukul Vehicle Parking Management System 1.13. |
| CVE-2025-4699 | High | 7.3 | — | 2025-05-15 | A vulnerability classified as critical was found in PHPGurukul Apartment Visitors Management System 1.0. |
| CVE-2025-4698 | High | 7.3 | — | 2025-05-15 | A vulnerability classified as critical has been found in PHPGurukul Directory Management System 2.0. |
| CVE-2025-4697 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in PHPGurukul Directory Management System 2.0. |
| CVE-2025-4554 | High | 7.3 | — | 2025-05-12 | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. |
| CVE-2025-4553 | High | 7.3 | — | 2025-05-12 | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0 and classified as critical. |
| CVE-2025-4808 | Medium | 6.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0 and classified as critical. |
| CVE-2025-4781 | Medium | 6.3 | — | 2025-05-16 | A vulnerability classified as critical has been found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4780 | Medium | 6.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4778 | Medium | 6.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4777 | Medium | 6.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4770 | Medium | 6.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, has been found in PHPGurukul Park Ticketing Management System 2.0. |
Unknown · 28 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8673 | Critical | 9.1 | — | 2025-05-15 | The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript. |
CVE-2024-6719 | High | 8.1 | — | 2025-05-15 | The Offload Videos WordPress plugin before 1.0.1 does not have a CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack. |
CVE-2024-12812 | High | 7.5 | — | 2025-05-15 | The WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employe… |
CVE-2024-8699 | High | 7.2 | — | 2025-05-15 | The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite… |
CVE-2024-3901 | Medium | 6.8 | — | 2025-05-15 | The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS a… |
CVE-2024-8286 | Medium | 6.5 | — | 2025-05-15 | The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks |
CVE-2024-8031 | Medium | 6.5 | — | 2025-05-15 | The Secure Downloads WordPress plugin before 1.2.3 does not properly restrict which files can be downloaded. |
CVE-2024-8703 | Medium | 6.1 | — | 2025-05-15 | The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs. |
CVE-2024-6690 | Medium | 6.1 | — | 2025-05-15 | The wccp-pro WordPress plugin before 15.3 contains an open-redirect flaw via the referrer parameter, allowing redirection of users to external sites. |
CVE-2024-13823 | Medium | 6.1 | — | 2025-05-15 | The 360 Product Rotation WordPress plugin through 1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. |
CVE-2023-6541 | Medium | 6.1 | — | 2025-05-15 | The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
CVE-2024-8397 | Medium | 5.4 | — | 2025-05-15 | The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. |
CVE-2024-6668 | Medium | 5.4 | — | 2025-05-15 | The ProfilePro WordPress plugin through 1.3 does not sanitise and escape some parameters and lacks proper access controls, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks. |
CVE-2024-11502 | Medium | 5.4 | — | 2025-05-15 | The Planning Center Online Giving WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contri… |
CVE-2024-10818 | Medium | 5.4 | — | 2025-05-15 | The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role a… |
CVE-2024-9182 | Medium | 4.8 | — | 2025-05-15 | The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
CVE-2024-8702 | Medium | 4.8 | — | 2025-05-15 | The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit… |
CVE-2024-8619 | Medium | 4.8 | — | 2025-05-15 | The Ajax Search Lite WordPress plugin before 4.12.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab… |
CVE-2024-8542 | Medium | 4.8 | — | 2025-05-15 | The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
CVE-2024-8492 | Medium | 4.8 | — | 2025-05-15 | The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
CVE-2024-8284 | Medium | 4.8 | — | 2025-05-15 | The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
CVE-2024-6693 | Medium | 4.8 | — | 2025-05-15 | The wccp-pro WordPress plugin before 15.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is di… |
CVE-2024-13616 | Medium | 4.8 | — | 2025-05-15 | The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the un… |
CVE-2024-12808 | Medium | 4.8 | — | 2025-05-15 | The WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perf… |
CVE-2024-12716 | Medium | 4.8 | — | 2025-05-15 | The Simple Basic Contact Form WordPress plugin before 20250114 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_… |
CVE-2023-6783 | Medium | 4.8 | — | 2025-05-15 | The WolfNet IDX for WordPress plugin through 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabi… |
CVE-2024-6711 | Low | 3.5 | — | 2025-05-15 | The Event Tickets with Ticket Scanner WordPress plugin before 2.3.8 does not sanitise and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks. |
CVE-2024-11140 | Low | 3.5 | — | 2025-05-15 | The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through 2.0.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even w… |
Campcodes · 18 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4746 | High | 7.3 | — | 2025-05-16 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. |
CVE-2025-4741 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4734 | High | 7.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4719 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. |
CVE-2025-4718 | High | 7.3 | — | 2025-05-15 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. |
CVE-2025-4716 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4715 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4714 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4713 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. |
CVE-2025-4712 | High | 7.3 | — | 2025-05-15 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. |
CVE-2025-4711 | High | 7.3 | — | 2025-05-15 | A vulnerability, which was classified as critical, was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4710 | High | 7.3 | — | 2025-05-15 | A vulnerability, which was classified as critical, has been found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4709 | High | 7.3 | — | 2025-05-15 | A vulnerability classified as critical was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4708 | High | 7.3 | — | 2025-05-15 | A vulnerability classified as critical has been found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4707 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0. |
CVE-2025-4735 | Medium | 6.3 | — | 2025-05-16 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. |
CVE-2025-4696 | Medium | 6.3 | — | 2025-05-15 | A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0. |
CVE-2025-4695 | Medium | 6.3 | — | 2025-05-15 | A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0. |
Adobe · 17 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43567 | Critical | 9.3 | — | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-43564 | Critical | 9.1 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. |
CVE-2025-43563 | Critical | 9.1 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. |
CVE-2025-43562 | Critical | 9.1 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the conte… |
CVE-2025-43561 | Critical | 9.1 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43560 | Critical | 9.1 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43559 | Critical | 9.1 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43565 | High | 8.4 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. |
CVE-2025-43554 | High | 7.8 | — | 2025-05-13 | Substance3D - Modeler versions 1.21.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43553 | High | 7.8 | — | 2025-05-13 | Substance3D - Modeler versions 1.21.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30326 | High | 7.8 | — | 2025-05-13 | Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30322 | High | 7.8 | — | 2025-05-13 | Substance3D - Painter versions 11.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-27197 | High | 7.8 | — | 2025-05-13 | Lightroom Desktop versions 8.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43566 | Medium | 6.8 | — | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. |
CVE-2025-30315 | Medium | 6.1 | — | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-30314 | Medium | 6.1 | — | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-30316 | Medium | 5.4 | — | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
Sap_se · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43010 | High | 8.3 | — | 2025-05-13 | SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and replace arbitrary ABAP programs, including SAP… |
CVE-2025-43000 | High | 7.9 | — | 2025-05-13 | Under certain conditions Promotion Management Wizard (PMW) allows an attacker to access information which would otherwise be restricted. This has High impact on Confidentiality with Low impact on Integrity and Availability of the applicatio… |
CVE-2025-43011 | High | 7.7 | — | 2025-05-13 | Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data. |
CVE-2025-42997 | Medium | 6.6 | — | 2025-05-13 | Under certain conditions, SAP Gateway Client allows a high-privileged user to access restricted information beyond the scope of the application. |
CVE-2025-43003 | Medium | 6.4 | — | 2025-05-13 | SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. |
CVE-2025-43009 | Medium | 6.3 | — | 2025-05-13 | SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. |
CVE-2025-43007 | Medium | 6.3 | — | 2025-05-13 | SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. |
CVE-2025-31329 | Medium | 6.2 | — | 2025-05-13 | SAP NetWeaver is vulnerable to an Information Disclosure vulnerability caused by the injection of malicious instructions into user configuration settings. |
CVE-2025-43006 | Medium | 6.1 | — | 2025-05-13 | SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. |
CVE-2025-43008 | Medium | 5.8 | — | 2025-05-13 | Due to missing authorization check, an unauthorized user can view the files of other company. |
CVE-2025-43004 | Medium | 5.3 | — | 2025-05-13 | Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards. |
CVE-2025-26662 | Medium | 4.4 | — | 2025-05-13 | The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. |
CVE-2025-43005 | Medium | 4.3 | — | 2025-05-13 | SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials. |
CVE-2025-43002 | Medium | 4.3 | — | 2025-05-13 | SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. |
Schweitzer Engineering Laboratories · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46739 | High | 8.1 | — | 2025-05-12 | An unauthenticated user could discover account credentials via a brute-force attack without rate limiting. |
CVE-2025-46740 | High | 7.5 | — | 2025-05-12 | An authenticated user without user administrative permissions could change the administrator Account Name. |
CVE-2025-46737 | High | 7.4 | — | 2025-05-12 | SEL-5037 Grid Configurator contains an overly permissive Cross Origin Resource Sharing (CORS) configuration for a data gateway service in the application. |
CVE-2025-46738 | Medium | 6.6 | — | 2025-05-12 | An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code. |
CVE-2025-46745 | Medium | 6.5 | — | 2025-05-12 | An authenticated user without user-management permissions could view other users account information. |
CVE-2025-46743 | Medium | 6.3 | — | 2025-05-12 | An authenticated user's token could be used by another source after the user had logged out prior to the token expiring. |
CVE-2025-46746 | Medium | 5.8 | — | 2025-05-12 | An administrator could discover another account's credentials. |
CVE-2025-46747 | Medium | 5.7 | — | 2025-05-12 | An authenticated user without user-management permissions could identify other user accounts. |
CVE-2025-46741 | Medium | 5.7 | — | 2025-05-12 | A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred. |
CVE-2025-46750 | Medium | 4.4 | — | 2025-05-12 | SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected BIOS settings by importing a BIOS settings file with no password set. |
CVE-2025-46749 | Medium | 4.3 | — | 2025-05-12 | An authenticated user could submit scripting to fields that lack proper input and output sanitization leading to subsequent client-side script execution. |
CVE-2025-46742 | Medium | 4.3 | — | 2025-05-12 | Users who were required to change their password could still access system information before changing their password. |
CVE-2025-46748 | Low | 2.7 | — | 2025-05-12 | An authenticated user attempting to change their password could do so without using the current password. |
CVE-2025-46744 | Low | 2.7 | — | 2025-05-12 | An authenticated administrator could modify the Created By username for a user account. |
Lambertgroup · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32307 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Chameleon HTML5 Audio Player With/Without Playlist lbg-audio1-html5 allows SQL Injection. This issue affects Chameleon HTML5… |
CVE-2025-32306 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Radio Player Shoutcast & Icecast WordPress Plugin audio4-html5 allows Blind SQL Injection. This issue affects Radio Player Sh… |
CVE-2025-32301 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown Pro WP Plugin circular_countdown allows SQL Injection. This issue affects CountDown Pro WP Plugin: from n/a through… |
CVE-2025-32290 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Sticky HTML5 Music Player lbg-audio3-html5 allows SQL Injection. This issue affects Sticky HTML5 Music Player: from n/a throu… |
CVE-2025-32287 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Responsive HTML5 Audio Player PRO With Playlist lbg-audio2-html5 allows SQL Injection. This issue affects Responsive HTML5 Au… |
CVE-2025-31928 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Multimedia Responsive Carousel with Image Video Audio Support multimedia-carousel allows SQL Injection. This issue affects Mu… |
CVE-2025-31926 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Sticky Radio Player lbg-audio5-html5-shoutcast_sticky allows SQL Injection. This issue affects Sticky Radio Player: from n/a… |
CVE-2025-31641 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup UberSlider uber-classic allows SQL Injection. This issue affects UberSlider: from n/a through < 2.6. |
CVE-2025-31640 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic-carousel allows SQL Injection. This issue affects Magic Responsive Slide… |
CVE-2025-31637 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup SHOUT lbg-audio8-html5-radio_ads allows SQL Injection. This issue affects SHOUT: from n/a through <= 3.5.3. |
CVE-2025-47567 | High | 7.6 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Video Player & FullScreen Video Background universal-video-player-and-bg allows Blind SQL Injection. This issue affects Video… |
Drupal · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47708 | High | 8.8 | — | 2025-05-14 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0. |
CVE-2025-47701 | High | 8.8 | — | 2025-05-14 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery. This issue affects Restrict route by IP: from 0.0.0 before 1.3.0. |
CVE-2025-47707 | High | 7.5 | — | 2025-05-14 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5… |
CVE-2025-47710 | High | 7.4 | — | 2025-05-14 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5… |
CVE-2025-47709 | Medium | 6.5 | — | 2025-05-14 | Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0. |
CVE-2025-47705 | Medium | 6.1 | — | 2025-05-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS). This issue affects IFrame Remove Filter: from 2.0.0 before 2.0.5, from 7.X-… |
CVE-2025-47704 | Medium | 6.1 | — | 2025-05-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS). This issue affects Klaro Cookie & Consent Management: from 0.0… |
CVE-2025-47702 | Medium | 6.1 | — | 2025-05-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS). This issue affects oEmbed Providers: from 0.0.0 before 2.2.2. |
CVE-2025-47706 | Medium | 4.8 | — | 2025-05-14 | Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5… |
Intel · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20046 | High | 8.0 | — | 2025-05-13 | Use after free for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
CVE-2025-20618 | High | 7.9 | — | 2025-05-13 | Stack-based buffer overflow for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow a privileged user to potentially enable denial of service via local access. |
CVE-2025-20032 | High | 7.9 | — | 2025-05-13 | Improper input validation for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow a privileged user to potentially enable denial of service via local access. |
CVE-2025-20006 | High | 7.4 | — | 2025-05-13 | Use after free for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
CVE-2025-20079 | Medium | 6.7 | — | 2025-05-13 | Uncontrolled search path for some Intel(R) Advisor software may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2025-20039 | Medium | 6.6 | — | 2025-05-13 | Race condition for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
CVE-2025-20062 | Medium | 6.1 | — | 2025-05-13 | Use after free for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
CVE-2025-20026 | Medium | 6.1 | — | 2025-05-13 | Out-of-bounds read for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
Palo Alto Networks · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0130 | High | 7.5 | — | 2025-05-14 | A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and event… |
CVE-2025-0135 | Low | 3.3 | — | 2025-05-14 | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to disable the app. |
CVE-2025-0138 | — | — | — | 2025-05-14 | Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. |
CVE-2025-0137 | — | — | — | 2025-05-14 | An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS adm… |
CVE-2025-0136 | — | — | — | 2025-05-14 | Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PA… |
CVE-2025-0134 | — | — | — | 2025-05-14 | A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker VM. |
CVE-2025-0133 | — | — | — | 2025-05-14 | A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user'… |
CVE-2025-0132 | — | — | — | 2025-05-14 | A missing authentication vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an unauthenticated user to disable certain internal services on the Broker VM. The attacker must have network access to the Broker VM to exploit th… |
Zoom · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30663 | High | 8.8 | — | 2025-05-14 | Time-of-check time-of-use race condition in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access. |
CVE-2025-30664 | Medium | 6.6 | — | 2025-05-14 | Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access. |
CVE-2025-46785 | Medium | 6.5 | — | 2025-05-14 | Buffer over-read in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-30668 | Medium | 6.5 | — | 2025-05-14 | Integer underflow in some Zoom Workplace Apps may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-30667 | Medium | 6.5 | — | 2025-05-14 | NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-30666 | Medium | 6.5 | — | 2025-05-14 | NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-30665 | Medium | 6.5 | — | 2025-05-14 | NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-46786 | Medium | 4.3 | — | 2025-05-14 | Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access. |
Amd · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-31359 | High | 7.3 | — | 2025-05-13 | Incorrect default permissions in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
CVE-2023-31358 | High | 7.3 | — | 2025-05-13 | A DLL hijacking vulnerability in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
CVE-2025-0035 | High | 7.3 | — | 2025-05-13 | Unquoted search path within AMD Cloud Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution. |
CVE-2024-36339 | High | 7.3 | — | 2025-05-13 | A DLL hijacking vulnerability in the AMD Optimizing CPU Libraries could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
CVE-2024-36321 | High | 7.3 | — | 2025-05-13 | Unquoted search path within AIM-T Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution. |
CVE-2024-21960 | High | 7.3 | — | 2025-05-13 | Incorrect default permissions in the AMD Optimizing CPU Libraries (AOCL) installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. |
CVE-2024-36340 | Medium | 6.6 | — | 2025-05-13 | A junction point vulnerability within AMD uProf can allow a local low-privileged attacker to create junction points, potentially resulting in arbitrary file deletion or disclosure. |
Combodo · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24022 | High | 8.5 | — | 2025-05-14 | iTop is a web-based IT Service Management tool. |
CVE-2024-52601 | Medium | 6.5 | — | 2025-05-14 | iTop is a web-based IT Service Management tool. |
CVE-2024-56157 | Medium | 6.3 | — | 2025-05-14 | iTop is a web-based IT Service Management tool. |
CVE-2025-24026 | Medium | 5.3 | — | 2025-05-14 | iTop is a web-based IT Service Management tool. |
CVE-2025-24969 | Medium | 5.0 | — | 2025-05-14 | iTop is a web-based IT Service Management tool. |
CVE-2025-24021 | Medium | 5.0 | — | 2025-05-14 | iTop is a web-based IT Service Management tool. |
CVE-2025-24785 | Medium | 4.3 | — | 2025-05-14 | iTop is a web-based IT Service Management tool. |
D-link · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4749 | High | 7.5 | — | 2025-05-16 | A vulnerability classified as critical was found in D-Link DI-7003GV2 24.04.18D1 R(68125). |
CVE-2025-4755 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125). |
CVE-2025-4756 | Medium | 5.3 | — | 2025-05-16 | A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125). |
CVE-2025-4753 | Medium | 5.3 | — | 2025-05-16 | A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. |
CVE-2025-4752 | Medium | 5.3 | — | 2025-05-16 | A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. |
CVE-2025-4751 | Medium | 5.3 | — | 2025-05-16 | A vulnerability, which was classified as problematic, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). |
CVE-2025-4750 | Medium | 5.3 | — | 2025-05-16 | A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125). |
Hitachi · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27523 | High | 8.7 | — | 2025-05-15 | XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 1… |
CVE-2025-1531 | Medium | 6.5 | — | 2025-05-16 | Authentication credentials leakage vulnerability in Hitachi Ops Center Analyzer viewpoint. This issue affects Hitachi Ops Center Analyzer viewpoint: from 10.0.0-00 before 11.0.4-00. |
CVE-2025-1245 | Medium | 6.5 | — | 2025-05-16 | Bypass Connection Restriction vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component), Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastr… |
CVE-2024-8201 | Medium | 5.4 | — | 2025-05-16 | Cross-Site WebSocket Hijacking vulnerability in Hitachi Ops Center Analyzer (RAID Agent component). This issue affects Hitachi Ops Center Analyzer: from 10.8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-0… |
CVE-2025-27524 | Medium | 5.3 | — | 2025-05-15 | Weak encryption vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-… |
CVE-2025-3624 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00. |
CVE-2025-27525 | Low | 3.9 | — | 2025-05-15 | Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, fro… |
Angeljudesuarez · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4726 | High | 7.3 | — | 2025-05-15 | A vulnerability has been found in itsourcecode Placement Management System 1.0 and classified as critical. |
CVE-2025-4725 | High | 7.3 | — | 2025-05-15 | A vulnerability, which was classified as critical, was found in itsourcecode Placement Management System 1.0. |
CVE-2025-4724 | High | 7.3 | — | 2025-05-15 | A vulnerability, which was classified as critical, has been found in itsourcecode Placement Management System 1.0. |
CVE-2025-4723 | High | 7.3 | — | 2025-05-15 | A vulnerability classified as critical was found in itsourcecode Placement Management System 1.0. |
CVE-2025-4722 | High | 7.3 | — | 2025-05-15 | A vulnerability classified as critical has been found in itsourcecode Placement Management System 1.0. |
CVE-2025-4721 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in itsourcecode Placement Management System 1.0. |
Automattic · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6584 | Critical | 9.1 | — | 2025-05-15 | The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs. |
CVE-2024-10076 | Medium | 5.9 | — | 2025-05-15 | The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. |
CVE-2024-10075 | Medium | 5.6 | — | 2025-05-15 | The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block. |
CVE-2024-56006 | Medium | 5.3 | — | 2025-05-15 | Missing Authorization vulnerability in Automattic Jetpack Debug Tools. This issue affects Jetpack Debug Tools: from n/a before 2.0.1. |
CVE-2024-12743 | Medium | 4.8 | — | 2025-05-15 | The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is… |
CVE-2024-8009 | Medium | 4.3 | — | 2025-05-15 | The Sensei LMS WordPress plugin before 4.20.0 discloses all users of the blog, including their email addresses, to teachers on the students page. |
Jenkins · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47889 | Critical | 9.8 | — | 2025-05-14 | In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any usernam… |
CVE-2025-47884 | Critical | 9.1 | — | 2025-05-14 | In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to conf… |
CVE-2025-47885 | High | 8.8 | — | 2025-05-14 | Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to con… |
CVE-2025-47888 | Medium | 5.9 | — | 2025-05-14 | Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. |
CVE-2025-47887 | Medium | 4.3 | — | 2025-05-14 | Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. |
CVE-2025-47886 | Medium | 4.3 | — | 2025-05-14 | A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password. |
Sap · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30012 | Critical | 10.0 | — | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send a malicious payload request in a specific encoding format. |
CVE-2025-42999 | Critical | 9.1 | KEV | 2025-05-13 | SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability… |
CVE-2025-30018 | High | 8.6 | — | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files an… |
CVE-2025-30010 | Medium | 6.1 | — | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a vic… |
CVE-2025-30009 | Medium | 6.1 | — | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim's browser. |
CVE-2025-30011 | Medium | 5.3 | — | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send a malicious request to the application, which… |
Themeton · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31630 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in themeton The Business allows Exploiting Incorrectly Configured Access Control Security Levels. |
CVE-2025-31071 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Exploiting Incorrectly Configured Access Control Security Levels. |
CVE-2025-31066 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in themeton Acerola acerola allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acerola: from n/a through <= 1.6.5. |
CVE-2025-31065 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in themeton Rozario allows Exploiting Incorrectly Configured Access Control Security Levels. |
CVE-2025-31639 | Medium | 4.3 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in themeton Spare allows Cross Site Request Forgery. |
CVE-2025-31068 | Medium | 4.3 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in themeton Seven Stars allows Cross Site Request Forgery. |
Anujk305 · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4736 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in PHPGurukul Daily Expense Tracker 1.1 and classified as critical. |
CVE-2025-44183 | Medium | 6.1 | — | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the name, email, and mobile parameters. |
CVE-2025-44182 | Medium | 6.1 | — | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via the vehiclename, modelnumber, regnumber, vehiclesubtype, chasisnum, and enginenumber parameters in the /admin/edit-vehicle.php component. |
CVE-2025-44181 | Medium | 6.1 | — | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/add-brand.php via the brandname parameter. |
CVE-2025-44180 | Medium | 6.1 | — | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /edit-brand.php?bid={brandId}. |
Apache · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47436 | Critical | 9.8 | — | 2025-05-14 | Heap-based Buffer Overflow vulnerability in Apache ORC. |
CVE-2024-24780 | Critical | 9.8 | — | 2025-05-14 | Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. |
CVE-2025-27696 | High | 8.8 | — | 2025-05-13 | Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. |
CVE-2025-26864 | High | 7.5 | — | 2025-05-14 | Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. |
CVE-2025-26795 | High | 7.5 | — | 2025-05-14 | Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. |
Freefloat · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4792 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in FreeFloat FTP Server 1.0 and classified as critical. |
CVE-2025-4791 | High | 7.3 | — | 2025-05-16 | A vulnerability has been found in FreeFloat FTP Server 1.0 and classified as critical. |
CVE-2025-4790 | High | 7.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. |
CVE-2025-4789 | High | 7.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, has been found in FreeFloat FTP Server 1.0. |
CVE-2025-4788 | High | 7.3 | — | 2025-05-16 | A vulnerability classified as critical was found in FreeFloat FTP Server 1.0. |
Hailey888 · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29691 | Medium | 6.1 | — | 2025-05-14 | A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the userName parameter at /login/LoginsController.java. |
CVE-2025-29690 | Medium | 6.1 | — | 2025-05-14 | A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the outtype parameter at /address/AddrController.java. |
CVE-2025-29689 | Medium | 6.1 | — | 2025-05-14 | A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the password parameter at /mail/MailController.java. |
CVE-2025-29688 | Medium | 6.1 | — | 2025-05-14 | A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /daymanager/daymanageabilitycontroller.java. |
CVE-2025-29686 | Medium | 6.1 | — | 2025-05-14 | A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /inform/InformManageController.java. |
Ibm · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2900 | High | 7.5 | — | 2025-05-14 | IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect i… |
CVE-2025-3632 | High | 7.5 | — | 2025-05-12 | IBM 4769 Developers Toolkit 7.0.0 through 7.5.52 could allow a remote attacker to cause a denial of service in the Hardware Security Module (HSM) due to improper memory allocation of an excessive size. |
CVE-2025-3440 | Medium | 5.5 | — | 2025-05-15 | IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting. |
CVE-2024-51475 | Medium | 5.4 | — | 2025-05-16 | IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection. |
CVE-2025-1138 | Medium | 4.3 | — | 2025-05-15 | IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user that could aid in further attacks against the system through a directory listing. |
Nextcloud · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47790 | Medium | 6.4 | — | 2025-05-16 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2025-47792 | Medium | 5.0 | — | 2025-05-16 | Nextcloud Desktop is the desktop sync client for Nextcloud. |
CVE-2025-47793 | Medium | 4.3 | — | 2025-05-16 | Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. |
CVE-2025-47791 | Medium | 4.3 | — | 2025-05-16 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2025-47794 | Low | 2.6 | — | 2025-05-16 | Nextcloud Server is a self hosted personal cloud system. |
Ni · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30421 | High | 7.8 | — | 2025-05-15 | There is a memory corruption vulnerability due to a stack-based buffer overflow in DrObjectStorage::XML_Serialize() when using the SymbolEditor in NI Circuit Design Suite. |
CVE-2025-30420 | High | 7.8 | — | 2025-05-15 | There is a memory corruption vulnerability due to an out of bounds read in Bitmap::InternalDraw() when using the SymbolEditor in NI Circuit Design Suite. |
CVE-2025-30419 | High | 7.8 | — | 2025-05-15 | There is a memory corruption vulnerability due to an out of bounds read in GetSymbolBorderRectSize() when using the SymbolEditor in NI Circuit Design Suite. |
CVE-2025-30418 | High | 7.8 | — | 2025-05-15 | There is a memory corruption vulnerability due to an out of bounds write in CheckPins() when using the SymbolEditor in NI Circuit Design Suite. |
CVE-2025-30417 | High | 7.8 | — | 2025-05-15 | There is a memory corruption vulnerability due to an out of bounds write in Library!DecodeBase64() when using the SymbolEditor in NI Circuit Design Suite. |
Totolink · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4733 | High | 8.8 | — | 2025-05-16 | A vulnerability, which was classified as critical, has been found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. |
CVE-2025-4732 | High | 8.8 | — | 2025-05-16 | A vulnerability classified as critical was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. |
CVE-2025-4731 | High | 8.8 | — | 2025-05-16 | A vulnerability classified as critical has been found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. |
CVE-2025-4730 | High | 8.8 | — | 2025-05-16 | A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. |
CVE-2025-4729 | Medium | 6.3 | — | 2025-05-16 | A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. |
Centreon · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4648 | High | 8.4 | — | 2025-05-13 | The content of an SVG file, received as input in Centreon web, was not properly checked. |
CVE-2025-4647 | High | 8.4 | — | 2025-05-13 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS. |
CVE-2025-4646 | High | 7.2 | — | 2025-05-13 | Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation. This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4. |
CVE-2025-4649 | Medium | 4.9 | — | 2025-05-13 | Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation. |
Emlog · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47787 | Critical | 9.8 | — | 2025-05-15 | Emlog is an open source website building system. |
CVE-2025-47784 | Critical | 9.8 | — | 2025-05-15 | Emlog is an open source website building system. |
CVE-2025-47785 | High | 8.3 | — | 2025-05-15 | Emlog is an open source website building system. |
CVE-2025-47786 | Medium | 4.8 | — | 2025-05-15 | Emlog is an open source website building system. |
Evanliewer · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7231 | High | 7.3 | — | 2025-05-15 | The illi Link Party! |
CVE-2023-7230 | Medium | 6.1 | — | 2025-05-15 | The illi Link Party! |
CVE-2023-7228 | Medium | 6.1 | — | 2025-05-15 | The illi Link Party! |
CVE-2023-7229 | Medium | 5.5 | — | 2025-05-15 | The illi Link Party! |
Insyde · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52880 | High | 7.9 | — | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7… |
CVE-2024-52879 | High | 7.5 | — | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7… |
CVE-2024-52878 | High | 7.5 | — | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7… |
CVE-2024-52877 | High | 7.5 | — | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7… |
Ivanti · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22462 | Critical | 9.8 | — | 2025-05-13 | An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system. |
CVE-2025-22460 | High | 7.8 | — | 2025-05-13 | Default credentials in Ivanti Cloud Services Application before version 5.0.5 allows a local authenticated attacker to escalate their privileges. |
CVE-2025-4428 | High | 7.2 | KEV | 2025-05-13 | Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. |
CVE-2025-4427 | Medium | 5.3 | KEV | 2025-05-13 | An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. |
Mattermost · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31947 | Medium | 5.8 | — | 2025-05-15 | Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures… |
CVE-2025-2527 | Medium | 4.3 | — | 2025-05-15 | Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request. |
CVE-2025-3446 | Medium | 4.3 | — | 2025-05-15 | Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest us… |
CVE-2025-2570 | Low | 2.7 | — | 2025-05-15 | Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmi… |
Mayurik · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4728 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in SourceCodester Best Online News Portal 1.0. |
CVE-2025-44185 | Medium | 5.4 | — | 2025-05-15 | SourceCodester Best Employee Management System V1.0 is vulnerable to Cross Site Request Forgery (CSRF) in /admin/change_pass.php via the password parameter. |
CVE-2025-44186 | Medium | 5.4 | — | 2025-05-14 | SourceCodester Best Employee Management System 1.0 is vulnerable to Cross Site Request Forgery (CSRF) in /admin/Operation/User.php page. |
CVE-2025-44184 | Medium | 4.8 | — | 2025-05-14 | SourceCodester Best Employee Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the website_image, fname, lname, contact, username, and address parameters. |
Oretnom23 · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4806 | Medium | 6.3 | — | 2025-05-16 | A vulnerability, which was classified as critical, has been found in SourceCodester/oretnom23 Stock Management System 1.0. |
CVE-2025-4787 | Medium | 6.3 | — | 2025-05-16 | A vulnerability classified as critical has been found in SourceCodester/oretnom23 Stock Management System 1.0. |
CVE-2025-4786 | Medium | 6.3 | — | 2025-05-16 | A vulnerability was found in SourceCodester/oretnom23 Stock Management System 1.0. |
CVE-2025-4782 | Medium | 6.3 | — | 2025-05-16 | A vulnerability has been found in SourceCodester/oretnom23 Stock Management System 1.0 and classified as critical. |
Romancode · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47557 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg allows Stored XSS. This issue affects MapSVG: from n/a through <= 8.5.31. |
CVE-2025-48120 | Medium | 5.3 | — | 2025-05-16 | Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Code Injection. This issue affects MapSVG: from n/a through <= 8.6.9. |
CVE-2025-47562 | Medium | 5.3 | — | 2025-05-16 | Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg allows Code Injection. This issue affects MapSVG: from n/a through <= 8.5.34. |
CVE-2025-47560 | Medium | 5.0 | — | 2025-05-16 | Missing Authorization vulnerability in RomanCode MapSVG mapsvg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MapSVG: from n/a through < 8.6.13. |
Code-projects · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4743 | Medium | 6.3 | — | 2025-05-16 | A vulnerability classified as critical was found in code-projects Employee Record System 1.0. |
CVE-2025-4745 | Low | 3.5 | — | 2025-05-16 | A vulnerability, which was classified as problematic, was found in code-projects Employee Record System 1.0. |
CVE-2025-4744 | Low | 3.5 | — | 2025-05-16 | A vulnerability, which was classified as problematic, has been found in code-projects Employee Record System 1.0. |
Codepeople · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8854 | Medium | 5.4 | — | 2025-05-15 | The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit… |
CVE-2024-8851 | Medium | 5.4 | — | 2025-05-15 | The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit… |
CVE-2024-13382 | Medium | 4.8 | — | 2025-05-15 | The Calculated Fields Form WordPress plugin before 5.2.64 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html… |
Dell · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30475 | High | 8.1 | — | 2025-05-15 | Dell PowerScale InsightIQ, versions 5.0 through 5.2, contains an improper privilege management vulnerability. |
CVE-2025-26481 | High | 7.5 | — | 2025-05-15 | Dell PowerScale OneFS, versions 9.4.0.0 through 9.9.0.0, contains an uncontrolled resource consumption vulnerability. |
CVE-2025-30476 | Medium | 5.3 | — | 2025-05-15 | Dell PowerScale InsightIQ, version 5.2, contains an uncontrolled resource consumption vulnerability. |
Dyadyalesha · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6798 | Medium | 4.8 | — | 2025-05-15 | The DL Verification WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit… |
CVE-2024-6797 | Medium | 4.8 | — | 2025-05-15 | The DL Robots.txt WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
CVE-2024-6462 | Medium | 4.8 | — | 2025-05-15 | The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
Fortinet · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32756 | Critical | 9.8 | KEV | 2025-05-13 | A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, Fort… |
CVE-2025-22859 | Medium | 5.3 | — | 2025-05-13 | A Relative Path Traversal vulnerability [CWE-23] in FortiClientEMS 7.4.0 through 7.4.1 and FortiClientEMS Cloud 7.4.0 through 7.4.1 may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via upl… |
CVE-2024-35281 | Low | 2.5 | — | 2025-05-13 | An improper isolation or compartmentalization vulnerability [CWE-653] in FortiClientMac version 7.4.2 and below, version 7.2.8 and below, 7.0 all versions and FortiVoiceUCDesktop 3.0 all versions desktop application may allow an authentica… |
Getkirby · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31493 | Critical | 9.1 | — | 2025-05-13 | Kirby is an open-source content management system. |
CVE-2025-30159 | Critical | 9.1 | — | 2025-05-13 | Kirby is an open-source content management system. |
CVE-2025-30207 | High | 7.5 | — | 2025-05-13 | Kirby is an open-source content management system. |
Icewarp · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40632 | Medium | 6.1 | — | 2025-05-16 | Cross-site scripting (XSS) in Icewarp Mail Server affecting version 11.4.0. |
CVE-2025-40631 | Medium | 6.1 | — | 2025-05-16 | HTTP host header injection vulnerability in Icewarp Mail Server affecting version 11.4.0. |
CVE-2025-40630 | Medium | 6.1 | — | 2025-05-16 | Open redirection vulnerability in IceWarp Mail Server affecting version 11.4.0. |
Lukashuser · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9765 | Medium | 6.5 | — | 2025-05-15 | The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory |
CVE-2024-9711 | Medium | 5.4 | — | 2025-05-15 | The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
CVE-2024-9709 | Medium | 5.4 | — | 2025-05-15 | The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Metagauss · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4665 | Medium | 6.4 | — | 2025-05-15 | The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. |
CVE-2024-9390 | Medium | 4.8 | — | 2025-05-15 | The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html cap… |
CVE-2025-48079 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ProfileGrid : from n/a through <= 5.9… |
Mozilla · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3909 | High | 8.1 | — | 2025-05-14 | Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. |
CVE-2025-3875 | High | 7.5 | — | 2025-05-14 | Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. |
CVE-2025-3932 | Medium | 6.5 | — | 2025-05-14 | It was possible to craft an email that showed a tracking link as an attachment. |
Quanticalabs · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31922 | High | 7.1 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress css3_accordions allows Stored XSS. This issue affects CSS3 Accordions for WordPress: from n/a through <= 3.0. |
CVE-2025-47556 | Medium | 5.4 | — | 2025-05-16 | Missing Authorization vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress css3_web_pricing_tables_grids allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Compare Pricing Tab… |
CVE-2025-31923 | Medium | 5.4 | — | 2025-05-16 | Missing Authorization vulnerability in QuanticaLabs CSS3 Accordions for WordPress css3_accordions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Accordions for WordPress: from n/a through <=… |
Quantumcloud · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6809 | Critical | 9.8 | — | 2025-05-15 | The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. |
CVE-2025-32296 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through < 14.8.1. |
CVE-2025-0329 | Medium | 4.8 | — | 2025-05-15 | The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm… |
Red Hat · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3931 | High | 7.8 | — | 2025-05-14 | A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. |
CVE-2025-4574 | Medium | 6.5 | — | 2025-05-13 | In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption. |
CVE-2025-4476 | Medium | 4.3 | — | 2025-05-16 | A denial-of-service vulnerability has been identified in the libsoup HTTP client library. |
Shapedplugin · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48134 | High | 7.2 | — | 2025-05-16 | Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs wp-expand-tabs-free allows Object Injection. This issue affects WP Tabs: from n/a through <= 2.2.12. |
CVE-2024-8187 | Medium | 4.8 | — | 2025-05-15 | The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
CVE-2024-3996 | Low | 3.5 | — | 2025-05-15 | The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabi… |
Valvepress · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47534 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in ValvePress Wordpress Auto Spinner wp-auto-spinner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wordpress Auto Spinner: from n/a through <= 3.25.0. |
CVE-2025-39511 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in ValvePress Pinterest Automatic Pin wp-pinterest-automatic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pinterest Automatic Pin: from n/a through <= 4.19.0. |
CVE-2025-39493 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in ValvePress Rankie valvepress-rankie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rankie: from n/a through < 1.8.2. |
Zong Yu · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4556 | Critical | 9.8 | — | 2025-05-12 | The web management interface of Okcat Parking Management Platform from ZONG YU has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code… |
CVE-2025-4555 | Critical | 9.8 | — | 2025-05-12 | The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions. |
CVE-2025-4557 | Critical | 9.1 | — | 2025-05-12 | Specific APIs of the Parking Management System from ZONG YU have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access those APIs and operate system functions. |
10web · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8670 | Medium | 4.8 | — | 2025-05-15 | The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html… |
CVE-2024-13053 | Medium | 4.8 | — | 2025-05-15 | The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c… |
Abantecart · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40627 | Medium | 6.1 | — | 2025-05-12 | Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. |
CVE-2025-40626 | Medium | 6.1 | — | 2025-05-12 | Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. |
Aomedia · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48175 | Medium | 4.5 | — | 2025-05-16 | In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes. |
CVE-2025-48174 | Medium | 4.5 | — | 2025-05-16 | In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. |
Artec-it · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46610 | High | 8.8 | — | 2025-05-12 | ARTEC EMA Mail 6.92 allows CSRF. |
CVE-2025-46611 | Medium | 6.1 | — | 2025-05-12 | Cross Site Scripting vulnerability in ARTEC EMA Mail v6.92 allows an attacker to execute arbitrary code via a crafted script. |
Ays-pro · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9599 | Medium | 5.4 | — | 2025-05-15 | The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is… |
CVE-2024-8617 | Medium | 4.8 | — | 2025-05-15 | The Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Codexthemes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4317 | High | 8.8 | — | 2025-05-13 | The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. |
CVE-2025-4339 | Medium | 4.3 | — | 2025-05-13 | The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. |
Coffee-code · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1303 | Medium | 6.1 | — | 2025-05-15 | The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. |
CVE-2025-1289 | Medium | 4.8 | — | 2025-05-15 | The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
Couleurcitron · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11719 | Medium | 6.1 | — | 2025-05-15 | The tarteaucitron-wp WordPress plugin before 0.3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
CVE-2024-11718 | Medium | 5.4 | — | 2025-05-15 | The tarteaucitron-wp WordPress plugin before 0.3.0 allows author level and above users to add HTML into a post/page, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
Cr1000 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12733 | Medium | 6.1 | — | 2025-05-15 | The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adm… |
CVE-2024-12732 | Medium | 6.1 | — | 2025-05-15 | The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adm… |
Danielpowney · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13828 | Medium | 6.1 | — | 2025-05-15 | The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
CVE-2025-1033 | Medium | 4.8 | — | 2025-05-15 | The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i… |
Data443 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6335 | Medium | 4.8 | — | 2025-05-15 | The Tracking Code Manager WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html ca… |
CVE-2024-13621 | Medium | 4.8 | — | 2025-05-15 | The GDPR Framework By Data443 WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm… |
Debian · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-37890 | High | 7.8 | — | 2025-05-16 | In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child… |
CVE-2025-47287 | High | 7.5 | — | 2025-05-15 | Tornado is a Python web framework and asynchronous networking library. |
Engineercms_project · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-44831 | Critical | 9.8 | — | 2025-05-13 | EngineerCMS v1.02 through v2.0.5 has a SQL injection vulnerability in the /project/addproject interface. |
CVE-2025-44830 | Critical | 9.8 | — | 2025-05-12 | EngineerCMS v1.02 through v2.0.5 has a SQL injection vulnerability in the /project/addprojtemplet interface. |
Floriansimunek · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11372 | High | 7.2 | — | 2025-05-15 | The Connexion Logs WordPress plugin through 3.0.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks |
CVE-2024-11373 | Medium | 4.3 | — | 2025-05-15 | The Connexion Logs WordPress plugin through 3.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Freebiesdownload · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6718 | Medium | 5.4 | — | 2025-05-15 | The PVN Auth Popup WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and… |
CVE-2024-6713 | Medium | 4.8 | — | 2025-05-15 | The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili… |
Gnu · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4802 | High | 7.8 | — | 2025-05-16 | Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including inte… |
CVE-2025-48188 | Low | 2.9 | — | 2025-05-16 | libpspp-core.a in GNU PSPP through 2.0.1 has an incorrect call from fill_buffer (in data/encrypted-file.c) to the Gnulib rijndaelDecrypt function, leading to a heap-based buffer over-read. |
Google · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4600 | High | 7.5 | — | 2025-05-16 | A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. |
CVE-2025-4664 | Medium | 4.3 | — | 2025-05-14 | Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. |
I-o Data Device, Inc. · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32002 | Critical | 9.8 | — | 2025-05-15 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. |
CVE-2025-32738 | Medium | 5.3 | — | 2025-05-15 | Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. |
Icegram · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13486 | Medium | 4.8 | — | 2025-05-15 | The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
CVE-2024-13482 | Medium | 4.8 | — | 2025-05-15 | The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
Imithemes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39481 | Critical | 9.3 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through < 3.11.4. |
CVE-2025-39482 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in imithemes Eventer eventer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eventer: from n/a through < 3.11.4. |
Joomlaserviceprovider · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11267 | High | 8.8 | — | 2025-05-15 | The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing users with the Contributor role to perform SQL injection attacks. |
CVE-2024-12301 | Medium | 6.5 | — | 2025-05-15 | The JSP Store Locator WordPress plugin through 1.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. |
Justintadlock · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8090 | Medium | 6.1 | — | 2025-05-15 | The JavaScript Logic WordPress plugin through 0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
CVE-2024-8082 | Medium | 4.3 | — | 2025-05-15 | The Widgets Reset WordPress plugin through 0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Manageengine · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3834 | High | 8.1 | — | 2025-05-14 | Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the OU History report. |
CVE-2025-3833 | High | 8.1 | — | 2025-05-14 | Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports. |
Mantus667 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2248 | Medium | 5.4 | — | 2025-05-15 | The WP-PManager WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks |
CVE-2025-2247 | Medium | 5.4 | — | 2025-05-15 | The WP-PManager WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Melapress · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9879 | Medium | 5.4 | — | 2025-05-15 | The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks |
CVE-2024-10009 | Medium | 4.1 | — | 2025-05-15 | The Melapress File Monitor WordPress plugin before 2.1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks |
Mohsinrasool · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12722 | Medium | 5.4 | — | 2025-05-15 | The Twitter Bootstrap Collapse aka Accordian Shortcode WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow us… |
CVE-2024-11221 | Medium | 4.8 | — | 2025-05-15 | The Full Screen (Page) Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when… |
Mynamedia · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0688 | Medium | 6.1 | — | 2025-05-15 | The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used agai… |
CVE-2025-0687 | Medium | 6.1 | — | 2025-05-15 | The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used agai… |
Netalertx · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-46506 | Critical | 10.0 | — | 2025-05-13 | NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. |
CVE-2024-48766 | High | 8.6 | — | 2025-05-13 | NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. |
Netvision · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4559 | Critical | 9.8 | — | 2025-05-12 | The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. |
CVE-2025-4560 | Medium | 6.5 | — | 2025-05-12 | The ISOinsight from Netvision has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access certain system functions. |
Niceit · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12735 | High | 7.2 | — | 2025-05-15 | The Advance Post Prefix WordPress plugin through 1.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins and above to perform SQL injection attacks |
CVE-2024-12734 | Medium | 6.1 | — | 2025-05-15 | The Advance Post Prefix WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which co… |
Nokautpl · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10632 | Medium | 4.8 | — | 2025-05-15 | The Nokaut Offers Box WordPress plugin through 1.4.0 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab… |
CVE-2024-10634 | Medium | 4.3 | — | 2025-05-15 | The Nokaut Offers Box WordPress plugin through 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset the Nokaut Offers Box WordPress plugin through 1.4.0 via a CSRF… |
Openpubkey · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4658 | Critical | 9.8 | — | 2025-05-13 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. |
CVE-2025-3757 | Critical | 9.8 | — | 2025-05-13 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. |
Opentext · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10865 | — | — | — | 2025-05-14 | Improper Input validation leads to XSS or Cross-site Scripting vulnerability in OpenText Advanced Authentication. |
CVE-2024-10864 | — | — | — | 2025-05-14 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenText Advanced Authentication. This issue affects Advanced Authentication versions before 6.5 |
Optimalaccess · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6667 | Medium | 6.1 | — | 2025-05-15 | The KBucket: Your Curated Content in WordPress plugin before 4.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin. |
CVE-2024-6665 | Medium | 4.8 | — | 2025-05-15 | The KBucket: Your Curated Content in WordPress plugin before 4.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilte… |
Pagelayer · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8618 | Medium | 4.8 | — | 2025-05-15 | The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html… |
CVE-2024-8426 | Medium | 4.8 | — | 2025-05-15 | The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallo… |
Podlove · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13730 | Medium | 4.8 | — | 2025-05-15 | The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm… |
CVE-2024-13729 | Medium | 4.8 | — | 2025-05-15 | The Podlove Podcast Publisher WordPress plugin before 4.1.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_ht… |
Pointcloudlibrary · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4638 | Critical | 9.8 | — | 2025-05-14 | A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). |
CVE-2025-4640 | — | — | — | 2025-05-14 | Out-of-bounds Write vulnerability in PointCloudLibrary pcl allows Overflow Buffers. |
Presstigers · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7761 | Medium | 6.1 | — | 2025-05-15 | In the process of testing the Simple Job Board WordPress plugin before 2.12.2, a vulnerability was found that allows Stored XSS on behalf of the editor by embedding a malicious script, which can lead to an account takeover backdoor |
CVE-2024-7762 | Low | 3.7 | — | 2025-05-15 | The Simple Job Board WordPress plugin before 2.12.6 does not prevent uploaded files from being listed, allowing unauthenticated users to access and download uploaded resumes |
Prisna · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12680 | Medium | 4.8 | — | 2025-05-15 | The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
CVE-2024-12679 | Medium | 4.8 | — | 2025-05-15 | The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Projectworlds · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4739 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in projectworlds Hospital Database Management System 1.0. |
CVE-2025-4706 | High | 7.3 | — | 2025-05-15 | A vulnerability was found in projectworlds Online Examination System 1.0. |
Redhat · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4982 | High | 7.6 | — | 2025-05-12 | A directory traversal vulnerability was discovered in Pagure server. |
CVE-2024-4981 | High | 7.6 | — | 2025-05-12 | A vulnerability was discovered in Pagure server. |
Redqteam · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31063 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in redqteam Wishlist wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wishlist: from n/a through <= 2.1.0. |
CVE-2025-31062 | Medium | 4.3 | — | 2025-05-16 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist wishlist allows Retrieve Embedded Sensitive Data. This issue affects Wishlist: from n/a through <= 2.1.0. |
Reputeinfosystems · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10504 | Medium | 5.4 | — | 2025-05-15 | The Contact Form, Survey, Quiz & Popup Form Builder WordPress plugin before 1.7.1 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attac… |
CVE-2024-11189 | Medium | 4.8 | — | 2025-05-15 | The Social Share And Social Locker WordPress plugin before 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilter… |
Robosoft · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13384 | Medium | 4.8 | — | 2025-05-15 | The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks ev… |
CVE-2024-10144 | Medium | 4.8 | — | 2025-05-15 | The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting atta… |
Schneider Electric · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2875 | High | 7.5 | — | 2025-05-14 | CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could cause a loss of confidentiality when an unauthenticated attacker manipulates controller’s webserver URL to access resources. |
CVE-2025-3916 | — | — | — | 2025-05-13 | CWE-121: Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by th… |
Syncpilot · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2305 | High | 8.6 | — | 2025-05-16 | A Path traversal vulnerability in the file download functionality was identified. |
CVE-2025-2306 | Medium | 5.9 | — | 2025-05-16 | An Improper Access Control vulnerability was identified in the file download functionality. |
Tenda · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4810 | High | 8.8 | — | 2025-05-16 | A vulnerability was found in Tenda AC7 15.03.06.44. |
CVE-2025-4809 | High | 8.8 | — | 2025-05-16 | A vulnerability was found in Tenda AC7 15.03.06.44. |
Thimpress · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13128 | Medium | 4.8 | — | 2025-05-15 | The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili… |
CVE-2024-13127 | Medium | 4.8 | — | 2025-05-15 | The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili… |
Toolstack · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9663 | Medium | 5.4 | — | 2025-05-15 | The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i… |
CVE-2024-9662 | Medium | 5.4 | — | 2025-05-15 | The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i… |
Travelpayouts · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-5934 | High | 7.3 | — | 2025-05-15 | The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF a… |
CVE-2023-5932 | Medium | 4.8 | — | 2025-05-15 | The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high p… |
Trifectatech · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46718 | Low | 3.3 | — | 2025-05-12 | sudo-rs is a memory safe implementation of sudo and su written in Rust. |
CVE-2025-46717 | Low | 3.3 | — | 2025-05-12 | sudo-rs is a memory safe implementation of sudo and su written in Rust. |
Uncannyowl · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3623 | Critical | 9.1 | — | 2025-05-14 | The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. |
CVE-2025-4520 | Medium | 5.4 | — | 2025-05-14 | The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. |
Vinoth06 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4474 | High | 8.8 | — | 2025-05-13 | The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. |
CVE-2025-4473 | High | 8.8 | — | 2025-05-13 | The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_request() function in versions 1.0 to 2.2.7. |
Vyperlang · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47774 | — | — | — | 2025-05-15 | Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. |
CVE-2025-47285 | — | — | — | 2025-05-15 | Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. |
Watchguard · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4805 | — | — | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS. |
CVE-2025-4804 | — | — | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the spamBlocker module. |
Whmpress · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39491 | High | 8.1 | — | 2025-05-16 | Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. |
CVE-2025-39492 | High | 7.5 | — | 2025-05-16 | Path Traversal vulnerability in WHMPress WHMpress allows Relative Path Traversal. |
5ire · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47777 | Critical | 9.6 | — | 2025-05-14 | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. |
Abitgone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7174 | High | 7.1 | — | 2025-05-15 | The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
Ablyperu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7086 | Medium | 5.4 | — | 2025-05-15 | The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
Absolute · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6364 | Medium | 6.4 | — | 2025-05-13 | A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated. |
Acugis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6712 | Medium | 6.1 | — | 2025-05-15 | The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack |
Admintwentytwenty · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3053 | High | 8.8 | — | 2025-05-15 | The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. |
Alchemyplatform · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46834 | — | — | — | 2025-05-15 | Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. |
Ami · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-42446 | High | 7.5 | — | 2025-05-13 | APTIOV contains a vulnerability in BIOS where an attacker may cause a Time-of-check Time-of-use (TOCTOU) Race Condition by local means. |
Ani2life · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7195 | Medium | 4.3 | — | 2025-05-15 | The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
Annabansaghi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12739 | Medium | 4.8 | — | 2025-05-15 | The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab… |
Antonpug · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7168 | Medium | 4.8 | — | 2025-05-15 | The Better Follow Button for Jetpack WordPress plugin through 8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilter… |
App Cheap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48127 | Medium | 6.5 | — | 2025-05-16 | Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app push-notification-mobile-and-web-app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for… |
Aptivada · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48135 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aptivadadev Aptivada for WP aptivada-for-wp allows DOM-Based XSS. This issue affects Aptivada for WP: from n/a through <= 2.0.0. |
Archetyped · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3516 | Medium | 5.9 | — | 2025-05-16 | The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scri… |
Arraytics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47445 | High | 7.5 | — | 2025-05-14 | Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal. This issue affects Eventin: from n/a through <= 4.0.26. |
Ashan Perera · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48116 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in Ashan Perera EventON eventon-lite allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through <= 2.4.4. |
Ashanjay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47564 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in ashanjay EventON eventon allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through <= 4.9.8. |
Asus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1533 | — | — | — | 2025-05-12 | A stack buffer overflow has been identified in the AsIO3.sys driver. |
Atheos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47788 | — | — | — | 2025-05-15 | Atheos is a self-hosted browser-based cloud IDE. |
Auma Riester · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3496 | High | 7.5 | — | 2025-05-12 | An unauthenticated remote attacker can cause a buffer overflow which could lead to unexpected behaviour or DoS via Bluetooth or RS-232 interface. |
Auth0 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47275 | Critical | 9.1 | — | 2025-05-15 | Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. |
Aweber · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13313 | Medium | 4.8 | — | 2025-05-15 | The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is… |
Bdwm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4091 | Low | 3.5 | — | 2025-05-15 | The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallo… |
Beamctrl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4740 | Medium | 5.3 | — | 2025-05-16 | A vulnerability was found in BeamCtrl Airiana up to 11.0. |
Bertha · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48138 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13. |
Blaze Concepts · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39537 | High | 7.1 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blaze Concepts Better Customer List for WooCommerce woo-better-customer-list allows Reflected XSS. This issue affects Better Customer List… |
Blubrry · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9227 | Medium | 4.8 | — | 2025-05-15 | The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow admin users to perform Stored Cross-Site Scripting attacks even when the… |
Bluetrait · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10677 | Medium | 4.3 | — | 2025-05-15 | The BTEV WordPress plugin through 2.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Bluewave · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48024 | Medium | 5.0 | — | 2025-05-15 | In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint. |
Bohua · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4747 | Medium | 6.3 | — | 2025-05-16 | A vulnerability was found in Bohua NetDragon Firewall 1.0 and classified as critical. |
Bonigarcia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4641 | — | — | — | 2025-05-14 | Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. |
Bootstrap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1647 | Medium | 5.6 | — | 2025-05-15 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap: from 3.4.1 before 4.0.0. |
Bracketspace · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4004 | Low | 3.5 | — | 2025-05-15 | The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c… |
Brijeshk89 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12800 | Medium | 4.8 | — | 2025-05-15 | The IP Based Login WordPress plugin before 2.4.1 does not sanitise values when importing, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disal… |
Broadcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22248 | High | 7.5 | — | 2025-05-13 | The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, come with a 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user t… |
Broadstreet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48113 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Broadstreet Broadstreet Ads broadstreet allows Stored XSS. This issue affects Broadstreet Ads: from n/a through <= 1.51.2. |
Buddyboss · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12767 | Low | 3.5 | — | 2025-05-15 | The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts |
Bulktheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1288 | Medium | 6.1 | — | 2025-05-15 | The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack. |
Bullfrogsec · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47775 | Medium | 6.2 | — | 2025-05-14 | Bullfrog is a GitHub Action to block unauthorized outbound traffic in GitHub workflows. |
Bytecodealliance · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43853 | Medium | 5.5 | — | 2025-05-15 | The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. |
Cap-collectif · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47292 | — | — | — | 2025-05-14 | Cap Collectif is an online decision making platform that integrates several tools. |
Cbewin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4769 | High | 7.0 | — | 2025-05-16 | A vulnerability classified as critical was found in CBEWIN Anytxt Searcher 1.3.1128.0. |
Cedcommerce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2022-4363 | Medium | 6.5 | — | 2025-05-16 | The Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via… |
Chaser324 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32245 | Medium | 6.5 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in Chaser324 Featured Posts Scroll featured-posts-scroll allows Stored XSS. This issue affects Featured Posts Scroll: from n/a through <= 1.25. |
Checkmk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32917 | High | 8.8 | — | 2025-05-13 | Privilege escalation in the jar_signature agent plugin in Checkmk versions <2.4.0b7 (beta), <2.3.0p32, <2.2.0p42, and 2.1.0p49 (EOL) allows a user with write access to the JAVA_HOME/bin directory to escalate privileges. |
Chewkeanho · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47276 | High | 7.5 | — | 2025-05-13 | Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). |
Clicksold · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7769 | Medium | 4.8 | — | 2025-05-15 | The ClickSold IDX WordPress plugin through 1.90 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Cloud Foundry · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22246 | Low | 3.0 | — | 2025-05-13 | Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs. |
Cm-wp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10149 | Medium | 4.8 | — | 2025-05-15 | The Social Slider Feed WordPress plugin before 2.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab… |
Cminds · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-5026 | Medium | 4.8 | — | 2025-05-15 | The CM Tooltip Glossary WordPress plugin before 4.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capa… |
Codeastro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4811 | High | 7.3 | — | 2025-05-16 | A vulnerability was found in CodeAstro Pharmacy Management System 1.0. |
Codeflock · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12724 | Medium | 6.1 | — | 2025-05-15 | The WP DeskLite WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
Comesio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4396 | High | 7.5 | — | 2025-05-13 | The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 (Free) and <= 2.27.5 (Premium) due to insufficient escaping… |
Continew · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4552 | Medium | 5.4 | — | 2025-05-12 | A vulnerability has been found in ContiNew Admin up to 3.6.0 and classified as problematic. |
Contrid · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3107 | Medium | 6.5 | — | 2025-05-13 | The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.9.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient pre… |
Cookies_consent_manager_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47703 | Medium | 6.1 | — | 2025-05-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2… |
Corbyboy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7197 | High | 7.1 | — | 2025-05-15 | The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack |
Cozmoslabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6708 | Medium | 4.8 | — | 2025-05-15 | The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks. |
Cozy Vision · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47682 | Critical | 9.3 | — | 2025-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS Alert Order Notifications: from n/a throu… |
Cpplusworld · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-44039 | Medium | 5.1 | — | 2025-05-13 | CP-XR-DE21-S -4G Router Firmware version 1.031.022 was discovered to contain insecure protections for its UART console. |
Cure53 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48050 | High | 7.5 | — | 2025-05-15 | In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. |
Davidstutz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47204 | Medium | 6.1 | — | 2025-05-13 | An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. |
Davisking · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4637 | — | — | — | 2025-05-14 | Divide By Zero vulnerability in davisking dlib allows remote attackers to cause a denial of service via a crafted file. |
Defog-ai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4767 | Medium | 5.3 | — | 2025-05-16 | A vulnerability was found in defog-ai introspect up to 0.1.4. |
Deluxeblogtips · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10143 | Medium | 4.8 | — | 2025-05-15 | The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the… |
Deryckoe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6030 | Medium | 5.4 | — | 2025-05-15 | The LogDash Activity Log WordPress plugin before 1.1.4 hooks the wp_login_failed function (from src/Hooks/Users.php) in order to log failed login attempts to the database but it doesn't escape the username when it perform some SQL request… |
Dev4press · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0852 | High | 8.8 | — | 2025-05-15 | The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attack against high privilege users… |
Devpups · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10145 | Medium | 4.8 | — | 2025-05-15 | The Hubbub Lite WordPress plugin before 1.34.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Dfactory · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3742 | Medium | 6.8 | — | 2025-05-15 | The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored C… |
Digi International · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3659 | — | — | — | 2025-05-12 | Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP I… |
Domainspro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-40628 | — | — | — | 2025-05-13 | SQL injection vulnerability in DomainsPRO 1.2. |
Dpgaspar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-32962 | Medium | 4.3 | — | 2025-05-16 | Flask-AppBuilder is an application development framework built on top of Flask. |
Dumbwareio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47929 | — | — | — | 2025-05-15 | DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b. |
Dyland · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4579 | High | 7.2 | — | 2025-05-15 | The WP Content Security Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blocked-uri and effective-directive parameters in all versions up to, and including, 2.3 due to insufficient input sanitization and o… |
Ecki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46836 | Medium | 6.6 | — | 2025-05-14 | net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. |
Edimax · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-45857 | Critical | 9.8 | — | 2025-05-13 | EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function. |
Edward Caissie · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47578 | Medium | 6.5 | — | 2025-05-12 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Edward Caissie BNS Twitter Follow Button bns-twitter-follow-button allows DOM-Based XSS. This issue affects BNS Twitter Follow Button: fro… |
Emmanuelg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4126 | Medium | 6.4 | — | 2025-05-15 | The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied att… |
Ericsson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-53827 | High | 7.5 | — | 2025-05-16 | Ericsson Packet Core Controller (PCC) contains a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. |
Espocrm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-32390 | High | 8.5 | — | 2025-05-12 | EspoCRM is a free, open-source customer relationship management platform. |
Estatik · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48136 | High | 7.5 | — | 2025-05-16 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik estatik-mortgage-calculator allows PHP Local File Inclusion. This issue affects Mor… |
Ether · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-40907 | Medium | 5.3 | — | 2025-05-16 | FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. |
Etoilewebdesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47580 | Medium | 5.4 | — | 2025-05-15 | Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Front End Users: from n/a through <= 3.2.35. |
F1logic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-12873 | Medium | 6.1 | — | 2025-05-15 | The Custom Field Manager WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admi… |
Facturaone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4564 | Critical | 9.8 | — | 2025-05-15 | The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. |
Feng_ha_ha · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4768 | Medium | 6.3 | — | 2025-05-16 | A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. |
Firelightwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-3597 | Medium | 5.9 | — | 2025-05-12 | The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. |
Flamescorpion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-9838 | Medium | 5.4 | — | 2025-05-15 | The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. |
Flickdevs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-10631 | Medium | 6.5 | — | 2025-05-15 | The Countdown Timer for WordPress Block Editor WordPress plugin through 1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the cont… |
Fluxbb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-44110 | Medium | 5.4 | — | 2025-05-15 | FluxBB 1.5.11 is vulnerable to Cross Site Scripting (XSS) via the Forum Description Field in admin_forums.php. |
Flytxt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-34732 | Medium | 5.4 | — | 2025-05-12 | An issue in the userId parameter in the change password function of Flytxt NEON-dX v0.0.1-SNAPSHOT-6.9-qa-2-9-g5502a0c allows attackers to execute brute force attacks to discover user passwords. |
Freerdp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4478 | Medium | 6.5 | — | 2025-05-16 | A flaw was found in the FreeRDP used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault. |
Funnelkit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-2203 | Medium | 6.1 | — | 2025-05-15 | The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. |
Gamipress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-8245 | Medium | 4.3 | — | 2025-05-15 | The GamiPress WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. |
Gongfuxiang · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4795 | Medium | 4.7 | — | 2025-05-16 | A vulnerability classified as critical has been found in gongfuxiang schoolcms 2.3.1. |
Grandplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-9238 | Medium | 5.4 | — | 2025-05-15 | The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
Gsheetconnector · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-2334 | Medium | 5.4 | — | 2025-05-15 | The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged… |
Gsplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-9233 | Medium | 4.3 | — | 2025-05-15 | The Logo Slider WordPress plugin before 3.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. |
Happyforms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-10054 | Medium | 4.8 | — | 2025-05-15 | The Happyforms WordPress plugin before 1.26.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Harmonicdesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-13383 | Medium | 4.8 | — | 2025-05-15 | The HD Quiz WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is di… |
Hashicorp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-3744 | High | 7.6 | — | 2025-05-13 | Nomad Enterprise ("Nomad") jobs using the policy override option are bypassing the mandatory sentinel policies. |
Hijiriworld · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-0249 | High | 7.1 | — | 2025-05-15 | The Advanced Schedule Posts WordPress plugin through 2.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as… |
Hkdigit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-6786 | Medium | 6.1 | — | 2025-05-15 | The Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue. |
Horilla · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47789 | Medium | 6.1 | — | 2025-05-15 | Horilla is a free and open source Human Resource Management System (HRMS). |
Humansignal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47783 | Medium | 6.1 | — | 2025-05-14 | Label Studio is a multi-type data labeling and annotation tool. |
If-so · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-5440 | Medium | 5.4 | — | 2025-05-15 | The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with t… |
Inisev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-10362 | Medium | 4.8 | — | 2025-05-15 | The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.9.1 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even… |
Inventivo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-7088 | Medium | 5.4 | — | 2025-05-15 | The Add SVG Support for Media Uploader \| inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
Invisioncommunity · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47916 | Critical | 10.0 | — | 2025-05-16 | Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. |
Ionutstaicu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-8094 | Medium | 6.5 | — | 2025-05-15 | The Ntz Antispam WordPress plugin through 2.0e does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. |
Javier Revilla · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48115 | Medium | 4.3 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in Javier Revilla ValidateCertify validar-certificados-de-cursos allows Cross Site Request Forgery. This issue affects ValidateCertify: from n/a through <= 1.6.4. |
Jeroensormani · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-7239 | High | 7.5 | — | 2025-05-15 | The WP Dashboard Notes WordPress plugin before 1.0.11 does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action. |
Jfarthing · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-8050 | Medium | 4.3 | — | 2025-05-15 | The Custom Author Base WordPress plugin through 1.1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. |
Jidaikobo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-11190 | Medium | 4.8 | — | 2025-05-15 | The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is… |
Jonkemp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-7196 | Medium | 4.3 | — | 2025-05-15 | The Ultimate Noindex Nofollow Tool WordPress plugin through 1.1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. |
Jontasc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-11141 | Medium | 6.1 | — | 2025-05-15 | The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings and is missing CSRF protection which could allow subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_ht… |
Julmud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46729 | — | — | — | 2025-05-12 | julmud/phpDVDProfiler is an adoption of the defunct phpDVDProfiler project, which allows users to display on the web their DVD collections maintained with Invelos's DVDProfiler software. |
Justinas · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46721 | Medium | 6.1 | — | 2025-05-13 | nosurf is cross-site request forgery (CSRF) protection middleware for Go. |
Kaliforms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-3201 | Medium | 5.9 | — | 2025-05-16 | The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting at… |
Kamleshyadav · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-31915 | Medium | 5.4 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder pixel-formbuilder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: f… |
Kanboard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46825 | Medium | 5.4 | — | 2025-05-12 | Kanboard is project management software that focuses on the Kanban methodology. |
Karimmughal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48112 | High | 7.1 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages dot-htmlphpxml-etc-pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from… |
Kashipara Group · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-49641 | Critical | 9.8 | — | 2025-05-13 | Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. |
Kelerkgibo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-3917 | Critical | 9.8 | — | 2025-05-15 | The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. |
Kilbot · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48117 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in kilbot WooCommerce POS woocommerce-pos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce POS: from n/a through <= 1.7.8. |
Kinfor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4561 | High | 8.8 | — | 2025-05-12 | The KFOX from KingFor has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privilege to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. |
Kingsoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-57096 | Medium | 5.5 | — | 2025-05-14 | An issue in wps office before v.19302 allows a local attacker to obtain sensitive information via a crafted file. |
Klarned · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-10639 | Medium | 4.8 | — | 2025-05-15 | The Auto Prune Posts WordPress plugin before 3.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
Konica Minolta Japan, Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-41393 | Medium | 6.1 | — | 2025-05-12 | Reflected cross-site scripting vulnerability exists in the laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor. |
Kylephillips · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-8759 | Medium | 4.8 | — | 2025-05-15 | The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Latepoint · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-3769 | Medium | 5.3 | — | 2025-05-14 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missi… |
Lf-edge · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-52290 | Medium | 6.3 | — | 2025-05-14 | LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. |
Lichess · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48051 | Medium | 4.7 | — | 2025-05-15 | powertip.ts in Lila (for Lichess) before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML. |
Lifterlms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-13619 | Medium | 6.1 | — | 2025-05-15 | The LifterLMS WordPress plugin before 8.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
Lightpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-3649 | Medium | 6.8 | — | 2025-05-12 | The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks. |
Linux · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-53146 | Medium | 5.5 | — | 2025-05-14 | In the Linux kernel, the following vulnerability has been resolved: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() In dw2102_i2c_transfer, msg is controlled by user. |
Lirantal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4759 | High | 8.3 | — | 2025-05-16 | Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an at… |
Ljapps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-11109 | Medium | 4.8 | — | 2025-05-15 | The WP Google Review Slider WordPress plugin before 15.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c… |
Lleidanet Pki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4762 | — | — | — | 2025-05-15 | Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allows an unauthenticated attacker to access arbitrary files in the document system via manipulation… |
Loopus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-31921 | Medium | 4.3 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Ultimate Tours Builder WP_UltimateToursBuilder allows Cross Site Request Forgery. This issue affects WP Ultimate Tours Builder: from n/a through <= 1.055. |
Lukevella · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47781 | Critical | 9.8 | — | 2025-05-14 | Rallly is an open-source scheduling and collaboration tool. |
Lupsonline · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48146 | High | 7.1 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in Michael Lups SEO Flow by LupsOnline lupsonline-link-netwerk allows Stored XSS. This issue affects SEO Flow by LupsOnline: from n/a through <= 2.2.1. |
Magazine3 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-7759 | Medium | 4.8 | — | 2025-05-15 | The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Mappresspro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-8620 | Medium | 4.8 | — | 2025-05-15 | The MapPress Maps for WordPress plugin before 2.93 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
Memberspace · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-13727 | Medium | 6.1 | — | 2025-05-15 | The MemberSpace WordPress plugin before 2.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. |
Metaphorcreations · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-13357 | Medium | 4.8 | — | 2025-05-15 | The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is d… |
Meteor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4727 | Low | 3.7 | — | 2025-05-15 | A vulnerability was found in Meteor up to 3.2.1 and classified as problematic. |
Missionmike · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-7556 | Medium | 4.8 | — | 2025-05-15 | The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Mitchelllevy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-11269 | High | 7.2 | — | 2025-05-15 | The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks. |
Mitsubishi Electric Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-0921 | Medium | 6.5 | — | 2025-05-15 | Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.9… |
Mojofywp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-32180 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojofywp Product Carousel For WooCommerce – WoorouSell woorousell allows Stored XSS. This issue affects Product Carousel For WooCommerce –… |
Mojoomla · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-32643 | Critical | 9.3 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. |
Mongodb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-40906 | Critical | 9.8 | — | 2025-05-16 | BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. |
Mooveagency · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-0970 | Medium | 5.3 | — | 2025-05-15 | This User Activity Tracking and Log WordPress plugin before 4.1.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. |
Motioneye-project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47782 | — | — | — | 2025-05-14 | motionEye is an online interface for the software motion, a video surveillance program with motion detection. |
Munyweki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4720 | Medium | 5.4 | — | 2025-05-15 | A vulnerability was found in SourceCodester Student Result Management System 1.0. |
Mutonufoai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48027 | Medium | 5.4 | — | 2025-05-15 | The HttpAuth plugin in pGina.Fork through 3.9.9.12 allows authentication bypass when an adversary controls DNS resolution for pginaloginserver. |
Nackle2k10 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4589 | Medium | 6.4 | — | 2025-05-15 | The Bon Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bt-map' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied a… |
Nasatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-39507 | High | 7.5 | — | 2025-05-16 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion. This issue affects Nasa Core: from n/a through < 6.4.4. |
Naukowa I Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4430 | — | — | — | 2025-05-14 | Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation. This issue affects EZD RP in versions before 20.19 (published on 22nd August 2024). |
Nimiq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47270 | High | 7.5 | — | 2025-05-12 | nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. |
Ninja Forms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-13940 | Medium | 5.5 | — | 2025-05-14 | The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. |
Ninja_pages_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-1454 | Medium | 5.4 | — | 2025-05-15 | The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability… |
Nodejs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-47279 | Low | 3.1 | — | 2025-05-15 | Undici is an HTTP/1.1 client for Node.js. |
Ollama · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-1975 | High | 7.5 | — | 2025-05-16 | A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. |
Opswat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-0131 | — | — | — | 2025-05-14 | An incorrect privilege management vulnerability in the OPSWAT MetaDefender Endpoint Security SDK used by the Palo Alto Networks GlobalProtect™ app on Windows devices allows a locally authenticated non-administrative Windows user to escalat… |
Orangelab · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-6486 | High | 7.2 | — | 2025-05-15 | The ImageMagick Engine ImageMagick Engine WordPress plugin before 1.7.11 for WordPress is vulnerable to OS Command Injection via the "cli_path" parameter. |
Ozi-project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47271 | — | — | — | 2025-05-12 | The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. |
Pagevisitcounter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-5529 | Medium | 4.8 | — | 2025-05-15 | The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_… |
Pallets · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47278 | — | — | — | 2025-05-13 | Flask is a web server gateway interface (WSGI) web application framework. |
Pdfcrowd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-3062 | Medium | 4.8 | — | 2025-05-15 | The Save as Image Plugin by Pdfcrowd WordPress plugin before 3.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilte… |
Peepso · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8988 | Medium | 5.3 | — | 2025-05-14 | The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. |
Peergos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4639 | — | — | — | 2025-05-14 | CWE-611 Improper Restriction of XML External Entity Reference in the getDocumentBuilder() method of WebDav servlet in Peergos. |
Pencilwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48132 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Stored XSS. This issue affects X Addons for Elementor: from n/a through <= 1.0.1… |
Philipwalton · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8398 | Medium | 4.3 | — | 2025-05-15 | The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Phoenix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12533 | Low | 3.3 | — | 2025-05-13 | Improper Check for Unusual or Exceptional Conditions vulnerability in Phoenix SecureCore Technology 4 allows Input Data Manipulation. This issue affects SecureCore Technology 4: from 4.0.1.0 before 4.0.1.1018, from 4.1.0.1 before 4.1.0.573… |
Pickplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9645 | Medium | 5.4 | — | 2025-05-15 | The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could a… |
Pixeljar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11266 | Medium | 4.8 | — | 2025-05-15 | The Geocache Stat Bar Widget WordPress plugin through 0.911 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm… |
Pnetlab · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40629 | — | — | — | 2025-05-16 | PNETLab 4.2.10 does not properly sanitize user inputs in its file access mechanisms. |
Pnfpb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6159 | Critical | 9.8 | — | 2025-05-15 | The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL inject… |
Premio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2643 | Medium | 4.8 | — | 2025-05-15 | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to… |
Progress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3600 | High | 7.5 | — | 2025-05-14 | In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service. |
Projectpanorama · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11843 | Medium | 4.8 | — | 2025-05-15 | The Panorama WordPress plugin through 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is… |
Proxymis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48137 | High | 8.5 | — | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in proxymis Interview interview allows SQL Injection. This issue affects Interview: from n/a through <= 1.01. |
Python Software Foundation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4516 | — | — | — | 2025-05-15 | There is an issue in CPython when using `bytes.decode("unicode_escape", errors="ignore|replace")`. |
Radiustheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9236 | Medium | 4.8 | — | 2025-05-15 | The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disa… |
Raiserweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12750 | Medium | 4.3 | — | 2025-05-15 | The Competition Form WordPress plugin through 2.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Realestateconnected · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2869 | Medium | 4.8 | — | 2025-05-15 | The Easy Property Listings WordPress plugin before 3.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c… |
Reneade · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7297 | Low | 3.5 | — | 2025-05-15 | The TwitterPosts WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Roninwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47693 | High | 7.5 | — | 2025-05-16 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking fat-services-booking allows PHP Local File Inclusion. This issue affects FAT Services Book… |
Rs Wp Themes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48119 | Medium | 5.3 | — | 2025-05-16 | Improper Control of Generation of Code ('Code Injection') vulnerability in RS WP THEMES RS WP Book Showcase rs-wp-books-showcase allows Code Injection. This issue affects RS WP Book Showcase: from n/a through <= 6.7.59. |
Ryanchristenson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8095 | Medium | 6.1 | — | 2025-05-15 | The BabelZ WordPress plugin through 1.1.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
S3bubble · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13865 | Medium | 6.1 | — | 2025-05-15 | The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. |
Saiful Islam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48131 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite ultraaddons-elementor-lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from… |
Saleswonder Team: Tobias · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32922 | High | 7.1 | — | 2025-05-15 | Cross-Site Request Forgery (CSRF) vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Stored XSS. This issue affects WP2LEADS: from n/a through <= 3.5.0. |
Salonbookingsystem · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9882 | Medium | 4.8 | — | 2025-05-15 | The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cr… |
Samsung · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4632 | Critical | 9.8 | KEV | 2025-05-13 | Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority. |
Scripteo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46464 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Stored XSS. This issue affects Ads Pro: from n/a through <= 5.0. |
Seedprod · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10107 | Medium | 4.8 | — | 2025-05-15 | The Giveaways and Contests by RafflePress WordPress plugin before 1.12.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the… |
Senior-walter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4807 | Medium | 5.3 | — | 2025-05-16 | A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. |
Sfarbota · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1286 | Medium | 6.1 | — | 2025-05-15 | The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such… |
Sharespine · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48128 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in Sharespine Sharespine Woocommerce Connector sharespine-woocommerce-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sharespine Woocommerce Connector… |
Shayan Farhang Pazhooh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48114 | High | 7.1 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in Shayan Farhang Pazhooh ShayanWeb Admin FontChanger shayanweb-admin-fontchanger allows Stored XSS. This issue affects ShayanWeb Admin FontChanger: from n/a through <= 1.9.1. |
Sidngr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48144 | High | 7.1 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in sidngr Import Export For WooCommerce import-export-for-woocommerce allows Stored XSS. This issue affects Import Export For WooCommerce: from n/a through <= 1.6.2. |
Sma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41645 | High | 8.6 | — | 2025-05-13 | An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake. |
Smartdatasoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12725 | Medium | 6.1 | — | 2025-05-15 | The Clasify Classified Listing WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such… |
Smyx · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12282 | Medium | 6.1 | — | 2025-05-15 | The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
Snumb130 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8701 | Medium | 4.8 | — | 2025-05-15 | The events-calendar WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
Solidcode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8085 | Medium | 6.1 | — | 2025-05-15 | The PeoplePond WordPress plugin through 1.1.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
Sonicwall · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40595 | High | 7.2 | — | 2025-05-14 | A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. |
Spiderteams · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10098 | Low | 2.7 | — | 2025-05-15 | The ApplyOnline WordPress plugin before 2.6.3 does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain |
Spotipy-dev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47928 | Critical | 9.1 | — | 2025-05-15 | Spotipy is a Python library for the Spotify Web API. |
Spring · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22233 | Low | 3.1 | — | 2025-05-16 | CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. |
Stacklok · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47274 | — | — | — | 2025-05-12 | ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. |
Stellarwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8493 | Medium | 4.8 | — | 2025-05-15 | The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili… |
Steve Puddick · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48121 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Puddick WP Notes Widget wp-notes-widget allows DOM-Based XSS. This issue affects WP Notes Widget: from n/a through <= 1.0.6. |
Stylishpricelist · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7758 | Medium | 4.8 | — | 2025-05-15 | The Stylish Price List WordPress plugin before 7.1.8 does not sanitise and escape some of its settings, which could allow high privilege users of contributor and above to perform Stored Cross-Site Scripting attacks even when the unfiltere… |
Sulu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47778 | — | — | — | 2025-05-14 | Sulu is an open-source PHP content management system based on the Symfony framework. |
Synology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4679 | Medium | 6.5 | — | 2025-05-16 | A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors. |
Syntacticsinc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9450 | Medium | 6.5 | — | 2025-05-15 | The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in subscriber change them via a CSRF… |
Takien · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12726 | Medium | 6.1 | — | 2025-05-15 | The ClipArt WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
Taskbuilder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9831 | High | 7.2 | — | 2025-05-15 | The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks |
Techearty · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4002 | Low | 3.5 | — | 2025-05-15 | The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when th… |
Technowich · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12770 | Medium | 4.8 | — | 2025-05-15 | The WP ULike WordPress plugin before 4.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is… |
Tecno · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4737 | Medium | 6.2 | — | 2025-05-15 | Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage. |
Texttheater · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1663 | Medium | 4.8 | — | 2025-05-15 | The Ultimate Noindex Nofollow Tool II WordPress plugin before 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilt… |
The Qt Company · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4211 | — | — | — | 2025-05-16 | Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentially allows Symlink Attacks and the use of Malicious Files. |
Themehunk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10475 | Medium | 4.8 | — | 2025-05-15 | The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attac… |
Thememove · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32310 | High | 8.8 | — | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal - Appointment Booking Calendar for WordPress quickcal allows Privilege Escalation. This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a thro… |
Themencode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39509 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode TNC FlipBook pdf-viewer-for-wordpress allows Stored XSS. This issue affects TNC FlipBook: from n/a through <= 12.1.0. |
Themovation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32299 | Medium | 4.3 | — | 2025-05-16 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal - Appointment Booking Calendar for WordPress quickcal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal - Ap… |
Thisfunctional · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-6478 | Medium | 4.8 | — | 2025-05-15 | The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltere… |
Top_comments_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-12874 | Medium | 4.8 | — | 2025-05-15 | The Top Comments WordPress plugin through 1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i… |
Tosin Oguntuyi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51666 | Medium | 4.3 | — | 2025-05-15 | Missing Authorization vulnerability in Tosin Oguntuyi Tours tours. This issue affects Tours: from n/a through <= 1.0.0. |
Total-soft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8700 | High | 7.5 | — | 2025-05-15 | The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars. |
Ulfbenjaminsson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8032 | Medium | 6.1 | — | 2025-05-15 | The Smooth Gallery Replacement WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF at… |
Ultimatewpsms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7984 | Medium | 4.3 | — | 2025-05-15 | The Joy Of Text Lite WordPress plugin through 2.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack |
Umbraco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47280 | Medium | 6.1 | — | 2025-05-13 | Umbraco Forms is a form builder that integrates with the Umbraco content management system. |
Uncanny Owl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48080 | Medium | 6.5 | — | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash uncanny-learndash-toolkit allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: f… |
Urkekg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4169 | Medium | 6.4 | — | 2025-05-16 | The Posts per Cat [Unmaintained] plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ppc' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on us… |
Varnish-software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47905 | Medium | 5.4 | — | 2025-05-13 | Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries. |
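The chunk-boundary bug class behind CVE-2025-47905, as an added illustration that is not Varnish code and asserts nothing about Varnish internals: a minimal HTTP/1 chunked-body decoder with a strict mode (RFC 9112: the data of every chunk must be followed by CRLF) and a hypothetical lenient mode that silently skips a missing CRLF, which is the behaviour the advisory describes. Run over one constructed message (not a real capture) the two modes disagree about where the body ends, and the lenient one hands the trailing bytes on as a second request. That disagreement between two endpoints sharing a connection is the desync.

```python
"""Strict vs lenient chunked-body parsing.

Added example, not code from Varnish or from this listing. The lenient mode
is a hypothetical parser that tolerates a missing CRLF after chunk data; it
models the behaviour the CVE-2025-47905 summary describes, nothing more.
"""


class ChunkError(ValueError):
    """Raised when the body violates the chunked framing rules."""


def _read_size_line(buf: bytes, pos: int) -> tuple[int, int]:
    """Parse 'HEXSIZE[;ext]\\r\\n' at pos; return (size, position after CRLF)."""
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise ChunkError("chunk-size line not terminated")
    size_field = buf[pos:end].split(b";", 1)[0].strip()
    if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
        raise ChunkError(f"bad chunk size {size_field!r}")
    return int(size_field, 16), end + 2


def parse_chunked(buf: bytes, require_crlf: bool) -> tuple[bytes, int]:
    """Decode a chunked body; return (decoded_body, offset just past the message).

    require_crlf=True  : RFC 9112 framing, CRLF after chunk data is mandatory.
    require_crlf=False : hypothetical lenient framing, a missing CRLF is skipped.
    """
    pos = 0
    out = bytearray()
    while True:
        size, pos = _read_size_line(buf, pos)
        if size == 0:
            # Last chunk: zero or more trailer fields, then an empty line.
            end = buf.find(b"\r\n", pos)
            if end == -1:
                raise ChunkError("missing end of trailers")
            while end != pos:  # skip trailer fields until the empty line
                pos = end + 2
                end = buf.find(b"\r\n", pos)
                if end == -1:
                    raise ChunkError("missing end of trailers")
            return bytes(out), end + 2
        data = buf[pos:pos + size]
        if len(data) < size:
            raise ChunkError("truncated chunk data")
        out += data
        pos += size
        if buf[pos:pos + 2] == b"\r\n":
            pos += 2
        elif require_crlf:
            raise ChunkError("chunk data not followed by CRLF")
        # lenient mode falls through and reads the next size line here


# Constructed message, not a real capture: the chunk data "hello" is NOT
# followed by CRLF, the terminating "0\r\n\r\n" comes straight after it, and
# a second request sits behind it on the same connection.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"
MESSAGE = b"5\r\nhello" + b"0\r\n\r\n" + SMUGGLED


def demonstrate(message: bytes = MESSAGE) -> dict:
    """Run both parsers over one message and report what each concluded.

    Each entry is (verdict, body_or_error, bytes_left_on_the_connection).
    """
    result = {}
    try:
        body, end = parse_chunked(message, require_crlf=True)
        result["strict"] = ("ok", body, message[end:])
    except ChunkError as exc:
        result["strict"] = ("reject", str(exc), b"")
    try:
        body, end = parse_chunked(message, require_crlf=False)
        result["lenient"] = ("ok", body, message[end:])
    except ChunkError as exc:
        result["lenient"] = ("reject", str(exc), b"")
    return result


if __name__ == "__main__":
    for mode, (verdict, payload, rest) in demonstrate().items():
        print(f"{mode:8s} {verdict:6s} body/error={payload!r} leftover={rest!r}")
```

When testing a proxy or cache for this class of bug, the observable to look for is exactly the lenient parser's verdict: a body whose chunk data is not followed by CRLF is accepted instead of answered with a 400, and the connection is then reused for whatever bytes followed.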
Vercel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32421 | Low | 3.7 | — | 2025-05-14 | Next.js is a React framework for building full-stack web applications. |
Villatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47563 | Medium | 5.3 | — | 2025-05-16 | Missing Authorization vulnerability in villatheme CURCY woocommerce-multi-currency allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CURCY: from n/a through <= 2.3.7. |
Vita-mllm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4701 | Medium | 5.3 | — | 2025-05-15 | A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421. |
Vmware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-22249 | High | 8.2 | — | 2025-05-13 | VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clic… |
Welukame · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4591 | Medium | 6.4 | — | 2025-05-15 | The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user suppli… |
Wibu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47809 | High | 8.2 | — | 2025-05-16 | Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot). |
Wordpresschef · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32295 | Medium | 4.3 | — | 2025-05-16 | Missing Authorization vulnerability in wordpresschef Salon Booking Pro salon-booking-plugin-pro-cc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon Booking Pro: from n/a through <= 10.10.2. |
Wormhole Tech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4558 | Critical | 9.8 | — | 2025-05-12 | The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system. |
Wp Experts · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-13914 | High | 7.2 | — | 2025-05-15 | The File Manager Advanced Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the 'file_manag… |
Xu-yijie · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4742 | Medium | 5.3 | — | 2025-05-16 | A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856. |
Zkteco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-45746 | Medium | 6.5 | — | 2025-05-13 | In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. |
Zulip · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47930 | Medium | 5.3 | — | 2025-05-16 | Zulip is an open-source team chat application. |