Patch Tuesday — September 2025

2025-09-09 · 787 CVEs

CVEs published or modified the week of 2025-09-09, partitioned by vendor.

Microsoft (100 CVEs)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10226 | Critical | 9.8 |  | 2025-09-10 | Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate privileges, execute arbitrary code, or cause de…
CVE-2025-43491 | Critical | 9.8 |  | 2025-09-09 | A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the filesystem, which might lead to SYSTEM level privileges being granted.
CVE-2025-55232 | Critical | 9.8 |  | 2025-09-09 | Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.
CVE-2025-55319 | High | 8.8 |  | 2025-09-12 | AI command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network.
CVE-2025-10200 | High | 8.8 |  | 2025-09-10 | Use after free in Serviceworker in Google Chrome on Desktop prior to 140.0.7339.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-55234 | High | 8.8 |  | 2025-09-09 | SMB Server might be susceptible to relay attacks depending on the configuration.
CVE-2025-55227 | High | 8.8 |  | 2025-09-09 | Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
CVE-2025-54918 | High | 8.8 |  | 2025-09-09 | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network.
CVE-2025-54897 | High | 8.8 |  | 2025-09-09 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2025-54113 | High | 8.8 |  | 2025-09-09 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.
CVE-2025-54110 | High | 8.8 |  | 2025-09-09 | Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2025-54106 | High | 8.8 |  | 2025-09-09 | Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.
CVE-2025-36855 | High | 8.8 |  | 2025-09-08 | A vulnerability (CVE-2025-21176, https://www.cve.org/CVERecord) exists in DiaSymReader.dll due to buffer over-read.
CVE-2025-54256 | High | 8.6 |  | 2025-09-09 | Dreamweaver Desktop versions 21.5 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-54910 | High | 8.4 |  | 2025-09-09 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-36854 | High | 8.1 |  | 2025-09-08 | A vulnerability (CVE-2024-38229, https://www.cve.org/CVERecord) exists in EOL ASP.NET: when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, resulting in Remote C…
CVE-2025-54257 | High | 7.8 |  | 2025-09-09 | Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-54242 | High | 7.8 |  | 2025-09-09 | Premiere Pro versions 25.3, 24.6.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-10199 | High | 7.8 |  | 2025-09-09 | A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
CVE-2025-10198 | High | 7.8 |  | 2025-09-09 | Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.
CVE-2025-55317 | High | 7.8 |  | 2025-09-09 | Improper link resolution before file access ('link following') in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.
CVE-2025-55316 | High | 7.8 |  | 2025-09-09 | External control of file name or path in Azure Arc allows an authorized attacker to elevate privileges locally.
CVE-2025-55245 | High | 7.8 |  | 2025-09-09 | Improper link resolution before file access ('link following') in Xbox allows an authorized attacker to elevate privileges locally.
CVE-2025-55228 | High | 7.8 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally.
CVE-2025-55224 | High | 7.8 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally.
CVE-2025-54916 | High | 7.8 |  | 2025-09-09 | Stack-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.
CVE-2025-54913 | High | 7.8 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows UI XAML Maps MapControlSettings allows an authorized attacker to elevate privileges locally.
CVE-2025-54912 | High | 7.8 |  | 2025-09-09 | Use after free in Windows BitLocker allows an authorized attacker to elevate privileges locally.
CVE-2025-54908 | High | 7.8 |  | 2025-09-09 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
CVE-2025-54907 | High | 7.8 |  | 2025-09-09 | Heap-based buffer overflow in Microsoft Office Visio allows an unauthorized attacker to execute code locally.
CVE-2025-54906 | High | 7.8 |  | 2025-09-09 | Free of memory not on the heap in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-54904 | High | 7.8 |  | 2025-09-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-54903 | High | 7.8 |  | 2025-09-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-54902 | High | 7.8 |  | 2025-09-09 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-54900 | High | 7.8 |  | 2025-09-09 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-54899 | High | 7.8 |  | 2025-09-09 | Free of memory not on the heap in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-54898 | High | 7.8 |  | 2025-09-09 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-54896 | High | 7.8 |  | 2025-09-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-54895 | High | 7.8 |  | 2025-09-09 | Integer overflow or wraparound in Windows SPNEGO Extended Negotiation allows an authorized attacker to elevate privileges locally.
CVE-2025-54894 | High | 7.8 |  | 2025-09-09 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2025-54111 | High | 7.8 |  | 2025-09-09 | Use after free in Windows UI XAML Phone DatePickerFlyout allows an authorized attacker to elevate privileges locally.
CVE-2025-54102 | High | 7.8 |  | 2025-09-09 | Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.
CVE-2025-54098 | High | 7.8 |  | 2025-09-09 | Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
CVE-2025-54092 | High | 7.8 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
CVE-2025-54091 | High | 7.8 |  | 2025-09-09 | Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
CVE-2025-53801 | High | 7.8 |  | 2025-09-09 | Untrusted pointer dereference in Windows DWM allows an authorized attacker to elevate privileges locally.
CVE-2025-53800 | High | 7.8 |  | 2025-09-09 | No CWE assigned; a flaw in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
CVE-2025-49692 | High | 7.8 |  | 2025-09-09 | Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2025-55243 | High | 7.5 |  | 2025-09-09 | Exposure of sensitive information to an unauthorized actor in Microsoft Office Plus allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-54919 | High | 7.5 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally.
CVE-2025-53805 | High | 7.5 |  | 2025-09-09 | Out-of-bounds read in Windows Internet Information Services allows an unauthorized attacker to deny service over a network.
CVE-2025-36853 | High | 7.5 |  | 2025-09-08 | A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow.
CVE-2025-54103 | High | 7.4 |  | 2025-09-09 | Use after free in Windows Management Services allows an unauthorized attacker to elevate privileges locally.
CVE-2025-59033 | High | 7.4 |  | 2025-09-08 | The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy.
CVE-2022-50238 | High | 7.4 |  | 2025-09-08 | The on-endpoint Microsoft vulnerable driver blocklist is not fully synchronized with the online Microsoft recommended driver block rules.
CVE-2025-55236 | High | 7.3 |  | 2025-09-09 | Time-of-check time-of-use (TOCTOU) race condition in Graphics Kernel allows an authorized attacker to execute code locally.
CVE-2025-54911 | High | 7.3 |  | 2025-09-09 | Use after free in Windows BitLocker allows an authorized attacker to elevate privileges locally.
CVE-2025-54116 | High | 7.3 |  | 2025-09-09 | Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally.
CVE-2025-54905 | High | 7.1 |  | 2025-09-09 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2025-55223 | High | 7.0 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally.
CVE-2025-54115 | High | 7.0 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
CVE-2025-54114 | High | 7.0 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.
CVE-2025-54112 | High | 7.0 |  | 2025-09-09 | Use after free in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally.
CVE-2025-54108 | High | 7.0 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
CVE-2025-54105 | High | 7.0 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
CVE-2025-54099 | High | 7.0 |  | 2025-09-09 | Stack-based buffer overflow in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2025-54093 | High | 7.0 |  | 2025-09-09 | Time-of-check time-of-use (TOCTOU) race condition in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CVE-2025-53807 | High | 7.0 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
CVE-2025-53802 | High | 7.0 |  | 2025-09-09 | Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
CVE-2025-49734 | High | 7.0 |  | 2025-09-09 | Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally.
CVE-2025-55226 | Medium | 6.7 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to execute code locally.
CVE-2025-54915 | Medium | 6.7 |  | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
CVE-2025-54109 | Medium | 6.7 |  | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
CVE-2025-54104 | Medium | 6.7 |  | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
CVE-2025-54094 | Medium | 6.7 |  | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
CVE-2025-53810 | Medium | 6.7 |  | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
CVE-2025-53808 | Medium | 6.7 |  | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
CVE-2025-55225 | Medium | 6.5 |  | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-54097 | Medium | 6.5 |  | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-54096 | Medium | 6.5 |  | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-54095 | Medium | 6.5 |  | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-53809 | Medium | 6.5 |  | 2025-09-09 | Improper input validation in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
CVE-2025-53806 | Medium | 6.5 |  | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-53798 | Medium | 6.5 |  | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-53797 | Medium | 6.5 |  | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-53796 | Medium | 6.5 |  | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-47997 | Medium | 6.5 |  | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network.
CVE-2025-10221 | Medium | 5.5 |  | 2025-09-10 | Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet / C-WerkNet 2.0.4 and earlier on Windows platforms allows a local attacker to obtain plaintext credentials via reading…
CVE-2025-54241 | Medium | 5.5 |  | 2025-09-09 | After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information.
CVE-2025-54240 | Medium | 5.5 |  | 2025-09-09 | After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information.
CVE-2025-54239 | Medium | 5.5 |  | 2025-09-09 | After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information.
CVE-2025-54901 | Medium | 5.5 |  | 2025-09-09 | Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2025-53804 | Medium | 5.5 |  | 2025-09-09 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
CVE-2025-53803 | Medium | 5.5 |  | 2025-09-09 | Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally.
CVE-2025-53799 | Medium | 5.5 |  | 2025-09-09 | Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally.
CVE-2025-54101 | Medium | 4.8 |  | 2025-09-09 | Use after free in Windows SMBv3 Client allows an authorized attacker to execute code over a network.
CVE-2025-10227 | Medium | 4.6 |  | 2025-09-10 | Missing Encryption of Sensitive Data (CWE-311) in the Object Archive component in AxxonSoft Axxon One (C-Werk) before 2.0.8 on Windows and Linux allows a local attacker with access to exported storage or stolen physical drives to extract…
CVE-2025-54917 | Medium | 4.3 |  | 2025-09-09 | Protection mechanism failure in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
CVE-2025-54107 | Medium | 4.3 |  | 2025-09-09 | Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
CVE-2025-54255 | Medium | 4.0 |  | 2025-09-09 | Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass impacting integrity.
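A triage helper for the rows above, added here as an example; it is not part of the original listing and not Microsoft tooling. It takes rows in the flattened form this page uses (severity, CVSS and publication date run together, e.g. "Critical9.82025-09-10"), splits them into fields, and ranks them by a simple score layered on the CVSS base. The literal "KEV" marker and the scoring weights are this example's assumptions; no row on the page carries a KEV flag, and the sample rows are copied from the Microsoft table.

```python
"""Parse and rank flattened Patch Tuesday rows (added example, not page code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: seven rows copied verbatim from the Microsoft table above.
SAMPLE_ROWS = [
    "CVE-2025-55232Critical9.82025-09-09Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.",
    "CVE-2025-55234High8.82025-09-09SMB Server might be susceptible to relay attacks depending on the configuration.",
    "CVE-2025-54918High8.82025-09-09Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network.",
    "CVE-2025-54113High8.82025-09-09Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.",
    "CVE-2025-54916High7.82025-09-09Stack-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.",
    "CVE-2025-53805High7.52025-09-09Out-of-bounds read in Windows Internet Information Services allows an unauthorized attacker to deny service over a network.",
    "CVE-2025-54255Medium4.02025-09-09Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass impacting integrity.",
]

# A CVSS score is one or two digits, a dot and one digit; a date always starts
# with four digits and a hyphen. That is what lets "9.82025-09-09" split into
# 9.8 and 2025-09-09 unambiguously. The optional literal "KEV" is an assumed
# marker for a flagged row; no row on this page has one.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,7})"
    r"(?P<severity>Critical|High|Medium|Low)"
    r"(?P<cvss>\d{1,2}\.\d)"
    r"(?P<kev>KEV)?"
    r"(?P<published>\d{4}-\d{2}-\d{2})"
    r"(?P<summary>.*)$"
)


@dataclass
class Row:
    cve: str
    severity: str
    cvss: float
    kev: bool
    published: str
    summary: str


def parse_row(line: str) -> Row:
    """Split one flattened table row into its fields; raise on anything else."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line[:40]!r}")
    return Row(
        cve=m["cve"], severity=m["severity"], cvss=float(m["cvss"]),
        kev=m["kev"] is not None, published=m["published"],
        summary=m["summary"].strip(),
    )


def triage_score(row: Row) -> int:
    """Integer score in tenths of a CVSS point, so ties compare exactly.

    Weights are this example's heuristic, not from the page: known exploitation
    outranks everything, then reachability and preconditions as phrased in
    Microsoft's standardised summaries ("over a network", "unauthorized attacker",
    "execute code").
    """
    score = round(row.cvss * 10)
    text = row.summary.lower()
    if row.kev:
        score += 100
    if "over a network" in text:
        score += 20
    if "unauthorized attacker" in text:  # no authentication required
        score += 10
    if "execute code" in text:
        score += 10
    return score


def rank(lines: List[str]) -> List[Row]:
    """Parse every line and order rows by score, then CVSS, then CVE id."""
    rows = [parse_row(line) for line in lines]
    return sorted(rows, key=lambda r: (-triage_score(r), -r.cvss, r.cve))


if __name__ == "__main__":
    for r in rank(SAMPLE_ROWS):
        print(f"{triage_score(r):4d}  {r.cve}  {r.severity:<8} {r.cvss}  {r.summary[:60]}")
```

On the sample, the HPC deserialization and RRAS heap overflow land on top because they are network-reachable, unauthenticated code execution; the NTLM and IIS items follow. CVE-2025-55234 keeps only its CVSS because its summary does not use the standard phrasing, which is the limit of keyword scoring: a relay-class item like that needs a configuration check (whether the server requires SMB signing) rather than a score.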

Other vendors (687 CVEs across 308 vendors)

N/a · 64 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-45434 | Critical | 9.8 |  | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x has a Use-After-Free.
CVE-2025-55835 | Critical | 9.8 |  | 2025-09-12 | File Upload vulnerability in SueamCMS v.0.1.2 allows a remote attacker to execute arbitrary code via the lack of filtering.
CVE-2025-57633 | Critical | 9.8 |  | 2025-09-09 | A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands.
CVE-2025-57085 | Critical | 9.8 |  | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function.
CVE-2025-57141 | Critical | 9.8 |  | 2025-09-08 | rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc.
CVE-2025-52161 | Critical | 9.8 |  | 2025-09-08 | Scholl Communications AG Weblication CMS Core v019.004.000.000 was discovered to contain a cross-site scripting (XSS) vulnerability.
CVE-2025-22956 | Critical | 9.8 |  | 2025-09-08 | OPSI before 4.3 allows any client to retrieve any ProductPropertyState, including those of other clients.
CVE-2025-56407 | High | 8.8 |  | 2025-09-10 | A vulnerability has been found in HuangDou UTCMS V9 and classified as critical.
CVE-2025-52389 | High | 8.8 |  | 2025-09-08 | An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request.
CVE-2025-55849 | High | 8.4 |  | 2025-09-08 | WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee
CVE-2025-57579 | High | 8.0 |  | 2025-09-12 | An issue in TOTOLINK Wi-Fi 6 Router Series Device X2000R-Gh-V2.0.0 allows a remote attacker to execute arbitrary code via the default password.
CVE-2025-57578 | High | 8.0 |  | 2025-09-12 | An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password.
CVE-2025-57577 | High | 8.0 |  | 2025-09-12 | An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password.
CVE-2024-45432 | High | 7.5 |  | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x mishandles a function call.
CVE-2025-56406 | High | 7.5 |  | 2025-09-10 | An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service.
CVE-2025-57060 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the rules parameter in the dns_forward_rule_store function.
CVE-2025-29089 | High | 7.5 |  | 2025-09-09 | An issue in TP-Link AX10 Ax1500 v.1.3.10 Build (20230130) allows a remote attacker to obtain sensitive information.
CVE-2025-57086 | High | 7.5 |  | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNode function.
CVE-2025-57078 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pppoeServerWhiteMacIndex parameter in the formModifyPppAuthWhiteMac function.
CVE-2025-57087 | High | 7.5 |  | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the countryCode parameter in the werlessAdvancedSet function.
CVE-2025-57072 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the staticRouteGateway parameter in the formSetStaticRoute function.
CVE-2025-57071 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the vpnUsers parameter in the formAddVpnUsers function.
CVE-2025-57070 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the gstUp parameter in the guestWifiRuleRefresh function.
CVE-2025-57069 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pPppUser parameter in the getsinglepppuser function.
CVE-2025-57064 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the bindDhcpIndex parameter in the modifyDhcpRule function.
CVE-2025-57063 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the portMappingIndex parameter in the formDelPortMapping function.
CVE-2025-57062 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the delDhcpIndex parameter in the formDelDhcpRule function.
CVE-2025-57061 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formIPMacBindModify function via the ruleId, ip, mac, v6 and remark parameters.
CVE-2025-57059 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the dhcpIndex parameter in the addDhcpRule function.
CVE-2025-57058 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formSetDebugCfg function via the pEnable, pLevel, and pModule parameters.
CVE-2025-57057 | High | 7.5 |  | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the listStr parameter in the ipMacBindListStore function.
CVE-2025-52322 | High | 7.5 |  | 2025-09-09 | An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in the PDN Address Allocation (PAA) field.
CVE-2025-52288 | High | 7.5 |  | 2025-09-08 | Assertion failure in function ngap_build_downlink_nas_transport in file src/amf/ngap-build.c, the Access and Mobility Management Function (AMF) component, in Open5GS through 2.7.5 allowing attackers to cause a denial of service or other unspe…
CVE-2025-10116 | High | 7.3 |  | 2025-09-09 | A vulnerability was identified in SiempreCMS up to 1.3.6.
CVE-2025-10115 | High | 7.3 |  | 2025-09-09 | A vulnerability was determined in SiempreCMS up to 1.3.6.
CVE-2025-57642 | High | 7.2 |  | 2025-09-10 | A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP shell scripts on the server, leading to remote code execution and unauthorized access to the system.
CVE-2025-52915 | High | 7.2 |  | 2025-09-09 | K7RKScan.sys 23.0.0.10, part of the K7 Security Anti-Malware suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation.
CVE-2025-56467 | Medium | 6.5 |  | 2025-09-12 | An issue was discovered in AXIS BANK LIMITED Axis Mobile App 9.9 that allows attackers to obtain sensitive information without a UPI PIN, such as account information, balances, transaction history, and unspecified other information.
CVE-2024-45433 | Medium | 6.5 |  | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x has Incorrect Control Flow Scoping.
CVE-2025-55996 | Medium | 6.3 |  | 2025-09-12 | Viber Desktop 25.6.0 is vulnerable to HTML Injection via the text parameter of the message compose/forward interface.
CVE-2025-10247 | Medium | 6.3 |  | 2025-09-11 | A security vulnerability has been detected in JEPaaS 7.2.8.
CVE-2025-10121 | Medium | 6.3 |  | 2025-09-09 | A flaw has been found in uverif up to 3.2.
CVE-2025-52074 | Medium | 6.1 |  | 2025-09-12 | PHPGURUKUL Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) due to lack of input sanitization in the quantity parameter when adding a product to the cart.
CVE-2025-57520 | Medium | 6.1 |  | 2025-09-10 | A Cross Site Scripting (XSS) vulnerability exists in Decap CMS through 3.8.3.
CVE-2025-52277 | Medium | 6.1 |  | 2025-09-09 | Cross Site Scripting vulnerability in YesWiki v.4.54 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field.
CVE-2025-56578 | Medium | 5.7 |  | 2025-09-10 | An issue in RTSPtoWeb v.2.4.3 allows a remote attacker to obtain sensitive information and execute arbitrary code via the lack of authentication mechanisms.
CVE-2025-57573 | Medium | 5.6 |  | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the wifiTimeClose parameter in goform/setWifi.
CVE-2025-57572 | Medium | 5.6 |  | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the onlineList parameter in goform/setParentControl.
CVE-2025-57571 | Medium | 5.6 |  | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow.
CVE-2025-57570 | Medium | 5.6 |  | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the QosList parameter in goform/setQoS.
CVE-2025-57569 | Medium | 5.6 |  | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the portList parameter in /goform/setNAT.
CVE-2025-10232 | Medium | 5.4 |  | 2025-09-10 | A weakness has been identified in 299ko up to 2.0.0.
CVE-2025-57540 | Medium | 5.4 |  | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment (PVE) 8.4.
CVE-2025-57539 | Medium | 5.4 |  | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input.
CVE-2025-57538 | Medium | 5.4 |  | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability in the HTTP Proxy field within the Datacenter configuration panel of Proxmox Virtual Environment (PVE) 8.4 allows an authenticated user to inject malicious input.
CVE-2024-45431 | Medium | 5.3 |  | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x has Improper Input Validation.
CVE-2025-10195 | Medium | 5.3 |  | 2025-09-10 | A vulnerability has been found in Seismic App 2.4.2 on Android.
CVE-2025-9910 | Medium | 4.7 |  | 2025-09-11 | Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin.
CVE-2025-10229 | Medium | 4.3 |  | 2025-09-10 | A vulnerability has been found in Freshwork up to 1.2.3.
CVE-2025-51586 | Low | 3.7 |  | 2025-09-08 | An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.
CVE-2025-10253 | Low | 3.5 |  | 2025-09-11 | A vulnerability has been found in openDCIM 23.04.
CVE-2025-10216 | Low | 2.6 |  | 2025-09-10 | A vulnerability was detected in GrandNode up to 2.3.0.
CVE-2025-10235 | Low | 2.4 |  | 2025-09-11 | A flaw has been found in Scada-LTS up to 2.7.8.1.
CVE-2025-10234 | Low | 2.4 |  | 2025-09-11 | A vulnerability was detected in Scada-LTS up to 2.7.8.1.

Linux · 36 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39797 | High | 7.8 |  | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: xfrm: Duplicate SPI Handling. The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI Netlink message, which triggers the kernel function xfrm_alloc_spi().
CVE-2025-39796 | High | 7.8 |  | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: net: lapbether: ignore ops-locked netdevs. Syzkaller managed to trigger lock dependency in xsk_notify via register_netdevice.
CVE-2025-39793 | High | 7.8 |  | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: io_uring/memmap: cast nr_pages to size_t before shifting. If the allocated size exceeds UINT_MAX, then it's necessary to cast the mr->nr_pages value to size_t to prevent…
CVE-2025-39740 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/xe/migrate: prevent potential UAF. If we hit the error path, the previous fence (if there is one) has already been put() prior to this, so doing a fence_wait could le…
CVE-2025-39786 | High | 7.1 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7173: fix channels index for syscalib_mode. Fix the index used to look up the channel when accessing the syscalib_mode attribute.
CVE-2025-39761 | High | 7.1 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Decrement TID on RX peer frag setup error handling. Currently, TID is not decremented before peer cleanup, during error handling path of ath12k_dp_rx_peer_f…
CVE-2025-39750 | High | 7.1 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Correct tid cleanup when tid setup fails. Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(), the tid value is already incremented, even th…
CVE-2025-39744 | High | 7.1 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to IRQ work. During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued.
CVE-2025-39792 | Medium | 5.5 |  | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: dm: Always split write BIOs to zoned device limits. Any zoned DM target that requires zone append emulation will use the block layer zone write plugging.
CVE-2025-39791 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: dm: dm-crypt: Do not partially accept write BIOs with zoned targets. Read and write operations issued to a dm-crypt target may be split according to the dm-crypt internal…
CVE-2025-39789 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: crypto: x86/aegis - Add missing error checks. The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary.
CVE-2025-39785 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix irq_request()'s irq name variable is local. The local variable is passed in request_irq(), and there will be use after free problem, which will…
CVE-2025-39784 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix link speed calculation on retrain failure. When pcie_failed_link_retrain() fails to retrain, it tries to revert to the previous link speed.
CVE-2025-39781 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: parisc: Drop WARN_ON_ONCE() from flush_cache_vmap. I have observed warning to occasionally trigger.
CVE-2025-39780 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: sched/ext: Fix invalid task state transitions on class switch. When enabling a sched_ext scheduler, we may trigger invalid task state transitions, resulting in warnings l…
CVE-2025-39779 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: btrfs: subpage: keep TOWRITE tag until folio is cleaned. btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also c…
CVE-2025-39777 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: crypto: acomp - Fix CFI failure due to type punning. To avoid a crash when control flow integrity is enabled, make the workspace ("stream") free function use a consistent…
CVE-2025-39775 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix WARN with uffd that has remap events disabled. Registering userfaultfd on a VMA that spans at least one PMD and then mremap()'ing that VMA can trigger a WAR…
CVE-2025-39774 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: iio: adc: rzg2l_adc: Set driver data before enabling runtime PM. When stress-testing the system by repeatedly unbinding and binding the ADC device in a loop, and the ADC…
CVE-2025-39771 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: regulator: pca9450: Use devm_register_sys_off_handler. With module test, there is error dump: ------------[ cut here ]------------ notifier callback pca9450_i2c_restart…
CVE-2025-39769 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix lockdep warning during rmmod. The commit under the Fixes tag added a netdev_assert_locked() in bnxt_free_ntp_fltrs().
CVE-2025-39768 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, fix complex rules rehash error flow. Moving rules from matcher to matcher should not fail.
CVE-2025-39767 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Optimize module load time by optimizing PLT/GOT counting. When enabling CONFIG_KASAN, CONFIG_PREEMPT_VOLUNTARY_BUILD and CONFIG_PREEMPT_VOLUNTARY at the same t…
CVE-2025-39765 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: fix ida_free call while not allocated. In the snd_utimer_create() function, if the kasprintf() function return NULL, snd_utimer_put_id() will be called, fina…
CVE-2025-39764 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers. Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cooki…
CVE-2025-39763Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered If a synchronous error is detected as a result of user-space process triggering a 2-bit…
CVE-2025-39762Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid.
CVE-2025-39758Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this: static int siw_tcp…
CVE-2025-39753Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Clears up the warning added in 7ee3647243e5 ("migrate: Remove call to ->writepage") that occurs in various xfstests, ca…
CVE-2025-39748Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the following BPF program.
CVE-2025-39747Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: drm/msm: Add error handling for krealloc in metadata setup Function msm_ioctl_gem_info_set_metadata() now checks for krealloc failure and returns -ENOMEM, avoiding poten…
CVE-2025-39746Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: shutdown driver when hardware is unreliable In rare cases, ath10k may lose connection with the PCIe bus due to some unknown reasons, which could further le…
CVE-2025-39745Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: rcutorture: Fix rcutorture_one_extend_check() splat in RT kernels For built with CONFIG_PREEMPT_RT=y kernels, running rcutorture tests resulted in the following splat: …
CVE-2025-39741Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: drm/xe/migrate: don't overflow max copy size With non-page aligned copy, we need to use 4 byte aligned pitch, however the size itself might still be close to our maximum…
CVE-2025-39739Medium5.52025-09-11In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-qcom: Add SM6115 MDSS compatible Add the SM6115 MDSS compatible to clients compatible list, as it also needs that workaround.
CVE-2025-39754Medium4.72025-09-11In the Linux kernel, the following vulnerability has been resolved: mm/smaps: fix race between smaps_hugetlb_range and migration smaps_hugetlb_range() handles the pte without holdling ptl, and may be concurrenct with migration, leaing to…

Debian · 25 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-39790 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. |
| CVE-2025-39788 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up pr… |
| CVE-2025-39783 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix configfs group list head handling Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this fi… |
| CVE-2025-39776 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/debug_vm_pgtable: clear page table entries at destroy_args() The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also it… |
| CVE-2025-39766 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qle… |
| CVE-2025-39743 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is 0 The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. |
| CVE-2025-39738 | High | 7.8 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation of partially dropped subvolumes [BUG] There is an internal report that balance triggered transaction abort, with the following call trace… |
| CVE-2025-39760 | High | 7.1 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd r… |
| CVE-2025-39757 | High | 7.1 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whe… |
| CVE-2025-39759 | High | 7.0 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result… |
| CVE-2025-39749 | High | 7.0 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: rcu: Protect ->defer_qs_iw_pending from data race On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is invoked within an interrupts-disabled region of code… |
| CVE-2025-39798 | Medium | 5.5 |  | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabilities when automounting a new filesystem Capabilities cannot be inherited when we cross into a new filesystem. |
| CVE-2025-39795 | Medium | 5.5 |  | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow for chunk_sectors check in blk_stack_limits() In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->phys… |
| CVE-2025-39794 | Medium | 5.5 |  | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy. |
| CVE-2025-40300 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor… |
| CVE-2025-39787 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don't read past the ELF header When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessa… |
| CVE-2025-39782 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after proce… |
| CVE-2025-39773 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() m… |
| CVE-2025-39772 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not i… |
| CVE-2025-39770 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension hea… |
| CVE-2025-39756 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes at… |
| CVE-2025-39752 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: ARM: rockchip: fix kernel hang during smp initialization In order to bring up secondary CPUs main CPU write trampoline code to SRAM. |
| CVE-2025-39742 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() The function divides number of online CPUs by num_core_siblings, and later checks the divider by zero. |
| CVE-2025-39737 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() A soft lockup warning was observed on a relative small system x86-64 system with 16 GB of memory when running a… |
| CVE-2025-39736 | Medium | 5.5 |  | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can… |

Liferay · 17 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-43790 | High | 8.1 |  | 2025-09-11 | Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to fr… |
| CVE-2025-43796 | High | 7.5 |  | 2025-09-12 | Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 does not limit the number of objects returned from GraphQL queries, which allows remote attackers t… |
| CVE-2025-43784 | Medium | 6.5 |  | 2025-09-10 | Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entries informatio… |
| CVE-2025-43763 | Medium | 6.5 |  | 2025-09-09 | A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1… |
| CVE-2025-43795 | Medium | 6.1 |  | 2025-09-12 | Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote at… |
| CVE-2025-43783 | Medium | 6.1 |  | 2025-09-10 | Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allow… |
| CVE-2025-43785 | Medium | 6.1 |  | 2025-09-10 | Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute… |
| CVE-2025-43781 | Medium | 6.1 |  | 2025-09-09 | Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject… |
| CVE-2025-43778 | Medium | 6.1 |  | 2025-09-09 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 th… |
| CVE-2025-43787 | Medium | 5.4 |  | 2025-09-12 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2… |
| CVE-2025-43775 | Medium | 5.4 |  | 2025-09-09 | Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote… |
| CVE-2025-43776 | Medium | 5.4 |  | 2025-09-09 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 thr… |
| CVE-2025-43789 | Medium | 5.3 |  | 2025-09-12 | JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get ex… |
| CVE-2025-43786 | Medium | 5.3 |  | 2025-09-09 | Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers… |
| CVE-2025-43777 | Medium | 5.3 |  | 2025-09-09 | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 ex… |
| CVE-2025-43788 | Medium | 4.3 |  | 2025-09-12 | The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list… |
| CVE-2025-43782 | Medium | 4.3 |  | 2025-09-11 | Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to a… |

Sap_se · 16 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-42944 | Critical | 10.0 |  | 2025-09-09 | Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. |
| CVE-2025-42922 | Critical | 9.9 |  | 2025-09-09 | SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. |
| CVE-2025-42958 | Critical | 9.1 |  | 2025-09-09 | Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privile… |
| CVE-2025-42933 | High | 8.8 |  | 2025-09-09 | When a user logs in via SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. |
| CVE-2025-42929 | High | 8.1 |  | 2025-09-09 | Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. |
| CVE-2025-42916 | High | 8.1 |  | 2025-09-09 | Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. |
| CVE-2025-42930 | Medium | 6.5 |  | 2025-09-09 | SAP Business Planning and Consolidation allows an authenticated standard user to call a function module by crafting specific parameters that causes a loop, consuming excessive resources and resulting in system unavailability. |
| CVE-2025-42917 | Medium | 6.5 |  | 2025-09-09 | SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
| CVE-2025-42912 | Medium | 6.5 |  | 2025-09-09 | SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
| CVE-2025-42938 | Medium | 6.1 |  | 2025-09-09 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. |
| CVE-2025-42915 | Medium | 5.4 |  | 2025-09-09 | Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups. This issue could impact both th… |
| CVE-2025-42925 | Medium | 4.3 |  | 2025-09-09 | Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. |
| CVE-2025-42923 | Medium | 4.3 |  | 2025-09-09 | Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. |
| CVE-2025-42927 | Low | 3.4 |  | 2025-09-09 | SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL. Successful exploitation of known vulnerabilities in the outdated OpenSSL library would allow user with high system privileges to… |
| CVE-2025-42914 | Low | 3.1 |  | 2025-09-09 | Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low… |
| CVE-2025-42913 | Low | 3.1 |  | 2025-09-09 | Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low… |

Adobe · 15 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-54261 | Critical | 10.0 |  | 2025-09-09 | ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. |
| CVE-2025-54236 | Critical | 9.1 | KEV | 2025-09-09 | Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. |
| CVE-2025-54260 | High | 7.8 |  | 2025-09-09 | Substance3D - Modeler versions 1.22.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
| CVE-2025-54259 | High | 7.8 |  | 2025-09-09 | Substance3D - Modeler versions 1.22.2 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-54258 | High | 7.8 |  | 2025-09-09 | Substance3D - Modeler versions 1.22.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-54245 | High | 7.8 |  | 2025-09-09 | Substance3D - Viewer versions 0.25.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-54244 | High | 7.8 |  | 2025-09-09 | Substance3D - Viewer versions 0.25.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-54243 | High | 7.8 |  | 2025-09-09 | Substance3D - Viewer versions 0.25.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-54248 | High | 7.7 |  | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
| CVE-2025-54249 | Medium | 6.5 |  | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. |
| CVE-2025-54247 | Medium | 6.5 |  | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
| CVE-2025-54246 | Medium | 6.5 |  | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. |
| CVE-2025-54252 | Medium | 5.4 |  | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. |
| CVE-2025-54250 | Medium | 4.9 |  | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
| CVE-2025-54251 | Medium | 4.3 |  | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. |

Ivanti · 13 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55145 | High | 8.9 |  | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allow… |
| CVE-2025-9872 | High | 8.8 |  | 2025-09-09 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. |
| CVE-2025-9712 | High | 8.8 |  | 2025-09-09 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. |
| CVE-2025-55147 | High | 8.8 |  | 2025-09-09 | CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthe… |
| CVE-2025-55142 | High | 8.8 |  | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
| CVE-2025-55141 | High | 8.8 |  | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
| CVE-2025-55148 | High | 7.6 |  | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
| CVE-2025-55139 | Medium | 6.8 |  | 2025-09-09 | SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authent… |
| CVE-2025-55143 | Medium | 6.1 |  | 2025-09-09 | Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) all… |
| CVE-2025-8712 | Medium | 5.4 |  | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allow… |
| CVE-2025-8711 | Medium | 5.4 |  | 2025-09-09 | CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthe… |
| CVE-2025-55144 | Medium | 5.4 |  | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
| CVE-2025-55146 | Medium | 4.9 |  | 2025-09-09 | An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) al… |

Phpgurukul · 12 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-40692 | Critical | 9.8 |  | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
| CVE-2025-40691 | Critical | 9.8 |  | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
| CVE-2025-40690 | Critical | 9.8 |  | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
| CVE-2025-40689 | Critical | 9.8 |  | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
| CVE-2025-40687 | Critical | 9.8 |  | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
| CVE-2025-10114 | High | 7.3 |  | 2025-09-09 | A vulnerability was found in PHPGurukul Small CRM 4.0. |
| CVE-2025-10079 | High | 7.3 |  | 2025-09-08 | A flaw has been found in PHPGurukul Small CRM 4.0. |
| CVE-2025-10098 | Medium | 6.3 |  | 2025-09-08 | A security flaw has been discovered in PHPGurukul User Management System 1.0. |
| CVE-2025-40696 | Medium | 5.4 |  | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a stored authenticated XSS due to the lack of proper validation of user inputs 'fullname', 'location' and 'message' parameters via POST at th… |
| CVE-2025-40695 | Medium | 5.4 |  | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a stored authenticated XSS due to the lack of proper validation of user inputs 'remark', 'status' and 'takeaction' parameters via POST at the… |
| CVE-2025-40694 | Medium | 5.4 |  | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a stored authenticated XSS due to the lack of proper validation of user inputs 'fromdate' and 'todate' parameters via POST at the endpoint '/… |
| CVE-2025-40693 | Medium | 5.4 |  | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a reflected and stored authenticated XSS due to the lack of proper validation of user inputs 'tname' parameter via GET and, 'teamleadname', '… |

Rockwell Automation · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-9364 | High | 8.8 |  | 2025-09-09 | An open database issue exists in the affected product and version. |
| CVE-2025-9161 | High | 8.8 |  | 2025-09-09 | A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. |
| CVE-2025-9065 | High | 8.8 |  | 2025-09-09 | A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. |
| CVE-2025-9166 | High | 7.5 |  | 2025-09-09 | A denial-of-service security issue exists in the affected product and version. |
| CVE-2025-7970 | High | 7.5 |  | 2025-09-09 | A security issue exists within FactoryTalk Activation Manager. |
| CVE-2025-8008 | Medium | 6.5 |  | 2025-09-09 | A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash. |
| CVE-2025-8007 | Medium | 6.5 |  | 2025-09-09 | A security issue exists in the protected mode of 1756-EN4TR and 1756-EN2TR communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable (MNFR) fault. |
| CVE-2025-9160 |  |  |  | 2025-09-09 | A code execution security issue exists in the affected product. |
| CVE-2025-7350 |  |  |  | 2025-09-09 | A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. |

Siemens · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-40795 | Critical | 9.8 |  | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
| CVE-2025-40804 | Critical | 9.1 |  | 2025-09-09 | A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). |
| CVE-2025-40798 | High | 7.5 |  | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
| CVE-2025-40797 | High | 7.5 |  | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
| CVE-2025-40796 | High | 7.5 |  | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
| CVE-2025-40594 | Medium | 6.3 |  | 2025-09-09 | A vulnerability has been identified in SINAMICS G220 V6.4 (All versions < V6.4 HF2), SINAMICS S200 V6.4 (All versions < V6.4 HF7), SINAMICS S210 V6.4 (All versions < V6.4 HF2). |
| CVE-2025-40757 | Medium | 5.3 |  | 2025-09-09 | A vulnerability has been identified in APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions). |
| CVE-2025-40803 | Low | 3.1 |  | 2025-09-09 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). |
| CVE-2025-40802 | Low | 3.1 |  | 2025-09-09 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). |

Baicells · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55051 | Critical | 10.0 | | 2025-09-09 | CWE-1392: Use of Default Credentials |
| CVE-2025-55050 | Critical | 9.8 | | 2025-09-09 | CWE-1242: Inclusion of Undocumented Features |
| CVE-2025-55048 | Critical | 9.8 | | 2025-09-09 | Multiple CWE-78 |
| CVE-2025-55049 | Critical | 9.1 | | 2025-09-09 | Use of Default Cryptographic Key (CWE-1394) |
| CVE-2025-55047 | High | 8.4 | | 2025-09-09 | CWE-798 Use of Hard-coded Credentials |
| CVE-2025-55053 | Medium | 6.5 | | 2025-09-09 | CWE-328: Use of Weak Hash |
| CVE-2025-55054 | Medium | 6.1 | | 2025-09-09 | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') |
| CVE-2025-55052 | Medium | 4.3 | | 2025-09-09 | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor |

Dell · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-43888 | High | 8.8 | | 2025-09-10 | Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. |
| CVE-2025-43884 | High | 8.2 | | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. |
| CVE-2025-43885 | High | 7.8 | | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. |
| CVE-2025-43725 | High | 7.8 | | 2025-09-10 | Dell PowerProtect Data Manager, Generic Application Agent, version(s) 19.19 and 19.20, contain(s) an Incorrect Default Permissions vulnerability. |
| CVE-2025-43887 | High | 7.0 | | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Incorrect Default Permissions vulnerability. |
| CVE-2025-43722 | Medium | 6.7 | | 2025-09-08 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper privilege management vulnerability. |
| CVE-2025-43938 | Medium | 5.0 | | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Plaintext Storage of a Password vulnerability. |
| CVE-2025-43886 | Medium | 4.4 | | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Path Traversal: '.../...//' vulnerability. |

Ibm · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-36222 | High | 8.7 | | 2025-09-11 | IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an a… |
| CVE-2024-45669 | Medium | 6.5 | | 2025-09-10 | IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a remote user to cause a denial of service due to improper handling of special characters that could lead to uncontrolled resource consumption. |
| CVE-2024-47120 | Medium | 6.4 | | 2025-09-10 | IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with unnecessary privileges. |
| CVE-2025-36125 | Medium | 6.4 | | 2025-09-09 | IBM Hardware Management Console - Power 10.3.1050.0 and 11.1.1110.0 is vulnerable to stored cross-site scripting. |
| CVE-2024-45671 | Medium | 5.9 | | 2025-09-10 | IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. |
| CVE-2025-1761 | Medium | 5.9 | | 2025-09-08 | IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. |
| CVE-2025-36011 | Medium | 4.3 | | 2025-09-09 | IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. |

Netgate · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-34175 | Medium | 6.1 | | 2025-09-09 | In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. |
| CVE-2025-34172 | Medium | 6.1 | | 2025-09-09 | In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. |
| CVE-2025-34178 | Medium | 5.4 | | 2025-09-09 | In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. |
| CVE-2025-34177 | Medium | 5.4 | | 2025-09-09 | In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. |
| CVE-2025-34174 | Medium | 5.4 | | 2025-09-09 | In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. |
| CVE-2025-34176 | Medium | 4.3 | | 2025-09-09 | In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. |
| CVE-2025-34173 | Medium | 4.3 | | 2025-09-09 | In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. |

Typo3 · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-59017 | High | 8.8 | | 2025-09-09 | Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to… |
| CVE-2025-59018 | Medium | 6.5 | | 2025-09-09 | Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disc… |
| CVE-2025-59015 | Medium | 6.5 | | 2025-09-09 | A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly. |
| CVE-2025-59013 | Medium | 6.1 | | 2025-09-09 | An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phi… |
| CVE-2025-59019 | Medium | 4.3 | | 2025-09-09 | Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mount… |
| CVE-2025-59016 | Medium | 4.3 | | 2025-09-09 | Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed… |
| CVE-2025-59014 | Low | 2.7 | | 2025-09-09 | An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving man… |

Gitlab · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-6454 | High | 8.5 | | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended internal requests through proxy environ… |
| CVE-2025-2256 | High | 7.5 | | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate use… |
| CVE-2025-7337 | Medium | 6.5 | | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user with Developer-level access to cause a persistent denial o… |
| CVE-2025-1250 | Medium | 6.5 | | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially c… |
| CVE-2025-10094 | Medium | 6.5 | | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access to token listings and related administrat… |
| CVE-2025-6769 | Medium | 4.3 | | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view administrator-only maintenance notes by accessing r… |

Audi · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-45583 | Critical | 9.1 | | 2025-09-12 | Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password. |
| CVE-2025-45586 | High | 7.5 | | 2025-09-12 | An issue in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to arbitrarily overwrite files via supplying a crafted PUT request. |
| CVE-2025-45584 | High | 7.5 | | 2025-09-12 | Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication. |
| CVE-2025-45587 | High | 7.0 | | 2025-09-12 | A stack overflow in the FTP service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
| CVE-2025-45585 | Medium | 5.4 | | 2025-09-12 | Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid para… |

Axxonsoft · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10220 | Critical | 9.8 | | 2025-09-10 | Use of Unmaintained Third Party Components (CWE-1104) in the NuGet dependency components in AxxonSoft Axxon One VMS 2.0.0 through 2.0.4 on Windows allows a remote attacker to execute arbitrary code or bypass security features via exploitat… |
| CVE-2025-10225 | High | 7.5 | | 2025-09-10 | Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) in the OpenSSL-based session module in AxxonSoft Axxon One (C-Werk) 2.0.6 and earlier on Windows allows a remote attacker under high load conditions to cause… |
| CVE-2025-10224 | Medium | 5.4 | | 2025-09-10 | Improper Authentication (CWE-287) in the LDAP authentication engine in AxxonSoft Axxon One (C-Werk) 2.0.2 and earlier on Windows allows a remote authenticated user to be denied access or misassigned roles via incorrect evaluation of nested… |
| CVE-2025-10223 | Medium | 5.4 | | 2025-09-10 | Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One (C-Werk) prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an une… |
| CVE-2025-10222 | Low | 3.3 | | 2025-09-10 | Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) in the diagnostic dump component in AxxonSoft Axxon One VMS (C-Werk) 2.0.0 through 2.0.1 on Windows allows a local attacker to obtain licensing-related information such a… |

Calix · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-7635 | High | 7.7 | | 2025-09-09 | Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. |
| CVE-2025-54084 | | | | 2025-09-09 | OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially… |
| CVE-2025-54083 | | | | 2025-09-09 | Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. |
| CVE-2025-53914 | | | | 2025-09-09 | Excessive Privileges vulnerability in Calix GigaCenter ONT (Broadcom SoC modules) allows Privilege Abuse. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G. |
| CVE-2025-53913 | | | | 2025-09-09 | Excessive Privileges vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows Privilege Abuse. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G. |

Chancms · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10211 | Medium | 6.3 | | 2025-09-10 | A security vulnerability has been detected in yanyutao0402 ChanCMS 3.3.0. |
| CVE-2025-10210 | Medium | 6.3 | | 2025-09-10 | A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. |
| CVE-2025-10110 | Medium | 6.3 | | 2025-09-08 | A vulnerability was identified in ChanCMS up to 3.3.1. |
| CVE-2025-10106 | Medium | 6.3 | | 2025-09-08 | A vulnerability has been found in yanyutao0402 ChanCMS up to 3.3.1. |
| CVE-2025-10105 | Medium | 6.3 | | 2025-09-08 | A flaw has been found in yanyutao0402 ChanCMS up to 3.3.1. |

Lenovo · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-8557 | High | 8.8 | | 2025-09-11 | An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability: An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate t… |
| CVE-2025-9201 | High | 7.8 | | 2025-09-11 | A potential DLL hijacking vulnerability was discovered in Lenovo Browser during an internal security assessment that could allow a local user to execute code with elevated privileges. |
| CVE-2025-9319 | High | 7.5 | | 2025-09-11 | A potential vulnerability was reported in the Lenovo Wallpaper Client that could allow arbitrary code execution under certain conditions. |
| CVE-2025-8061 | High | 7.0 | | 2025-09-11 | A potential insufficient access control vulnerability was reported in the Lenovo Dispatcher 3.0 and Dispatcher 3.1 drivers used by some Lenovo consumer notebooks that could allow an authenticated local user to execute code with elevated pr… |
| CVE-2025-9214 | Medium | 5.4 | | 2025-09-11 | A missing authentication vulnerability was reported in some Lenovo printers that could allow a user to view limited device information or modify network settings via the CUPS service. |

Razormist · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10082 | High | 7.3 | | 2025-09-08 | A vulnerability has been found in SourceCodester Online Polling System 1.0. |
| CVE-2025-10078 | High | 7.3 | | 2025-09-08 | A vulnerability was detected in SourceCodester Online Polling System 1.0. |
| CVE-2025-10077 | High | 7.3 | | 2025-09-08 | A security vulnerability has been detected in SourceCodester Online Polling System 1.0. |
| CVE-2025-10076 | High | 7.3 | | 2025-09-08 | A weakness has been identified in SourceCodester Online Polling System 1.0. |
| CVE-2025-10075 | Low | 3.5 | | 2025-09-08 | A security flaw has been discovered in SourceCodester Online Polling System 1.0. |

Wavlink · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10324 | High | 7.3 | | 2025-09-12 | A vulnerability was determined in Wavlink WL-WN578W2 221110. |
| CVE-2025-10323 | High | 7.3 | | 2025-09-12 | A vulnerability was found in Wavlink WL-WN578W2 221110. |
| CVE-2025-10325 | Medium | 6.3 | | 2025-09-12 | A vulnerability was identified in Wavlink WL-WN578W2 221110. |
| CVE-2025-10322 | Medium | 5.3 | | 2025-09-12 | A vulnerability has been found in Wavlink WL-WN578W2 221110. |
| CVE-2025-10321 | Medium | 5.3 | | 2025-09-12 | A flaw has been found in Wavlink WL-WN578W2 221110. |

Xen · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-58143 | Critical | 9.8 | | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: … |
| CVE-2025-58142 | Critical | 9.8 | | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: … |
| CVE-2025-27466 | Critical | 9.8 | | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: … |
| CVE-2025-58145 | High | 7.5 | | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wro… |
| CVE-2025-58144 | High | 7.5 | | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wro… |

Zoom · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-49458 | Medium | 6.5 | | 2025-09-09 | Buffer overflow in certain Zoom Workplace Clients may allow an authenticated user to conduct a denial of service via network access. |
| CVE-2025-58135 | Medium | 5.3 | | 2025-09-09 | Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access. |
| CVE-2025-58134 | Medium | 4.3 | | 2025-09-09 | Incorrect authorization in certain Zoom Workplace Clients for Windows may allow an authenticated user to conduct an impact to integrity via network access. |
| CVE-2025-49461 | Medium | 4.3 | | 2025-09-09 | Cross-site scripting in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access. |
| CVE-2025-49460 | Medium | 4.3 | | 2025-09-09 | Uncontrolled resource consumption in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access. |

10oa · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10274 | Medium | 4.3 | | 2025-09-12 | A security flaw has been discovered in erjinzhi 10OA 1.0. |
| CVE-2025-10272 | Medium | 4.3 | | 2025-09-11 | A vulnerability was determined in erjinzhi 10OA 1.0. |
| CVE-2025-10271 | Medium | 4.3 | | 2025-09-11 | A vulnerability was found in erjinzhi 10OA 1.0. |
| CVE-2025-10273 | Low | 3.5 | | 2025-09-12 | A vulnerability was identified in erjinzhi 10OA 1.0. |

Erlang · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48041 | | | | 2025-09-11 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. |
| CVE-2025-48040 | | | | 2025-09-11 | Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. |
| CVE-2025-48039 | | | | 2025-09-11 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. |
| CVE-2025-48038 | | | | 2025-09-11 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. |

Ethyca · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-57816 | High | 7.5 | | 2025-09-08 | Fides is an open-source privacy engineering platform. |
| CVE-2025-57817 | High | 7.2 | | 2025-09-08 | Fides is an open-source privacy engineering platform. |
| CVE-2025-57815 | Medium | 6.5 | | 2025-09-08 | Fides is an open-source privacy engineering platform. |
| CVE-2025-57766 | Medium | 4.8 | | 2025-09-08 | Fides is an open-source privacy engineering platform. |

Iocoder · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10278 | Medium | 6.3 | | 2025-09-12 | A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. |
| CVE-2025-10277 | Medium | 6.3 | | 2025-09-12 | A vulnerability was detected in YunaiV yudao-cloud up to 2025.09. |
| CVE-2025-10276 | Medium | 6.3 | | 2025-09-12 | A security vulnerability has been detected in YunaiV ruoyi-vue-pro up to 2025.09. |
| CVE-2025-10275 | Medium | 6.3 | | 2025-09-12 | A weakness has been identified in YunaiV yudao-cloud up to 2025.09. |

Labredescefetrj · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-58745 | Critical | 9.9 | | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |
| CVE-2025-58454 | High | 8.2 | | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |
| CVE-2025-58453 | High | 8.2 | | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |
| CVE-2025-58452 | Medium | 6.1 | | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |

Mayurik · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10085 | Medium | 6.3 | | 2025-09-08 | A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. |
| CVE-2025-10083 | Medium | 6.3 | | 2025-09-08 | A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. |
| CVE-2025-10087 | Medium | 4.7 | | 2025-09-08 | A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. |
| CVE-2025-10081 | Medium | 4.7 | | 2025-09-08 | A flaw has been found in SourceCodester Pet Management System 1.0. |

Sap · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-42920 | Medium | 6.1 | | 2025-09-09 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. |
| CVE-2025-42926 | Medium | 5.3 | | 2025-09-09 | SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application. Upon successful exploitation, an unauthenticated attacker could access these fil… |
| CVE-2025-42911 | Medium | 5.0 | | 2025-09-09 | SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. |
| CVE-2025-42918 | Medium | 4.3 | | 2025-09-09 | SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. |

Solax Power · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-36759 | | | | 2025-09-10 | Through the provision of user names, SolaX Cloud will suggest (similar) user accounts and thereby leak sensitive information such as user email addresses and phone numbers. |
| CVE-2025-36758 | | | | 2025-09-10 | It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle. |
| CVE-2025-36757 | | | | 2025-09-10 | It is possible to bypass the administrator login screen on SolaX Cloud. |
| CVE-2025-36756 | | | | 2025-09-10 | A problem with missing authorization on the SolaX Cloud platform allows taking over any SolaX solar panel inverter of which the serial number is known. |

Tautulli · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-58762 | Critical | 9.1 | | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |
| CVE-2025-58761 | High | 8.6 | | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |
| CVE-2025-58760 | High | 8.6 | | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |
| CVE-2025-58763 | High | 8.0 | | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |

Utt · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10172 | High | 8.8 | | 2025-09-09 | A flaw has been found in UTT 750W up to 3.2.2-191225. |
| CVE-2025-10171 | High | 8.8 | | 2025-09-09 | A vulnerability was detected in UTT 1250GW up to 3.2.2-200710. |
| CVE-2025-10170 | High | 8.8 | | 2025-09-09 | A security vulnerability has been detected in UTT 1200GW up to 3.0.0-170831. |
| CVE-2025-10169 | High | 8.8 | | 2025-09-09 | A weakness has been identified in UTT 1200GW up to 3.0.0-170831. |

Zabbix · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-27240 | High | 7.2 | | 2025-09-12 | A Zabbix administrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. |
| CVE-2025-27238 | Low | 3.5 | | 2025-09-12 | Due to a bug in the Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them. |
| CVE-2025-27234 | | | | 2025-09-12 | Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. |
| CVE-2025-27233 | | | | 2025-09-12 | Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. |

Apache · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48208 | High | 8.8 | | 2025-09-09 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. |
| CVE-2025-24404 | High | 8.8 | | 2025-09-09 | XML injection leading to RCE when parsing an HTTP sitemap XML response in Apache HertzBeat. |
| CVE-2025-58782 | Medium | 6.5 | | 2025-09-08 | Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. |

Carmelo · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10104 | High | 7.3 | | 2025-09-08 | A security vulnerability has been detected in code-projects Online Event Judging System 1.0. |
| CVE-2025-10103 | High | 7.3 | | 2025-09-08 | A weakness has been identified in code-projects Online Event Judging System 1.0. |
| CVE-2025-10102 | High | 7.3 | | 2025-09-08 | A security flaw has been discovered in code-projects Online Event Judging System 1.0. |

Cisco · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-20340 | High | 7.4 | | 2025-09-10 | A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected… |
| CVE-2025-20248 | Medium | 6.0 | | 2025-09-10 | A vulnerability in the installation process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR Software image signature verification and load unsigned software on an affected device. |
| CVE-2025-20159 | Medium | 5.3 | | 2025-09-10 | A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features. This vu… |

Dreamstechnologies · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-9114 | Critical | 9.8 | | 2025-09-08 | The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.5.0. |
| CVE-2025-9113 | Critical | 9.8 | | 2025-09-08 | The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.5.3. |
| CVE-2025-9112 | High | 8.8 | | 2025-09-08 | The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.5.0. |

Halo · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-44594 | Critical | 9.1 | | 2025-09-09 | halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url. |
| CVE-2025-44595 | Medium | 6.1 | | 2025-09-09 | Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}. |
| CVE-2025-44593 | Medium | 6.1 | | 2025-09-09 | Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. |

Itsourcecode · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10113 | High | 7.3 | | 2025-09-09 | A security vulnerability has been detected in itsourcecode Student Information Management System 1.0. |
| CVE-2025-10112 | High | 7.3 | | 2025-09-09 | A weakness has been identified in itsourcecode Student Information Management System 1.0. |
| CVE-2025-10111 | High | 7.3 | | 2025-09-08 | A security flaw has been discovered in itsourcecode Student Information Management System 1.0. |

Jinher · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10092 | High | 7.3 | | 2025-09-08 | A vulnerability was found in Jinher OA up to 1.2. |
| CVE-2025-10091 | High | 7.3 | | 2025-09-08 | A vulnerability has been found in Jinher OA up to 1.2. |
| CVE-2025-10090 | High | 7.3 | | 2025-09-08 | A flaw has been found in Jinher OA up to 1.2. |

Miczflor · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10328 | Medium | 6.3 | | 2025-09-12 | A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. |
| CVE-2025-10327 | Medium | 6.3 | | 2025-09-12 | A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. |
| CVE-2025-10326 | Medium | 6.3 | | 2025-09-12 | A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. |

Monai · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-58757 | High | 8.8 | | 2025-09-09 | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. |
| CVE-2025-58756 | High | 8.8 | | 2025-09-09 | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. |
| CVE-2025-58755 | High | 8.8 | | 2025-09-09 | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. |

Nvidia · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-23342 | High | 8.2 | | 2025-09-09 | The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to a privileged account. |
| CVE-2025-23343 | High | 7.6 | | 2025-09-09 | The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to write files to restricted components. |
| CVE-2025-23344 | High | 7.3 | | 2025-09-09 | The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to run code on the platform host as a non-privileged user. |

Portabilis · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10073 | Medium | 4.3 | | 2025-09-08 | A vulnerability was determined in Portabilis i-Educar up to 2.10. |
| CVE-2025-10074 | Low | 3.5 | | 2025-09-08 | A vulnerability was identified in Portabilis i-Educar up to 2.10. |
| CVE-2025-10099 | Low | 2.4 | | 2025-09-08 | A weakness has been identified in Portabilis i-Educar up to 2.10. |

Rathena · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-58447 | Critical | 9.8 | | 2025-09-09 | rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. |
| CVE-2025-58448 | Critical | 9.1 | | 2025-09-09 | rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. |
| CVE-2025-58750 | High | 8.2 | | 2025-09-09 | rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. |

Schneider Electric · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-9997 | | | | 2025-09-09 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in an SSH session. |
| CVE-2025-9996 | | | | 2025-09-09 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH sess… |
| CVE-2025-7746 | | | | 2025-09-09 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow unvalidated data injected by a malicious user to modify or read data in a victim’s br… |

Updf · 3 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10215 | High | 7.8 | | 2025-09-10 | DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a FREngine.dll file of their choice in the 'C:\Users\Public\AppData\Loca… |
| CVE-2025-10214 | High | 7.8 | | 2025-09-10 | DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a FREngine.dll file of their choice in the 'C:\Users\<user>\AppData\Loca… |
| CVE-2025-10213 | High | 7.8 | | 2025-09-10 | DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a dxtn.dll file of their choice in the 'C:\Users\<user>\AppData\Local\Mi… |

Anthropic · 2 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-59041 | Critical | 9.8 | | 2025-09-10 | Claude Code is an agentic coding tool. |
| CVE-2025-58764 | Critical | 9.8 | | 2025-09-10 | Claude Code is an agentic coding tool. |

Apostrophecms · 2 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2014-125128 | Medium | 6.1 | | 2025-09-08 | 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). |
| CVE-2019-25225 | Medium | 6.1 | | 2025-09-08 | `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). |

Ascensio System Sia · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10255 | Low | 3.5 |  | 2025-09-11 | A vulnerability was determined in Ascensio System SIA OnlyOffice up to 12.7.0.
CVE-2025-10254 | Low | 3.5 |  | 2025-09-11 | A vulnerability was found in Ascensio System SIA OnlyOffice up to 12.7.0.

Avigilon · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56267 | Critical | 9.8 |  | 2025-09-08 | A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted Excel file.
CVE-2025-56266 | Critical | 9.8 |  | 2025-09-08 | A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.

Bender · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41682 | High | 8.8 |  | 2025-09-08 | An authenticated, low-privileged attacker can obtain credentials stored on the charge controller, including the manufacturer password.
CVE-2025-41708 | High | 7.4 |  | 2025-09-08 | Due to an insecure default configuration, HTTP is used instead of HTTPS for the web interface.

Campcodes · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10109 | High | 7.3 |  | 2025-09-08 | A vulnerability was determined in Campcodes Online Loan Management System 1.0.
CVE-2025-10108 | High | 7.3 |  | 2025-09-08 | A vulnerability was found in Campcodes Online Loan Management System 1.0.

Cdevroe · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10329 | Medium | 6.3 |  | 2025-09-12 | A vulnerability was detected in cdevroe unmark up to 1.9.3.
CVE-2025-10330 | Medium | 4.3 |  | 2025-09-12 | A flaw has been found in cdevroe unmark up to 1.9.3.

Cern · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59035 | Medium | 4.6 |  | 2025-09-10 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask.
CVE-2025-59034 | Medium | 4.3 |  | 2025-09-10 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask.

Crestron · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47415 |  |  |  | 2025-09-09 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal. This issue affects TOUCHSCREENS x70: from 3.000.0110.001 before 3.001.0031.001.
CVE-2025-47416 |  |  |  | 2025-09-09 | A vulnerability exists in the ConsoleFindCommandMatchList function in libsymproc.

Curl · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9086 | High | 7.5 |  | 2025-09-12 | 1.
CVE-2025-10148 | Medium | 5.3 |  | 2025-09-12 | curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says.
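The curl row above (CVE-2025-10148) turns on one RFC 6455 rule: a client must pick a fresh, unpredictable 32-bit masking key for every frame it sends, not one key per connection. The Python below is an added example written for this listing, not curl's code and not taken from the advisory. It builds masked client frames, models both a conforming sender and one that draws a key once and reuses it (the behaviour the summary describes), and includes the check a reviewer would run over a captured frame sequence to flag key reuse. The class and function names (CorrectSender, StaleMaskSender, reused_mask_keys) are illustrative, and the sample payloads are constructed.

```python
"""Per-frame WebSocket masking (RFC 6455 section 5.3) and a mask-reuse check.

Added example for this listing, not curl's implementation. The names
CorrectSender, StaleMaskSender and reused_mask_keys are illustrative only.
"""
import os
import struct


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR byte i of the payload with key[i % 4]; masking is its own inverse."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, key: bytes, opcode: int = 0x1) -> bytes:
    """Encode one unfragmented client-to-server frame (FIN=1, MASK=1)."""
    header = bytes([0x80 | (opcode & 0x0F)])  # FIN bit plus opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])                            # MASK bit plus 7-bit length
    elif n < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)  # 16-bit extended length
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)  # 64-bit extended length
    return header + key + mask_payload(payload, key)


def parse_client_frame(frame: bytes):
    """Decode a masked client frame; return (opcode, masking key, plaintext payload)."""
    opcode = frame[0] & 0x0F
    if not frame[1] & 0x80:
        raise ValueError("client-to-server frames must carry the MASK bit")
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    key = frame[pos:pos + 4]
    return opcode, key, mask_payload(frame[pos + 4:pos + 4 + n], key)


class CorrectSender:
    """Draws a new key from the entropy source for every frame, as the RFC requires."""

    def __init__(self, key_source=os.urandom):
        self.key_source = key_source  # callable taking a byte count; os.urandom by default

    def send(self, payload: bytes) -> bytes:
        return build_client_frame(payload, self.key_source(4))


class StaleMaskSender:
    """Models the faulty behaviour: one key drawn up front and reused for every frame."""

    def __init__(self, key_source=os.urandom):
        self.key = key_source(4)

    def send(self, payload: bytes) -> bytes:
        return build_client_frame(payload, self.key)


def reused_mask_keys(frames) -> list:
    """Return every masking key that appears on more than one frame in the sequence.

    A conforming client yields an empty list (barring a random 32-bit collision);
    a sender that never refreshes its key yields exactly one entry.
    """
    counts = {}
    for frame in frames:
        _, key, _ = parse_client_frame(frame)
        counts[key] = counts.get(key, 0) + 1
    return [key for key, seen in counts.items() if seen > 1]


if __name__ == "__main__":
    # Constructed sample traffic: three text frames from each kind of sender.
    messages = [b"hello", b"world", b"x" * 300]
    good_sender, bad_sender = CorrectSender(), StaleMaskSender()
    good = [good_sender.send(m) for m in messages]
    bad = [bad_sender.send(m) for m in messages]
    print("conforming sender, reused keys:", reused_mask_keys(good))
    print("stale-mask sender, reused keys:", reused_mask_keys(bad))
```

RFC 6455 requires the key to be unpredictable so that a script driving the client cannot choose the bytes that appear on the wire towards an intermediary; a key that stays fixed after the first frame no longer has that property, which is why reused_mask_keys over a capture of the client under test is the check worth keeping around.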
D-link · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10123 | High | 7.3 |  | 2025-09-09 | A vulnerability was determined in D-Link DIR-823X up to 250416.
CVE-2025-10093 | Medium | 5.3 |  | 2025-09-08 | A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09.

Datahihi1 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58759 | Medium | 5.1 |  | 2025-09-09 | TinyEnv is an environment variable loader for PHP applications.
CVE-2025-58758 | Medium | 5.1 |  | 2025-09-09 | TinyEnv is an environment variable loader for PHP applications.

Delta Electronics · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58321 | Critical | 10.0 |  | 2025-09-11 | Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability.
CVE-2025-58320 | High | 7.3 |  | 2025-09-11 | Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability.

Digiever · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10264 | Critical | 10.0 |  | 2025-09-12 | Certain models of NVR developed by Digiever have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access the system configuration file and obtain plaintext credentials of the NVR and its conn…
CVE-2025-10265 | High | 8.8 |  | 2025-09-12 | Certain models of NVR developed by Digiever have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.

Equalize Digital · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58981 | Medium | 5.4 |  | 2025-09-09 | Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital accessibility-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equ…
CVE-2025-58976 | Medium | 4.3 |  | 2025-09-09 | Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital accessibility-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equ…

Evertz · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10365 |  |  |  | 2025-09-12 | The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application.
CVE-2025-10364 |  |  |  | 2025-09-12 | The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application.

Fortinet · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-45325 | Medium | 6.7 |  | 2025-09-09 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiDDoS-F version 7.0.0 through 7.02 and before 6.6.3 may allow a privileged attacker to execute unauthori…
CVE-2025-53609 | Medium | 4.9 |  | 2025-09-09 | A Relative Path Traversal vulnerability [CWE-23] in FortiWeb 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.2 through 7.0.11 may allow an authenticated attacker to perform an arbitrary file read on the underlying syste…

Foxcms · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56630 | High | 7.3 |  | 2025-09-08 | FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Column.php file.
CVE-2025-10251 | Medium | 6.3 |  | 2025-09-11 | A vulnerability was detected in FoxCMS up to 1.24.

Frenify · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58997 | Critical | 9.6 |  | 2025-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow mow allows Code Injection. This issue affects Mow: from n/a through <= 4.10.
CVE-2025-59005 | Medium | 4.3 |  | 2025-09-09 | Missing Authorization vulnerability in frenify Categorify categorify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Categorify: from n/a through <= 1.0.7.5.

Hoverfly · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-54123 | Critical | 9.8 |  | 2025-09-10 | Hoverfly is an open source API simulation tool.
CVE-2025-54376 | High | 7.5 |  | 2025-09-10 | Hoverfly is an open source API simulation tool.

Jeecg · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10318 | Medium | 6.3 |  | 2025-09-12 | A vulnerability was identified in JeecgBoot up to 3.8.2.
CVE-2025-10319 | Medium | 4.3 |  | 2025-09-12 | A security flaw has been discovered in JeecgBoot up to 3.8.2.

Mikado Themes · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9061 | Medium | 6.4 |  | 2025-09-09 | The Wilmer Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on user supplied attributes.
CVE-2025-9058 | Medium | 6.4 |  | 2025-09-09 | The Mikado Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes.

Mythemeshop · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8425 | High | 8.8 |  | 2025-09-11 | The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including…
CVE-2025-8423 | Medium | 5.4 |  | 2025-09-11 | The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1.

Newtype Infortech · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10266 | Critical | 9.8 |  | 2025-09-12 | NUP Pro developed by NewType Infortech has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-10267 | Medium | 5.3 |  | 2025-09-12 | NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files.

Openprinting · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58060 | High | 8.0 |  | 2025-09-11 | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems.
CVE-2025-58364 | Medium | 6.5 |  | 2025-09-11 | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems.

Palo Alto Networks · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4235 |  |  |  | 2025-09-12 | An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations.
CVE-2025-4234 |  |  |  | 2025-09-12 | A problem with the Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack can result in exposure of user credentials in application logs.

Prebid · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59039 |  |  |  | 2025-09-09 | Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats.
CVE-2025-59038 |  |  |  | 2025-09-09 | Prebid.js is a free and open source library for publishers to quickly implement header bidding.

Roncoo · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10288 | Medium | 5.3 |  | 2025-09-12 | A vulnerability was found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40.
CVE-2025-10287 | Low | 3.1 |  | 2025-09-12 | A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40.

Rubengc · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9539 | High | 8.0 |  | 2025-09-09 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_impor…
CVE-2025-9542 | Medium | 5.4 |  | 2025-09-09 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin…

Samsung · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-21043 | High | 8.8 | KEV | 2025-09-12 | Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.
CVE-2025-21042 | High | 8.8 | KEV | 2025-09-12 | Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code.

Sim · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10097 | Medium | 6.3 |  | 2025-09-08 | A vulnerability was identified in SimStudioAI sim up to 1.0.0.
CVE-2025-10096 | Medium | 6.3 |  | 2025-09-08 | A vulnerability was determined in SimStudioAI sim up to 1.0.0.

Solwin · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47695 | High | 7.5 |  | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in solwin Blog Designer PRO blog-designer-pro. This issue affects Blog Designer PRO: from n/a through <= 3.4.7.
CVE-2025-47694 | High | 7.1 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO blog-designer-pro. This issue affects Blog Designer PRO: from n/a through <= 3.4.7.

Unknown · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9034 | Medium | 6.1 |  | 2025-09-11 | The Wp Edit Password Protected WordPress plugin before 1.3.5 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.
CVE-2025-3650 | Low | 3.5 |  | 2025-09-12 | The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrat…

Vitejs · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58752 | Medium | 5.3 |  | 2025-09-08 | Vite is a frontend tooling framework for JavaScript.
CVE-2025-58751 | Medium | 5.3 |  | 2025-09-08 | Vite is a frontend tooling framework for JavaScript.

Webcodingplace · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9874 | High | 7.5 |  | 2025-09-11 | The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode.
CVE-2025-0763 | Medium | 4.3 |  | 2025-09-11 | The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.7.

Xwiki · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-55728 | Critical | 10.0 |  | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence.
CVE-2025-55727 | Critical | 10.0 |  | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence.

Xwikisas · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-55730 | Critical | 10.0 |  | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence.
CVE-2025-55729 | Critical | 10.0 |  | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence.

Yonifre · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9979 | Medium | 4.3 |  | 2025-09-10 | The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior.
CVE-2025-9888 | Medium | 4.3 |  | 2025-09-10 | The Maspik – Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6.

Zoom Communications, Inc · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-49459 | High | 7.8 |  | 2025-09-09 | Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6.5.0 may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2025-58131 | Medium | 6.6 |  | 2025-09-09 | Race condition in the Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon before version 6.4.10 (or before 6.2.15 and 6.3.12 in their respective tracks) may allow an authenticated user to conduct a disclosure of informat…

51mis · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-5005 | High | 7.3 |  | 2025-09-09 | A vulnerability was detected in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.5.4.

9001 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58753 | High | 7.5 |  | 2025-09-09 | Copyparty is a portable file server.

Aaluoxiang · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-29592 | Medium | 5.6 |  | 2025-09-10 | oasys v1.1 is vulnerable to Directory Traversal in ProcedureController.

Akoskm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-54994 |  |  |  | 2025-09-08 | @akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport.

Alexandre Froger · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-30875 | Medium | 5.9 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexandre Froger WP Weixin wp-weixin allows Stored XSS. This issue affects WP Weixin: from n/a through <= 1.3.16.

Ami · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-33045 | High | 8.2 |  | 2025-09-09 | APTIOV contains vulnerabilities in the BIOS where a privileged user may cause “Write-what-where Condition” and “Exposure of Sensitive Information to an Unauthorized Actor” through local access.

Amped Rf · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9994 | Critical | 9.8 |  | 2025-09-09 | The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.

Andy_moyle · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39553 | Medium | 4.3 |  | 2025-09-09 | Missing Authorization vulnerability in andy_moyle Church Admin church-admin. This issue affects Church Admin: from n/a through <= 5.0.9.

Angular · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59052 |  |  |  | 2025-09-10 | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages.

Antoineh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58987 | Medium | 6.5 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool football-pool allows Stored XSS. This issue affects Football Pool: from n/a through <= 2.12.6.

Arjunthakur · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-6189 | Medium | 6.5 |  | 2025-09-10 | The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of suf…

Arm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-3212 | Medium | 5.3 |  | 2025-09-08 | Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU memory processing oper…

Aurelienlws · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8575 | High | 7.2 |  | 2025-09-12 | The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3.

Awesomesupport · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-53340 | Medium | 5.3 |  | 2025-09-09 | Missing Authorization vulnerability in awesomesupport Awesome Support awesome-support allows Retrieve Embedded Sensitive Data. This issue affects Awesome Support: from n/a through <= 6.3.6.

Axios · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58754 | High | 7.5 |  | 2025-09-12 | Axios is a promise based HTTP client for the browser and Node.js.

Azon Dominator · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40725 |  |  |  | 2025-09-10 | Reflected Cross-Site Scripting (XSS) vulnerability in Azon Dominator.

Azurecurve · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8398 | Medium | 6.4 |  | 2025-09-11 | The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplie…

Bearsthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10134 | Critical | 9.1 |  | 2025-09-09 | The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2.

Beckhoff · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41701 | High | 7.8 |  | 2025-09-09 | An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool.

Benimpos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-57392 | High | 7.8 |  | 2025-09-10 | BenimPOS Masaustu 3.0.x is affected by insecure file permissions.

Berqwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58979 | Medium | 5.3 |  | 2025-09-09 | Missing Authorization vulnerability in BerqWP BerqWP searchpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BerqWP: from n/a through <= 2.2.53.

Bessermitfahren · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8392 | Medium | 6.4 |  | 2025-09-11 | The Mitfahrgelegenheit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘date’ parameter in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping.

Beyondcart · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8570 | Critical | 9.8 |  | 2025-09-11 | The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1.

Binary-husky · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10236 | Medium | 4.3 |  | 2025-09-11 | A vulnerability has been found in binary-husky gpt_academic up to 3.91.

Bmarshall511 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8318 | Medium | 6.4 |  | 2025-09-11 | The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘keyword’ parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping.

Broadcom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9059 |  |  |  | 2025-09-11 | The Altiris Core Agent Updater package (AeXNSC.exe) is prone to an elevation of privileges vulnerability through DLL hijacking.

Catfolders · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9776 | Medium | 6.5 |  | 2025-09-11 | The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user…

Cbutlerjr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9489 | Medium | 5.0 |  | 2025-09-09 | The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2.

Chuck24 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10117 | Low | 3.5 |  | 2025-09-09 | A weakness has been identified in SourceCodester Simple To-Do List System 1.0.

Codecept · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-57285 | Critical | 9.8 |  | 2025-09-08 | codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js).

Convers Lab · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32689 | High | 7.5 |  | 2025-09-09 | Improper Validation of Specified Quantity in Input vulnerability in Convers Lab WP SmartPay smartpay. This issue affects WP SmartPay: from n/a through <= 2.8.2.

Coredns · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58063 | High | 7.1 |  | 2025-09-09 | CoreDNS is a DNS server that chains plugins.

Cristiano Zanca · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58991 | High | 7.1 |  | 2025-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in Cristiano Zanca WooCommerce Booking Bundle Hours allows Stored XSS.

Cssigniterteam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8689 | Medium | 6.4 |  | 2025-09-11 | The Elements Plus!

Cyberchimps · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8215 | Medium | 6.4 |  | 2025-09-11 | The Responsive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user suppl…

Daikin Europe N.v · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10127 | Critical | 9.8 |  | 2025-09-11 | Daikin Europe N.V Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication.

Danny-avila · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-6088 | Low | 3.1 |  | 2025-09-11 | In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known.

Dasinfomedia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-7049 | High | 8.8 |  | 2025-09-10 | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key.

Dejocar · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9880 | Medium | 6.1 |  | 2025-09-12 | The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.

Devitems · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58990 | Medium | 6.5 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DevItems ShopLentor woolentor-addons allows Stored XSS. This issue affects ShopLentor: from n/a through <= 3.2.0.

Display Painéis · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10245 | Medium | 4.3 |  | 2025-09-11 | A security flaw has been discovered in Display Painéis TGA up to 7.1.41.

Dji · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10250 | Medium | 5.0 |  | 2025-09-11 | A weakness has been identified in DJI Mavic Spark, Mavic Air and Mavic Mini 01.00.0500.

Dontcare · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9623 | Medium | 4.3 |  | 2025-09-11 | The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.

Dpgaspar · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58065 | Medium | 6.5 |  | 2025-09-11 | Flask-AppBuilder is an application development framework.

Dstack-tee · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59054 |  |  |  | 2025-09-12 | dstack is a software development kit (SDK) to simplify the deployment of arbitrary containerized apps into trusted execution environments.

Duckdb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59037 |  |  |  | 2025-09-09 | DuckDB is an analytical in-process SQL database management system.

Easeus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-50892 | High | 7.8 |  | 2025-09-10 | The eudskacs.sys driver version 20250328 shipped with EaseUs Todo Backup 1.2.0.1 fails to properly validate privileges for I/O requests (IRP_MJ_READ/IRP_MJ_WRITE) sent to its device object.

Edsteep · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9620 | Medium | 6.1 |  | 2025-09-11 | The Seo Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.3.

Eideasy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9128 | Medium | 6.4 |  | 2025-09-11 | The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitization and output escaping.

Eladmin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10084 | Medium | 4.3 |  | 2025-09-08 | A vulnerability was identified in elunez eladmin up to 2.7.

Elangovan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9877 | Medium | 6.4 |  | 2025-09-12 | The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user…

Element-plus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-57665 | Medium | 6.4 |  | 2025-09-09 | Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors.

Eliehanna · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8889 | Low | 3.8 |  | 2025-09-09 | The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in mult…

Emiloi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10118 | High | 7.3 |  | 2025-09-09 | A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0.

Evenium · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9850 | Medium | 6.4 |  | 2025-09-11 | The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'evenium_single_event' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user…

Evidentlycube · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9617 | Medium | 5.3 |  | 2025-09-11 | The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.

Fassionstorage · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8422 | High | 7.5 |  | 2025-09-11 | The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function.

Fernandiez · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-7843 | Medium | 6.4 |  | 2025-09-10 | The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function.

Ffmpeg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9951 |  |  |  | 2025-09-09 | A heap-buffer-overflow write exists in FFmpeg's jpeg2000dec, which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.

Fit2cloud · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56413 | High | 8.8 |  | 2025-09-10 | OS Command injection vulnerability in function OperateSSH in 1panel 2.0.8 allowing attackers to execute arbitrary commands via the operation parameter to the /api/v2/hosts/ssh/operate endpoint.

Flowiseai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58434 | Critical | 9.8 |  | 2025-09-12 | Flowise is a drag & drop user interface to build a customized large language model flow.

Fuyang_lipengjun · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10086 | Medium | 6.3 |  | 2025-09-08 | A weakness has been identified in fuyang_lipengjun platform 1.0.0.

Fwdesign · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-49430 | High | 7.2 |  | 2025-09-09 | Server-Side Request Forgery (SSRF) vulnerability in FWDesign Ultimate Video Player fwduvp allows Server Side Request Forgery. This issue affects Ultimate Video Player: from n/a through <= 10.1.

Gavias · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58215 | High | 8.1 |  | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Ziston ziston allows PHP Local File Inclusion. This issue affects Ziston: from n/a through < 1.4.5.

Geeeeeeeek · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-48341 | Low | 3.7 |  | 2025-09-08 | dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=addShop.

Germanpearls · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9018 | High | 8.8 |  | 2025-09-11 | The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and incl…

Goodbarber · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39523 | Medium | 4.7 |  | 2025-09-09 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in GoodBarber GoodBarber goodbarber. This issue affects GoodBarber: from n/a through <= 1.0.26.

Google · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10201 | High | 8.8 |  | 2025-09-10 | Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site isolation via a crafted HTML page.

Google Cloud · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9918 |  |  |  | 2025-09-11 | A Path Traversal vulnerability in the archive extraction component in Google SecOps SOAR Server (versions 6.3.54.0, 6.3.53.2, and all prior versions) allows an authenticated attacker with permissions to import Use Cases to achieve Remote C…

Grandstream Networks · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40979 |  |  |  | 2025-09-10 | DLL search order hijacking vulnerability in the wave.exe executable for Windows 11, version 1.27.8.

Gyaku · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9631 | Medium | 4.3 |  | 2025-09-11 | The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4.

Heateor · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9857 | Medium | 6.4 |  | 2025-09-10 | The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitizatio…

Helmut Wandl · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58975 | Medium | 4.3 |  | 2025-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through <= 3.1.1.

Highwarden · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47571 | High | 7.5 |  | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in highwarden Super Store Finder superstorefinder-wp allows PHP Local File Inclusion. This issue affects Super Store Finde…

Himmelblau-idm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59044 | Medium | 4.4 |  | 2025-09-09 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune.

Hjsoft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10197 | Medium | 6.3 |  | 2025-09-10 | A vulnerability was found in HJSoft HCM Human Resources Management System up to 20250822.

Hono · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59139 | Medium | 5.3 |  | 2025-09-12 | Hono is a Web application framework that provides support for any JavaScript runtime.

Hossein · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32486 | Critical | 9.8 |  | 2025-09-09 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard material-dashboard. This issue affects Material Dashboard: from n/a through <= 1.4.6.

Huggingface · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-6638 | High | 7.5 |  | 2025-09-12 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method.

Iambriansreed · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8280 | Medium | 5.8 |  | 2025-09-12 | The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

Ideaboxcreations · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8388 | Medium | 6.4 |  | 2025-09-10 | The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor_url’ parameter in all versions up to, and including, 2.9.4 due to insufficient input…

Idiatech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8417 | High | 8.1 |  | 2025-09-11 | The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4.

Ieaturanium238 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58451 |  |  |  | 2025-09-08 | Cattown is a JavaScript markdown parser.

Info@welcart · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58984 | Medium | 5.9 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Stored XSS. This issue affects Welcart e-Commerce: from n/a through <= 2.11.20.

Instantcms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59055 | Medium | 4.7 |  | 2025-09-11 | InstantCMS is a free and open source content management system.

Intelbras · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-55976 | High | 8.4 |  | 2025-09-10 | Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint.

Intelliants · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56556 | Low | 3.8 |  | 2025-09-11 | An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated privileges in the context of the SQL quer…

Isc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8696 | High | 7.5 |  | 2025-09-10 | If an unauthenticated user sends a large amount of data to the Stork UI, it may cause memory and disk use problems for the system running the Stork server.

Ishan001 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9635 | Medium | 4.3 |  | 2025-09-11 | The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.

Itcube Software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-5993 |  |  |  | 2025-09-08 | ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal.

Iteachyou · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10320 | Low | 3.1 |  | 2025-09-12 | A vulnerability was detected in iteachyou Dreamer CMS up to 4.1.3.2.

Izem · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9627 | Medium | 4.3 |  | 2025-09-11 | The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10.

Jegerwan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9634 | Medium | 4.3 |  | 2025-09-11 | The Plugin updates blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.

Jensg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9881 | Medium | 6.1 |  | 2025-09-12 | The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2.

Jh5ru · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9628 | Medium | 4.3 |  | 2025-09-11 | The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1.

Joe Dolson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58988 | Medium | 6.5 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Dolson My Tickets my-tickets allows Stored XSS. This issue affects My Tickets: from n/a through <= 2.0.22.

Junkurihara · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59058 | Medium | 5.9 |  | 2025-09-12 | httpsig-rs is a Rust implementation of IETF RFC 9421 HTTP message signatures.

Kalcaddle · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10233 | Medium | 6.3 |  | 2025-09-10 | A security vulnerability has been detected in kalcaddle kodbox 1.61.

Kamilkhan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8692 | Medium | 4.9 |  | 2025-09-11 | The Coupon API plugin for WordPress is vulnerable to SQL Injection via the ‘log_duration’ parameter in all versions up to, and including, 6.2.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation…

Khaledsaikat · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9693 | High | 8.0 |  | 2025-09-11 | The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and includi…

Kiosoft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8699 | Critical | 9.1 |  | 2025-09-12 | Some "Stored Value" Unattended Payment Solutions of KioSoft use vulnerable NFC cards.

Knadh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58430 | Medium | 6.1 |  | 2025-09-09 | listmonk is a standalone, self-hosted, newsletter and mailing list manager.

Kovah · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-53838 | Medium | 5.4 |  | 2025-09-08 | LinkAce is a self-hosted archive to collect website links.

Laborator · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-53348 | Medium | 5.3 |  | 2025-09-09 | Missing Authorization vulnerability in Laborator Kalium kalium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Kalium: from n/a through <= 3.18.3.

Laki_patel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-7826 | Medium | 6.5 |  | 2025-09-10 | The Testimonial plugin for WordPress is vulnerable to SQL Injection via the 'iNICtestimonial' shortcode in all versions up to, and including, 2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio…

Langchaingo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9556 | Critical | 9.8 |  | 2025-09-12 | Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3. Gonja supports include and extends syntax to read files, which leads to a server side template injection vulnerabi…

Lb-link · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-57278 | High | 8.8 |  | 2025-09-09 | The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling.

Lexmark · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9269 |  |  |  | 2025-09-09 | A Server-Side Request Forgery (SSRF) vulnerability has been identified in the embedded web server in various Lexmark devices.

Libxml2 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9714 | Medium | 6.2 |  | 2025-09-10 | Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions.

Linlinjava · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10291 | Medium | 6.3 |  | 2025-09-12 | A weakness has been identified in linlinjava litemall up to 1.8.0.

Litespeed Technologies · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47437 | Medium | 6.4 |  | 2025-09-09 | Server-Side Request Forgery (SSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache. This issue affects LiteSpeed Cache: from n/a through <= 7.0.1.

Litmus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56405 | High | 7.5 |  | 2025-09-10 | An issue was discovered in litmusautomation litmus-mcp-server through 0.0.1 allowing unauthorized attackers to control the target's MCP service through the SSE protocol.

Livingos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9861 | Medium | 6.4 |  | 2025-09-11 | The ThemeLoom Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'los_showposts' shortcode in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping on us…

Lmsys · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10164 | High | 7.3 |  | 2025-09-09 | A security flaw has been discovered in lmsys sglang 0.4.6.

Lokibhardwaj · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10246 | Low | 3.5 |  | 2025-09-11 | A weakness has been identified in lokibhardwaj PHP-Code-For-Unlimited-File-Upload up to 124fe96324915490c81eaf7db3234b0b4e4bab3c.

Lostvip · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10218 | Medium | 6.3 |  | 2025-09-10 | A flaw has been found in lostvip-com ruoyi-go 2.1.

Maccms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10122 | Medium | 4.7 |  | 2025-09-09 | A vulnerability was found in Maccms10 2025.1000.4050.

Maheshmthorat · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9073 | High | 7.5 |  | 2025-09-11 | The All in one Minifier plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio…

Mahocommerce · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58449 |  |  |  | 2025-09-08 | Maho is a free and open source ecommerce platform.

Majestic Support · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-49860 | Medium | 5.3 |  | 2025-09-09 | Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support. This issue affects Majestic Support: from n/a through <= 1.1.0.

Manchumahara · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9123 | Medium | 6.4 |  | 2025-09-11 | The CBX Map for Google Map & OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup heading and location address parameters in all versions up to, and including, 2.0.1 due to insufficient input saniti…

Mariadb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56404 | High | 7.5 |  | 2025-09-10 | An issue was discovered in MariaDB MCP 0.1.0 allowing attackers to gain sensitive information via the SSE service, because the SSE service lacks user validation.

Markohoven · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10126 | Medium | 6.4 |  | 2025-09-10 | The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user sup…

Martins56 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10142 | Medium | 4.9 |  | 2025-09-10 | The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and la…

Masterlifecrm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56466 | High | 7.5 |  | 2025-09-10 | Hardcoded credentials in Dietly v1.25.0 for Android allow attackers to gain sensitive information.

Matrix-org · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59047 |  |  |  | 2025-09-11 | matrix-sdk-base is the base component to build a Matrix client library.

Mdimran41 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8481 | Medium | 4.3 |  | 2025-09-11 | The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7.

Metaphorcreations · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8085 | High | 8.6 |  | 2025-09-08 | The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

Mezereon · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-55998 | High | 8.1 |  | 2025-09-08 | A cross-site scripting (XSS) vulnerability in Smart Search & Filter Shopify and BigCommerce apps allows a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into several filter pa…

Miriamgoldman · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8721 | Medium | 6.4 |  | 2025-09-11 | The Workable Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's workable_jobs shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supp…

Mlehmann · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40928 | High | 7.5 |  | 2025-09-08 | JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact.

Mockoon · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59049 | High | 7.5 |  | 2025-09-10 | Mockoon provides a way to design and run mock APIs.

Modelcontextprotocol · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58444 |  |  |  | 2025-09-08 | The MCP inspector is a developer tool for testing and debugging MCP servers.

Moeru-ai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59053 | Critical | 9.6 |  | 2025-09-11 | AIRI is a self-hosted, artificial intelligence based Grok Companion.

Moreirapontocom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8316 | Medium | 6.4 |  | 2025-09-11 | The Certifica WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘evento’ parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping.

Multi-purpose Inventory Management System · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40641 |  |  |  | 2025-09-08 | Stored Cross-site Scripting (XSS) vulnerability in Multi-Purpose Inventory Management System due to lack of proper validation of user input, triggered by sending a POST request using the product_name parameter in /Controll…

N-able · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10231 | High | 7.0 |  | 2025-09-10 | An Incorrect File Handling Permission bug exists on the N-central Windows Agent and Probe that, in the right circumstances, can allow a local low-level user to run commands with elevated permissions.

N8n · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56265 | High | 8.8 |  | 2025-09-08 | An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file.

Natata7 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9860 | Medium | 6.4 |  | 2025-09-11 | The Mixtape plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mixtape' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attrib…

Nebojsa · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32688 | Medium | 5.4 |  | 2025-09-09 | Missing Authorization vulnerability in Nebojsa Target Video Easy Publish brid-video-easy-publish. This issue affects Target Video Easy Publish: from n/a through <= 3.8.9.

Neo4j · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10193 |  |  |  | 2025-09-11 | DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user…
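
A DNS rebinding attack of the kind described in this entry reaches a loopback-bound server with the attacker's hostname in the HTTP Host header: the victim's browser resolved attacker.example to 127.0.0.1 after a short TTL, but still believes it is talking to attacker.example. The check below is an added example, not Neo4j's or the MCP SDK's code. The allowlisted origin, the port numbers and the sample requests are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames a loopback-bound tool server should answer to. Assumed
# configuration for this example, not Neo4j's.
LOCAL_NAMES = {"localhost"}

# Browser origins allowed to call the server. Hypothetical value: the one
# local UI that legitimately talks to it. Everything else is rejected.
ALLOWED_ORIGINS = {"http://localhost:6274"}


def _names_local_machine(hostname):
    """True for 'localhost' or any loopback IP literal (127.0.0.0/8, ::1)."""
    if hostname in LOCAL_NAMES:
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        # Not an IP literal: attacker.example, 127.0.0.1.nip.io, ...
        return False


def host_header_is_local(host_header):
    """Validate the HTTP Host header of a request to a local server.

    After rebinding, attacker.example resolves to 127.0.0.1 but the browser
    still sends 'Host: attacker.example[:port]'. Rejecting any Host that does
    not name the local machine stops the request before a tool is invoked.
    """
    if not host_header:
        return False
    try:
        parts = urlsplit("//" + host_header)  # handles [::1]:port and IPv4:port
        hostname = parts.hostname              # lower-cased, brackets stripped
        _ = parts.port                         # raises ValueError on a junk port
    except ValueError:
        return False
    return hostname is not None and _names_local_machine(hostname)


def request_allowed(headers):
    """Return (allowed, reason) for a request's headers (a plain dict)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not host_header_is_local(lowered.get("host")):
        return False, "Host header does not name the local machine (possible DNS rebinding)"
    origin = lowered.get("origin")
    # Non-browser clients send no Origin; a browser always sends one on a
    # cross-site request, so an unexpected Origin means a web page is driving this call.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "browser request from a non-allowlisted Origin"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "cli_client":     {"Host": "localhost:8000"},
    "allowed_ui":     {"Host": "127.0.0.1:8000", "Origin": "http://localhost:6274"},
    "dns_rebinding":  {"Host": "attacker.example:8000", "Origin": "http://attacker.example"},
    "cross_origin":   {"Host": "[::1]:8000", "Origin": "https://evil.example"},
    "lookalike_host": {"Host": "localhost.attacker.example"},
}


def run_samples():
    """Map each sample name to whether the server would act on the request."""
    return {name: request_allowed(h)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in run_samples().items():
        print(f"{name:15} -> {'allowed' if allowed else 'rejected'}")
```

The Host check alone defeats rebinding, because the browser cannot forge that header; the Origin check additionally closes the case where the server is reachable under a local name but a page on another origin is issuing the requests. Binding the listener to 127.0.0.1 rather than 0.0.0.0 is still necessary, since neither check helps against a client on the same network that writes its own headers.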

Nik00726 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10049 | High | 7.2 |  | 2025-09-10 | The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24.

Ninofiliu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59046 | Critical | 9.8 |  | 2025-09-09 | The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line.

Nitropack · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8778 | Medium | 4.3 |  | 2025-09-10 | The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4.

Octoprint · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58180 | High | 8.8 |  | 2025-09-09 | OctoPrint provides a web interface for controlling consumer 3D printers.

Opentext · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8716 |  |  |  | 2025-09-11 | In Content Management versions 20.4 to 25.3, authenticated attackers may exploit a complex cache poisoning technique to download unprotected files from the server if the filenames are known.

Opexus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58462 | Critical | 9.8 |  | 2025-09-09 | OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx.

Opsmill · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59036 | Medium | 5.5 |  | 2025-09-09 | Infrahub offers a central hub to manage data, templates, and playbooks.

Oretnom23 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10100 | High | 7.3 |  | 2025-09-08 | A vulnerability was detected in SourceCodester Simple Forum Discussion System 1.0.

Osc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58435 |  |  |  | 2025-09-09 | Open OnDemand is an open-source HPC portal.

Papermerge · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10209 | Medium | 5.4 |  | 2025-09-10 | A security flaw has been discovered in Papermerge DMS up to 3.5.3.

Peachpay · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9463 | Medium | 6.5 |  | 2025-09-10 | The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 1.117.5 due to…

Pega · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8681 | Medium | 5.5 |  | 2025-09-10 | Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component.

Pixel_prime · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-7718 | High | 8.8 |  | 2025-09-10 | The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4.

Pixeline · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58982 | Medium | 5.9 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline's Email Protector pixelines-email-protector allows Stored XSS. This issue affects Pixeline's Email Protector: from n/a t…

Pjuhasz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40930 | High | 7.5 |  | 2025-09-08 | JSON::SIMD before version 1.07 and earlier for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact.

Presstigers · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59008 | High | 7.6 |  | 2025-09-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PressTigers ZIP Code Based Content Protection zip-code-based-content-protection allows SQL Injection. This issue affects ZIP Code Based Co…

Prest · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58450 |  |  |  | 2025-09-08 | pREST (PostgreSQL REST) is an API that delivers an application on top of a Postgres database.

Proximus Sp. Z O.o. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10095 |  |  |  | 2025-09-09 | A SQL injection vulnerability has been identified in the SMPP server component of the SMSEagle firmware, specifically affecting the handling of certain parameters within the server's database interactions.

Pyinstaller · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59042 |  |  |  | 2025-09-09 | PyInstaller bundles a Python application and all its dependencies into a single package.

Quantumcloud · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9111 | Low | 3.5 |  | 2025-09-09 | The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm…

Recorp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58980 | Medium | 5.3 |  | 2025-09-09 | Missing Authorization vulnerability in recorp Export WP Page to Static HTML/CSS export-wp-page-to-static-html allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Export WP Page to Static HTML/CSS: from n/a th…

Red Hat · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8277 | Low | 3.1 |  | 2025-09-09 | A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses.

Rejuancse · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-5801 | Medium | 6.4 |  | 2025-09-11 | The Digital Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘column’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping.

Rems · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10088 | Low | 3.5 |  | 2025-09-08 | A vulnerability was detected in SourceCodester Time Tracker 1.0.

Rhys Wynne · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58977 | Medium | 4.9 |  | 2025-09-09 | Server-Side Request Forgery (SSRF) vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Server Side Request Forgery. This issue affects WP eBay Product Feeds: from n/a through <= 3.4.8.

Ricoh Company, Ltd. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58422 | Low | 3.1 |  | 2025-09-08 | RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history.

Roland Murg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-39541 | Medium | 6.5 |  | 2025-09-09 | Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar wp-simple-booking-calendar. This issue affects WP Simple Booking Calendar: from n/a through <= 2.0.13.

Running-elephant · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10080 | Low | 3.1 |  | 2025-09-08 | A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3.

Rurban · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40929 | Medium | 5.6 |  | 2025-09-08 | Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact.

Saleor · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58442 | Medium | 5.3 |  | 2025-09-09 | Saleor is an e-commerce platform.

Seat · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10252 | Low | 3.1 |  | 2025-09-11 | A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827.

Shaikhaezaz80 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8445 | Medium | 6.4 |  | 2025-09-11 | The Countdown Timer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'countdown_label' parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping.

Shawfactor · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9633 | Medium | 4.3 |  | 2025-09-11 | The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83.

Shibboleth · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9943 | Critical | 9.1 |  | 2025-09-10 | An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service.
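
The replay cache records the ID of every SAML message the SP has accepted so the same message cannot be presented twice. When that store is a SQL database, an ID copied into the query text is an injection point that an unauthenticated sender reaches before any signature or assertion is evaluated for authentication, because the replay check runs on the ID first. The sqlite3 model below is an added example, not Shibboleth SP code: it runs the same crafted IDs through a string-spliced cache and a parameterized one. The table name, TTL and IDs are constructed for the demonstration.

```python
import sqlite3

SCHEMA = "CREATE TABLE replay (id TEXT PRIMARY KEY, expires INTEGER NOT NULL)"


class ReplayCache:
    """Replay cache keyed by a SAML Response/Assertion ID attribute.

    Models the job of a SQL-backed storage service: an ID seen before its
    expiry time is a replay and must be rejected. Illustrative code only.
    """

    def __init__(self, parameterized):
        self.parameterized = parameterized
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)

    def seen_before(self, message_id, now):
        if self.parameterized:
            # Safe: the ID travels as a bound parameter, never as SQL text.
            row = self.conn.execute(
                "SELECT COUNT(*) FROM replay WHERE id = ? AND expires > ?",
                (message_id, now),
            ).fetchone()
        else:
            # VULNERABLE: the ID arrives in an unauthenticated SAML message
            # and is spliced straight into the statement.
            row = self.conn.execute(
                f"SELECT COUNT(*) FROM replay WHERE id = '{message_id}' "
                f"AND expires > {now}"
            ).fetchone()
        return row[0] > 0

    def check_and_store(self, message_id, now, ttl=300):
        """True if the message is fresh (and is now recorded); False on replay."""
        if self.seen_before(message_id, now):
            return False
        if self.parameterized:
            self.conn.execute(
                "INSERT OR REPLACE INTO replay (id, expires) VALUES (?, ?)",
                (message_id, now + ttl),
            )
        else:
            self.conn.execute(
                f"INSERT OR REPLACE INTO replay (id, expires) "
                f"VALUES ('{message_id}', {now + ttl})"
            )
        return True


# Constructed IDs for the demonstration. The sender of a SAML message
# chooses every byte of its ID attribute.
LEGIT_ID = "_a1b2c3d4e5f6"
INJECT_ID = "_x' OR 1=1 --"   # comments out the expiry check and matches every row
BROKEN_ID = "_y'"             # unbalanced quote: a syntax error on the spliced path


def compare(message_id, now=1_000):
    """Outcome of presenting message_id to both caches after one legitimate message."""
    results = {}
    for label, parameterized in (("spliced", False), ("parameterized", True)):
        cache = ReplayCache(parameterized)
        cache.check_and_store(LEGIT_ID, now)
        try:
            results[label] = cache.check_and_store(message_id, now)
        except sqlite3.Error as exc:
            results[label] = f"error: {type(exc).__name__}"
    return results


if __name__ == "__main__":
    for mid in (LEGIT_ID, INJECT_ID, BROKEN_ID):
        print(repr(mid), compare(mid))
```

With the spliced cache, a sender-chosen ID decides the outcome of the replay check: `_x' OR 1=1 --` is reported as a replay of a message it never matched, so every fresh login using that shape of ID is rejected, and a stray quote turns into a database error on the authentication path. With bound parameters the same strings are nothing more than 13- and 3-byte keys. Whatever the real storage backend, the fix is the same: the ID must never be concatenated into SQL, and the check that protects against replay must not itself be reachable by unauthenticated SQL.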

Silabs.com · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-7448 |  |  |  | 2025-09-12 | Wi-SUN: unexpected 4-Way Handshake packet receptions may lead to predictable keys, potentially enabling a man-in-the-middle (MitM) attack.

Silverplugins217 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58989 | Medium | 6.5 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silverplugins217 Dynamic Text Field For Contact Form 7 dynamic-text-field-for-contact-form-7 allows Stored XSS. This issue affects Dynamic…

Slowmove · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9879 | Medium | 6.4 |  | 2025-09-12 | The Spotify Embed Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotify' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user…

Smackcoders · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10040 | High | 7.7 |  | 2025-09-10 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27.

Smartcatai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9451 | Medium | 6.5 |  | 2025-09-11 | The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.72 due to insufficient escaping on the user supplied parameter and lack o…

Softmus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8691 | Medium | 6.4 |  | 2025-09-11 | The WP Scriptcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping.

Sophos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10159 | Critical | 9.8 |  | 2025-09-09 | An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7).

Spoddev2021 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-53291 | Medium | 5.4 |  | 2025-09-09 | Missing Authorization vulnerability in spoddev2021 Spreadconnect wc-spod. This issue affects Spreadconnect: from n/a through <= 2.1.5.

Sqlite · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-7709 |  |  |  | 2025-09-08 | An integer overflow exists in the FTS5 extension (https://sqlite.org/fts5.html).

Stalwartlabs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59045 |  |  |  | 2025-09-10 | Stalwart is a mail and collaboration server.

Stefano Lissa · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58983 | Medium | 5.9 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stefano Lissa Include Me include-me allows Stored XSS. This issue affects Include Me: from n/a through <= 1.3.2.

Stellarwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9807 | High | 7.5 |  | 2025-09-12 | The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient pr…

Teccom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10183 | Critical | 9.1 |  | 2025-09-09 | A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server.

Tenda · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10120 | High | 8.8 |  | 2025-09-09 | A vulnerability was detected in Tenda AC20 up to 16.03.08.12.

Theme-spirit · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10269 | High | 7.5 |  | 2025-09-12 | The Spirit Framework plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.13.

Themegoods · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47579 | Critical | 9.0 |  | 2025-09-09 | Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection. This issue affects Photography: from n/a through <= 7.7.2.

Thememove · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-53303 | High | 8.8 |  | 2025-09-09 | Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core thememove-core allows Object Injection. This issue affects ThemeMove Core: from n/a through <= 1.4.2.

Themeum · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58993 | High | 7.6 |  | 2025-09-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS tutor allows SQL Injection. This issue affects Tutor LMS: from n/a through <= 3.7.4.

Thinkinai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58768 | Critical | 9.6 |  | 2025-09-09 | DeepChat is a smart assistant that uses artificial intelligence.

Trendnet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10107 | Medium | 4.7 |  | 2025-09-09 | A vulnerability has been found in TRENDnet TEW-831DR 1.0 (601.130.1.1410).

Tvcnet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10176 | High | 7.2 |  | 2025-09-12 | The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4.

Uscnanbu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9367 | Medium | 5.5 |  | 2025-09-10 | The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping.

Uxper · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-54709 | High | 8.1 |  | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Sala.

Villatheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47570 | High | 7.1 |  | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews. This issue affects WooCommerce Photo Reviews: from n/a through <= 1.3.13.

Vinzzb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9632 | Medium | 4.3 |  | 2025-09-11 | The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.

Volkovlabs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58746 | Critical | 9.0 |  | 2025-09-08 | The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus.

Wago · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41664 | High | 7.5 |  | 2025-09-08 | A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g., FTP/SFTP).

Webdevstudios · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-48101 | High | 8.8 |  | 2025-09-09 | Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection.

Webrecorder · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-58765 | High | 7.1 |  | 2025-09-09 | wabac.js provides a full web archive replay system, or 'wayback machine', using Service Workers.

Webwork · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40642 |  |  |  | 2025-09-08 | Reflected Cross-Site Scripting (XSS) vulnerability in WebWork, which allows remote attackers to execute arbitrary script in a victim's browser through the 'q' and 'engine' request parameters in /search.

Welotec · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-41714 | High | 8.8 | | 2025-09-10 | The upload endpoint insufficiently validates the 'Upload-Key' request header. |

Wen-solutions · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-8686 | Medium | 6.4 | | 2025-09-11 | The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WP_EASY_FAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user suppli… |

Wind River Studio Developer · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-26499 | Medium | 6.0 | | 2025-09-11 | Under heavy system utilization a random race condition can occur during authentication or token refresh operation. |

Wireless Tsukamoto Co., Ltd. · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-58781 | Medium | 4.8 | | 2025-09-12 | WTW-EAGLE App does not properly validate server certificates, which may allow a man-in-the-middle attacker to monitor encrypted traffic. |

Wordpresschef · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-8492 | Medium | 5.3 | | 2025-09-11 | The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and… |

Wp Swings · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-58978 | Medium | 5.3 | | 2025-09-09 | Missing Authorization vulnerability in WP Swings PDF Generator for WordPress pdf-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Generator for WordPress: from n/a through <= 1… |

Wpallimport · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-10001 | High | 7.2 | | 2025-09-10 | The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. |

Wpblast · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-9622 | Medium | 4.3 | | 2025-09-10 | The WP Blast \| SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. |

Wpfactory · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-58985 | Medium | 6.5 | | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce product-tabs-for-woocommerce allows Stored XSS. This issue affects Additional Cus… |

Wpswings · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-47569 | Critical | 9.3 | | 2025-09-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card woocommerce-ultimate-gift-card allows Blind SQL Injection. This issue affects WooCommerce Ultimate… |

Xwiki-contrib · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-58365 | | | | 2025-09-08 | The XWiki blog application allows users of the XWiki platform to create and manage blog posts. |

Zhenshi · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-5500 | Medium | 5.3 | | 2025-09-09 | A flaw has been found in ZhenShi Mibro Fit App 1.6.3.17499 on Android. |

Zohoflow · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-8479 | Medium | 4.3 | | 2025-09-11 | The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. |

Zuotian · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-9855 | Medium | 6.4 | | 2025-09-11 | The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug_authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping… |