Patch Tuesday — September 2025
2025-09-09 · 787 CVEs
CVEs published or modified the week of 2025-09-09, partitioned by vendor.
Microsoft (100 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10226 | Critical | 9.8 | — | 2025-09-10 | Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate privileges, execute arbitrary code, or cause de… |
CVE-2025-43491 | Critical | 9.8 | — | 2025-09-09 | A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the filesystem, which might lead to SYSTEM level privileges being granted. |
CVE-2025-55232 | Critical | 9.8 | — | 2025-09-09 | Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. |
CVE-2025-55319 | High | 8.8 | — | 2025-09-12 | AI command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. |
CVE-2025-10200 | High | 8.8 | — | 2025-09-10 | Use after free in Serviceworker in Google Chrome on Desktop prior to 140.0.7339.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2025-55234 | High | 8.8 | — | 2025-09-09 | SMB Server might be susceptible to relay attacks depending on the configuration. |
CVE-2025-55227 | High | 8.8 | — | 2025-09-09 | Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network. |
CVE-2025-54918 | High | 8.8 | — | 2025-09-09 | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. |
CVE-2025-54897 | High | 8.8 | — | 2025-09-09 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
CVE-2025-54113 | High | 8.8 | — | 2025-09-09 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-54110 | High | 8.8 | — | 2025-09-09 | Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally. |
CVE-2025-54106 | High | 8.8 | — | 2025-09-09 | Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-36855 | High | 8.8 | — | 2025-09-08 | A vulnerability (CVE-2025-21176, https://www.cve.org/CVERecord) exists in DiaSymReader.dll due to a buffer over-read. |
CVE-2025-54256 | High | 8.6 | — | 2025-09-09 | Dreamweaver Desktop versions 21.5 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-54910 | High | 8.4 | — | 2025-09-09 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-36854 | High | 8.1 | — | 2025-09-08 | A vulnerability (CVE-2024-38229, https://www.cve.org/CVERecord) exists in EOL ASP.NET: when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to a use-after-free, resulting in Remote C… |
CVE-2025-54257 | High | 7.8 | — | 2025-09-09 | Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-54242 | High | 7.8 | — | 2025-09-09 | Premiere Pro versions 25.3, 24.6.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-10199 | High | 7.8 | — | 2025-09-09 | A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path. |
CVE-2025-10198 | High | 7.8 | — | 2025-09-09 | Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories. |
CVE-2025-55317 | High | 7.8 | — | 2025-09-09 | Improper link resolution before file access ('link following') in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. |
CVE-2025-55316 | High | 7.8 | — | 2025-09-09 | External control of file name or path in Azure Arc allows an authorized attacker to elevate privileges locally. |
CVE-2025-55245 | High | 7.8 | — | 2025-09-09 | Improper link resolution before file access ('link following') in Xbox allows an authorized attacker to elevate privileges locally. |
CVE-2025-55228 | High | 7.8 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally. |
CVE-2025-55224 | High | 7.8 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally. |
CVE-2025-54916 | High | 7.8 | — | 2025-09-09 | Stack-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. |
CVE-2025-54913 | High | 7.8 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows UI XAML Maps MapControlSettings allows an authorized attacker to elevate privileges locally. |
CVE-2025-54912 | High | 7.8 | — | 2025-09-09 | Use after free in Windows BitLocker allows an authorized attacker to elevate privileges locally. |
CVE-2025-54908 | High | 7.8 | — | 2025-09-09 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. |
CVE-2025-54907 | High | 7.8 | — | 2025-09-09 | Heap-based buffer overflow in Microsoft Office Visio allows an unauthorized attacker to execute code locally. |
CVE-2025-54906 | High | 7.8 | — | 2025-09-09 | Free of memory not on the heap in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-54904 | High | 7.8 | — | 2025-09-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-54903 | High | 7.8 | — | 2025-09-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-54902 | High | 7.8 | — | 2025-09-09 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-54900 | High | 7.8 | — | 2025-09-09 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-54899 | High | 7.8 | — | 2025-09-09 | Free of memory not on the heap in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-54898 | High | 7.8 | — | 2025-09-09 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-54896 | High | 7.8 | — | 2025-09-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-54895 | High | 7.8 | — | 2025-09-09 | Integer overflow or wraparound in Windows SPNEGO Extended Negotiation allows an authorized attacker to elevate privileges locally. |
CVE-2025-54894 | High | 7.8 | — | 2025-09-09 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability |
CVE-2025-54111 | High | 7.8 | — | 2025-09-09 | Use after free in Windows UI XAML Phone DatePickerFlyout allows an authorized attacker to elevate privileges locally. |
CVE-2025-54102 | High | 7.8 | — | 2025-09-09 | Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-54098 | High | 7.8 | — | 2025-09-09 | Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally. |
CVE-2025-54092 | High | 7.8 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally. |
CVE-2025-54091 | High | 7.8 | — | 2025-09-09 | Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to elevate privileges locally. |
CVE-2025-53801 | High | 7.8 | — | 2025-09-09 | Untrusted pointer dereference in Windows DWM allows an authorized attacker to elevate privileges locally. |
CVE-2025-53800 | High | 7.8 | — | 2025-09-09 | Unclassified weakness (no CWE assigned) in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. |
CVE-2025-49692 | High | 7.8 | — | 2025-09-09 | Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally. |
CVE-2025-55243 | High | 7.5 | — | 2025-09-09 | Exposure of sensitive information to an unauthorized actor in Microsoft Office Plus allows an unauthorized attacker to perform spoofing over a network. |
CVE-2025-54919 | High | 7.5 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally. |
CVE-2025-53805 | High | 7.5 | — | 2025-09-09 | Out-of-bounds read in Windows Internet Information Services allows an unauthorized attacker to deny service over a network. |
CVE-2025-36853 | High | 7.5 | — | 2025-09-08 | A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. |
CVE-2025-54103 | High | 7.4 | — | 2025-09-09 | Use after free in Windows Management Services allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-59033 | High | 7.4 | — | 2025-09-08 | The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. |
CVE-2022-50238 | High | 7.4 | — | 2025-09-08 | The on-endpoint Microsoft vulnerable driver blocklist is not fully synchronized with the online Microsoft recommended driver block rules. |
CVE-2025-55236 | High | 7.3 | — | 2025-09-09 | Time-of-check time-of-use (TOCTOU) race condition in Graphics Kernel allows an authorized attacker to execute code locally. |
CVE-2025-54911 | High | 7.3 | — | 2025-09-09 | Use after free in Windows BitLocker allows an authorized attacker to elevate privileges locally. |
CVE-2025-54116 | High | 7.3 | — | 2025-09-09 | Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally. |
CVE-2025-54905 | High | 7.1 | — | 2025-09-09 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to disclose information locally. |
CVE-2025-55223 | High | 7.0 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. |
CVE-2025-54115 | High | 7.0 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally. |
CVE-2025-54114 | High | 7.0 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-54112 | High | 7.0 | — | 2025-09-09 | Use after free in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally. |
CVE-2025-54108 | High | 7.0 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. |
CVE-2025-54105 | High | 7.0 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
CVE-2025-54099 | High | 7.0 | — | 2025-09-09 | Stack-based buffer overflow in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
CVE-2025-54093 | High | 7.0 | — | 2025-09-09 | Time-of-check time-of-use (TOCTOU) race condition in Windows TCP/IP allows an authorized attacker to elevate privileges locally. |
CVE-2025-53807 | High | 7.0 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. |
CVE-2025-53802 | High | 7.0 | — | 2025-09-09 | Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-49734 | High | 7.0 | — | 2025-09-09 | Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally. |
CVE-2025-55226 | Medium | 6.7 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to execute code locally. |
CVE-2025-54915 | Medium | 6.7 | — | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-54109 | Medium | 6.7 | — | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-54104 | Medium | 6.7 | — | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-54094 | Medium | 6.7 | — | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-53810 | Medium | 6.7 | — | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-53808 | Medium | 6.7 | — | 2025-09-09 | Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-55225 | Medium | 6.5 | — | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-54097 | Medium | 6.5 | — | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-54096 | Medium | 6.5 | — | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-54095 | Medium | 6.5 | — | 2025-09-09 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-53809 | Medium | 6.5 | — | 2025-09-09 | Improper input validation in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. |
CVE-2025-53806 | Medium | 6.5 | — | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-53798 | Medium | 6.5 | — | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-53797 | Medium | 6.5 | — | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-53796 | Medium | 6.5 | — | 2025-09-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-47997 | Medium | 6.5 | — | 2025-09-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network. |
CVE-2025-10221 | Medium | 5.5 | — | 2025-09-10 | Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet / C-WerkNet 2.0.4 and earlier on Windows platforms allows a local attacker to obtain plaintext credentials via reading… |
CVE-2025-54241 | Medium | 5.5 | — | 2025-09-09 | After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information. |
CVE-2025-54240 | Medium | 5.5 | — | 2025-09-09 | After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information. |
CVE-2025-54239 | Medium | 5.5 | — | 2025-09-09 | After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information. |
CVE-2025-54901 | Medium | 5.5 | — | 2025-09-09 | Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. |
CVE-2025-53804 | Medium | 5.5 | — | 2025-09-09 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2025-53803 | Medium | 5.5 | — | 2025-09-09 | Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2025-53799 | Medium | 5.5 | — | 2025-09-09 | Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally. |
CVE-2025-54101 | Medium | 4.8 | — | 2025-09-09 | Use after free in Windows SMBv3 Client allows an authorized attacker to execute code over a network. |
CVE-2025-10227 | Medium | 4.6 | — | 2025-09-10 | Missing Encryption of Sensitive Data (CWE-311) in the Object Archive component in AxxonSoft Axxon One (C-Werk) before 2.0.8 on Windows and Linux allows a local attacker with access to exported storage or stolen physical drives to extract… |
CVE-2025-54917 | Medium | 4.3 | — | 2025-09-09 | Protection mechanism failure in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. |
CVE-2025-54107 | Medium | 4.3 | — | 2025-09-09 | Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. |
CVE-2025-54255 | Medium | 4.0 | — | 2025-09-09 | Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass impacting integrity. |
Other vendors (687 CVEs across 308 vendors)
N/a · 64 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45434 | Critical | 9.8 | — | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x has a Use-After-Free. |
CVE-2025-55835 | Critical | 9.8 | — | 2025-09-12 | File Upload vulnerability in SueamCMS v.0.1.2 allows a remote attacker to execute arbitrary code via the lack of filtering. |
CVE-2025-57633 | Critical | 9.8 | — | 2025-09-09 | A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. |
CVE-2025-57085 | Critical | 9.8 | — | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function. |
CVE-2025-57141 | Critical | 9.8 | — | 2025-09-08 | rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc. |
CVE-2025-52161 | Critical | 9.8 | — | 2025-09-08 | Scholl Communications AG Weblication CMS Core v019.004.000.000 was discovered to contain a cross-site scripting (XSS) vulnerability. |
CVE-2025-22956 | Critical | 9.8 | — | 2025-09-08 | OPSI before 4.3 allows any client to retrieve any ProductPropertyState, including those of other clients. |
CVE-2025-56407 | High | 8.8 | — | 2025-09-10 | A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. |
CVE-2025-52389 | High | 8.8 | — | 2025-09-08 | An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request. |
CVE-2025-55849 | High | 8.4 | — | 2025-09-08 | WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee |
CVE-2025-57579 | High | 8.0 | — | 2025-09-12 | An issue in TOTOLINK Wi-Fi 6 Router Series Device X2000R-Gh-V2.0.0 allows a remote attacker to execute arbitrary code via the default password. |
CVE-2025-57578 | High | 8.0 | — | 2025-09-12 | An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password. |
CVE-2025-57577 | High | 8.0 | — | 2025-09-12 | An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. |
CVE-2024-45432 | High | 7.5 | — | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x mishandles a function call. |
CVE-2025-56406 | High | 7.5 | — | 2025-09-10 | An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. |
CVE-2025-57060 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the rules parameter in the dns_forward_rule_store function. |
CVE-2025-29089 | High | 7.5 | — | 2025-09-09 | An issue in TP-Link AX10 Ax1500 v.1.3.10 Build (20230130) allows a remote attacker to obtain sensitive information. |
CVE-2025-57086 | High | 7.5 | — | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNode function. |
CVE-2025-57078 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pppoeServerWhiteMacIndex parameter in the formModifyPppAuthWhiteMac function. |
CVE-2025-57087 | High | 7.5 | — | 2025-09-09 | Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the countryCode parameter in the werlessAdvancedSet function. |
CVE-2025-57072 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the staticRouteGateway parameter in the formSetStaticRoute function. |
CVE-2025-57071 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the vpnUsers parameter in the formAddVpnUsers function. |
CVE-2025-57070 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the gstUp parameter in the guestWifiRuleRefresh function. |
CVE-2025-57069 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the pPppUser parameter in the getsinglepppuser function. |
CVE-2025-57064 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the bindDhcpIndex parameter in the modifyDhcpRule function. |
CVE-2025-57063 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the portMappingIndex parameter in the formDelPortMapping function. |
CVE-2025-57062 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the delDhcpIndex parameter in the formDelDhcpRule function. |
CVE-2025-57061 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formIPMacBindModify function via the ruleId, ip, mac, v6 and remark parameters. |
CVE-2025-57059 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the dhcpIndex parameter in the addDhcpRule function. |
CVE-2025-57058 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain multiple stack overflows in the formSetDebugCfg function via the pEnable, pLevel, and pModule parameters. |
CVE-2025-57057 | High | 7.5 | — | 2025-09-09 | Tenda G3 v3.0br_V15.11.0.17 was discovered to contain a stack overflow in the listStr parameter in the ipMacBindListStore function. |
CVE-2025-52322 | High | 7.5 | — | 2025-09-09 | An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in the PDN Address Allocation (PAA) field. |
CVE-2025-52288 | High | 7.5 | — | 2025-09-08 | Assertion failure in function ngap_build_downlink_nas_transport in file src/amf/ngap-build.c, the Access and Mobility Management Function (AMF) component, in Open5GS thru 2.7.5 allowing attackers to cause a denial of service or other unspe… |
CVE-2025-10116 | High | 7.3 | — | 2025-09-09 | A vulnerability was identified in SiempreCMS up to 1.3.6. |
CVE-2025-10115 | High | 7.3 | — | 2025-09-09 | A vulnerability was determined in SiempreCMS up to 1.3.6. |
CVE-2025-57642 | High | 7.2 | — | 2025-09-10 | A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP shell scripts on the server, leading to remote code execution and unauthorized access to the system. |
CVE-2025-52915 | High | 7.2 | — | 2025-09-09 | K7RKScan.sys 23.0.0.10, part of the K7 Security Anti-Malware suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. |
CVE-2025-56467 | Medium | 6.5 | — | 2025-09-12 | An issue was discovered in AXIS BANK LIMITED Axis Mobile App 9.9 that allows attackers to obtain sensitive information without a UPI PIN, such as account information, balances, transaction history, and unspecified other information. |
CVE-2024-45433 | Medium | 6.5 | — | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x has Incorrect Control Flow Scoping. |
CVE-2025-55996 | Medium | 6.3 | — | 2025-09-12 | Viber Desktop 25.6.0 is vulnerable to HTML Injection via the text parameter of the message compose/forward interface. |
CVE-2025-10247 | Medium | 6.3 | — | 2025-09-11 | A security vulnerability has been detected in JEPaaS 7.2.8. |
CVE-2025-10121 | Medium | 6.3 | — | 2025-09-09 | A flaw has been found in uverif up to 3.2. |
CVE-2025-52074 | Medium | 6.1 | — | 2025-09-12 | PHPGURUKUL Online Shopping Portal 2.1 is vulnerable to Cross Site Scripting (XSS) due to lack of input sanitization in the quantity parameter when adding a product to the cart. |
CVE-2025-57520 | Medium | 6.1 | — | 2025-09-10 | A Cross Site Scripting (XSS) vulnerability exists in Decap CMS thru 3.8.3. |
CVE-2025-52277 | Medium | 6.1 | — | 2025-09-09 | Cross Site Scripting vulnerability in YesWiki v.4.54 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field. |
CVE-2025-56578 | Medium | 5.7 | — | 2025-09-10 | An issue in RTSPtoWeb v.2.4.3 allows a remote attacker to obtain sensitive information and execute arbitrary code via the lack of authentication mechanisms. |
CVE-2025-57573 | Medium | 5.6 | — | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the wifiTimeClose parameter in goform/setWifi. |
CVE-2025-57572 | Medium | 5.6 | — | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the onlineList parameter in goform/setParentControl. |
CVE-2025-57571 | Medium | 5.6 | — | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow. |
CVE-2025-57570 | Medium | 5.6 | — | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the QosList parameter in goform/setQoS. |
CVE-2025-57569 | Medium | 5.6 | — | 2025-09-10 | Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the portList parameter in /goform/setNAT. |
CVE-2025-10232 | Medium | 5.4 | — | 2025-09-10 | A weakness has been identified in 299ko up to 2.0.0. |
CVE-2025-57540 | Medium | 5.4 | — | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment (PVE) 8.4. |
CVE-2025-57539 | Medium | 5.4 | — | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input. |
CVE-2025-57538 | Medium | 5.4 | — | 2025-09-09 | A stored cross-site scripting (XSS) vulnerability in the HTTP Proxy field within the Datacenter configuration panel of Proxmox Virtual Environment (PVE) 8.4 allows an authenticated user to inject malicious input. |
CVE-2024-45431 | Medium | 5.3 | — | 2025-09-12 | OpenSynergy BlueSDK (aka Blue SDK) through 6.x has Improper Input Validation. |
CVE-2025-10195 | Medium | 5.3 | — | 2025-09-10 | A vulnerability has been found in Seismic App 2.4.2 on Android. |
CVE-2025-9910 | Medium | 4.7 | — | 2025-09-11 | Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. |
CVE-2025-10229 | Medium | 4.3 | — | 2025-09-10 | A vulnerability has been found in Freshwork up to 1.2.3. |
CVE-2025-51586 | Low | 3.7 | — | 2025-09-08 | An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature. |
CVE-2025-10253 | Low | 3.5 | — | 2025-09-11 | A vulnerability has been found in openDCIM 23.04. |
CVE-2025-10216 | Low | 2.6 | — | 2025-09-10 | A vulnerability was detected in GrandNode up to 2.3.0. |
CVE-2025-10235 | Low | 2.4 | — | 2025-09-11 | A flaw has been found in Scada-LTS up to 2.7.8.1. |
CVE-2025-10234 | Low | 2.4 | — | 2025-09-11 | A vulnerability was detected in Scada-LTS up to 2.7.8.1. |
Linux · 36 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39797 | High | 7.8 | — | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: xfrm: Duplicate SPI Handling The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI Netlink message, which triggers the kernel function xfrm_alloc_spi(). |
CVE-2025-39796 | High | 7.8 | — | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: net: lapbether: ignore ops-locked netdevs Syzkaller managed to trigger lock dependency in xsk_notify via register_netdevice. |
CVE-2025-39793 | High | 7.8 | — | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: io_uring/memmap: cast nr_pages to size_t before shifting If the allocated size exceeds UINT_MAX, then it's necessary to cast the mr->nr_pages value to size_t to prevent… |
CVE-2025-39740 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/xe/migrate: prevent potential UAF If we hit the error path, the previous fence (if there is one) has already been put() prior to this, so doing a fence_wait could le… |
CVE-2025-39786 | High | 7.1 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7173: fix channels index for syscalib_mode Fix the index used to look up the channel when accessing the syscalib_mode attribute. |
CVE-2025-39761 | High | 7.1 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Decrement TID on RX peer frag setup error handling Currently, TID is not decremented before peer cleanup, during error handling path of ath12k_dp_rx_peer_f… |
CVE-2025-39750 | High | 7.1 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Correct tid cleanup when tid setup fails Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(), the tid value is already incremented, even th… |
CVE-2025-39744 | High | 7.1 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to IRQ work During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. |
CVE-2025-39792 | Medium | 5.5 | — | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: dm: Always split write BIOs to zoned device limits Any zoned DM target that requires zone append emulation will use the block layer zone write plugging. |
CVE-2025-39791 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: dm: dm-crypt: Do not partially accept write BIOs with zoned targets Read and write operations issued to a dm-crypt target may be split according to the dm-crypt internal… |
CVE-2025-39789 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: crypto: x86/aegis - Add missing error checks The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary. |
CVE-2025-39785 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix irq_request()'s irq name variable is local The local variable is passed in request_irq (), and there will be use after free problem, which will… |
CVE-2025-39784 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix link speed calculation on retrain failure When pcie_failed_link_retrain() fails to retrain, it tries to revert to the previous link speed. |
CVE-2025-39781 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: parisc: Drop WARN_ON_ONCE() from flush_cache_vmap I have observed the warning to occasionally trigger. |
CVE-2025-39780 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: sched/ext: Fix invalid task state transitions on class switch When enabling a sched_ext scheduler, we may trigger invalid task state transitions, resulting in warnings l… |
CVE-2025-39779 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: btrfs: subpage: keep TOWRITE tag until folio is cleaned btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also c… |
CVE-2025-39777 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: crypto: acomp - Fix CFI failure due to type punning To avoid a crash when control flow integrity is enabled, make the workspace ("stream") free function use a consistent… |
CVE-2025-39775 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix WARN with uffd that has remap events disabled Registering userfaultd on a VMA that spans at least one PMD and then mremap()'ing that VMA can trigger a WAR… |
CVE-2025-39774 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: iio: adc: rzg2l_adc: Set driver data before enabling runtime PM When stress-testing the system by repeatedly unbinding and binding the ADC device in a loop, and the ADC… |
CVE-2025-39771 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: regulator: pca9450: Use devm_register_sys_off_handler With module test, there is error dump: ------------[ cut here ]------------ notifier callback pca9450_i2c_restart… |
CVE-2025-39769 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix lockdep warning during rmmod The commit under the Fixes tag added a netdev_assert_locked() in bnxt_free_ntp_fltrs(). |
CVE-2025-39768 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, fix complex rules rehash error flow Moving rules from matcher to matcher should not fail. |
CVE-2025-39767 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Optimize module load time by optimizing PLT/GOT counting When enabling CONFIG_KASAN, CONFIG_PREEMPT_VOLUNTARY_BUILD and CONFIG_PREEMPT_VOLUNTARY at the same t… |
CVE-2025-39765 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: fix ida_free call while not allocated In the snd_utimer_create() function, if the kasprintf() function return NULL, snd_utimer_put_id() will be called, fina… |
CVE-2025-39764 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cooki… |
CVE-2025-39763 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered If a synchronous error is detected as a result of user-space process triggering a 2-bit… |
CVE-2025-39762 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: add null check [WHY] Prevents null pointer dereferences to enhance function robustness [HOW] Adds early null check and return false if invalid. |
CVE-2025-39758 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this: static int siw_tcp… |
CVE-2025-39753 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Clears up the warning added in 7ee3647243e5 ("migrate: Remove call to ->writepage") that occurs in various xfstests, ca… |
CVE-2025-39748 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. |
CVE-2025-39747 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Add error handling for krealloc in metadata setup Function msm_ioctl_gem_info_set_metadata() now checks for krealloc failure and returns -ENOMEM, avoiding poten… |
CVE-2025-39746 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: shutdown driver when hardware is unreliable In rare cases, ath10k may lose connection with the PCIe bus due to some unknown reasons, which could further le… |
CVE-2025-39745 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: rcutorture: Fix rcutorture_one_extend_check() splat in RT kernels For built with CONFIG_PREEMPT_RT=y kernels, running rcutorture tests resulted in the following splat: … |
CVE-2025-39741 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/xe/migrate: don't overflow max copy size With non-page aligned copy, we need to use 4 byte aligned pitch, however the size itself might still be close to our maximum… |
CVE-2025-39739 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-qcom: Add SM6115 MDSS compatible Add the SM6115 MDSS compatible to clients compatible list, as it also needs that workaround. |
CVE-2025-39754 | Medium | 4.7 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/smaps: fix race between smaps_hugetlb_range and migration smaps_hugetlb_range() handles the pte without holding ptl, and may be concurrent with migration, leading to… |
Debian · 25 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39790 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. |
CVE-2025-39788 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up pr… |
CVE-2025-39783 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix configfs group list head handling Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this fi… |
CVE-2025-39776 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/debug_vm_pgtable: clear page table entries at destroy_args() The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also it… |
CVE-2025-39766 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qle… |
CVE-2025-39743 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is 0 The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. |
CVE-2025-39738 | High | 7.8 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation of partially dropped subvolumes [BUG] There is an internal report that balance triggered transaction abort, with the following call trace… |
CVE-2025-39760 | High | 7.1 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd r… |
CVE-2025-39757 | High | 7.1 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whe… |
CVE-2025-39759 | High | 7.0 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result… |
CVE-2025-39749 | High | 7.0 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: rcu: Protect ->defer_qs_iw_pending from data race On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is invoked within an interrupts-disabled region of code… |
CVE-2025-39798 | Medium | 5.5 | — | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabilities when automounting a new filesystem Capabilities cannot be inherited when we cross into a new filesystem. |
CVE-2025-39795 | Medium | 5.5 | — | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow for chunk_sectors check in blk_stack_limits() In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->phys… |
CVE-2025-39794 | Medium | 5.5 | — | 2025-09-12 | In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy. |
CVE-2025-40300 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor… |
CVE-2025-39787 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don't read past the ELF header When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessa… |
CVE-2025-39782 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after proce… |
CVE-2025-39773 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() m… |
CVE-2025-39772 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not i… |
CVE-2025-39770 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension hea… |
CVE-2025-39756 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes at… |
CVE-2025-39752 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: ARM: rockchip: fix kernel hang during smp initialization In order to bring up secondary CPUs, the main CPU writes trampoline code to SRAM. |
CVE-2025-39742 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() The function divides number of online CPUs by num_core_siblings, and later checks the divider by zero. |
CVE-2025-39737 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() A soft lockup warning was observed on a relatively small x86-64 system with 16 GB of memory when running a… |
CVE-2025-39736 | Medium | 5.5 | — | 2025-09-11 | In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can… |
Liferay · 17 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43790 | High | 8.1 | — | 2025-09-11 | Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to fr… |
CVE-2025-43796 | High | 7.5 | — | 2025-09-12 | Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 does not limit the number of objects returned from GraphQL queries, which allows remote attackers t… |
CVE-2025-43784 | Medium | 6.5 | — | 2025-09-10 | Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entries informatio… |
CVE-2025-43763 | Medium | 6.5 | — | 2025-09-09 | A server-side request forgery (SSRF) vulnerability exists in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1… |
CVE-2025-43795 | Medium | 6.1 | — | 2025-09-12 | Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote at… |
CVE-2025-43783 | Medium | 6.1 | — | 2025-09-10 | Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allow… |
CVE-2025-43785 | Medium | 6.1 | — | 2025-09-10 | Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute… |
CVE-2025-43781 | Medium | 6.1 | — | 2025-09-09 | Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject… |
CVE-2025-43778 | Medium | 6.1 | — | 2025-09-09 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 th… |
CVE-2025-43787 | Medium | 5.4 | — | 2025-09-12 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2… |
CVE-2025-43775 | Medium | 5.4 | — | 2025-09-09 | Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote… |
CVE-2025-43776 | Medium | 5.4 | — | 2025-09-09 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 thr… |
CVE-2025-43789 | Medium | 5.3 | — | 2025-09-12 | JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get ex… |
CVE-2025-43786 | Medium | 5.3 | — | 2025-09-09 | Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allows attackers… |
CVE-2025-43777 | Medium | 5.3 | — | 2025-09-09 | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 ex… |
CVE-2025-43788 | Medium | 4.3 | — | 2025-09-12 | The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list… |
CVE-2025-43782 | Medium | 4.3 | — | 2025-09-11 | Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to a… |
Sap_se · 16 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-42944 | Critical | 10.0 | — | 2025-09-09 | Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. |
CVE-2025-42922 | Critical | 9.9 | — | 2025-09-09 | SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. |
CVE-2025-42958 | Critical | 9.1 | — | 2025-09-09 | Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privile… |
CVE-2025-42933 | High | 8.8 | — | 2025-09-09 | When a user logs in via SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. |
CVE-2025-42929 | High | 8.1 | — | 2025-09-09 | Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. |
CVE-2025-42916 | High | 8.1 | — | 2025-09-09 | Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. |
CVE-2025-42930 | Medium | 6.5 | — | 2025-09-09 | SAP Business Planning and Consolidation allows an authenticated standard user to call a function module by crafting specific parameters that causes a loop, consuming excessive resources and resulting in system unavailability. |
CVE-2025-42917 | Medium | 6.5 | — | 2025-09-09 | SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
CVE-2025-42912 | Medium | 6.5 | — | 2025-09-09 | SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
CVE-2025-42938 | Medium | 6.1 | — | 2025-09-09 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. |
CVE-2025-42915 | Medium | 5.4 | — | 2025-09-09 | Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups. This issue could impact both th… |
CVE-2025-42925 | Medium | 4.3 | — | 2025-09-09 | Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. |
CVE-2025-42923 | Medium | 4.3 | — | 2025-09-09 | Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. |
CVE-2025-42927 | Low | 3.4 | — | 2025-09-09 | SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL. Successful exploitation of known vulnerabilities in the outdated OpenSSL library would allow a user with high system privileges to… |
CVE-2025-42914 | Low | 3.1 | — | 2025-09-09 | Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low… |
CVE-2025-42913 | Low | 3.1 | — | 2025-09-09 | Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low… |
Adobe · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-54261 | Critical | 10.0 | — | 2025-09-09 | ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. |
CVE-2025-54236 | Critical | 9.1 | KEV | 2025-09-09 | Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. |
CVE-2025-54260 | High | 7.8 | — | 2025-09-09 | Substance3D - Modeler versions 1.22.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
CVE-2025-54259 | High | 7.8 | — | 2025-09-09 | Substance3D - Modeler versions 1.22.2 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-54258 | High | 7.8 | — | 2025-09-09 | Substance3D - Modeler versions 1.22.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-54245 | High | 7.8 | — | 2025-09-09 | Substance3D - Viewer versions 0.25.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-54244 | High | 7.8 | — | 2025-09-09 | Substance3D - Viewer versions 0.25.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-54243 | High | 7.8 | — | 2025-09-09 | Substance3D - Viewer versions 0.25.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-54248 | High | 7.7 | — | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
CVE-2025-54249 | Medium | 6.5 | — | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. |
CVE-2025-54247 | Medium | 6.5 | — | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
CVE-2025-54246 | Medium | 6.5 | — | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. |
CVE-2025-54252 | Medium | 5.4 | — | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-54250 | Medium | 4.9 | — | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
CVE-2025-54251 | Medium | 4.3 | — | 2025-09-09 | Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. |
Ivanti · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-55145 | High | 8.9 | — | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allow… |
CVE-2025-9872 | High | 8.8 | — | 2025-09-09 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2025-9712 | High | 8.8 | — | 2025-09-09 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2025-55147 | High | 8.8 | — | 2025-09-09 | CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthe… |
CVE-2025-55142 | High | 8.8 | — | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
CVE-2025-55141 | High | 8.8 | — | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
CVE-2025-55148 | High | 7.6 | — | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
CVE-2025-55139 | Medium | 6.8 | — | 2025-09-09 | SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authent… |
CVE-2025-55143 | Medium | 6.1 | — | 2025-09-09 | Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) all… |
CVE-2025-8712 | Medium | 5.4 | — | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allow… |
CVE-2025-8711 | Medium | 5.4 | — | 2025-09-09 | CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthe… |
CVE-2025-55144 | Medium | 5.4 | — | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows… |
CVE-2025-55146 | Medium | 4.9 | — | 2025-09-09 | An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) al… |
PHPGurukul · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40692 | Critical | 9.8 | — | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
CVE-2025-40691 | Critical | 9.8 | — | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
CVE-2025-40690 | Critical | 9.8 | — | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
CVE-2025-40689 | Critical | 9.8 | — | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
CVE-2025-40687 | Critical | 9.8 | — | 2025-09-11 | SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. |
CVE-2025-10114 | High | 7.3 | — | 2025-09-09 | A vulnerability was found in PHPGurukul Small CRM 4.0. |
CVE-2025-10079 | High | 7.3 | — | 2025-09-08 | A flaw has been found in PHPGurukul Small CRM 4.0. |
CVE-2025-10098 | Medium | 6.3 | — | 2025-09-08 | A security flaw has been discovered in PHPGurukul User Management System 1.0. |
CVE-2025-40696 | Medium | 5.4 | — | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists of a stored authenticated XSS due to the lack of proper validation of user inputs 'fullname', 'location' and 'message' parameters via POST at th… |
CVE-2025-40695 | Medium | 5.4 | — | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists of a stored authenticated XSS due to the lack of proper validation of user inputs 'remark', 'status' and 'takeaction' parameters via POST at the… |
CVE-2025-40694 | Medium | 5.4 | — | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists of a stored authenticated XSS due to the lack of proper validation of user inputs 'fromdate' and 'todate' parameters via POST at the endpoint '/… |
CVE-2025-40693 | Medium | 5.4 | — | 2025-09-11 | Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists of a reflected and stored authenticated XSS due to the lack of proper validation of user inputs 'tname' parameter via GET and, 'teamleadname', '… |
Rockwell Automation · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9364 | High | 8.8 | — | 2025-09-09 | An open database issue exists in the affected product and version. |
CVE-2025-9161 | High | 8.8 | — | 2025-09-09 | A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. |
CVE-2025-9065 | High | 8.8 | — | 2025-09-09 | A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. |
CVE-2025-9166 | High | 7.5 | — | 2025-09-09 | A denial-of-service security issue exists in the affected product and version. |
CVE-2025-7970 | High | 7.5 | — | 2025-09-09 | A security issue exists within FactoryTalk Activation Manager. |
CVE-2025-8008 | Medium | 6.5 | — | 2025-09-09 | A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash. |
CVE-2025-8007 | Medium | 6.5 | — | 2025-09-09 | A security issue exists in the protected mode of 1756-EN4TR and 1756-EN2TR communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable (MNFR) fault. |
CVE-2025-9160 | — | — | — | 2025-09-09 | A code execution security issue exists in the affected product. |
CVE-2025-7350 | — | — | — | 2025-09-09 | A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. |
Siemens · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40795 | Critical | 9.8 | — | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
CVE-2025-40804 | Critical | 9.1 | — | 2025-09-09 | A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). |
CVE-2025-40798 | High | 7.5 | — | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
CVE-2025-40797 | High | 7.5 | — | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
CVE-2025-40796 | High | 7.5 | — | 2025-09-09 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions < V6.0 SP1 Update 1), User Management Component (UMC) (All versions < V2.15.1.3). |
CVE-2025-40594 | Medium | 6.3 | — | 2025-09-09 | A vulnerability has been identified in SINAMICS G220 V6.4 (All versions < V6.4 HF2), SINAMICS S200 V6.4 (All versions < V6.4 HF7), SINAMICS S210 V6.4 (All versions < V6.4 HF2). |
CVE-2025-40757 | Medium | 5.3 | — | 2025-09-09 | A vulnerability has been identified in APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions). |
CVE-2025-40803 | Low | 3.1 | — | 2025-09-09 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). |
CVE-2025-40802 | Low | 3.1 | — | 2025-09-09 | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). |
Baicells · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-55051 | Critical | 10.0 | — | 2025-09-09 | CWE-1392: Use of Default Credentials |
CVE-2025-55050 | Critical | 9.8 | — | 2025-09-09 | CWE-1242: Inclusion of Undocumented Features |
CVE-2025-55048 | Critical | 9.8 | — | 2025-09-09 | Multiple CWE-78 |
CVE-2025-55049 | Critical | 9.1 | — | 2025-09-09 | Use of Default Cryptographic Key (CWE-1394) |
CVE-2025-55047 | High | 8.4 | — | 2025-09-09 | CWE-798 Use of Hard-coded Credentials |
CVE-2025-55053 | Medium | 6.5 | — | 2025-09-09 | CWE-328: Use of Weak Hash |
CVE-2025-55054 | Medium | 6.1 | — | 2025-09-09 | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') |
CVE-2025-55052 | Medium | 4.3 | — | 2025-09-09 | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor |
Dell · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43888 | High | 8.8 | — | 2025-09-10 | Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. |
CVE-2025-43884 | High | 8.2 | — | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. |
CVE-2025-43885 | High | 7.8 | — | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. |
CVE-2025-43725 | High | 7.8 | — | 2025-09-10 | Dell PowerProtect Data Manager, Generic Application Agent, version(s) 19.19 and 19.20, contain(s) an Incorrect Default Permissions vulnerability. |
CVE-2025-43887 | High | 7.0 | — | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Incorrect Default Permissions vulnerability. |
CVE-2025-43722 | Medium | 6.7 | — | 2025-09-08 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper privilege management vulnerability. |
CVE-2025-43938 | Medium | 5.0 | — | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Plaintext Storage of a Password vulnerability. |
CVE-2025-43886 | Medium | 4.4 | — | 2025-09-10 | Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Path Traversal: '.../...//' vulnerability. |
IBM · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-36222 | High | 8.7 | — | 2025-09-11 | IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an a… |
CVE-2024-45669 | Medium | 6.5 | — | 2025-09-10 | IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a remote user to cause a denial of service due to improper handling of special characters that could lead to uncontrolled resource consumption. |
CVE-2024-47120 | Medium | 6.4 | — | 2025-09-10 | IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with unnecessary privileges. |
CVE-2025-36125 | Medium | 6.4 | — | 2025-09-09 | IBM Hardware Management Console - Power 10.3.1050.0 and 11.1.1110.0 is vulnerable to stored cross-site scripting. |
CVE-2024-45671 | Medium | 5.9 | — | 2025-09-10 | IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. |
CVE-2025-1761 | Medium | 5.9 | — | 2025-09-08 | IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. |
CVE-2025-36011 | Medium | 4.3 | — | 2025-09-09 | IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. |
Netgate · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34175 | Medium | 6.1 | — | 2025-09-09 | In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. |
CVE-2025-34172 | Medium | 6.1 | — | 2025-09-09 | In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. |
CVE-2025-34178 | Medium | 5.4 | — | 2025-09-09 | In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. |
CVE-2025-34177 | Medium | 5.4 | — | 2025-09-09 | In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. |
CVE-2025-34174 | Medium | 5.4 | — | 2025-09-09 | In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. |
CVE-2025-34176 | Medium | 4.3 | — | 2025-09-09 | In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. |
CVE-2025-34173 | Medium | 4.3 | — | 2025-09-09 | In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. |
TYPO3 · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59017 | High | 8.8 | — | 2025-09-09 | Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to… |
CVE-2025-59018 | Medium | 6.5 | — | 2025-09-09 | Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disc… |
CVE-2025-59015 | Medium | 6.5 | — | 2025-09-09 | A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly. |
CVE-2025-59013 | Medium | 6.1 | — | 2025-09-09 | An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phi… |
CVE-2025-59019 | Medium | 4.3 | — | 2025-09-09 | Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mount… |
CVE-2025-59016 | Medium | 4.3 | — | 2025-09-09 | Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed… |
CVE-2025-59014 | Low | 2.7 | — | 2025-09-09 | An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving man… |
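CVE-2025-59013 above is an open redirect in a function whose whole job is to decide whether a redirect target stays on the local site. The Python below is an added illustration of why that decision is harder than a substring check, not TYPO3's `sanitizeLocalUrl` and not the input that bypasses it (the advisory text on this page does not give one). The host name and the sample targets are constructed; the checks are the ones a reviewer would expect: normalise backslashes the way browsers do, then allow only our own origin or a site-absolute path with exactly one leading slash.

```python
from urllib.parse import urlsplit

# Constructed host name of the site performing the redirect; a real
# deployment would take this from its configuration.
SITE_HOST = "cms.example"


def naive_is_local(url: str) -> bool:
    """Common broken check: 'no scheme, therefore local'.

    It accepts scheme-relative '//evil.example', backslash forms such as
    '/\\evil.example' (browsers treat '\\' as '/' in http URLs) and
    '///evil.example', all of which leave the site.
    """
    return "://" not in url


def is_local_url(url: str) -> bool:
    """Allow-list check: our own http(s) origin, or a site-absolute path."""
    candidate = url.replace("\\", "/")      # normalise what the browser would
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only http(s) on exactly our host. hostname already
        # strips userinfo and port, so 'https://cms.example@evil.example/'
        # yields 'evil.example'; 'https:evil.example' (no authority) yields
        # None. Both are refused.
        return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST
    if parts.netloc:
        # '//evil.example' inherits the current scheme: external.
        return False
    # Relative target: one leading slash. '//...' and '///...' are authority
    # forms in browsers even though urlsplit reports no netloc for '///'.
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Return url when it stays on site, otherwise the fallback."""
    return url if is_local_url(url) else fallback


if __name__ == "__main__":
    # Constructed sample targets, not taken from the advisory.
    for target in ("/typo3/", "//evil.example", "/\\evil.example", "///evil.example",
                   "https://cms.example@evil.example/", "https:evil.example",
                   "javascript:alert(1)", "https://cms.example/typo3/"):
        print(f"{target!r:40} naive={naive_is_local(target)!s:5} hardened={is_local_url(target)}")
```

Two design choices matter here. First, the decision is an allow-list ("is this exactly us?") rather than a denylist of known-bad prefixes. Second, the comparison uses the parsed host, not the raw string, so userinfo (`@`), backslashes and ports cannot make a foreign host look like ours. Relative targets without a leading slash are refused too; if a product needs them, resolve them against the current page URL first and run the absolute result through the same check.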
GitLab · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6454 | High | 8.5 | — | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended internal requests through proxy environ… |
CVE-2025-2256 | High | 7.5 | — | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate use… |
CVE-2025-7337 | Medium | 6.5 | — | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user with Developer-level access to cause a persistent denial o… |
CVE-2025-1250 | Medium | 6.5 | — | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed an authenticated user to stall background job processing by sending specially c… |
CVE-2025-10094 | Medium | 6.5 | — | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to disrupt access to token listings and related administrat… |
CVE-2025-6769 | Medium | 4.3 | — | 2025-09-12 | An issue has been discovered in GitLab CE/EE affecting all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to view administrator-only maintenance notes by accessing r… |
Audi · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-45583 | Critical | 9.1 | — | 2025-09-12 | Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password. |
CVE-2025-45586 | High | 7.5 | — | 2025-09-12 | An issue in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to arbitrarily overwrite files via supplying a crafted PUT request. |
CVE-2025-45584 | High | 7.5 | — | 2025-09-12 | Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication. |
CVE-2025-45587 | High | 7.0 | — | 2025-09-12 | A stack overflow in the FTP service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
CVE-2025-45585 | Medium | 5.4 | — | 2025-09-12 | Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid para… |
AxxonSoft · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10220 | Critical | 9.8 | — | 2025-09-10 | Use of Unmaintained Third Party Components (CWE-1104) in the NuGet dependency components in AxxonSoft Axxon One VMS 2.0.0 through 2.0.4 on Windows allows a remote attacker to execute arbitrary code or bypass security features via exploitat… |
CVE-2025-10225 | High | 7.5 | — | 2025-09-10 | Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) in the OpenSSL-based session module in AxxonSoft Axxon One (C-Werk) 2.0.6 and earlier on Windows allows a remote attacker under high load conditions to cause… |
CVE-2025-10224 | Medium | 5.4 | — | 2025-09-10 | Improper Authentication (CWE-287) in the LDAP authentication engine in AxxonSoft Axxon One (C-Werk) 2.0.2 and earlier on Windows allows a remote authenticated user to be denied access or misassigned roles via incorrect evaluation of nested… |
CVE-2025-10223 | Medium | 5.4 | — | 2025-09-10 | Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One (C-Werk) prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an une… |
CVE-2025-10222 | Low | 3.3 | — | 2025-09-10 | Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) in the diagnostic dump component in AxxonSoft Axxon One VMS (C-Werk) 2.0.0 through 2.0.1 on Windows allows a local attacker to obtain licensing-related information such a… |
Calix · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7635 | High | 7.7 | — | 2025-09-09 | Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. |
CVE-2025-54084 | — | — | — | 2025-09-09 | OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially… |
CVE-2025-54083 | — | — | — | 2025-09-09 | Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. |
CVE-2025-53914 | — | — | — | 2025-09-09 | Excessive Privileges vulnerability in Calix GigaCenter ONT (Broadcom SoC modules) allows Privilege Abuse. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G. |
CVE-2025-53913 | — | — | — | 2025-09-09 | Excessive Privileges vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows Privilege Abuse. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G. |
ChanCMS · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10211 | Medium | 6.3 | — | 2025-09-10 | A security vulnerability has been detected in yanyutao0402 ChanCMS 3.3.0. |
CVE-2025-10210 | Medium | 6.3 | — | 2025-09-10 | A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. |
CVE-2025-10110 | Medium | 6.3 | — | 2025-09-08 | A vulnerability was identified in ChanCMS up to 3.3.1. |
CVE-2025-10106 | Medium | 6.3 | — | 2025-09-08 | A vulnerability has been found in yanyutao0402 ChanCMS up to 3.3.1. |
CVE-2025-10105 | Medium | 6.3 | — | 2025-09-08 | A flaw has been found in yanyutao0402 ChanCMS up to 3.3.1. |
Lenovo · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8557 | High | 8.8 | — | 2025-09-11 | An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability: An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate t… |
CVE-2025-9201 | High | 7.8 | — | 2025-09-11 | A potential DLL hijacking vulnerability was discovered in Lenovo Browser during an internal security assessment that could allow a local user to execute code with elevated privileges. |
CVE-2025-9319 | High | 7.5 | — | 2025-09-11 | A potential vulnerability was reported in the Lenovo Wallpaper Client that could allow arbitrary code execution under certain conditions. |
CVE-2025-8061 | High | 7.0 | — | 2025-09-11 | A potential insufficient access control vulnerability was reported in the Lenovo Dispatcher 3.0 and Dispatcher 3.1 drivers used by some Lenovo consumer notebooks that could allow an authenticated local user to execute code with elevated pr… |
CVE-2025-9214 | Medium | 5.4 | — | 2025-09-11 | A missing authentication vulnerability was reported in some Lenovo printers that could allow a user to view limited device information or modify network settings via the CUPS service. |
Razormist · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10082 | High | 7.3 | — | 2025-09-08 | A vulnerability has been found in SourceCodester Online Polling System 1.0. |
CVE-2025-10078 | High | 7.3 | — | 2025-09-08 | A vulnerability was detected in SourceCodester Online Polling System 1.0. |
CVE-2025-10077 | High | 7.3 | — | 2025-09-08 | A security vulnerability has been detected in SourceCodester Online Polling System 1.0. |
CVE-2025-10076 | High | 7.3 | — | 2025-09-08 | A weakness has been identified in SourceCodester Online Polling System 1.0. |
CVE-2025-10075 | Low | 3.5 | — | 2025-09-08 | A security flaw has been discovered in SourceCodester Online Polling System 1.0. |
Wavlink · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10324 | High | 7.3 | — | 2025-09-12 | A vulnerability was determined in Wavlink WL-WN578W2 221110. |
CVE-2025-10323 | High | 7.3 | — | 2025-09-12 | A vulnerability was found in Wavlink WL-WN578W2 221110. |
CVE-2025-10325 | Medium | 6.3 | — | 2025-09-12 | A vulnerability was identified in Wavlink WL-WN578W2 221110. |
CVE-2025-10322 | Medium | 5.3 | — | 2025-09-12 | A vulnerability has been found in Wavlink WL-WN578W2 221110. |
CVE-2025-10321 | Medium | 5.3 | — | 2025-09-12 | A flaw has been found in Wavlink WL-WN578W2 221110. |
Xen · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58143 | Critical | 9.8 | — | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: … |
CVE-2025-58142 | Critical | 9.8 | — | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: … |
CVE-2025-27466 | Critical | 9.8 | — | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: … |
CVE-2025-58145 | High | 7.5 | — | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wro… |
CVE-2025-58144 | High | 7.5 | — | 2025-09-11 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wro… |
Zoom · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49458 | Medium | 6.5 | — | 2025-09-09 | Buffer overflow in certain Zoom Workplace Clients may allow an authenticated user to conduct a denial of service via network access. |
CVE-2025-58135 | Medium | 5.3 | — | 2025-09-09 | Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access. |
CVE-2025-58134 | Medium | 4.3 | — | 2025-09-09 | Incorrect authorization in certain Zoom Workplace Clients for Windows may allow an authenticated user to conduct an impact to integrity via network access. |
CVE-2025-49461 | Medium | 4.3 | — | 2025-09-09 | Cross-site scripting in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access. |
CVE-2025-49460 | Medium | 4.3 | — | 2025-09-09 | Uncontrolled resource consumption in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access. |
10OA · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10274 | Medium | 4.3 | — | 2025-09-12 | A security flaw has been discovered in erjinzhi 10OA 1.0. |
CVE-2025-10272 | Medium | 4.3 | — | 2025-09-11 | A vulnerability was determined in erjinzhi 10OA 1.0. |
CVE-2025-10271 | Medium | 4.3 | — | 2025-09-11 | A vulnerability was found in erjinzhi 10OA 1.0. |
CVE-2025-10273 | Low | 3.5 | — | 2025-09-12 | A vulnerability was identified in erjinzhi 10OA 1.0. |
Erlang · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48041 | — | — | — | 2025-09-11 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. |
CVE-2025-48040 | — | — | — | 2025-09-11 | Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. |
CVE-2025-48039 | — | — | — | 2025-09-11 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. |
CVE-2025-48038 | — | — | — | 2025-09-11 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. |
Ethyca · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-57816 | High | 7.5 | — | 2025-09-08 | Fides is an open-source privacy engineering platform. |
CVE-2025-57817 | High | 7.2 | — | 2025-09-08 | Fides is an open-source privacy engineering platform. |
CVE-2025-57815 | Medium | 6.5 | — | 2025-09-08 | Fides is an open-source privacy engineering platform. |
CVE-2025-57766 | Medium | 4.8 | — | 2025-09-08 | Fides is an open-source privacy engineering platform. |
Iocoder · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10278 | Medium | 6.3 | — | 2025-09-12 | A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. |
CVE-2025-10277 | Medium | 6.3 | — | 2025-09-12 | A vulnerability was detected in YunaiV yudao-cloud up to 2025.09. |
CVE-2025-10276 | Medium | 6.3 | — | 2025-09-12 | A security vulnerability has been detected in YunaiV ruoyi-vue-pro up to 2025.09. |
CVE-2025-10275 | Medium | 6.3 | — | 2025-09-12 | A weakness has been identified in YunaiV yudao-cloud up to 2025.09. |
Labredescefetrj · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58745 | Critical | 9.9 | — | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |
CVE-2025-58454 | High | 8.2 | — | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |
CVE-2025-58453 | High | 8.2 | — | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |
CVE-2025-58452 | Medium | 6.1 | — | 2025-09-08 | WeGIA is a Web manager for charitable institutions. |
Mayurik · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10085 | Medium | 6.3 | — | 2025-09-08 | A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. |
CVE-2025-10083 | Medium | 6.3 | — | 2025-09-08 | A vulnerability was determined in SourceCodester Pet Grooming Management Software 1.0. |
CVE-2025-10087 | Medium | 4.7 | — | 2025-09-08 | A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. |
CVE-2025-10081 | Medium | 4.7 | — | 2025-09-08 | A flaw has been found in SourceCodester Pet Management System 1.0. |
SAP · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-42920 | Medium | 6.1 | — | 2025-09-09 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. |
CVE-2025-42926 | Medium | 5.3 | — | 2025-09-09 | SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application. Upon successful exploitation, an unauthenticated attacker could access these fil… |
CVE-2025-42911 | Medium | 5.0 | — | 2025-09-09 | SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. |
CVE-2025-42918 | Medium | 4.3 | — | 2025-09-09 | SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. |
SolaX Power · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-36759 | — | — | — | 2025-09-10 | Through the provision of user names, SolaX Cloud will suggest (similar) user accounts and thereby leak sensitive information such as user email addresses and phone numbers. |
CVE-2025-36758 | — | — | — | 2025-09-10 | It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle. |
CVE-2025-36757 | — | — | — | 2025-09-10 | It is possible to bypass the administrator login screen on SolaX Cloud. |
CVE-2025-36756 | — | — | — | 2025-09-10 | A problem with missing authorization on SolaX Cloud platform allows taking over any SolaX solar panel inverter of which the serial number is known. |
Tautulli · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58762 | Critical | 9.1 | — | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |
CVE-2025-58761 | High | 8.6 | — | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |
CVE-2025-58760 | High | 8.6 | — | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |
CVE-2025-58763 | High | 8.0 | — | 2025-09-09 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. |
Utt · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10172 | High | 8.8 | — | 2025-09-09 | A flaw has been found in UTT 750W up to 3.2.2-191225. |
CVE-2025-10171 | High | 8.8 | — | 2025-09-09 | A vulnerability was detected in UTT 1250GW up to 3.2.2-200710. |
CVE-2025-10170 | High | 8.8 | — | 2025-09-09 | A security vulnerability has been detected in UTT 1200GW up to 3.0.0-170831. |
CVE-2025-10169 | High | 8.8 | — | 2025-09-09 | A weakness has been identified in UTT 1200GW up to 3.0.0-170831. |
Zabbix · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27240 | High | 7.2 | — | 2025-09-12 | A Zabbix administrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. |
CVE-2025-27238 | Low | 3.5 | — | 2025-09-12 | Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them. |
CVE-2025-27234 | — | — | — | 2025-09-12 | Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. |
CVE-2025-27233 | — | — | — | 2025-09-12 | Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. |
Apache · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48208 | High | 8.8 | — | 2025-09-09 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat. |
CVE-2025-24404 | High | 8.8 | — | 2025-09-09 | XML injection leading to remote code execution when parsing an HTTP sitemap XML response in Apache HertzBeat. |
CVE-2025-58782 | Medium | 6.5 | — | 2025-09-08 | Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. |
Carmelo · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10104 | High | 7.3 | — | 2025-09-08 | A security vulnerability has been detected in code-projects Online Event Judging System 1.0. |
CVE-2025-10103 | High | 7.3 | — | 2025-09-08 | A weakness has been identified in code-projects Online Event Judging System 1.0. |
CVE-2025-10102 | High | 7.3 | — | 2025-09-08 | A security flaw has been discovered in code-projects Online Event Judging System 1.0. |
Cisco · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20340 | High | 7.4 | — | 2025-09-10 | A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected… |
CVE-2025-20248 | Medium | 6.0 | — | 2025-09-10 | A vulnerability in the installation process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR Software image signature verification and load unsigned software on an affected device. |
CVE-2025-20159 | Medium | 5.3 | — | 2025-09-10 | A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features. This vu… |
Dreamstechnologies · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9114 | Critical | 9.8 | — | 2025-09-08 | The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.5.0. |
CVE-2025-9113 | Critical | 9.8 | — | 2025-09-08 | The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.5.3. |
CVE-2025-9112 | High | 8.8 | — | 2025-09-08 | The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.5.0. |
Halo · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-44594 | Critical | 9.1 | — | 2025-09-09 | halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url. |
CVE-2025-44595 | Medium | 6.1 | — | 2025-09-09 | Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}. |
CVE-2025-44593 | Medium | 6.1 | — | 2025-09-09 | Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. |
Itsourcecode · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10113 | High | 7.3 | — | 2025-09-09 | A security vulnerability has been detected in itsourcecode Student Information Management System 1.0. |
CVE-2025-10112 | High | 7.3 | — | 2025-09-09 | A weakness has been identified in itsourcecode Student Information Management System 1.0. |
CVE-2025-10111 | High | 7.3 | — | 2025-09-08 | A security flaw has been discovered in itsourcecode Student Information Management System 1.0. |
Jinher · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10092 | High | 7.3 | — | 2025-09-08 | A vulnerability was found in Jinher OA up to 1.2. |
CVE-2025-10091 | High | 7.3 | — | 2025-09-08 | A vulnerability has been found in Jinher OA up to 1.2. |
CVE-2025-10090 | High | 7.3 | — | 2025-09-08 | A flaw has been found in Jinher OA up to 1.2. |
Miczflor · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10328 | Medium | 6.3 | — | 2025-09-12 | A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. |
CVE-2025-10327 | Medium | 6.3 | — | 2025-09-12 | A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. |
CVE-2025-10326 | Medium | 6.3 | — | 2025-09-12 | A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. |
Monai · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58757 | High | 8.8 | — | 2025-09-09 | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. |
CVE-2025-58756 | High | 8.8 | — | 2025-09-09 | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. |
CVE-2025-58755 | High | 8.8 | — | 2025-09-09 | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. |
Nvidia · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23342 | High | 8.2 | — | 2025-09-09 | The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to a privileged account. |
CVE-2025-23343 | High | 7.6 | — | 2025-09-09 | The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to write files to restricted components. |
CVE-2025-23344 | High | 7.3 | — | 2025-09-09 | The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to run code on the platform host as a non-privileged user. |
Portabilis · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10073 | Medium | 4.3 | — | 2025-09-08 | A vulnerability was determined in Portabilis i-Educar up to 2.10. |
CVE-2025-10074 | Low | 3.5 | — | 2025-09-08 | A vulnerability was identified in Portabilis i-Educar up to 2.10. |
CVE-2025-10099 | Low | 2.4 | — | 2025-09-08 | A weakness has been identified in Portabilis i-Educar up to 2.10. |
Rathena · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58447 | Critical | 9.8 | — | 2025-09-09 | rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. |
CVE-2025-58448 | Critical | 9.1 | — | 2025-09-09 | rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. |
CVE-2025-58750 | High | 8.2 | — | 2025-09-09 | rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. |
Schneider Electric · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9997 | — | — | — | 2025-09-09 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in a SSH session. |
CVE-2025-9996 | — | — | — | 2025-09-09 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH sess… |
CVE-2025-7746 | — | — | — | 2025-09-09 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause unvalidated data injected by a malicious user to be rendered, potentially leading to modifying or reading data in a victim’s br… |
Updf · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10215 | High | 7.8 | — | 2025-09-10 | DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a FREngine.dll file of their choice in the 'C:\Users\Public\AppData\Loca… |
CVE-2025-10214 | High | 7.8 | — | 2025-09-10 | DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a FREngine.dll file of their choice in the 'C:\Users\<user>\AppData\Loca… |
CVE-2025-10213 | High | 7.8 | — | 2025-09-10 | DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a dxtn.dll file of their choice in the 'C:\Users\<user>\AppData\Local\Mi… |
Anthropic · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59041 | Critical | 9.8 | — | 2025-09-10 | Claude Code is an agentic coding tool. |
CVE-2025-58764 | Critical | 9.8 | — | 2025-09-10 | Claude Code is an agentic coding tool. |
Apostrophecms · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2014-125128 | Medium | 6.1 | — | 2025-09-08 | 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). |
CVE-2019-25225 | Medium | 6.1 | — | 2025-09-08 | `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). |
Ascensio System Sia · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10255 | Low | 3.5 | — | 2025-09-11 | A vulnerability was determined in Ascensio System SIA OnlyOffice up to 12.7.0. |
CVE-2025-10254 | Low | 3.5 | — | 2025-09-11 | A vulnerability was found in Ascensio System SIA OnlyOffice up to 12.7.0. |
Avigilon · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56267 | Critical | 9.8 | — | 2025-09-08 | A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted Excel file. |
CVE-2025-56266 | Critical | 9.8 | — | 2025-09-08 | A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL. |
Bender · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41682 | High | 8.8 | — | 2025-09-08 | An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password. |
CVE-2025-41708 | High | 7.4 | — | 2025-09-08 | Due to an insecure default configuration, HTTP is used instead of HTTPS for the web interface. |
Campcodes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10109 | High | 7.3 | — | 2025-09-08 | A vulnerability was determined in Campcodes Online Loan Management System 1.0. |
CVE-2025-10108 | High | 7.3 | — | 2025-09-08 | A vulnerability was found in Campcodes Online Loan Management System 1.0. |
Cdevroe · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10329 | Medium | 6.3 | — | 2025-09-12 | A vulnerability was detected in cdevroe unmark up to 1.9.3. |
CVE-2025-10330 | Medium | 4.3 | — | 2025-09-12 | A flaw has been found in cdevroe unmark up to 1.9.3. |
Cern · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59035 | Medium | 4.6 | — | 2025-09-10 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. |
CVE-2025-59034 | Medium | 4.3 | — | 2025-09-10 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. |
Crestron · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47415 | — | — | — | 2025-09-09 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal. This issue affects TOUCHSCREENS x70: from 3.000.0110.001 before 3.001.0031.001. |
CVE-2025-47416 | — | — | — | 2025-09-09 | A vulnerability exists in the ConsoleFindCommandMatchList function in libsymproc. |
Curl · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9086 | High | 7.5 | — | 2025-09-12 | 1. |
CVE-2025-10148 | Medium | 5.3 | — | 2025-09-12 | curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. |
D-link · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10123 | High | 7.3 | — | 2025-09-09 | A vulnerability was determined in D-Link DIR-823X up to 250416. |
CVE-2025-10093 | Medium | 5.3 | — | 2025-09-08 | A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09. |
Datahihi1 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58759 | Medium | 5.1 | — | 2025-09-09 | TinyEnv is an environment variable loader for PHP applications. |
CVE-2025-58758 | Medium | 5.1 | — | 2025-09-09 | TinyEnv is an environment variable loader for PHP applications. |
Delta Electronics · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58321 | Critical | 10.0 | — | 2025-09-11 | Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability. |
CVE-2025-58320 | High | 7.3 | — | 2025-09-11 | Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability. |
Digiever · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10264 | Critical | 10.0 | — | 2025-09-12 | Certain models of NVR developed by Digiever have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access the system configuration file and obtain plaintext credentials of the NVR and its conn… |
CVE-2025-10265 | High | 8.8 | — | 2025-09-12 | Certain models of NVR developed by Digiever have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. |
Equalize Digital · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58981 | Medium | 5.4 | — | 2025-09-09 | Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital accessibility-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equ… |
CVE-2025-58976 | Medium | 4.3 | — | 2025-09-09 | Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital accessibility-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equ… |
Evertz · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10365 | — | — | — | 2025-09-12 | The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. |
CVE-2025-10364 | — | — | — | 2025-09-12 | The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. |
Fortinet · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45325 | Medium | 6.7 | — | 2025-09-09 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiDDoS-F version 7.0.0 through 7.02 and before 6.6.3 may allow a privileged attacker to execute unauthori… |
CVE-2025-53609 | Medium | 4.9 | — | 2025-09-09 | A Relative Path Traversal vulnerability [CWE-23] in FortiWeb 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.2 through 7.0.11 may allow an authenticated attacker to perform an arbitrary file read on the underlying syste… |
Foxcms · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56630 | High | 7.3 | — | 2025-09-08 | FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Column.php file. |
CVE-2025-10251 | Medium | 6.3 | — | 2025-09-11 | A vulnerability was detected in FoxCMS up to 1.24. |
Frenify · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58997 | Critical | 9.6 | — | 2025-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow mow allows Code Injection. This issue affects Mow: from n/a through <= 4.10. |
CVE-2025-59005 | Medium | 4.3 | — | 2025-09-09 | Missing Authorization vulnerability in frenify Categorify categorify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Categorify: from n/a through <= 1.0.7.5. |
Hoverfly · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-54123 | Critical | 9.8 | — | 2025-09-10 | Hoverfly is an open source API simulation tool. |
CVE-2025-54376 | High | 7.5 | — | 2025-09-10 | Hoverfly is an open source API simulation tool. |
Jeecg · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10318 | Medium | 6.3 | — | 2025-09-12 | A vulnerability was identified in JeecgBoot up to 3.8.2. |
CVE-2025-10319 | Medium | 4.3 | — | 2025-09-12 | A security flaw has been discovered in JeecgBoot up to 3.8.2. |
Mikado Themes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9061 | Medium | 6.4 | — | 2025-09-09 | The Wilmer Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. |
CVE-2025-9058 | Medium | 6.4 | — | 2025-09-09 | The Mikado Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. |
Mythemeshop · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8425 | High | 8.8 | — | 2025-09-11 | The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including… |
CVE-2025-8423 | Medium | 5.4 | — | 2025-09-11 | The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1. |
Newtype Infortech · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10266 | Critical | 9.8 | — | 2025-09-12 | NUP Pro developed by NewType Infortech has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. |
CVE-2025-10267 | Medium | 5.3 | — | 2025-09-12 | NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files. |
Openprinting · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58060 | High | 8.0 | — | 2025-09-11 | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. |
CVE-2025-58364 | Medium | 6.5 | — | 2025-09-11 | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. |
Palo Alto Networks · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4235 | — | — | — | 2025-09-12 | An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. |
CVE-2025-4234 | — | — | — | 2025-09-12 | A problem with the Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack can result in exposure of user credentials in application logs. |
Prebid · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59039 | — | — | — | 2025-09-09 | Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. |
CVE-2025-59038 | — | — | — | 2025-09-09 | Prebid.js is a free and open source library for publishers to quickly implement header bidding. |
Roncoo · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10288 | Medium | 5.3 | — | 2025-09-12 | A vulnerability was found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. |
CVE-2025-10287 | Low | 3.1 | — | 2025-09-12 | A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. |
Rubengc · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9539 | High | 8.0 | — | 2025-09-09 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_impor… |
CVE-2025-9542 | Medium | 5.4 | — | 2025-09-09 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin… |
Samsung · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21043 | High | 8.8 | KEV | 2025-09-12 | Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code. |
CVE-2025-21042 | High | 8.8 | KEV | 2025-09-12 | Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code. |
Sim · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10097 | Medium | 6.3 | — | 2025-09-08 | A vulnerability was identified in SimStudioAI sim up to 1.0.0. |
CVE-2025-10096 | Medium | 6.3 | — | 2025-09-08 | A vulnerability was determined in SimStudioAI sim up to 1.0.0. |
Solwin · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47695 | High | 7.5 | — | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in solwin Blog Designer PRO blog-designer-pro. This issue affects Blog Designer PRO: from n/a through <= 3.4.7. |
CVE-2025-47694 | High | 7.1 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO blog-designer-pro. This issue affects Blog Designer PRO: from n/a through <= 3.4.7. |
Unknown · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9034 | Medium | 6.1 | — | 2025-09-11 | The Wp Edit Password Protected WordPress plugin before 1.3.5 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue. |
CVE-2025-3650 | Low | 3.5 | — | 2025-09-12 | The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrat… |
Vitejs · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58752 | Medium | 5.3 | — | 2025-09-08 | Vite is a frontend tooling framework for JavaScript. |
CVE-2025-58751 | Medium | 5.3 | — | 2025-09-08 | Vite is a frontend tooling framework for JavaScript. |
Webcodingplace · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9874 | High | 7.5 | — | 2025-09-11 | The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. |
CVE-2025-0763 | Medium | 4.3 | — | 2025-09-11 | The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.7. |
Xwiki · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-55728 | Critical | 10.0 | — | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. |
CVE-2025-55727 | Critical | 10.0 | — | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. |
Xwikisas · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-55730 | Critical | 10.0 | — | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. |
CVE-2025-55729 | Critical | 10.0 | — | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. |
Yonifre · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9979 | Medium | 4.3 | — | 2025-09-10 | The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. |
CVE-2025-9888 | Medium | 4.3 | — | 2025-09-10 | The Maspik – Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. |
Zoom Communications, Inc · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49459 | High | 7.8 | — | 2025-09-09 | Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6.5.0 may allow an authenticated user to conduct an escalation of privilege via local access. |
CVE-2025-58131 | Medium | 6.6 | — | 2025-09-09 | Race condition in the Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon before version 6.4.10 (or before 6.2.15 and 6.3.12 in their respective tracks) may allow an authenticated user to conduct a disclosure of informat… |
51mis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5005 | High | 7.3 | — | 2025-09-09 | A vulnerability was detected in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.5.4. |
9001 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58753 | High | 7.5 | — | 2025-09-09 | Copyparty is a portable file server. |
Aaluoxiang · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-29592 | Medium | 5.6 | — | 2025-09-10 | oasys v1.1 is vulnerable to Directory Traversal in ProcedureController. |
Akoskm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-54994 | — | — | — | 2025-09-08 | @akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. |
Alexandre Froger · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30875 | Medium | 5.9 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexandre Froger WP Weixin wp-weixin allows Stored XSS. This issue affects WP Weixin: from n/a through <= 1.3.16. |
Ami · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-33045 | High | 8.2 | — | 2025-09-09 | APTIOV contains vulnerabilities in the BIOS where a privileged user may cause “Write-what-where Condition” and “Exposure of Sensitive Information to an Unauthorized Actor” through local access. |
Amped Rf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9994 | Critical | 9.8 | — | 2025-09-09 | The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access. |
Andy_moyle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39553 | Medium | 4.3 | — | 2025-09-09 | Missing Authorization vulnerability in andy_moyle Church Admin church-admin. This issue affects Church Admin: from n/a through <= 5.0.9. |
Angular · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59052 | — | — | — | 2025-09-10 | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. |
Antoineh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58987 | Medium | 6.5 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool football-pool allows Stored XSS. This issue affects Football Pool: from n/a through <= 2.12.6. |
Arjunthakur · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6189 | Medium | 6.5 | — | 2025-09-10 | The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of suf… |
Arm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3212 | Medium | 5.3 | — | 2025-09-08 | Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU memory processing oper… |
Aurelienlws · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8575 | High | 7.2 | — | 2025-09-12 | The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. |
Awesomesupport · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53340 | Medium | 5.3 | — | 2025-09-09 | Missing Authorization vulnerability in awesomesupport Awesome Support awesome-support allows Retrieve Embedded Sensitive Data. This issue affects Awesome Support: from n/a through <= 6.3.6. |
Axios · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58754 | High | 7.5 | — | 2025-09-12 | Axios is a promise based HTTP client for the browser and Node.js. |
Azon Dominator · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40725 | — | — | — | 2025-09-10 | Reflected Cross-Site Scripting (XSS) vulnerability in Azon Dominator. |
Azurecurve · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8398 | Medium | 6.4 | — | 2025-09-11 | The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplie… |
Bearsthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10134 | Critical | 9.1 | — | 2025-09-09 | The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. |
Beckhoff · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41701 | High | 7.8 | — | 2025-09-09 | An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. |
Benimpos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-57392 | High | 7.8 | — | 2025-09-10 | BenimPOS Masaustu 3.0.x is affected by insecure file permissions. |
Berqwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58979 | Medium | 5.3 | — | 2025-09-09 | Missing Authorization vulnerability in BerqWP BerqWP searchpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BerqWP: from n/a through <= 2.2.53. |
Bessermitfahren · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8392 | Medium | 6.4 | — | 2025-09-11 | The Mitfahrgelegenheit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘date’ parameter in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. |
Beyondcart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8570 | Critical | 9.8 | — | 2025-09-11 | The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. |
Binary-husky · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10236 | Medium | 4.3 | — | 2025-09-11 | A vulnerability has been found in binary-husky gpt_academic up to 3.91. |
Bmarshall511 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8318 | Medium | 6.4 | — | 2025-09-11 | The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘keyword’ parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. |
Broadcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9059 | — | — | — | 2025-09-11 | The Altiris Core Agent Updater package (AeXNSC.exe) is prone to an elevation of privileges vulnerability through DLL hijacking. |
Catfolders · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9776 | Medium | 6.5 | — | 2025-09-11 | The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user… |
Cbutlerjr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9489 | Medium | 5.0 | — | 2025-09-09 | The The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. |
Chuck24 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10117 | Low | 3.5 | — | 2025-09-09 | A weakness has been identified in SourceCodester Simple To-Do List System 1.0. |
Codecept · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-57285 | Critical | 9.8 | — | 2025-09-08 | codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). |
Convers Lab · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32689 | High | 7.5 | — | 2025-09-09 | Improper Validation of Specified Quantity in Input vulnerability in Convers Lab WP SmartPay smartpay. This issue affects WP SmartPay: from n/a through <= 2.8.2. |
Coredns · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58063 | High | 7.1 | — | 2025-09-09 | CoreDNS is a DNS server that chains plugins. |
Cristiano Zanca · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58991 | High | 7.1 | — | 2025-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in Cristiano Zanca WooCommerce Booking Bundle Hours allows Stored XSS. |
Cssigniterteam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8689 | Medium | 6.4 | — | 2025-09-11 | The Elements Plus! |
Cyberchimps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8215 | Medium | 6.4 | — | 2025-09-11 | The Responsive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user suppl… |
Daikin Europe N.v · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10127 | Critical | 9.8 | — | 2025-09-11 | Daikin Europe N.V Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. |
Danny-avila · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6088 | Low | 3.1 | — | 2025-09-11 | In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. |
Dasinfomedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7049 | High | 8.8 | — | 2025-09-10 | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. |
Dejocar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9880 | Medium | 6.1 | — | 2025-09-12 | The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. |
Devitems · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58990 | Medium | 6.5 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DevItems ShopLentor woolentor-addons allows Stored XSS. This issue affects ShopLentor: from n/a through <= 3.2.0. |
Display Painéis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10245 | Medium | 4.3 | — | 2025-09-11 | A security flaw has been discovered in Display Painéis TGA up to 7.1.41. |
Dji · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10250 | Medium | 5.0 | — | 2025-09-11 | A weakness has been identified in DJI Mavic Spark, Mavic Air and Mavic Mini 01.00.0500. |
Dontcare · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9623 | Medium | 4.3 | — | 2025-09-11 | The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. |
Dpgaspar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58065 | Medium | 6.5 | — | 2025-09-11 | Flask-AppBuilder is an application development framework. |
Dstack-tee · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59054 | — | — | — | 2025-09-12 | dstack is a software development kit (SDK) to simplify the deployment of arbitrary containerized apps into trusted execution environments. |
Duckdb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59037 | — | — | — | 2025-09-09 | DuckDB is an analytical in-process SQL database management system. |
Easeus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-50892 | High | 7.8 | — | 2025-09-10 | The eudskacs.sys driver version 20250328 shipped with EaseUs Todo Backup 1.2.0.1 fails to properly validate privileges for I/O requests (IRP_MJ_READ/IRP_MJ_WRITE) sent to its device object. |
Edsteep · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9620 | Medium | 6.1 | — | 2025-09-11 | The Seo Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.3. |
Eideasy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9128 | Medium | 6.4 | — | 2025-09-11 | The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitization and output escaping. |
Eladmin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10084 | Medium | 4.3 | — | 2025-09-08 | A vulnerability was identified in elunez eladmin up to 2.7. |
Elangovan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9877 | Medium | 6.4 | — | 2025-09-12 | The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user… |
Element-plus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-57665 | Medium | 6.4 | — | 2025-09-09 | Element Plus Link component (el-link) through 2.10.6 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. |
Eliehanna · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8889 | Low | 3.8 | — | 2025-09-09 | The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in mult… |
Emiloi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10118 | High | 7.3 | — | 2025-09-09 | A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. |
Evenium · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9850 | Medium | 6.4 | — | 2025-09-11 | The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'evenium_single_event' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user… |
Evidentlycube · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9617 | Medium | 5.3 | — | 2025-09-11 | The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. |
Fassionstorage · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8422 | High | 7.5 | — | 2025-09-11 | The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. |
Fernandiez · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7843 | Medium | 6.4 | — | 2025-09-10 | The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. |
Ffmpeg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9951 | — | — | — | 2025-09-09 | A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000. |
Fit2cloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56413 | High | 8.8 | — | 2025-09-10 | OS Command injection vulnerability in function OperateSSH in 1panel 2.0.8 allowing attackers to execute arbitrary commands via the operation parameter to the /api/v2/hosts/ssh/operate endpoint. |
Flowiseai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58434 | Critical | 9.8 | — | 2025-09-12 | Flowise is a drag & drop user interface to build a customized large language model flow. |
Fuyang_lipengjun · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10086 | Medium | 6.3 | — | 2025-09-08 | A weakness has been identified in fuyang_lipengjun platform 1.0.0. |
Fwdesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49430 | High | 7.2 | — | 2025-09-09 | Server-Side Request Forgery (SSRF) vulnerability in FWDesign Ultimate Video Player fwduvp allows Server Side Request Forgery. This issue affects Ultimate Video Player: from n/a through <= 10.1. |
Gavias · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58215 | High | 8.1 | — | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Ziston ziston allows PHP Local File Inclusion. This issue affects Ziston: from n/a through < 1.4.5. |
Geeeeeeeek · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-48341 | Low | 3.7 | — | 2025-09-08 | dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=addShop |
Germanpearls · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9018 | High | 8.8 | — | 2025-09-11 | The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and incl… |
Goodbarber · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39523 | Medium | 4.7 | — | 2025-09-09 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in GoodBarber GoodBarber goodbarber. This issue affects GoodBarber: from n/a through <= 1.0.26. |
Google · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10201 | High | 8.8 | — | 2025-09-10 | Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site isolation via a crafted HTML page. |
Google Cloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9918 | — | — | — | 2025-09-11 | A Path Traversal vulnerability in the archive extraction component in Google SecOps SOAR Server (versions 6.3.54.0, 6.3.53.2, and all prior versions) allows an authenticated attacker with permissions to import Use Cases to achieve Remote C… |
Grandstream Networks · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40979 | — | — | — | 2025-09-10 | DLL search order hijacking vulnerability in the wave.exe executable for Windows 11, version 1.27.8. |
Gyaku · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9631 | Medium | 4.3 | — | 2025-09-11 | The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. |
Heateor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9857 | Medium | 6.4 | — | 2025-09-10 | The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitizatio… |
Helmut Wandl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58975 | Medium | 4.3 | — | 2025-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through <= 3.1.1. |
Highwarden · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47571 | High | 7.5 | — | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in highwarden Super Store Finder superstorefinder-wp allows PHP Local File Inclusion. This issue affects Super Store Finde… |
Himmelblau-idm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59044 | Medium | 4.4 | — | 2025-09-09 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. |
Hjsoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10197 | Medium | 6.3 | — | 2025-09-10 | A vulnerability was found in HJSoft HCM Human Resources Management System up to 20250822. |
Hono · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59139 | Medium | 5.3 | — | 2025-09-12 | Hono is a Web application framework that provides support for any JavaScript runtime. |
Hossein · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32486 | Critical | 9.8 | — | 2025-09-09 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard material-dashboard. This issue affects Material Dashboard: from n/a through <= 1.4.6. |
Huggingface · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6638 | High | 7.5 | — | 2025-09-12 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. |
Iambriansreed · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8280 | Medium | 5.8 | — | 2025-09-12 | The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. |
Ideaboxcreations · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8388 | Medium | 6.4 | — | 2025-09-10 | The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor_url’ parameter in all versions up to, and including, 2.9.4 due to insufficient input… |
Idiatech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8417 | High | 8.1 | — | 2025-09-11 | The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. |
Ieaturanium238 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58451 | — | — | — | 2025-09-08 | Cattown is a JavaScript markdown parser. |
Info@welcart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58984 | Medium | 5.9 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Stored XSS. This issue affects Welcart e-Commerce: from n/a through <= 2.11.20. |
Instantcms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59055 | Medium | 4.7 | — | 2025-09-11 | InstantCMS is a free and open source content management system. |
Intelbras · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-55976 | High | 8.4 | — | 2025-09-10 | Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint. |
Intelliants · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56556 | Low | 3.8 | — | 2025-09-11 | An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel - to gain escalated privileges in the context of the SQL quer… |
Isc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8696 | High | 7.5 | — | 2025-09-10 | If an unauthenticated user sends a large amount of data to the Stork UI, it may cause memory and disk use problems for the system running the Stork server. |
Ishan001 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9635 | Medium | 4.3 | — | 2025-09-11 | The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. |
Itcube Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5993 | — | — | — | 2025-09-08 | ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. |
Iteachyou · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10320 | Low | 3.1 | — | 2025-09-12 | A vulnerability was detected in iteachyou Dreamer CMS up to 4.1.3.2. |
Izem · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9627 | Medium | 4.3 | — | 2025-09-11 | The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. |
Jegerwan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9634 | Medium | 4.3 | — | 2025-09-11 | The Plugin updates blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. |
Jensg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9881 | Medium | 6.1 | — | 2025-09-12 | The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. |
Jh5ru · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9628 | Medium | 4.3 | — | 2025-09-11 | The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. |
Joe Dolson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58988 | Medium | 6.5 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Dolson My Tickets my-tickets allows Stored XSS. This issue affects My Tickets: from n/a through <= 2.0.22. |
Junkurihara · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59058 | Medium | 5.9 | — | 2025-09-12 | httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. |
Kalcaddle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10233 | Medium | 6.3 | — | 2025-09-10 | A security vulnerability has been detected in kalcaddle kodbox 1.61. |
Kamilkhan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8692 | Medium | 4.9 | — | 2025-09-11 | The Coupon API plugin for WordPress is vulnerable to SQL Injection via the ‘log_duration’ parameter in all versions up to, and including, 6.2.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation… |
Khaledsaikat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9693 | High | 8.0 | — | 2025-09-11 | The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and includi… |
Kiosoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8699 | Critical | 9.1 | — | 2025-09-12 | Some "Stored Value" Unattended Payment Solutions of KioSoft use vulnerable NFC cards. |
Knadh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58430 | Medium | 6.1 | — | 2025-09-09 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. |
Kovah · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53838 | Medium | 5.4 | — | 2025-09-08 | LinkAce is a self-hosted archive to collect website links. |
Laborator · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53348 | Medium | 5.3 | — | 2025-09-09 | Missing Authorization vulnerability in Laborator Kalium kalium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Kalium: from n/a through <= 3.18.3. |
Laki_patel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7826 | Medium | 6.5 | — | 2025-09-10 | The Testimonial plugin for WordPress is vulnerable to SQL Injection via the 'iNICtestimonial' shortcode in all versions up to, and including, 2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio… |
Langchaingo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9556 | Critical | 9.8 | — | 2025-09-12 | Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3. Gonja supports include and extends syntax to read files, which leads to a server side template injection vulnerabi… |
Lb-link · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-57278 | High | 8.8 | — | 2025-09-09 | The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. |
Lexmark · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9269 | — | — | — | 2025-09-09 | A Server-Side Request Forgery (SSRF) vulnerability has been identified in the embedded web server in various Lexmark devices. |
Libxml2 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9714 | Medium | 6.2 | — | 2025-09-10 | Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. |
Linlinjava · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10291 | Medium | 6.3 | — | 2025-09-12 | A weakness has been identified in linlinjava litemall up to 1.8.0. |
Litespeed Technologies · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47437 | Medium | 6.4 | — | 2025-09-09 | Server-Side Request Forgery (SSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache. This issue affects LiteSpeed Cache: from n/a through <= 7.0.1. |
Litmus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56405 | High | 7.5 | — | 2025-09-10 | An issue was discovered in litmusautomation litmus-mcp-server thru 0.0.1 allowing unauthorized attackers to control the target's MCP service through the SSE protocol. |
Livingos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9861 | Medium | 6.4 | — | 2025-09-11 | The ThemeLoom Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'los_showposts' shortcode in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping on us… |
Lmsys · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10164 | High | 7.3 | — | 2025-09-09 | A security flaw has been discovered in lmsys sglang 0.4.6. |
Lokibhardwaj · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10246 | Low | 3.5 | — | 2025-09-11 | A weakness has been identified in lokibhardwaj PHP-Code-For-Unlimited-File-Upload up to 124fe96324915490c81eaf7db3234b0b4e4bab3c. |
Lostvip · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10218 | Medium | 6.3 | — | 2025-09-10 | A flaw has been found in lostvip-com ruoyi-go 2.1. |
Maccms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10122 | Medium | 4.7 | — | 2025-09-09 | A vulnerability was found in Maccms10 2025.1000.4050. |
Maheshmthorat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9073 | High | 7.5 | — | 2025-09-11 | The All in one Minifier plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio… |
Mahocommerce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58449 | — | — | — | 2025-09-08 | Maho is a free and open source ecommerce platform. |
Majestic Support · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49860 | Medium | 5.3 | — | 2025-09-09 | Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support. This issue affects Majestic Support: from n/a through <= 1.1.0. |
Manchumahara · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9123 | Medium | 6.4 | — | 2025-09-11 | The CBX Map for Google Map & OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup heading and location address parameters in all versions up to, and including, 2.0.1 due to insufficient input saniti… |
Mariadb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56404 | High | 7.5 | — | 2025-09-10 | An issue was discovered in MariaDB MCP 0.1.0 allowing attackers to gain sensitive information via the SSE service as the SSE service lacks user validation. |
Markohoven · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10126 | Medium | 6.4 | — | 2025-09-10 | The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user sup… |
Martins56 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10142 | Medium | 4.9 | — | 2025-09-10 | The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and la… |
Masterlifecrm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56466 | High | 7.5 | — | 2025-09-10 | Hardcoded credentials in Dietly v1.25.0 for android allows attackers to gain sensitive information. |
Matrix-org · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59047 | — | — | — | 2025-09-11 | matrix-sdk-base is the base component to build a Matrix client library. |
Mdimran41 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8481 | Medium | 4.3 | — | 2025-09-11 | The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. |
Metaphorcreations · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8085 | High | 8.6 | — | 2025-09-08 | The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. |
Mezereon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-55998 | High | 8.1 | — | 2025-09-08 | A cross-site scripting (XSS) vulnerability in Smart Search & Filter Shopify and BigCommerce apps allows a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into several filter pa… |
Miriamgoldman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8721 | Medium | 6.4 | — | 2025-09-11 | The Workable Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's workable_jobs shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supp… |
Mlehmann · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40928 | High | 7.5 | — | 2025-09-08 | JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. |
Mockoon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59049 | High | 7.5 | — | 2025-09-10 | Mockoon provides way to design and run mock APIs. |
Modelcontextprotocol · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58444 | — | — | — | 2025-09-08 | The MCP inspector is a developer tool for testing and debugging MCP servers. |
Moeru-ai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59053 | Critical | 9.6 | — | 2025-09-11 | AIRI is a self-hosted, artificial intelligence based Grok Companion. |
Moreirapontocom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8316 | Medium | 6.4 | — | 2025-09-11 | The Certifica WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘evento’ parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. |
Multi-purpose Inventory Management System · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40641 | — | — | — | 2025-09-08 | Cross-site Scripting (XSS) vulnerability stored in Multi-Purpose Inventory Management System, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request using the product_name parameter in /Controll… |
N-able · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10231 | High | 7.0 | — | 2025-09-10 | An Incorrect File Handling Permission bug exists on the N-central Windows Agent and Probe that, in the right circumstances, can allow a local low-level user to run commands with elevated permissions. |
N8n · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56265 | High | 8.8 | — | 2025-09-08 | An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file. |
Natata7 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9860 | Medium | 6.4 | — | 2025-09-11 | The Mixtape plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mixtape' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attrib… |
Nebojsa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32688 | Medium | 5.4 | — | 2025-09-09 | Missing Authorization vulnerability in Nebojsa Target Video Easy Publish brid-video-easy-publish. This issue affects Target Video Easy Publish: from n/a through <= 3.8.9. |
Neo4j · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10193 | — | — | — | 2025-09-11 | DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user… |
Nik00726 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10049 | High | 7.2 | — | 2025-09-10 | The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. |
Ninofiliu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59046 | Critical | 9.8 | — | 2025-09-09 | The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. |
Nitropack · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8778 | Medium | 4.3 | — | 2025-09-10 | The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. |
Octoprint · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58180 | High | 8.8 | — | 2025-09-09 | OctoPrint provides a web interface for controlling consumer 3D printers. |
Opentext · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8716 | — | — | — | 2025-09-11 | In Content Management versions 20.4-25.3 authenticated attackers may exploit a complex cache poisoning technique to download unprotected files from the server if the filenames are known. |
Opexus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58462 | Critical | 9.8 | — | 2025-09-09 | OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. |
Opsmill · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59036 | Medium | 5.5 | — | 2025-09-09 | Infrahub offers a central hub to manage data, templates, and playbooks. |
Oretnom23 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10100 | High | 7.3 | — | 2025-09-08 | A vulnerability was detected in SourceCodester Simple Forum Discussion System 1.0. |
Osc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58435 | — | — | — | 2025-09-09 | Open OnDemand is an open-source HPC portal. |
Papermerge · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10209 | Medium | 5.4 | — | 2025-09-10 | A security flaw has been discovered in Papermerge DMS up to 3.5.3. |
Peachpay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9463 | Medium | 6.5 | — | 2025-09-10 | The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 1.117.5 due to… |
Pega · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8681 | Medium | 5.5 | — | 2025-09-10 | Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. |
Pixel_prime · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7718 | High | 8.8 | — | 2025-09-10 | The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4. |
Pixeline · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58982 | Medium | 5.9 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline's Email Protector pixelines-email-protector allows Stored XSS. This issue affects Pixeline's Email Protector: from n/a t… |
Pjuhasz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40930 | High | 7.5 | — | 2025-09-08 | JSON::SIMD before version 1.07 and earlier for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. |
Presstigers · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59008 | High | 7.6 | — | 2025-09-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PressTigers ZIP Code Based Content Protection zip-code-based-content-protection allows SQL Injection. This issue affects ZIP Code Based Co… |
Prest · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58450 | — | — | — | 2025-09-08 | pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. |
Proximus Sp. Z O.o. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10095 | — | — | — | 2025-09-09 | A SQL injection vulnerability has been identified in the SMPP server component of the SMSEagle firmware, specifically affecting the handling of certain parameters within the server's database interactions. |
Pyinstaller · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59042 | — | — | — | 2025-09-09 | PyInstaller bundles a Python application and all its dependencies into a single package. |
Quantumcloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9111 | Low | 3.5 | — | 2025-09-09 | The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_htm… |
Recorp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58980 | Medium | 5.3 | — | 2025-09-09 | Missing Authorization vulnerability in recorp Export WP Page to Static HTML/CSS export-wp-page-to-static-html allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Export WP Page to Static HTML/CSS: from n/a th… |
Red Hat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8277 | Low | 3.1 | — | 2025-09-09 | A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. |
Rejuancse · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5801 | Medium | 6.4 | — | 2025-09-11 | The Digital Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘column’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. |
Rems · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10088 | Low | 3.5 | — | 2025-09-08 | A vulnerability was detected in SourceCodester Time Tracker 1.0. |
Rhys Wynne · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58977 | Medium | 4.9 | — | 2025-09-09 | Server-Side Request Forgery (SSRF) vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Server Side Request Forgery. This issue affects WP eBay Product Feeds: from n/a through <= 3.4.8. |
Ricoh Company, Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58422 | Low | 3.1 | — | 2025-09-08 | RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. |
Roland Murg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-39541 | Medium | 6.5 | — | 2025-09-09 | Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar wp-simple-booking-calendar. This issue affects WP Simple Booking Calendar: from n/a through <= 2.0.13. |
Running-elephant · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10080 | Low | 3.1 | — | 2025-09-08 | A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. |
Rurban · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40929 | Medium | 5.6 | — | 2025-09-08 | Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. |
Saleor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58442 | Medium | 5.3 | — | 2025-09-09 | Saleor is an e-commerce platform. |
Seat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10252 | Low | 3.1 | — | 2025-09-11 | A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. |
Shaikhaezaz80 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8445 | Medium | 6.4 | — | 2025-09-11 | The Countdown Timer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'countdown_label' Parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. |
Shawfactor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9633 | Medium | 4.3 | — | 2025-09-11 | The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83. |
Shibboleth · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9943 | Critical | 9.1 | — | 2025-09-10 | An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. |
Silabs.com · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7448 | — | — | — | 2025-09-12 | Wi-SUN unexpected 4-Way Handshake packet receptions may lead to predictable keys and potentially to a Man in the middle (MitM) attack. |
Silverplugins217 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58989 | Medium | 6.5 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silverplugins217 Dynamic Text Field For Contact Form 7 dynamic-text-field-for-contact-form-7 allows Stored XSS. This issue affects Dynamic… |
Slowmove · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9879 | Medium | 6.4 | — | 2025-09-12 | The Spotify Embed Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotify' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user… |
Smackcoders · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10040 | High | 7.7 | — | 2025-09-10 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. |
Smartcatai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9451 | Medium | 6.5 | — | 2025-09-11 | The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.72 due to insufficient escaping on the user supplied parameter and lack o… |
Softmus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8691 | Medium | 6.4 | — | 2025-09-11 | The WP Scriptcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. |
Sophos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10159 | Critical | 9.8 | — | 2025-09-09 | An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7). |
Spoddev2021 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53291 | Medium | 5.4 | — | 2025-09-09 | Missing Authorization vulnerability in spoddev2021 Spreadconnect wc-spod. This issue affects Spreadconnect: from n/a through <= 2.1.5. |
Sqlite · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7709 | — | — | — | 2025-09-08 | An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. |
Stalwartlabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59045 | — | — | — | 2025-09-10 | Stalwart is a mail and collaboration server. |
Stefano Lissa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58983 | Medium | 5.9 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stefano Lissa Include Me include-me allows Stored XSS. This issue affects Include Me: from n/a through <= 1.3.2. |
Stellarwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9807 | High | 7.5 | — | 2025-09-12 | The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient pr… |
Teccom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10183 | Critical | 9.1 | — | 2025-09-09 | A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. |
Tenda · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10120 | High | 8.8 | — | 2025-09-09 | A vulnerability was detected in Tenda AC20 up to 16.03.08.12. |
Theme-spirit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10269 | High | 7.5 | — | 2025-09-12 | The Spirit Framework plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.13. |
Themegoods · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47579 | Critical | 9.0 | — | 2025-09-09 | Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection. This issue affects Photography: from n/a through <= 7.7.2. |
Thememove · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53303 | High | 8.8 | — | 2025-09-09 | Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core thememove-core allows Object Injection. This issue affects ThemeMove Core: from n/a through <= 1.4.2. |
Themeum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58993 | High | 7.6 | — | 2025-09-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS tutor allows SQL Injection. This issue affects Tutor LMS: from n/a through <= 3.7.4. |
Thinkinai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58768 | Critical | 9.6 | — | 2025-09-09 | DeepChat is a smart assistant that uses artificial intelligence. |
Trendnet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10107 | Medium | 4.7 | — | 2025-09-09 | A vulnerability has been found in TRENDnet TEW-831DR 1.0 (601.130.1.1410). |
Tvcnet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10176 | High | 7.2 | — | 2025-09-12 | The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. |
Uscnanbu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9367 | Medium | 5.5 | — | 2025-09-10 | The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. |
Uxper · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-54709 | High | 8.1 | — | 2025-09-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Sala. |
Villatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47570 | High | 7.1 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews. This issue affects WooCommerce Photo Reviews: from n/a through <= 1.3.13. |
Vinzzb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9632 | Medium | 4.3 | — | 2025-09-11 | The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. |
Volkovlabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58746 | Critical | 9.0 | — | 2025-09-08 | The Volkov Labs Business Links panel for Grafana provides an interface to navigate using external links, internal dashboards, time pickers, and dropdown menus. |
Wago · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41664 | High | 7.5 | — | 2025-09-08 | A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g., FTP/SFTP). |
Webdevstudios · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48101 | High | 8.8 | — | 2025-09-09 | Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. |
Webrecorder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58765 | High | 7.1 | — | 2025-09-09 | wabac.js provides a full web archive replay system, or 'wayback machine', using Service Workers. |
Webwork · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40642 | — | — | — | 2025-09-08 | Reflected Cross-Site Scripting (XSS) vulnerability in WebWork, which allows remote attackers to execute arbitrary code through the 'q' and 'engine' request parameters in /search. |
Welotec · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41714 | High | 8.8 | — | 2025-09-10 | The upload endpoint insufficiently validates the 'Upload-Key' request header. |
Wen-solutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8686 | Medium | 6.4 | — | 2025-09-11 | The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WP_EASY_FAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user suppli… |
Wind River Studio Developer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-26499 | Medium | 6.0 | — | 2025-09-11 | Under heavy system utilization a random race condition can occur during authentication or token refresh operation. |
Wireless Tsukamoto Co., Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58781 | Medium | 4.8 | — | 2025-09-12 | WTW-EAGLE App does not properly validate server certificates, which may allow a man-in-the-middle attacker to monitor encrypted traffic. |
Wordpresschef · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8492 | Medium | 5.3 | — | 2025-09-11 | The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and… |
Wp Swings · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58978 | Medium | 5.3 | — | 2025-09-09 | Missing Authorization vulnerability in WP Swings PDF Generator for WordPress pdf-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Generator for WordPress: from n/a through <= 1… |
Wpallimport · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10001 | High | 7.2 | — | 2025-09-10 | The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. |
Wpblast · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9622 | Medium | 4.3 | — | 2025-09-10 | The WP Blast | SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. |
Wpfactory · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58985 | Medium | 6.5 | — | 2025-09-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce product-tabs-for-woocommerce allows Stored XSS. This issue affects Additional Cus… |
Wpswings · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47569 | Critical | 9.3 | — | 2025-09-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card woocommerce-ultimate-gift-card allows Blind SQL Injection. This issue affects WooCommerce Ultimate… |
Xwiki-contrib · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58365 | — | — | — | 2025-09-08 | The XWiki blog application allows users of the XWiki platform to create and manage blog posts. |
Zhenshi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5500 | Medium | 5.3 | — | 2025-09-09 | A flaw has been found in ZhenShi Mibro Fit App 1.6.3.17499 on Android. |
Zohoflow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8479 | Medium | 4.3 | — | 2025-09-11 | The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. |
Zuotian · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9855 | Medium | 6.4 | — | 2025-09-11 | The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug_authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping… |