Patch Tuesday — November 2025

2025-11-11 · 896 CVEs

CVEs published or modified the week of 2025-11-11, partitioned by vendor.

Microsoft (107 CVEs)

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-13032 | Critical | 9.9 |  | 2025-11-11 | Double fetch in sandbox kernel driver in Avast/AVG Antivirus <25.3 on Windows allows a local attacker to escalate privileges via a pool overflow.
CVE-2025-60724 | Critical | 9.8 |  | 2025-11-11 | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
CVE-2025-13042 | High | 8.8 |  | 2025-11-12 | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-62222 | High | 8.8 |  | 2025-11-11 | Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network.
CVE-2025-62220 | High | 8.8 |  | 2025-11-11 | Heap-based buffer overflow in Windows Subsystem for Linux GUI allows an unauthorized attacker to execute code over a network.
CVE-2025-59499 | High | 8.8 |  | 2025-11-11 | Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
CVE-2025-12727 | High | 8.8 |  | 2025-11-10 | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-12725 | High | 8.8 |  | 2025-11-10 | Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVE-2025-12432 | High | 8.8 |  | 2025-11-10 | Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-12429 | High | 8.8 |  | 2025-11-10 | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.
CVE-2025-12428 | High | 8.8 |  | 2025-11-10 | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.
CVE-2025-62211 | High | 8.7 |  | 2025-11-11 | Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.
CVE-2025-62210 | High | 8.7 |  | 2025-11-11 | Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.
CVE-2025-30398 | High | 8.1 |  | 2025-11-11 | Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network.
CVE-2025-62452 | High | 8.0 |  | 2025-11-11 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
CVE-2025-62204 | High | 8.0 |  | 2025-11-11 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2025-60715 | High | 8.0 |  | 2025-11-11 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
CVE-2025-64531 | High | 7.8 |  | 2025-11-11 | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61835 | High | 7.8 |  | 2025-11-11 | Substance3D - Stager versions 3.1.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61834 | High | 7.8 |  | 2025-11-11 | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61833 | High | 7.8 |  | 2025-11-11 | Substance3D - Stager versions 3.1.5 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
CVE-2025-62216 | High | 7.8 |  | 2025-11-11 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-62205 | High | 7.8 |  | 2025-11-11 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2025-62203 | High | 7.8 |  | 2025-11-11 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62201 | High | 7.8 |  | 2025-11-11 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62200 | High | 7.8 |  | 2025-11-11 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62199 | High | 7.8 |  | 2025-11-11 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-61831 | High | 7.8 |  | 2025-11-11 | Illustrator versions 28.7.10, 29.8.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61820 | High | 7.8 |  | 2025-11-11 | Illustrator versions 28.7.10, 29.8.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61819 | High | 7.8 |  | 2025-11-11 | Photoshop Desktop versions 26.8.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-60727 | High | 7.8 |  | 2025-11-11 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-60721 | High | 7.8 |  | 2025-11-11 | Privilege context switching error in Windows Administrator Protection allows an authorized attacker to elevate privileges locally.
CVE-2025-60720 | High | 7.8 |  | 2025-11-11 | Buffer over-read in Windows TDX.sys allows an authorized attacker to elevate privileges locally.
CVE-2025-60718 | High | 7.8 |  | 2025-11-11 | Untrusted search path in Windows Administrator Protection allows an authorized attacker to elevate privileges locally.
CVE-2025-60714 | High | 7.8 |  | 2025-11-11 | Heap-based buffer overflow in Windows OLE allows an unauthorized attacker to execute code locally.
CVE-2025-60713 | High | 7.8 |  | 2025-11-11 | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.
CVE-2025-60710 | High | 7.8 | KEV | 2025-11-11 | Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
CVE-2025-60709 | High | 7.8 |  | 2025-11-11 | Out-of-bounds read in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-60707 | High | 7.8 |  | 2025-11-11 | Use after free in Multimedia Class Scheduler Service (MMCSS) allows an authorized attacker to elevate privileges locally.
CVE-2025-60705 | High | 7.8 |  | 2025-11-11 | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally.
CVE-2025-60703 | High | 7.8 |  | 2025-11-11 | Untrusted pointer dereference in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.
CVE-2025-59514 | High | 7.8 |  | 2025-11-11 | Improper privilege management in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally.
CVE-2025-59512 | High | 7.8 |  | 2025-11-11 | Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally.
CVE-2025-59511 | High | 7.8 |  | 2025-11-11 | External control of file name or path in Windows WLAN Service allows an authorized attacker to elevate privileges locally.
CVE-2025-59505 | High | 7.8 |  | 2025-11-11 | Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally.
CVE-2025-61832 | High | 7.8 |  | 2025-11-11 | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61824 | High | 7.8 |  | 2025-11-11 | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61818 | High | 7.8 |  | 2025-11-11 | InCopy versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61817 | High | 7.8 |  | 2025-11-11 | InCopy versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61816 | High | 7.8 |  | 2025-11-11 | InCopy versions 20.5, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61815 | High | 7.8 |  | 2025-11-11 | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61814 | High | 7.8 |  | 2025-11-11 | InDesign Desktop versions 20.5, 19.5.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2024-7017 | High | 7.5 |  | 2025-11-14 | Inappropriate implementation in DevTools in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2025-60704 | High | 7.5 |  | 2025-11-11 | Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-12726 | High | 7.5 |  | 2025-11-10 | Inappropriate implementation in Views in Google Chrome on Windows prior to 142.0.7444.137 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page.
CVE-2025-12437 | High | 7.5 |  | 2025-11-10 | Use after free in PageInfo in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-12430 | High | 7.5 |  | 2025-11-10 | Object lifecycle issue in Media in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2025-59504 | High | 7.3 |  | 2025-11-11 | Heap-based buffer overflow in Azure Monitor Agent allows an unauthorized attacker to execute code locally.
CVE-2025-62202 | High | 7.1 |  | 2025-11-11 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2025-60726 | High | 7.1 |  | 2025-11-11 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2025-62219 | High | 7.0 |  | 2025-11-11 | Double free in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally.
CVE-2025-62218 | High | 7.0 |  | 2025-11-11 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally.
CVE-2025-62217 | High | 7.0 |  | 2025-11-11 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2025-62215 | High | 7.0 | KEV | 2025-11-11 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2025-62213 | High | 7.0 |  | 2025-11-11 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2025-60719 | High | 7.0 |  | 2025-11-11 | Untrusted pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2025-60717 | High | 7.0 |  | 2025-11-11 | Use after free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally.
CVE-2025-60716 | High | 7.0 |  | 2025-11-11 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
CVE-2025-59515 | High | 7.0 |  | 2025-11-11 | Use after free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally.
CVE-2025-59508 | High | 7.0 |  | 2025-11-11 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally.
CVE-2025-59507 | High | 7.0 |  | 2025-11-11 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally.
CVE-2025-59506 | High | 7.0 |  | 2025-11-11 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to elevate privileges locally.
CVE-2025-12763 | Medium | 6.8 |  | 2025-11-13 | pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems.
CVE-2025-62449 | Medium | 6.8 |  | 2025-11-11 | Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code CoPilot Chat Extension allows an authorized attacker to bypass a security feature locally.
CVE-2025-62214 | Medium | 6.7 |  | 2025-11-11 | Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code locally.
CVE-2025-47179 | Medium | 6.7 |  | 2025-11-11 | Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally.
CVE-2025-62206 | Medium | 6.5 |  | 2025-11-11 | Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network.
CVE-2025-60722 | Medium | 6.5 |  | 2025-11-11 | Improper limitation of a pathname to a restricted directory ('path traversal') in OneDrive for Android allows an authorized attacker to elevate privileges over a network.
CVE-2025-60708 | Medium | 6.5 |  | 2025-11-11 | Untrusted pointer dereference in Storvsp.sys Driver allows an authorized attacker to deny service locally.
CVE-2025-33202 | Medium | 6.5 |  | 2025-11-11 | NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where an attacker could cause a stack overflow by sending extra-large payloads.
CVE-2025-12445 | Medium | 6.5 |  | 2025-11-10 | Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.
CVE-2025-12431 | Medium | 6.5 |  | 2025-11-10 | Inappropriate implementation in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
CVE-2025-60723 | Medium | 6.3 |  | 2025-11-11 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to deny service over a network.
CVE-2025-12436 | Medium | 5.9 |  | 2025-11-10 | Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension.
CVE-2025-62209 | Medium | 5.5 |  | 2025-11-11 | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally.
CVE-2025-62208 | Medium | 5.5 |  | 2025-11-11 | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally.
CVE-2025-60706 | Medium | 5.5 |  | 2025-11-11 | Out-of-bounds read in Windows Hyper-V allows an authorized attacker to disclose information locally.
CVE-2025-59513 | Medium | 5.5 |  | 2025-11-11 | Out-of-bounds read in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to disclose information locally.
CVE-2025-59510 | Medium | 5.5 |  | 2025-11-11 | Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally.
CVE-2025-59509 | Medium | 5.5 |  | 2025-11-11 | Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally.
CVE-2025-59240 | Medium | 5.5 |  | 2025-11-11 | Exposure of sensitive information to an unauthorized actor in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2025-12439 | Medium | 5.5 |  | 2025-11-10 | Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file.
CVE-2025-13097 | Medium | 5.4 |  | 2025-11-14 | Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2025-12440 | Medium | 5.3 |  | 2025-11-10 | Inappropriate implementation in Autofill in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted…
CVE-2025-62453 | Medium | 5.0 |  | 2025-11-11 | Improper validation of generative AI output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally.
CVE-2025-9479 | Medium | 4.3 |  | 2025-11-14 | Out of bounds read in V8 in Google Chrome prior to 133.0.6943.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2025-13107 | Medium | 4.3 |  | 2025-11-14 | Inappropriate implementation in Compositing in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2024-7021 | Medium | 4.3 |  | 2025-11-14 | Inappropriate implementation in Autofill in Google Chrome on Windows prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2024-13178 | Medium | 4.3 |  | 2025-11-14 | Inappropriate implementation in Fullscreen in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2025-60728 | Medium | 4.3 |  | 2025-11-11 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
CVE-2025-12443 | Medium | 4.3 |  | 2025-11-10 | Out of bounds read in WebXR in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2025-12441 | Medium | 4.3 |  | 2025-11-10 | Out of bounds read in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2025-12433 | Medium | 4.3 |  | 2025-11-10 | Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.
CVE-2025-12728 | Medium | 4.2 |  | 2025-11-10 | Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
CVE-2025-12446 | Medium | 4.2 |  | 2025-11-10 | Incorrect security UI in SplitView in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name.
CVE-2025-12444 | Medium | 4.2 |  | 2025-11-10 | Incorrect security UI in Fullscreen UI in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
CVE-2025-12434 | Medium | 4.2 |  | 2025-11-10 | Race in Storage in Google Chrome on Windows prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.

Other vendors (789 CVEs across 307 vendors)

Linux · 96 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-40149 | High | 7.8 |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
CVE-2025-40164 | Medium | 5.5 |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: usbnet: Fix using smp_processor_id() in preemptible code warnings Syzbot reported the following warning: BUG: using smp_processor_id() in preemptible [00000000] code: d…
CVE-2025-40208 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: media: iris: fix module removal if firmware download failed Fix remove if firmware failed to load: qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33…
CVE-2025-40207 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc()…
CVE-2025-40206 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive ca…
CVE-2025-40205 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles.
CVE-2025-40204 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time.
CVE-2025-40203 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore.
CVE-2025-40202 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free.
CVE-2025-40201 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path…
CVE-2025-40200 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode() Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
CVE-2025-40199 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches Helge reported that the introduction of PP_MAGIC_MASK let to crashes on boot on his 32-bit parisc ma…
CVE-2025-40198 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL…
CVE-2025-40197 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: media: mc: Clear minor number before put device The device minor should not be cleared after the device is released.
CVE-2025-40196 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: fs: quota: create dedicated workqueue for quota_release_work There is a kernel panic due to WARN_ONCE when panic_on_warn is set.
CVE-2025-40195 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release() When calling in listmount() mnt_ns_release() may be passed a NULL pointer.
CVE-2025-40194 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter sub…
CVE-2025-40193 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash.
CVE-2025-40192 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: Revert "ipmi: fix msg stack when IPMI is disconnected" This reverts commit c608966f3f9c2dca596967501d00753282b395fc.
CVE-2025-40191 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kfd process ref leaking when userptr unmapping kfd_lookup_process_by_pid hold the kfd process reference to ensure it doesn't get destroyed while sending…
CVE-2025-40190 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <=…
CVE-2025-40189 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom Syzbot reported read of uninitialized variable BUG with following call stack.
CVE-2025-40188 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong addre…
CVE-2025-40187 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_auth…
CVE-2025-40186 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
CVE-2025-40185 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ice: ice_adapter: release xa entry on adapter allocation failure When ice_adapter_new() fails, the reserved XArray entry created by xa_insert() is not released.
CVE-2025-40184 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix debug checking for np-guests using huge mappings When running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then the debug checking in assert_hos…
CVE-2025-40183 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} Cilium has a BPF egress gateway feature which forces outgoing K8s Pod traffic to pass through dedicated egress gat…
CVE-2025-40182 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: crypto: skcipher - Fix reqsize handling Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") introduced cra_reqsize field in crypto_alg struct to replace typ…
CVE-2025-40181 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP When running as an SNP or TDX guest under KVM, force the legacy PCI hole, i.e.
CVE-2025-40180 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop The cleanup loop was starting at the wrong array index, causing out-of-bounds access.
CVE-2025-40179 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large.
CVE-2025-40178 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns __task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns)…
CVE-2025-40177 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix bootlog initialization ordering As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data.
CVE-2025-40176 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: tls: wait for pending async decryptions if tls_strp_msg_hold fails Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the…
CVE-2025-40175 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: idpf: cleanup remaining SKBs in PTP flows When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get.
CVE-2025-40174 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix SMP ordering in switch_mm_irqs_off() Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(…
CVE-2025-40173 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: net/ip6_tunnel: Prevent perpetual tunnel growth Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too.
CVE-2025-40172 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field…
CVE-2025-40171 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmet_fc_ls_req_op It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req.
CVE-2025-40170 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size().
CVE-2025-40169 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops When verifying BPF programs, the check_alu_op() function validates instructions with ALU operations.
CVE-2025-40168 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
CVE-2025-40167 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem…
CVE-2025-40166 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Check GuC running state before deregistering exec queue In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed…
CVE-2025-40165 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, t…
CVE-2025-40163 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Stop dl_server before CPU goes offline IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2].
CVE-2025-40162 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_n…
CVE-2025-40161 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix SGI cleanup on unbind The driver incorrectly determines SGI vs SPI interrupts by checking IRQ number < 16, which fails with dynamic IRQ allocati…
CVE-2025-40160 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in.
CVE-2025-40159 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdp_desc validation Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() a…
CVE-2025-40158 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF.
CVE-2025-40157 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller When loading the i10nm_edac driver on some Intel Granite Rapids servers, a call trace may appear as fol…
CVE-2025-40156 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() The drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which would lead to a error po…
CVE-2025-40155 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: debugfs: Fix legacy mode page table dump logic In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b.
CVE-2025-40154 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message bu…
CVE-2025-40153 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: avoid soft lockup when mprotect to large memory area When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memor…
CVE-2025-40152 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix bootup splat with separate_gpu_drm modparam The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses drm_gem_obj.gpuva.list, which is not initialized…
CVE-2025-40151 |  |  |  | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: No support of struct argument in trampoline programs The current implementation does not support struct argument.
CVE-2025-401502025-11-12In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid migrating empty section It reports a bug from device w/ zufs: F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT F2FS-fs (dm-6…
CVE-2025-401482025-11-12In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions The function dc_stream_set_cursor_attributes() currently dereferences the `stream` point…
CVE-2025-401472025-11-12In the Linux kernel, the following vulnerability has been resolved: blk-throttle: fix access race during throttle policy activation On repeated cold boots we occasionally hit a NULL pointer crash in blk_should_throtl() when throttling is…
CVE-2025-401462025-11-12In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix potential deadlock while nr_requests grown Allocate and free sched_tags while queue is freezed can deadlock[1], this is a long term problem, hence allocate m…
CVE-2025-401452025-11-12In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure When devm_add_action_or_reset() fails, it calls the passed cleanup function.
CVE-2025-40143 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: bpf: don't report verifier bug for missing bpf_scc_visit on speculative path Syzbot generated a program that triggers a verifier_bug() call in maybe_exit_scc().
CVE-2025-40142 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT snd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts via spin_lock_irq().
CVE-2025-40141 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix possible UAF on iso_conn_free This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn…
CVE-2025-40140 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
CVE-2025-40139 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set().
CVE-2025-40138 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency() syzbot reported a f2fs bug as below: Oops: gen[ 107.736417][ T5848] Oops: general protect…
CVE-2025-40137 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate first page in error path of f2fs_truncate() syzbot reports a bug as below: loop0: detected capacity change from 0 to 40427 F2FS-fs (loop0): Wrong…
CVE-2025-40136 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - request reserved interrupt for virtual function The device interrupt vector 3 is an error interrupt for physical function and a reserved interrupt…
CVE-2025-40135 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF.
CVE-2025-40134 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference.
CVE-2025-40133 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().
CVE-2025-40132 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback In create_sdw_dailink() check that sof_end->codec_info->add_sidecar is not NULL before calling it.
CVE-2025-40131 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu() In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because rxcb->peer_id is not updated with a valid…
CVE-2025-40130 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, r…
CVE-2025-40129 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL.
CVE-2025-40127 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: hwrng: ks-sa - fix division by zero in ks_sa_rng_init Fix division by zero in ks_sa_rng_init caused by missing clock pointer initialization.
CVE-2025-40126 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC The referenced commit introduced exception handlers on user-space memory references in copy…
CVE-2025-40125 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not…
CVE-2025-40124 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios enabled result…
CVE-2025-40123 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al.
CVE-2025-40122 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error When running perf_fuzzer on PTL, sometimes the below "unchecked MSR access error" is seen when accessing IA32_PMC…
CVE-2025-40121 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is…
CVE-2025-40120 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Prevent USB runtime PM (autosuspend) for AX88772* in bind.
CVE-2025-40119 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential null deref in ext4_mb_init() In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitiali…
CVE-2025-40118 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix array-index-out-of-bounds on rmmod Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when device is gone") UBSAN reports: UBSAN…
CVE-2025-40117 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl() Commit eefb83790a0d ("misc: pci_endpoint_test: Add doorbell test case") added NO_BAR (-1) to th…
CVE-2025-40116 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be ei…
CVE-2025-40115 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_por…
CVE-2025-40113 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E The ADSP firmware on X1E has separate firmware binaries for the main firmware and the DTB.
CVE-2025-40112 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara The referenced commit introduced exception handlers on user-space memory references in copy_fr…
CVE-2025-40111 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_p…
CVE-2025-40110 | | | | 2025-11-12 | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it.

N/a · 96 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56385 | Critical | 9.8 | | 2025-11-12 | A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint.
CVE-2025-63666 | Critical | 9.8 | | 2025-11-12 | Tenda AC15 (v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier.
CVE-2025-63289 | Critical | 9.1 | | 2025-11-12 | Sogexia Android App (compile SDK v35, max SDK 32; fixed in v36) was discovered to contain hardcoded encryption keys in the encryption_helper.dart file.
CVE-2025-57310 | High | 8.8 | | 2025-11-12 | A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07 via a crafted POST request to admin.php?p=ads&c=1 allows attackers to execute arbitrary code.
CVE-2025-63835 | High | 8.8 | | 2025-11-10 | A stack-based buffer overflow vulnerability was discovered in Tenda AC18 v15.03.05.05_multi.
CVE-2025-63712 | High | 8.8 | | 2025-11-10 | Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System.
CVE-2025-63680 | High | 8.6 | | 2025-11-14 | Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted…
CVE-2025-12613 | High | 8.6 | | 2025-11-10 | Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand.
CVE-2025-35971 | High | 8.2 | | 2025-11-11 | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service.
CVE-2025-32091 | High | 8.2 | | 2025-11-11 | Incorrect default permissions in some firmware for the Intel(R) Arc(TM) B-series GPUs within Ring 1: Device Drivers may allow an escalation of privilege.
CVE-2025-30255 | High | 8.2 | | 2025-11-11 | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service.
CVE-2025-30185 | High | 7.9 | | 2025-11-11 | Active debug code for some Intel UEFI reference platforms within Ring 0: Kernel may allow a denial of service and escalation of privilege.
CVE-2025-13131 | High | 7.8 | | 2025-11-13 | A vulnerability was found in Sonarr 4.0.15.2940.
CVE-2025-13130 | High | 7.8 | | 2025-11-13 | A vulnerability has been found in Radarr 5.28.0.10274.
CVE-2025-20010 | High | 7.8 | | 2025-11-11 | Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2024-57695 | High | 7.7 | | 2025-11-11 | An issue in Agnitum Outpost Security Suite 7.5.3 (3942.608.1810) and 7.6 (3984.693.1842) allows a local attacker to execute arbitrary code via the lock function.
CVE-2025-63891 | High | 7.5 | | 2025-11-14 | Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthentica…
CVE-2025-63149 | High | 7.5 | | 2025-11-10 | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the urls parameter of the get_parentControl_list_Info function.
CVE-2025-63288 | High | 7.5 | | 2025-11-10 | In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service.
CVE-2025-63457 | High | 7.5 | | 2025-11-10 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the sub_4F55C function.
CVE-2025-63456 | High | 7.5 | | 2025-11-10 | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the SetSysTimeCfg function.
CVE-2025-63455 | High | 7.5 | | 2025-11-10 | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function.
CVE-2025-63147 | High | 7.5 | | 2025-11-10 | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the deviceId parameter of the saveParentControlInfo function.
CVE-2025-63154 | High | 7.5 | | 2025-11-10 | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the addEffect parameter of the urldecode function.
CVE-2025-63153 | High | 7.5 | | 2025-11-10 | TOTOLink A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow in the ssid parameter of the urldecode function.
CVE-2025-63152 | High | 7.5 | | 2025-11-10 | Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the wpapsk_crypto parameter of the wlSetExternParameter function.
CVE-2025-35967 | High | 7.4 | | 2025-11-11 | Out-of-bounds read for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service.
CVE-2025-35963 | High | 7.4 | | 2025-11-11 | Insufficient control flow management for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service.
CVE-2025-33029 | High | 7.4 | | 2025-11-11 | Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service.
CVE-2025-63497 | High | 7.1 | | 2025-11-10 | The patient prescription viewing functionality in his_doc_view_single_patient.php of rickxy Hospital Management System version 1.0 contains an SQL injection vulnerability.
CVE-2025-35972 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for the Intel MPI Library before version 2021.16 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-32449 | Medium | 6.7 | | 2025-11-11 | Unquoted search path for some PRI Driver software before version 03.03.1002 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-32038 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some FPGA Support Package for the Intel oneAPI DPC++/C++ Compiler software before version 2025.0.1 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-32001 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-31940 | Medium | 6.7 | | 2025-11-11 | Incorrect default permissions for some Intel(R) Thread Director Visualizer software before version 1.1.1 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-31931 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for the Instrumentation and Tracing Technology API (ITT API) software before version 3.25.4 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-31647 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some Intel(R) Graphics Software before version 25.22.1502.2 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-31645 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some System Event Log Viewer Utility software for all versions within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-30518 | Medium | 6.7 | | 2025-11-11 | Incorrect default permissions for some Intel(R) PresentMon before version 2.3.1 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-30506 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some Intel Driver and Support Assistant before version 25.2 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-30182 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-27711 | Medium | 6.7 | | 2025-11-11 | Incorrect default permissions for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-27246 | Medium | 6.7 | | 2025-11-11 | Incorrect default permissions for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-25059 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-24918 | Medium | 6.7 | | 2025-11-11 | Improper link resolution before file access ('link following') for some Intel(R) Server Configuration Utility software and Intel(R) Server Firmware Update Utility software before version 16.0.12.
CVE-2025-24842 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for the Intel(R) System Support Utility before version 4.1.0 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-24491 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some Intel(R) Killer(TM) Performance Suite software before version killer 4.0 40.25.509.1465 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-24327 | Medium | 6.7 | | 2025-11-11 | Insecure inherited permissions for some Intel(R) Rapid Storage Technology Application before version 20.0.1021 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-22391 | Medium | 6.7 | | 2025-11-11 | Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-20065 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some Display Virtualization for Windows OS software before version 1797 within Ring 2: Device Drivers may allow an escalation of privilege.
CVE-2024-55016 | Medium | 6.5 | | 2025-11-14 | PHPGurukul Student Record Management System 3.20 is vulnerable to SQL Injection via the id and password parameters in login.php.
CVE-2024-44640 | Medium | 6.5 | | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the course-short, course-full, and cdate parameters in add-course.php.
CVE-2024-44639 | Medium | 6.5 | | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the sub1, sub2, sub3, sub4, and course-short parameters in add-subject.php.
CVE-2024-44636 | Medium | 6.5 | | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the adminname and aemailid parameters in /admin-profile.php.
CVE-2024-44633 | Medium | 6.5 | | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the currentpassword parameter in change-password.php.
CVE-2024-44632 | Medium | 6.5 | | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the id and emailid parameters in password-recovery.php.
CVE-2024-44630 | Medium | 6.5 | | 2025-11-14 | Multiple parameters in register.php in PHPGurukul Student Record System 3.20 are vulnerable to SQL injection.
CVE-2025-60702 | Medium | 6.5 | | 2025-11-13 | A command injection vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `system.so` binary.
CVE-2025-60699 | Medium | 6.5 | | 2025-11-13 | A buffer overflow vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `global.so` binary.
CVE-2025-60688 | Medium | 6.5 | | 2025-11-13 | A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (setDefResponse function).
CVE-2025-60687 | Medium | 6.5 | | 2025-11-13 | An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function).
CVE-2025-60684 | Medium | 6.5 | | 2025-11-13 | A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (sub_42F32C function).
CVE-2025-60683 | Medium | 6.5 | | 2025-11-13 | A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary, specifically in the sub_40BFA4 function that handles network interface reinitialization from '/var/system/linu…
CVE-2025-60682 | Medium | 6.5 | | 2025-11-13 | A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the cloudupdate_check binary, specifically in the sub_402414 function that handles cloud update parameters.
CVE-2025-60645 | Medium | 6.5 | | 2025-11-12 | A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request.
CVE-2025-26402 | Medium | 6.5 | | 2025-11-11 | Protection mechanism failure for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service.
CVE-2025-63397 | Medium | 6.5 | | 2025-11-10 | Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion.
CVE-2025-56503 | Medium | 6.5 | | 2025-11-10 | An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted binary in the installation folder.
CVE-2025-63710 | Medium | 6.5 | | 2025-11-10 | The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF).
CVE-2025-35968 | Medium | 6.4 | | 2025-11-11 | Protection mechanism failure in the UEFI firmware for the Slim Bootloader within firmware may allow an escalation of privilege.
CVE-2025-13171 | Medium | 6.3 | | 2025-11-14 | A vulnerability was identified in ZZCMS 2023.
CVE-2025-63725 | Medium | 6.1 | | 2025-11-14 | Reflected Cross-Site Scripting (XSS) vulnerability in SVX Portal 2.7A via the id parameter to Recivers.php.
CVE-2024-44635 | Medium | 6.1 | | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to Cross Site Scripting (XSS) via adminname and aemailid parameters in /admin-profile.php.
CVE-2025-60646 | Medium | 6.1 | | 2025-11-12 | A stored cross-site scripting (XSS) in the Business Line Management module of Xxl-api v1.3.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
CVE-2025-52331 | Medium | 6.1 | | 2025-11-12 | Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address.
CVE-2025-31146 | Medium | 6.1 | | 2025-11-11 | Time-of-check time-of-use race condition for some Intel Ethernet Adapter Complete Driver Pack software before version 1.5.1.0 within Ring 3: User Applications may allow a denial of service.
CVE-2025-63724 | Medium | 6.0 | | 2025-11-14 | SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php.
CVE-2025-12818 | Medium | 5.9 | | 2025-11-13 | Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes.
CVE-2025-26405 | Medium | 5.9 | | 2025-11-11 | Improper control of dynamically-managed code resources for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service.
CVE-2025-27712 | Medium | 5.7 | | 2025-11-11 | Improper neutralization for some Intel(R) Neural Compressor software before version v3.4 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-24512 | Medium | 5.6 | | 2025-11-11 | Improper input validation for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service.
CVE-2025-63745 | Medium | 5.5 | | 2025-11-14 | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c.
CVE-2025-27249 | Medium | 5.5 | | 2025-11-11 | Uncontrolled resource consumption for some Gaudi software before version 1.21.0 within Ring 3: User Applications may allow a denial of service.
CVE-2025-63645 | Medium | 5.4 | | 2025-11-12 | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system.
CVE-2025-63834 | Medium | 5.4 | | 2025-11-10 | A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi.
CVE-2025-60686 | Medium | 5.1 | | 2025-11-13 | A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, and NR1800X V9.1.0u.6681_B20230703).
CVE-2025-60685 | Medium | 5.1 | | 2025-11-13 | A stack buffer overflow exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary (sub_401EE0 function).
CVE-2025-24516 | Medium | 4.5 | | 2025-11-11 | Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure.
CVE-2025-27725 | Medium | 4.4 | | 2025-11-11 | Time-of-check time-of-use race condition for some ACAT before version 3.13 within Ring 3: User Applications may allow a denial of service.
CVE-2025-20056 | Medium | 4.4 | | 2025-11-11 | Improper input validation for some Intel VTune Profiler before version 2025.1 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-63744 | Medium | 4.3 | | 2025-11-14 | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c.
CVE-2025-20622 | Low | 3.8 | | 2025-11-11 | Sensitive information uncleared in resource before release for reuse for some Intel(R) NPU Drivers for Windows before version 32.0.100.4023 within Ring 3: User Applications may allow an information disclosure.
CVE-2025-31948 | Low | 3.3 | | 2025-11-11 | Improper input validation for some Intel(R) oneAPI Math Kernel Library before version 2025.2 within Ring 3: User Applications may allow a denial of service.
CVE-2025-25216 | Low | 3.3 | | 2025-11-11 | Improper input validation in some firmware for some Intel(R) Graphics Drivers and Intel LTS kernels within Ring 1: Device Drivers may allow a denial of service.
CVE-2025-12817 | Low | 3.1 | | 2025-11-13 | Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema.
CVE-2025-32037 | Low | 2.0 | | 2025-11-11 | Improper access control for some Intel(R) PresentMon before version 2.3.1 within Ring 3: User Applications may allow a denial of service.
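As an added example (not part of the original digest, nor any vendor's code): a small Python parser that turns rows in this table's layout back into structured records and ranks them for triage. It assumes the column order of the table header (CVE, Severity, CVSS, KEV, Published, Summary), accepts cells either fused together, as text extraction leaves them, or separated by " | ", and assumes a KEV-listed row would carry the literal "KEV" in that column; no row on this page is KEV-listed, so that marker is a guess. The sample rows are copied from this page (one rewritten in the separated form).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Column order follows the table header on this page:
#   CVE | Severity | CVSS | KEV | Published | Summary
# Cells may be fused together (text extraction) or separated by " | ".
# Assumption: a KEV-listed row carries the literal "KEV"; none appear on
# this page, so the marker text is a guess.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,7})\s*\|?\s*"
    r"(?P<severity>Critical|High|Medium|Low)?\s*\|?\s*"
    r"(?P<cvss>\d{1,2}\.\d)?\s*\|?\s*"
    r"(?P<kev>KEV)?\s*\|?\s*"
    r"(?P<published>\d{4}-\d{2}-\d{2})\s*\|?\s*"
    r"(?P<summary>.*)$"
)


@dataclass
class CveRow:
    cve: str
    severity: Optional[str]   # None for rows without a vendor score (kernel rows)
    cvss: Optional[float]
    kev: bool
    published: str
    summary: str


def parse_row(line: str) -> Optional[CveRow]:
    """Parse one digest row; return None for headings and non-row lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return CveRow(
        cve=m["cve"],
        severity=m["severity"],
        cvss=float(m["cvss"]) if m["cvss"] else None,
        kev=m["kev"] is not None,
        published=m["published"],
        summary=m["summary"].strip(),
    )


def parse_digest(text: str) -> list[CveRow]:
    """Parse every row-shaped line in a digest, skipping headings and blanks."""
    rows = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is not None:
            rows.append(row)
    return rows


def triage(rows: list[CveRow], min_cvss: float = 9.0) -> list[CveRow]:
    """Rows that are KEV-listed or score at least min_cvss, KEV first,
    then highest CVSS first. Unscored rows (no CVSS) are left out here
    and need a separate look, since no score does not mean low risk."""
    hot = [r for r in rows if r.kev or (r.cvss is not None and r.cvss >= min_cvss)]
    return sorted(hot, key=lambda r: (not r.kev, -(r.cvss or 0.0), r.cve))


# Sample rows copied from this page; the second is rewritten with " | " separators.
SAMPLE = """\
N/a · 96 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-56385Critical9.82025-11-12A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint.
CVE-2025-63289 | Critical | 9.1 | | 2025-11-12 | Sogexia Android App was discovered to contain hardcoded encryption keys in the encryption_helper.dart file
CVE-2025-401692025-11-12In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops
CVE-2025-12818Medium5.92025-11-13Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes.
"""

if __name__ == "__main__":
    for r in triage(parse_digest(SAMPLE)):
        print(f"{r.cve}  {r.severity}  {r.cvss}  KEV={r.kev}  {r.published}  {r.summary[:60]}")
```

The regex leans on backtracking to split a fused CVE identifier from the date that follows it (`CVE-2025-401692025-11-12`): `\d{4,7}` first grabs too many digits, fails to find a date, and retreats until `2025-11-12` lines up. Kernel rows parse with no severity and no score, which is why `triage` deliberately does not treat a missing CVSS as zero.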

Intel · 21 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-33000 | High | 8.8 | | 2025-11-11 | Improper input validation for some Intel QuickAssist Technology before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-24838 | High | 8.8 | | 2025-11-11 | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-24299 | High | 8.8 | | 2025-11-11 | Improper input validation for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-27713 | High | 7.8 | | 2025-11-11 | Out-of-bounds write for some Intel(R) QAT Windows software before version 2.6.0.
CVE-2025-20614 | Medium | 6.7 | | 2025-11-11 | External control of file name or path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-20050 | Medium | 6.7 | | 2025-11-11 | Uncontrolled search path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-32732 | Medium | 6.6 | | 2025-11-11 | Buffer overflow for some Intel(R) QAT Windows software before version 2.6.0.
CVE-2025-32446 | Medium | 6.5 | | 2025-11-11 | Untrusted pointer dereference for some Intel QuickAssist Technology software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-27710 | Medium | 6.5 | | 2025-11-11 | Untrusted pointer dereference for some Intel(R) QAT Windows software before version 2.6.0.
CVE-2025-24863 | Medium | 6.5 | | 2025-11-11 | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure.
CVE-2025-24834 | Medium | 6.5 | | 2025-11-11 | Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure.
CVE-2025-24519 | Medium | 6.5 | | 2025-11-11 | Buffer overflow for some Intel(R) QAT Windows software before version 2.6.0.
CVE-2025-24848 | Medium | 6.3 | | 2025-11-11 | Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-31937 | Medium | 5.6 | | 2025-11-11 | Out-of-bounds read for some Intel(R) QAT Windows software before version 2.6.0.
CVE-2025-26694 | Medium | 5.5 | | 2025-11-11 | Null pointer dereference for some Intel(R) QAT Windows software before version 2.6.0.
CVE-2025-24847 | Medium | 4.5 | | 2025-11-11 | Improper input validation for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure.
CVE-2025-30509 | Low | 3.8 | | 2025-11-11 | Improper input validation for some Intel QuickAssist Technology software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-32088 | Low | 3.3 | | 2025-11-11 | Improper conditions check for some Intel(R) QAT Windows software before version 2.6.0.
CVE-2025-24314 | Low | 2.2 | | 2025-11-11 | Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure.
CVE-2025-24862 | Low | 2.0 | | 2025-11-11 | Unrestricted upload of file with dangerous type for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-24307 | Low | 2.0 | | 2025-11-11 | Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege.

Mozilla · 16 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13026 | Critical | 9.8 | | 2025-11-11 | Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. |
| CVE-2025-13024 | Critical | 9.8 | | 2025-11-11 | JIT miscompilation in the JavaScript Engine: JIT component. |
| CVE-2025-13023 | Critical | 9.8 | | 2025-11-11 | Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. |
| CVE-2025-13022 | Critical | 9.8 | | 2025-11-11 | Incorrect boundary conditions in the Graphics: WebGPU component. |
| CVE-2025-13021 | Critical | 9.8 | | 2025-11-11 | Incorrect boundary conditions in the Graphics: WebGPU component. |
| CVE-2025-13020 | High | 8.8 | | 2025-11-11 | Use-after-free in the WebRTC: Audio/Video component. |
| CVE-2025-13014 | High | 8.8 | | 2025-11-11 | Use-after-free in the Audio/Video component. |
| CVE-2025-13027 | High | 8.1 | | 2025-11-11 | Memory safety bugs present in Firefox 144 and Thunderbird 144. |
| CVE-2025-13019 | High | 8.1 | | 2025-11-11 | Same-origin policy bypass in the DOM: Workers component. |
| CVE-2025-13018 | High | 8.1 | | 2025-11-11 | Mitigation bypass in the DOM: Security component. |
| CVE-2025-13017 | High | 8.1 | | 2025-11-11 | Same-origin policy bypass in the DOM: Notifications component. |
| CVE-2025-13025 | High | 7.5 | | 2025-11-11 | Incorrect boundary conditions in the Graphics: WebGPU component. |
| CVE-2025-13016 | High | 7.5 | | 2025-11-11 | Incorrect boundary conditions in the JavaScript: WebAssembly component. |
| CVE-2025-13012 | High | 7.5 | | 2025-11-11 | Race condition in the Graphics component. |
| CVE-2025-13013 | Medium | 6.1 | | 2025-11-11 | Mitigation bypass in the DOM: Core & HTML component. |
| CVE-2025-13015 | Low | 3.4 | | 2025-11-11 | Spoofing issue in Firefox. |

Adobe · 15 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-61839 | High | 7.8 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
| CVE-2025-61838 | High | 7.8 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-61837 | High | 7.8 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-61836 | High | 7.8 | | 2025-11-11 | Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-61829 | High | 7.8 | | 2025-11-11 | Illustrator on iPad versions 3.0.9 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-61828 | High | 7.8 | | 2025-11-11 | Illustrator on iPad versions 3.0.9 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-61827 | High | 7.8 | | 2025-11-11 | Illustrator on iPad versions 3.0.9 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-61826 | High | 7.8 | | 2025-11-11 | Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-61830 | High | 7.1 | | 2025-11-11 | Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. |
| CVE-2025-61845 | Medium | 5.5 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. |
| CVE-2025-61844 | Medium | 5.5 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. |
| CVE-2025-61843 | Medium | 5.5 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. |
| CVE-2025-61842 | Medium | 5.5 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by a Use After Free vulnerability that could lead to memory exposure. |
| CVE-2025-61841 | Medium | 5.5 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. |
| CVE-2025-61840 | Medium | 5.5 | | 2025-11-11 | Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. |

SAP SE · 14 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-42890 | Critical | 10.0 | | 2025-11-11 | SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution. This could cause high impact on confidentia… |
| CVE-2025-42887 | Critical | 9.9 | | 2025-11-11 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. |
| CVE-2025-42940 | High | 7.5 | | 2025-11-11 | SAP CommonCryptoLib does not perform necessary boundary checks during pre-authentication parsing of manipulated ASN.1 data over the network. |
| CVE-2025-42895 | Medium | 6.9 | | 2025-11-11 | Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confi… |
| CVE-2025-42884 | Medium | 6.5 | | 2025-11-11 | SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider. This could further lead to disclosur… |
| CVE-2025-42924 | Medium | 6.1 | | 2025-11-11 | SAP S/4HANA landscape SAP E-Recruiting BSP allows an unauthenticated attacker to craft malicious links; when clicked, the victim could be redirected to a page controlled by the attacker. |
| CVE-2025-42885 | Medium | 5.8 | | 2025-11-11 | Due to missing authentication, SAP HANA 2.0 (hdbrss) allows an unauthenticated attacker to call a remote-enabled function that will enable them to view information. |
| CVE-2025-42888 | Medium | 5.5 | | 2025-11-11 | SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime. This vulnerability has a high impact on confidentiality, with no impact on int… |
| CVE-2025-42889 | Medium | 5.4 | | 2025-11-11 | SAP Starter Solution allows an authenticated attacker to execute crafted database queries, thereby exposing the back-end database. |
| CVE-2025-42919 | Medium | 5.3 | | 2025-11-11 | Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. |
| CVE-2025-42897 | Medium | 5.3 | | 2025-11-11 | Due to an information disclosure vulnerability in the anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. |
| CVE-2025-42899 | Medium | 4.3 | | 2025-11-11 | SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
| CVE-2025-42882 | Medium | 4.3 | | 2025-11-11 | Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the syste… |
| CVE-2025-42883 | Low | 2.7 | | 2025-11-11 | Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. |

Siemens · 12 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-32011 | High | 8.8 | | 2025-11-11 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). |
| CVE-2025-40827 | High | 7.8 | | 2025-11-11 | A vulnerability has been identified in Siemens Software Center (All versions < V3.5), Solid Edge SE2025 (All versions < V225.0 Update 10). |
| CVE-2025-40763 | High | 7.8 | | 2025-11-11 | A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). |
| CVE-2024-32010 | High | 7.8 | | 2025-11-11 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). |
| CVE-2024-32009 | High | 7.8 | | 2025-11-11 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). |
| CVE-2024-32008 | High | 7.8 | | 2025-11-11 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). |
| CVE-2025-40816 | High | 7.6 | | 2025-11-11 | A vulnerability has been identified in LOGO! |
| CVE-2025-40744 | High | 7.5 | | 2025-11-11 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 11). |
| CVE-2025-40815 | High | 7.2 | | 2025-11-11 | A vulnerability has been identified in LOGO! |
| CVE-2025-40817 | Medium | 6.5 | | 2025-11-11 | A vulnerability has been identified in LOGO! |
| CVE-2025-40760 | Medium | 5.5 | | 2025-11-11 | A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). |
| CVE-2024-32014 | Medium | 4.7 | | 2025-11-11 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). |

Dell · 11 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46608 | Critical | 9.1 | | 2025-11-12 | Dell Data Lakehouse, versions prior to 1.6.0.0, contains an Improper Access Control vulnerability. |
| CVE-2025-46428 | High | 8.8 | | 2025-11-12 | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. |
| CVE-2025-46427 | High | 8.8 | | 2025-11-12 | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. |
| CVE-2025-46369 | High | 7.8 | | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. |
| CVE-2025-46367 | High | 7.8 | | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains a Detection of Error Condition Without Action vulnerability. |
| CVE-2025-46430 | High | 7.3 | | 2025-11-10 | Dell Display and Peripheral Manager, versions prior to 2.1.2.12, contains an Execution with Unnecessary Privileges vulnerability in the Installer. |
| CVE-2024-48829 | Medium | 6.7 | | 2025-11-12 | Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contains an Improper Control of Generation of Code ('Code Injection') vulnerability. |
| CVE-2025-46368 | Medium | 6.6 | | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. |
| CVE-2025-46362 | Medium | 6.6 | | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Improper Access Control vulnerability. |
| CVE-2025-43723 | Medium | 5.9 | | 2025-11-10 | Dell PowerScale OneFS, versions prior to 9.10.1.3 and versions 9.11.0.0 through 9.12.0.0, contains a Use of a Broken or Risky Cryptographic Algorithm vulnerability. |
| CVE-2025-46370 | Low | 3.3 | | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains a Process Control vulnerability. |

Desktop Alert · 11 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-54339 | Critical | 10.0 | | 2025-11-14 | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2, exploitable remotely for Escalation of Privileges. |
| CVE-2025-54343 | Critical | 9.6 | | 2025-11-14 | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2, exploitable remotely for Escalation of Privileges. |
| CVE-2025-54346 | High | 7.6 | | 2025-11-14 | A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack the user's browser, capturing sensitive information. |
| CVE-2025-54345 | High | 7.5 | | 2025-11-14 | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. |
| CVE-2025-54348 | Medium | 6.5 | | 2025-11-14 | A Stored Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack the user's browser, capturing sensitive information. |
| CVE-2025-54562 | Medium | 4.3 | | 2025-11-14 | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Technical Information to be Disclosed through a stack trace. |
| CVE-2025-54561 | Medium | 4.3 | | 2025-11-14 | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorizatio… |
| CVE-2025-54340 | Medium | 4.1 | | 2025-11-14 | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. |
| CVE-2025-54560 | Low | 3.8 | | 2025-11-14 | A Server-side Request Forgery vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Probing of internal infrastructure. |
| CVE-2025-54559 | Low | 3.7 | | 2025-11-14 | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote Path Traversal for loading arbitrary external content. |
| CVE-2025-54342 | Low | 3.3 | | 2025-11-14 | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. |

D-Link · 11 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-60679 | High | 8.8 | | 2025-11-13 | A stack buffer overflow vulnerability exists in the D-Link DIR-816A2 router firmware DIR-816A2_FWv1.10CNB05_R1B011D88210.img in the upload.cgi module, which handles firmware version information. |
| CVE-2025-60698 | High | 7.3 | | 2025-11-13 | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. |
| CVE-2025-60697 | High | 7.3 | | 2025-11-13 | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. |
| CVE-2025-60674 | Medium | 6.8 | | 2025-11-13 | A stack buffer overflow vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin in the rc binary's USB storage handling module. |
| CVE-2025-60676 | Medium | 6.5 | | 2025-11-13 | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. |
| CVE-2025-60673 | Medium | 6.5 | | 2025-11-13 | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. |
| CVE-2025-60672 | Medium | 6.5 | | 2025-11-13 | An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. |
| CVE-2025-60701 | Medium | 6.5 | | 2025-11-13 | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. |
| CVE-2025-60700 | Medium | 6.5 | | 2025-11-13 | A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `librcm.so` binaries. |
| CVE-2025-60675 | Medium | 5.4 | | 2025-11-13 | A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule configuration file. |
| CVE-2025-60671 | Medium | 5.4 | | 2025-11-13 | A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /var/system/linux_vlan_reinit file. |

Apache · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64403 | High | 8.1 | | 2025-11-12 | Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of "external data sources". |
| CVE-2025-64405 | High | 7.5 | | 2025-11-12 | Apache OpenOffice documents can contain links. |
| CVE-2025-64404 | High | 7.5 | | 2025-11-12 | Apache OpenOffice documents can contain links to other files. |
| CVE-2025-64401 | High | 7.5 | | 2025-11-12 | Apache OpenOffice documents can contain links. |
| CVE-2025-59118 | High | 7.3 | | 2025-11-12 | Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. |
| CVE-2025-61623 | Medium | 6.5 | | 2025-11-12 | Reflected cross-site scripting vulnerability in Apache OFBiz. |
| CVE-2025-64402 | Medium | 6.5 | | 2025-11-12 | Apache OpenOffice documents can contain links. |
| CVE-2025-64407 | Medium | 5.3 | | 2025-11-12 | Apache OpenOffice documents can contain links. |
| CVE-2025-64406 | Medium | 4.3 | | 2025-11-12 | An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program, or otherwise corrupt other memory areas. |

Zoom · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62484 | High | 8.1 | | 2025-11-13 | Inefficient regular expression complexity in certain Zoom Workplace Clients before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access. |
| CVE-2025-64741 | High | 8.1 | | 2025-11-13 | Improper authorization handling in Zoom Workplace for Android before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access. |
| CVE-2025-64740 | High | 7.5 | | 2025-11-13 | Improper verification of cryptographic signature in the installer for Zoom Workplace VDI Client for Windows may allow an authenticated user to conduct an escalation of privilege via local access. |
| CVE-2025-30662 | Medium | 6.6 | | 2025-11-13 | Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via… |
| CVE-2025-62483 | Medium | 5.3 | | 2025-11-13 | Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access. |
| CVE-2025-64738 | Medium | 5.0 | | 2025-11-13 | External control of file name or path in Zoom Workplace for macOS before version 6.5.10 may allow an authenticated user to conduct a disclosure of information via local access. |
| CVE-2025-30669 | Medium | 4.8 | | 2025-11-13 | Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access. |
| CVE-2025-64739 | Medium | 4.3 | | 2025-11-13 | External control of file name or path in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via network access. |
| CVE-2025-62482 | Medium | 4.3 | | 2025-11-13 | Cross-site scripting in Zoom Workplace for Windows before version 6.5.10 may allow an unauthenticated user to impact integrity via network access. |

Combodo · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-48065 | High | 8.8 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |
| CVE-2025-47932 | High | 8.8 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |
| CVE-2025-47773 | High | 8.8 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |
| CVE-2025-49145 | High | 8.7 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |
| CVE-2025-48055 | High | 8.5 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |
| CVE-2025-47286 | High | 7.2 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |
| CVE-2025-64167 | High | 7.1 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |
| CVE-2025-48878 | Medium | 4.3 | | 2025-11-10 | Combodo iTop is a web-based IT service management tool. |

IBM · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-36250 | Critical | 10.0 | | 2025-11-13 | IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. |
| CVE-2025-36251 | Critical | 9.6 | | 2025-11-13 | IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. |
| CVE-2025-36096 | Critical | 9.0 | | 2025-11-13 | IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 store NIM private keys used in NIM environments in an insecure way that is susceptible to unauthorized access by an attacker using man-in-the-middle techniques. |
| CVE-2025-36236 | High | 8.2 | | 2025-11-13 | IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to traverse directories on the system. |
| CVE-2025-33119 | Medium | 6.5 | | 2025-11-12 | IBM QRadar SIEM 7.5 through 7.5.0 UP14 stores user credentials in configuration files in source control, which can be read by an authenticated user. |
| CVE-2025-36223 | Medium | 5.4 | | 2025-11-12 | IBM OpenPages 9.0 and 9.1 is vulnerable to HTTP header injection, caused by improper validation of input from the HOST header. |
| CVE-2025-33150 | Medium | 5.3 | | 2025-11-10 | IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages. |
| CVE-2025-27368 | Medium | 4.3 | | 2025-11-12 | IBM OpenPages 9.0 and 9.1 is vulnerable to disclosure of sensitive information due to weaker than expected security for certain REST endpoints used by the user interface of OpenPages. |

JetBrains · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64456 | High | 8.4 | | 2025-11-10 | In JetBrains ReSharper before 2025.2.4, missing signature verification in DPA Collector allows local privilege escalation. |
| CVE-2025-64685 | High | 8.1 | | 2025-11-10 | In JetBrains YouTrack before 2025.3.104432, missing TLS certificate validation enabled data disclosure. |
| CVE-2025-64683 | Medium | 5.3 | | 2025-11-10 | In JetBrains Hub before 2025.3.104432, information disclosure was possible via the Users API. |
| CVE-2025-64684 | Medium | 4.3 | | 2025-11-10 | In JetBrains YouTrack before 2025.3.104432, information disclosure was possible via the feedback form. |
| CVE-2025-64457 | Medium | 4.2 | | 2025-11-10 | In JetBrains ReSharper, Rider and dotTrace before 2025.2.5, local privilege escalation was possible via a race condition. |
| CVE-2025-64773 | Low | 2.7 | | 2025-11-11 | In JetBrains YouTrack before 2025.3.104432, a race condition allowed bypass of the helpdesk Agent limit. |
| CVE-2025-64682 | Low | 2.7 | | 2025-11-10 | In JetBrains Hub before 2025.3.104432, a race condition allowed bypass of the Agent-user limit. |
| CVE-2025-64681 | Low | 2.7 | | 2025-11-10 | In JetBrains Hub before 2025.3.104992, a race condition allowed bypass of the user limit via invitations. |

Linksys · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-60691 | High | 8.8 | | 2025-11-13 | A stack-based buffer overflow exists in the httpd binary of Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). |
| CVE-2025-60690 | High | 8.8 | | 2025-11-13 | A stack-based buffer overflow exists in the get_merge_ipaddr function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). |
| CVE-2025-60696 | High | 8.4 | | 2025-11-13 | A stack-based buffer overflow vulnerability exists in the makeRequest.cgi binary of Linksys RE7000 routers (Firmware FW_v2.0.15_211230_1012). |
| CVE-2025-60692 | High | 8.4 | | 2025-11-13 | A stack-based buffer overflow vulnerability exists in the libshared.so library of Cisco Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). |
| CVE-2025-60694 | High | 7.5 | | 2025-11-13 | A stack-based buffer overflow exists in the validate_static_route function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). |
| CVE-2025-60693 | Medium | 6.5 | | 2025-11-13 | A stack-based buffer overflow exists in the get_merge_mac function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). |
| CVE-2025-60695 | Medium | 5.9 | | 2025-11-13 | A stack-based buffer overflow vulnerability exists in the mtk_dut binary of Linksys E7350 routers (Firmware 1.1.00.032). |
| CVE-2025-60689 | Medium | 5.4 | | 2025-11-13 | An unauthenticated command injection vulnerability exists in the Start_EPI function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). |

Axis · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-5718 | Medium | 6.8 | | 2025-11-11 | The ACAP Application framework could allow privilege escalation through a symlink attack. |
| CVE-2025-8108 | Medium | 6.7 | | 2025-11-11 | An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. |
| CVE-2025-6779 | Medium | 6.7 | | 2025-11-11 | An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. |
| CVE-2025-6298 | Medium | 6.7 | | 2025-11-11 | ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. |
| CVE-2025-4645 | Medium | 6.7 | | 2025-11-11 | An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. |
| CVE-2025-5452 | Medium | 6.6 | | 2025-11-11 | A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP application. |
| CVE-2025-5454 | Medium | 6.4 | | 2025-11-11 | An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. |

Mattermost · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55070 | Medium | 6.5 | | 2025-11-14 | Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events. |
| CVE-2025-59480 | Medium | 6.1 | | 2025-11-13 | Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or on-path attacker to obtain user session credentials via crafted token-in-UR… |
| CVE-2025-55073 | Medium | 5.4 | | 2025-11-14 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to edit arbitrary posts via a crafted… |
| CVE-2025-11794 | Medium | 4.9 | | 2025-11-14 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member… |
| CVE-2025-11776 | Medium | 4.3 | | 2025-11-14 | Mattermost versions <11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint. |
| CVE-2025-41436 | Low | 3.1 | | 2025-11-14 | Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads. |
| CVE-2025-11777 | Low | 3.1 | | 2025-11-13 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from… |

Zohocorp · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-8324 | Critical | 9.8 | | 2025-11-11 | Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to unauthenticated SQL injection due to improper filter configuration. |
| CVE-2025-9223 | High | 8.8 | | 2025-11-11 | Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection due to improper configuration in the execute program action feature. |
| CVE-2025-7633 | High | 7.3 | | 2025-11-11 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to a stored XSS vulnerability in the Custom report. |
| CVE-2025-7632 | High | 7.3 | | 2025-11-11 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to a stored XSS vulnerability in the Public Folders report. |
| CVE-2025-7430 | High | 7.3 | | 2025-11-11 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to a stored XSS vulnerability in the Folder Message Count and Size report. |
| CVE-2025-7429 | High | 7.3 | | 2025-11-11 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to a stored XSS vulnerability in the Mails Deleted or Moved report. |
| CVE-2025-9227 | Medium | 6.5 | | 2025-11-11 | Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to a stored XSS vulnerability in the SNMP trap processor. |

Bdtask · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13185 | Medium | 4.7 | | 2025-11-14 | A security flaw has been discovered in Bdtask/CodeCanyon News365 up to 7.0.3. |
| CVE-2025-13179 | Medium | 4.3 | | 2025-11-14 | A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. |
| CVE-2025-13177 | Medium | 4.3 | | 2025-11-14 | A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. |
| CVE-2025-13180 | Low | 3.5 | | 2025-11-14 | A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. |
| CVE-2025-13178 | Low | 3.5 | | 2025-11-14 | A flaw has been found in Bdtask/CodeCanyon SalesERP up to 20250728. |
| CVE-2025-13186 | Low | 2.4 | | 2025-11-14 | A weakness has been identified in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution up to 4.0. |

Fairsketch · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-41106 | Medium | 5.4 | | 2025-11-11 | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'first_name' in '/clients/save_con… |
| CVE-2025-41105 | Medium | 5.4 | | 2025-11-11 | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/tickets/save'. |
| CVE-2025-41104 | Medium | 5.4 | | 2025-11-11 | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'custom_field_1' in '/estimate_req… |
| CVE-2025-41103 | Medium | 5.4 | | 2025-11-11 | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'reply_message' in '/messages/repl… |
| CVE-2025-41102 | Medium | 5.4 | | 2025-11-11 | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/events/save'. |
| CVE-2025-41101 | Medium | 5.4 | | 2025-11-11 | HTML injection vulnerability found in Fairsketch's RISE CRM Framework v3.8.1, which consists of an HTML code injection due to lack of proper validation of user inputs by sending a POST request in parameter 'title' in '/projects/save'. |

Google · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-12438 | High | 8.8 | | 2025-11-10 | Use after free in Ozone in Google Chrome on Linux and ChromeOS prior to 142.0.7444.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. |
| CVE-2025-12435 | Medium | 5.4 | | 2025-11-10 | Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. |
| CVE-2025-13102 | Medium | 4.3 | | 2025-11-14 | Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. |
| CVE-2024-11919 | Medium | 4.3 | | 2025-11-14 | Inappropriate implementation in Intents in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. |
| CVE-2025-12729 | Medium | 4.2 | | 2025-11-10 | Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. |
| CVE-2025-12447 | Medium | 4.2 | | 2025-11-10 | Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. |

Janobe · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12939 | Medium | 6.3 | | 2025-11-10 | A security flaw has been discovered in SourceCodester Interview Management System up to 1.0.
CVE-2025-12933 | Medium | 6.3 | | 2025-11-10 | A vulnerability was identified in SourceCodester Baby Care System 1.0.
CVE-2025-12931 | Medium | 6.3 | | 2025-11-10 | A vulnerability was found in SourceCodester Food Ordering System 1.0.
CVE-2025-12930 | Medium | 6.3 | | 2025-11-10 | A vulnerability has been found in SourceCodester Food Ordering System 1.0.
CVE-2025-12926 | Medium | 6.3 | | 2025-11-10 | A weakness has been identified in SourceCodester Farm Management System 1.0.
CVE-2025-12932 | Medium | 4.7 | | 2025-11-10 | A vulnerability was determined in SourceCodester Baby Care System 1.0.

Rockwell Automation · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11918 | High | 7.3 | | 2025-11-14 | Rockwell Automation Arena® suffers from a stack-based buffer overflow vulnerability.
CVE-2025-11862 | | | | 2025-11-11 | A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API.
CVE-2025-11697 | | | | 2025-11-11 | A local code execution security issue exists within Studio 5000® Simulation Interface™ via the API.
CVE-2025-11696 | | | | 2025-11-11 | A local server-side request forgery (SSRF) security issue exists within Studio 5000® Simulation Interface™ via the API.
CVE-2025-11085 | | | | 2025-11-11 | A security issue exists within DataMosaix™ Private Cloud allowing for Persistent XSS.
CVE-2025-11084 | | | | 2025-11-11 | A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password.

Apple · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-43515 | High | 8.8 | | 2025-11-13 | The issue was addressed by refusing external connections by default.
CVE-2024-9126 | High | 7.5 | | 2025-11-14 | Use after free in Internals in Google Chrome on iOS prior to 127.0.6533.88 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a series of curated UI gestures.
CVE-2024-13983 | Medium | 6.3 | | 2025-11-14 | Inappropriate implementation in Lens in Google Chrome on iOS prior to 136.0.7103.59 allowed a remote attacker to perform UI spoofing via a crafted QR code.
CVE-2024-11920 | Medium | 4.3 | | 2025-11-14 | Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.
CVE-2025-43205 | Medium | 4.0 | | 2025-11-12 | An out-of-bounds access issue was addressed with improved bounds checking.

Axis Communications Ab · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10714 | High | 8.4 | | 2025-11-11 | AXIS Optimizer was vulnerable to an unquoted search path vulnerability, which could potentially lead to privilege escalation within the Microsoft Windows operating system.
CVE-2025-9055 | Medium | 6.4 | | 2025-11-11 | The VAPIX Edge storage API allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux root privileges.
CVE-2025-6571 | Medium | 6.0 | | 2025-11-11 | A 3rd-party component exposed its password in process arguments, allowing low-privileged users to access it.
CVE-2025-9524 | Medium | 4.3 | | 2025-11-11 | The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability.
CVE-2025-8998 | Low | 3.1 | | 2025-11-11 | It was possible to upload files with a specific name to a temporary directory, which may result in process crashes and impact usability.

Cisco · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-20341 | High | 8.8 | | 2025-11-13 | A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied…
CVE-2025-20349 | Medium | 6.3 | | 2025-11-13 | A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. This vulnerability is due to insufficient validation of use…
CVE-2025-20353 | Medium | 6.1 | | 2025-11-13 | A vulnerability in the web-based management interface of Cisco Catalyst Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vu…
CVE-2025-20355 | Medium | 4.7 | | 2025-11-13 | A vulnerability in the web-based management interface of Cisco Catalyst Center Virtual Appliance could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input val…
CVE-2025-20346 | Medium | 4.3 | | 2025-11-13 | A vulnerability in Cisco Catalyst Center could allow an authenticated, remote attacker to execute operations that should require Administrator privileges.

Code-projects · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13170 | High | 7.3 | | 2025-11-14 | A vulnerability was detected in code-projects Simple Online Hotel Reservation System 1.0.
CVE-2025-13169 | High | 7.3 | | 2025-11-14 | A security vulnerability has been detected in code-projects Simple Online Hotel Reservation System 1.0.
CVE-2025-12928 | High | 7.3 | | 2025-11-10 | A vulnerability was detected in code-projects Online Job Search Engine 1.0.
CVE-2025-13076 | Medium | 4.7 | | 2025-11-12 | A flaw has been found in code-projects Responsive Hotel Site 1.0.
CVE-2025-13075 | Medium | 4.7 | | 2025-11-12 | A vulnerability was detected in code-projects Responsive Hotel Site 1.0.

Lenovo · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12048 | High | 7.5 | | 2025-11-12 | An arbitrary file upload vulnerability was reported in the Lenovo Scanner Pro client during an internal security assessment that could allow remote code execution or unauthorized control of the affected system.
CVE-2025-10495 | High | 7.5 | | 2025-11-12 | A potential vulnerability was reported in the Lenovo PC Manager, Lenovo App Store, Lenovo Browser, and Lenovo Legion Zone client applications that, under certain conditions, could allow an attacker on the same logical network to execute ar…
CVE-2025-8485 | High | 7.3 | | 2025-11-12 | An improper permissions vulnerability was reported in Lenovo App Store that could allow a local authenticated user to execute code with elevated privileges during installation of an application.
CVE-2025-8421 | Medium | 6.6 | | 2025-11-12 | An improper default permission vulnerability was reported in Lenovo Dock Manager that, under certain conditions during installation, could allow an authenticated local user to redirect log files with elevated privileges.
CVE-2025-12047 | Medium | 5.3 | | 2025-11-12 | A vulnerability was reported in the Lenovo Scanner pro application during an internal security assessment that, under certain circumstances, could allow an attacker on the same logical network to disclose sensitive user files from the appl…

Macrozheng · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13118 | Medium | 6.3 | | 2025-11-13 | A vulnerability was detected in macrozheng mall-swarm up to 1.0.3.
CVE-2025-13114 | Medium | 6.3 | | 2025-11-13 | A vulnerability was identified in macrozheng mall-swarm up to 1.0.3.
CVE-2025-13117 | Medium | 5.4 | | 2025-11-13 | A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3.
CVE-2025-13116 | Medium | 5.4 | | 2025-11-13 | A weakness has been identified in macrozheng mall-swarm and mall up to 1.0.3.
CVE-2025-13115 | Medium | 4.3 | | 2025-11-13 | A security flaw has been discovered in macrozheng mall-swarm and mall up to 1.0.3.

Nvidia · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-33186 | High | 8.8 | | 2025-11-11 | NVIDIA AIStore contains a vulnerability in AuthN.
CVE-2025-33178 | High | 7.8 | | 2025-11-11 | NVIDIA NeMo Framework for all platforms contains a vulnerability in the bert services component where malicious data created by an attacker may cause a code injection.
CVE-2025-23361 | High | 7.8 | | 2025-11-11 | NVIDIA NeMo Framework for all platforms contains a vulnerability in a script, where malicious input created by an attacker may cause improper control of code generation.
CVE-2025-23357 | High | 7.8 | | 2025-11-11 | NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue.
CVE-2025-33185 | Medium | 5.3 | | 2025-11-11 | NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. A successful exploit of this vulnerability may lead to information disclosure.

Unknown · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11307 | High | 8.8 | | 2025-11-11 | The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and out…
CVE-2025-11855 | High | 7.5 | | 2025-11-11 | The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and…
CVE-2025-10686 | High | 7.2 | | 2025-11-14 | The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion.
CVE-2025-11560 | High | 7.1 | | 2025-11-12 | The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as adm…
CVE-2025-11237 | Medium | 5.3 | | 2025-11-11 | The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress opti…

Aenrich · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12871 | Critical | 9.8 | | 2025-11-12 | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.
CVE-2025-12870 | Critical | 9.8 | | 2025-11-12 | The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges.
CVE-2025-12872 | Medium | 5.4 | | 2025-11-12 | The a+HRD and a+HCM developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to upload files containing malicious JavaScript code, which will execute on the client side when a user is tr…
CVE-2025-12869 | Medium | 4.8 | | 2025-11-12 | The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript codes that are executed in users' browsers upon page load.

Directus · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64748 | Medium | 6.5 | | 2025-11-13 | Directus is a real-time API and App dashboard for managing SQL database content.
CVE-2025-64747 | Medium | 5.5 | | 2025-11-13 | Directus is a real-time API and App dashboard for managing SQL database content.
CVE-2025-64746 | Medium | 4.6 | | 2025-11-13 | Directus is a real-time API and App dashboard for managing SQL database content.
CVE-2025-64749 | Medium | 4.3 | | 2025-11-13 | Directus is a real-time API and App dashboard for managing SQL database content.

Google Cloud · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12405 | | | | 2025-11-10 | An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors.
CVE-2025-12409 | | | | 2025-11-10 | A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources.
CVE-2025-12397 | | | | 2025-11-10 | A SQL injection vulnerability was found in Looker Studio.
CVE-2025-12155 | | | | 2025-11-10 | A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system.

N-able · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11367 | Critical | 9.8 | | 2025-11-12 | The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization.
CVE-2025-11366 | Critical | 9.8 | | 2025-11-12 | N-central < 2025.4 is vulnerable to authentication bypass via path traversal.
CVE-2025-11700 | High | 7.5 | | 2025-11-12 | N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure.
CVE-2025-9316 | | | | 2025-11-12 | N-central < 2025.4 can generate sessionIDs for unauthenticated users. This issue affects N-central: before 2025.4.

Netgear · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12944 | High | 8.8 | | 2025-11-11 | Improper input validation in NETGEAR DGN2200v4 (N300 Wireless ADSL2+ Modem Router) allows attackers with direct network access to the device to potentially execute code on the device.
CVE-2025-12943 | High | 7.5 | | 2025-11-11 | Improper certificate validation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router) allows attackers with the ability to intercept and tamper traff…
CVE-2025-12942 | High | 7.5 | | 2025-11-11 | Improper Input Validation vulnerability in NETGEAR R6260 and NETGEAR R6850 allows unauthenticated attackers connected to LAN with ability to perform MiTM attacks and control over DNS Server to perform command execution. This issue affects R…
CVE-2025-12940 | Medium | 5.5 | | 2025-11-11 | Login credentials are inadvertently recorded in logs if a Syslog Server is configured in NETGEAR WAX610 and WAX610Y (AX1800 Dual Band PoE Multi-Gig Insight Managed WiFi 6 Access Points).

Palo Alto Networks · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-4618 | | | | 2025-11-14 | A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser.
CVE-2025-4617 | | | | 2025-11-14 | An insufficient policy enforcement vulnerability in Palo Alto Networks Prisma® Browser on Windows allows a locally authenticated non-admin user to bypass the screenshot control feature of the browser.
CVE-2025-4616 | | | | 2025-11-14 | An insufficient validation of an untrusted input vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to revert the browser's security controls.
CVE-2025-4619 | | | | 2025-11-13 | A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to reboot a firewall by sending a specially crafted packet through the dataplane.

Sap · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-42894 | Medium | 6.8 | | 2025-11-11 | Due to a Path Traversal vulnerability in SAP Business Connector, an attacker authenticated as an administrator with adjacent access could read, write, overwrite, and delete arbitrary files on the host system.
CVE-2025-42892 | Medium | 6.8 | | 2025-11-11 | Due to an OS Command Injection vulnerability in SAP Business Connector, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server.
CVE-2025-42893 | Medium | 6.1 | | 2025-11-11 | Due to an Open Redirect vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site displayed within an embedded frame.
CVE-2025-42886 | Medium | 6.1 | | 2025-11-11 | Due to a Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could generate a malicious link and make it publicly accessible.

Academysoftwarefoundation · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64182 | High | 7.8 | | 2025-11-10 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry.
CVE-2025-64183 | High | 7.5 | | 2025-11-10 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry.
CVE-2025-64181 | High | 7.5 | | 2025-11-10 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry.

Ays-pro · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12891 | Medium | 5.3 | | 2025-11-13 | The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4.
CVE-2025-12892 | Medium | 5.3 | | 2025-11-13 | The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 5.1.9.4.
CVE-2025-12620 | Medium | 4.9 | | 2025-11-13 | The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the 'filterbyauthor' parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user…

Centralsquare · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64281 | Critical | 9.8 | | 2025-11-12 | An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials.
CVE-2025-64280 | Critical | 9.8 | | 2025-11-12 | A SQL Injection Vulnerability in CentralSquare Community Development 19.5.7 allows attackers to inject SQL via the permit_no field.
CVE-2025-59491 | Medium | 6.1 | | 2025-11-12 | Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields.

Keyfactor · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47222 | Medium | 6.5 | | 2025-11-13 | A class name enumeration was found in Keyfactor SignServer versions prior to 7.3.2.
CVE-2025-47221 | Medium | 5.3 | | 2025-11-13 | An arbitrary file write was found in Keyfactor SignServer versions prior to 7.3.2.
CVE-2025-47220 | Medium | 5.3 | | 2025-11-13 | A local file enumeration was found in Keyfactor SignServer versions prior to 7.3.2. The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set to any path without any restrictions by an…

Oretnom23 · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13060 | High | 7.3 | | 2025-11-12 | A security vulnerability has been detected in SourceCodester Survey Application System 1.0.
CVE-2025-12929 | High | 7.3 | | 2025-11-10 | A flaw has been found in SourceCodester Survey Application System 1.0.
CVE-2025-13059 | Medium | 6.3 | | 2025-11-12 | A weakness has been identified in SourceCodester Alumni Management System 1.0.

Pgadmin · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12762 | Critical | 9.1 | | 2025-11-13 | pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files.
CVE-2025-12765 | High | 7.5 | | 2025-11-13 | pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification.
CVE-2025-12764 | High | 7.5 | | 2025-11-13 | pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amoun…

Schneider Electric · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11567 | | | | 2025-11-12 | CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.
CVE-2025-11566 | | | | 2025-11-12 | CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with…
CVE-2025-11565 | | | | 2025-11-12 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request pa…

1panel-dev · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64511 | High | 7.4 | | 2025-11-13 | MaxKB is an open-source AI assistant for enterprise.
CVE-2025-64703 | Medium | 6.3 | | 2025-11-13 | MaxKB is an open-source AI assistant for enterprise.

Airpig2011 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63929 | High | 7.5 | | 2025-11-12 | A null pointer dereference vulnerability exists in airpig2011 IEC104 thru Commit be6d841 (2019-07-08).
CVE-2025-63927 | Medium | 4.0 | | 2025-11-12 | A heap-use-after-free vulnerability exists in airpig2011 IEC104 thru Commit be6d841 (2019-07-08).

Astro · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64525 | Medium | 6.5 | | 2025-11-13 | Astro is a web framework.
CVE-2025-64745 | Low | 2.7 | | 2025-11-13 | Astro is a web framework.

Autodesk · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11797 | High | 7.8 | | 2025-11-12 | A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability.
CVE-2025-11795 | High | 7.8 | | 2025-11-12 | A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability.

Baptistearno · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64709 | Critical | 9.6 | | 2025-11-13 | Typebot is an open-source chatbot builder.
CVE-2025-64706 | Medium | 5.0 | | 2025-11-13 | Typebot is an open-source chatbot builder.

Booster · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64380 | Medium | 6.5 | | 2025-11-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Stored XSS. This issue affects Booster for WooCommerce: from n/a through <= 7…
CVE-2025-64379 | Medium | 4.3 | | 2025-11-13 | Missing Authorization vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booster for WooCommerce: from n/a through <= 7.4.0.

Bugsink · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64509 | High | 7.5 | | 2025-11-10 | Bugsink is a self-hosted error tracking tool.
CVE-2025-64508 | High | 7.5 | | 2025-11-10 | Bugsink is a self-hosted error tracking tool.

Codepeople · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64369 | Medium | 6.5 | | 2025-11-13 | Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.58.
CVE-2025-64261 | Medium | 5.4 | | 2025-11-13 | Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Booking Calendar: from n/a t…

Edetw · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12865 | High | 8.8 | | 2025-11-10 | U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-12864 | High | 8.8 | | 2025-11-10 | U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents.

Enalean · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64482 | Medium | 4.6 | | 2025-11-12 | Tuleap is an Open Source Suite to improve management of software developments and collaboration.
CVE-2025-64117 | Medium | 4.6 | | 2025-11-12 | Tuleap is an Open Source Suite to improve management of software developments and collaboration.

Fiberhome · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63353 | Critical | 9.8 | | 2025-11-12 | A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID.
CVE-2021-4464 | | | | 2025-11-12 | FiberHome AN5506-04-FA firmware versions up to and including RP2631 and HG6245D prior to RP2602 contain a stack-based buffer overflow, as the HTTP service ('webs') fails to enforce maximum lengths for Cookie header values.

Frappe · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64707 | Medium | 5.4 | | 2025-11-12 | Frappe Learning is a learning system that helps users structure their content.
CVE-2025-64705 | Medium | 4.3 | | 2025-11-12 | Frappe Learning is a learning system that helps users structure their content.

Getgrist · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64752 | Medium | 6.8 | | 2025-11-13 | grist-core is a spreadsheet hosting server.
CVE-2025-64753 | Medium | 5.3 | | 2025-11-13 | grist-core is a spreadsheet hosting server.

Github · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11892 | Critical | 9.6 | | 2025-11-10 | An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow trigge…
CVE-2025-11578 | High | 7.2 | | 2025-11-10 | A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments.

Gnu · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62689 | High | 7.5 | | 2025-11-10 | NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier.
CVE-2025-59777 | High | 7.5 | | 2025-11-10 | NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier.

Grafana Labs · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41116 | | | | 2025-11-11 | When using the Grafana Databricks Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user id…
CVE-2025-3717 | | | | 2025-11-11 | When using the Grafana Snowflake Datasource Plugin, if OAuth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user ide…

H3blog · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13182 | Low | 3.5 | | 2025-11-14 | A vulnerability was identified in pojoin h3blog 1.0.
CVE-2025-13181 | Low | 3.5 | | 2025-11-14 | A vulnerability was determined in pojoin h3blog 1.0.

Hp · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12785 | High | 7.5 | | 2025-11-13 | Certain HP LaserJet Pro printers may be vulnerable to information disclosure leading to credential exposure by altering the scan/send destination address and/or modifying the LDAP Server.
CVE-2025-12784 | Medium | 4.9 | | 2025-11-13 | Certain HP LaserJet Pro printers may be vulnerable to information disclosure leading to credential exposure by altering the scan/send destination address and/or modifying the LDAP Server.

Hundred Plus · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12866 | Critical | 9.8 | | 2025-11-10 | EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing an unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password.
CVE-2025-12867 | High | 7.2 | | 2025-11-10 | EIP Plus developed by Hundred Plus has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Iq Service International · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13161 | High | 7.5 | | 2025-11-14 | IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
CVE-2025-13160 | Medium | 5.3 | | 2025-11-14 | IQ-Support developed by IQ Service International has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network.

Latchset · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59088 | High | 8.6 | | 2025-11-12 | If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name.
CVE-2025-59089 | Medium | 5.9 | | 2025-11-12 | If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g.

Odude · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11988 | Medium | 5.3 | | 2025-11-11 | The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22.
CVE-2025-11986 | Medium | 5.3 | | 2025-11-11 | The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22.

Openclinica · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12922 | Medium | 6.3 | | 2025-11-10 | A vulnerability was found in OpenClinica Community Edition up to 3.12.2/3.13.
CVE-2025-12921 | Medium | 4.3 | | 2025-11-10 | A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13.

Openprinting · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64503 | Medium | 4.0 | | 2025-11-12 | cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macOS.
CVE-2025-57812 | Low | 3.7 | | 2025-11-12 | CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Appli…

Opensolution · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9982 | High | 7.5 | | 2025-11-14 | A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext.
CVE-2025-10018 | Medium | 4.8 | | 2025-11-14 | QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages).

Privatebin · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64714 | Medium | 5.8 | | 2025-11-13 | PrivateBin is an online pastebin where the server has zero knowledge of pasted data.
CVE-2025-64711 | Low | 3.9 | | 2025-11-13 | PrivateBin is an online pastebin where the server has zero knowledge of pasted data.

Red Hat · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-2843 | High | 8.8 | | 2025-11-12 | A flaw was found in the Observability Operator.
CVE-2025-12748 | Medium | 5.5 | | 2025-11-11 | A flaw was discovered in libvirt in the XML file processing.

Rymcu · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12925 | High | 7.3 | | 2025-11-10 | A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224.
CVE-2025-12924 | Medium | 4.3 | | 2025-11-10 | A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224.

Shelfplanner · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11894 | Medium | 5.3 | | 2025-11-11 | The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.8.1.
CVE-2025-11891 | Medium | 5.3 | | 2025-11-11 | The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 through publicly exposed log files.

Splunk · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-20379 | Low | 3.5 | | 2025-11-12 | In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the "admin" or "power" Splunk ro…
CVE-2025-20378 | Low | 3.1 | | 2025-11-12 | In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter…

Tg8 · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2021-44712025-11-14TG8 Firewall exposes a directory such as /data/ over HTTP without authentication.
CVE-2021-44702025-11-14TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint.

Themefic · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-12788Medium5.32025-11-11The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27.
CVE-2025-12787Medium5.32025-11-11The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27.

Trifectatechfoundation · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64517Medium4.42025-11-12sudo-rs is a memory safe implementation of sudo and su written in Rust.
CVE-2025-64170Low3.82025-11-12sudo-rs is a memory safe implementation of sudo and su written in Rust.

Webtoffee · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64382Medium4.32025-11-13Missing Authorization vulnerability in WebToffee Order Export & Order Import for WooCommerce order-import-export-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Export & Orde…
CVE-2025-12113Medium4.32025-11-12The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, an…

Wpdevelop · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64381Medium6.52025-11-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS.This issue affects Booking Calendar: from n/a through <= 10.14.7.
CVE-2025-64275Medium6.52025-11-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS.This issue affects Booking Manager: from n/a through <= 2.1.17.

1000mz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12923 | Low | 2.7 | - | 2025-11-10 | A vulnerability was determined in liweiyi ChestnutCMS up to 1.5.8.

Acowebs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12087 | Medium | 4.3 | - | 2025-11-12 | The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing valid…

Advantech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63701 | Medium | 6.8 | - | 2025-11-14 | A heap corruption vulnerability exists in the Advantech TP-3250 printer driver's DrvUI_x64_ADVANTECH.dll (v0.3.9200.20789) when DocumentPropertiesW() is called with a valid dmDriverExtra value but an undersized output buffer.

Alagaai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-55810 | Medium | 6.8 | - | 2025-11-13 | A vulnerability was found in Alaga Home Security WiFi Camera 3K (model S-CW2503C-H) with hardware version V03 and firmware version 1.4.2, which allows physical attackers to execute commands as root via script file with a specific name on a…

Algosec · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12382 | High | 8.8 | - | 2025-11-12 | Improper Limitation of a Pathname ('Path Traversal') vulnerability in Algosec Firewall Analyzer on Linux, 64 bit allows an authenticated user to upload files to a restricted directory leading to code injection.

Alteryx · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63291 | Medium | 5.4 | - | 2025-11-14 | When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller.

Altocms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-42749 | Medium | 6.1 | - | 2025-11-14 | Cross Site Scripting vulnerability in Alto CMS v.1.1.13 allows a local attacker to execute arbitrary code via a crafted script.

Aman · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64264 | Medium | 5.9 | - | 2025-11-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms popup-addon-for-ninja-forms allows Stored XSS. This issue affects Popup addon for Ninja Forms: from n/a t…

Amtt · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13123 | Medium | 6.3 | - | 2025-11-13 | A flaw has been found in AMTT Hotel Broadband Operation System 1.0.

Andreaferracani · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12590 | Medium | 6.1 | - | 2025-11-11 | The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1.

Andrico · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12662 | Medium | 6.4 | - | 2025-11-11 | The Coon Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'map' shortcode in all versions up to, and including, 1.0.

Angeljudesuarez · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13061 | Medium | 6.3 | - | 2025-11-12 | A vulnerability was detected in itsourcecode Online Voting System 1.0.

Apollographql · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64530 | High | 7.5 | - | 2025-11-13 | Apollo Federation is an architecture for declaratively composing APIs into a unified graph.

Arista Networks · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8870 | Medium | 4.9 | - | 2025-11-14 | On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.

Aryom Software High Technology Systems Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11960 | Medium | 6.1 | - | 2025-11-11 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aryom Software High Technology Systems Inc.

Asecam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63667 | High | 7.5 | - | 2025-11-12 | Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication.

Asgaros · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12901 | Medium | 4.3 | - | 2025-11-12 | The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1.

Astrasecuritysuite · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11521 | High | 8.1 | - | 2025-11-11 | The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and includin…

Asus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59367 | Critical | 9.8 | - | 2025-11-13 | An authentication bypass vulnerability has been identified in certain DSL series routers that may allow remote attackers to gain unauthorized access to the affected system.

Aumsrini · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11769 | Medium | 6.4 | - | 2025-11-13 | The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1.

Authzed · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64529 | Medium | 6.5 | - | 2025-11-10 | SpiceDB is an open source database system for creating and managing security-critical application permissions.

Avast · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10905 | Medium | 4.4 | - | 2025-11-11 | Collision in MiniFilter driver in Avast Software Avast Free Antivirus before 25.9 on Windows allows a local attacker with administrative privileges to disable real-time protection and self-defense mechanisms.

Aws · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12967 | High | 8.0 | - | 2025-11-10 | An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to the rds_superuser role.

Ays Pro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64276 | Medium | 6.5 | - | 2025-11-13 | Missing Authorization vulnerability in Ays Pro Survey Maker survey-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Survey Maker: from n/a through <= 5.1.9.4.

Baronen · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12589 | Medium | 6.1 | - | 2025-11-11 | The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5.

Behzadrohizadeh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12588 | Medium | 4.3 | - | 2025-11-11 | The USB Qr Code Scanner For Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0.

Benmoody · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11260 | Medium | 5.3 | - | 2025-11-13 | The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15.

Bitdefender · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-5317 | Medium | 5.5 | - | 2025-11-11 | An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection.

Bitfoundation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64710 | - | - | - | 2025-11-13 | Bitplatform Boilerplate is a Visual Studio and .NET project template.

Brainstormforce · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12536 | Medium | 5.3 | - | 2025-11-13 | The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration.

Busybox · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-60876 | Medium | 6.5 | - | 2025-11-10 | BusyBox wget through 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected.

Bytecodealliance · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64345 | Low | 1.8 | - | 2025-11-12 | Wasmtime is a runtime for WebAssembly.

Cameasy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13121 | High | 7.3 | - | 2025-11-13 | A security vulnerability has been detected in cameasy Liketea 1.0.0.

Campcodes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13057 | Medium | 6.3 | - | 2025-11-12 | A vulnerability was identified in Campcodes School Fees Payment Management System 1.0.

Caselock · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11860 | Medium | 6.4 | - | 2025-11-11 | The Twitter Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ottwitter_feed' shortcode in all versions up to, and including, 1.3.1.

Ceph · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-47866 | High | 7.5 | - | 2025-11-12 | Ceph is a distributed object, block, and file storage platform.

Changedetection · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62780 | Low | 3.5 | - | 2025-11-10 | changedetection.io is a free open source web page change detection tool.

Charm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64522 | Critical | 9.1 | - | 2025-11-10 | Soft Serve is a self-hostable Git server for the command line.

Chipsalliance · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63384 | Medium | 6.5 | - | 2025-11-10 | A vulnerability was discovered in the RISC-V Rocket-Chip implementation, v1.6 and before, where the SRET (Supervisor-mode Exception Return) instruction fails to correctly transition the processor's privilege level.

Chrisbadgett · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11923 | High | 8.8 | - | 2025-11-13 | The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation.

Chuck24 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63709 | Medium | 5.4 | - | 2025-11-10 | A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input.

Cksource · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63830 | Medium | 6.1 | - | 2025-11-14 | CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function.

Cmsmadesimple · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63678 | High | 7.2 | - | 2025-11-10 | An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file.

Codeastro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13172 | Medium | 6.3 | - | 2025-11-14 | A security flaw has been discovered in CodeAstro Gym Management System 1.0.

Codethislab · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11886 | Medium | 4.3 | - | 2025-11-11 | The CTL Arcade Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.

Coenjacobs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11859 | Medium | 6.4 | - | 2025-11-11 | The Paypal Donation Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in all versions up to, and including, 0.1.

Creativethemeshq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12846 | High | 8.8 | - | 2025-11-11 | The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19.

Crushftp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63419 | Medium | 6.1 | - | 2025-11-12 | Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48.

Cybertutor · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12868 | Critical | 9.8 | - | 2025-11-10 | New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on the website.

Cyclonedx · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64518 | High | 7.5 | - | 2025-11-10 | The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs.

D-Link · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13188 | Critical | 9.8 | - | 2025-11-14 | A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta.

Datadog · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-61667 | - | - | - | 2025-11-12 | The Datadog Agent collects events and metrics from hosts and sends them to Datadog.

Dbbroadcast · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7328 | Medium | 5.3 | - | 2025-11-14 | Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control on the user management API that allows unauthenticated requests to retrieve structured user data, including account names and connection metadat…

Dbl Technology (Dbltek) · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2022-4982 | - | - | - | 2025-11-12 | DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability.

Debian · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64512 | High | 8.6 | - | 2025-11-10 | Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents.

Dedebiz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12927 | Medium | 4.7 | - | 2025-11-10 | A security vulnerability has been detected in DedeBIZ up to 6.3.2.

Denver · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-4469 | - | - | - | 2025-11-14 | Denver SHO-110 IP cameras expose a secondary HTTP service on TCP port 8001 that provides access to a '/snapshot' endpoint without authentication.

Dinukanavaratna · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13063 | High | 7.3 | - | 2025-11-12 | A flaw has been found in DinukaNavaratna Dee Store 1.0.

Divvydrive Information Technologies Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11962 | High | 7.3 | - | 2025-11-12 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DivvyDrive Information Technologies Inc.

Doytch · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11805 | Medium | 6.4 | - | 2025-11-11 | The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skipto' shortcode in all versions up to, and including, 1.4.4.

Duckdb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64429 | Medium | 6.5 | - | 2025-11-12 | DuckDB is a SQL database management system.

Dvsekhvalnov · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63811 | High | 7.5 | - | 2025-11-12 | An issue was discovered in dvsekhvalnov jose2go 1.5.0 through 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via a crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.

Easycommerce · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11457 | Critical | 9.8 | - | 2025-11-11 | The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2.

Edgarrojas · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64269 | Medium | 4.3 | - | 2025-11-13 | Missing Authorization vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoice Builder: from n/a…

Eflyjason · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11873 | Medium | 6.4 | - | 2025-11-11 | The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attrib…

Eggemplo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12651 | Medium | 6.4 | - | 2025-11-11 | The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1.

Elastic · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-37734 | Medium | 4.3 | - | 2025-11-12 | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

Elvismdev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11821 | Medium | 6.4 | - | 2025-11-11 | The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woo_products_custom_tax' shortcode in all versions up to, and including, 2.2.

Employee Records System · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-4462 | Critical | 9.8 | - | 2025-11-10 | Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the applic…

Etaminstudio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64501 | High | 7.6 | - | 2025-11-10 | ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML.

Ethoseo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11882 | Medium | 6.4 | - | 2025-11-11 | The Simple Donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's simpledonate shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied…

Eventbee · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11856 | Medium | 6.4 | - | 2025-11-11 | The Eventbee Ticketing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eventbeeticketwidget' shortcode in all versions up to, and including, 1.0.

Evervault · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64186 | High | 8.7 | - | 2025-11-12 | Evervault is a payment security solution.

Extplorer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13058 | Low | 3.5 | - | 2025-11-12 | A security flaw has been discovered in soerennb eXtplorer up to 2.1.15.

Fabian · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13119 | Medium | 4.3 | - | 2025-11-13 | A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0.

Filebrowser · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64523 | High | 8.8 | - | 2025-11-12 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files.

Five9 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11829 | Medium | 6.4 | - | 2025-11-11 | The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'toolbar' attribute of the [five9-chat] shortcode in all versions up to, and including, 1.1.2.

Floragunn · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12149 | - | - | - | 2025-11-14 | In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the q…

Fortinet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64446 | Critical | 9.8 | KEV | 2025-11-14 | A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute adm…

Free5gc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63679 | High | 7.5 | - | 2025-11-12 | free5gc v4.1.0 and before is vulnerable to Buffer Overflow.

Fujitsu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65001 | High | 8.2 | - | 2025-11-12 | Fujitsu fbiosdrv.sys before 2.5.0.0 allows an attacker to potentially affect system confidentiality, integrity, and availability.

Fujitsu / Fsas Technologies · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65002 | High | 7.5 | - | 2025-11-12 | Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.

Giuse · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11454 | Medium | 6.5 | - | 2025-11-12 | The Specific Content For Mobile – Customize the mobile version without redirections plugin for WordPress is vulnerable to SQL Injection via the eos_scfm_duplicate_post_as_draft() function in all versions up to, and including, 0.5.5 due to…

Gladinet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12480 | Critical | 9.1 | KEV | 2025-11-10 | Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.

Go · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-47913 | High | 7.5 | - | 2025-11-13 | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Golemiq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64293 | High | 7.6 | - | 2025-11-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Golemiq 0 Day Analytics 0-day-analytics allows SQL Injection. This issue affects 0 Day Analytics: from n/a through <= 4.0.0.

Group-office · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63406 | High | 8.8 | - | 2025-11-13 | An issue in Intermesh BV GroupOffice before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via dbToApi() and eval() in FunctionField.php.

Hasthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64271 | Medium | 4.3 | - | 2025-11-13 | Cross-Site Request Forgery (CSRF) vulnerability in HasThemes WP Plugin Manager wp-plugin-manager allows Cross Site Request Forgery. This issue affects WP Plugin Manager: from n/a through <= 1.4.7.

Hectavex · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12021 | Medium | 6.1 | - | 2025-11-11 | The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'error_description' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping.

Intelbras · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13187 | Medium | 5.3 | - | 2025-11-14 | A security vulnerability has been detected in Intelbras ICIP 2.0.20.

Ipcop Project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-4466 | - | - | - | 2025-11-14 | IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface.

Irai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2011-10034 | - | - | - | 2025-11-12 | AUTOMGEN versions up to and including 8.0.0.7 (also referenced as 8.022) contain a vulnerability in project file handling: an object is freed and the stale pointer is subsequently dereferenced when processing certain malformed fields.

Ivanti · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10918 | High | 7.1 | - | 2025-11-11 | Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allow a local authenticated attacker to write arbitrary files anywhere on disk.

Iworks · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12538 | Medium | 4.4 | - | 2025-11-11 | The Fleet Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping.

Jahed · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12663 | Medium | 6.4 | - | 2025-11-11 | The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jeba_forkit' shortcode in all versions up to, and including, 1.0.

Jdsofttech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11981 | Medium | 4.9 | - | 2025-11-14 | The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'SCodes' parameter in all versions up to, and including, 2.2.23 due to insufficient escaping on the user supplied parameter and lack o…

Jeroen Schmit · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64259 | Medium | 5.3 | - | 2025-11-13 | Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.18.8.

Jetmonsters · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64384 | Medium | 5.3 | - | 2025-11-13 | Missing Authorization vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetFormBuilder: from n/a through <= 3.5.3.

Jitsi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64754 | - | - | - | 2025-11-13 | Jitsi Meet is an open source video conferencing application.

Jobayer534 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12880 | Medium | 5.4 | - | 2025-11-11 | The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping.

Jumo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41731 | High | 7.4 | - | 2025-11-10 | A vulnerability was identified in the password generation algorithm when accessing the debug-interface.

Jvc (Jvckenwood) · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2016-15055 | - | - | - | 2025-11-12 | JVC VN-T IP-camera models firmware versions up to 2016-08-22 (confirmed on the VN-T216VPRU model) contain a directory traversal vulnerability in the checkcgi endpoint that accepts a user-controlled file parameter.

Kanwei_doublethedonation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12020 | Medium | 4.9 | - | 2025-11-11 | The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input s…

Kayapati · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10295 | Medium | 6.4 | - | 2025-11-13 | The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output…

Kddiwebcommunications · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11170 | Critical | 9.8 | - | 2025-11-11 | The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2.

Keruistore · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63296 | Medium | 6.5 | - | 2025-11-10 | KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera firmware v33.53.87 contains a code execution vulnerability in its boot/update logic: during startup /usr/sbin/anyka_service.sh scans mounted TF/SD cards and, if /mnt/update.nor.sh is presen…

Keycloak · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11538 | Medium | 6.8 | - | 2025-11-13 | A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0).

Koopersmith · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12637 | High | 8.8 | - | 2025-11-11 | The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3.

Krishaweb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11999 | Medium | 5.3 | - | 2025-11-11 | The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including…

Kutangguo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63617 | Medium | 6.5 | - | 2025-11-10 | ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability.

Langfuse · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64504 | Medium | 5.0 | - | 2025-11-10 | Langfuse is an open source large language model engineering platform.

Larsactionhero · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12132 | Medium | 4.3 | - | 2025-11-11 | The WP Custom Admin Login Page Logo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.8.4.

Leopardhost · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12539 | Critical | 10.0 | - | 2025-11-11 | The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2.

Lerouxyxchire · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63711 | High | 7.1 | - | 2025-11-10 | A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent.

Lichess · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-52186 | Medium | 6.5 | - | 2025-11-13 | Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API.

Linuxcontainers · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64507High7.82025-11-10Incus is a system container and virtual machine manager.

Linuxfoundation · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63396Low3.32025-11-12An issue was discovered in PyTorch v2.5 and v2.7.1.

Loveless · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-12632Medium5.52025-11-11The RandomQuotr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping.

Lovelightplugins · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-12665Medium4.32025-11-11The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0.

Magicbug · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64084Medium5.42025-11-14An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier.

Mer.vin · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-12019Medium4.42025-11-11The Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image metadata in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping.

Mheob · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11129 | Medium | 6.4 | | 2025-11-11 | The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping.

Michielve · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12526 | Medium | 4.3 | | 2025-11-11 | The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811.

Milvus-io · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64513 | | | | 2025-11-10 | Milvus is an open-source vector database built for generative AI applications.

Mindstien · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11863 | Medium | 6.4 | | 2025-11-11 | The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mygeo_city' shortcode in all versions up to, and including, 1.2.

Mintty · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-45301 | Medium | 5.3 | | 2025-11-12 | Mintty is a terminal emulator for Cygwin, MSYS, and WSL.

Mitegvg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11874 | Medium | 5.4 | | 2025-11-11 | The Slippy Slider – Responsive Touch Navigation Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slippy-slider' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitiz…

Miunosoft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11451 | High | 7.5 | | 2025-11-11 | The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' REST API endpoint.

Mmdeveloper · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12658 | Medium | 6.4 | | 2025-11-11 | The Preload Current Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'complete' parameter in the 'preload_progress_bar' shortcode in all versions up to, and including, 1.3.

Mruby · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13120 | Medium | 5.3 | | 2025-11-13 | A vulnerability has been found in mruby up to 3.4.0.

Mrx3k1 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12671 | Medium | 6.4 | | 2025-11-11 | The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_iconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping.

Mvirik · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11168 | High | 8.8 | | 2025-11-11 | The Mementor Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.5.

N-media · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64265 | Medium | 4.3 | | 2025-11-13 | Missing Authorization vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frontend File Manager: from n/a through <= 23.2.

Netis Systems Co., Ltd. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2018-25125 | | | | 2025-11-14 | Netis ADSL Router DL4322D firmware RTK 2.1.1 contains a buffer overflow vulnerability in the embedded FTP service that allows an authenticated remote user to trigger a denial of service.

Netscaler · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12101 | | | | 2025-11-11 | Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Ngothoai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11997 | Medium | 5.3 | | 2025-11-11 | The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9.

Nodeca · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64718 | Medium | 5.3 | | 2025-11-13 | js-yaml is a JavaScript YAML parser and dumper.

Nodemailer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13033 | High | 7.5 | | 2025-11-14 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses.

Nuvuscripts · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12672 | Medium | 6.4 | | 2025-11-11 | The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'div_height' parameter of the 'flickrshow' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output esca…

Oauth2-proxy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64484 | High | 8.5 | | 2025-11-10 | OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups.

Omnissa · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-25236 | Medium | 5.3 | | 2025-11-12 | Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability.

Openidentityplatform · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64099 | | | | 2025-11-12 | Open Access Management (OpenAM) is an access management solution.

Openobserve · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64744 | Low | 3.5 | | 2025-11-13 | OpenObserve is a cloud-native observability platform.

Optimus Software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8855 | High | 8.1 | | 2025-11-14 | Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Cl…

Oscaruribe · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12652 | Medium | 6.4 | | 2025-11-11 | The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1.

Otacke · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12904 | High | 7.2 | | 2025-11-14 | The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping.

Ozeki Ltd. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7327 | | | | 2025-11-12 | Ozeki SMS Gateway versions up to and including 10.3.208 contain a path traversal vulnerability.

Pamzey · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13122 | High | 7.3 | | 2025-11-13 | A vulnerability was detected in SourceCodester Patients Waiting Area Queue Management System 1.0.

Paoltaia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12833 | Medium | 4.3 | | 2025-11-12 | The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' functio…

Parse-community · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64502 | | | | 2025-11-10 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

Pascalbajorat · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64292 | Medium | 6.5 | | 2025-11-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PascalBajorat Analytics Germanized for Google Analytics ga-germanized allows DOM-Based XSS. This issue affects Analytics Germanized for Go…

Paul1999 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12667 | Medium | 6.4 | | 2025-11-11 | The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'gist' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping.

Paymentplugins · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12903 | High | 7.5 | | 2025-11-12 | The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2…

Planex Communications Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-4468 | | | | 2025-11-14 | PLANEX CS-QP50F-ING2 smart cameras expose a configuration backup interface over HTTP that does not require authentication.

Pluginever · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64263 | Medium | 5.4 | | 2025-11-13 | Missing Authorization vulnerability in PluginEver WP Content Pilot wp-content-pilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Content Pilot: from n/a through <= 2.1.7.

Positive Technologies · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-4467 | | | | 2025-11-14 | Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002.

Premierturk Information Technologies Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11959 | High | 8.1 | | 2025-11-11 | Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc.

Pritenhshah · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12711 | Medium | 6.4 | | 2025-11-11 | The Share to Google Classroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the share_to_google shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user…

Projectworlds · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12938 | High | 7.3 | | 2025-11-10 | A vulnerability was identified in projectworlds Online Admission System 1.0.

Pubudu-malalasekara · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11828 | Medium | 6.4 | | 2025-11-11 | The Magazine Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headerHtmlTag' attribute in the bnm-blocks/featured-posts-1 block in all versions up to, and including, 1.2.3.

Qdocs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41107 | Medium | 5.4 | | 2025-11-10 | Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', which affects the parameters 'firstname', 'lastname', 'guardian_name' and…

Qingdao Esoft Tianchuang Network Technology Co., Ltd. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2022-4984 | | | | 2025-11-13 | ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality.

Qnap · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2017-20210 | Critical | 9.8 | | 2025-11-11 | Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research.

Qode · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64383 | Medium | 6.5 | | 2025-11-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Qode Qi Blocks qi-blocks allows Stored XSS. This issue affects Qi Blocks: from n/a through <= 1.4.3.

Qualys Inc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-43079 | Medium | 6.3 | | 2025-11-10 | The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions, that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment.

Quantumcloud · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64277 | Medium | 5.3 | | 2025-11-13 | Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through <= 7.3.9.

Rachelos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13174 | Medium | 6.3 | | 2025-11-14 | A weakness has been identified in rachelos WeRSS we-mp-rss up to 1.4.7.

Rainbowfish Software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2018-25124 | | | | 2025-11-10 | PacsOne Server version 6.6.2 (prior versions are likely affected) contains a directory traversal vulnerability within the web-based DICOM viewer component.

Ramon Fincken · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64262 | Medium | 6.5 | | 2025-11-13 | Cross-Site Request Forgery (CSRF) vulnerability in ramon fincken Auto Prune Posts auto-prune-posts allows Cross Site Request Forgery. This issue affects Auto Prune Posts: from n/a through <= 3.0.0.

Rampantlogic · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12754 | Medium | 6.4 | | 2025-11-11 | The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2.

Request Serious Play Llc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-4465 | | | | 2025-11-14 | ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability.

Restpack · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-8397 | Medium | 6.4 | | 2025-11-13 | The Save as PDF Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's restpackpdfbutton shortcode in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping on…

Ronalfy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12681 | Medium | 5.3 | | 2025-11-13 | The Comment Edit Core – Simple Comment Editing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.0 via the 'ajax_get_comment' function.

Ryanmoyer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12126 | Medium | 5.4 | | 2025-11-11 | The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key.

Sagortouch · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12753 | Medium | 6.4 | | 2025-11-11 | The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0.

Sanderkah · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12015 | Medium | 4.3 | | 2025-11-13 | The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_d…

Seiko Epson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7326 | | | | 2025-11-12 | The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML.

Sensiolabs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64500 | High | 7.3 | | 2025-11-12 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components.

Shenzhen Longjing Technology Co. Ltd. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-4463 | | | | 2025-11-12 | Longjing Technology BEMS API versions up to and including 1.21 contain an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint.

Silentmatt · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13204 | High | 7.3 | | 2025-11-14 | npm package `expr-eval` is vulnerable to Prototype Pollution.

Simonpedge · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11869 | Medium | 6.4 | | 2025-11-11 | The Precise Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wrap_id` shortcode attribute in all versions up to, and including, 1.0.

Sitedin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12668 | Medium | 6.4 | | 2025-11-11 | The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_countdown_timer' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and…

Smackcoders · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12732 | Medium | 4.3 | | 2025-11-12 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and includ…

Smci · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-7704 | Medium | 5.4 | | 2025-11-13 | Supermicro BMC Insyde SMASH shell program has a stack-based overflow vulnerability

Smub · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12377 | Medium | 4.3 | | 2025-11-13 | The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0.

Socketdev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64726 | | | | 2025-11-13 | Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages.

Softaculous · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12366 | Medium | 4.3 | | 2025-11-13 | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validatio…

Softivus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11532 | Medium | 5.3 | | 2025-11-11 | The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key.

Sony Network Communications Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64444 | High | 7.2 | | 2025-11-14 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier.

Soplanning · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41001 | Medium | 5.4 | | 2025-11-10 | Cross Site Scripting (XSS) vulnerability stored in SOPlanning v1.53.02, which consists of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'LOGOUT_REDIRECT' parameter in '/soplanning/www/proc…

Sourcefound · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12018 | Medium | 4.4 | | 2025-11-12 | The MembershipWorks – Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping…

Spokanetony · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12631 | Medium | 4.4 | | 2025-11-11 | The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping.

Stellarwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12633 | High | 7.5 | | 2025-11-12 | The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all vers…

Strix-bubol5 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12813 | Critical | 9.8 | | 2025-11-11 | The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter.

Supsysticcom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12089 | Medium | 6.5 | | 2025-11-13 | The Data Tables Generator by Supsystic plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cleanCache() function in all versions up to, and including, 1.10.45.

Suse · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62876 | | | | 2025-11-12 | An Execution with Unnecessary Privileges vulnerability in lightdm-kde-greeter allows escalation from the service user to root. This issue affects lightdm-kde-greeter before 6.0.4.

T-innova Deporsite · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41069 | | | | 2025-11-13 | Insecure Direct Object Reference (IDOR) vulnerability in DeporSite of T-INNOVA.

Tec-it Datenverarbeitung Gmbh, Austria · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2022-4983 | | | | 2025-11-12 | TEC-IT TBarCode version 11.15 contains a vulnerability in the TBarCode11.ocx ActiveX/OCX control's licensing handling (INI-file based) that can be abused to cause remote creation of files on the host filesystem.

Techarohq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64716 | | | | 2025-11-13 | Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots.

Techlabpro1 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12953 | Medium | 4.3 | | 2025-11-11 | The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update…

Tigroumeow · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12844 | High | 7.1 | | 2025-11-13 | The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the 'rest_simpleTranscribeAudio' and 'rest_simpleVision…

Tinycontrol · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-7329 | | | | 2025-11-12 | Tinycontrol LAN Controller v3 (LK3) firmware versions up to 1.58a (hardware v3.8) contain a missing authentication vulnerability in the stm.cgi endpoint.

Toastwebsites · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11996 | Medium | 5.3 | | 2025-11-11 | The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functions in all versions up to, and including, 1.0.7.

Torrentpier · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64519 | High | 8.8 | | 2025-11-10 | TorrentPier is an open source BitTorrent Public/Private tracker engine, written in PHP.

Turkguven Software Technologies Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10161 | High | 7.3 | | 2025-11-11 | Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc.

Typo3 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12998 | | | | 2025-11-12 | Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5.

Ubee Interactive · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2016-15056 | | | | 2025-11-14 | Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download.

Ucancode.net Software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2017-20211 | | | | 2025-11-12 | UCanCode E-XD++ Visualization Enterprise Suite contains an untrusted pointer dereference vulnerability via the TKDRAWCAD.TKDrawCADCtrl.1 ActiveX control.

Unisoc (Shanghai) Technologies Co., Ltd. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-31719 | Medium | 5.1 | | 2025-11-11 | In TEE EcDSA algorithm, there is a possible memory consistency issue.

Ury · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13168 | Medium | 6.3 | | 2025-11-14 | A weakness has been identified in ury-erp ury up to 0.2.0.

Uscnanbu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12979 | Medium | 5.3 | | 2025-11-13 | The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24.

Usememos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-21635 | High | 7.5 | | 2025-11-14 | Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access.

Vega · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59840 | High | 8.1 | | 2025-11-13 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.

Virtus-designs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11822 | Medium | 6.4 | | 2025-11-11 | The WP Bootstrap Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bootstrap_tab' shortcode in all versions up to, and including, 1.0.4.

Vodacom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2022-4985 | | | | 2025-11-14 | Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint.

Wpallimport · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12733 | High | 8.8 | | 2025-11-13 | The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6.

Wpcox · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12644 | Medium | 6.4 | | 2025-11-11 | The Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nonaki' shortcode in all versions up to, and including, 1.0.11.

Wpkoithemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64274 | Medium | 4.3 | | 2025-11-13 | Missing Authorization vulnerability in wpkoithemes WPKoi Templates for Elementor wpkoi-templates-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPKoi Templates for Elementor: from n…

Wpkube · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12010 | Medium | 6.5 | | 2025-11-11 | The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via arbitrary method call from the Authors_List_Shortcode class.

Wpswings · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64267 | Medium | 4.3 | | 2025-11-13 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data. This issue affects…

Xcally · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40681 | | | | 2025-11-13 | Cross-site Scripting (XSS) vulnerability reflected in xCally's Omnichannel v3.30.1.

Yop · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64370 | Medium | 5.3 | | 2025-11-13 | Missing Authorization vulnerability in YOP YOP Poll yop-poll allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YOP Poll: from n/a through <= 6.5.38.

Yudiz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11994 | High | 7.2 | | 2025-11-12 | The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping.

Zephyrproject-rtos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9408 | High | 8.1 | | 2025-11-11 | System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.

Zitadel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64717 | Critical | 9.8 | | 2025-11-13 | ZITADEL is an open source identity management platform.

Zscaler · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-54983 | Medium | 5.2 | | 2025-11-12 | A health check port on Zscaler Client Connector on Windows, versions 4.6 < 4.6.0.216 and 4.7 < 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls.