Patch Tuesday — May 2025

2025-05-13 · 1021 CVEs

CVEs published or modified the week of 2025-05-13, partitioned by vendor.

Microsoft (98 CVEs)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4660 | Critical | 9.8 | | 2025-05-13 | A remote code execution vulnerability exists in the Windows agent component of SecureConnector due to improper access controls on a named pipe.
CVE-2025-30387 | Critical | 9.8 | | 2025-05-13 | Improper limitation of a pathname to a restricted directory ('path traversal') in Azure allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-29967 | High | 8.8 | | 2025-05-13 | Heap-based buffer overflow in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.
CVE-2025-29966 | High | 8.8 | | 2025-05-13 | Heap-based buffer overflow in Windows Remote Desktop allows an unauthorized attacker to execute code over a network.
CVE-2025-29964 | High | 8.8 | | 2025-05-13 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network.
CVE-2025-29963 | High | 8.8 | | 2025-05-13 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network.
CVE-2025-29962 | High | 8.8 | | 2025-05-13 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network.
CVE-2025-29840 | High | 8.8 | | 2025-05-13 | Stack-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network.
CVE-2025-32704 | High | 8.4 | | 2025-05-13 | Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-30386 | High | 8.4 | | 2025-05-13 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-30377 | High | 8.4 | | 2025-05-13 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-26646 | High | 8.0 | | 2025-05-13 | External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.
CVE-2025-47161 | High | 7.8 | | 2025-05-15 | Improper access control in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
CVE-2025-43572 | High | 7.8 | | 2025-05-13 | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43571 | High | 7.8 | | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43570 | High | 7.8 | | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43569 | High | 7.8 | | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43568 | High | 7.8 | | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43549 | High | 7.8 | | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43548 | High | 7.8 | | 2025-05-13 | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43557 | High | 7.8 | | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43556 | High | 7.8 | | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43555 | High | 7.8 | | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43547 | High | 7.8 | | 2025-05-13 | Bridge versions 15.0.3, 14.1.6 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43546 | High | 7.8 | | 2025-05-13 | Bridge versions 15.0.3, 14.1.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43545 | High | 7.8 | | 2025-05-13 | Bridge versions 15.0.3, 14.1.6 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-30330 | High | 7.8 | | 2025-05-13 | Illustrator versions 29.3, 28.7.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-30328 | High | 7.8 | | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-30325 | High | 7.8 | | 2025-05-13 | Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-30324 | High | 7.8 | | 2025-05-13 | Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-32709 | High | 7.8 | KEV | 2025-05-13 | Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2025-32707 | High | 7.8 | | 2025-05-13 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally.
CVE-2025-32706 | High | 7.8 | KEV | 2025-05-13 | Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-32705 | High | 7.8 | | 2025-05-13 | Out-of-bounds read in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.
CVE-2025-32702 | High | 7.8 | | 2025-05-13 | Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally.
CVE-2025-32701 | High | 7.8 | KEV | 2025-05-13 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-30400 | High | 7.8 | KEV | 2025-05-13 | Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.
CVE-2025-30393 | High | 7.8 | | 2025-05-13 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-30388 | High | 7.8 | | 2025-05-13 | Heap-based buffer overflow in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.
CVE-2025-30385 | High | 7.8 | | 2025-05-13 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-30383 | High | 7.8 | | 2025-05-13 | Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-30382 | High | 7.8 | | 2025-05-13 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
CVE-2025-30381 | High | 7.8 | | 2025-05-13 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-30379 | High | 7.8 | | 2025-05-13 | Release of invalid pointer or reference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-30376 | High | 7.8 | | 2025-05-13 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-30375 | High | 7.8 | | 2025-05-13 | Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-30318 | High | 7.8 | | 2025-05-13 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-30310 | High | 7.8 | | 2025-05-13 | Dreamweaver Desktop versions 21.4 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-29979 | High | 7.8 | | 2025-05-13 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-29978 | High | 7.8 | | 2025-05-13 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
CVE-2025-29977 | High | 7.8 | | 2025-05-13 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-29976 | High | 7.8 | | 2025-05-13 | Improper privilege management in Microsoft Office SharePoint allows an authorized attacker to elevate privileges locally.
CVE-2025-29975 | High | 7.8 | | 2025-05-13 | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.
CVE-2025-29970 | High | 7.8 | | 2025-05-13 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
CVE-2025-24063 | High | 7.8 | | 2025-05-13 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2025-29833 | High | 7.7 | | 2025-05-13 | Time-of-check time-of-use (toctou) race condition in Windows Virtual Machine Bus allows an unauthorized attacker to execute code locally.
CVE-2025-30397 | High | 7.5 | KEV | 2025-05-13 | Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.
CVE-2025-29971 | High | 7.5 | | 2025-05-13 | Out-of-bounds read in Web Threat Defense (WTD.sys) allows an unauthorized attacker to deny service over a network.
CVE-2025-29969 | High | 7.5 | | 2025-05-13 | Time-of-check time-of-use (toctou) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network.
CVE-2025-29842 | High | 7.5 | | 2025-05-13 | Acceptance of extraneous untrusted data with trusted data in UrlMon allows an unauthorized attacker to bypass a security feature over a network.
CVE-2025-29831 | High | 7.5 | | 2025-05-13 | Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.
CVE-2025-26677 | High | 7.5 | | 2025-05-13 | Uncontrolled resource consumption in Remote Desktop Gateway Service allows an unauthorized attacker to deny service over a network.
CVE-2025-30384 | High | 7.4 | | 2025-05-13 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
CVE-2025-29838 | High | 7.4 | | 2025-05-13 | Null pointer dereference in Windows Drivers allows an unauthorized attacker to elevate privileges locally.
CVE-2025-29826 | High | 7.3 | | 2025-05-13 | Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.
CVE-2025-35471 | High | 7.3 | | 2025-05-13 | conda-forge openssl-feedstock before 066e83c (2024-05-20), on Microsoft Windows, configures OpenSSL to use an OPENSSLDIR file path that can be written to by non-privileged local users.
CVE-2025-21264 | High | 7.1 | | 2025-05-13 | Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
CVE-2025-30378 | High | 7.0 | | 2025-05-13 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
CVE-2025-29973 | High | 7.0 | | 2025-05-13 | Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally.
CVE-2025-29841 | High | 7.0 | | 2025-05-13 | Concurrent execution using shared resource with improper synchronization ('race condition') in Universal Print Management Service allows an authorized attacker to elevate privileges locally.
CVE-2025-27468 | High | 7.0 | | 2025-05-13 | Improper privilege management in Windows Secure Kernel Mode allows an authorized attacker to elevate privileges locally.
CVE-2025-27488 | Medium | 6.7 | | 2025-05-13 | Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally.
CVE-2025-26684 | Medium | 6.7 | | 2025-05-13 | External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
CVE-2025-29968 | Medium | 6.5 | | 2025-05-13 | Improper input validation in Active Directory Certificate Services (AD CS) allows an authorized attacker to deny service over a network.
CVE-2025-29961 | Medium | 6.5 | | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29960 | Medium | 6.5 | | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29959 | Medium | 6.5 | | 2025-05-13 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29958 | Medium | 6.5 | | 2025-05-13 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29836 | Medium | 6.5 | | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29835 | Medium | 6.5 | | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29832 | Medium | 6.5 | | 2025-05-13 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-29830 | Medium | 6.5 | | 2025-05-13 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-26685 | Medium | 6.5 | | 2025-05-13 | Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network.
CVE-2025-29957 | Medium | 6.2 | | 2025-05-13 | Uncontrolled resource consumption in Windows Deployment Services allows an unauthorized attacker to deny service locally.
CVE-2025-29955 | Medium | 6.2 | | 2025-05-13 | Improper input validation in Windows Hyper-V allows an unauthorized attacker to deny service locally.
CVE-2025-30394 | Medium | 5.9 | | 2025-05-13 | Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to deny service over a network.
CVE-2025-29954 | Medium | 5.9 | | 2025-05-13 | Uncontrolled resource consumption in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network.
CVE-2025-29974 | Medium | 5.7 | | 2025-05-13 | Integer underflow (wrap or wraparound) in Windows Kernel allows an unauthorized attacker to disclose information over an adjacent network.
CVE-2025-43551 | Medium | 5.5 | | 2025-05-13 | Substance3D - Stager versions 3.1.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
CVE-2025-30329 | Medium | 5.5 | | 2025-05-13 | Animate versions 24.0.8, 23.0.11 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
CVE-2025-32703 | Medium | 5.5 | | 2025-05-13 | Insufficient granularity of access control in Visual Studio allows an authorized attacker to disclose information locally.
CVE-2025-30320 | Medium | 5.5 | | 2025-05-13 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
CVE-2025-30319 | Medium | 5.5 | | 2025-05-13 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service.
CVE-2025-29837 | Medium | 5.5 | | 2025-05-13 | Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to disclose information locally.
CVE-2025-29829 | Medium | 5.5 | | 2025-05-13 | Use of uninitialized resource in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally.
CVE-2025-29956 | Medium | 5.4 | | 2025-05-13 | Buffer over-read in Windows SMB allows an authorized attacker to disclose information over a network.
CVE-2025-33104 | Medium | 4.4 | | 2025-05-14 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting.
CVE-2025-29839 | Medium | 4.0 | | 2025-05-13 | Out-of-bounds read in Windows File Server allows an unauthorized attacker to disclose information locally.

Other vendors (923 CVEs across 365 vendors)

N/a · 111 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-46052 | Critical | 9.8 | | 2025-05-15 | An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL command and extract sensitive data by injecting a crafted payload into the DEL form field in a POST request to /StockCounts.php
CVE-2025-32363 | Critical | 9.8 | | 2025-05-14 | mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data.
CVE-2025-45863 | Critical | 9.8 | | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the macstr parameter in the formMapDelDevice interface.
CVE-2025-45865 | Critical | 9.8 | | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the dnsaddr parameter in the formDhcpv6s interface.
CVE-2025-45861 | Critical | 9.8 | | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the routername parameter in the formDnsv6 interface.
CVE-2025-45858 | Critical | 9.8 | | 2025-05-13 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function.
CVE-2025-28056 | Critical | 9.8 | | 2025-05-13 | rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in /admin/admin-cli/exec component.
CVE-2025-45779 | Critical | 9.8 | | 2025-05-12 | Tenda AC10 V1.0re_V15.03.06.46 is vulnerable to Buffer Overflow in the formSetPPTPUserList handler via the list POST parameter.
CVE-2025-44022 | Critical | 9.8 | | 2025-05-12 | An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism.
CVE-2025-26846 | Critical | 9.8 | | 2025-05-12 | An issue was discovered in Znuny before 7.1.4.
CVE-2025-27891 | Critical | 9.1 | | 2025-05-14 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400.
CVE-2024-56524 | Critical | 9.1 | | 2025-05-12 | Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by adding a special character to the request.
CVE-2024-56523 | Critical | 9.1 | | 2025-05-12 | Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by placing random data in the HTTP request body when using the HTTP GET method.
CVE-2024-54780 | High | 8.8 | | 2025-05-14 | Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface.
CVE-2025-20101 | High | 8.4 | | 2025-05-13 | Out-of-bounds read for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable information disclosure or denial of service via local access.
CVE-2025-20018 | High | 8.4 | | 2025-05-13 | Untrusted pointer dereference for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-45067 | High | 8.2 | | 2025-05-14 | Incorrect default permissions in some Intel(R) Gaudi(R) software installers before version 1.18 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20003 | High | 8.2 | | 2025-05-13 | Improper link resolution before file access ('Link Following') for some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-58101 | High | 8.1 | | 2025-05-14 | Samsung Galaxy Buds and Galaxy Buds 2 audio devices are Bluetooth pairable by default without user input nor a way to stop this mode.
CVE-2025-22843 | High | 7.8 | | 2025-05-13 | Incorrect execution-assigned permissions for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20008 | High | 7.7 | | 2025-05-13 | Insecure inherited permissions for some Intel(R) Simics(R) Package Manager software before version 1.12.0 may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-44879 | High | 7.5 | | 2025-05-14 | WS-WN572HP3 V230525 was discovered to contain a buffer overflow in the component /www/cgi-bin/upload.cgi.
CVE-2025-26783 | High | 7.5 | | 2025-05-14 | An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 2100, 1280, 2200, 1330, 1380, 1480, 2400, W1000, Modem 5300, and Modem 5400.
CVE-2024-55569 | High | 7.5 | | 2025-05-14 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400.
CVE-2025-26785 | High | 7.5 | | 2025-05-14 | An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400.
CVE-2025-24308 | High | 7.5 | | 2025-05-13 | Improper input validation in the UEFI firmware error handler for the Intel(R) Server D50DNP and M50FCP may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-21094 | High | 7.5 | | 2025-05-13 | Improper input validation in the UEFI firmware DXE module for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-20100 | High | 7.5 | | 2025-05-13 | Improper access control in the memory controller configurations for some Intel(R) Xeon(R) 6 processor with E-cores may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-20083 | High | 7.5 | | 2025-05-13 | Improper authentication in the firmware for the Intel(R) Slim Bootloader may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-20082 | High | 7.5 | | 2025-05-13 | Time-of-check time-of-use race condition in the UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to enable escalation of privilege via local access.
CVE-2025-28055 | High | 7.5 | | 2025-05-13 | upset-gal-web v7.1.0 /api/music/v1/cover.ts contains an arbitrary file read vulnerability
CVE-2025-45835 | High | 7.5 | | 2025-05-12 | A null pointer dereference vulnerability was discovered in Netis WF2880 v2.1.40207.
CVE-2025-20104 | High | 7.3 | | 2025-05-13 | Race condition in some Administrative Tools for some Intel(R) Network Adapters package before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20052 | High | 7.3 | | 2025-05-13 | Improper access control for some Intel(R) Graphics software may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-45333 | High | 7.3 | | 2025-05-13 | Improper access control for some Intel(R) Data Center GPU Flex Series for Windows driver before version 31.0.101.4314 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-36292 | High | 7.3 | | 2025-05-13 | Improper buffer restrictions for some Intel(R) Data Center GPU Flex Series for Windows driver before version 31.0.101.4314 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-20004 | High | 7.2 | | 2025-05-13 | Insufficient control flow management in the Alias Checking Trusted Module for some Intel(R) Xeon(R) 6 processor E-Cores firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-28057 | High | 7.2 | | 2025-05-13 | owl-admin v3.2.2~ to v4.10.2 is vulnerable to SQL Injection in /admin-api/system/admin_menus/save_order.
CVE-2025-21099 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20629 | Medium | 6.7 | | 2025-05-13 | Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20108 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path element for some Intel(R) Network Adapter Driver installers for Windows 11 before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20095 | Medium | 6.7 | | 2025-05-13 | Incorrect Default Permissions for some Intel(R) RealSense™ SDK software before version 2.56.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20043 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) RealSense™ SDK software before version 2.56.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20041 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) Graphics software for Intel(R) Arc™ graphics and Intel(R) Iris(R) Xe graphics before version 32.0.101.6325/32.0.101.6252 may allow an authenticated user to potentially enable escalation of privile…
CVE-2025-20015 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path element for some Intel(R) Ethernet Connection software before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-47800 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-47795 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) oneAPI DPC++/C++ Compiler software before version 2025.0.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-47550 | Medium | 6.7 | | 2025-05-13 | Incorrect default permissions for some Endurance Gaming Mode software installers may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-46895 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 32.0.101.6083/32.0.101.5736 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-45371 | Medium | 6.7 | | 2025-05-13 | Improper access control for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 32.0.101.6077 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-39833 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) QAT software before version 2.3.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-31073 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) oneAPI Level Zero software may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-28954 | Medium | 6.7 | | 2025-05-13 | Incorrect default permissions for some Intel(R) Graphics Driver installers may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-40120 | Medium | 6.5 | | 2025-05-16 | seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_store.go.
CVE-2024-56427 | Medium | 6.5 | | 2025-05-14 | An issue was discovered in Samsung Mobile Processor and Wearable Processor Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400.
CVE-2025-26784 | Medium | 6.5 | | 2025-05-14 | An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400.
CVE-2025-22892 | Medium | 6.5 | | 2025-05-13 | Uncontrolled resource consumption for some OpenVINO™ model server software maintained by Intel(R) before version 2024.4 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20103 | Medium | 6.5 | | 2025-05-13 | Insufficient resource pool in the core management mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-20071 | Medium | 6.5 | | 2025-05-13 | NULL pointer dereference for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-20054 | Medium | 6.5 | | 2025-05-13 | Uncaught exception in the core management mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-20031 | Medium | 6.5 | | 2025-05-13 | Improper input validation for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-55466 | Medium | 6.5 | | 2025-05-12 | An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2025-44176 | Medium | 6.5 | | 2025-05-12 | Tenda FH451 V1.0.0.9 is vulnerable to Remote Code Execution in the formSafeEmailFilter function.
CVE-2025-44024 | Medium | 6.1 | | 2025-05-14 | Cross-Site Scripting (XSS) vulnerability was discovered in the Pichome system v2.1.0 and before.
CVE-2024-45516 | Medium | 6.1 | | 2025-05-14 | An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47.
CVE-2025-22448 | Medium | 6.1 | | 2025-05-13 | Insecure inherited permissions for some Intel(R) Simics(R) Package Manager software before version 1.12.0 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-48869 | Medium | 6.1 | | 2025-05-13 | Improper restriction of software interfaces to hardware features for some Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX) may allow a…
CVE-2024-29222 | Medium | 6.1 | | 2025-05-13 | Out-of-bounds write for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-26841 | Medium | 6.1 | | 2025-05-12 | Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload.
CVE-2025-22247 | Medium | 6.1 | | 2025-05-12 | VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.
CVE-2025-32407 | Medium | 5.9 | | 2025-05-16 | Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites visited by the user.
CVE-2024-39758 | Medium | 5.9 | | 2025-05-13 | Improper access control for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 31.0.101.4032 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-20624 | Medium | 5.7 | | 2025-05-13 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via adjacent access.
CVE-2025-20047 | Medium | 5.7 | | 2025-05-13 | Improper locking in the Intel(R) Integrated Connectivity I/O interface (CNVi) for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
CVE-2025-20022 | Medium | 5.7 | | 2025-05-13 | Insufficient control flow management for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow a privileged user to potentially enable information disclosure via adjacent access.
CVE-2025-24495 | Medium | 5.6 | | 2025-05-13 | Incorrect initialization of resource in the branch prediction unit for some Intel(R) Core™ Ultra Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2025-20623 | Medium | 5.6 | | 2025-05-13 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Core™ processors (10th Generation) may allow an authenticated user to potentially enable informatio…
CVE-2024-45332 | Medium | 5.6 | | 2025-05-13 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable…
CVE-2024-43420 | Medium | 5.6 | | 2025-05-13 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel Atom(R) processors may allow an authenticated user to potentially enable information disclosure via lo…
CVE-2024-28956 | Medium | 5.6 | | 2025-05-13 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2024-28036 | Medium | 5.6 | | 2025-05-13 | Improper conditions check for some Intel(R) Arc™ GPU may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-22895 | Medium | 5.5 | | 2025-05-13 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2025-20616Medium5.52025-05-13Uncontrolled resource consumption for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2025-20612Medium5.52025-05-13Incorrect execution-assigned permissions for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2025-20013Medium5.52025-05-13Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2024-57273Medium5.42025-05-14Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, dele…
CVE-2024-54779Medium5.42025-05-14Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross Site Scripting (XSS) in widgets/log.widget.php.
CVE-2025-45867Medium5.42025-05-13TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the static_dns1 parameter in the formIpv6Setup interface.
CVE-2025-45866Medium5.42025-05-13TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the addrPoolEnd parameter in the formDhcpv6s interface.
CVE-2025-45864Medium5.42025-05-13TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the addrPoolStart parameter in the formDhcpv6s interface.
CVE-2025-45859Medium5.42025-05-13TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the bandstr parameter in the formMapDelDevice interface.
CVE-2025-44175Medium5.42025-05-12Tenda AC10 v4 V16.03.10.13 is vulnerable to Buffer Overflow in the GetParentControlInfo function.
CVE-2025-20034Medium5.32025-05-13Improper input validation in the BackupBiosUpdate UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards before version R01.02.0003 may allow a privileged user to potentially enable information disclosure via loc…
CVE-2024-43101Medium5.32025-05-13Improper access control for some Intel(R) Data Center GPU Flex Series for Windows driver software before version 31.0.101.4255 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2025-46053Medium5.12025-05-15A SQL Injection vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the ReportID and ReplaceReportID parameters within a POST request to /reportw…
CVE-2025-20076Medium5.02025-05-13Improper access control for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2025-20012Medium4.92025-05-13Incorrect behavior order for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.
CVE-2024-56526Medium4.92025-05-13An issue was discovered in OXID eShop before 7.
CVE-2025-20611Medium4.72025-05-13Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2025-25370Medium4.62025-05-14An issue in realme GT 2 (RMX3311) running Android 14 with realme UI 5.0 allows a physically proximate attacker to obtain sensitive information via the show app only setting function.
CVE-2025-22446Medium4.62025-05-13Inadequate encryption strength for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2025-21081Medium4.52025-05-13Protection mechanism failure for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-22844Medium4.32025-05-13Improper access control for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
CVE-2025-21100Medium4.12025-05-13Improper initialization in the UEFI firmware for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable information disclosure via local access.
CVE-2025-20009Medium4.12025-05-13Improper input validation in the UEFI firmware GenerationSetup module for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable information disclosure via local access.
CVE-2024-31150Low3.82025-05-13Out-of-bounds read for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2025-23233Low3.52025-05-13Incorrect execution-assigned permissions for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2025-22848Low3.52025-05-13Improper conditions check for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20084Low3.52025-05-13Uncontrolled resource consumption for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20057Low3.52025-05-13Uncontrolled resource consumption for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20030Low2.62025-05-13Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via adjacent access.

Apple · 65 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-30448 | Critical | 9.1 | | 2025-05-12 | This issue was addressed with additional entitlement checks. |
| CVE-2025-30436 | Critical | 9.1 | | 2025-05-12 | This issue was addressed by restricting options offered on a locked device. |
| CVE-2025-31246 | High | 8.8 | | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31244 | High | 8.8 | | 2025-05-12 | A file quarantine bypass was addressed with additional checks. |
| CVE-2025-31204 | High | 8.8 | | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31234 | High | 8.2 | | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-31214 | High | 8.1 | | 2025-05-12 | This issue was addressed through improved state management. |
| CVE-2025-31223 | High | 8.0 | | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-24223 | High | 8.0 | | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31259 | High | 7.8 | | 2025-05-12 | A privacy issue was addressed with improved checks. |
| CVE-2025-31224 | High | 7.8 | | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31222 | High | 7.8 | | 2025-05-12 | A correctness issue was addressed with improved checks. |
| CVE-2025-30453 | High | 7.8 | | 2025-05-12 | The issue was addressed with additional permissions checks. |
| CVE-2025-30442 | High | 7.8 | | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-24274 | High | 7.8 | | 2025-05-12 | An input validation issue was addressed by removing the vulnerable code. |
| CVE-2025-24258 | High | 7.8 | | 2025-05-12 | A permissions issue was addressed with additional restrictions. |
| CVE-2025-1079 | High | 7.8 | | 2025-05-12 | Client RCE on macOS and Linux via improper symbolic link resolution in Google Web Designer's preview feature |
| CVE-2025-31207 | High | 7.7 | | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31213 | High | 7.6 | | 2025-05-12 | A logging issue was addressed with improved data redaction. |
| CVE-2025-31247 | High | 7.5 | | 2025-05-12 | A logic issue was addressed with improved state management. |
| CVE-2025-31240 | High | 7.5 | | 2025-05-12 | This issue was addressed with improved checks. |
| CVE-2025-31237 | High | 7.5 | | 2025-05-12 | This issue was addressed with improved checks. |
| CVE-2025-31221 | High | 7.5 | | 2025-05-12 | An integer overflow was addressed with improved input validation. |
| CVE-2025-31208 | High | 7.5 | | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31238 | High | 7.3 | | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31253 | High | 7.1 | | 2025-05-12 | This issue was addressed through improved state management. |
| CVE-2025-31249 | High | 7.1 | | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31232 | High | 7.1 | | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31225 | High | 7.1 | | 2025-05-12 | A privacy issue was addressed by removing sensitive data. |
| CVE-2025-31219 | High | 7.1 | | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31228 | Medium | 6.8 | | 2025-05-12 | The issue was addressed with improved authentication. |
| CVE-2025-31258 | Medium | 6.5 | | 2025-05-12 | This issue was addressed by removing the vulnerable code. |
| CVE-2025-31235 | Medium | 6.5 | | 2025-05-12 | A double free issue was addressed with improved memory management. |
| CVE-2025-31217 | Medium | 6.5 | | 2025-05-12 | The issue was addressed with improved input validation. |
| CVE-2025-31215 | Medium | 6.5 | | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31210 | Medium | 6.5 | | 2025-05-12 | The issue was addressed with improved UI. |
| CVE-2025-31205 | Medium | 6.5 | | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-24225 | Medium | 6.5 | | 2025-05-12 | An injection issue was addressed with improved input validation. |
| CVE-2025-24222 | Medium | 6.5 | | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-31233 | Medium | 6.3 | | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-31209 | Medium | 6.3 | | 2025-05-12 | An out-of-bounds read was addressed with improved bounds checking. |
| CVE-2025-31195 | Medium | 6.3 | | 2025-05-12 | The issue was addressed by adding additional logic. |
| CVE-2025-31218 | Medium | 6.2 | | 2025-05-12 | This issue was addressed by removing the vulnerable code. |
| CVE-2025-31260 | Medium | 5.5 | | 2025-05-12 | A permissions issue was addressed with additional restrictions. |
| CVE-2025-31256 | Medium | 5.5 | | 2025-05-12 | The issue was addressed with improved handling of caches. |
| CVE-2025-31251 | Medium | 5.5 | | 2025-05-12 | The issue was addressed with improved input sanitization. |
| CVE-2025-31250 | Medium | 5.5 | | 2025-05-12 | An information disclosure issue was addressed with improved privacy controls. |
| CVE-2025-31245 | Medium | 5.5 | | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-31242 | Medium | 5.5 | | 2025-05-12 | A privacy issue was addressed with improved private data redaction for log entries. |
| CVE-2025-31236 | Medium | 5.5 | | 2025-05-12 | An information disclosure issue was addressed with improved privacy controls. |
| CVE-2025-31226 | Medium | 5.5 | | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31220 | Medium | 5.5 | | 2025-05-12 | A privacy issue was addressed by removing sensitive data. |
| CVE-2025-31212 | Medium | 5.5 | | 2025-05-12 | This issue was addressed through improved state management. |
| CVE-2025-31196 | Medium | 5.5 | | 2025-05-12 | An out-of-bounds read was addressed with improved input validation. |
| CVE-2025-30440 | Medium | 5.5 | | 2025-05-12 | The issue was addressed with improved checks. |
| CVE-2025-24220 | Medium | 5.5 | | 2025-05-12 | A permissions issue was addressed with additional restrictions. |
| CVE-2025-24155 | Medium | 5.5 | | 2025-05-12 | The issue was addressed with improved memory handling. |
| CVE-2025-24144 | Medium | 5.5 | | 2025-05-12 | An information disclosure issue was addressed by removing the vulnerable code. |
| CVE-2025-24142 | Medium | 5.5 | | 2025-05-12 | A privacy issue was addressed with improved private data redaction for log entries. |
| CVE-2025-24111 | Medium | 5.5 | | 2025-05-12 | A memory corruption issue was addressed with improved state management. |
| CVE-2025-31241 | Medium | 5.3 | | 2025-05-12 | A double free issue was addressed with improved memory management. |
| CVE-2025-31257 | Medium | 4.7 | | 2025-05-12 | This issue was addressed with improved memory handling. |
| CVE-2025-31227 | Medium | 4.6 | | 2025-05-12 | A logic issue was addressed with improved checks. |
| CVE-2025-31239 | Medium | 4.3 | | 2025-05-12 | A use-after-free issue was addressed with improved memory management. |
| CVE-2025-31206 | Medium | 4.3 | | 2025-05-12 | A type confusion issue was addressed with improved state handling. |

Siemens · 36 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-26389 | Critical | 10.0 | | 2025-05-13 | A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). |
| CVE-2025-33025 | Critical | 9.9 | | 2025-05-13 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM… |
| CVE-2025-33024 | Critical | 9.9 | | 2025-05-13 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM… |
| CVE-2025-32469 | Critical | 9.9 | | 2025-05-13 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM… |
| CVE-2025-26390 | Critical | 9.8 | | 2025-05-13 | A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). |
| CVE-2025-40566 | High | 8.8 | | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). |
| CVE-2025-31930 | High | 8.8 | | 2025-05-13 | A vulnerability has been identified in IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0) (All versions < V2.135), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0) (All versions < V2.135), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-… |
| CVE-2025-40582 | High | 7.8 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). |
| CVE-2025-40574 | High | 7.8 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-32454 | High | 7.8 | | 2025-05-13 | A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.14), Teamcenter Visualization V2312 (All versions < V2312.0010), Teamcenter Visualization V2406 (All versions < V2406.0008), Teamcenter Visualiza… |
| CVE-2025-30176 | High | 7.5 | | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions < V4.0), SINEMA Remote Connect (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (… |
| CVE-2025-30175 | High | 7.5 | | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions < V4.0), SINEMA Remote Connect (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (… |
| CVE-2025-30174 | High | 7.5 | | 2025-05-13 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SINEC NMS (All versions < V4.0), SINEMA Remote Connect (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (… |
| CVE-2025-24007 | High | 7.5 | | 2025-05-13 | A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). |
| CVE-2024-23815 | High | 7.5 | | 2025-05-13 | A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to D… |
| CVE-2025-40581 | High | 7.1 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). |
| CVE-2025-40580 | Medium | 6.7 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40579 | Medium | 6.7 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40556 | Medium | 6.5 | | 2025-05-13 | A vulnerability has been identified in BACnet ATEC 550-440 (All versions), BACnet ATEC 550-441 (All versions), BACnet ATEC 550-445 (All versions), BACnet ATEC 550-446 (All versions). |
| CVE-2025-24510 | Medium | 6.5 | | 2025-05-13 | A vulnerability has been identified in MS/TP Point Pickup Module (All versions). |
| CVE-2025-24008 | Medium | 6.5 | | 2025-05-13 | A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). |
| CVE-2024-51446 | Medium | 6.5 | | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). |
| CVE-2024-51445 | Medium | 6.5 | | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). |
| CVE-2024-51444 | Medium | 6.5 | | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). |
| CVE-2025-24009 | Medium | 5.9 | | 2025-05-13 | A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). |
| CVE-2025-40572 | Medium | 5.5 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2024-51447 | Medium | 5.3 | | 2025-05-13 | A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). |
| CVE-2025-40555 | Medium | 4.7 | | 2025-05-13 | A vulnerability has been identified in APOGEE PXC+TALON TC Series (BACnet) (All versions). |
| CVE-2025-40583 | Medium | 4.4 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). |
| CVE-2025-40573 | Medium | 4.4 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40578 | Medium | 4.3 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). |
| CVE-2025-40577 | Medium | 4.3 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40576 | Medium | 4.3 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-40575 | Medium | 4.3 | | 2025-05-13 | A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). |
| CVE-2025-31929 | Medium | 4.2 | | 2025-05-13 | A vulnerability has been identified in IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0) (All versions), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0) (All versions), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1) (All version… |
| CVE-2025-40571 | Low | 2.2 | | 2025-05-13 | A vulnerability has been identified in Mendix OIDC SSO (Mendix 10.12 compatible) (All versions < V4.0.1), Mendix OIDC SSO (Mendix 9 compatible) (All versions < V3.3.1), Mendix OIDC SSO V4.2 (Mendix 10 compatible) (All versions < V4.2.1), M… |

Phpgurukul · 29 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4813 | High | 7.3 | | 2025-05-16 | A vulnerability, which was classified as critical, was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. |
| CVE-2025-4812 | High | 7.3 | | 2025-05-16 | A vulnerability, which was classified as critical, has been found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. |
| CVE-2025-4794 | High | 7.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Online Course Registration 3.1. |
| CVE-2025-4793 | High | 7.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Online Course Registration 3.1. |
| CVE-2025-4785 | High | 7.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Daily Expense Tracker System 1.1. |
| CVE-2025-4773 | High | 7.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Online Course Registration 3.1 and classified as critical. |
| CVE-2025-4772 | High | 7.3 | | 2025-05-16 | A vulnerability has been found in PHPGurukul Online Course Registration 3.1 and classified as critical. |
| CVE-2025-4771 | High | 7.3 | | 2025-05-16 | A vulnerability, which was classified as critical, was found in PHPGurukul Online Course Registration 3.1. |
| CVE-2025-4766 | High | 7.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Zoo Management System 2.1. |
| CVE-2025-4765 | High | 7.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Zoo Management System 2.1. |
| CVE-2025-4761 | High | 7.3 | | 2025-05-16 | A vulnerability has been found in PHPGurukul Complaint Management System 2.0 and classified as critical. |
| CVE-2025-4758 | High | 7.3 | | 2025-05-16 | A vulnerability classified as critical has been found in PHPGurukul Beauty Parlour Management System 1.1. |
| CVE-2025-4757 | High | 7.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Beauty Parlour Management System 1.1. |
| CVE-2025-4717 | High | 7.3 | | 2025-05-15 | A vulnerability, which was classified as critical, was found in PHPGurukul Company Visitor Management System 2.0. |
| CVE-2025-4705 | High | 7.3 | | 2025-05-15 | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. |
| CVE-2025-4704 | High | 7.3 | | 2025-05-15 | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. |
| CVE-2025-4703 | High | 7.3 | | 2025-05-15 | A vulnerability has been found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. |
| CVE-2025-4702 | High | 7.3 | | 2025-05-15 | A vulnerability, which was classified as critical, was found in PHPGurukul Vehicle Parking Management System 1.13. |
| CVE-2025-4699 | High | 7.3 | | 2025-05-15 | A vulnerability classified as critical was found in PHPGurukul Apartment Visitors Management System 1.0. |
| CVE-2025-4698 | High | 7.3 | | 2025-05-15 | A vulnerability classified as critical has been found in PHPGurukul Directory Management System 2.0. |
| CVE-2025-4697 | High | 7.3 | | 2025-05-15 | A vulnerability was found in PHPGurukul Directory Management System 2.0. |
| CVE-2025-4554 | High | 7.3 | | 2025-05-12 | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. |
| CVE-2025-4553 | High | 7.3 | | 2025-05-12 | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0 and classified as critical. |
| CVE-2025-4808 | Medium | 6.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0 and classified as critical. |
| CVE-2025-4781 | Medium | 6.3 | | 2025-05-16 | A vulnerability classified as critical has been found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4780 | Medium | 6.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4778 | Medium | 6.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4777 | Medium | 6.3 | | 2025-05-16 | A vulnerability was found in PHPGurukul Park Ticketing Management System 2.0. |
| CVE-2025-4770 | Medium | 6.3 | | 2025-05-16 | A vulnerability, which was classified as critical, has been found in PHPGurukul Park Ticketing Management System 2.0. |

Unknown · 28 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-8673 | Critical | 9.1 | | 2025-05-15 | The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript. |
| CVE-2024-6719 | High | 8.1 | | 2025-05-15 | The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack |
| CVE-2024-12812 | High | 7.5 | | 2025-05-15 | The WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employe… |
| CVE-2024-8699 | High | 7.2 | | 2025-05-15 | The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite… |
| CVE-2024-3901 | Medium | 6.8 | | 2025-05-15 | The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS a… |
| CVE-2024-8286 | Medium | 6.5 | | 2025-05-15 | The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks |
| CVE-2024-8031 | Medium | 6.5 | | 2025-05-15 | The Secure Downloads WordPress plugin before 1.2.3 is vulnerable because it does not properly restrict which files can be downloaded. |
| CVE-2024-8703 | Medium | 6.1 | | 2025-05-15 | The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs. |
| CVE-2024-6690 | Medium | 6.1 | | 2025-05-15 | The wccp-pro WordPress plugin before 15.3 contains an open-redirect flaw via the referrer parameter, allowing redirection of users to external sites |
| CVE-2024-13823 | Medium | 6.1 | | 2025-05-15 | The 360 Product Rotation WordPress plugin through 1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. |
| CVE-2023-6541 | Medium | 6.1 | | 2025-05-15 | The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
| CVE-2024-8397 | Medium | 5.4 | | 2025-05-15 | The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. |
| CVE-2024-6668 | Medium | 5.4 | | 2025-05-15 | The ProfilePro WordPress plugin through 1.3 does not sanitise and escape some parameters and lacks proper access controls, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks |
| CVE-2024-11502 | Medium | 5.4 | | 2025-05-15 | The Planning Center Online Giving WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contri… |
| CVE-2024-10818 | Medium | 5.4 | | 2025-05-15 | The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role a… |
| CVE-2024-9182 | Medium | 4.8 | | 2025-05-15 | The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2024-8702 | Medium | 4.8 | | 2025-05-15 | The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit… |
| CVE-2024-8619 | Medium | 4.8 | | 2025-05-15 | The Ajax Search Lite WordPress plugin before 4.12.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab… |
| CVE-2024-8542 | Medium | 4.8 | | 2025-05-15 | The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil… |
| CVE-2024-8492 | Medium | 4.8 | | 2025-05-15 | The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed |
| CVE-2024-8284 | Medium | 4.8 | | 2025-05-15 | The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed |
| CVE-2024-6693 | Medium | 4.8 | | 2025-05-15 | The wccp-pro WordPress plugin before 15.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is di… |
| CVE-2024-13616 | Medium | 4.8 | | 2025-05-15 | The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the un… |
| CVE-2024-12808 | Medium | 4.8 | | 2025-05-15 | The WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perf… |
| CVE-2024-12716 | Medium | 4.8 | | 2025-05-15 | The Simple Basic Contact Form WordPress plugin before 20250114 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_… |
| CVE-2023-6783 | Medium | 4.8 | | 2025-05-15 | The WolfNet IDX for WordPress plugin through 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabi… |
| CVE-2024-6711 | Low | 3.5 | | 2025-05-15 | The Event Tickets with Ticket Scanner WordPress plugin before 2.3.8 does not sanitise and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks |
| CVE-2024-11140 | Low | 3.5 | | 2025-05-15 | The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through 2.0.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even w… |

Campcodes · 18 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4746 | High | 7.3 | | 2025-05-16 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical.
CVE-2025-4741 | High | 7.3 | | 2025-05-16 | A vulnerability was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4734 | High | 7.3 | | 2025-05-16 | A vulnerability, which was classified as critical, was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4719 | High | 7.3 | | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical.
CVE-2025-4718 | High | 7.3 | | 2025-05-15 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical.
CVE-2025-4716 | High | 7.3 | | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4715 | High | 7.3 | | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4714 | High | 7.3 | | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4713 | High | 7.3 | | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical.
CVE-2025-4712 | High | 7.3 | | 2025-05-15 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical.
CVE-2025-4711 | High | 7.3 | | 2025-05-15 | A vulnerability, which was classified as critical, was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4710 | High | 7.3 | | 2025-05-15 | A vulnerability, which was classified as critical, has been found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4709 | High | 7.3 | | 2025-05-15 | A vulnerability classified as critical was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4708 | High | 7.3 | | 2025-05-15 | A vulnerability classified as critical has been found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4707 | High | 7.3 | | 2025-05-15 | A vulnerability was found in Campcodes Sales and Inventory System 1.0.
CVE-2025-4735 | Medium | 6.3 | | 2025-05-16 | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical.
CVE-2025-4696 | Medium | 6.3 | | 2025-05-15 | A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0.
CVE-2025-4695 | Medium | 6.3 | | 2025-05-15 | A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0.

Adobe · 17 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-43567 | Critical | 9.3 | | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-43564 | Critical | 9.1 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read.
CVE-2025-43563 | Critical | 9.1 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read.
CVE-2025-43562 | Critical | 9.1 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the conte…
CVE-2025-43561 | Critical | 9.1 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43560 | Critical | 9.1 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43559 | Critical | 9.1 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43565 | High | 8.4 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user.
CVE-2025-43554 | High | 7.8 | | 2025-05-13 | Substance3D - Modeler versions 1.21.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43553 | High | 7.8 | | 2025-05-13 | Substance3D - Modeler versions 1.21.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-30326 | High | 7.8 | | 2025-05-13 | Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-30322 | High | 7.8 | | 2025-05-13 | Substance3D - Painter versions 11.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-27197 | High | 7.8 | | 2025-05-13 | Lightroom Desktop versions 8.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-43566 | Medium | 6.8 | | 2025-05-13 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read.
CVE-2025-30315 | Medium | 6.1 | | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-30314 | Medium | 6.1 | | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-30316 | Medium | 5.4 | | 2025-05-13 | Adobe Connect versions 12.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.

Sap_se · 14 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-43010 | High | 8.3 | | 2025-05-13 | SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and replace arbitrary ABAP programs, including SAP…
CVE-2025-43000 | High | 7.9 | | 2025-05-13 | Under certain conditions Promotion Management Wizard (PMW) allows an attacker to access information which would otherwise be restricted. This has High impact on Confidentiality with Low impact on Integrity and Availability of the applicatio…
CVE-2025-43011 | High | 7.7 | | 2025-05-13 | Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data.
CVE-2025-42997 | Medium | 6.6 | | 2025-05-13 | Under certain conditions, SAP Gateway Client allows a high-privileged user to access restricted information beyond the scope of the application.
CVE-2025-43003 | Medium | 6.4 | | 2025-05-13 | SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field.
CVE-2025-43009 | Medium | 6.3 | | 2025-05-13 | SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges.
CVE-2025-43007 | Medium | 6.3 | | 2025-05-13 | SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges.
CVE-2025-31329 | Medium | 6.2 | | 2025-05-13 | SAP NetWeaver is vulnerable to an Information Disclosure vulnerability caused by the injection of malicious instructions into user configuration settings.
CVE-2025-43006 | Medium | 6.1 | | 2025-05-13 | SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability.
CVE-2025-43008 | Medium | 5.8 | | 2025-05-13 | Due to missing authorization check, an unauthorized user can view the files of other company.
CVE-2025-43004 | Medium | 5.3 | | 2025-05-13 | Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards.
CVE-2025-26662 | Medium | 4.4 | | 2025-05-13 | The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script.
CVE-2025-43005 | Medium | 4.3 | | 2025-05-13 | SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials.
CVE-2025-43002 | Medium | 4.3 | | 2025-05-13 | SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check.

Schweitzer Engineering Laboratories · 14 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-46739 | High | 8.1 | | 2025-05-12 | An unauthenticated user could discover account credentials via a brute-force attack without rate limiting
CVE-2025-46740 | High | 7.5 | | 2025-05-12 | An authenticated user without user administrative permissions could change the administrator Account Name.
CVE-2025-46737 | High | 7.4 | | 2025-05-12 | SEL-5037 Grid Configurator contains an overly permissive Cross Origin Resource Sharing (CORS) configuration for a data gateway service in the application.
CVE-2025-46738 | Medium | 6.6 | | 2025-05-12 | An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code.
CVE-2025-46745 | Medium | 6.5 | | 2025-05-12 | An authenticated user without user-management permissions could view other users account information.
CVE-2025-46743 | Medium | 6.3 | | 2025-05-12 | An authenticated user's token could be used by another source after the user had logged out prior to the token expiring.
CVE-2025-46746 | Medium | 5.8 | | 2025-05-12 | An administrator could discover another account's credentials.
CVE-2025-46747 | Medium | 5.7 | | 2025-05-12 | An authenticated user without user-management permissions could identify other user accounts.
CVE-2025-46741 | Medium | 5.7 | | 2025-05-12 | A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred.
CVE-2025-46750 | Medium | 4.4 | | 2025-05-12 | SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected BIOS settings by importing a BIOS settings file with no password set.
CVE-2025-46749 | Medium | 4.3 | | 2025-05-12 | An authenticated user could submit scripting to fields that lack proper input and output sanitization leading to subsequent client-side script execution.
CVE-2025-46742 | Medium | 4.3 | | 2025-05-12 | Users who were required to change their password could still access system information before changing their password
CVE-2025-46748 | Low | 2.7 | | 2025-05-12 | An authenticated user attempting to change their password could do so without using the current password.
CVE-2025-46744 | Low | 2.7 | | 2025-05-12 | An authenticated administrator could modify the Created By username for a user account

Lambertgroup · 11 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32307 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Chameleon HTML5 Audio Player With/Without Playlist lbg-audio1-html5 allows SQL Injection. This issue affects Chameleon HTML5…
CVE-2025-32306 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Radio Player Shoutcast & Icecast WordPress Plugin audio4-html5 allows Blind SQL Injection. This issue affects Radio Player Sh…
CVE-2025-32301 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown Pro WP Plugin circular_countdown allows SQL Injection. This issue affects CountDown Pro WP Plugin: from n/a through…
CVE-2025-32290 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Sticky HTML5 Music Player lbg-audio3-html5 allows SQL Injection. This issue affects Sticky HTML5 Music Player: from n/a throu…
CVE-2025-32287 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Responsive HTML5 Audio Player PRO With Playlist lbg-audio2-html5 allows SQL Injection. This issue affects Responsive HTML5 Au…
CVE-2025-31928 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Multimedia Responsive Carousel with Image Video Audio Support multimedia-carousel allows SQL Injection. This issue affects Mu…
CVE-2025-31926 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Sticky Radio Player lbg-audio5-html5-shoutcast_sticky allows SQL Injection. This issue affects Sticky Radio Player: from n/a…
CVE-2025-31641 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup UberSlider uber-classic allows SQL Injection. This issue affects UberSlider: from n/a through < 2.6.
CVE-2025-31640 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic-carousel allows SQL Injection. This issue affects Magic Responsive Slide…
CVE-2025-31637 | High | 8.5 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup SHOUT lbg-audio8-html5-radio_ads allows SQL Injection. This issue affects SHOUT: from n/a through <= 3.5.3.
CVE-2025-47567 | High | 7.6 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Video Player & FullScreen Video Background universal-video-player-and-bg allows Blind SQL Injection. This issue affects Video…

Drupal · 9 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47708 | High | 8.8 | | 2025-05-14 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
CVE-2025-47701 | High | 8.8 | | 2025-05-14 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery. This issue affects Restrict route by IP: from 0.0.0 before 1.3.0.
CVE-2025-47707 | High | 7.5 | | 2025-05-14 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5…
CVE-2025-47710 | High | 7.4 | | 2025-05-14 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5…
CVE-2025-47709 | Medium | 6.5 | | 2025-05-14 | Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
CVE-2025-47705 | Medium | 6.1 | | 2025-05-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS). This issue affects IFrame Remove Filter: from 2.0.0 before 2.0.5, from 7.X-…
CVE-2025-47704 | Medium | 6.1 | | 2025-05-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS). This issue affects Klaro Cookie & Consent Management: from 0.0…
CVE-2025-47702 | Medium | 6.1 | | 2025-05-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS). This issue affects oEmbed Providers: from 0.0.0 before 2.2.2.
CVE-2025-47706 | Medium | 4.8 | | 2025-05-14 | Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5…

Intel · 8 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-20046 | High | 8.0 | | 2025-05-13 | Use after free for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20618 | High | 7.9 | | 2025-05-13 | Stack-based buffer overflow for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow a privileged user to potentially enable denial of service via local access.
CVE-2025-20032 | High | 7.9 | | 2025-05-13 | Improper input validation for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow a privileged user to potentially enable denial of service via local access.
CVE-2025-20006 | High | 7.4 | | 2025-05-13 | Use after free for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20079 | Medium | 6.7 | | 2025-05-13 | Uncontrolled search path for some Intel(R) Advisor software may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-20039 | Medium | 6.6 | | 2025-05-13 | Race condition for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20062 | Medium | 6.1 | | 2025-05-13 | Use after free for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVE-2025-20026 | Medium | 6.1 | | 2025-05-13 | Out-of-bounds read for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

Palo Alto Networks · 8 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0130 | High | 7.5 | | 2025-05-14 | A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and event…
CVE-2025-0135 | Low | 3.3 | | 2025-05-14 | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to disable the app.
CVE-2025-0138 | | | | 2025-05-14 | Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access.
CVE-2025-0137 | | | | 2025-05-14 | An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS adm…
CVE-2025-0136 | | | | 2025-05-14 | Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PA…
CVE-2025-0134 | | | | 2025-05-14 | A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker VM.
CVE-2025-0133 | | | | 2025-05-14 | A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user'…
CVE-2025-0132 | | | | 2025-05-14 | A missing authentication vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an unauthenticated user to disable certain internal services on the Broker VM. The attacker must have network access to the Broker VM to exploit th…

Zoom · 8 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-30663 | High | 8.8 | | 2025-05-14 | Time-of-check time-of-use race condition in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2025-30664 | Medium | 6.6 | | 2025-05-14 | Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2025-46785 | Medium | 6.5 | | 2025-05-14 | Buffer over-read in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.
CVE-2025-30668 | Medium | 6.5 | | 2025-05-14 | Integer underflow in some Zoom Workplace Apps may allow an authenticated user to conduct a denial of service via network access.
CVE-2025-30667 | Medium | 6.5 | | 2025-05-14 | NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.
CVE-2025-30666 | Medium | 6.5 | | 2025-05-14 | NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.
CVE-2025-30665 | Medium | 6.5 | | 2025-05-14 | NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.
CVE-2025-46786 | Medium | 4.3 | | 2025-05-14 | Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access.

Amd · 7 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-31359 | High | 7.3 | | 2025-05-13 | Incorrect default permissions in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2023-31358 | High | 7.3 | | 2025-05-13 | A DLL hijacking vulnerability in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2025-0035 | High | 7.3 | | 2025-05-13 | Unquoted search path within AMD Cloud Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution.
CVE-2024-36339 | High | 7.3 | | 2025-05-13 | A DLL hijacking vulnerability in the AMD Optimizing CPU Libraries could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2024-36321 | High | 7.3 | | 2025-05-13 | Unquoted search path within AIM-T Manageability Service can allow a local attacker to escalate privileges, potentially resulting in arbitrary code execution.
CVE-2024-21960 | High | 7.3 | | 2025-05-13 | Incorrect default permissions in the AMD Optimizing CPU Libraries (AOCL) installation directory could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVE-2024-36340 | Medium | 6.6 | | 2025-05-13 | A junction point vulnerability within AMD uProf can allow a local low-privileged attacker to create junction points, potentially resulting in arbitrary file deletion or disclosure.

Combodo · 7 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-24022 | High | 8.5 | | 2025-05-14 | iTop is a web-based IT Service Management tool.
CVE-2024-52601 | Medium | 6.5 | | 2025-05-14 | iTop is a web-based IT Service Management tool.
CVE-2024-56157 | Medium | 6.3 | | 2025-05-14 | iTop is a web-based IT Service Management tool.
CVE-2025-24026 | Medium | 5.3 | | 2025-05-14 | iTop is a web-based IT Service Management tool.
CVE-2025-24969 | Medium | 5.0 | | 2025-05-14 | iTop is a web-based IT Service Management tool.
CVE-2025-24021 | Medium | 5.0 | | 2025-05-14 | iTop is a web-based IT Service Management tool.
CVE-2025-24785 | Medium | 4.3 | | 2025-05-14 | iTop is a web-based IT Service Management tool.

D-Link · 7 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4749 | High | 7.5 | | 2025-05-16 | A vulnerability classified as critical was found in D-Link DI-7003GV2 24.04.18D1 R(68125).
CVE-2025-4755 | High | 7.3 | | 2025-05-16 | A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125).
CVE-2025-4756 | Medium | 5.3 | | 2025-05-16 | A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125).
CVE-2025-4753 | Medium | 5.3 | | 2025-05-16 | A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic.
CVE-2025-4752 | Medium | 5.3 | | 2025-05-16 | A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic.
CVE-2025-4751 | Medium | 5.3 | | 2025-05-16 | A vulnerability, which was classified as problematic, was found in D-Link DI-7003GV2 24.04.18D1 R(68125).
CVE-2025-4750 | Medium | 5.3 | | 2025-05-16 | A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125).

Hitachi · 7 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-27523 | High | 8.7 | | 2025-05-15 | XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 1…
CVE-2025-1531 | Medium | 6.5 | | 2025-05-16 | Authentication credentials leakage vulnerability in Hitachi Ops Center Analyzer viewpoint. This issue affects Hitachi Ops Center Analyzer viewpoint: from 10.0.0-00 before 11.0.4-00.
CVE-2025-1245 | Medium | 6.5 | | 2025-05-16 | Bypass Connection Restriction vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component), Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastr…
CVE-2024-8201 | Medium | 5.4 | | 2025-05-16 | Cross-Site WebSocket Hijacking vulnerability in Hitachi Ops Center Analyzer (RAID Agent component). This issue affects Hitachi Ops Center Analyzer: from 10.8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-0…
CVE-2025-27524 | Medium | 5.3 | | 2025-05-15 | Weak encryption vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-…
CVE-2025-3624 | Medium | 4.3 | | 2025-05-16 | Missing Authorization vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00.
CVE-2025-27525 | Low | 3.9 | | 2025-05-15 | Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, fro…

Angeljudesuarez · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4726 | High | 7.3 | | 2025-05-15 | A vulnerability has been found in itsourcecode Placement Management System 1.0 and classified as critical.
CVE-2025-4725 | High | 7.3 | | 2025-05-15 | A vulnerability, which was classified as critical, was found in itsourcecode Placement Management System 1.0.
CVE-2025-4724 | High | 7.3 | | 2025-05-15 | A vulnerability, which was classified as critical, has been found in itsourcecode Placement Management System 1.0.
CVE-2025-4723 | High | 7.3 | | 2025-05-15 | A vulnerability classified as critical was found in itsourcecode Placement Management System 1.0.
CVE-2025-4722 | High | 7.3 | | 2025-05-15 | A vulnerability classified as critical has been found in itsourcecode Placement Management System 1.0.
CVE-2025-4721 | High | 7.3 | | 2025-05-15 | A vulnerability was found in itsourcecode Placement Management System 1.0.

Automattic · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6584 | Critical | 9.1 | | 2025-05-15 | The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.
CVE-2024-10076 | Medium | 5.9 | | 2025-05-15 | The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart.
CVE-2024-10075 | Medium | 5.6 | | 2025-05-15 | The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block.
CVE-2024-56006 | Medium | 5.3 | | 2025-05-15 | Missing Authorization vulnerability in Automattic Jetpack Debug Tools. This issue affects Jetpack Debug Tools: from n/a before 2.0.1.
CVE-2024-12743 | Medium | 4.8 | | 2025-05-15 | The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…
CVE-2024-8009 | Medium | 4.3 | | 2025-05-15 | The Sensei LMS WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page

Jenkins · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47889 | Critical | 9.8 | | 2025-05-14 | In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any usernam…
CVE-2025-47884 | Critical | 9.1 | | 2025-05-14 | In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to conf…
CVE-2025-47885 | High | 8.8 | | 2025-05-14 | Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to con…
CVE-2025-47888 | Medium | 5.9 | | 2025-05-14 | Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks.
CVE-2025-47887 | Medium | 4.3 | | 2025-05-14 | Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.
CVE-2025-47886 | Medium | 4.3 | | 2025-05-14 | A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

Sap · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-30012 | Critical | 10.0 | | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format.
CVE-2025-42999 | Critical | 9.1 | KEV | 2025-05-13 | SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability…
CVE-2025-30018 | High | 8.6 | | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files an…
CVE-2025-30010 | Medium | 6.1 | | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a vic…
CVE-2025-30009 | Medium | 6.1 | | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim's browser.
CVE-2025-30011 | Medium | 5.3 | | 2025-05-13 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send a malicious request to the application, which…

Themeton · 6 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-31630Medium5.32025-05-16Missing Authorization vulnerability in themeton The Business allows Exploiting Incorrectly Configured Access Control Security Levels.
CVE-2025-31071Medium5.32025-05-16Missing Authorization vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Exploiting Incorrectly Configured Access Control Security Levels.
CVE-2025-31066Medium5.32025-05-16Missing Authorization vulnerability in themeton Acerola acerola allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acerola: from n/a through <= 1.6.5.
CVE-2025-31065Medium5.32025-05-16Missing Authorization vulnerability in themeton Rozario allows Exploiting Incorrectly Configured Access Control Security Levels.
CVE-2025-31639Medium4.32025-05-16Cross-Site Request Forgery (CSRF) vulnerability in themeton Spare allows Cross Site Request Forgery.
CVE-2025-31068Medium4.32025-05-16Cross-Site Request Forgery (CSRF) vulnerability in themeton Seven Stars allows Cross Site Request Forgery.

Anujk305 · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4736High7.32025-05-16A vulnerability was found in PHPGurukul Daily Expense Tracker 1.1 and classified as critical.
CVE-2025-44183Medium6.12025-05-15Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the name, email, and mobile parameters.
CVE-2025-44182Medium6.12025-05-15Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via the vehiclename, modelnumber, regnumber, vehiclesubtype, chasisnum, and enginenumber parameters in the /admin/edit-vehicle.php component.
CVE-2025-44181Medium6.12025-05-15Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/add-brand.php via the brandname parameter.
CVE-2025-44180Medium6.12025-05-15Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /edit-brand.php?bid={brandId}.

Apache · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-47436Critical9.82025-05-14Heap-based Buffer Overflow vulnerability in Apache ORC.
CVE-2024-24780Critical9.82025-05-14Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB.
CVE-2025-27696High8.82025-05-13Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.
CVE-2025-26864High7.52025-05-14Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.
CVE-2025-26795High7.52025-05-14Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.

Freefloat · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4792High7.32025-05-16A vulnerability was found in FreeFloat FTP Server 1.0 and classified as critical.
CVE-2025-4791High7.32025-05-16A vulnerability has been found in FreeFloat FTP Server 1.0 and classified as critical.
CVE-2025-4790High7.32025-05-16A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0.
CVE-2025-4789High7.32025-05-16A vulnerability, which was classified as critical, has been found in FreeFloat FTP Server 1.0.
CVE-2025-4788High7.32025-05-16A vulnerability classified as critical was found in FreeFloat FTP Server 1.0.

Hailey888 · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-29691Medium6.12025-05-14A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the userName parameter at /login/LoginsController.java.
CVE-2025-29690Medium6.12025-05-14A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the outtype parameter at /address/AddrController.java.
CVE-2025-29689Medium6.12025-05-14A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the password parameter at /mail/MailController.java.
CVE-2025-29688Medium6.12025-05-14A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /daymanager/daymanageabilitycontroller.java.
CVE-2025-29686Medium6.12025-05-14A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /inform/InformManageController.java.

Ibm · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-2900High7.52025-05-14IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect i…
CVE-2025-3632High7.52025-05-12IBM 4769 Developers Toolkit 7.0.0 through 7.5.52 could allow a remote attacker to cause a denial of service in the Hardware Security Module (HSM) due to improper memory allocation of an excessive size.
CVE-2025-3440Medium5.52025-05-15IBM Security Guardium 11.5 is vulnerable to stored cross-site scripting.
CVE-2024-51475Medium5.42025-05-16IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection.
CVE-2025-1138Medium4.32025-05-15IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user that could aid in further attacks against the system through a directory listing.

Nextcloud · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-47790Medium6.42025-05-16Nextcloud Server is a self hosted personal cloud system.
CVE-2025-47792Medium5.02025-05-16Nextcloud Desktop is the desktop sync client for Nextcloud.
CVE-2025-47793Medium4.32025-05-16Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team.
CVE-2025-47791Medium4.32025-05-16Nextcloud Server is a self hosted personal cloud system.
CVE-2025-47794Low2.62025-05-16Nextcloud Server is a self hosted personal cloud system.

Ni · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-30421High7.82025-05-15There is a memory corruption vulnerability due to a stack-based buffer overflow in DrObjectStorage::XML_Serialize() when using the SymbolEditor in NI Circuit Design Suite.
CVE-2025-30420High7.82025-05-15There is a memory corruption vulnerability due to an out of bounds read in Bitmap::InternalDraw() when using the SymbolEditor in NI Circuit Design Suite.
CVE-2025-30419High7.82025-05-15There is a memory corruption vulnerability due to an out of bounds read in GetSymbolBorderRectSize() when using the SymbolEditor in NI Circuit Design Suite.
CVE-2025-30418High7.82025-05-15There is a memory corruption vulnerability due to an out of bounds write in CheckPins() when using the SymbolEditor in NI Circuit Design Suite.
CVE-2025-30417High7.82025-05-15There is a memory corruption vulnerability due to an out of bounds write in Library!DecodeBase64() when using the SymbolEditor in NI Circuit Design Suite.

Totolink · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4733High8.82025-05-16A vulnerability, which was classified as critical, has been found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615.
CVE-2025-4732High8.82025-05-16A vulnerability classified as critical was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615.
CVE-2025-4731High8.82025-05-16A vulnerability classified as critical has been found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615.
CVE-2025-4730High8.82025-05-16A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615.
CVE-2025-4729Medium6.32025-05-16A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615.

Centreon · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4648High8.42025-05-13The content of a SVG file, received as input in Centreon web, was not properly checked.
CVE-2025-4647High8.42025-05-13Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS.
CVE-2025-4646High7.22025-05-13Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation. This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
CVE-2025-4649Medium4.92025-05-13Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation.

Emlog · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-47787Critical9.82025-05-15Emlog is an open source website building system.
CVE-2025-47784Critical9.82025-05-15Emlog is an open source website building system.
CVE-2025-47785High8.32025-05-15Emlog is an open source website building system.
CVE-2025-47786Medium4.82025-05-15Emlog is an open source website building system.

Evanliewer · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2023-7231High7.32025-05-15The illi Link Party!
CVE-2023-7230Medium6.12025-05-15The illi Link Party!
CVE-2023-7228Medium6.12025-05-15The illi Link Party!
CVE-2023-7229Medium5.52025-05-15The illi Link Party!

Insyde · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-52880High7.92025-05-15An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7…
CVE-2024-52879High7.52025-05-15An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7…
CVE-2024-52878High7.52025-05-15An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7…
CVE-2024-52877High7.52025-05-15An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7…

Ivanti · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-22462Critical9.82025-05-13An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.
CVE-2025-22460High7.82025-05-13Default credentials in Ivanti Cloud Services Application before version 5.0.5 allows a local authenticated attacker to escalate their privileges.
CVE-2025-4428High7.2KEV2025-05-13Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
CVE-2025-4427Medium5.3KEV2025-05-13An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

Mattermost · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-31947Medium5.82025-05-15Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures…
CVE-2025-2527Medium4.32025-05-15Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.
CVE-2025-3446Medium4.32025-05-15Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest us…
CVE-2025-2570Low2.72025-05-15Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmi…

Mayurik · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4728High7.32025-05-15A vulnerability was found in SourceCodester Best Online News Portal 1.0.
CVE-2025-44185Medium5.42025-05-15SourceCodester Best Employee Management System V1.0 is vulnerable to Cross Site Request Forgery (CSRF) in /admin/change_pass.php via the password parameter.
CVE-2025-44186Medium5.42025-05-14SourceCodester Best Employee Management System 1.0 is vulnerable to Cross Site Request Forgery (CSRF) in /admin/Operation/User.php page.
CVE-2025-44184Medium4.82025-05-14SourceCodester Best Employee Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the website_image, fname, lname, contact, username, and address parameters.

Oretnom23 · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4806Medium6.32025-05-16A vulnerability, which was classified as critical, has been found in SourceCodester/oretnom23 Stock Management System 1.0.
CVE-2025-4787Medium6.32025-05-16A vulnerability classified as critical has been found in SourceCodester/oretnom23 Stock Management System 1.0.
CVE-2025-4786Medium6.32025-05-16A vulnerability was found in SourceCodester/oretnom23 Stock Management System 1.0.
CVE-2025-4782Medium6.32025-05-16A vulnerability has been found in SourceCodester/oretnom23 Stock Management System 1.0 and classified as critical.

Romancode · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-47557Medium6.52025-05-16Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg allows Stored XSS. This issue affects MapSVG: from n/a through <= 8.5.31.
CVE-2025-48120Medium5.32025-05-16Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Code Injection. This issue affects MapSVG: from n/a through <= 8.6.9.
CVE-2025-47562Medium5.32025-05-16Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg allows Code Injection. This issue affects MapSVG: from n/a through <= 8.5.34.
CVE-2025-47560Medium5.02025-05-16Missing Authorization vulnerability in RomanCode MapSVG mapsvg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MapSVG: from n/a through < 8.6.13.

Code-projects · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4743Medium6.32025-05-16A vulnerability classified as critical was found in code-projects Employee Record System 1.0.
CVE-2025-4745Low3.52025-05-16A vulnerability, which was classified as problematic, was found in code-projects Employee Record System 1.0.
CVE-2025-4744Low3.52025-05-16A vulnerability, which was classified as problematic, has been found in code-projects Employee Record System 1.0.

Codepeople · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-8854Medium5.42025-05-15The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit…
CVE-2024-8851Medium5.42025-05-15The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit…
CVE-2024-13382Medium4.82025-05-15The Calculated Fields Form WordPress plugin before 5.2.64 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html…

Dell · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-30475High8.12025-05-15Dell PowerScale InsightIQ, versions 5.0 through 5.2, contains an improper privilege management vulnerability.
CVE-2025-26481High7.52025-05-15Dell PowerScale OneFS, versions 9.4.0.0 through 9.9.0.0, contains an uncontrolled resource consumption vulnerability.
CVE-2025-30476Medium5.32025-05-15Dell PowerScale InsightIQ, version 5.2, contains an uncontrolled resource consumption vulnerability.

Dyadyalesha · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-6798Medium4.82025-05-15The DL Verification WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabilit…
CVE-2024-6797Medium4.82025-05-15The DL Robots.txt WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…
CVE-2024-6462Medium4.82025-05-15The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…

Fortinet · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-32756Critical9.8KEV2025-05-13A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, Fort…
CVE-2025-22859Medium5.32025-05-13A Relative Path Traversal vulnerability [CWE-23] in FortiClientEMS 7.4.0 through 7.4.1 and FortiClientEMS Cloud 7.4.0 through 7.4.1 may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via upl…
CVE-2024-35281Low2.52025-05-13An improper isolation or compartmentalization vulnerability [CWE-653] in FortiClientMac version 7.4.2 and below, version 7.2.8 and below, 7.0 all versions and FortiVoiceUCDesktop 3.0 all versions desktop application may allow an authentica…

Getkirby · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-31493Critical9.12025-05-13Kirby is an open-source content management system.
CVE-2025-30159Critical9.12025-05-13Kirby is an open-source content management system.
CVE-2025-30207High7.52025-05-13Kirby is an open-source content management system.

Icewarp · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-40632Medium6.12025-05-16Cross-site scripting (XSS) in Icewarp Mail Server affecting version 11.4.0.
CVE-2025-40631Medium6.12025-05-16HTTP host header injection vulnerability in Icewarp Mail Server affecting version 11.4.0.
CVE-2025-40630Medium6.12025-05-16Open redirection vulnerability in IceWarp Mail Server affecting version 11.4.0.

Lukashuser · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-9765Medium6.52025-05-15The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory
CVE-2024-9711Medium5.42025-05-15The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-9709Medium5.42025-05-15The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Metagauss · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-4665Medium6.42025-05-15The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users.
CVE-2024-9390Medium4.82025-05-15The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html cap…
CVE-2025-48079Medium4.32025-05-16Missing Authorization vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ProfileGrid: from n/a through <= 5.9…

Mozilla · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-3909High8.12025-05-14Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context.
CVE-2025-3875High7.52025-05-14Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used.
CVE-2025-3932Medium6.52025-05-14It was possible to craft an email that showed a tracking link as an attachment.

Quanticalabs · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-31922High7.12025-05-16Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress css3_accordions allows Stored XSS. This issue affects CSS3 Accordions for WordPress: from n/a through <= 3.0.
CVE-2025-47556Medium5.42025-05-16Missing Authorization vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress css3_web_pricing_tables_grids allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Compare Pricing Tab…
CVE-2025-31923Medium5.42025-05-16Missing Authorization vulnerability in QuanticaLabs CSS3 Accordions for WordPress css3_accordions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Accordions for WordPress: from n/a through <=…

Quantumcloud · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-6809Critical9.82025-05-15The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVE-2025-32296Medium5.32025-05-16Missing Authorization vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through < 14.8.1.
CVE-2025-0329Medium4.82025-05-15The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm…

Red Hat · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-3931High7.82025-05-14A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component.
CVE-2025-4574Medium6.52025-05-13In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
CVE-2025-4476Medium4.32025-05-16A denial-of-service vulnerability has been identified in the libsoup HTTP client library.

Shapedplugin · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-48134High7.22025-05-16Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs wp-expand-tabs-free allows Object Injection. This issue affects WP Tabs: from n/a through <= 2.2.12.
CVE-2024-8187Medium4.82025-05-15The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…
CVE-2024-3996Low3.52025-05-15The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabi…

Valvepress · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-47534Medium4.32025-05-16Missing Authorization vulnerability in ValvePress Wordpress Auto Spinner wp-auto-spinner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wordpress Auto Spinner: from n/a through <= 3.25.0.
CVE-2025-39511Medium4.32025-05-16Missing Authorization vulnerability in ValvePress Pinterest Automatic Pin wp-pinterest-automatic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pinterest Automatic Pin: from n/a through <= 4.19.0.
CVE-2025-39493Medium4.32025-05-16Missing Authorization vulnerability in ValvePress Rankie valvepress-rankie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rankie: from n/a through < 1.8.2.

Zong Yu · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4556Critical9.82025-05-12The web management interface of Okcat Parking Management Platform from ZONG YU has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code…
CVE-2025-4555Critical9.82025-05-12The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions.
CVE-2025-4557Critical9.12025-05-12The specific APIs of Parking Management System from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific APIs and operate system functions.

10web · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-8670Medium4.82025-05-15The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html…
CVE-2024-13053Medium4.82025-05-15The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c…

Abantecart · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-40627Medium6.12025-05-12Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL.
CVE-2025-40626Medium6.12025-05-12Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL.

Aomedia · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-48175Medium4.52025-05-16In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes.
CVE-2025-48174Medium4.52025-05-16In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size.

Artec-it · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-46610High8.82025-05-12ARTEC EMA Mail 6.92 allows CSRF.
CVE-2025-46611Medium6.12025-05-12Cross Site Scripting vulnerability in ARTEC EMA Mail v6.92 allows an attacker to execute arbitrary code via a crafted script.

Ays-pro · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-9599Medium5.42025-05-15The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…
CVE-2024-8617Medium4.82025-05-15The Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Codexthemes · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4317High8.82025-05-13The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3.
CVE-2025-4339Medium4.32025-05-13The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3.

Coffee-code · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-1303Medium6.12025-05-15The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
CVE-2025-1289Medium4.82025-05-15The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…

Couleurcitron · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-11719Medium6.12025-05-15The tarteaucitron-wp WordPress plugin before 0.3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-11718Medium5.42025-05-15The tarteaucitron-wp WordPress plugin before 0.3.0 allows author level and above users to add HTML into a post/page, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Cr1000 · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-12733Medium6.12025-05-15The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adm…
CVE-2024-12732Medium6.12025-05-15The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adm…

Danielpowney · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-13828Medium6.12025-05-15The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-1033Medium4.82025-05-15The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i…

Data443 · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2024-6335Medium4.82025-05-15The Tracking Code Manager WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html ca…
CVE-2024-13621Medium4.82025-05-15The GDPR Framework By Data443 WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm…

Debian · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-37890 | High | 7.8 | | 2025-05-16 | In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child…
CVE-2025-47287 | High | 7.5 | | 2025-05-15 | Tornado is a Python web framework and asynchronous networking library.

Engineercms_project · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-44831 | Critical | 9.8 | | 2025-05-13 | EngineerCMS v1.02 through v2.0.5 has a SQL injection vulnerability in the /project/addproject interface.
CVE-2025-44830 | Critical | 9.8 | | 2025-05-12 | EngineerCMS v1.02 through v2.0.5 has a SQL injection vulnerability in the /project/addprojtemplet interface.

Floriansimunek · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11372 | High | 7.2 | | 2025-05-15 | The Connexion Logs WordPress plugin through 3.0.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
CVE-2024-11373 | Medium | 4.3 | | 2025-05-15 | The Connexion Logs WordPress plugin through 3.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Freebiesdownload · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6718 | Medium | 5.4 | | 2025-05-15 | The PVN Auth Popup WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and…
CVE-2024-6713 | Medium | 4.8 | | 2025-05-15 | The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili…

Gnu · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4802 | High | 7.8 | | 2025-05-16 | Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including inte…
CVE-2025-48188 | Low | 2.9 | | 2025-05-16 | libpspp-core.a in GNU PSPP through 2.0.1 has an incorrect call from fill_buffer (in data/encrypted-file.c) to the Gnulib rijndaelDecrypt function, leading to a heap-based buffer over-read.

Google · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4600 | High | 7.5 | | 2025-05-16 | A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests.
CVE-2025-4664 | Medium | 4.3 | | 2025-05-14 | Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

I-o Data Device, Inc. · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32002 | Critical | 9.8 | | 2025-05-15 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled.
CVE-2025-32738 | Medium | 5.3 | | 2025-05-15 | Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier.

Icegram · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13486 | Medium | 4.8 | | 2025-05-15 | The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…
CVE-2024-13482 | Medium | 4.8 | | 2025-05-15 | The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…

Imithemes · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39481 | Critical | 9.3 | | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through < 3.11.4.
CVE-2025-39482 | Medium | 4.3 | | 2025-05-16 | Missing Authorization vulnerability in imithemes Eventer eventer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eventer: from n/a through < 3.11.4.

Joomlaserviceprovider · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11267 | High | 8.8 | | 2025-05-15 | The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing users with the Contributor role to perform SQL injection attacks.
CVE-2024-12301 | Medium | 6.5 | | 2025-05-15 | The JSP Store Locator WordPress plugin through 1.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

Justintadlock · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8090 | Medium | 6.1 | | 2025-05-15 | The JavaScript Logic WordPress plugin through 0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-8082 | Medium | 4.3 | | 2025-05-15 | The Widgets Reset WordPress plugin through 0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Manageengine · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-3834 | High | 8.1 | | 2025-05-14 | Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the OU History report.
CVE-2025-3833 | High | 8.1 | | 2025-05-14 | Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.

Mantus667 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-2248 | Medium | 5.4 | | 2025-05-15 | The WP-PManager WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
CVE-2025-2247 | Medium | 5.4 | | 2025-05-15 | The WP-PManager WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Melapress · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9879 | Medium | 5.4 | | 2025-05-15 | The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
CVE-2024-10009 | Medium | 4.1 | | 2025-05-15 | The Melapress File Monitor WordPress plugin before 2.1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

Mohsinrasool · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12722 | Medium | 5.4 | | 2025-05-15 | The Twitter Bootstrap Collapse aka Accordian Shortcode WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow us…
CVE-2024-11221 | Medium | 4.8 | | 2025-05-15 | The Full Screen (Page) Background Image Slideshow WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when…

Mynamedia · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0688 | Medium | 6.1 | | 2025-05-15 | The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used agai…
CVE-2025-0687 | Medium | 6.1 | | 2025-05-15 | The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used agai…

Netalertx · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-46506 | Critical | 10.0 | | 2025-05-13 | NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025.
CVE-2024-48766 | High | 8.6 | | 2025-05-13 | NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025.

Netvision · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4559 | Critical | 9.8 | | 2025-05-12 | The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-4560 | Medium | 6.5 | | 2025-05-12 | The ISOinsight from Netvision has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access certain system functions.

Niceit · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12735 | High | 7.2 | | 2025-05-15 | The Advance Post Prefix WordPress plugin through 1.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins and above to perform SQL injection attacks.
CVE-2024-12734 | Medium | 6.1 | | 2025-05-15 | The Advance Post Prefix WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which co…

Nokautpl · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10632 | Medium | 4.8 | | 2025-05-15 | The Nokaut Offers Box WordPress plugin through 1.4.0 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab…
CVE-2024-10634 | Medium | 4.3 | | 2025-05-15 | The Nokaut Offers Box WordPress plugin through 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset the Nokaut Offers Box WordPress plugin through 1.4.0 via a CSRF…

Openpubkey · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4658 | Critical | 9.8 | | 2025-05-13 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.
CVE-2025-3757 | Critical | 9.8 | | 2025-05-13 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.

Opentext · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10865 | | | | 2025-05-14 | Improper Input validation leads to XSS or Cross-site Scripting vulnerability in OpenText Advanced Authentication.
CVE-2024-10864 | | | | 2025-05-14 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenText Advanced Authentication. This issue affects Advanced Authentication versions before 6.5.

Optimalaccess · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6667 | Medium | 6.1 | | 2025-05-15 | The KBucket: Your Curated Content in WordPress plugin before 4.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin.
CVE-2024-6665 | Medium | 4.8 | | 2025-05-15 | The KBucket: Your Curated Content in WordPress plugin before 4.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilte…

Pagelayer · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8618 | Medium | 4.8 | | 2025-05-15 | The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html…
CVE-2024-8426 | Medium | 4.8 | | 2025-05-15 | The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallo…

Podlove · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13730 | Medium | 4.8 | | 2025-05-15 | The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm…
CVE-2024-13729 | Medium | 4.8 | | 2025-05-15 | The Podlove Podcast Publisher WordPress plugin before 4.1.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_ht…

Pointcloudlibrary · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4638 | Critical | 9.8 | | 2025-05-14 | A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL).
CVE-2025-4640 | | | | 2025-05-14 | Out-of-bounds Write vulnerability in PointCloudLibrary pcl allows Overflow Buffers.

Presstigers · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-7761 | Medium | 6.1 | | 2025-05-15 | A Stored XSS vulnerability was found in the Simple Job Board WordPress plugin before 2.12.2 that allows a user with the Editor role to embed a malicious script, which could be used as an account-takeover backdoor.
CVE-2024-7762 | Low | 3.7 | | 2025-05-15 | The Simple Job Board WordPress plugin before 2.12.6 does not prevent uploaded files from being listed, allowing unauthenticated users to access and download uploaded resumes.

Prisna · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12680 | Medium | 4.8 | | 2025-05-15 | The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…
CVE-2024-12679 | Medium | 4.8 | | 2025-05-15 | The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Projectworlds · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4739 | High | 7.3 | | 2025-05-16 | A vulnerability was found in projectworlds Hospital Database Management System 1.0.
CVE-2025-4706 | High | 7.3 | | 2025-05-15 | A vulnerability was found in projectworlds Online Examination System 1.0.

Redhat · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-4982 | High | 7.6 | | 2025-05-12 | A directory traversal vulnerability was discovered in Pagure server.
CVE-2024-4981 | High | 7.6 | | 2025-05-12 | A vulnerability was discovered in Pagure server.

Redqteam · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-31063 | Medium | 4.3 | | 2025-05-16 | Missing Authorization vulnerability in redqteam Wishlist wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wishlist: from n/a through <= 2.1.0.
CVE-2025-31062 | Medium | 4.3 | | 2025-05-16 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist wishlist allows Retrieve Embedded Sensitive Data. This issue affects Wishlist: from n/a through <= 2.1.0.

Reputeinfosystems · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10504 | Medium | 5.4 | | 2025-05-15 | The Contact Form, Survey, Quiz & Popup Form Builder WordPress plugin before 1.7.1 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attac…
CVE-2024-11189 | Medium | 4.8 | | 2025-05-15 | The Social Share And Social Locker WordPress plugin before 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilter…

Robosoft · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13384 | Medium | 4.8 | | 2025-05-15 | The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks ev…
CVE-2024-10144 | Medium | 4.8 | | 2025-05-15 | The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting atta…

Schneider Electric · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-2875 | High | 7.5 | | 2025-05-14 | CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could cause a loss of confidentiality when an unauthenticated attacker manipulates controller’s webserver URL to access resources.
CVE-2025-3916 | | | | 2025-05-13 | CWE-121: Stack-based Buffer Overflow vulnerability exists that could allow a local attacker to execute arbitrary code when the end user opens a malicious project file (SSD file) provided by th…

Syncpilot · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-2305 | High | 8.6 | | 2025-05-16 | A Path traversal vulnerability in the file download functionality was identified.
CVE-2025-2306 | Medium | 5.9 | | 2025-05-16 | An Improper Access Control vulnerability was identified in the file download functionality.

Tenda · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4810 | High | 8.8 | | 2025-05-16 | A vulnerability was found in Tenda AC7 15.03.06.44.
CVE-2025-4809 | High | 8.8 | | 2025-05-16 | A vulnerability was found in Tenda AC7 15.03.06.44.

Thimpress · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13128 | Medium | 4.8 | | 2025-05-15 | The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili…
CVE-2024-13127 | Medium | 4.8 | | 2025-05-15 | The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili…

Toolstack · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9663 | Medium | 5.4 | | 2025-05-15 | The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i…
CVE-2024-9662 | Medium | 5.4 | | 2025-05-15 | The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i…

Travelpayouts · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-5934 | High | 7.3 | | 2025-05-15 | The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF a…
CVE-2023-5932 | Medium | 4.8 | | 2025-05-15 | The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high p…

Trifectatech · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-46718 | Low | 3.3 | | 2025-05-12 | sudo-rs is a memory safe implementation of sudo and su written in Rust.
CVE-2025-46717 | Low | 3.3 | | 2025-05-12 | sudo-rs is a memory safe implementation of sudo and su written in Rust.

Uncannyowl · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-3623 | Critical | 9.1 | | 2025-05-14 | The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function.
CVE-2025-4520 | Medium | 5.4 | | 2025-05-14 | The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2.

Vinoth06 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4474 | High | 8.8 | | 2025-05-13 | The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7.
CVE-2025-4473 | High | 8.8 | | 2025-05-13 | The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_request() function in versions 1.0 to 2.2.7.

Vyperlang · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47774 | | | | 2025-05-15 | Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine.
CVE-2025-47285 | | | | 2025-05-15 | Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine.

Watchguard · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4805 | | | | 2025-05-16 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS.
CVE-2025-4804 | | | | 2025-05-16 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the spamBlocker module.

Whmpress · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39491 | High | 8.1 | | 2025-05-16 | Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal.
CVE-2025-39492 | High | 7.5 | | 2025-05-16 | Path Traversal vulnerability in WHMPress WHMpress allows Relative Path Traversal.

5ire · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47777 | Critical | 9.6 | | 2025-05-14 | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client.

Abitgone · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7174 | High | 7.1 | | 2025-05-15 | The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Ablyperu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7086 | Medium | 5.4 | | 2025-05-15 | The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Absolute · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6364 | Medium | 6.4 | | 2025-05-13 | A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated.

Acugis · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6712 | Medium | 6.1 | | 2025-05-15 | The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Admintwentytwenty · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-3053 | High | 8.8 | | 2025-05-15 | The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function.

Alchemyplatform · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-46834 | | | | 2025-05-15 | Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900.

Ami · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-42446 | High | 7.5 | | 2025-05-13 | APTIOV contains a vulnerability in BIOS where an attacker may cause a Time-of-check Time-of-use (TOCTOU) Race Condition by local means.

Ani2life · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7195 | Medium | 4.3 | | 2025-05-15 | The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Annabansaghi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12739 | Medium | 4.8 | | 2025-05-15 | The Mobile Contact Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab…

Antonpug · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7168 | Medium | 4.8 | | 2025-05-15 | The Better Follow Button for Jetpack WordPress plugin through 8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilter…

App Cheap · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48127 | Medium | 6.5 | | 2025-05-16 | Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app push-notification-mobile-and-web-app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for…

Aptivada · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48135 | Medium | 6.5 | | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aptivadadev Aptivada for WP aptivada-for-wp allows DOM-Based XSS. This issue affects Aptivada for WP: from n/a through <= 2.0.0.

Archetyped · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-3516 | Medium | 5.9 | | 2025-05-16 | The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scri…

Arraytics · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47445 | High | 7.5 | | 2025-05-14 | Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal. This issue affects Eventin: from n/a through <= 4.0.26.

Ashan Perera · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48116 | Medium | 5.3 | | 2025-05-16 | Missing Authorization vulnerability in Ashan Perera EventON eventon-lite allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through <= 2.4.4.

Ashanjay · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47564 | Medium | 5.3 | | 2025-05-16 | Missing Authorization vulnerability in ashanjay EventON eventon allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through <= 4.9.8.

Asus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-1533 | | | | 2025-05-12 | A stack buffer overflow has been identified in the AsIO3.sys driver.

Atheos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47788 | | | | 2025-05-15 | Atheos is a self-hosted browser-based cloud IDE.

Auma Riester · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-3496 | High | 7.5 | | 2025-05-12 | An unauthenticated remote attacker can cause a buffer overflow which could lead to unexpected behaviour or DoS via Bluetooth or RS-232 interface.

Auth0 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47275 | Critical | 9.1 | | 2025-05-15 | Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs.

Aweber · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13313 | Medium | 4.8 | | 2025-05-15 | The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…

Bdwm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-4091 | Low | 3.5 | | 2025-05-15 | The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallo…

Beamctrl · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4740 | Medium | 5.3 | | 2025-05-16 | A vulnerability was found in BeamCtrl Airiana up to 11.0.

Bertha · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48138 | Medium | 4.3 | | 2025-05-16 | Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13.

Blaze Concepts · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39537 | High | 7.1 | | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blaze Concepts Better Customer List for WooCommerce woo-better-customer-list allows Reflected XSS. This issue affects Better Customer List…

Blubrry · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9227 | Medium | 4.8 | | 2025-05-15 | The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow admin users to perform Stored Cross-Site Scripting attacks even when the…

Bluetrait · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10677 | Medium | 4.3 | | 2025-05-15 | The BTEV WordPress plugin through 2.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Bluewave · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48024 | Medium | 5.0 | | 2025-05-15 | In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint.

Bohua · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4747 | Medium | 6.3 | | 2025-05-16 | A vulnerability was found in Bohua NetDragon Firewall 1.0 and classified as critical.

Bonigarcia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4641 | | | | 2025-05-14 | Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup.

Bootstrap · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-1647 | Medium | 5.6 | | 2025-05-15 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap: from 3.4.1 before 4.0.0.

Bracketspace · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-4004 | Low | 3.5 | | 2025-05-15 | The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c…

Brijeshk89 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12800 | Medium | 4.8 | | 2025-05-15 | The IP Based Login WordPress plugin before 2.4.1 does not sanitise values when importing, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disal…

Broadcom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22248 | High | 7.5 | | 2025-05-13 | The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, come with a 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user t…

Broadstreet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48113 | Medium | 6.5 | | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Broadstreet Broadstreet Ads broadstreet allows Stored XSS. This issue affects Broadstreet Ads: from n/a through <= 1.51.2.

Buddyboss · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12767 | Low | 3.5 | | 2025-05-15 | The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts.

Bulktheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-1288 | Medium | 6.1 | | 2025-05-15 | The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack.

Bullfrogsec · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47775 · Medium · 6.2 · - · 2025-05-14 · Bullfrog is a GitHub Action to block unauthorized outbound traffic in GitHub workflows.

Bytecodealliance · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-43853 · Medium · 5.5 · - · 2025-05-15 · The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface.

Cap-collectif · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47292 · - · - · - · 2025-05-14 · Cap Collectif is an online decision making platform that integrates several tools.

Cbewin · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4769 · High · 7.0 · - · 2025-05-16 · A vulnerability classified as critical was found in CBEWIN Anytxt Searcher 1.3.1128.0.

Cedcommerce · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2022-4363 · Medium · 6.5 · - · 2025-05-16 · The Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via…

Chaser324 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-32245 · Medium · 6.5 · - · 2025-05-16 · Cross-Site Request Forgery (CSRF) vulnerability in Chaser324 Featured Posts Scroll featured-posts-scroll allows Stored XSS. This issue affects Featured Posts Scroll: from n/a through <= 1.25.

Checkmk · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-32917 · High · 8.8 · - · 2025-05-13 · Privilege escalation in the jar_signature agent plugin in Checkmk versions <2.4.0b7 (beta), <2.3.0p32, <2.2.0p42, and 2.1.0p49 (EOL) allows a user with write access to the JAVA_HOME/bin directory to escalate privileges.

Chewkeanho · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47276 · High · 7.5 · - · 2025-05-13 · Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS).

Clicksold · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-7769 · Medium · 4.8 · - · 2025-05-15 · The ClickSold IDX WordPress plugin through 1.90 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Cloud Foundry · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-22246 · Low · 3.0 · - · 2025-05-13 · Cloud Foundry UAA release versions from v77.21.0 to v77.31.0 are vulnerable to a private key exposure in logs.

Cm-wp · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-10149 · Medium · 4.8 · - · 2025-05-15 · The Social Slider Feed WordPress plugin before 2.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab…

Cminds · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-5026 · Medium · 4.8 · - · 2025-05-15 · The CM Tooltip Glossary WordPress plugin before 4.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capa…

Codeastro · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4811 · High · 7.3 · - · 2025-05-16 · A vulnerability was found in CodeAstro Pharmacy Management System 1.0.

Codeflock · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-12724 · Medium · 6.1 · - · 2025-05-15 · The WP DeskLite WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Comesio · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4396 · High · 7.5 · - · 2025-05-13 · The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 (Free) and <= 2.27.5 (Premium) due to insufficient escaping…

Continew · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4552 · Medium · 5.4 · - · 2025-05-12 · A vulnerability has been found in ContiNew Admin up to 3.6.0 and classified as problematic.

Contrid · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3107 · Medium · 6.5 · - · 2025-05-13 · The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.9.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient pre…

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47703 · Medium · 6.1 · - · 2025-05-14 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2…

Corbyboy · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-7197 · High · 7.1 · - · 2025-05-15 · The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

Cozmoslabs · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-6708 · Medium · 4.8 · - · 2025-05-15 · The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks.

Cozy Vision · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47682 · Critical · 9.3 · - · 2025-05-12 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS Alert Order Notifications: from n/a throu…

Cpplusworld · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-44039 · Medium · 5.1 · - · 2025-05-13 · CP-XR-DE21-S -4G Router Firmware version 1.031.022 was discovered to contain insecure protections for its UART console.

Cure53 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48050 · High · 7.5 · - · 2025-05-15 · In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory.

Davidstutz · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47204 · Medium · 6.1 · - · 2025-05-13 · An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2.

Davisking · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4637 · - · - · - · 2025-05-14 · Divide By Zero vulnerability in davisking dlib allows remote attackers to cause a denial of service via a crafted file.

Defog-ai · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4767 · Medium · 5.3 · - · 2025-05-16 · A vulnerability was found in defog-ai introspect up to 0.1.4.

Deluxeblogtips · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-10143 · Medium · 4.8 · - · 2025-05-15 · The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the…

Deryckoe · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-6030 · Medium · 5.4 · - · 2025-05-15 · The LogDash Activity Log WordPress plugin before 1.1.4 hooks the wp_login_failed function (from src/Hooks/Users.php) in order to log failed login attempts to the database but it doesn't escape the username when it performs some SQL request…

Dev4press · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-0852 · High · 8.8 · - · 2025-05-15 · The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attack against high privilege users…

Devpups · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-10145 · Medium · 4.8 · - · 2025-05-15 · The Hubbub Lite WordPress plugin before 1.34.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Dfactory · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3742 · Medium · 6.8 · - · 2025-05-15 · The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored C…

Digi International · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3659 · - · - · - · 2025-05-12 · Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP I…

Domainspro · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-40628 · - · - · - · 2025-05-13 · SQL injection vulnerability in DomainsPRO 1.2.

Dpgaspar · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-32962 · Medium · 4.3 · - · 2025-05-16 · Flask-AppBuilder is an application development framework built on top of Flask.

Dumbwareio · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47929 · - · - · - · 2025-05-15 · DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b.

Dyland · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4579 · High · 7.2 · - · 2025-05-15 · The WP Content Security Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blocked-uri and effective-directive parameters in all versions up to, and including, 2.3 due to insufficient input sanitization and o…

Ecki · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-46836 · Medium · 6.6 · - · 2025-05-14 · net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system.

Edimax · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-45857 · Critical · 9.8 · - · 2025-05-13 · EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function.

Edward Caissie · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47578 · Medium · 6.5 · - · 2025-05-12 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Edward Caissie BNS Twitter Follow Button bns-twitter-follow-button allows DOM-Based XSS. This issue affects BNS Twitter Follow Button: fro…

Emmanuelg · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4126 · Medium · 6.4 · - · 2025-05-15 · The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied att…

Ericsson · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-53827 · High · 7.5 · - · 2025-05-16 · Ericsson Packet Core Controller (PCC) contains a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.

Espocrm · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-32390 · High · 8.5 · - · 2025-05-12 · EspoCRM is a free, open-source customer relationship management platform.

Estatik · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48136 · High · 7.5 · - · 2025-05-16 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik estatik-mortgage-calculator allows PHP Local File Inclusion. This issue affects Mor…

Ether · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-40907 · Medium · 5.3 · - · 2025-05-16 · FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.

Etoilewebdesign · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47580 · Medium · 5.4 · - · 2025-05-15 · Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Front End Users: from n/a through <= 3.2.35.

F1logic · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-12873 · Medium · 6.1 · - · 2025-05-15 · The Custom Field Manager WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admi…

Facturaone · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4564 · Critical · 9.8 · - · 2025-05-15 · The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18.

Feng_ha_ha · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4768 · Medium · 6.3 · - · 2025-05-16 · A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0.

Firelightwp · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3597 · Medium · 5.9 · - · 2025-05-12 · The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled.

Flamescorpion · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-9838 · Medium · 5.4 · - · 2025-05-15 · The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

Flickdevs · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-10631 · Medium · 6.5 · - · 2025-05-15 · The Countdown Timer for WordPress Block Editor WordPress plugin through 1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the cont…

Fluxbb · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-44110 · Medium · 5.4 · - · 2025-05-15 · FluxBB 1.5.11 is vulnerable to Cross Site Scripting (XSS) via the Forum Description field in admin_forums.php.

Flytxt · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-34732 · Medium · 5.4 · - · 2025-05-12 · An issue in the userId parameter in the change password function of Flytxt NEON-dX v0.0.1-SNAPSHOT-6.9-qa-2-9-g5502a0c allows attackers to execute brute force attacks to discover user passwords.

Freerdp · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4478 · Medium · 6.5 · - · 2025-05-16 · A flaw was found in the FreeRDP used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault.

Funnelkit · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-2203 · Medium · 6.1 · - · 2025-05-15 · The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

Gamipress · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-8245 · Medium · 4.3 · - · 2025-05-15 · The GamiPress WordPress plugin before 1.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Gongfuxiang · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4795 · Medium · 4.7 · - · 2025-05-16 · A vulnerability classified as critical has been found in gongfuxiang schoolcms 2.3.1.

Grandplugins · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-9238 · Medium · 5.4 · - · 2025-05-15 · The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Gsheetconnector · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-2334 · Medium · 5.4 · - · 2025-05-15 · The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have a CSRF check when updating its Access Code, which could allow attackers to make logged…

Gsplugins · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-9233 · Medium · 4.3 · - · 2025-05-15 · The Logo Slider WordPress plugin before 3.7.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Happyforms · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-10054 · Medium · 4.8 · - · 2025-05-15 · The Happyforms WordPress plugin before 1.26.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Harmonicdesign · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-13383 · Medium · 4.8 · - · 2025-05-15 · The HD Quiz WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is di…

Hashicorp · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3744 · High · 7.6 · - · 2025-05-13 · Nomad Enterprise ("Nomad") jobs using the policy override option are bypassing the mandatory Sentinel policies.

Hijiriworld · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-0249 · High · 7.1 · - · 2025-05-15 · The Advanced Schedule Posts WordPress plugin through 2.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as…

Hkdigit · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-6786 · Medium · 6.1 · - · 2025-05-15 · The Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue.

Horilla · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47789 · Medium · 6.1 · - · 2025-05-15 · Horilla is a free and open source Human Resource Management System (HRMS).

Humansignal · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47783 · Medium · 6.1 · - · 2025-05-14 · Label Studio is a multi-type data labeling and annotation tool.

If-so · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-5440 · Medium · 5.4 · - · 2025-05-15 · The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with t…

Inisev · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-10362 · Medium · 4.8 · - · 2025-05-15 · The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.9.1 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even…

Inventivo · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-7088 · Medium · 5.4 · - · 2025-05-15 · The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Invisioncommunity · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47916 · Critical · 10.0 · - · 2025-05-16 · Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php.

Ionutstaicu · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-8094 · Medium · 6.5 · - · 2025-05-15 · The Ntz Antispam WordPress plugin through 2.0e does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Javier Revilla · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48115 · Medium · 4.3 · - · 2025-05-16 · Cross-Site Request Forgery (CSRF) vulnerability in Javier Revilla ValidateCertify validar-certificados-de-cursos allows Cross Site Request Forgery. This issue affects ValidateCertify: from n/a through <= 1.6.4.

Jeroensormani · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-7239 · High · 7.5 · - · 2025-05-15 · The WP Dashboard Notes WordPress plugin before 1.0.11 does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action.

Jfarthing · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-8050 · Medium · 4.3 · - · 2025-05-15 · The Custom Author Base WordPress plugin through 1.1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Jidaikobo · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-11190 · Medium · 4.8 · - · 2025-05-15 · The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…

Jonkemp · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-7196 · Medium · 4.3 · - · 2025-05-15 · The Ultimate Noindex Nofollow Tool WordPress plugin through 1.1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Jontasc · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-11141 · Medium · 6.1 · - · 2025-05-15 · The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings and is missing CSRF protection which could allow subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_ht…

Julmud · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-46729 · - · - · - · 2025-05-12 · julmud/phpDVDProfiler is an adoption of the defunct phpDVDProfiler project, which allows users to display on the web their DVD collections maintained with Invelos's DVDProfiler software.

Justinas · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-46721 · Medium · 6.1 · - · 2025-05-13 · nosurf is cross-site request forgery (CSRF) protection middleware for Go.

Kaliforms · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3201 · Medium · 5.9 · - · 2025-05-16 · The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting at…

Kamleshyadav · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-31915 · Medium · 5.4 · - · 2025-05-16 · Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder pixel-formbuilder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: f…

Kanboard · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-46825 · Medium · 5.4 · - · 2025-05-12 · Kanboard is project management software that focuses on the Kanban methodology.

Karimmughal · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48112 · High · 7.1 · - · 2025-05-16 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages dot-htmlphpxml-etc-pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from…

Kashipara Group · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-49641 · Critical · 9.8 · - · 2025-05-13 · Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

Kelerkgibo · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3917 · Critical · 9.8 · - · 2025-05-15 · The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6.

Kilbot · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48117 · Medium · 5.3 · - · 2025-05-16 · Missing Authorization vulnerability in kilbot WooCommerce POS woocommerce-pos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce POS: from n/a through <= 1.7.8.

Kinfor · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4561 · High · 8.8 · - · 2025-05-12 · The KFOX from KingFor has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privilege to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Kingsoft · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-57096 · Medium · 5.5 · - · 2025-05-14 · An issue in wps office before v.19302 allows a local attacker to obtain sensitive information via a crafted file.

Klarned · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-10639 · Medium · 4.8 · - · 2025-05-15 · The Auto Prune Posts WordPress plugin before 3.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…

Konica Minolta Japan, Inc. · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-41393 · Medium · 6.1 · - · 2025-05-12 · Reflected cross-site scripting vulnerability exists in the laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor.

Kylephillips · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-8759 · Medium · 4.8 · - · 2025-05-15 · The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Latepoint · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3769 · Medium · 5.3 · - · 2025-05-14 · The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missi…

Lf-edge · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-52290 · Medium · 6.3 · - · 2025-05-14 · LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine.

Lichess · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48051 · Medium · 4.7 · - · 2025-05-15 · powertip.ts in Lila (for Lichess) before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML.

Lifterlms · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-13619 · Medium · 6.1 · - · 2025-05-15 · The LifterLMS WordPress plugin before 8.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Lightpress · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-3649 · Medium · 6.8 · - · 2025-05-12 · The LightPress Lightbox WordPress plugin before 2.3.4 does not check that download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.

Linux · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-53146 · Medium · 5.5 · - · 2025-05-14 · In the Linux kernel, the following vulnerability has been resolved: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() In dw2102_i2c_transfer, msg is controlled by user.

Lirantal · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4759 · High · 8.3 · - · 2025-05-16 · Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an at…

Ljapps · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-11109 · Medium · 4.8 · - · 2025-05-15 · The WP Google Review Slider WordPress plugin before 15.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c…

Lleidanet Pki · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4762 · - · - · - · 2025-05-15 · Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allows an unauthenticated attacker to access arbitrary files in the document system via manipulation…

Loopus · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-31921 · Medium · 4.3 · - · 2025-05-16 · Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Ultimate Tours Builder WP_UltimateToursBuilder allows Cross Site Request Forgery. This issue affects WP Ultimate Tours Builder: from n/a through <= 1.055.

Lukevella · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47781 · Critical · 9.8 · - · 2025-05-14 · Rallly is an open-source scheduling and collaboration tool.

Lupsonline · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48146 · High · 7.1 · - · 2025-05-16 · Cross-Site Request Forgery (CSRF) vulnerability in Michael Lups SEO Flow by LupsOnline lupsonline-link-netwerk allows Stored XSS. This issue affects SEO Flow by LupsOnline: from n/a through <= 2.2.1.

Magazine3 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-7759 · Medium · 4.8 · - · 2025-05-15 · The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Mappresspro · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-8620 · Medium · 4.8 · - · 2025-05-15 · The MapPress Maps for WordPress plugin before 2.93 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…

Memberspace · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-13727 · Medium · 6.1 · - · 2025-05-15 · The MemberSpace WordPress plugin before 2.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Metaphorcreations · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-13357 · Medium · 4.8 · - · 2025-05-15 · The Ditty WordPress plugin before 3.1.52 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is d…

Meteor · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4727 · Low · 3.7 · - · 2025-05-15 · A vulnerability was found in Meteor up to 3.2.1 and classified as problematic.

Missionmike · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-7556 · Medium · 4.8 · - · 2025-05-15 · The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Mitchelllevy · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-11269 · High · 7.2 · - · 2025-05-15 · The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.

Mitsubishi Electric Corporation · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-0921 · Medium · 6.5 · - · 2025-05-15 · Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.9…

Mojofywp · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-32180 · Medium · 6.5 · - · 2025-05-16 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojofywp Product Carousel For WooCommerce – WoorouSell woorousell allows Stored XSS. This issue affects Product Carousel For WooCommerce –…

Mojoomla · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-32643 · Critical · 9.3 · - · 2025-05-16 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection.

Mongodb · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-40906 · Critical · 9.8 · - · 2025-05-16 · BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities.

Mooveagency · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-0970 · Medium · 5.3 · - · 2025-05-15 · The User Activity Tracking and Log WordPress plugin before 4.1.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate the recorded value.

Motioneye-project · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-47782 · - · - · - · 2025-05-14 · motionEye is an online interface for the software motion, a video surveillance program with motion detection.

Munyweki · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-4720 · Medium · 5.4 · - · 2025-05-15 · A vulnerability was found in SourceCodester Student Result Management System 1.0.

Mutonufoai · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-48027 · Medium · 5.4 · - · 2025-05-15 · The HttpAuth plugin in pGina.Fork through 3.9.9.12 allows authentication bypass when an adversary controls DNS resolution for pginaloginserver.

Nackle2k10 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4589 | Medium | 6.4 |  | 2025-05-15 | The Bon Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bt-map' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied a…

Nasatheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39507 | High | 7.5 |  | 2025-05-16 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion. This issue affects Nasa Core: from n/a through < 6.4.4.

Naukowa I Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4430 |  |  |  | 2025-05-14 | Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation. This issue affects EZD RP in versions before 20.19 (published on 22nd August 2024).

Nimiq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47270 | High | 7.5 |  | 2025-05-12 | nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm.

Ninja Forms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13940 | Medium | 5.5 |  | 2025-05-14 | The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality.

Ninja_pages_project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-1454 | Medium | 5.4 |  | 2025-05-15 | The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability…

Nodejs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47279 | Low | 3.1 |  | 2025-05-15 | Undici is an HTTP/1.1 client for Node.js.

Ollama · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-1975 | High | 7.5 |  | 2025-05-16 | A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service.

Opswat · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-0131 |  |  |  | 2025-05-14 | An incorrect privilege management vulnerability in the OPSWAT MetaDefender Endpoint Security SDK used by the Palo Alto Networks GlobalProtect™ app on Windows devices allows a locally authenticated non-administrative Windows user to escalat…

Orangelab · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6486 | High | 7.2 |  | 2025-05-15 | The ImageMagick Engine ImageMagick Engine WordPress plugin before 1.7.11 for WordPress is vulnerable to OS Command Injection via the "cli_path" parameter.

Ozi-project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47271 |  |  |  | 2025-05-12 | The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release.

Pagevisitcounter · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-5529 | Medium | 4.8 |  | 2025-05-15 | The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_…

Pallets · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47278 |  |  |  | 2025-05-13 | Flask is a web server gateway interface (WSGI) web application framework.

Pdfcrowd · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-3062 | Medium | 4.8 |  | 2025-05-15 | The Save as Image Plugin by Pdfcrowd WordPress plugin before 3.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilte…

Peepso · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8988 | Medium | 5.3 |  | 2025-05-14 | The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key.

Peergos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4639 |  |  |  | 2025-05-14 | CWE-611 Improper Restriction of XML External Entity Reference in the getDocumentBuilder() method of WebDav servlet in Peergos.

Pencilwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48132 | Medium | 6.5 |  | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Stored XSS. This issue affects X Addons for Elementor: from n/a through <= 1.0.1…

Philipwalton · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8398 | Medium | 4.3 |  | 2025-05-15 | The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Phoenix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12533 | Low | 3.3 |  | 2025-05-13 | Improper Check for Unusual or Exceptional Conditions vulnerability in Phoenix SecureCore Technology 4 allows Input Data Manipulation. This issue affects SecureCore Technology 4: from 4.0.1.0 before 4.0.1.1018, from 4.1.0.1 before 4.1.0.573…

Pickplugins · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9645 | Medium | 5.4 |  | 2025-05-15 | The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could a…

Pixeljar · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11266 | Medium | 4.8 |  | 2025-05-15 | The Geocache Stat Bar Widget WordPress plugin through 0.911 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm…

Pnetlab · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40629 |  |  |  | 2025-05-16 | PNETLab 4.2.10 does not properly sanitize user inputs in its file access mechanisms.

Pnfpb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6159 | Critical | 9.8 |  | 2025-05-15 | The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL inject…

Premio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-2643 | Medium | 4.8 |  | 2025-05-15 | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to…

Progress · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-3600 | High | 7.5 |  | 2025-05-14 | In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service.

Projectpanorama · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-11843 | Medium | 4.8 |  | 2025-05-15 | The Panorama WordPress plugin through 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…

Proxymis · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48137 | High | 8.5 |  | 2025-05-16 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in proxymis Interview interview allows SQL Injection. This issue affects Interview: from n/a through <= 1.01.

Python Software Foundation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4516 |  |  |  | 2025-05-15 | There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`.

Radiustheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9236 | Medium | 4.8 |  | 2025-05-15 | The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disa…

Raiserweb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12750 | Medium | 4.3 |  | 2025-05-15 | The Competition Form WordPress plugin through 2.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Realestateconnected · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-2869 | Medium | 4.8 |  | 2025-05-15 | The Easy Property Listings WordPress plugin before 3.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c…

Reneade · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7297 | Low | 3.5 |  | 2025-05-15 | The TwitterPosts WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Roninwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47693 | High | 7.5 |  | 2025-05-16 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking fat-services-booking allows PHP Local File Inclusion. This issue affects FAT Services Book…

Rs Wp Themes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48119 | Medium | 5.3 |  | 2025-05-16 | Improper Control of Generation of Code ('Code Injection') vulnerability in RS WP THEMES RS WP Book Showcase rs-wp-books-showcase allows Code Injection. This issue affects RS WP Book Showcase: from n/a through <= 6.7.59.

Ryanchristenson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8095 | Medium | 6.1 |  | 2025-05-15 | The BabelZ WordPress plugin through 1.1.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

S3bubble · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13865 | Medium | 6.1 |  | 2025-05-15 | The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Saiful Islam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48131 | Medium | 6.5 |  | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite ultraaddons-elementor-lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from…

Saleswonder Team: Tobias · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32922 | High | 7.1 |  | 2025-05-15 | Cross-Site Request Forgery (CSRF) vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Stored XSS. This issue affects WP2LEADS: from n/a through <= 3.5.0.

Salonbookingsystem · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9882 | Medium | 4.8 |  | 2025-05-15 | The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cr…

Samsung · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4632 | Critical | 9.8 | KEV | 2025-05-13 | Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.

Scripteo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-46464 | Medium | 6.5 |  | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Stored XSS. This issue affects Ads Pro: from n/a through <= 5.0.

Seedprod · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10107 | Medium | 4.8 |  | 2025-05-15 | The Giveaways and Contests by RafflePress WordPress plugin before 1.12.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the…

Senior-walter · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4807 | Medium | 5.3 |  | 2025-05-16 | A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0.

Sfarbota · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-1286 | Medium | 6.1 |  | 2025-05-15 | The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such…

Sharespine · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48128 | Medium | 4.3 |  | 2025-05-16 | Missing Authorization vulnerability in Sharespine Sharespine Woocommerce Connector sharespine-woocommerce-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sharespine Woocommerce Connector…

Shayan Farhang Pazhooh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48114 | High | 7.1 |  | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in Shayan Farhang Pazhooh ShayanWeb Admin FontChanger shayanweb-admin-fontchanger allows Stored XSS. This issue affects ShayanWeb Admin FontChanger: from n/a through <= 1.9.1.

Sidngr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48144 | High | 7.1 |  | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in sidngr Import Export For WooCommerce import-export-for-woocommerce allows Stored XSS. This issue affects Import Export For WooCommerce: from n/a through <= 1.6.2.

Sma · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41645 | High | 8.6 |  | 2025-05-13 | An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake.

Smartdatasoft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12725 | Medium | 6.1 |  | 2025-05-15 | The Clasify Classified Listing WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such…

Smyx · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12282 | Medium | 6.1 |  | 2025-05-15 | The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Snumb130 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8701 | Medium | 4.8 |  | 2025-05-15 | The events-calendar WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabil…

Solidcode · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8085 | Medium | 6.1 |  | 2025-05-15 | The PeoplePond WordPress plugin through 1.1.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Sonicwall · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40595 | High | 7.2 |  | 2025-05-14 | A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface.

Spiderteams · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10098 | Low | 2.7 |  | 2025-05-15 | The ApplyOnline WordPress plugin before 2.6.3 does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain

Spotipy-dev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47928 | Critical | 9.1 |  | 2025-05-15 | Spotipy is a Python library for the Spotify Web API.

Spring · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22233 | Low | 3.1 |  | 2025-05-16 | CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names.

Stacklok · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47274 |  |  |  | 2025-05-12 | ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers.

Stellarwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8493 | Medium | 4.8 |  | 2025-05-15 | The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capabili…

Steve Puddick · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48121 | Medium | 6.5 |  | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Puddick WP Notes Widget wp-notes-widget allows DOM-Based XSS. This issue affects WP Notes Widget: from n/a through <= 1.0.6.

Stylishpricelist · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-7758 | Medium | 4.8 |  | 2025-05-15 | The Stylish Price List WordPress plugin before 7.1.8 does not sanitise and escape some of its settings, which could allow high privilege users of contributor and above to perform Stored Cross-Site Scripting attacks even when the unfiltere…

Sulu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47778 |  |  |  | 2025-05-14 | Sulu is an open-source PHP content management system based on the Symfony framework.

Synology · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4679 | Medium | 6.5 |  | 2025-05-16 | A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors.

Syntacticsinc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9450 | Medium | 6.5 |  | 2025-05-15 | The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in subscriber change them via a CSRF…

Takien · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12726 | Medium | 6.1 |  | 2025-05-15 | The ClipArt WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Taskbuilder · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-9831 | High | 7.2 |  | 2025-05-15 | The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Techearty · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-4002 | Low | 3.5 |  | 2025-05-15 | The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when th…

Technowich · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12770 | Medium | 4.8 |  | 2025-05-15 | The WP ULike WordPress plugin before 4.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is…

Tecno · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4737 | Medium | 6.2 |  | 2025-05-15 | Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage.

Texttheater · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-1663 | Medium | 4.8 |  | 2025-05-15 | The Ultimate Noindex Nofollow Tool II WordPress plugin before 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilt…

The Qt Company · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4211 |  |  |  | 2025-05-16 | Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentially allows Symlink Attacks and the use of Malicious Files.

Themehunk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-10475 | Medium | 4.8 |  | 2025-05-15 | The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attac…

Thememove · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32310 | High | 8.8 |  | 2025-05-16 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal - Appointment Booking Calendar for WordPress quickcal allows Privilege Escalation. This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a thro…

Themencode · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39509 | Medium | 6.5 |  | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode TNC FlipBook pdf-viewer-for-wordpress allows Stored XSS. This issue affects TNC FlipBook: from n/a through <= 12.1.0.

Themovation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32299 | Medium | 4.3 |  | 2025-05-16 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal - Appointment Booking Calendar for WordPress quickcal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal - Ap…

Thisfunctional · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-6478 | Medium | 4.8 |  | 2025-05-15 | The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltere…

Top_comments_project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-12874 | Medium | 4.8 |  | 2025-05-15 | The Top Comments WordPress plugin through 1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability i…

Tosin Oguntuyi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-51666 | Medium | 4.3 |  | 2025-05-15 | Missing Authorization vulnerability in Tosin Oguntuyi Tours tours. This issue affects Tours: from n/a through <= 1.0.0.

Total-soft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8700 | High | 7.5 |  | 2025-05-15 | The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars.

Ulfbenjaminsson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-8032 | Medium | 6.1 |  | 2025-05-15 | The Smooth Gallery Replacement WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF at…

Ultimatewpsms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-7984 | Medium | 4.3 |  | 2025-05-15 | The Joy Of Text Lite WordPress plugin through 2.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Umbraco · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47280 | Medium | 6.1 |  | 2025-05-13 | Umbraco Forms is a form builder that integrates with the Umbraco content management system.

Uncanny Owl · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48080 | Medium | 6.5 |  | 2025-05-16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash uncanny-learndash-toolkit allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: f…

Urkekg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4169 | Medium | 6.4 |  | 2025-05-16 | The Posts per Cat [Unmaintained plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ppc' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on us…

Varnish-software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47905 | Medium | 5.4 |  | 2025-05-13 | Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.

Vercel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32421 | Low | 3.7 |  | 2025-05-14 | Next.js is a React framework for building full-stack web applications.

Villatheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47563 | Medium | 5.3 |  | 2025-05-16 | Missing Authorization vulnerability in villatheme CURCY woocommerce-multi-currency allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CURCY: from n/a through <= 2.3.7.

Vita-mllm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4701 | Medium | 5.3 |  | 2025-05-15 | A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421.

Vmware · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-22249 | High | 8.2 |  | 2025-05-13 | VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clic…

Welukame · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4591 | Medium | 6.4 |  | 2025-05-15 | The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user suppli…

Wibu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47809 | High | 8.2 |  | 2025-05-16 | Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot).

Wordpresschef · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32295 | Medium | 4.3 |  | 2025-05-16 | Missing Authorization vulnerability in wordpresschef Salon Booking Pro salon-booking-plugin-pro-cc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon Booking Pro: from n/a through <= 10.10.2.

Wormhole Tech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4558 | Critical | 9.8 |  | 2025-05-12 | The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system.

Wp Experts · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-13914 | High | 7.2 |  | 2025-05-15 | The File Manager Advanced Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the 'file_manag…

Xu-yijie · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4742 | Medium | 5.3 |  | 2025-05-16 | A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856.

Zkteco · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-45746 | Medium | 6.5 |  | 2025-05-13 | In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console.

Zulip · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47930 | Medium | 5.3 |  | 2025-05-16 | Zulip is an open-source team chat application.