Patch Tuesday — December 2025
2025-12-09 · 1607 CVEs
CVEs published or modified the week of 2025-12-09, partitioned by vendor.
Microsoft (87 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14174 | High | 8.8 | KEV | 2025-12-12 | Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. |
| CVE-2025-44016 | High | 8.8 | — | 2025-12-11 | A vulnerability in TeamViewer DEX Client (former 1E client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to bypass file integrity validation via a crafted request. |
| CVE-2025-64678 | High | 8.8 | — | 2025-12-09 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
| CVE-2025-64672 | High | 8.8 | — | 2025-12-09 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| CVE-2025-62550 | High | 8.8 | — | 2025-12-09 | Out-of-bounds write in Azure Monitor Agent allows an authorized attacker to execute code over a network. |
| CVE-2025-62549 | High | 8.8 | — | 2025-12-09 | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
| CVE-2025-62456 | High | 8.8 | — | 2025-12-09 | Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network. |
| CVE-2025-64671 | High | 8.4 | — | 2025-12-09 | Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally. |
| CVE-2025-62557 | High | 8.4 | — | 2025-12-09 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-62554 | High | 8.4 | — | 2025-12-09 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-64669 | High | 7.8 | — | 2025-12-11 | Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally. |
| CVE-2025-55314 | High | 7.8 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. |
| CVE-2025-55313 | High | 7.8 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. |
| CVE-2025-55312 | High | 7.8 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. |
| CVE-2025-64899 | High | 7.8 | — | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an alloc… |
| CVE-2025-64785 | High | 7.8 | — | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the curr… |
| CVE-2025-64783 | High | 7.8 | — | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2025-64680 | High | 7.8 | — | 2025-12-09 | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64679 | High | 7.8 | — | 2025-12-09 | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64673 | High | 7.8 | — | 2025-12-09 | Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64661 | High | 7.8 | — | 2025-12-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62572 | High | 7.8 | — | 2025-12-09 | Out-of-bounds read in Application Information Services allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62571 | High | 7.8 | — | 2025-12-09 | Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62564 | High | 7.8 | — | 2025-12-09 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62563 | High | 7.8 | — | 2025-12-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62562 | High | 7.8 | — | 2025-12-09 | Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. |
| CVE-2025-62561 | High | 7.8 | — | 2025-12-09 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62560 | High | 7.8 | — | 2025-12-09 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62559 | High | 7.8 | — | 2025-12-09 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-62558 | High | 7.8 | — | 2025-12-09 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-62556 | High | 7.8 | — | 2025-12-09 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62553 | High | 7.8 | — | 2025-12-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62552 | High | 7.8 | — | 2025-12-09 | Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally. |
| CVE-2025-62474 | High | 7.8 | — | 2025-12-09 | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62472 | High | 7.8 | — | 2025-12-09 | Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62470 | High | 7.8 | — | 2025-12-09 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62467 | High | 7.8 | — | 2025-12-09 | Integer overflow or wraparound in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62466 | High | 7.8 | — | 2025-12-09 | Null pointer dereference in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62464 | High | 7.8 | — | 2025-12-09 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62462 | High | 7.8 | — | 2025-12-09 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62461 | High | 7.8 | — | 2025-12-09 | Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62458 | High | 7.8 | — | 2025-12-09 | Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62457 | High | 7.8 | — | 2025-12-09 | Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62455 | High | 7.8 | — | 2025-12-09 | Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62454 | High | 7.8 | — | 2025-12-09 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62221 | High | 7.8 | KEV | 2025-12-09 | Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-59517 | High | 7.8 | — | 2025-12-09 | Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-59516 | High | 7.8 | — | 2025-12-09 | Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-55233 | High | 7.8 | — | 2025-12-09 | Out-of-bounds read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-54100 | High | 7.8 | — | 2025-12-09 | Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally. |
| CVE-2025-59802 | High | 7.5 | — | 2025-12-11 | Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via OCG. |
| CVE-2025-64666 | High | 7.5 | — | 2025-12-09 | Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-64658 | High | 7.5 | — | 2025-12-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2025-55310 | High | 7.3 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. |
| CVE-2025-62565 | High | 7.3 | — | 2025-12-09 | Use after free in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64893 | High | 7.1 | — | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure or application denial of service. |
| CVE-2025-64784 | High | 7.1 | — | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure or application denial of service. |
| CVE-2025-62570 | High | 7.1 | — | 2025-12-09 | Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally. |
| CVE-2025-62573 | High | 7.0 | — | 2025-12-09 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62569 | High | 7.0 | — | 2025-12-09 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62555 | High | 7.0 | — | 2025-12-09 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-62469 | High | 7.0 | — | 2025-12-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-13670 | Medium | 6.7 | — | 2025-12-12 | The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability. |
| CVE-2025-13669 | Medium | 6.7 | — | 2025-12-12 | Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking. This issue affects High Level Synthesis Compiler: from 19.1 through 24.3. |
| CVE-2025-13665 | Medium | 6.7 | — | 2025-12-12 | The System Console Utility for Windows is vulnerable to a DLL planting vulnerability. |
| CVE-2025-13668 | Medium | 6.7 | — | 2025-12-11 | A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege. |
| CVE-2025-13664 | Medium | 6.7 | — | 2025-12-11 | A potential security vulnerability in Quartus® Prime Standard Edition Design Software may allow escalation of privilege. |
| CVE-2025-13663 | Medium | 6.7 | — | 2025-12-11 | Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists. |
| CVE-2025-55309 | Medium | 6.7 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. |
| CVE-2025-55308 | Medium | 6.7 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. |
| CVE-2025-55311 | Medium | 6.5 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. |
| CVE-2025-12687 | Medium | 6.5 | — | 2025-12-11 | A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to cause a denial of service (application crash) via a crafted command, re… |
| CVE-2025-64670 | Medium | 6.5 | — | 2025-12-09 | Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network. |
| CVE-2025-62473 | Medium | 6.5 | — | 2025-12-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-62465 | Medium | 6.5 | — | 2025-12-09 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. |
| CVE-2025-62463 | Medium | 6.5 | — | 2025-12-09 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. |
| CVE-2025-14372 | Medium | 6.1 | — | 2025-12-12 | Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2025-64894 | Medium | 5.5 | — | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. |
| CVE-2025-62468 | Medium | 5.5 | — | 2025-12-09 | Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally. |
| CVE-2025-59803 | Medium | 5.3 | — | 2025-12-11 | Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via triggers. |
| CVE-2025-64667 | Medium | 5.3 | — | 2025-12-09 | User interface (UI) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-62567 | Medium | 5.3 | — | 2025-12-09 | Integer underflow (wrap or wraparound) in Windows Hyper-V allows an authorized attacker to deny service over a network. |
| CVE-2025-14373 | Medium | 4.3 | — | 2025-12-12 | Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. |
| CVE-2025-46266 | Medium | 4.3 | — | 2025-12-11 | A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP a… |
| CVE-2025-55307 | Low | 3.3 | — | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. |
| CVE-2025-64787 | Low | 3.3 | — | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. |
| CVE-2025-64786 | Low | 3.3 | — | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. |
Other vendors (1520 CVEs across 529 vendors)
Linux · 235 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-40345 | — | — | — | 2025-12-12 | In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin - Automated Vulnerability Discovery Engine. |
| CVE-2025-40344 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work se… |
| CVE-2025-40343 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid scheduling association deletion twice When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_po… |
| CVE-2025-40342 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nvme-fc: use lock accessing port_state and rport state nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active a… |
| CVE-2025-40341 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to… |
| CVE-2025-40340 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. |
| CVE-2025-40339 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix nullptr err of vm_handle_moved If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. |
| CVE-2025-40338 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Do not share the name pointer between components By sharing 'name' directly, tearing down components may lead to use-after-free errors. |
| CVE-2025-40337 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Correctly handle Rx checksum offload errors The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload… |
| CVE-2025-40336 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/gpusvm: fix hmm_pfn_to_map_order() usage Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing someth… |
| CVE-2025-40335 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq input args This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place. |
| CVE-2025-40334 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq buffer virtual address and size It needs to validate the userq object virtual address to determine whether it is resident in a valid vm mapp… |
| CVE-2025-40333 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix infinite loop in __insert_extent_tree() When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_… |
| CVE-2025-40332 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix mmap write lock not release If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls… |
| CVE-2025-40331 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: sctp: Prevent TOCTOU out-of-bounds write For the following path not holding the sock lock, sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() make sure n… |
| CVE-2025-40330 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Shutdown FW DMA in bnxt_shutdown() The netif_close() call in bnxt_shutdown() only stops packet DMA. |
| CVE-2025-40329 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb The Mesa issue referenced below pointed out a possible deadlock: [ 1231.611031] Possible interrupt unsafe lock… |
| CVE-2025-40328 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but… |
| CVE-2025-40327 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix system hang caused by cpu-clock usage cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commi… |
| CVE-2023-53866 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-compress: Reposition and add pcm_mutex If panic_on_warn is set and compress stream(DPCM) is started, then kernel panic occurred because card->pcm_mutex isn't h… |
| CVE-2023-53865 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix warning when putting transaction with qgroups enabled after abort If we have a transaction abort with qgroups enabled we get a warning triggered when doing th… |
| CVE-2023-53864 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() When disabling overlay plane in mxsfb_plane_overlay_atomic_update(), overlay plane's framebuffer… |
| CVE-2023-53863 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: netlink: do not hard code device address length in fdb dumps syzbot reports that some netdev devices do not have a six bytes address [1] Replace ETH_ALEN by dev->addr_le… |
| CVE-2023-53862 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: hfs: fix missing hfs_bnode_get() in __hfs_bnode_create Syzbot found a kernel BUG in hfs_bnode_put(): kernel BUG at fs/hfs/bnode.c:466! |
| CVE-2023-53861 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: correct grp validation in ext4_mb_good_group Group corruption check will access memory of grp and will trigger kernel crash if grp is NULL. |
| CVE-2023-53860 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: dm: don't attempt to queue IO under RCU protection dm looks up the table for IO based on the request type, with an assumption that if the request is marked REQ_NOWAIT, i… |
| CVE-2023-53859 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: s390/idle: mark arch_cpu_idle() noinstr linux-next commit ("cpuidle: tracing: Warn about !rcu_is_watching()") adds a new warning which hits on s390's arch_cpu_idle() fun… |
| CVE-2023-53858 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error If clk_get_rate() fails, the clk that has just been allocated needs to be freed. |
| CVE-2023-53857 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_sk_storage: Fix invalid wait context lockdep report './test_progs -t test_local_storage' reported a splat: [ 27.137569] ============================= [ 27… |
| CVE-2023-53856 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: of: overlay: Call of_changeset_init() early When of_overlay_fdt_apply() fails, the changeset may be partially applied, and the caller is still expected to call of_overla… |
| CVE-2023-53855 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver… |
| CVE-2023-53854 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8186: Fix use-after-free in driver remove path When devm runs function in the "remove" path for a device it runs them in the reverse order. |
| CVE-2023-53853 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: netlink: annotate accesses to nlk->cb_running Both netlink_recvmsg() and netlink_native_seq_show() read nlk->cb_running locklessly. |
| CVE-2023-53852 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_secret_store Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return fix following kmemleak:- unreferenced object 0… |
| CVE-2023-53851 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Drop aux devices together with DP controller Using devres to depopulate the aux bus made sure that upon a probe deferral the EDP panel device would be destro… |
| CVE-2023-53850 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: iavf: use internal state to free traffic IRQs If the system tries to close the netdev while iavf_reset_task() is running, __LINK_STATE_START will be cleared and netif_ru… |
| CVE-2023-53849 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix workqueue leak on bind errors Make sure to destroy the workqueue also in case of early errors during bind (e.g. |
| CVE-2023-53848 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: md/raid5-cache: fix a deadlock in r5l_exit_log() Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing work") introduce a new problem: // caller hold re… |
| CVE-2023-53847 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Fix uninit-value in alauda_check_media() Syzbot got KMSAN to complain about access to an uninitialized value in the alauda subdriver of usb-storage… |
| CVE-2023-53846 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on direct node in truncate_dnode() syzbot reports below bug: BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14… |
| CVE-2023-53845 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix infinite loop in nilfs_mdt_get_block() If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata… |
| CVE-2023-53844 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don't leak a resource on swapout move error If moving the bo to system for swapout failed, we were leaking a resource. |
| CVE-2023-53843 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: reject negative ifindex Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned if… |
| CVE-2023-53842 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove The MBHC resources must be released on component probe failure and removal so can not be tied to the li… |
| CVE-2023-53841 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: devlink: report devlink_port_type_warn source device devlink_port_type_warn is scheduled for port devlink and warning when the port type is not set. |
| CVE-2023-53840 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: usb: early: xhci-dbc: Fix a potential out-of-bound memory access If xdbc_bulk_write() fails, the values in 'buf' can be anything. |
| CVE-2023-53839 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: dccp: fix data-race around dp->dccps_mss_cache dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. |
| CVE-2023-53838 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: synchronize atomic write aborts To fix a race condition between atomic write aborts, I use the inode lock and make COW inode to be re-usable throughout the whole … |
| CVE-2023-53837 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on snapshot tear down In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be… |
| CVE-2023-53836 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix skb refcnt race after locking changes There is a race where skb's from the sk_psock_backlog can be referenced after userspace side has already skb_cons… |
| CVE-2023-53834 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: iio: adc: ina2xx: avoid NULL pointer dereference on OF device match The affected lines were resulting in a NULL pointer dereference on our platform because the device tr… |
| CVE-2023-53833 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL ptr deref by checking new_crtc_state intel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn't obtained previously with intel_atomic_g… |
| CVE-2023-53832 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref in raid10_sync_request init_resync() inits mempool and sets conf->have_replacemnt at the beginning of sync, close_sync() frees the mempool… |
| CVE-2023-53831 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: read sk->sk_family once in sk_mc_loop() syzbot is playing with IPV6_ADDRFORM quite a lot these days, and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() We have… |
| CVE-2023-53830 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix memory leak when showing current settings When retrieving an item string with tlmi_setting(), the result has to be freed using kfree(). |
| CVE-2023-53829 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: flush inode if atomic file is aborted Let's flush the inode being aborted atomic operation to avoid stale dirty inode during eviction in this call stack: f2fs_m… |
| CVE-2023-53828 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() KSAN reports use-after-free in hci_add_adv_monitor(). |
| CVE-2023-53827 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"), just… |
| CVE-2023-53826 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() Wear-leveling entry could be freed in error path, which may be accessed again in eraseblk_count_seq_show()… |
| CVE-2023-53825 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). |
| CVE-2023-53824 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: netlink: annotate lockless accesses to nlk->max_recvmsg_len syzbot reported a data-race in netlink_recvmsg() [1] Indeed, netlink_recvmsg() can be run concu… |
| CVE-2023-53823 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: block/rq_qos: protect rq_qos apis with a new lock commit 50e34d78815e ("block: disable the elevator int del_gendisk") move rq_qos_exit() from disk_release() to del_gendi… |
| CVE-2023-53822 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Ignore frags from uninitialized peer in dp. |
| CVE-2023-53821 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix slab-use-after-free in decode_session6 When ipv6_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueui… |
| CVE-2023-53820 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: loop: loop_set_status_from_info() check before assignment In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should be checked before reassignment, becau… |
| CVE-2022-50679 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: i40e: Fix DMA mappings leak During reallocation of RX buffers, new DMA mappings are created for those buffers. |
| CVE-2022-50678 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting random MAC address and causes invalid address access when… |
CVE-2022-50677 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ipmi: fix use after free in _ipmi_destroy_user() The intf_free() function frees the "intf" pointer so we cannot dereference it again on the next line. |
CVE-2022-50676 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for commit ac361… |
CVE-2022-50675 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_t… |
CVE-2022-50674 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: riscv: vdso: fix NULL deference in vdso_join_timens() when vfork Testing tools/testing/selftests/timens/vfork_exec.c got below kernel log: [ 6.838454] Unable to hand… |
CVE-2022-50673 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught an issue as follows: ================================================================== BUG: KASAN: use-after-fr… |
CVE-2022-50672 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynq-ipi: fix error handling while device_register() fails If device_register() fails, it has two issues: 1. |
CVE-2022-50671 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix "kernel NULL pointer dereference" error When rxe_queue_init in the function rxe_qp_init_req fails, both qp->req.task.func and qp->req.task.arg are not init… |
CVE-2022-50670 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: mmc: omap_hsmmc: fix return value check of mmc_add_host() mmc_add_host() may return error; if we ignore its return value, it will lead to two issues: 1. |
CVE-2022-50669 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible name leak in ocxl_file_register_afu() If device_register() returns error in ocxl_file_register_afu(), the name allocated by dev_set_name() need… |
CVE-2022-50668 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock due to mbcache entry corruption When manipulating xattr blocks, we can deadlock infinitely looping inside ext4_xattr_block_set() where we constantly k… |
CVE-2022-50667 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl() If the copy of the description string from userspace fails, then the page for the instance descriptor doesn't get… |
CVE-2022-50666 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix QP destroy to wait for all references dropped. |
CVE-2022-50665 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected It has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(), as below, it will… |
CVE-2022-50664 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: fix leak of memory fw |
CVE-2022-50663 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix possible memory leak in stmmac_dvr_probe() The bitmap_free() should be called to free priv->af_xdp_zc_qps when create_singlethread_workqueue() fails, ot… |
CVE-2022-50662 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: fix memory leak in hns_roce_alloc_mr() When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not released. |
CVE-2022-50661 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: seccomp: Move copy_seccomp() to no failure path. |
CVE-2022-50660 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: ipw2200: fix memory leak in ipw_wdev_init() In the error path of ipw_wdev_init(), exception value is returned, and the memory applied for in the function is not re… |
CVE-2022-50659 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: hwrng: geode - Fix PCI device refcount leak for_each_pci_dev() is implemented by pci_get_device(). |
CVE-2022-50658 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix memory leak in error path If for some reason the speedbin length is incorrect, then there is a memory leak in the error path because we never free the… |
CVE-2022-50657 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: riscv: mm: add missing memcpy in kasan_init Hi Atish, It seems that the panic is due to the missing memcpy during kasan_init. |
CVE-2023-53819 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: amdgpu: validate offset_in_bo of drm_amdgpu_gem_va This is motivated by OOB access in amdgpu_vm_update_range when offset_in_bo+map_size overflows. |
CVE-2023-53818 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ARM: zynq: Fix refcount leak in zynq_early_slcr_init of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on error pat… |
CVE-2023-53817 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie Hellman… |
CVE-2023-53816 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: fix potential kgd_mem UAFs kgd_mem pointers returned by kfd_process_device_translate_handle are only guaranteed to be valid while p->mutex is held. |
CVE-2023-53815 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: posix-timers: Prevent RT livelock in itimer_delete() itimer_delete() has a retry loop when the timer is concurrently expired. |
CVE-2023-53814 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix dropping valid root bus resources with .end = zero On r8a7791/koelsch: kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/k… |
CVE-2023-53813 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix rbtree traversal bug in ext4_mb_use_preallocated During allocations, while looking for preallocations(PA) in the per inode rbtree, we can't do a direct travers… |
CVE-2023-53812 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix decoder disable pm crash Can't call pm_runtime_disable when the architecture support sub device for 'dev->pm.dev' is NULL, or will get below… |
CVE-2023-53811 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Cap MSIX used to online CPUs + 1 The irdma driver can use a maximum number of msix vectors equal to num_online_cpus() + 1 and the kernel warning stack below… |
CVE-2023-53810 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: blk-mq: release crypto keyslot before reporting I/O complete Once all I/O using a blk_crypto_key has completed, filesystems can call blk_crypto_evict_key(). |
CVE-2023-53809 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register() When a file descriptor of pppol2tp socket is passed as file descriptor of UDP socket, a recursive deadl… |
CVE-2023-53808 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() Always free the zeroed page on return from 'mwifiex_histogram_read()'. |
CVE-2023-53807 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider() Smatch detected this potential error pointer dereference clk_wzrd_register_divider(). |
CVE-2023-53806 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: populate subvp cmd info only for the top pipe [Why] System restart observed while changing the display resolution to 8k with extended mode. |
CVE-2023-53804 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer… |
CVE-2023-53803 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() A fix for: BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses] Read of size… |
CVE-2023-53802 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function It is stated that ath9k_htc_rx_msg() either frees the provided skb or passes its ma… |
CVE-2023-53801 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: iommu/sprd: Release dma buffer to avoid memory leak When attaching to a domain, the driver would alloc a DMA buffer which is used to store address mapping table, and it… |
CVE-2023-53800 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ubi: Fix use-after-free when volume resizing failed There is an use-after-free problem reported by KASAN: =============================================================… |
CVE-2023-53799 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in crypto_destroy_instance The function crypto_drop_spawn expects to be called in process context. |
CVE-2023-53798 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ethtool: Fix uninitialized number of lanes It is not possible to set the number of lanes when setting link modes using the legacy IOCTL ethtool interface. |
CVE-2023-53797 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: HID: wacom: Use ktime_t rather than int when dealing with timestamps Code which interacts with timestamps needs to use the ktime_t type returned by functions like ktime_… |
CVE-2023-53796 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix information leak in f2fs_move_inline_dirents() When converting an inline directory to a regular one, f2fs is leaking uninitialized memory to disk because it do… |
CVE-2023-53795 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: iommufd: IOMMUFD_DESTROY should not increase the refcount syzkaller found a race where IOMMUFD_DESTROY increments the refcount: obj = iommufd_get_object(ucmd->ic… |
CVE-2023-53794 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: cifs: fix session state check in reconnect to avoid use-after-free issue Don't collect exiting session in smb2_reconnect_server(), because it will be released soon. |
CVE-2023-53793 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: perf tool x86: Fix perf_env memory leak Found by leak sanitizer: ``` ==1632594==ERROR: LeakSanitizer: detected memory leaks Direct leak of 21 byte(s) in 1 object(s) all… |
CVE-2023-53792 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_ctrl_secret Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we return when nvme_auth_generate_key() returns error. |
CVE-2023-53791 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: md: fix warning for holder mismatch from export_rdev() Commit a1d767191096 ("md: use mddev->external to select holder in export_rdev()") fix the problem that 'claim_rdev… |
CVE-2023-53790 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bpf: Zeroing allocated object from slab in bpf memory allocator Currently the freed element in bpf memory allocator may be immediately reused, for htab map the reuse wil… |
CVE-2023-53789 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Improve page fault error reporting If IOMMU domain for device group is not setup properly then we may hit IOMMU page fault. |
CVE-2023-53788 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() tuning_ctl_set() might have buffer overrun at (X) if it didn't break from loop by matching (A). |
CVE-2023-53787 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: fix null pointer deref with partial DT config When some of the da9063 regulators do not have corresponding DT nodes a null pointer dereference occurs… |
CVE-2023-53786 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: dm flakey: fix a crash with invalid table line This command will crash with NULL pointer dereference: dmsetup create flakey --table \ "0 `blockdev --getsize /dev/ram0… |
CVE-2023-53785 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: don't assume adequate headroom for SDIO headers mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and mt7921_skb_add_usb_sdio_hdr(), both… |
CVE-2023-53784 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm: bridge: dw_hdmi: fix connector access for scdc Commit 5d844091f237 ("drm/scdc-helper: Pimp SCDC debugs") changed the scdc interface to pick up an i2c adapter from a… |
CVE-2023-53783 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: blk-iocost: fix divide by 0 error in calc_lcoefs() echo max of u64 to cost.model can cause divide by 0 error. |
CVE-2023-53782 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: dccp: Fix out of bounds access in DCCP error handler There was a previous attempt to fix an out-of-bounds access in the DCCP error handlers, but that fix assumed that th… |
CVE-2023-53781 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler(). |
CVE-2023-53780 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix FCLK pstate change underflow [Why] Currently we set FCLK p-state change watermark calculated based on dummy p-state latency when UCLK p-state is not… |
CVE-2023-53778 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Clean up integer overflow checking in map_user_pages() The encode_dma() function has some validation on in_trans->size but it would be more clear to move tho… |
CVE-2023-53777 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: erofs: kill hooked chains to avoid loops on deduplicated compressed images After heavily stressing EROFS with several images which include a hand-crafted image of repeat… |
CVE-2022-50656 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Clear nfc_target before being used Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, whic… |
CVE-2022-50655 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ppp: associate skb with a device at tx Syzkaller triggered flow dissector warning with the following: r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x… |
CVE-2022-50654 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix panic due to wrong pageattr of im->image In the scenario where livepatch and kretfunc coexist, the pageattr of im->image is rox after arch_prepare_bpf_trampolin… |
CVE-2022-50653 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: mmc: atmel-mci: fix return value check of mmc_add_host() mmc_add_host() may return error; if we ignore its return value, it will lead to two issues: 1. |
CVE-2022-50652 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: uio: uio_dmem_genirq: Fix missing unlock in irq configuration Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") started call… |
CVE-2022-50651 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ethtool: eeprom: fix null-deref on genl_info in dump The similar fix as commit 46cdedf2a0fa ("ethtool: pse-pd: fix null-deref on genl_info in dump") is also needed for e… |
CVE-2022-50650 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference state management for synchronous callbacks Currently, verifier verifies callback functions (sync and async) as if they will be executed once, (i.e. |
CVE-2022-50649 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length of 8, but adp5061_chg_… |
CVE-2022-50648 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller Naveen reported recursive locking of direct_mutex with sample ftrace-direct-modify.ko: [ 74… |
CVE-2022-50647 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: RISC-V: Make port I/O string accessors actually work Fix port I/O string accessors such as `insb', `outsb', etc. |
CVE-2022-50646 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: scsi: hpsa: Fix possible memory leak in hpsa_init_one() The hpda_alloc_ctlr_info() allocates h and its field reply_map. |
CVE-2022-50645 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented, so it doe… |
CVE-2022-50644 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe pm_runtime_get_sync() will increment pm usage counter. |
CVE-2022-50643 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_copy_file_range() If the file is used by swap, before return -EOPNOTSUPP, should free the xid, otherwise, the xid will be leaked. |
CVE-2022-50642 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: zero out stale pointers `cros_typec_get_switch_handles` allocates four pointers when obtaining type-c switch handles. |
CVE-2022-50641 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: HSI: omap_ssi: Fix refcount leak in ssi_probe When returning or breaking early from a for_each_available_child_of_node() loop, we need to explicitly call of_node_put() o… |
CVE-2022-50640 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: mmc: core: Fix kernel panic when remove non-standard SDIO card SDIO tuple is only allocated for standard SDIO card, especially it causes memory corruption issues when th… |
CVE-2022-50639 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: io-wq: Fix memory leak in worker creation If the CPU mask allocation for a node fails, then the memory allocated for the 'io_wqe' struct of the current node doesn't get… |
CVE-2022-50638 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad boot loader inode We got an issue as follows: ================================================================== kernel… |
CVE-2022-50637 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() If "cpu_dev" fails to get opp table in qcom_cpufreq_hw_read_lut(), the program will return, resulting in… |
CVE-2022-50636 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_device_is_present() for VFs by checking PF pci_device_is_present() previously didn't work for VFs because it reads the Vendor and Device ID, which are 0xfff… |
CVE-2022-50635 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() I found a null pointer reference in arch_prepare_kprobe(): # echo 'p cmdline_proc_show' > kprobe_… |
CVE-2022-50634 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe() cw_bat_probe() calls create_singlethread_workqueue() and does not check the ret value, which may retur… |
CVE-2022-50633 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init of_icc_get() allocs resources for the path handle; we should release it when it is no longer needed. |
CVE-2022-50632 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init() tad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_drive… |
CVE-2022-50631 | — | — | — | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec: Fix memory leak of fdt buffer This is reported by kmemleak detector: unreferenced object 0xff60000082864000 (size 9588): comm "kexec", pid 146, jiffies… |
CVE-2023-53769 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: virt/coco/sev-guest: Double-buffer messages The encryption algorithms read and write directly to shared unencrypted memory, which may leak information as well as permit… |
CVE-2023-53768 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: regmap-irq: Fix out-of-bounds access when allocating config buffers When allocating the 2D array for handling IRQ type registers in regmap_add_irq_chip_fwnode(), the int… |
CVE-2023-53767 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_qmi_driver_event_work() Currently the buffer pointed by event is not freed in case ATH12K_FLAG_UNREGISTERING bit is set, this cau… |
CVE-2023-53766 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: FS: JFS: Check for read-only mounted filesystem in txBegin This patch adds a check for read-only mounted filesystem in txBegin before starting a transaction potentiall… |
CVE-2023-53765 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: dm cache: free background tracker's queued work in btracker_destroy Otherwise the kernel can BUG with: [ 2245.426978] ==================================================… |
CVE-2023-53764 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Handle lock during peer_id find ath12k_peer_find_by_id() requires that the caller hold the ab->base_lock. |
CVE-2023-53763 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: fix to do sanity check on extent cache correctly" syzbot reports a f2fs bug as below: UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:19 index 140… |
CVE-2023-53762 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a cont… |
CVE-2023-53761 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Fix direction for 0-length ioctl control messages The syzbot fuzzer found a problem in the usbtmc driver: When a user submits an ioctl for a 0-length contro… |
CVE-2023-53760 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: mcq: Fix &hwq->cq_lock deadlock issue When ufshcd_err_handler() is executed, CQ event interrupt can enter waiting for the same lock. |
CVE-2023-53759 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: HID: hidraw: fix data race on device refcount The hidraw_open() function increments the hidraw device reference counter. |
CVE-2023-53758 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: spi: atmel-quadspi: Free resources even if runtime resume failed in .remove() An early error exit in atmel_qspi_remove() doesn't prevent the device unbind. |
CVE-2023-53757 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe of_irq_find_parent() returns a node pointer with refcount incremented; we should use of_node_put() on it wh… |
CVE-2023-53756 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Fix crash due to uninitialized current_vmcs KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as a nested hypervisor on top of Hyper-V. |
CVE-2023-53755 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: dmaengine: ptdma: check for null desc before calling pt_cmd_callback Resolves a panic that can occur on AMD systems, typically during host shutdown, after the PTDMA driv… |
CVE-2023-53754 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup() When if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4) returns false, drbl_regs_memmap_p is no… |
CVE-2023-53753 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix mapping to non-allocated address [Why] There is an issue mapping non-allocated location of memory. |
CVE-2023-53752 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: net: deal with integer overflows in kmalloc_reserve() Blamed commit changed: ptr = kmalloc(size); if (ptr) size = ksize(ptr); size = kmalloc_size_roun… |
CVE-2023-53751 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname TCP_Server_Info::hostname may be updated once or many times during reconnect, so protect its access… |
CVE-2023-53750 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 The config passed in by pad wakeup is 1, when num_configs is 1, Configuration [1] should not be fetc… |
CVE-2023-53748 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup variable *nplanes is provided by user via system call argument. |
CVE-2023-53747 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF After a call to console_unlock() in vcs_write() the vc_data struct can be freed by vc_port_d… |
CVE-2023-53746 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: fix memory leak in vfio_ap device driver The device release callback function invoked to release the matrix device uses the dev_get_drvdata(device *dev) fu… |
CVE-2023-53745 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: um: vector: Fix memory leak in vector_config If the return value of the uml_parse_vector_ifspec function is NULL, we should call kfree(params) to prevent memory leak. |
CVE-2023-53744 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe wkup_m3_ipc_get() takes refcount, which should be freed by wkup_m3_ipc_put(). |
CVE-2023-53743 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: PCI: Free released resource after coalescing release_resource() doesn't actually free the resource or resource list entry so free the resource list entry to avoid a leak. |
CVE-2023-53742 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: kcsan: Avoid READ_ONCE() in read_instrumented_memory() Haibo Li reported: | Unable to handle kernel paging request at virtual address | ffffff802a0d8d7171 | Mem ab… |
CVE-2022-50630 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: fix UAF in hugetlb_handle_userfault The vma_lock and hugetlb_fault_mutex are dropped before handling userfault and reacquire them again after handle_userfau… |
CVE-2022-50629 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory leak in rsi_coex_attach() The coex_cb needs to be freed when rsi_create_kthread() failed in rsi_coex_attach(). |
CVE-2022-50628 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/gud: Fix UBSAN warning UBSAN complains about invalid value for bool: [ 101.165172] [drm] Initialized gud 1.0.0 20200422 for 2-3.2:1.0 on minor 1 [ 101.213360] gud… |
CVE-2022-50627 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix monitor mode bringup crash When the interface is brought up in monitor mode, it leads to NULL pointer dereference crash. |
CVE-2022-50626 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Syzbot reports a memory leak in "dvb_usb_adapter_init()". |
CVE-2022-50625 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: serial: amba-pl011: avoid SBSA UART accessing DMACR register Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART… |
CVE-2022-50624 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: net: netsec: fix error handling in netsec_register_mdio() If phy_device_register() fails, phy_device_free() need be called to put refcount, so memory of phy device and d… |
CVE-2022-50623 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit systems leading to memory corruption. |
CVE-2022-50622 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential memory leak in ext4_fc_record_modified_inode() As krealloc may return NULL, in this case 'state->fc_modified_inodes' may not be freed by krealloc, bu… |
CVE-2022-50621 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: dm: verity-loadpin: Only trust verity targets with enforcement Verity targets can be configured to ignore corrupted data blocks. |
CVE-2022-50620 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to invalidate dcc->f2fs_issue_discard in error path Syzbot reports a NULL pointer dereference issue as below: __refcount_add include/linux/refcount.h:193 [in… |
CVE-2022-50619 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr() If the number of pages from the userptr BO differs from the SG BO then the allocated memory for the SG table does… |
CVE-2022-50618 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: mmc: meson-gx: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. |
CVE-2022-50617 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/powerplay/psm: Fix memory leak in power state init Commit 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power state init") made the power state… |
CVE-2022-50616 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: regulator: core: Use different devices for resource allocation and DT lookup Following by the below discussion, there's the potential UAF issue between regulator and mfd. |
CVE-2022-50615 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() pci_get_device() will increase the reference count for the returned pci_dev, so snr_uncore_get_m… |
CVE-2022-50614 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic The dma_map_single() doesn't permit zero length mapping. |
CVE-2022-50583 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: md/raid0, raid10: Don't set discard sectors for request queue It should use disk_stack_limits to get a proper max_discard_sectors rather than setting a value by stack dr… |
CVE-2025-40326 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: NFSD: Define actions for the new time_deleg FATTR4 attributes NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to… |
CVE-2025-40324 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. |
CVE-2025-40323 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mo… |
CVE-2025-40322 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may… |
CVE-2025-40321 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always u… |
CVE-2025-40320 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first att… |
CVE-2025-40319 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work execut… |
CVE-2025-40318 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. |
CVE-2025-40317 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the proble… |
CVE-2025-40316 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed t… |
CVE-2025-40315 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. |
CVE-2025-40314 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget struc… |
CVE-2025-40313 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG… |
CVE-2025-40312 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. |
CVE-2025-40311 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc… |
CVE-2025-40310 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is race in amdgpu_amdkfd_device_fini_sw and interrupt. |
CVE-2025-40309 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put inc… |
CVE-2025-40308 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. |
CVE-2025-40307 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. |
CVE-2025-40306 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... |
CVE-2025-40305 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list). |
CVE-2025-40304 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen ed… |
CVE-2025-40303 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task co… |
CVE-2025-40302 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: forbid remove_bufs when legacy fileio is active vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some point… |
CVE-2025-40301 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte… |
CVE-2025-40299 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: gve: Implement gettimex64 with -EOPNOTSUPP gve implemented a ptp_clock for sole use of do_aux_work at this time. |
CVE-2025-40298 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: gve: Implement settime64 with -EOPNOTSUPP ptp_clock_settime() assumes every ptp_clock has implemented settime64(). |
CVE-2025-40297 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. |
CVE-2025-40296 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Fix double free of GPIO device during unregister regulator_unregister() already frees the associated GPIO device. |
CVE-2025-40295 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8… |
CVE-2025-40294 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HC… |
CVE-2025-40293 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. |
CVE-2025-40292 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the… |
CVE-2025-40291 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix regbuf vector size truncation There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. |
CVE-2025-40290 | — | — | — | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor production"), the descriptor number is stored in skb contr… |
Adobe (127 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-64539 | Critical | 9.3 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. |
CVE-2025-64538 | Critical | 9.3 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. |
CVE-2025-64537 | Critical | 9.3 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. |
CVE-2025-61811 | Critical | 9.1 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-61809 | Critical | 9.1 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
CVE-2025-61808 | Critical | 9.1 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high privileged attacker. |
CVE-2025-61812 | High | 8.4 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution. |
CVE-2025-61810 | High | 8.4 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-61813 | High | 8.2 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. |
CVE-2025-61821 | Medium | 6.8 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. |
CVE-2025-61823 | Medium | 6.2 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. |
CVE-2025-61822 | Medium | 6.2 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. |
CVE-2025-64897 | Medium | 5.6 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. |
CVE-2025-64896 | Medium | 5.5 | — | 2025-12-09 | Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service. |
CVE-2025-64888 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64887 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64881 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64875 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64873 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64869 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64863 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64861 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64858 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64857 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64853 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64852 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64850 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64847 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64845 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64841 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64840 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64839 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64833 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64829 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64827 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64826 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64825 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64823 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64822 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64821 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64820 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64817 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64814 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64808 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64804 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64803 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64802 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64801 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64800 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64799 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64797 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64796 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64794 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64793 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64792 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64791 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64790 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64789 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64627 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64626 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64623 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64622 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64620 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64619 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64616 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64615 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64614 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64613 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64612 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64611 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64609 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64607 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64606 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64605 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64604 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64603 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64602 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64601 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64600 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64599 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64598 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64597 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64596 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64594 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64593 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64592 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64591 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64590 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64586 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64585 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64583 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64582 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64581 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64580 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64579 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64578 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64577 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64576 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64575 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64574 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64572 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64569 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64566 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64565 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64564 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64563 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64562 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64560 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64559 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64558 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64557 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64556 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64555 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64554 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64553 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64551 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64550 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64549 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64548 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64547 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64546 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64545 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64544 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64543 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow… |
CVE-2025-64541 | Medium | 5.4 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-64898 | Medium | 5.3 | — | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. |
CVE-2025-64872 | Medium | 4.8 | — | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. |
Google · 81 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-36937 | Critical | 9.8 | — | 2025-12-11 | In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-48626 | Critical | 9.8 | — | 2025-12-08 | In multiple locations, there is a possible way to launch an application from the background due to a precondition check failure. |
CVE-2025-36924 | High | 8.0 | — | 2025-12-11 | In ss_DecodeLcsAssistDataReqMsg(void) of ss_LcsManagement.c, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-36923 | High | 8.0 | — | 2025-12-11 | In NrmmDecoder::DecodeSORTransparentContext of cn_NrmmDecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow. |
CVE-2025-36936 | High | 7.8 | — | 2025-12-11 | In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to an integer overflow. |
CVE-2025-36935 | High | 7.8 | — | 2025-12-11 | In trusty_ffa_mem_reclaim of shared-mem-smcall.c, there is a possible memory corruption due to uninitialized data. |
CVE-2025-36932 | High | 7.8 | — | 2025-12-11 | In tracepoint_msg_handler of cpm/google/lib/tracepoint/tracepoint_ipc.c, there is a possible memory overwrite due to improper input validation. |
CVE-2025-36931 | High | 7.8 | — | 2025-12-11 | In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check. |
CVE-2025-36930 | High | 7.8 | — | 2025-12-11 | In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check. |
CVE-2025-36928 | High | 7.8 | — | 2025-12-11 | In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-36927 | High | 7.8 | — | 2025-12-11 | In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to a missing bounds check. |
CVE-2025-36925 | High | 7.8 | — | 2025-12-11 | In WAVES_send_data_to_dsp of libaoc_waves.c, there is a possible out of bounds write due to a missing bounds check. |
CVE-2025-36919 | High | 7.8 | — | 2025-12-11 | In aocc_read of aoc_channel_dev.c, there is a possible double free due to improper locking. |
CVE-2025-36918 | High | 7.8 | — | 2025-12-11 | In aoc_service_read_message of aoc_ipc_core.c, there is a possible out of bounds read due to improper input validation. |
CVE-2025-48606 | High | 7.8 | — | 2025-12-08 | In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to a logic error in the code. |
CVE-2025-48638 | High | 7.8 | — | 2025-12-08 | In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. |
CVE-2025-48637 | High | 7.8 | — | 2025-12-08 | In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. |
CVE-2025-48632 | High | 7.8 | — | 2025-12-08 | In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. |
CVE-2025-48629 | High | 7.8 | — | 2025-12-08 | In findAvailRecognizer of VoiceInteractionManagerService.java, there is a possible way to become the default speech recognizer app due to an insecure default value. |
CVE-2025-48628 | High | 7.8 | — | 2025-12-08 | In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. |
CVE-2025-48627 | High | 7.8 | — | 2025-12-08 | In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to launch an activity from the background due to a logic error in the code. |
CVE-2025-48624 | High | 7.8 | — | 2025-12-08 | In multiple functions of arm-smmu-v3.c, there is a possible out-of-bounds write due to improper input validation. |
CVE-2025-48623 | High | 7.8 | — | 2025-12-08 | In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. |
CVE-2025-48620 | High | 7.8 | — | 2025-12-08 | In onSomePackagesChanged of VoiceInteractionManagerService.java, there is a possible way for a third party application's component name to persist even after uninstalling due to a logic error in the code. |
CVE-2025-48615 | High | 7.8 | — | 2025-12-08 | In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due to resource exhaustion. |
CVE-2025-48612 | High | 7.8 | — | 2025-12-08 | In setDefaultKey of DefaultPaymentSettings.java, there is a possible way for an application to set the main user's default NFC payment setting due to improper input validation. |
CVE-2025-48599 | High | 7.8 | — | 2025-12-08 | In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check. |
CVE-2025-48597 | High | 7.8 | — | 2025-12-08 | In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. |
CVE-2025-48596 | High | 7.8 | — | 2025-12-08 | In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. |
CVE-2025-48589 | High | 7.8 | — | 2025-12-08 | In multiple functions of HeaderPrivacyIconsController.kt, there is a possible way to grant permissions across users due to a logic error in the code. |
CVE-2025-48588 | High | 7.8 | — | 2025-12-08 | In startAlwaysOnVpn of Vpn.java, there is a possible way to disable always-on VPN due to a logic error in the code. |
CVE-2025-48586 | High | 7.8 | — | 2025-12-08 | In onActivityResult of EditFdnContactScreen.java, there is a possible way to leak contacts from the work profile due to a confused deputy. |
CVE-2025-48583 | High | 7.8 | — | 2025-12-08 | In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a logic error in the code. |
CVE-2025-48580 | High | 7.8 | — | 2025-12-08 | In connectInternal of MediaBrowser.java, there is a possible way to use a while-in-use permission while the app is in the background due to a logic error in the code. |
CVE-2025-48575 | High | 7.8 | — | 2025-12-08 | In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. |
CVE-2025-48573 | High | 7.8 | — | 2025-12-08 | In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse. |
CVE-2025-48572 | High | 7.8 | KEV | 2025-12-08 | In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. |
CVE-2025-48566 | High | 7.8 | — | 2025-12-08 | In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation. |
CVE-2025-48565 | High | 7.8 | — | 2025-12-08 | In multiple locations, there is a possible way to bypass the cross profile intent filter due to a logic error in the code. |
CVE-2025-48555 | High | 7.8 | — | 2025-12-08 | In multiple functions of NotificationStation.java, there is a possible cross-profile information disclosure due to a confused deputy. |
CVE-2025-48536 | High | 7.8 | — | 2025-12-08 | In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for a third party app to modify secure settings due to a confused deputy. |
CVE-2025-48525 | High | 7.8 | — | 2025-12-08 | In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation. |
CVE-2025-32329 | High | 7.8 | — | 2025-12-08 | In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code. |
CVE-2025-32328 | High | 7.8 | — | 2025-12-08 | In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code. |
CVE-2025-22420 | High | 7.8 | — | 2025-12-08 | In multiple locations, there is a possible way to leak audio files across user profiles due to a confused deputy. |
CVE-2025-48592 | High | 7.5 | — | 2025-12-08 | In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. |
CVE-2025-36934 | High | 7.4 | — | 2025-12-11 | In bigo_worker_thread of private/google-modules/video/gchips/bigo.c, there is a possible use after free due to a race condition. |
CVE-2025-48639 | High | 7.3 | — | 2025-12-08 | In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. |
CVE-2025-48621 | High | 7.3 | — | 2025-12-08 | In DefaultTransitionHandler.java, there is a possible way to enable a tapjacking attack due to an insecure default. |
CVE-2025-48594 | High | 7.3 | — | 2025-12-08 | In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. |
CVE-2025-13428 | High | 7.2 | — | 2025-12-09 | A vulnerability exists in the SecOps SOAR server. |
CVE-2025-36916 | High | 7.0 | — | 2025-12-11 | In PrepareWorkloadBuffers of gxp_main_actor.cc, there is a possible double fetch due to a race condition. |
CVE-2025-48625 | High | 7.0 | — | 2025-12-08 | In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition. |
CVE-2025-48564 | High | 7.0 | — | 2025-12-08 | In multiple locations, there is a possible intent filter bypass due to a race condition. |
CVE-2025-36938 | Medium | 6.8 | — | 2025-12-11 | In U-Boot of append_uint32_le(), there is a possible fault injection due to a logic error in the code. |
CVE-2025-48618 | Medium | 6.8 | — | 2025-12-08 | In processLaunchBrowser of CommandParamsFactory.java, there is a possible browser interaction from the lockscreen due to improper locking. |
CVE-2025-36922 | Medium | 6.7 | — | 2025-12-11 | In bigo_map of bigo_iommu.c, there is a possible information disclosure due to a use after free. |
CVE-2025-32319 | Medium | 6.7 | — | 2025-12-08 | In ensureBound of RemotePrintService.java, there is a possible way for a background app to keep foreground permissions due to a permissions bypass. |
CVE-2025-22432 | Medium | 6.7 | — | 2025-12-08 | In notifyTimeout of CallRedirectionProcessor.java, there is a possible persistent connection due to improper input validation. |
CVE-2025-48598 | Medium | 6.6 | — | 2025-12-08 | In multiple locations, there is a possible way to alter the primary user's face unlock settings due to a confused deputy. |
CVE-2025-36917 | Medium | 6.5 | — | 2025-12-11 | In SwDcpItg of up_L2commonPdcpSecurity.cpp, there is a possible denial of service due to an incorrect bounds check. |
CVE-2025-36912 | Medium | 6.5 | — | 2025-12-11 | In cellular modem, there is a possible denial of service due to a logic error in the code. |
CVE-2025-48631 | Medium | 6.5 | — | 2025-12-08 | In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. |
CVE-2025-36929 | Medium | 5.5 | — | 2025-12-11 | In AreFencesRegistered of gxp_fence_manager.cc, there is a possible information leak due to improper input validation. |
CVE-2025-36921 | Medium | 5.5 | — | 2025-12-11 | In ProtocolPsUnthrottleApn() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. |
CVE-2025-36889 | Medium | 5.5 | — | 2025-12-11 | In onCreateTasks of CameraActivity.java, there is a possible permission bypass due to a confused deputy. |
CVE-2025-48608 | Medium | 5.5 | — | 2025-12-08 | In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. |
CVE-2025-48569 | Medium | 5.5 | — | 2025-12-08 | In multiple locations, there is a possible permanent denial of service due to resource exhaustion. |
CVE-2025-48633 | Medium | 5.5 | KEV | 2025-12-08 | In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. |
CVE-2025-48622 | Medium | 5.5 | — | 2025-12-08 | In ProcessArea of dng_misc_opcodes.cpp, there is a possible out of bounds read due to a buffer overflow. |
CVE-2025-48610 | Medium | 5.5 | — | 2025-12-08 | In __pkvm_guest_relinquish_to_host of mem_protect.c, there is a possible configuration data leak due to a logic error in the code. |
CVE-2025-48607 | Medium | 5.5 | — | 2025-12-08 | In multiple locations, there is a possible way to create a large amount of app ops due to a logic error in the code. |
CVE-2025-48604 | Medium | 5.5 | — | 2025-12-08 | In multiple locations, there is a possible way to read files from another user due to a missing permission check. |
CVE-2025-48603 | Medium | 5.5 | — | 2025-12-08 | In InputMethodInfo of InputMethodInfo.java, there is a possible permanent denial of service due to resource exhaustion. |
CVE-2025-48601 | Medium | 5.5 | — | 2025-12-08 | In multiple locations, there is a possible permanent denial of service due to improper input validation. |
CVE-2025-48600 | Medium | 5.5 | — | 2025-12-08 | In multiple files, there is a possible way to reveal information across users due to a missing permission check. |
CVE-2025-48591 | Medium | 5.5 | — | 2025-12-08 | In multiple locations, there is a possible way to read files from another user due to a missing permission check. |
CVE-2025-48590 | Medium | 5.5 | — | 2025-12-08 | In verifyAndGetBypass of AppOpsService.java, there is a possible method for a malicious app to prevent dialing emergency services under limited circumstances due to resource exhaustion. |
CVE-2025-48584 | Medium | 5.5 | — | 2025-12-08 | In multiple functions of NotificationManagerService.java, there is a possible way to bypass the per-package channel limits causing resource exhaustion. |
CVE-2025-48576 | Medium | 5.5 | — | 2025-12-08 | In updateNotificationChannelGroupFromPrivilegedListener of NotificationManagerService.java, there is a possible permanent denial of service due to resource exhaustion. |
CVE-2025-48614 | Medium | 4.6 | — | 2025-12-08 | In rebootWipeUserData of RecoverySystem.java, there is a possible way to factory reset the device while in DSU mode due to a missing permission check. |
N/a · 78 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65741 | Critical | 9.8 | — | 2025-12-09 | Sublime Text 3 Build 3208 or prior for MacOS is vulnerable to Dylib Injection. |
CVE-2025-65882 | Critical | 9.8 | — | 2025-12-09 | An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary comma… |
CVE-2025-63742 | Critical | 9.8 | — | 2025-12-09 | SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information, including administrator accounts, password hashes, database struct… |
CVE-2025-64081 | Critical | 9.8 | — | 2025-12-08 | SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter. |
CVE-2025-66430 | Critical | 9.1 | — | 2025-12-12 | Plesk 18.0 has Incorrect Access Control. |
CVE-2025-65849 | Critical | 9.1 | — | 2025-12-08 | A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via mathematical deduction. |
CVE-2025-56130 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua. |
CVE-2025-56129 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis.lua. |
CVE-2025-56127 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the get_wanobj in file /usr/lib/lua/luci/controller/admin/common.lua. |
CVE-2025-56123 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect… |
CVE-2025-56122 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. |
CVE-2025-56120 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. |
CVE-2025-56118 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. |
CVE-2025-56117 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. |
CVE-2025-56114 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. |
CVE-2025-56113 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. |
CVE-2025-56111 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the network_set_wan_conf in file /usr/lib/lua/luci/controller/admin/netport.lua. |
CVE-2025-56110 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua. |
CVE-2025-56109 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_wireless in file /usr/lib/lua/luci/control/admin/wireless.lua. |
CVE-2025-56108 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. |
CVE-2025-56107 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the submit_wifi in file /usr/lib/lua/luci/controller/admin/common_quick_config.lua. |
CVE-2025-56106 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. |
CVE-2025-56102 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. |
CVE-2025-56101 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. |
CVE-2025-56099 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-YST AP_3.0(1)B11P280YST250F allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. |
CVE-2025-56098 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. |
CVE-2025-56097 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. |
CVE-2025-56096 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua. |
CVE-2025-56095 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. |
CVE-2025-56094 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/host_access_delay.lua. |
CVE-2025-56093 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless.lua. |
CVE-2025-56092 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X30 PRO V1 X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. |
CVE-2025-56091 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. |
CVE-2025-56090 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retai… |
CVE-2025-56089 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. |
CVE-2025-56088 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_service in file /usr/lib/lua/luci/controller/admin/service.lua. |
CVE-2025-56087 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua. |
CVE-2025-56086 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConn… |
CVE-2025-56085 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_r… |
CVE-2025-56084 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. |
CVE-2025-56083 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_networkId_merge.lua. |
CVE-2025-56082 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common.lua. |
CVE-2025-56079 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. |
CVE-2025-56077 | High | 8.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. |
CVE-2025-8083 | High | 8.6 | — | 2025-12-12 | The Preset configuration https://v2.vuetifyjs.com/en/features/presets feature of Vuetify is vulnerable to Prototype Pollution https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html due to the int… |
CVE-2025-65594 | High | 8.1 | — | 2025-12-09 | OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. |
CVE-2025-56124 | High | 7.8 | — | 2025-12-11 | OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. |
CVE-2025-65512 | High | 7.5 | — | 2025-12-10 | A Server-Side Request Forgery (SSRF) vulnerability was discovered in the webpage-to-markdown conversion feature of markdownify-mcp v0.0.2 and before. |
CVE-2025-63094 | High | 7.5 | — | 2025-12-10 | XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. |
CVE-2025-65513 | High | 7.5 | — | 2025-12-09 | fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF), which allows attackers to bypass private IP validation and access internal network resources. |
CVE-2025-64086 | High | 7.5 | — | 2025-12-09 | A NULL pointer dereference vulnerability in the util.readFileIntoStream component of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
CVE-2025-64085 | High | 7.5 | — | 2025-12-09 | A NULL pointer dereference vulnerability in the importDataObject() function of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
CVE-2025-61258 | High | 7.5 | — | 2025-12-09 | Outsystems Platform Server 11.18.1.37828 allows attackers to cause a denial of service via a crafted content-length value mismatching the body length. |
CVE-2025-65795 | High | 7.5 | — | 2025-12-08 | Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request. |
CVE-2025-67818 | High | 7.2 | — | 2025-12-12 | An issue was discovered in Weaviate OSS before 1.33.4. |
CVE-2025-65363 | High | 7.2 | — | 2025-12-08 | Authenticated append-style command injection in Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root, enabling file disclosure, device disruption, and potential network pivoting via the co… |
CVE-2025-65815 | Medium | 6.5 | — | 2025-12-10 | A lack of security checks in the file import process of AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 allows attackers to execute a directory traversal. |
CVE-2025-52493 | Medium | 6.5 | — | 2025-12-10 | PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. |
CVE-2025-65804 | Medium | 6.5 | — | 2025-12-08 | Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE). |
CVE-2025-65797 | Medium | 6.5 | — | 2025-12-08 | Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Servi… |
CVE-2025-8082 | Medium | 6.3 | — | 2025-12-12 | Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss attack. |
CVE-2025-14518 | Medium | 6.3 | — | 2025-12-11 | A vulnerability was identified in PowerJob up to 5.1.2. |
CVE-2025-61078 | Medium | 6.1 | — | 2025-12-09 | Cross-site scripting (XSS) vulnerability in Request IP form in phpIPAM v1.7.3 allows remote attackers to inject arbitrary web script or HTML via the instructions parameter for the /app/admin/instructions/edit-result.php endpoint. |
CVE-2025-63737 | Medium | 6.1 | — | 2025-12-09 | Cross-site scripting (XSS) vulnerability in function urltestAction in file cliAction.php in Xinhu Rainrock RockOA 2.7.0 allows remote attackers to inject arbitrary web script or HTML via the m parameter to the task.php endpoint. |
CVE-2025-14284 | Medium | 6.1 | — | 2025-12-09 | Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. |
CVE-2025-65798 | Medium | 5.4 | — | 2025-12-08 | Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users. |
CVE-2025-67819 | Medium | 4.9 | — | 2025-12-12 | An issue was discovered in Weaviate OSS before 1.33.4. |
CVE-2025-67342 | Medium | 4.6 | — | 2025-12-12 | RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. |
CVE-2025-64011 | Medium | 4.3 | — | 2025-12-12 | Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. |
CVE-2025-63740 | Medium | 4.3 | — | 2025-12-09 | SQL Injection vulnerability in function getselectdataAjax in file inputAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and othe… |
CVE-2025-63739 | Medium | 4.3 | — | 2025-12-09 | An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing authenticated users to modify PHP configuration files via the a parameter to the index… |
CVE-2025-63738 | Medium | 4.3 | — | 2025-12-09 | An issue was discovered in file index.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information via phpinfo via the a parameter to the index.php. |
CVE-2025-65799 | Medium | 4.3 | — | 2025-12-08 | A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal. |
CVE-2025-65796 | Medium | 4.3 | — | 2025-12-08 | Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos. |
CVE-2025-14580 | Low | 3.5 | — | 2025-12-12 | A security vulnerability has been detected in Qualitor up to 8.24.73. |
CVE-2025-65228 | Low | 3.5 | — | 2025-12-08 | A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. |
CVE-2025-60912 | Low | 3.3 | — | 2025-12-08 | phpIPAM v1.7.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the database export functionality. |
CVE-2025-14244 | Low | 2.4 | — | 2025-12-08 | A flaw has been found in GreenCMS 2.3.0603. |
Apple · 48 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43539 | High | 8.8 | — | 2025-12-12 | The issue was addressed with improved bounds checks. |
CVE-2025-46285 | High | 7.8 | — | 2025-12-12 | An integer overflow was addressed by adopting 64-bit timestamps. |
CVE-2025-43527 | High | 7.8 | — | 2025-12-12 | A permissions issue was addressed with additional restrictions. |
CVE-2025-43512 | High | 7.8 | — | 2025-12-12 | A logic issue was addressed with improved checks. |
CVE-2025-43510 | High | 7.8 | KEV | 2025-12-12 | A memory corruption issue was addressed with improved lock state checking. |
CVE-2025-43467 | High | 7.8 | — | 2025-12-12 | This issue was addressed with improved checks. |
CVE-2025-43402 | High | 7.8 | — | 2025-12-12 | The issue was addressed with improved memory handling. |
CVE-2025-43320 | High | 7.8 | — | 2025-12-12 | The issue was addressed by adding additional logic. |
CVE-2025-43542 | High | 7.5 | — | 2025-12-12 | This issue was addressed with improved state management. |
CVE-2025-43506 | High | 7.5 | — | 2025-12-12 | A logic error was addressed with improved error handling. |
CVE-2025-43494 | High | 7.5 | — | 2025-12-12 | A mail header parsing issue was addressed with improved checks. |
CVE-2025-46287 | Medium | 6.5 | — | 2025-12-12 | An inconsistent user interface issue was addressed with improved state management. |
CVE-2025-43511 | Medium | 6.5 | — | 2025-12-12 | A use-after-free issue was addressed with improved memory management. |
CVE-2025-43464 | Medium | 6.5 | — | 2025-12-12 | A denial-of-service issue was addressed with improved input validation. |
CVE-2025-46289 | Medium | 5.5 | — | 2025-12-12 | A logic issue was addressed with improved file handling. |
CVE-2025-46276 | Medium | 5.5 | — | 2025-12-12 | An information disclosure issue was addressed with improved privacy controls. |
CVE-2025-43538 | Medium | 5.5 | — | 2025-12-12 | A logging issue was addressed with improved data redaction. |
CVE-2025-43530 | Medium | 5.5 | — | 2025-12-12 | This issue was addressed with improved checks. |
CVE-2025-43523 | Medium | 5.5 | — | 2025-12-12 | A permissions issue was addressed with additional restrictions. |
CVE-2025-43521 | Medium | 5.5 | — | 2025-12-12 | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. |
CVE-2025-43520 | Medium | 5.5 | KEV | 2025-12-12 | A memory corruption issue was addressed with improved memory handling. |
CVE-2025-43519 | Medium | 5.5 | — | 2025-12-12 | A permissions issue was addressed with additional restrictions. |
CVE-2025-43513 | Medium | 5.5 | — | 2025-12-12 | A permissions issue was addressed by removing the vulnerable code. |
CVE-2025-43509 | Medium | 5.5 | — | 2025-12-12 | This issue was addressed with improved data protection. |
CVE-2025-43482 | Medium | 5.5 | — | 2025-12-12 | The issue was addressed with improved input validation. |
CVE-2025-43473 | Medium | 5.5 | — | 2025-12-12 | This issue was addressed with improved state management. |
CVE-2025-43471 | Medium | 5.5 | — | 2025-12-12 | The issue was addressed with improved checks. |
CVE-2025-43470 | Medium | 5.5 | — | 2025-12-12 | A permissions issue was addressed with additional restrictions. |
CVE-2025-43466 | Medium | 5.5 | — | 2025-12-12 | An injection issue was addressed with improved validation. |
CVE-2025-43465 | Medium | 5.5 | — | 2025-12-12 | A parsing issue in the handling of directory paths was addressed with improved path validation. |
CVE-2025-43463 | Medium | 5.5 | — | 2025-12-12 | A parsing issue in the handling of directory paths was addressed with improved path validation. |
CVE-2025-43461 | Medium | 5.5 | — | 2025-12-12 | This issue was addressed with improved validation of symlinks. |
CVE-2025-43416 | Medium | 5.5 | — | 2025-12-12 | A logic issue was addressed with improved restrictions. |
CVE-2025-43406 | Medium | 5.5 | — | 2025-12-12 | A logic issue was addressed with improved restrictions. |
CVE-2025-43388 | Medium | 5.5 | — | 2025-12-12 | An injection issue was addressed with improved validation. |
CVE-2025-43381 | Medium | 5.5 | — | 2025-12-12 | This issue was addressed with improved handling of symlinks. |
CVE-2025-43351 | Medium | 5.5 | — | 2025-12-12 | A permissions issue was addressed with additional restrictions. |
CVE-2025-12843 | Medium | 5.5 | — | 2025-12-12 | Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. |
CVE-2025-43497 | Medium | 5.2 | — | 2025-12-12 | An access issue was addressed with additional sandbox restrictions. |
CVE-2025-43393 | Medium | 5.2 | — | 2025-12-12 | A permissions issue was addressed with additional sandbox restrictions. |
CVE-2025-43522 | Low | 3.3 | — | 2025-12-12 | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. |
CVE-2025-43518 | Low | 3.3 | — | 2025-12-12 | A logic issue was addressed with improved checks. |
CVE-2025-43517 | Low | 3.3 | — | 2025-12-12 | A privacy issue was addressed with improved private data redaction for log entries. |
CVE-2025-43516 | Low | 3.3 | — | 2025-12-12 | A session management issue was addressed with improved checks. |
CVE-2025-43437 | Low | 3.3 | — | 2025-12-12 | An information disclosure issue was addressed with improved privacy controls. |
CVE-2025-43404 | Low | 3.3 | — | 2025-12-12 | A permissions issue was addressed with additional sandbox restrictions. |
CVE-2025-43532 | Low | 2.8 | — | 2025-12-12 | A memory corruption issue was addressed with improved bounds checking. |
CVE-2025-43410 | Low | 2.4 | — | 2025-12-12 | The issue was addressed with improved handling of caches. |
Mailenable · 25 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34428 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. |
CVE-2025-34427 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. |
CVE-2025-34424 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34423 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34422 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34421 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34420 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34419 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34418 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34417 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34416 | High | 7.8 | — | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34396 | High | 7.3 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. |
CVE-2025-34425 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx. |
CVE-2025-34409 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. |
CVE-2025-34408 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Added parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. |
CVE-2025-34407 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the theme parameter of /Mondo/lang/sys/Forms/Statistics.aspx. |
CVE-2025-34406 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Id parameter of /Mobile/ContactDetails.aspx. |
CVE-2025-34404 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. |
CVE-2025-34403 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. |
CVE-2025-34402 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. |
CVE-2025-34401 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. |
CVE-2025-34400 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. |
CVE-2025-34399 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. |
CVE-2025-34398 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. |
CVE-2025-34397 | Medium | 6.1 | — | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Message parameter of /Mobile/Compose.aspx. |
Siemens · 22 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-56835 | High | 8.8 | — | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM… |
CVE-2025-40937 | High | 8.3 | — | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). |
CVE-2025-40938 | High | 8.1 | — | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). |
CVE-2025-40801 | High | 8.1 | — | 2025-12-09 | A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as… |
CVE-2025-40829 | High | 7.8 | — | 2025-12-12 | A vulnerability has been identified in Simcenter Femap (All versions < V2512). |
CVE-2025-40820 | High | 7.5 | — | 2025-12-09 | Affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. |
CVE-2024-56836 | High | 7.5 | — | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM… |
CVE-2025-40800 | High | 7.4 | — | 2025-12-09 | A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcen… |
CVE-2024-56840 | High | 7.2 | — | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM… |
CVE-2024-56839 | High | 7.2 | — | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM… |
CVE-2024-56838 | High | 7.2 | — | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM… |
CVE-2024-56837 | High | 7.2 | — | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM… |
CVE-2025-40830 | Medium | 6.7 | — | 2025-12-09 | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0). |
CVE-2025-40831 | Medium | 6.5 | — | 2025-12-09 | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0). |
CVE-2025-40807 | Medium | 6.3 | — | 2025-12-09 | A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). |
CVE-2025-40806 | Medium | 5.3 | — | 2025-12-09 | A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). |
CVE-2025-40940 | Medium | 4.9 | — | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). |
CVE-2025-40939 | Medium | 4.6 | — | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). |
CVE-2025-40941 | Medium | 4.3 | — | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). |
CVE-2025-40935 | Medium | 4.3 | — | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.1), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.1), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.1), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.1)… |
CVE-2025-40819 | Medium | 4.3 | — | 2025-12-09 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). |
CVE-2025-40818 | Low | 3.3 | — | 2025-12-09 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). |
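The CVE-2025-40820 row above says the affected products accept TCP sequence numbers "within a broad range" instead of enforcing the receive window. The following is an added example, not Siemens code, showing the RFC 793 acceptability test next to a deliberately loose policy (an assumed stand-in for the unspecified "broad range": anything up to half the sequence space ahead of RCV.NXT is accepted). A blind attacker who cannot observe RCV.NXT has to sweep the 32-bit ring; the probe counts returned by `probes_until_accepted` show how the loose policy collapses that search. The receiver state and probe strides are constructed values.

```python
"""TCP segment acceptance: RFC 793 receive-window test beside a loose policy.
Added example for the CVE-2025-40820 class; not Siemens code."""

SEQ_MOD = 1 << 32  # sequence numbers live in a 32-bit ring


def seq_in_window(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 section 3.3 acceptability test with wraparound.

    A segment is acceptable when its first or last byte falls inside
    [RCV.NXT, RCV.NXT + RCV.WND). A zero-length segment is judged on
    SEG.SEQ alone, and a closed window only accepts SEG.SEQ == RCV.NXT.
    """
    first = (seg_seq - rcv_nxt) % SEQ_MOD
    if rcv_wnd == 0:
        return seg_len == 0 and first == 0
    if seg_len == 0:
        return first < rcv_wnd
    last = (seg_seq + seg_len - 1 - rcv_nxt) % SEQ_MOD
    return first < rcv_wnd or last < rcv_wnd


def seq_loosely_accepted(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """Assumed weak policy standing in for the page's 'broad range': any
    sequence number up to half the ring ahead of RCV.NXT is accepted and
    the advertised window is ignored entirely."""
    return (seg_seq - rcv_nxt) % SEQ_MOD < SEQ_MOD // 2


def probes_until_accepted(policy, rcv_nxt, rcv_wnd, stride, seg_len=0):
    """Blind attacker who cannot see RCV.NXT sweeps the ring from 0 with a
    fixed stride (stride == acceptance width covers the ring in the fewest
    probes). Returns the 1-based probe number at which the receiver first
    accepts a segment, or None if the sweep never lands in the accepted set."""
    max_probes = -(-SEQ_MOD // stride)  # ceiling division
    for k in range(max_probes):
        if policy((k * stride) % SEQ_MOD, seg_len, rcv_nxt, rcv_wnd):
            return k + 1
    return None


if __name__ == "__main__":
    nxt, wnd = 0x12345678, 65536  # constructed receiver state
    print("RFC 793 window, stride = window:",
          probes_until_accepted(seq_in_window, nxt, wnd, wnd))
    print("loose policy,   stride = 2^31:  ",
          probes_until_accepted(seq_loosely_accepted, nxt, wnd, SEQ_MOD // 2))
```

With a 64 KiB window the blind sweep against the RFC 793 check needs thousands of probes before one lands in the window, whereas the loose policy is hit on the second probe; that gap is what turns blind RST or data injection from a noisy, detectable flood into a handful of packets. RFC 5961 tightens this further for RST and SYN segments, but the window check is the baseline the affected products are described as missing.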
Fortinet · 18 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59719 | Critical | 9.8 | — | 2025-12-09 | An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authenticatio… |
CVE-2025-59718 | Critical | 9.8 | KEV | 2025-12-09 | An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7… |
CVE-2025-60024 | High | 8.8 | — | 2025-12-09 | Multiple improper limitation of a pathname to a restricted directory ('path traversal') vulnerabilities [CWE-22] in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 may allow a privileged authenticated… |
CVE-2025-64447 | High | 8.1 | — | 2025-12-09 | A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0… |
CVE-2025-64156 | High | 7.2 | — | 2025-12-09 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may… |
CVE-2025-64153 | High | 7.2 | — | 2025-12-09 | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions m… |
CVE-2025-53949 | High | 7.2 | — | 2025-12-09 | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all version… |
CVE-2025-53679 | High | 7.2 | — | 2025-12-09 | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all version… |
CVE-2025-59808 | Medium | 6.8 | — | 2025-12-09 | An unverified password change vulnerability [CWE-620] in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise… |
CVE-2025-54838 | Medium | 6.8 | — | 2025-12-09 | An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests. |
CVE-2024-47570 | Medium | 6.6 | — | 2025-12-09 | An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all ver… |
CVE-2025-59810 | Medium | 6.5 | — | 2025-12-09 | An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiS… |
CVE-2024-40593 | Medium | 6.0 | — | 2025-12-11 | A key management error vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 th… |
CVE-2025-62631 | Medium | 5.6 | — | 2025-12-09 | An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to maintain access to network resources via an… |
CVE-2025-54353 | Medium | 5.4 | — | 2025-12-09 | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, For… |
CVE-2025-64471 | Medium | 4.9 | — | 2025-12-09 | A use of password hash instead of password for authentication vulnerability [CWE-836] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, Forti… |
CVE-2025-59923 | Low | 2.7 | — | 2025-12-09 | An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker… |
CVE-2025-57823 | Low | 2.7 | — | 2025-12-09 | A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated… |
Huawei · 16 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66328 | High | 8.4 | — | 2025-12-08 | Multi-thread race condition vulnerability in the network management module. |
CVE-2025-66324 | High | 8.4 | — | 2025-12-08 | Input verification vulnerability in the compression and decompression module. Impact: Successful exploitation of this vulnerability may affect app data integrity. |
CVE-2025-66327 | High | 7.1 | — | 2025-12-08 | Race condition vulnerability in the network module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
CVE-2025-66326 | Medium | 6.7 | — | 2025-12-08 | Race condition vulnerability in the audio module. |
CVE-2025-66325 | Medium | 6.2 | — | 2025-12-08 | Permission control vulnerability in the package management module. |
CVE-2025-66323 | Medium | 5.3 | — | 2025-12-08 | Vulnerability of improper criterion security check in the card module. |
CVE-2025-66322 | Medium | 5.1 | — | 2025-12-08 | Multi-thread race condition vulnerability in the camera framework module. |
CVE-2025-66321 | Medium | 5.1 | — | 2025-12-08 | Multi-thread race condition vulnerability in the camera framework module. |
CVE-2025-66320 | Medium | 5.1 | — | 2025-12-08 | Multi-thread race condition vulnerability in the camera framework module. |
CVE-2025-66330 | Medium | 4.9 | — | 2025-12-08 | App lock verification bypass vulnerability in the file management app. |
CVE-2025-58279 | Medium | 4.4 | — | 2025-12-08 | Permission control vulnerability in the media library module. |
CVE-2025-66329 | Medium | 4.0 | — | 2025-12-08 | Permission control vulnerability in the window management module. |
CVE-2025-66334 | Low | 3.3 | — | 2025-12-08 | Denial of service (DoS) vulnerability in the office service. |
CVE-2025-66333 | Low | 3.3 | — | 2025-12-08 | Denial of service (DoS) vulnerability in the office service. |
CVE-2025-66332 | Low | 3.3 | — | 2025-12-08 | Denial of service (DoS) vulnerability in the office service. |
CVE-2025-66331 | Low | 3.3 | — | 2025-12-08 | Denial of service (DoS) vulnerability in the office service. |
Code-projects · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14537 | High | 7.3 | — | 2025-12-11 | A weakness has been identified in code-projects Class and Exam Timetable Management 1.0. |
CVE-2025-14536 | High | 7.3 | — | 2025-12-11 | A security flaw has been discovered in code-projects Class and Exam Timetable Management 1.0. |
CVE-2025-14285 | High | 7.3 | — | 2025-12-09 | A vulnerability was found in code-projects Employee Profile Management System 1.0. |
CVE-2025-14251 | High | 7.3 | — | 2025-12-08 | A security vulnerability has been detected in code-projects Online Ordering System 1.0. |
CVE-2025-14250 | High | 7.3 | — | 2025-12-08 | A weakness has been identified in code-projects Online Ordering System 1.0. |
CVE-2025-14249 | High | 7.3 | — | 2025-12-08 | A security flaw has been discovered in code-projects Online Ordering System 1.0. |
CVE-2025-14248 | High | 7.3 | — | 2025-12-08 | A vulnerability was identified in code-projects Simple Shopping Cart 1.0. |
CVE-2025-14218 | High | 7.3 | — | 2025-12-08 | A security flaw has been discovered in code-projects Currency Exchange System 1.0. |
CVE-2025-14217 | High | 7.3 | — | 2025-12-08 | A vulnerability was identified in code-projects Currency Exchange System 1.0. |
CVE-2025-14216 | High | 7.3 | — | 2025-12-08 | A vulnerability was determined in code-projects Currency Exchange System 1.0. |
CVE-2025-14215 | High | 7.3 | — | 2025-12-08 | A vulnerability was found in code-projects Currency Exchange System 1.0. |
CVE-2025-14247 | Medium | 6.3 | — | 2025-12-08 | A vulnerability was determined in code-projects Simple Shopping Cart 1.0. |
CVE-2025-14246 | Medium | 6.3 | — | 2025-12-08 | A vulnerability was found in code-projects Simple Shopping Cart 1.0. |
CVE-2025-14205 | Low | 2.4 | — | 2025-12-08 | A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. |
IBM · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13481 | High | 8.8 | — | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input. |
CVE-2025-13148 | High | 8.1 | — | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to change the password of another user without prior knowledge of that password. |
CVE-2025-13214 | High | 7.6 | — | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. |
CVE-2025-36140 | Medium | 6.5 | — | 2025-12-08 | IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits. |
CVE-2025-64650 | Medium | 6.5 | — | 2025-12-08 | IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files. |
CVE-2025-36017 | Medium | 6.5 | — | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user. |
CVE-2025-36015 | Medium | 6.5 | — | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input. |
CVE-2025-12635 | Medium | 5.4 | — | 2025-12-08 | IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. |
CVE-2025-13211 | Medium | 5.3 | — | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency. |
CVE-2025-12832 | Medium | 4.6 | — | 2025-12-08 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). |
CVE-2025-36437 | Medium | 4.3 | — | 2025-12-09 | IBM Planning Analytics Local 2.1.0 - 2.1.15 could disclose sensitive information about server architecture that could aid in further attacks against the system. |
CVE-2025-33111 | Medium | 4.3 | — | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race con… |
CVE-2024-56464 | Low | 2.7 | — | 2025-12-09 | IBM QRadar SIEM 7.5 - 7.5.0 UP14 IF01 is affected by an information disclosure vulnerability involving exposure of directory information. |
CVE-2025-36102 | Low | 2.7 | — | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-… |
Phoenix Contact · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41752 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking a link provided by the attacker in order to change parameters available via web based management (WBM). |
CVE-2025-41751 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking a link provided by the attacker in order to change parameters available via web based management (WBM). |
CVE-2025-41750 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking a link provided by the attacker in order to change parameters available via web based management (WBM). |
CVE-2025-41749 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking a link provided by the attacker in order to change parameters available via web based management (WBM). |
CVE-2025-41748 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking a link provided by the attacker in order to change parameters available via web based management (WBM). |
CVE-2025-41747 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management… |
CVE-2025-41746 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management (… |
CVE-2025-41745 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management (W… |
CVE-2025-41695 | High | 7.1 | — | 2025-12-09 | An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management (WBM). |
CVE-2025-41697 | Medium | 6.8 | — | 2025-12-09 | An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. |
CVE-2025-41692 | Medium | 6.8 | — | 2025-12-09 | A high privileged remote attacker with admin privileges for the webUI can brute-force the "root" and "user" passwords of the underlying OS due to a weak password generation algorithm. |
CVE-2025-41694 | Medium | 6.5 | — | 2025-12-09 | A low privileged remote attacker can run the webshell with an empty command containing whitespace. |
CVE-2025-41696 | Medium | 4.6 | — | 2025-12-09 | An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. |
CVE-2025-41693 | Medium | 4.3 | — | 2025-12-09 | A low privileged remote attacker can use the ssh feature to execute commands directly after login. |
Meatmeet · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65826 | Critical | 9.8 | — | 2025-12-10 | The mobile application was found to contain stored credentials for the network it was developed on. |
CVE-2025-65823 | Critical | 9.8 | — | 2025-12-10 | The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. |
CVE-2025-65820 | Critical | 9.8 | — | 2025-12-10 | An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0. |
CVE-2025-65830 | Critical | 9.1 | — | 2025-12-10 | Due to a lack of certificate validation, all traffic from the mobile application can be intercepted. |
CVE-2025-65827 | Critical | 9.1 | — | 2025-12-10 | The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. |
CVE-2025-65824 | High | 8.8 | — | 2025-12-10 | An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware on the device being overwritten with the attack… |
CVE-2025-65831 | High | 7.5 | — | 2025-12-10 | The application uses an insecure hashing algorithm (MD5) to hash passwords. |
CVE-2025-65821 | High | 7.5 | — | 2025-12-10 | As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive information such as details about the current and previous Wi-Fi network from the N… |
CVE-2025-65829 | Medium | 6.8 | — | 2025-12-10 | The ESP32 system on a chip (SoC) that powers the Meatmeet basestation device was found to lack Secure Boot. |
CVE-2025-65822 | Medium | 6.8 | — | 2025-12-10 | The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. |
CVE-2025-65828 | Medium | 6.5 | — | 2025-12-10 | An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetooth Low Energy (BLE) to these devices which would result in a Denial of Service. |
CVE-2025-65832 | Medium | 4.6 | — | 2025-12-10 | The mobile application insecurely handles information stored within memory. |
CVE-2025-65825 | Medium | 4.6 | — | 2025-12-10 | The firmware on the basestation of the Meatmeet is not encrypted. |
Mozilla · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14330 | Critical | 9.8 | — | 2025-12-09 | JIT miscompilation in the JavaScript Engine: JIT component. |
CVE-2025-14326 | Critical | 9.8 | — | 2025-12-09 | Use-after-free in the Audio/Video: GMP component. |
CVE-2025-14324 | Critical | 9.8 | — | 2025-12-09 | JIT miscompilation in the JavaScript Engine: JIT component. |
CVE-2025-14321 | Critical | 9.8 | — | 2025-12-09 | Use-after-free in the WebRTC: Signaling component. |
CVE-2025-14329 | High | 8.8 | — | 2025-12-09 | Privilege escalation in the Netmonitor component. |
CVE-2025-14328 | High | 8.8 | — | 2025-12-09 | Privilege escalation in the Netmonitor component. |
CVE-2025-14323 | High | 8.8 | — | 2025-12-09 | Privilege escalation in the DOM: Notifications component. |
CVE-2025-14333 | High | 8.1 | — | 2025-12-09 | Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. |
CVE-2025-14322 | High | 8.0 | — | 2025-12-09 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. |
CVE-2025-14327 | High | 7.5 | — | 2025-12-09 | Spoofing issue in the Downloads Panel component. |
CVE-2025-14332 | High | 7.3 | — | 2025-12-09 | Memory safety bugs present in Firefox 145 and Thunderbird 145. |
CVE-2025-14325 | High | 7.3 | — | 2025-12-09 | JIT miscompilation in the JavaScript Engine: JIT component. |
CVE-2025-14331 | Medium | 6.5 | — | 2025-12-09 | Same-origin policy bypass in the Request Handling component. |
Angeljudesuarez · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14585 | High | 7.3 | — | 2025-12-12 | A vulnerability was found in itsourcecode COVID Tracking System 1.0. |
CVE-2025-14584 | High | 7.3 | — | 2025-12-12 | A vulnerability has been found in itsourcecode COVID Tracking System 1.0. |
CVE-2025-14578 | High | 7.3 | — | 2025-12-12 | A weakness has been identified in itsourcecode Student Management System 1.0. |
CVE-2025-14337 | High | 7.3 | — | 2025-12-09 | A vulnerability was determined in itsourcecode Student Management System 1.0. |
CVE-2025-14336 | High | 7.3 | — | 2025-12-09 | A vulnerability was found in itsourcecode Student Management System 1.0. |
CVE-2025-14335 | High | 7.3 | — | 2025-12-09 | A vulnerability has been found in itsourcecode Student Management System 1.0. |
CVE-2025-14334 | High | 7.3 | — | 2025-12-09 | A flaw has been found in itsourcecode Student Management System 1.0. |
CVE-2025-14258 | High | 7.3 | — | 2025-12-08 | A vulnerability has been found in itsourcecode Student Management System 1.0. |
CVE-2025-14257 | High | 7.3 | — | 2025-12-08 | A flaw has been found in itsourcecode Student Management System 1.0. |
CVE-2025-14256 | High | 7.3 | — | 2025-12-08 | A vulnerability was detected in itsourcecode Student Management System 1.0. |
CVE-2025-14226 | High | 7.3 | — | 2025-12-08 | A vulnerability was identified in itsourcecode Student Management System 1.0. |
CVE-2025-14214 | Medium | 6.3 | — | 2025-12-08 | A vulnerability has been found in itsourcecode Student Information System 1.0. |
SAP SE · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-42880 | Critical | 9.9 | — | 2025-12-09 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. |
CVE-2025-42928 | Critical | 9.1 | — | 2025-12-09 | Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. |
CVE-2025-42878 | High | 8.2 | — | 2025-12-09 | SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. |
CVE-2025-42874 | High | 7.9 | — | 2025-12-09 | SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. |
CVE-2025-42877 | High | 7.5 | — | 2025-12-09 | SAP Web Dispatcher, Internet Communication Manager (ICM), and SAP Content Server allow an unauthenticated user to exploit logical errors that lead to a memory corruption vulnerability. |
CVE-2025-42876 | High | 7.1 | — | 2025-12-09 | Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify docume… |
CVE-2025-42875 | Medium | 6.6 | — | 2025-12-09 | The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact… |
CVE-2025-42904 | Medium | 6.5 | — | 2025-12-09 | Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. |
CVE-2025-42872 | Medium | 6.1 | — | 2025-12-09 | Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users' browsers, allowing the attacker to steal session c… |
CVE-2025-42873 | Medium | 5.9 | — | 2025-12-09 | SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. |
CVE-2025-42891 | Medium | 5.5 | — | 2025-12-09 | Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. |
CVE-2025-42896 | Medium | 5.4 | — | 2025-12-09 | SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. |
GitLab · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12716 | High | 8.7 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actio… |
CVE-2025-12029 | High | 8.0 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorize… |
CVE-2025-8405 | High | 7.7 | — | 2025-12-11 | GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of ot… |
CVE-2025-12562 | High | 7.5 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending c… |
CVE-2025-11984 | Medium | 6.8 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipul… |
CVE-2025-4097 | Medium | 6.5 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading sp… |
CVE-2025-14157 | Medium | 6.5 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafte… |
CVE-2025-11247 | Medium | 4.3 | — | 2025-12-11 | GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by… |
CVE-2025-13978 | Medium | 4.3 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not h… |
CVE-2025-12734 | Low | 3.5 | — | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs… |
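The affected-version clauses in the Fortinet rows above (for example CVE-2025-59718 and CVE-2025-62631) and in the GitLab rows (for example CVE-2025-12029) follow two different grammars, and both are easy to misread when triaging by hand: Fortinet's "a.b.c through a.b.d" is inclusive at both ends and "a.b all versions" covers a whole branch, while GitLab's "from X before Y" has an inclusive lower bound, an exclusive upper bound, and a first range that usually reaches back several major versions. The following is an added example, not vendor code, that turns those clauses into a check against a deployed version. The regexes are assumptions fitted to the wording visible on this page (product-prefixed clauses only), and the sample texts are the page's truncated summaries, so a real check must be run on the full advisory text, where the list continues past the cut.

```python
"""Version-affectedness check for Fortinet 'through / all versions' clauses and
GitLab 'from X before Y' clauses. Added example; not Fortinet or GitLab code."""
import re

# Constructed from the visible part of CVE-2025-59718. The page cuts the list
# off after "FortiProxy 7…", so later products and branches are absent here.
FORTINET_59718 = (
    "An improper verification of cryptographic signature vulnerability in Fortinet "
    "FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 "
    "through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3"
)
# Constructed from CVE-2025-62631: one exact version plus three whole branches.
FORTINET_62631 = (
    "An insufficient session expiration vulnerability [CWE-613] in Fortinet "
    "FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, "
    "FortiOS 6.4 all versions"
)
# Constructed from the visible part of CVE-2025-12029.
GITLAB_12029 = (
    "GitLab has remediated an issue in GitLab CE/EE affecting all versions from "
    "15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2"
)

_VER = r"\d+(?:\.\d+)*"
# Fortinet: "<Product> a.b.c through a.b.d" | "<Product> a.b all versions" | "<Product> a.b.c"
FORTINET_CLAUSE = re.compile(
    rf"(Forti[A-Za-z]+(?: PaaS| on-premise)?) ({_VER})(?: through ({_VER})| (all versions))?"
)
# GitLab: "[from] a.b before a.b.c"  (lower bound inclusive, upper bound exclusive)
GITLAB_CLAUSE = re.compile(rf"({_VER}) before ({_VER})")


def vtuple(version):
    """'7.4.10' -> (7, 4, 10); tuple ordering gives correct numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def fortinet_clauses(text):
    """Return (product, lo, hi, kind) per clause; hi is None unless kind == 'through'."""
    clauses = []
    for m in FORTINET_CLAUSE.finditer(text):
        product, lo, hi, all_versions = m.groups()
        kind = "through" if hi else ("branch" if all_versions else "exact")
        clauses.append((product, vtuple(lo), vtuple(hi) if hi else None, kind))
    return clauses


def fortinet_affected(text, product, version):
    """True if `version` of `product` falls inside any clause of the summary."""
    v = vtuple(version)
    for prod, lo, hi, kind in fortinet_clauses(text):
        if prod != product:
            continue
        if kind == "through" and lo <= v <= hi:        # both ends inclusive
            return True
        if kind == "branch" and v[:len(lo)] == lo:      # whole a.b branch
            return True
        if kind == "exact" and v == lo:
            return True
    return False


def gitlab_affected(text, version):
    """True if `version` lies in any [lo, hi) range of the summary."""
    v = vtuple(version)
    return any(vtuple(lo) <= v < vtuple(hi) for lo, hi in GITLAB_CLAUSE.findall(text))


if __name__ == "__main__":
    for ver in ("7.4.8", "7.4.9"):
        print("FortiOS", ver, "affected by CVE-2025-59718:",
              fortinet_affected(FORTINET_59718, "FortiOS", ver))
    for ver in ("17.0.0", "18.4.6", "18.5.3"):
        print("GitLab", ver, "affected by CVE-2025-12029:",
              gitlab_affected(GITLAB_12029, ver))
```

Two things the check makes explicit that a skim of the table does not: for CVE-2025-59718 a FortiOS 7.4.8 build is still affected (the fix lands at 7.4.9), and for CVE-2025-12029 a GitLab 17.x instance is affected even though the headline ranges all mention 18.x, because the first range starts at 15.11.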
GroupSession · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65120 | Medium | 6.1 | — | 2025-12-12 | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. |
CVE-2025-57883 | Medium | 6.1 | — | 2025-12-12 | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. |
CVE-2025-54407 | Medium | 6.1 | — | 2025-12-12 | Stored cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. |
CVE-2025-66284 | Medium | 5.4 | — | 2025-12-12 | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. |
CVE-2025-62192 | Medium | 5.4 | — | 2025-12-12 | SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. |
CVE-2025-53523 | Medium | 5.4 | — | 2025-12-12 | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. |
CVE-2025-61987 | Medium | 5.3 | — | 2025-12-12 | GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. |
CVE-2025-64781 | Medium | 4.7 | — | 2025-12-12 | In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration. |
CVE-2025-61950 | Medium | 4.3 | — | 2025-12-12 | In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. |
CVE-2025-58576 | Medium | 4.3 | — | 2025-12-12 | Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. |
Teamviewer · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-64989 | High | 7.2 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction prior V21.1. |
CVE-2025-64988 | High | 7.2 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-GetCmContentLocations instruction prior V19.2. |
CVE-2025-64987 | High | 7.2 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-CheckSimpleIoC instruction. |
CVE-2025-64986 | High | 7.2 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-DevicesListeningOnAPort instruction prior V21. |
CVE-2025-64993 | Medium | 6.8 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-ConfigMgrConsoleExtensions instructions. |
CVE-2025-64992 | Medium | 6.8 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior V25. |
CVE-2025-64991 | Medium | 6.8 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-PatchInsights-Deploy instruction prior V15. |
CVE-2025-64990 | Medium | 6.8 | — | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-LogoffUser instruction prior V21.1. |
CVE-2025-64995 | Medium | 6.5 | — | 2025-12-11 | A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. |
CVE-2025-64994 | Medium | 6.5 | — | 2025-12-11 | A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. |
Jenkins · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67635 | High | 7.5 | — | 2025-12-10 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service. |
CVE-2025-67641 | Medium | 5.4 | — | 2025-12-10 | Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Confi… |
CVE-2025-67640 | Medium | 5.0 | — | 2025-12-10 | Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace dire… |
CVE-2025-67643 | Medium | 4.3 | — | 2025-12-10 | Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permissio… |
CVE-2025-67642 | Medium | 4.3 | — | 2025-12-10 | Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they ar… |
CVE-2025-67638 | Medium | 4.3 | — | 2025-12-10 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-67637 | Medium | 4.3 | — | 2025-12-10 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkin… |
CVE-2025-67636 | Medium | 4.3 | — | 2025-12-10 | A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. |
CVE-2025-67639 | Low | 3.5 | — | 2025-12-10 | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account. |
Unknown · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-14010 | Critical | 9.8 | — | 2025-12-12 | Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. |
CVE-2025-12835 | High | 7.3 | — | 2025-12-12 | The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server. |
CVE-2025-13073 | High | 7.1 | — | 2025-12-10 | The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such… |
CVE-2025-13072 | High | 7.1 | — | 2025-12-10 | The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such… |
CVE-2025-13071 | High | 7.1 | — | 2025-12-09 | The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
CVE-2025-13070 | Medium | 6.6 | — | 2025-12-09 | The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks. |
CVE-2025-13031 | Medium | 5.9 | — | 2025-12-09 | The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. |
CVE-2025-12841 | Medium | 5.3 | — | 2025-12-12 | The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options. |
CVE-2025-10684 | Medium | 4.3 | — | 2025-12-12 | The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary . |
Apache · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-54947 | Critical | 9.8 | — | 2025-12-12 | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. |
CVE-2025-58130 | Critical | 9.1 | — | 2025-12-12 | Insufficiently Protected Credentials vulnerability in Apache Fineract. |
CVE-2025-26866 | High | 8.8 | — | 2025-12-12 | A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. |
CVE-2025-66675 | High | 8.2 | — | 2025-12-10 | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. |
CVE-2025-58137 | High | 8.1 | — | 2025-12-12 | Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. |
CVE-2025-54981 | High | 7.5 | — | 2025-12-12 | Weak Encryption Algorithm in StreamPark. The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affect… |
CVE-2025-23408 | Medium | 6.5 | — | 2025-12-12 | Weak Password Requirements vulnerability in Apache Fineract. |
CVE-2025-53960 | Medium | 5.9 | — | 2025-12-12 | When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). |
Aqara · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65294 | Critical | 9.8 | — | 2025-12-10 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution. |
CVE-2025-65295 | High | 8.1 | — | 2025-12-10 | Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. |
CVE-2025-65297 | High | 7.5 | — | 2025-12-10 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 automatically collect and upload unencrypted sensitive information. |
CVE-2025-65291 | High | 7.4 | — | 2025-12-10 | Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks o… |
CVE-2025-65290 | High | 7.4 | — | 2025-12-10 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic… |
CVE-2025-65292 | High | 7.3 | — | 2025-12-10 | Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 allows attackers to execute arbitrary commands with root privileges through malicious domain names. |
CVE-2025-65293 | Medium | 6.6 | — | 2025-12-10 | Command injection vulnerabilities in Aqara Camera Hub G3 4.1.9_0027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset. |
CVE-2025-65296 | Medium | 6.5 | — | 2025-12-10 | NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs. |
Campcodes · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14583 | High | 7.3 | — | 2025-12-12 | A flaw has been found in campcodes Online Student Enrollment System 1.0. |
CVE-2025-14529 | High | 7.3 | — | 2025-12-11 | A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. |
CVE-2025-14515 | High | 7.3 | — | 2025-12-11 | A vulnerability has been found in Campcodes Supplier Management System 1.0. |
CVE-2025-14514 | High | 7.3 | — | 2025-12-11 | A flaw has been found in Campcodes Supplier Management System 1.0. |
CVE-2025-14209 | High | 7.3 | — | 2025-12-08 | A weakness has been identified in Campcodes School File Management System 1.0. |
CVE-2025-14582 | Medium | 4.7 | — | 2025-12-12 | A vulnerability was detected in campcodes Online Student Enrollment System 1.0. |
CVE-2025-14219 | Medium | 4.7 | — | 2025-12-08 | A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. |
Commax Co., Ltd. · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-47719 | — | — | — | 2025-12-09 | COMMAX WebViewer ActiveX Control 2.1.4.5 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions. |
CVE-2021-47710 | — | — | — | 2025-12-09 | COMMAX Smart Home System is a smart IoT home solution that allows an unauthenticated attacker to disclose RTSP credentials in plain-text by exploiting the /overview.asp endpoint. |
CVE-2021-47709 | — | — | — | 2025-12-09 | COMMAX Smart Home System allows an unauthenticated attacker to change configuration and cause denial-of-service through the setconf endpoint. |
CVE-2021-47708 | — | — | — | 2025-12-09 | COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. |
CVE-2021-47707 | — | — | — | 2025-12-09 | COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose RTSP stream. |
CVE-2021-47706 | — | — | — | 2025-12-09 | COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting… |
CVE-2021-47705 | — | — | — | 2025-12-09 | COMMAX UMS Client ActiveX Control 1.7.0.2 contains a heap-based buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions. |
Thimpress · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67526 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion. This issue affects Sailing: from n/a through < 4.4.6. |
CVE-2025-67536 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress learnpress allows Stored XSS. This issue affects LearnPress: from n/a through <= 4.2.9.4. |
CVE-2025-63011 | Medium | 5.9 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS. This issue affects WP Hotel Booking: from n/a through <= 2.2.8. |
CVE-2025-67573 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sailing: from n/a through < 4.4.6. |
CVE-2025-67594 | Medium | 4.3 | — | 2025-12-09 | Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Elementor Kit: from n/a throu… |
CVE-2025-63013 | Medium | 4.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data. This issue affects WP Hotel Booking: from n/a through <= 2.2.7. |
CVE-2025-63012 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through <= 2.2.8. |
Libbiosig_project · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66048 | Critical | 9.8 | — | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. |
CVE-2025-66047 | Critical | 9.8 | — | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. |
CVE-2025-66046 | Critical | 9.8 | — | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. |
CVE-2025-66045 | Critical | 9.8 | — | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. |
CVE-2025-66044 | Critical | 9.8 | — | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. |
CVE-2025-66043 | Critical | 9.8 | — | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. |
Projectworlds · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14571 | High | 7.3 | — | 2025-12-12 | A vulnerability has been found in projectworlds Advanced Library Management System 1.0. |
CVE-2025-14570 | High | 7.3 | — | 2025-12-12 | A flaw has been found in projectworlds Advanced Library Management System 1.0. |
CVE-2025-14527 | High | 7.3 | — | 2025-12-11 | A weakness has been identified in projectworlds Advanced Library Management System 1.0. |
CVE-2025-14212 | High | 7.3 | — | 2025-12-08 | A flaw has been found in projectworlds Advanced Library Management System 1.0. |
CVE-2025-14211 | High | 7.3 | — | 2025-12-08 | A vulnerability was detected in projectworlds Advanced Library Management System 1.0. |
CVE-2025-14210 | High | 7.3 | — | 2025-12-08 | A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0. |
Azeotech · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66589 | Critical | 9.1 | — | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Read vulnerability can be exploited by an attacker to cause the program to read data past the end of an allocated buffer. |
CVE-2025-66590 | High | 7.8 | — | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an out-of-bounds write vulnerability can be exploited by an attacker to cause the program to write data past the end of an allocated memory buffer. |
CVE-2025-66588 | High | 7.8 | — | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an access of uninitialized pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution. |
CVE-2025-66586 | High | 7.8 | — | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an access of resource using incompatible type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. |
CVE-2025-66585 | High | 7.8 | — | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), a use after free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. |
Enalean · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-64497 | Medium | 6.5 | — | 2025-12-08 | Tuleap is an Open Source Suite for management of software development and collaboration. |
CVE-2025-65962 | Medium | 4.6 | — | 2025-12-09 | Tuleap is a free and open source suite for management of software development and collaboration. |
CVE-2025-64760 | Medium | 4.6 | — | 2025-12-08 | Tuleap is a free and open source suite for management of software development and collaboration. |
CVE-2025-64499 | Medium | 4.6 | — | 2025-12-08 | Tuleap is a free and open source suite for management of software development and collaboration. |
CVE-2025-64498 | Medium | 4.6 | — | 2025-12-08 | Tuleap is an Open Source Suite for management of software development and collaboration. |
Infinera · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-27020 | Critical | 9.8 | — | 2025-12-08 | Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system. |
CVE-2025-27019 | Critical | 9.8 | — | 2025-12-08 | Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0. |
CVE-2025-26487 | High | 8.6 | — | 2025-12-08 | Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge. |
CVE-2025-26488 | High | 7.5 | — | 2025-12-08 | Improper Input Validation vulnerability in Infinera MTC-9 allows remote unauthenticated users to crash the service and cause a reboot of the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from… |
CVE-2025-26489 | Medium | 6.5 | — | 2025-12-08 | Improper input validation in the Netconf service in Infinera MTC-9 allows remote authenticated users to crash the service and reboot the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from R22… |
Minidvblinux · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-53774 | Critical | 9.8 | — | 2025-12-09 | MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. |
CVE-2023-53771 | Critical | 9.8 | — | 2025-12-09 | MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. |
CVE-2023-53772 | High | 7.5 | — | 2025-12-09 | MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the 'file' GET parameter. |
CVE-2023-53770 | High | 7.5 | — | 2025-12-09 | MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. |
CVE-2023-53773 | Medium | 5.3 | — | 2025-12-09 | MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. |
Open Bmcs · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-47701 | High | 8.8 | — | 2025-12-09 | OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the update_user_permissions.php script. |
CVE-2021-47718 | High | 7.5 | — | 2025-12-09 | OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. |
CVE-2021-47703 | High | 7.2 | — | 2025-12-09 | OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sess… |
CVE-2021-47704 | Medium | 6.5 | — | 2025-12-09 | OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. |
CVE-2021-47702 | Medium | 4.3 | — | 2025-12-09 | OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. |
Selea · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-47731 | Critical | 9.8 | — | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. |
CVE-2021-47728 | Critical | 9.8 | — | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. |
CVE-2021-47730 | High | 8.8 | — | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. |
CVE-2021-47729 | Medium | 5.4 | — | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains a stored cross-site scripting vulnerability in the 'files_list' parameter that allows attackers to inject malicious HTML and script code. |
CVE-2021-47727 | Medium | 5.3 | — | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains an unauthenticated vulnerability that allows remote attackers to access live video streams without authentication. |
Wbce · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67504 | Critical | 9.1 | — | 2025-12-09 | WBCE CMS is a content management system. |
CVE-2025-34506 | High | 8.8 | — | 2025-12-11 | WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. |
CVE-2024-58283 | High | 8.8 | — | 2025-12-10 | WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. |
CVE-2025-65950 | High | 8.8 | — | 2025-12-10 | WBCE CMS is a content management system. |
CVE-2025-66204 | High | 8.1 | — | 2025-12-09 | WBCE CMS is a content management system. |
1panel-dev · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66446 | High | 8.8 | — | 2025-12-11 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2025-66419 | High | 8.8 | — | 2025-12-11 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2025-66507 | High | 7.5 | — | 2025-12-09 | 1Panel is an open-source, web-based control panel for Linux server management. |
CVE-2025-66508 | Medium | 6.5 | — | 2025-12-09 | 1Panel is an open-source, web-based control panel for Linux server management. |
Baowzh · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14522 | Medium | 6.3 | — | 2025-12-11 | A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. |
CVE-2025-14520 | Medium | 5.4 | — | 2025-12-11 | A weakness has been identified in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. |
CVE-2025-14521 | Medium | 4.3 | — | 2025-12-11 | A security vulnerability has been detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. |
CVE-2025-14519 | Low | 3.5 | — | 2025-12-11 | A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. |
Barracuda · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34394 | Critical | 9.8 | — | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. |
CVE-2025-34393 | Critical | 9.8 | — | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not correctly verify the name of an attacker-controlled WSDL service, leading to insecure reflection. |
CVE-2025-34392 | Critical | 9.8 | — | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. |
CVE-2025-34395 | High | 7.5 | — | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service in which an unauthenticated attacker can invoke a method vulnerable to path traversal to read arbitrary files. |
Cridiostudio · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63048 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <=… |
CVE-2025-63046 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro-plugin allows DOM-Based XSS. This issue affects ListingPro: from n/a through <= 2.9.9. |
CVE-2025-63049 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ListingPro Lead Form: from n/a through <= 1.0.7. |
CVE-2025-63047 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.9. |
D-link · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13607 | Critical | 9.4 | — | 2025-12-10 | A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL. |
CVE-2025-14225 | Medium | 6.3 | — | 2025-12-08 | A vulnerability was determined in D-Link DCS-930L 1.15.04. |
CVE-2025-14208 | Medium | 6.3 | — | 2025-12-08 | A security flaw has been discovered in D-Link DIR-823X up to 20250416. |
CVE-2025-14528 | Medium | 5.3 | — | 2025-12-11 | A vulnerability was detected in D-Link DIR-803 up to 1.04. |
Dbbroadcast · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-53740 | Critical | 9.8 | — | 2025-12-10 | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials. |
CVE-2023-53776 | High | 8.8 | — | 2025-12-10 | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers. |
CVE-2023-53741 | High | 8.1 | — | 2025-12-10 | Screen SFT DAB 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP address-bound session identifiers. |
CVE-2023-53775 | Medium | 6.5 | — | 2025-12-10 | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change user passwords by exploiting weak session management controls. |
Easyimages2.0_project · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65474 | Critical | 9.8 | — | 2025-12-11 | An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to a SVG format. |
CVE-2025-65473 | Critical | 9.1 | — | 2025-12-11 | An arbitrary file rename vulnerability in the /admin/filer.php component of EasyImages 2.0 v2.8.6 and below allows attackers with Administrator privileges to execute arbitrary code via injecting a crafted payload into an uploaded file name. |
CVE-2025-65472 | High | 8.8 | — | 2025-12-11 | A Cross-Site Request Forgery (CSRF) in the /admin/admin.inc.php component of EasyImages 2.0 v2.8.6 and below allows attackers to escalate privileges to Administrator via user interaction with a malicious web page. |
CVE-2025-65471 | High | 8.8 | — | 2025-12-11 | An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file. |
Eibiz · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2020-36892 | Critical | 9.8 | — | 2025-12-10 | Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. |
CVE-2020-36895 | High | 7.5 | — | 2025-12-10 | EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. |
CVE-2020-36894 | High | 7.5 | — | 2025-12-10 | Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. |
CVE-2020-36893 | High | 7.5 | — | 2025-12-10 | Eibiz i-Media Server Digital Signage 3.8.0 contains a directory traversal vulnerability that allows unauthenticated remote attackers to access files outside the server's root directory. |
Howfor · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2020-36897 | Critical | 9.8 | — | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. |
CVE-2020-36898 | Critical | 9.1 | — | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. |
CVE-2020-36899 | High | 7.5 | — | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' parameters. |
CVE-2020-36896 | High | 7.5 | — | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. |
Ivanti · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10573 | Critical | 9.6 | — | 2025-12-09 | Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. |
CVE-2025-13659 | High | 8.8 | — | 2025-12-09 | Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. |
CVE-2025-13662 | High | 7.8 | — | 2025-12-09 | Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. |
CVE-2025-13661 | High | 7.1 | — | 2025-12-09 | Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. |
Jetbrains · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67741 | Medium | 4.6 | — | 2025-12-11 | In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute |
CVE-2025-67742 | Low | 3.8 | — | 2025-12-11 | In JetBrains TeamCity before 2025.11 path traversal was possible via file upload |
CVE-2025-67739 | Low | 3.1 | — | 2025-12-11 | In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure |
CVE-2025-67740 | Low | 2.7 | — | 2025-12-11 | In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata |
Solaredge · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-36745 | High | 7.8 | — | 2025-12-12 | SolarEdge SE3680H ships with an outdated Linux kernel containing unpatched vulnerabilities in core subsystems. |
CVE-2025-36743 | Medium | 6.8 | — | 2025-12-12 | SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands. |
CVE-2025-36746 | Medium | 5.4 | — | 2025-12-12 | SolarEdge monitoring platform contains a Cross-Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim's browser during a deletion attempt. |
CVE-2025-36744 | Low | 2.4 | — | 2025-12-12 | SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop. |
Talent Software · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12504 | Critical | 9.8 | — | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software UNIS allows SQL Injection. |
CVE-2025-6924 | Medium | 5.4 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Reflected XSS. |
CVE-2025-6923 | Medium | 5.4 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software UNIS allows Reflected XSS. |
CVE-2025-10876 | Medium | 5.3 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Cross-Site Scripting (XSS). |
Carmelo · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14223 | High | 7.3 | — | 2025-12-08 | A vulnerability has been found in code-projects Simple Leave Manager 1.0. |
CVE-2025-14230 | Medium | 6.3 | — | 2025-12-08 | A vulnerability was detected in code-projects Daily Time Recording System 4.5.0. |
CVE-2025-14531 | Medium | 4.3 | — | 2025-12-11 | A vulnerability was found in code-projects Rental Management System 2.0. |
Circl · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-42620 | — | — | — | 2025-12-08 | In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). |
CVE-2025-42616 | — | — | — | 2025-12-08 | Some endpoints in vulnerability-lookup that modified application state (e.g. |
CVE-2025-42615 | — | — | — | 2025-12-08 | In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. |
Danny-avila · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66451 | Medium | 6.5 | — | 2025-12-11 | LibreChat is a ChatGPT clone with additional features. |
CVE-2025-66452 | Medium | 6.1 | — | 2025-12-11 | LibreChat is a ChatGPT clone with additional features. |
CVE-2025-66450 | Medium | 5.4 | — | 2025-12-11 | LibreChat is a ChatGPT clone with additional features. |
Dream-theme · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63076 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 Elements dt-the7-core allows PHP Local File Inclusion. This issue affects The7 Elements: from n/a thro… |
CVE-2025-63074 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 dt-the7 allows PHP Local File Inclusion. This issue affects The7: from n/a through < 12.8.1.1. |
CVE-2025-63073 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS. This issue affects The7: from n/a through < 12.9.0. |
Facebook · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67779 | High | 7.5 | — | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. |
CVE-2025-55184 | High | 7.5 | — | 2025-12-11 | A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack… |
CVE-2025-55183 | Medium | 5.3 | — | 2025-12-11 | An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-t… |
Fearlessgeekmedia · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56431 | High | 7.5 | — | 2025-12-10 | Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the file_get_contents() function. |
CVE-2025-56430 | High | 7.5 | — | 2025-12-10 | Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the deleteDirectory function. |
CVE-2025-56429 | Medium | 6.1 | — | 2025-12-10 | Cross Site Scripting vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to obtain sensitive information via the login.php component. |
Fit2cloud · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34429 | High | 7.1 | — | 2025-12-10 | 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. |
CVE-2025-34410 | High | 7.1 | — | 2025-12-10 | 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). |
CVE-2025-34430 | Medium | 4.3 | — | 2025-12-10 | 1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. |
Frappe · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10655 | High | 8.8 | — | 2025-12-09 | SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0. |
CVE-2025-67734 | Medium | 5.4 | — | 2025-12-12 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. |
CVE-2025-67730 | Medium | 5.4 | — | 2025-12-12 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. |
Freepbx · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66039 | Critical | 9.8 | — | 2025-12-09 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. |
CVE-2024-58294 | High | 8.8 | — | 2025-12-11 | FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. |
CVE-2025-67513 | — | — | — | 2025-12-10 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. |
Galaxy Software Services · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14255 | Medium | 6.5 | — | 2025-12-08 | Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. |
CVE-2025-14254 | Medium | 6.5 | — | 2025-12-08 | Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. |
CVE-2025-14253 | Medium | 4.9 | — | 2025-12-08 | Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files. |
Lenovo · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13155 | High | 7.8 | — | 2025-12-10 | An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges. |
CVE-2025-13152 | High | 7.8 | — | 2025-12-10 | A potential DLL hijacking vulnerability was reported in Lenovo One Client during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges. |
CVE-2025-12046 | High | 7.8 | — | 2025-12-10 | A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions. |
Netgear · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12946 | High | 7.5 | — | 2025-12-09 | A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses a… |
CVE-2025-12945 | High | 7.2 | — | 2025-12-09 | A vulnerability in NETGEAR Nighthawk R7000P routers lets an authenticated admin execute OS command injections due to improper input validation. |
CVE-2025-12941 | Medium | 5.7 | — | 2025-12-09 | Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users to reboot the router. |
Pci-sig · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9614 | Medium | 6.5 | — | 2025-12-09 | An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous se… |
CVE-2025-9613 | Medium | 6.5 | — | 2025-12-09 | A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the… |
CVE-2025-9612 | Medium | 5.1 | — | 2025-12-09 | An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or re… |
Robocode · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14308 | Critical | 9.8 | — | 2025-12-09 | An integer overflow vulnerability exists in the write method of the Buffer class in Robocode version 1.9.3.6. |
CVE-2025-14306 | Critical | 9.1 | — | 2025-12-09 | A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. |
CVE-2025-14307 | High | 8.1 | — | 2025-12-09 | An insecure temporary file creation vulnerability exists in the AutoExtract component of Robocode version 1.9.3.6. |
Saad Iqbal · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63030 | High | 7.1 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery. This issue affects New User Approve: from n/a through <= 3.2.3. |
CVE-2025-67563 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through <= 3.6.1. |
CVE-2025-67471 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form quick-contact-form allows Cross Site Request Forgery. This issue affects Quick Contact Form: from n/a through <= 8.2.5. |
Spenetix Ag · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2020-36886 | High | 8.8 | — | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. |
CVE-2020-36883 | High | 8.1 | — | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. |
CVE-2020-36888 | Medium | 5.3 | — | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. |
Thembay · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67532 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17. |
CVE-2025-67530 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through <= 2.3.15. |
CVE-2025-67528 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12. |
Tornadoweb · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67726 | High | 7.5 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
CVE-2025-67725 | High | 7.5 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
CVE-2025-67724 | Medium | 5.4 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
Tripples · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67531 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Turitor turitor allows PHP Local File Inclusion. This issue affects Turitor: from n/a through < 1.5.3. |
CVE-2025-67527 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion. This issue affects Digiqole: from n/a through < 2.2.7. |
CVE-2025-67523 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion. This issue affects Exhibz: from n/a through <= 3.0.9. |
Utt · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14535 | Critical | 9.8 | — | 2025-12-11 | A vulnerability was identified in UTT 进取 512W up to 3.1.7.7-171114. |
CVE-2025-14534 | Critical | 9.8 | — | 2025-12-11 | A vulnerability was determined in UTT 进取 512W up to 3.1.7.7-171114. |
CVE-2025-14572 | High | 8.8 | — | 2025-12-12 | A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. |
Xbtitfm · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58309 | Critical | 9.8 | — | 2025-12-11 | xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. |
CVE-2024-58312 | High | 7.5 | — | 2025-12-11 | xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. |
CVE-2024-58313 | High | 7.2 | — | 2025-12-11 | xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. |
Xwiki · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66474 | High | 8.8 | — | 2025-12-10 | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). |
CVE-2025-66473 | High | 7.5 | — | 2025-12-10 | XWiki is an open-source wiki software platform. |
CVE-2025-66472 | Medium | 6.1 | — | 2025-12-10 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. |
Yandex · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5471 | High | 7.8 | — | 2025-12-09 | Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.19.1. |
CVE-2025-5470 | — | — | — | 2025-12-09 | Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking. This issue affects Disk: before 3.2.45.3275. |
CVE-2025-5469 | — | — | — | 2025-12-09 | Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.245. |
Zauberzeug · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66645 | High | 7.5 | — | 2025-12-09 | NiceGUI is a Python-based UI framework. |
CVE-2025-66470 | Medium | 6.1 | — | 2025-12-09 | NiceGUI is a Python-based UI framework. |
CVE-2025-66469 | Medium | 6.1 | — | 2025-12-09 | NiceGUI is a Python-based UI framework. |
Zitadel · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67494 | Critical | 9.3 | — | 2025-12-09 | ZITADEL is an open-source identity infrastructure tool. |
CVE-2025-67495 | High | 8.0 | — | 2025-12-09 | ZITADEL is an open-source identity infrastructure tool. |
CVE-2025-67717 | Medium | 4.3 | — | 2025-12-11 | ZITADEL is an open-source identity infrastructure tool. |
Adata · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-61075 | High | 8.1 | — | 2025-12-09 | Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized… |
CVE-2025-61074 | Medium | 4.6 | — | 2025-12-09 | A stored Cross Site Scripting (XSS) vulnerability in the bulletin board (SchwarzeBrett) in adata Software GmbH Mitarbeiter Portal 2.15.2.0 allows remote authenticated users to execute arbitrary JavaScript code in the web browser of other u… |
Allskyteam · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65573 | High | 8.8 | — | 2025-12-09 | Cross Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to cause a denial of service via function handle_interface_POST_and_status. |
CVE-2025-65572 | Medium | 6.1 | — | 2025-12-09 | Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. |
Asustor · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13052 | Medium | 5.9 | — | 2025-12-12 | When the user sets the Notification's sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in… |
CVE-2025-13053 | Low | 3.7 | — | 2025-12-12 | When a user configures the NAS to retrieve UPS status or control the UPS, non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server to perform a man-in-the-middle (MI… |
Auth0 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67716 | Medium | 5.7 | — | 2025-12-11 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. |
CVE-2025-67490 | Medium | 5.4 | — | 2025-12-10 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. |
Averta · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63045 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS. This issue affects Master Slider Pro: from n/a through <= 3.7.12. |
CVE-2025-63071 | Medium | 5.3 | — | 2025-12-09 | Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data. This issue affects Shortcodes and extra features for Phlox theme… |
Ays Pro · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67595 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery. This issue affects Quiz Maker: from n/a through <= 6.7.0.82. |
CVE-2025-66529 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify chart-builder allows Cross Site Request Forgery. This issue affects Chartify: from n/a through <= 3.6.3. |
Ays-pro · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14442 | Medium | 5.3 | — | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions… |
CVE-2025-14159 | Medium | 4.3 | — | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. |
Barix · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65231 | Medium | 6.1 | — | 2025-12-08 | Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page. |
CVE-2025-65230 | Medium | 5.4 | — | 2025-12-08 | Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input. |
Crm Perks · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67587 | Medium | 4.7 | — | 2025-12-09 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Phishing. This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5. |
CVE-2025-67468 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms cf7-salesforce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue a… |
Darendev · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14392 | Medium | 4.3 | — | 2025-12-12 | The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_theme_admin, display_method_admin, and set_change_theme_button_name actions in all versi… |
CVE-2025-14391 | Medium | 4.3 | — | 2025-12-12 | The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. |
Dell · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46637 | High | 7.3 | — | 2025-12-09 | Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. |
CVE-2025-46636 | Medium | 6.6 | — | 2025-12-09 | Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. |
Dfdevelopment · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63036 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion. This issue affects Ronneby Theme Core: f… |
CVE-2025-63037 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows DOM-Based XSS. This issue affects Ronneby Theme Core: from n/a through <= 1.5.68. |
Elysiajs · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66456 | Critical | 9.8 | — | 2025-12-09 | Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. |
CVE-2025-66457 | High | 8.8 | — | 2025-12-09 | Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. |
Essential Plugin · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2022-46845 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Essential Plugin Slider a SlidersPack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slider a SlidersPack: from n/a before 2.3. |
CVE-2025-67470 | Medium | 4.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Essential Plugin Portfolio and Projects portfolio-and-projects allows Retrieve Embedded Sensitive Data. This issue affects Portfolio and Projects: f… |
Ezcast · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13955 | — | — | — | 2025-12-10 | Predictable default Wi-Fi Password in Access Point functionality in EZCast Pro II before version 1.17478.177 allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifier… |
CVE-2025-13954 | — | — | — | 2025-12-10 | Hard-coded cryptographic keys in Admin UI of EZCast Pro II before version 1.17478.177 allows attackers to bypass authorization checks and gain full access to the admin UI |
Flarum · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58303 | — | — | — | 2025-12-11 | FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. |
CVE-2024-58302 | — | — | — | 2025-12-11 | FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. |
Gnome · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14512 | Medium | 6.5 | — | 2025-12-11 | A flaw was found in glib. |
CVE-2025-14087 | Medium | 5.6 | — | 2025-12-10 | A flaw was found in GLib (Gnome Lib). |
Google Cloud · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12952 | — | — | — | 2025-12-10 | A privilege escalation vulnerability exists in Google Cloud's Dialogflow CX. |
CVE-2025-9571 | — | — | — | 2025-12-10 | A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. |
Haxxorsid · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14568 | Medium | 6.3 | — | 2025-12-12 | A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. |
CVE-2025-14567 | Medium | 5.3 | — | 2025-12-12 | A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. |
Hippooo · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13339 | High | 7.5 | — | 2025-12-10 | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. |
CVE-2025-12655 | Medium | 5.3 | — | 2025-12-12 | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. |
Hogash · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63061 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hogash KALLYAS kallyas allows DOM-Based XSS. This issue affects KALLYAS: from n/a through < 4.25.0. |
CVE-2025-63060 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in hogash KALLYAS kallyas allows Cross Site Request Forgery. This issue affects KALLYAS: from n/a through < 4.25.0. |
Jacques Malgrange · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67534 | High | 7.1 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7. |
CVE-2025-67558 | Medium | 5.9 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7. |
Jbl · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2104 | High | 8.8 | — | 2025-12-10 | Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service which could render the device unusable. |
CVE-2024-2105 | Medium | 6.5 | — | 2025-12-10 | An unauthorised attacker within Bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices. |
Jegtheme · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67538 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS. This issue affects JNews Gallery: from n/a through < 12.0.1. |
CVE-2025-67591 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1. |
Jishenghua · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67344 | Medium | 4.6 | — | 2025-12-12 | jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint. |
CVE-2025-67341 | Medium | 4.6 | — | 2025-12-12 | jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. |
Joe Dolson · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67592 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Calendar: from n/a through <= 3.6.16. |
CVE-2025-64257 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Joe Dolson My Tickets my-tickets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Tickets: from n/a through <= 2.1.0. |
Kidaze · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14566 | High | 7.3 | — | 2025-12-12 | A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. |
CVE-2025-14565 | High | 7.3 | — | 2025-12-12 | A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. |
Labredescefetrj · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67501 | High | 8.8 | — | 2025-12-10 | WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. |
CVE-2025-67496 | Medium | 4.3 | — | 2025-12-09 | WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. |
Lambertgroup · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67518 | High | 8.5 | — | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection. This issue affects Accordion Slider PRO: from n/a throu… |
CVE-2025-62093 | High | 8.5 | — | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection. This issue affects Image&Video FullSc… |
Medivision · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2020-36902 | Critical | 9.8 | — | 2025-12-10 | UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. |
CVE-2020-36901 | High | 8.8 | — | 2025-12-10 | UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. |
Mercurycom · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65288 | Medium | 6.5 | — | 2025-12-09 | A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. |
CVE-2025-65289 | Medium | 6.1 | — | 2025-12-09 | A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hos… |
Metagauss · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63007 | Medium | 4.3 | — | 2025-12-09 | Insertion of Sensitive Information Into Sent Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data. This issue affects EventPrime: from n/a through <= 4.2.4.1. |
CVE-2025-63006 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.4.1. |
Mikado-themes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67515 | High | 8.8 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.5. |
CVE-2025-66532 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Powerlift: from n/a through < 3.2.1. |
Netweblogic · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12408 | Medium | 5.3 | — | 2025-12-12 | The Events Manager – Calendar, Bookings, Tickets, and more! |
CVE-2025-12407 | Medium | 4.3 | — | 2025-12-12 | The Events Manager – Calendar, Bookings, Tickets, and more! |
Neuron-ai · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67510 | Critical | 9.4 | — | 2025-12-10 | Neuron is a PHP framework for creating and orchestrating AI Agents. |
CVE-2025-67509 | High | 8.2 | — | 2025-12-10 | Neuron is a PHP framework for creating and orchestrating AI Agents. |
Nootheme · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67524 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion. This issue affects Jobmonster Ele… |
CVE-2025-67522 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster noo-jobmonster allows PHP Local File Inclusion. This issue affects Jobmonster: from n/a through <=… |
Nvidia · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-33214 | High | 8.8 | — | 2025-12-09 | NVIDIA NVTabular for Linux contains a vulnerability in the Workflow component, where a user could cause a deserialization issue. |
CVE-2025-33213 | High | 8.8 | — | 2025-12-09 | NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue. |
Okta · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67505 | High | 8.4 | — | 2025-12-10 | Okta Java Management SDK facilitates interactions with the Okta management API. |
CVE-2025-66033 | Medium | 5.3 | — | 2025-12-10 | Okta Java Management SDK facilitates interactions with the Okta management API. |
Onelogin · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66568 | Critical | 9.1 | — | 2025-12-09 | The ruby-saml library implements the client side of an SAML authorization. |
CVE-2025-66567 | Critical | 9.1 | — | 2025-12-09 | The ruby-saml library is for implementing the client side of a SAML authorization. |
Opal_wp · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67529 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP Fashion fashion2 allows PHP Local File Inclusion. This issue affects Fashion: from n/a through < 5.3.0. |
CVE-2025-67525 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion. This issue affects ekommart: from n/a through < 4.3.1. |
Opicron · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62737 | Medium | 5.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in opicron Image Cleanup image-cleanup allows Retrieve Embedded Sensitive Data. This issue affects Image Cleanup: from n/a through <= 1.9.2. |
CVE-2025-62736 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in opicron Image Cleanup image-cleanup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Cleanup: from n/a through <= 1.9.2. |
P-themes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63066 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Stored XSS. This issue affects Porto Theme - Functionality: from n/a throu… |
CVE-2025-63067 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a through < 3.7… |
Powerdns · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59030 | High | 7.5 | — | 2025-12-09 | An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP. |
CVE-2025-59029 | Medium | 5.3 | — | 2025-12-09 | An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY. |
Premmerce · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13440 | Medium | 5.3 | — | 2025-12-12 | The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. |
CVE-2025-12783 | Medium | 4.3 | — | 2025-12-12 | The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. |
Quantumcloud · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67576 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through <= 8.8.3. |
CVE-2025-67465 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Cross Site Request Forgery. This issue affects Simple Link Directory: from n/a through <= 8.8.3. |
Red Hat · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14523 | High | 8.2 | — | 2025-12-11 | A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. |
CVE-2025-14082 | Low | 2.7 | — | 2025-12-10 | A flaw was found in Keycloak Admin REST (Representational State Transfer) API. |
Rhys Wynne · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67557 | Medium | 5.9 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS. This issue affects WP eBay Product Feeds: from n/a through <=… |
CVE-2025-67578 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Email Capture: from n/a through <= 3.12.4. |
Rockwell Automation · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9368 | — | — | — | 2025-12-09 | A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. |
CVE-2025-12807 | — | — | — | 2025-12-09 | A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints. |
Ronald Huereca · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67586 | Medium | 4.7 | — | 2025-12-09 | Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Highlight and Share: from n/a through <= 5.2.0. |
CVE-2025-64254 | Low | 2.7 | — | 2025-12-09 | Missing Authorization vulnerability in Ronald Huereca Photo Block photo-block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Block: from n/a through <= 1.5.1. |
Select-themes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67521 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion. This issue affects Select Core: from n/a through… |
CVE-2025-67539 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Select Core select-core allows DOM-Based XSS. This issue affects Select Core: from n/a through < 2.6. |
Shahjahan Jewel · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67519 | High | 7.6 | — | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.3. |
CVE-2025-67597 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Shahjahan Jewel Fluent Booking fluent-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Booking: from n/a through <= 1.9.11. |
Sizam · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63050 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam REHub Framework rehub-framework allows Stored XSS. This issue affects REHub Framework: from n/a through < 19.9.9.7. |
CVE-2025-67565 | Medium | 5.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam Rehub rehub-theme allows Retrieve Embedded Sensitive Data. This issue affects Rehub: from n/a through <= 19.9.9.1. |
Stellarwp · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67467 | Medium | 5.4 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1. |
CVE-2025-66533 | Medium | 5.3 | — | 2025-12-09 | Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1. |
Stvs · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-47723 | High | 8.8 | — | 2025-12-09 | STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. |
CVE-2021-47724 | Medium | 6.5 | — | 2025-12-09 | STVS ProVision 5.9.10 contains a path traversal vulnerability that allows authenticated attackers to access arbitrary files by manipulating the files parameter in the archive download functionality. |
Tenda · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14526 | High | 8.8 | — | 2025-12-11 | A security flaw has been discovered in Tenda CH22 1.0.0.1. |
CVE-2025-14286 | Medium | 5.3 | — | 2025-12-09 | A vulnerability was determined in Tenda AC9 15.03.05.14_multi. |
Themehigh · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67553 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows DOM-Based XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5… |
CVE-2025-67556 | Medium | 5.9 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows Stored XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2. |
Tianocore · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2296 | — | — | — | 2025-12-09 | EDK2 contains a vulnerability in BIOS where an attacker may cause “Improper Input Validation” by local access. |
CVE-2024-38798 | — | — | — | 2025-12-09 | EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. |
Traefik · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66490 | Medium | 6.5 | — | 2025-12-09 | Traefik is an HTTP reverse proxy and load balancer. |
CVE-2025-66491 | Medium | 5.9 | — | 2025-12-09 | Traefik is an HTTP reverse proxy and load balancer. |
Vcita · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67559 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Online Booking &… |
CVE-2025-67472 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery. This issue affects Online Booking & Scheduling Calendar for W… |
Wago · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41732 | Critical | 9.8 | — | 2025-12-10 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise. |
CVE-2025-41730 | Critical | 9.8 | — | 2025-12-10 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise. |
Wpjobportal · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14293 | Medium | 6.5 | — | 2025-12-11 | The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. |
CVE-2025-14467 | Medium | 4.4 | — | 2025-12-12 | The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4. |
Yalantis · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14516 | Medium | 6.3 | — | 2025-12-11 | A vulnerability was found in Yalantis uCrop 2.2.11. |
CVE-2025-14517 | Medium | 5.3 | — | 2025-12-11 | A vulnerability was determined in Yalantis uCrop 2.2.11. |
Zoom · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67460 | High | 7.8 | — | 2025-12-10 | Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access. |
CVE-2025-67461 | Medium | 5.0 | — | 2025-12-10 | External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access. |
3ds · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12956 | High | 8.7 | — | 2025-12-08 | A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's brows… |
A1apps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65814 | Medium | 6.5 | — | 2025-12-10 | A lack of security checks in the file import process of RHOPHI Analytics LLP Office App-Edit Word v6.4.1 allows attackers to execute a directory traversal. |
Aarondoran · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67731 | High | 7.5 | — | 2025-12-12 | Servify Express is a Node.js package to start an Express server and log the port it's running on. |
Addonsorg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14074 | Medium | 4.3 | — | 2025-12-12 | The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6… |
Agile Logix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67516 | High | 8.5 | — | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection. This issue affects Store Locator WordPress: from n/a t… |
Airlift · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67721 | High | 7.5 | — | 2025-12-12 | Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. |
Akaunting · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58293 | — | — | — | 2025-12-11 | Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. |
Akazanstev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62086 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in akazanstev Яндекс Доставка (Boxberry) boxberry allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Яндекс Доставка (Boxberry): from n/a through <= 2.34. |
Aksis Computer Services And Consulting Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13003 | High | 7.6 | — | 2025-12-11 | Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc. |
Alekv · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67564 | Medium | 5.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in alekv Pixel Manager for WooCommerce woocommerce-google-adwords-conversion-tracking-tag allows Retrieve Embedded Sensitive Data. This issue affects P… |
Alex Furr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49341 | High | 7.1 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Alex Furr PDF Creator Lite pdf-creator-lite allows Stored XSS. This issue affects PDF Creator Lite: from n/a through <= 1.2. |
Alex Prokopenko / Justcoded · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62871 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1. |
Alexdtn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14137 | Medium | 6.1 | — | 2025-12-12 | The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. |
Algernon_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65754 | Medium | 6.1 | — | 2025-12-10 | Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. |
Algosec · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12381 | High | 7.8 | — | 2025-12-09 | Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection. |
Aliasrobotics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67511 | Critical | 9.6 | — | 2025-12-11 | Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. |
All-dynamics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2020-36900 | High | 8.8 | — | 2025-12-10 | All-Dynamics Digital Signage System 2.0.2 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. |
Amans2k · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14169 | High | 7.5 | — | 2025-12-12 | The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user s… |
Ami · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-58770 | High | 8.8 | — | 2025-12-12 | APTIOV contains a vulnerability in BIOS where a user may cause “Improper Handling of Insufficient Permissions or Privileges” by local access. |
Andondesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63062 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion. This issue affects UDesign Core: from n/a throu… |
Andrew Lima · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67575 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Andrew Lima Sitewide Notice WP sitewide-notice-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sitewide Notice WP: from n/a through <= 2.4.1. |
Andru1 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14125 | Medium | 6.1 | — | 2025-12-12 | The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. |
Anydesk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-34499 | — | — | — | 2025-12-11 | AnyDesk 7.0.15 and 9.0.1 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. |
Apasionados · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62102 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case dofollow-case-by-case allows Cross Site Request Forgery. This issue affects DoFollow Case by Case: from n/a through <= 3.5.1. |
Apc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58310 | — | — | — | 2025-12-11 | APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. |
Apprain · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58279 | High | 8.8 | — | 2025-12-10 | appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. |
Apprhyme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14045 | Medium | 4.3 | — | 2025-12-12 | The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. |
Apustheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13764 | Critical | 9.8 | — | 2025-12-11 | The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. |
Argoproj · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66626 | High | 8.1 | — | 2025-12-09 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. |
Arscode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63059 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arscode Ninja Popups arscode-ninja-popups allows Stored XSS. This issue affects Ninja Popups: from n/a through <= 4.7.8. |
Artplacer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67517 | High | 8.5 | — | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection. This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2. |
Ashanjay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63064 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Stored XSS. This issue affects EventON: from n/a through <= 4.9.12. |
Astro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66202 | Medium | 6.5 | — | 2025-12-09 | Astro is a web framework. |
Atcom Technology Co., Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58314 | High | 8.8 | — | 2025-12-12 | Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. |
Awanhrp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14393 | Medium | 6.4 | — | 2025-12-12 | The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. |
Ayothemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14143 | Medium | 6.4 | — | 2025-12-12 | The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. |
Azuracast · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67737 | Low | 3.1 | — | 2025-12-12 | AzuraCast is a self-hosted, all-in-one web radio management suite. |
Azuriom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65271 | High | 8.8 | — | 2025-12-08 | Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. |
B3log · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67488 | High | 7.8 | — | 2025-12-09 | SiYuan is self-hosted, open source personal knowledge management software. |
Badi Jones · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-59132 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Badi Jones Duplicate Content Cure duplicate-content-cure allows Cross Site Request Forgery. This issue affects Duplicate Content Cure: from n/a through <= 1.0. |
Bannersky · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-4970 | Medium | 5.5 | — | 2025-12-12 | The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. |
Beaverbuilder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-12558 | Medium | 4.3 | — | 2025-12-09 | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. |
Bertha Ai – Andrew Palmer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62085 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13. |
Bestwebsoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63056 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by BestWebSoft: from n/a through <=… |
Bitdefender · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-7073 | High | 7.8 | — | 2025-12-10 | A local privilege escalation vulnerability in Bitdefender Total Security versions prior to 27.0.47.241 allows low-privileged attackers to elevate privileges. |
Blair Williams · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67537 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Stored XSS. This issue affects ThirstyAffiliates: from n/a through <= 3.11.8. |
Blazethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13334 | High | 8.1 | — | 2025-12-12 | The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. |
Bmc Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58298 | — | — | — | 2025-12-11 | Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. |
Bobbingwide · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67549 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS. This issue affects oik: from n/a through <= 4.15.3. |
Bobvanoorschot · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13840 | Medium | 6.4 | — | 2025-12-12 | The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu_search' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization an… |
Boldthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14032 | Medium | 6.4 | — | 2025-12-12 | The Bold Timeline Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'bold_timeline_group' shortcode in all versions up to, and including, 1.2.7 due to insufficient input sanitization an… |
Bowo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64255 | Low | 2.7 | — | 2025-12-09 | Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin and Site Enhancements (ASE): from n/a th… |
Brainstorm Force · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-23729 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through 2.3.0. |
Brightsign, Llc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2020-36884 | — | — | — | 2025-12-10 | BrightSign Digital Signage Diagnostic Web Server 8.2.26 and less contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service. |
Brother Industries, Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64696 | Low | 3.3 | — | 2025-12-09 | Android App "Brother iPrint&Scan" versions 6.13.7 and earlier improperly uses an external cache directory. |
Buntegiraffe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13884 | Medium | 6.4 | — | 2025-12-12 | The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitizati… |
C-ares · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62408 | Medium | 5.9 | — | 2025-12-08 | c-ares is an asynchronous resolver library. |
Campay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-12883 | Medium | 5.3 | — | 2025-12-12 | The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. |
Canonical · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-5467 | Low | 3.3 | — | 2025-12-10 | It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups. |
Carmelogarcia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14222 | Medium | 6.3 | — | 2025-12-08 | A flaw has been found in code-projects Employee Profile Management System 1.0. |
Cashu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65548 | Critical | 9.1 | — | 2025-12-08 | NUT-14 allows cashu tokens to be created with a preimage hash. |
Catch Themes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67543 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS. This issue affects Essential Widgets: from n/a through <= 2.2.2. |
Cdpenergy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65287 | Medium | 4.3 | — | 2025-12-09 | An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files. |
Chancms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65602 | Critical | 9.8 | — | 2025-12-10 | A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request. |
Chmln · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65807 | High | 8.4 | — | 2025-12-10 | An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command. |
Chyrp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58285 | Medium | 5.4 | — | 2025-12-10 | Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles. |
Cisa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67634 | Medium | 4.4 | — | 2025-12-12 | The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. |
Cleantalk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13604 | High | 7.2 | — | 2025-12-09 | The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output esc… |
Cleverdisplay B.v. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-36755 | — | — | — | 2025-12-12 | The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. |
Cloudlinux · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65530 | High | 8.8 | — | 2025-12-12 | An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file. |
Cmsimple · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58280 | High | 8.8 | — | 2025-12-10 | CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. |
Code Amp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62996 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Code Amp Custom Layouts – Post + Product grids made easy custom-layouts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Layouts – Post + Product grids… |
Codeworkweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67473 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in codeworkweb CWW Companion cww-companion allows Cross Site Request Forgery. This issue affects CWW Companion: from n/a through <= 1.3.2. |
Codnloc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13987 | Medium | 4.3 | — | 2025-12-12 | The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. |
Connectwise · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14265 | Critical | 9.1 | — | 2025-12-11 | In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. |
Constant Contact · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67580 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Constant Contact + WooCommerce… |
Containernetworking · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67499 | Medium | 6.6 | — | 2025-12-10 | The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. |
Conveythis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62152 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ConveyThis: from n/a through <= 269.2. |
Coohom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65300 | Medium | 5.4 | — | 2025-12-09 | A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rende… |
Cpanel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66429 | High | 8.8 | — | 2025-12-11 | An issue was discovered in cPanel 110 through 132. |
Cronosweb I2a · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-41358 | — | — | — | 2025-12-10 | Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. |
Cslanet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66631 | Critical | 9.8 | — | 2025-12-09 | CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. |
Cszcms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58307 | High | 8.8 | — | 2025-12-11 | CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. |
Cvedovini · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13886 | High | 7.5 | — | 2025-12-12 | The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization. |
Cytechltd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14064 | Medium | 5.4 | — | 2025-12-12 | The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. |
Datagear · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65792 | Critical | 9.1 | — | 2025-12-10 | DataGear v5.5.0 is vulnerable to Arbitrary File Deletion. |
David Lingren · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63065 | Medium | 5.3 | — | 2025-12-09 | Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media Library Assistant media-library-assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library Assist… |
Davidkeen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13960 | Medium | 6.4 | — | 2025-12-12 | The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gpxpress' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attr… |
Denx · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-24857 | High | 7.6 | — | 2025-12-10 | Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbit… |
Developerke · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14165 | Medium | 4.3 | — | 2025-12-12 | The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. |
Digitaldruid · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55816 | Medium | 6.1 | — | 2025-12-11 | HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file. |
Digitalpa S.r.l. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-34413 | — | — | — | 2025-12-09 | Legality WHISTLEBLOWING by DigitalPA contains a protection mechanism failure in which critical HTTP security headers are not emitted by default. |
Dimitri Grassi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66531 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.30.3. |
Docker · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13743 | High | 7.5 | — | 2025-12-09 | Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. |
Dormakaba · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58311 | Critical | 9.8 | — | 2025-12-12 | Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. |
Dotclear · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58281 | High | 8.8 | — | 2025-12-10 | Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. |
Doubledome · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14354 | Medium | 4.3 | — | 2025-12-12 | The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. |
Dr.buho · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13733 | High | 7.8 | — | 2025-12-12 | BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoNTFS: 1.3.2. |
E4jvikwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14049 | Medium | 6.1 | — | 2025-12-12 | The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output… |
Easy Payment · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63023 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Easy Payment Payment Gateway for PayPal on WooCommerce woo-paypal-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway for PayPal on WooCo… |
Efm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14485 | Medium | 5.0 | — | 2025-12-11 | A weakness has been identified in EFM ipTIME A3004T 14.19.0. |
Elastic Email · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66525 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Elastic Email Elastic Email Sender elastic-email-sender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elastic Email Sender: from n/a through <= 1.2.20. |
Elated Themes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13613 | Critical | 9.8 | — | 2025-12-10 | The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. |
Elated-themes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66534 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Elated-Themes The Aisle theaisle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Aisle: from n/a through <= 2.9. |
Elecom Co.,ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66271 | Medium | 6.7 | — | 2025-12-09 | Clone for Windows provided by ELECOM CO.,LTD. |
Elementor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67588 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through <= 3.33.0. |
Elements · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58290 | — | — | — | 2025-12-11 | Xhibiter NFT Marketplace 1.10.2 contains a SQL injection vulnerability in the collections endpoint that allows attackers to manipulate database queries through the 'id' parameter. |
Elkarte · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58295 | — | — | — | 2025-12-11 | ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. |
Emby · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64113 | Critical | 9.8 | — | 2025-12-09 | Emby Server is a user-installable home media server. |
Emlog · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-61318 | Critical | 9.1 | — | 2025-12-08 | Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. |
Emrevona · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10583 | Low | 3.5 | — | 2025-12-12 | The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. |
Entrust Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-34414 | — | — | — | 2025-12-09 | Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled… |
Ergonet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62867 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in ergonet Ergonet Cache ergonet-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ergonet Cache: from n/a through <= 1.0.13. |
Essekia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66526 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.34. |
Eupago · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62870 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eupago Gateway For Woocommerce: from n/a… |
Eurisko · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13969 | Medium | 6.4 | — | 2025-12-12 | The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output… |
Evan Herman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62865 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Evan Herman Post Cloner post-cloner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Cloner: from n/a through <= 1.0.0. |
Expresstech Systems · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63054 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3… |
Falselight · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13963 | Medium | 6.4 | — | 2025-12-12 | The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxcc_convert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on… |
Fernandobt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10163 | Medium | 6.5 | — | 2025-12-11 | The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplie… |
Filamentphp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67507 | High | 8.1 | — | 2025-12-10 | Filament is a collection of full-stack components for accelerated Laravel development. |
Fireplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67545 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirePlugins FireBox firebox allows Stored XSS. This issue affects FireBox: from n/a through <= 3.1.0-free. |
Flashyapp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62873 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Flashyapp WP Flashy Marketing Automation wp-flashy-marketing-automation allows Cross Site Request Forgery. This issue affects WP Flashy Marketing Automation: from n/a through <= 2.0.8. |
Flatboard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58291 | — | — | — | 2025-12-11 | Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. |
Flexmls · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67585 | Medium | 4.7 | — | 2025-12-09 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Phishing. This issue affects Flexmls® IDX: from n/a through <= 3.15.7. |
Flipper Code - Wordpress Development Company · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67535 | Medium | 6.6 | — | 2025-12-09 | Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through <= 4.8.6. |
Flow-scanner · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67750 | High | 8.4 | — | 2025-12-12 | Lightning Flow Scanner provides a CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. |
Formio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67718 | — | — | — | 2025-12-11 | Form.io is a combined Form and API platform for Serverless applications. |
Foxtheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13408 | Medium | 4.3 | — | 2025-12-12 | The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. |
Foysal Imran · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67583 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Foysal Imran IDonate idonate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IDonate: from n/a through <= 2.1.15. |
Frapesce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13366 | Medium | 4.3 | — | 2025-12-12 | The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. |
Freeimage_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65803 | Medium | 6.5 | — | 2025-12-10 | An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file. |
Fuelthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63003 | High | 7.5 | — | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North - Required Plugin north-plugin allows PHP Local File Inclusion. This issue affects North - Required Pl… |
Gallerycreator · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63052 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.3.2.1. |
Gardener · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67508 | High | 8.4 | — | 2025-12-12 | gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools. |
Genexus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58288 | — | — | — | 2025-12-11 | Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. |
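The unquoted-service-path class in the row above is worth auditing for in bulk, since the same misconfiguration recurs across vendors. What follows is an added example, not Genexus code: a Python checker that applies the usual test (the executable portion of the service's ImagePath is not wrapped in quotes and contains a space) to a constructed set of service entries, and lists the intermediate binaries Windows would try before the intended one. The service names and paths are made up for the demo; on a real host the input would come from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath` or `Get-CimInstance Win32_Service`.

```python
"""Added example (not Genexus code): flag unquoted Windows service paths.

An ImagePath like  C:\\Program Files\\Vendor App\\svc.exe  is resolved by
CreateProcess by trying C:\\Program.exe, then C:\\Program Files\\Vendor.exe,
before the intended binary. If a low-privileged user can write to one of
those locations, the service (often running as SYSTEM) executes their file
at next start.
"""
import re

# Executable portion ends at the first ".exe" (case-insensitive); the rest is arguments.
_EXE_RE = re.compile(r"(.*?\.exe)", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Return the executable portion of an ImagePath with arguments stripped."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = _EXE_RE.match(p)
    return m.group(1) if m else p.split(" ")[0]


def is_unquoted_service_path(image_path: str) -> bool:
    """True when the path is not quoted and its executable portion contains a space."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    return " " in executable_part(p)


def hijack_candidates(image_path: str) -> list:
    """Paths CreateProcess tries before the real binary for an unquoted, spaced path."""
    if not is_unquoted_service_path(image_path):
        return []
    parts = executable_part(image_path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted(services: dict) -> dict:
    """Map each vulnerable service name to the locations an attacker would want to write."""
    return {name: hijack_candidates(path)
            for name, path in services.items()
            if is_unquoted_service_path(path)}


# Constructed sample data for the demo; these are not real services.
SAMPLE_SERVICES = {
    "svchostnet": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "quotedvendor": r'"C:\Program Files\Quoted Vendor\agent.exe" --service',
    "badvendor": r"C:\Program Files\Vendor App\svc.exe",
    "badvendorargs": r"C:\Program Files (x86)\Other Co\Tool\tool.exe -run as service",
}

if __name__ == "__main__":
    for name, cands in find_unquoted(SAMPLE_SERVICES).items():
        print(f"{name}: {SAMPLE_SERVICES[name]}")
        for c in cands:
            print(f"    would try first: {c}")
```

The check only reports exposure; whether it is exploitable depends on whether a non-admin user can create a file at one of the listed candidate paths, so pair the output with an ACL check of each parent directory. The fix on the vendor side is simply to quote the path in the service definition.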
Get Bowtied · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67544 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Get Bowtied Shopkeeper Extender shopkeeper-extender allows Stored XSS. This issue affects Shopkeeper Extender: from n/a through < 7.0. |
Ggml-org · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14569 | Medium | 5.3 | — | 2025-12-12 | A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2. |
Github · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14046 | Medium | 6.1 | — | 2025-12-11 | An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. |
Gladinet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14611 | Critical | 9.8 | KEV | 2025-12-12 | Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. |
Gofiber · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66565 | Critical | 9.8 | — | 2025-12-09 | Fiber Utils is a collection of common functions created for Fiber. |
Gogs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8110 | High | 8.8 | KEV | 2025-12-10 | Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code. |
Graham · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62153 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Graham Quick Interest Slider quick-interest-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Interest Slider: from n/a through <= 3.1.7. |
Grassroots · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-11266 | Medium | 6.6 | — | 2025-12-12 | An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). |
Gravitec.net - Web Push Notifications · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62869 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affec… |
Gs Yuasa International Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66461 | Medium | 6.7 | — | 2025-12-08 | FULLBACK Manager Pro provided by GS Yuasa International Ltd. |
Gtt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13953 | — | — | — | 2025-12-10 | Bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method. |
Happymonster · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63077 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Happy Addons for Elementor: from n/a through <… |
Hashenudara · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66918 | High | 8.8 | — | 2025-12-11 | edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting (XSS) in admin/add-session.php via the "title" parameter. |
Hassantafreshi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67577 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.8.20. |
Hcl Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-42197 | Medium | 5.5 | — | 2025-12-11 | HCL Workload Scheduler stores user credentials in plain text which can be read by a local user. |
Hiroaki Miyashita · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63058 | Medium | 4.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Hiroaki Miyashita Custom Field Template custom-field-template allows Retrieve Embedded Sensitive Data. This issue affects Custom Field Template: fro… |
Hp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-11531 | High | 8.8 | — | 2025-12-09 | HP System Event Utility and Omen Gaming Hub might allow execution of certain files outside of their restricted paths. |
Humanityco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67554 | Medium | 5.9 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS. This issue affects Cookie Notice & Compliance for G… |
Hummerrisk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63721 | High | 8.8 | — | 2025-12-08 | HummerRisk through v1.5.0 uses a vulnerable SnakeYAML component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server. |
Hype · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49348 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hype: from n/a through <= 1.0.5. |
Hypr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8273 | High | 8.8 | — | 2025-12-11 | Authentication Bypass by Spoofing vulnerability in HYPR Server allows Identity Spoofing. This issue affects Server: before 10.1. |
Ibexa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67719 | — | — | — | 2025-12-11 | Ibexa is a composable end-to-end DXP (Digital Experience Platform). |
Ice00 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13747 | Medium | 6.4 | — | 2025-12-12 | The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user… |
Icegram · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12348 | Medium | 5.3 | — | 2025-12-12 | The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. |
Ideacms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14245 | High | 7.3 | — | 2025-12-08 | A vulnerability has been found in IdeaCMS up to 1.8. |
Ilevia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14276 | Medium | 5.6 | — | 2025-12-08 | A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. |
Im Park Information Technology, Electronics, Press, Publishing And Advertising, Education Ltd. Co. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13125 | Medium | 4.3 | — | 2025-12-10 | Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. |
Imagemagick · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66628 | High | 7.5 | — | 2025-12-10 | ImageMagick is a software suite to create, edit, compose, or convert bitmap images. |
Imaqpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13363 | Medium | 4.3 | — | 2025-12-12 | The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. |
Imran3229 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13885 | Medium | 6.4 | — | 2025-12-12 | The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and o… |
Infility · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12968 | High | 8.8 | — | 2025-12-12 | The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. |
Infinitum Form · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62109 | Medium | 5.3 | — | 2025-12-09 | Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data. This issue affects Geo Controller: from n/a through <= 8.9.4. |
Insyde Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-10451 | High | 8.2 | — | 2025-12-12 | Unchecked output buffer may allow arbitrary code execution in SMM and potentially result in SMM memory corruption. |
Intellichoice · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-47717 | — | — | — | 2025-12-09 | IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter. |
Iworks · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12960 | Medium | 6.5 | — | 2025-12-12 | The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. |
Izuchy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13975 | Medium | 4.4 | — | 2025-12-12 | The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output esca… |
Jbrinley · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-11876 | Medium | 6.4 | — | 2025-12-12 | The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and outpu… |
Jegstudio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62090 | Medium | 6.5 | — | 2025-12-09 | Missing Authorization vulnerability in Jegstudio Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons gutenverse-news allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Ne… |
Jenyay · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13839 | Medium | 6.4 | — | 2025-12-12 | The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user… |
Jeremybmerrill · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14035 | Medium | 4.4 | — | 2025-12-12 | The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. |
Jihai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14259 | Medium | 6.3 | — | 2025-12-08 | A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. |
Jk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62872 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in JK Social Photo Fetcher facebook-photo-fetcher allows Cross Site Request Forgery. This issue affects Social Photo Fetcher: from n/a through <= 3.0.4. |
Jmri · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14311 | — | — | — | 2025-12-09 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JMRI. This issue affects JMRI: before 5.13.3. |
Joel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62735 | Medium | 5.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Joel User Spam Remover user-spam-remover allows Retrieve Embedded Sensitive Data. This issue affects User Spam Remover: from n/a through <= 1.1. |
Joinmastodon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67500 | Low | 3.7 | — | 2025-12-10 | Mastodon is a free, open-source social network server based on ActivityPub. |
Jonahsc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14048 | Medium | 4.4 | — | 2025-12-12 | The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. |
Jupitercow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49347 | High | 7.1 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS. This issue affects WP sIFR: from n/a through <= 0.6.8.1. |
Justdave · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14160 | Medium | 4.3 | — | 2025-12-12 | The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. |
Jxlindia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63895 | High | 7.5 | — | 2025-12-10 | An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) packet. |
Klemmkeil · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13962 | Medium | 6.4 | — | 2025-12-12 | The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supp… |
Knime · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14262 | Medium | 4.3 | — | 2025-12-08 | A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if they were saved by the job owner. |
Kodcloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34504 | Medium | 6.1 | — | 2025-12-11 | KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. |
Kubiq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67469 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator pdf-thumbnail-generator allows Cross Site Request Forgery. This issue affects PDF Thumbnail Generator: from n/a through <= 1.4. |
Ladislavsoukupgmailcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13850 | Medium | 6.4 | — | 2025-12-12 | The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. |
Langchain · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67644 | High | 7.3 | — | 2025-12-11 | LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). |
Lazycoders · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12963 | Critical | 9.8 | — | 2025-12-12 | The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. |
Lepton-cms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-56704 | High | 8.8 | — | 2025-12-09 | LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. |
Lesion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13904 | Medium | 6.4 | — | 2025-12-12 | The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gancio-event' shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user supplied… |
Lester Chan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67541 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-ShowHide wp-showhide allows Stored XSS. This issue affects WP-ShowHide: from n/a through <= 1.05. |
Levelfourdevelopment · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62997 | Medium | 5.3 | — | 2025-12-09 | Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data. This issue affects WP EasyCart: from n/a through <= 5.8.11. |
Libcoap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-59391 | Medium | 6.5 | — | 2025-12-08 | A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. |
Libimobiledevice · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66004 | Medium | 5.7 | — | 2025-12-10 | A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user. This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba. |
Litmuschaos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14261 | High | 7.1 | — | 2025-12-08 | The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack. |
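Short HMAC secrets fall to offline brute force because anyone holding a valid token already has everything needed to test candidate keys: the signing input and the signature. The following is an added example in generic Python, not Litmus code. It mints an HS256 JWT under a deliberately tiny constructed secret and recovers that secret by exhaustive search over an assumed alphabet; the claims, the secret and the alphabet are all made up for the demo.

```python
"""Added example: recovering a short HS256 JWT secret offline.

Generic illustration, not Litmus code. The secret, claims and alphabet
below are constructed for the demo. The point is that a valid token is a
complete test oracle, so keyspace size is the only thing standing between
an attacker and the ability to mint tokens for any identity.
"""
import base64
import hashlib
import hmac
import itertools
import json
import string
from typing import Optional


def b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sig(signing_input: bytes, secret: bytes) -> str:
    return b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature for the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{_sig(signing_input, secret)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the signature and compare in constant time."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = _sig(f"{header}.{payload}".encode("ascii"), secret)
    return hmac.compare_digest(expected, sig)


def brute_force_secret(token: str, alphabet: str, length: int) -> Optional[bytes]:
    """Exhaust every secret of exactly `length` characters drawn from `alphabet`.

    No network or server interaction is needed: one captured token is the oracle.
    """
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    for combo in itertools.product(alphabet.encode("ascii"), repeat=length):
        candidate = bytes(combo)
        if _sig(signing_input, candidate) == sig:
            return candidate
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return alphabet_size ** length


# Constructed demo values: a 3-character lowercase+digit secret (36**3 = 46656
# candidates) keeps the search to well under a second in pure Python.
DEMO_SECRET = b"k3y"
DEMO_ALPHABET = string.ascii_lowercase + string.digits
DEMO_TOKEN = mint_hs256({"sub": "user", "role": "viewer"}, DEMO_SECRET)

if __name__ == "__main__":
    found = brute_force_secret(DEMO_TOKEN, DEMO_ALPHABET, 3)
    print("recovered secret:", found)
    forged = mint_hs256({"sub": "user", "role": "admin"}, found)
    print("forged admin token verifies:", verify_hs256(forged, DEMO_SECRET))
    print("6 arbitrary bytes give", keyspace(256, 6), "candidates (2**48)")
```

Even the best case for a 6-byte secret, all 256 values per byte, is only 2**48 candidates, a search that offline hashing tools finish on commodity hardware. The remediation is a secret with at least 256 bits of entropy from a CSPRNG (HS256 keys shorter than the hash output size are explicitly discouraged by RFC 7518), rotated if there is any chance the old one leaked.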
Liton Arefin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63055 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through… |
Looks_awesome · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13866 | Medium | 6.4 | — | 2025-12-12 | The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. |
Ludwigyou · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14166 | Medium | 5.3 | — | 2025-12-12 | The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. |
Lyrion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65229 | Medium | 4.6 | — | 2025-12-08 | A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. |
M.code · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62734 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in M.Code Media Library Downloader media-library-downloader allows Cross Site Request Forgery. This issue affects Media Library Downloader: from n/a through <= 1.4.0. |
Maartenbelmans · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13924 | Medium | 4.3 | — | 2025-12-09 | The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. |
Machphy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67485 | Medium | 5.3 | — | 2025-12-10 | mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. |
Magblogapi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14162 | Medium | 4.3 | — | 2025-12-12 | The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. |
Mailerlite · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13993 | Medium | 5.5 | — | 2025-12-12 | The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanit… |
Malwarebytes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-29144 | Low | 3.3 | — | 2025-12-12 | Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. |
Marcoingraiti · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49350 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Actionwear products sync: from n/a through <=… |
Mario Peshev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62740 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.6. |
Markutos987 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13314 | Medium | 5.3 | — | 2025-12-12 | The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on t… |
Masacms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66492 | High | 8.2 | — | 2025-12-12 | Masa CMS is an open source Enterprise Content Management platform. |
Matrix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66622 | High | 7.5 | — | 2025-12-09 | matrix-sdk-base is the base component to build a Matrix client library. |
Mayuri-chan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67720 | Medium | 6.5 | — | 2025-12-11 | Pyrofork is a modern, asynchronous MTProto API framework. |
Microweber · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58289 | Medium | 5.4 | — | 2025-12-11 | Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. |
Minalic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58306 | — | — | — | 2025-12-11 | minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. |
Mineadmin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65854 | Critical | 9.8 | — | 2025-12-12 | Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allow attackers to execute arbitrary commands and achieve a full account takeover. |
Miniflux · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67713 | Medium | 6.1 | — | 2025-12-11 | Miniflux 2 is an open source feed reader. |
Miyagawa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2013-10031 | High | 7.5 | — | 2025-12-09 | Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks. |
Mmattax · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62738 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in mmattax Formstack Online Forms formstack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Formstack Online Forms: from n/a through <= 2.0.2. |
Mongodb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14345 | Medium | 4.2 | — | 2025-12-09 | A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short… |
Moxa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-9315 | — | — | — | 2025-12-10 | An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series. |
Muffingroup · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63075 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in muffingroup Betheme betheme allows DOM-Based XSS. This issue affects Betheme: from n/a through <= 28.2. |
Multiparcels · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62995 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MultiParcels Shippin… |
N8n · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-65964 | High | 8.8 | — | 2025-12-09 | n8n is an open source workflow automation platform. |
Nalam-1 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-12965 | Medium | 6.4 | — | 2025-12-12 | The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input san… |
Nasir Uddin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62082 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nasir Uddin Generic Elements generic-elements-for-elementor allows Stored XSS. This issue affects Generic Elements: from n/a through <= 1… |
Nazsabuz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13989 | Medium | 6.4 | — | 2025-12-12 | The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. |
Nebim Neyir Computer Industry And Services Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13506 | High | 8.8 | — | 2025-12-12 | Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. |
Netiket Information Technologies Ltd. Co. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13124 | High | 7.6 | — | 2025-12-11 | Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. |
Nomysoft Information Technology Training And Consulting Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-1161 | High | 7.1 | — | 2025-12-10 | Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. |
Octagonsimon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14158 | Medium | 4.3 | — | 2025-12-12 | The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. |
Oleksandr Lysyi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67561 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Log Viewer: from n/a through <= 2.0.3. |
Opensolution · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58308 | Critical | 9.8 | — | 2025-12-11 | Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. |
Oretnom23 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14221 | Low | 3.5 | — | 2025-12-08 | A vulnerability was detected in SourceCodester Online Banking System 1.0. |
Orico · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14220 | Medium | 4.3 | — | 2025-12-08 | A security vulnerability has been detected in ORICO CD3510 1.9.12. |
Pandikamal03 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14132 | Medium | 6.1 | — | 2025-12-12 | The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. |
Parse-community · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67727 | Critical | 9.8 | — | 2025-12-12 | Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. |
Paysera · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63015 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in paysera WooCommerce Payment Gateway - Paysera woo-payment-gateway-paysera allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Payment Gateway - Payse… |
Pcman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58299 | Critical | 9.8 | — | 2025-12-12 | PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. |
Pcsx2 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67749 | — | — | — | 2025-12-12 | PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. |
Pegasystems · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62181 | Medium | 5.3 | — | 2025-12-10 | Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. |
Pencidesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67572 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PenNews: from n/a through < 6.7.4. |
Personal Project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-11022 | Critical | 9.6 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability resulting in Command Injection has been identified. |
Pgadmin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13780 | Critical | 9.1 | — | 2025-12-11 | pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. |
Philipinho · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14227 | Medium | 6.3 | — | 2025-12-08 | A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. |
Phoenixcart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58296 | — | — | — | 2025-12-11 | CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. |
Photoboxone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62762 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.51. |
Pipeshub · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67506 | Critical | 9.8 | — | 2025-12-10 | PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. |
Popojicms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58284 | High | 7.2 | — | 2025-12-10 | PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. |
Portabilis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-9638 | Medium | 4.8 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint. |
Presstigers · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64256 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Folio simple-folio allows Cross Site Request Forgery. This issue affects Simple Folio: from n/a through <= 1.1.0. |
Properfraction · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13642 | Medium | 5.4 | — | 2025-12-09 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due… |
Proteusthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62733 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in ProteusThemes Custom Sidebars by ProteusThemes custom-sidebars-by-proteusthemes allows Cross Site Request Forgery. This issue affects Custom Sidebars by ProteusThemes: from n/a through <= 1… |
Psm Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67598 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery. This issue affects SupportCandy: from n/a through <= 3.4.1. |
Puneethreddyhc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58316 | High | 7.5 | — | 2025-12-12 | Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter. |
Purei · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58301 | — | — | — | 2025-12-11 | Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. |
Pyrocms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58297 | Medium | 5.4 | — | 2025-12-11 | PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. |
Qdonow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14068 | High | 7.5 | — | 2025-12-12 | The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara… |
Qrevo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13846 | Medium | 6.4 | — | 2025-12-12 | The Easy Map Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. |
Qualitysoft Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64701 | High | 7.8 | — | 2025-12-11 | QND Premium/Advance/Standard Ver.11.0.9i and prior contains a privilege escalation vulnerability, which may allow a user who can log in to a Windows system with the affected product to gain administrator privileges. |
Quic-go · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64702 | Medium | 5.3 | — | 2025-12-11 | quic-go is an implementation of the QUIC protocol in Go. |
Radykal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-12570 | High | 7.2 | — | 2025-12-12 | The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.p… |
Rainafarai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62993 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in rainafarai Notification for Telegram notification-for-telegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notification for Telegram: from n/a through <=… |
Ravynsoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14309 | High | 7.5 | — | 2025-12-09 | NULL Pointer Dereference vulnerability in ravynsoft ravynos. This issue affects ravynos: through 0.5.2. |
Rcatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13660 | Medium | 5.3 | — | 2025-12-12 | The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. |
Remram44 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67502 | Medium | 5.4 | — | 2025-12-10 | Taguette is an open source qualitative research tool. |
Remyandrade · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14530 | Medium | 4.7 | — | 2025-12-11 | A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0. |
Rengine · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58287 | High | 8.8 | — | 2025-12-11 | reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. |
Repute Infosystems · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-47425 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ARMember: from n/a through 3.4.10. |
Rethinkdb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14310 | — | — | — | 2025-12-09 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in rethinkdb. This issue affects rethinkdb: before 2.4.4. |
Rhewlif · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67550 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhewlif Donation Thermometer donation-thermometer allows Stored XSS. This issue affects Donation Thermometer: from n/a through <= 2.2.6. |
Riyadh Ahmed · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63033 | Medium | 5.9 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS. This issue affects M… |
Robrichards · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-66578 | Medium | 6.0 | — | 2025-12-09 | xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. |
Rodgerholl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14044 | High | 8.1 | — | 2025-12-12 | The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. |
Rodolforizzo76 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14065 | Medium | 4.3 | — | 2025-12-12 | The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. |
Roxnor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63057 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS. This issue affects Wp Ultimate Review: from n/a through <= 2.3.7. |
Rtcamp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67584 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in rtCamp GoDAM godam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GoDAM: from n/a through <= 1.4.6. |
Rustaurius · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67590 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Ultimate FAQ ultimate-faqs allows Cross Site Request Forgery. This issue affects Ultimate FAQ: from n/a through <= 2.4.3. |
S9y · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58282 | High | 7.2 | — | 2025-12-10 | Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. |
Saifumak · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62739 | Medium | 6.5 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Cross Site Request Forgery. This issue affects Add Custom Codes: from n/a through <= 4.80. |
Sandboxie-plus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-64721 | Critical | 10.0 | — | 2025-12-11 | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. |
Scriptsbundle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67569 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in scriptsbundle AdForest adforest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdForest: from n/a through <= 6.0.11. |
Senior-walter · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14206 | Medium | 6.5 | — | 2025-12-08 | A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. |
Sergiotrinity · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67466 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in sergiotrinity Trinity Audio trinity-audio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trinity Audio: from n/a through <= 5.23.3. |
Sevenspark · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63068 | Medium | 5.3 | — | 2025-12-09 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 – Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection. This issue affects Contact Form 7… |
Sgcoskey · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-12650 | Medium | 6.4 | — | 2025-12-12 | The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. |
Sh1zen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14344 | Critical | 9.8 | — | 2025-12-12 | The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. |
Shahjada · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63070 | Medium | 4.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32. |
Shaneisrael · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67728 | Critical | 9.8 | — | 2025-12-12 | Fireshare facilitates self-hosted media and link sharing. |
Shinetheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63028 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6. |
Shopware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67648 | High | 7.1 | — | 2025-12-11 | Shopware is an open commerce platform. |
Siklu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58300 | — | — | — | 2025-12-11 | Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. |
Silkypress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67542 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SilkyPress Multi-Step Checkout for WooCommerce wp-multi-step-checkout allows DOM-Based XSS. This issue affects Multi-Step Checkout for Woo… |
Sonlamtn200 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13966 | Medium | 6.4 | — | 2025-12-12 | The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttom_image' parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input saniti… |
Sony · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2020-36885 | Critical | 9.8 | — | 2025-12-10 | Sony IPELA Network Camera 1.82.01 contains a stack buffer overflow vulnerability in the ftpclient.cgi endpoint that allows remote attackers to execute arbitrary code. |
Soportecibeles · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14030 | Medium | 6.4 | — | 2025-12-12 | The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. |
Sourcecodester · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14229 | Medium | 4.7 | — | 2025-12-08 | A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. |
Spa-cart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58304 | High | 7.5 | — | 2025-12-11 | SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. |
Spacex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67780 | Medium | 4.2 | — | 2025-12-11 | SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. |
Specialk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13677 | Medium | 4.9 | — | 2025-12-10 | The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. |
Spinetix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2020-36887 | High | 7.5 | — | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory. |
Static-web-server · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67487 | High | 8.6 | — | 2025-12-09 | Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. |
Steve Truman · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63034 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in Steve Truman Page View Count page-views-count allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Page View Count: from n/a through <= 2.9.0. |
Stiand · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14170 | Medium | 4.3 | — | 2025-12-12 | The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. |
Stiofan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67593 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.48. |
Strategy11 Team · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67596 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19. |
Subhransu-sekhar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13961 | Medium | 6.4 | — | 2025-12-12 | The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user suppl… |
Susantabeura · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13843 | Medium | 6.4 | — | 2025-12-12 | The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization… |
Tac Information Services Internal And External Trade Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-13127 | Low | 3.5 | — | 2025-12-10 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TAC Information Services Internal and External Trade Inc. |
Taylor Hawkes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-22675 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Taylor Hawkes WP Fast Cache allows Cross Site Request Forgery. This issue affects WP Fast Cache: from n/a through 1.5. |
Tecno · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-9056 | Medium | 5.3 | — | 2025-12-10 | Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation. |
Tekafran · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14062 | Medium | 4.3 | — | 2025-12-12 | The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. |
Telepedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67646 | Low | 3.5 | — | 2025-12-11 | TableProgressTracking is a MediaWiki extension to track progress against specific criterion. |
Tharkun69 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-12824 | High | 8.8 | — | 2025-12-12 | The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. |
Themebon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14119 | Medium | 6.4 | — | 2025-12-12 | The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficie… |
Themeco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63072 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THEMECO Cornerstone cornerstone allows Stored XSS. This issue affects Cornerstone: from n/a through <= 7.7.3. |
Themefic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14356 | Medium | 4.3 | — | 2025-12-12 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. |
Themeisle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-11467 | Medium | 5.8 | — | 2025-12-11 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load f… |
Themerain · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62100 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in themerain ThemeRain Core themerain-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeRain Core: from n/a through <= 1.1.9. |
Themesinflow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63010 | Medium | 4.9 | — | 2025-12-09 | Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4. |
Themetechmount · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67581 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.0. |
Themeum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63042 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons allows Stored XSS. This issue affects Tutor LMS Elementor Addons: from n/a t… |
Themezaa · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62999 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in themezaa Litho Addons litho-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Litho Addons: from n/a through <= 3.5. |
Themifyme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67533 | High | 7.1 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Portfolio Post themify-portfolio-post allows Stored XSS. This issue affects Themify Portfolio Post: from n/a through <=… |
Thewellnessway · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13971 | Medium | 4.4 | — | 2025-12-12 | The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header' setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. |
Thinkinai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66481 | Critical | 9.6 | — | 2025-12-09 | DeepChat is an open-source AI chat platform that supports cloud models and LLMs. |
Thobian · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13988 | Medium | 6.1 | — | 2025-12-12 | The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. |
Tiny Solutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67520 | High | 7.6 | — | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection. This issue affects Media Library Tools: from n/a through <= 1… |
Tinycontrol · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-53739 | — | — | — | 2025-12-09 | Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. |
Tmus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13889 | Medium | 6.4 | — | 2025-12-12 | The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. |
Toto Link · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13184 | Critical | 9.8 | — | 2025-12-10 | Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). |
Truefy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14161 | Medium | 4.3 | — | 2025-12-12 | The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. |
Trustindex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-9436 | Medium | 6.4 | — | 2025-12-11 | The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escapin… |
Tushar-2223 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14207 | High | 7.3 | — | 2025-12-08 | A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. |
Tychesoftwares · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63024 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date fo… |
Uixthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67567 | Medium | 5.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in uixthemes Sober sober allows Retrieve Embedded Sensitive Data. This issue affects Sober: from n/a through <= 3.5.11. |
Ultimate Member · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67474 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ForumWP: from n/a through <= 2.1.4. |
Umbraco · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66625 | Medium | 4.9 | — | 2025-12-09 | Umbraco is an ASP.NET CMS. |
Usestrict · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67555 | Medium | 5.9 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict UseStrict's Calendly Embedder cal-embedder-lite allows Stored XSS. This issue affects UseStrict's Calendly Embedder: from n/a th… |
Valentin Agachi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49351 | High | 7.1 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Valentin Agachi Create Posts & Terms create-posts-terms allows Stored XSS. This issue affects Create Posts & Terms: from n/a through <= 1.3.1. |
Valerio Monti · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62866 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Valerio Monti Auto Alt Text auto-alt-text allows Cross Site Request Forgery. This issue affects Auto Alt Text: from n/a through <= 2.5.2. |
Vankarwai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66527 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6. |
Vanquish · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67579 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Extra Fields: from n/a through <= 16.8. |
Vexorian · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58286 | — | — | — | 2025-12-11 | dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings. |
Vibethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63035 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. |
Videomerchant · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14390 | High | 8.8 | — | 2025-12-10 | The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. |
Villatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66528 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer… |
Vinod Dalvi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63069 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Vinod Dalvi Ivory Search add-search-to-menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ivory Search: from n/a through <= 5.5.12. |
Virtuaria · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62151 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virtuaria PagBank / PagSeguro pa… |
Vitejs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67489 | Critical | 9.8 | — | 2025-12-09 | @vitejs/plugin-rs provides React Server Components (RSC) support for Vite. |
Walkerwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67552 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WalkerWP Walker Core walker-core allows DOM-Based XSS. This issue affects Walker Core: from n/a through <= 1.3.17. |
Wappointment Team · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67551 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wappointment team Wappointment wappointment allows Stored XSS. This issue affects Wappointment: from n/a through <= 2.6.9. |
Wasiul99 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14129 | Medium | 6.1 | — | 2025-12-12 | The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. |
Wasmi-labs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66627 | High | 8.4 | — | 2025-12-09 | Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. |
Watchtowerhq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13972 | Medium | 4.9 | — | 2025-12-12 | The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. |
Wbcomdesigns · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67582 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in wbcomdesigns Wbcom Designs lock-my-bp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wbcom Designs: from n/a through <= 2.1.1. |
Wealcoder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67540 | Medium | 6.5 | — | 2025-12-09 | Missing Authorization vulnerability in Wealcoder Animation Addons for Elementor animation-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animation Addons for Elementor: from… |
Wearefrank · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66214 | High | 7.0 | — | 2025-12-09 | Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. |
Webba Appointment Booking · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-66530 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Webba Booking: from n/a through <= 6.2.1. |
Webcodingplace · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67562 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in WebCodingPlace Image Caption Hover Pro image-caption-hover-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Caption Hover Pro: from n/a through < 20… |
Webilia Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67560 | Medium | 5.4 | — | 2025-12-09 | Missing Authorization vulnerability in Webilia Inc. |
Webmin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67738 | High | 8.5 | — | 2025-12-11 | squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. |
Webtoffee · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67599 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in WebToffee WebToffee eCommerce Marketing Automation decorator-woocommerce-email-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebToffee eCommerce… |
Wedevs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63008 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through <= 1.16.7. |
Westerndeal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67570 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPForms Google Sheet Connector: from n/a t… |
Widgetpack · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12705 | High | 7.2 | — | 2025-12-09 | The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the 'trim_text' function in all versions up to, and including, 2.5 due to insufficient input sanitization and… |
Windscribe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-65199 | High | 7.8 | — | 2025-12-10 | A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName' parameter of the 'changeMTU' function. |
Wofficeio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67566 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice Core: from n/a through <= 5.4.30. |
Wolfssl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13912 | — | — | — | 2025-12-11 | Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosu… |
Wondercms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58305 | High | 8.8 | — | 2025-12-12 | WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. |
Wp Delicious · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67548 | Medium | 6.5 | — | 2025-12-09 | Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Delicious: from n/a through <= 1.9.1. |
Wp Messiah · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62994 | Medium | 4.3 | — | 2025-12-09 | Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through <= 1.2.7. |
Wp Overnight · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67589 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF… |
Wpchill · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13891 | Medium | 6.5 | — | 2025-12-12 | The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. |
Wpdevart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67574 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking… |
Wpdive · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12830 | Medium | 6.4 | — | 2025-12-12 | The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied att… |
Wpfunnels · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67571 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in WPFunnels WPFunnels wpfunnels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPFunnels: from n/a through <= 3.6.2. |
Wpletsgo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14138 | Medium | 6.1 | — | 2025-12-12 | The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. |
Wpmediadownload · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-62103 | Medium | 4.3 | — | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download media-download allows Cross Site Request Forgery. This issue affects Media Library File Download: from n/a through <= 1.4. |
Wpusermanager · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13320 | Medium | 6.8 | — | 2025-12-12 | The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. |
Xagio Seo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63025 | Medium | 4.3 | — | 2025-12-09 | Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.37. |
Xmbforum2 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-58292 | — | — | — | 2025-12-11 | XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. |
Xpro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63044 | Medium | 6.5 | — | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows DOM-Based XSS. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.1… |
Xtemos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-67568 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Basel: from n/a through <= 5.9.1. |
Yandex Metrika · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63063 | Medium | 5.3 | — | 2025-12-09 | Missing Authorization vulnerability in Yandex Metrika Yandex.Metrica wp-yandex-metrika allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yandex.Metrica: from n/a through <= 1.2.2. |
Yangshare · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14538 | Low | 3.5 | — | 2025-12-11 | A security vulnerability has been detected in yangshare warehouseManager 仓库管理系统 1.1.0. |
Yealink · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14228 | Low | 3.5 | — | 2025-12-08 | A weakness has been identified in Yealink SIP-T21P E2 52.84.0.15. |
Yottamaster · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14224 | Medium | 4.3 | — | 2025-12-08 | A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. |
Ysh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13906 | Medium | 6.4 | — | 2025-12-12 | The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linechart' shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user supplied at… |
Yuvalo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-63009 | Medium | 5.3 | — | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in yuvalo WP Google Analytics Events wp-google-analytics-events allows Retrieve Embedded Sensitive Data. This issue affects WP Google Analytics Events… |
Zealopensource · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-12834 | Medium | 6.1 | — | 2025-12-12 | The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and outpu… |