Patch Tuesday — December 2025

2025-12-09 · 1607 CVEs

CVEs published or modified the week of 2025-12-09, partitioned by vendor.

Microsoft (87 CVEs)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14174 | High | 8.8 | KEV | 2025-12-12 | Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.
CVE-2025-44016 | High | 8.8 | | 2025-12-11 | A vulnerability in TeamViewer DEX Client (former 1E client) - Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to bypass file integrity validation via a crafted request.
CVE-2025-64678 | High | 8.8 | | 2025-12-09 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.
CVE-2025-64672 | High | 8.8 | | 2025-12-09 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2025-62550 | High | 8.8 | | 2025-12-09 | Out-of-bounds write in Azure Monitor Agent allows an authorized attacker to execute code over a network.
CVE-2025-62549 | High | 8.8 | | 2025-12-09 | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.
CVE-2025-62456 | High | 8.8 | | 2025-12-09 | Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network.
CVE-2025-64671 | High | 8.4 | | 2025-12-09 | Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally.
CVE-2025-62557 | High | 8.4 | | 2025-12-09 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-62554 | High | 8.4 | | 2025-12-09 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2025-64669 | High | 7.8 | | 2025-12-11 | Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.
CVE-2025-55314 | High | 7.8 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2.
CVE-2025-55313 | High | 7.8 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2.
CVE-2025-55312 | High | 7.8 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2.
CVE-2025-64899 | High | 7.8 | | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an alloc…
CVE-2025-64785 | High | 7.8 | | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the curr…
CVE-2025-64783 | High | 7.8 | | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-64680 | High | 7.8 | | 2025-12-09 | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CVE-2025-64679 | High | 7.8 | | 2025-12-09 | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CVE-2025-64673 | High | 7.8 | | 2025-12-09 | Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-64661 | High | 7.8 | | 2025-12-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.
CVE-2025-62572 | High | 7.8 | | 2025-12-09 | Out-of-bounds read in Application Information Services allows an authorized attacker to elevate privileges locally.
CVE-2025-62571 | High | 7.8 | | 2025-12-09 | Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally.
CVE-2025-62564 | High | 7.8 | | 2025-12-09 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62563 | High | 7.8 | | 2025-12-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62562 | High | 7.8 | | 2025-12-09 | Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.
CVE-2025-62561 | High | 7.8 | | 2025-12-09 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62560 | High | 7.8 | | 2025-12-09 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62559 | High | 7.8 | | 2025-12-09 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2025-62558 | High | 7.8 | | 2025-12-09 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2025-62556 | High | 7.8 | | 2025-12-09 | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62553 | High | 7.8 | | 2025-12-09 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62552 | High | 7.8 | | 2025-12-09 | Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally.
CVE-2025-62474 | High | 7.8 | | 2025-12-09 | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
CVE-2025-62472 | High | 7.8 | | 2025-12-09 | Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
CVE-2025-62470 | High | 7.8 | | 2025-12-09 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-62467 | High | 7.8 | | 2025-12-09 | Integer overflow or wraparound in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2025-62466 | High | 7.8 | | 2025-12-09 | Null pointer dereference in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally.
CVE-2025-62464 | High | 7.8 | | 2025-12-09 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2025-62462 | High | 7.8 | | 2025-12-09 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2025-62461 | High | 7.8 | | 2025-12-09 | Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-62458 | High | 7.8 | | 2025-12-09 | Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2025-62457 | High | 7.8 | | 2025-12-09 | Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-62455 | High | 7.8 | | 2025-12-09 | Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally.
CVE-2025-62454 | High | 7.8 | | 2025-12-09 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-62221 | High | 7.8 | KEV | 2025-12-09 | Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-59517 | High | 7.8 | | 2025-12-09 | Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-59516 | High | 7.8 | | 2025-12-09 | Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-55233 | High | 7.8 | | 2025-12-09 | Out-of-bounds read in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2025-54100 | High | 7.8 | | 2025-12-09 | Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.
CVE-2025-59802 | High | 7.5 | | 2025-12-11 | Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via OCG.
CVE-2025-64666 | High | 7.5 | | 2025-12-09 | Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
CVE-2025-64658 | High | 7.5 | | 2025-12-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.
CVE-2025-55310 | High | 7.3 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2.
CVE-2025-62565 | High | 7.3 | | 2025-12-09 | Use after free in Windows Shell allows an authorized attacker to elevate privileges locally.
CVE-2025-64893 | High | 7.1 | | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure or application denial of service.
CVE-2025-64784 | High | 7.1 | | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure or application denial of service.
CVE-2025-62570 | High | 7.1 | | 2025-12-09 | Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally.
CVE-2025-62573 | High | 7.0 | | 2025-12-09 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
CVE-2025-62569 | High | 7.0 | | 2025-12-09 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
CVE-2025-62555 | High | 7.0 | | 2025-12-09 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2025-62469 | High | 7.0 | | 2025-12-09 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
CVE-2025-13670 | Medium | 6.7 | | 2025-12-12 | The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability.
CVE-2025-13669 | Medium | 6.7 | | 2025-12-12 | Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking. This issue affects High Level Synthesis Compiler: from 19.1 through 24.3.
CVE-2025-13665 | Medium | 6.7 | | 2025-12-12 | The System Console Utility for Windows is vulnerable to a DLL planting vulnerability.
CVE-2025-13668 | Medium | 6.7 | | 2025-12-11 | A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege.
CVE-2025-13664 | Medium | 6.7 | | 2025-12-11 | A potential security vulnerability in Quartus® Prime Standard Edition Design Software may allow escalation of privilege.
CVE-2025-13663 | Medium | 6.7 | | 2025-12-11 | Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists.
CVE-2025-55309 | Medium | 6.7 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2.
CVE-2025-55308 | Medium | 6.7 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2.
CVE-2025-55311 | Medium | 6.5 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2.
CVE-2025-12687 | Medium | 6.5 | | 2025-12-11 | A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to cause a denial of service (application crash) via a crafted command, re…
CVE-2025-64670 | Medium | 6.5 | | 2025-12-09 | Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network.
CVE-2025-62473 | Medium | 6.5 | | 2025-12-09 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-62465 | Medium | 6.5 | | 2025-12-09 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.
CVE-2025-62463 | Medium | 6.5 | | 2025-12-09 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.
CVE-2025-14372 | Medium | 6.1 | | 2025-12-12 | Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2025-64894 | Medium | 5.5 | | 2025-12-09 | DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service.
CVE-2025-62468 | Medium | 5.5 | | 2025-12-09 | Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally.
CVE-2025-59803 | Medium | 5.3 | | 2025-12-11 | Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via triggers.
CVE-2025-64667 | Medium | 5.3 | | 2025-12-09 | User interface (UI) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-62567 | Medium | 5.3 | | 2025-12-09 | Integer underflow (wrap or wraparound) in Windows Hyper-V allows an authorized attacker to deny service over a network.
CVE-2025-14373 | Medium | 4.3 | | 2025-12-12 | Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2025-46266 | Medium | 4.3 | | 2025-12-11 | A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP a…
CVE-2025-55307 | Low | 3.3 | | 2025-12-11 | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2.
CVE-2025-64787 | Low | 3.3 | | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass.
CVE-2025-64786 | Low | 3.3 | | 2025-12-09 | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass.

Other vendors (1520 CVEs across 529 vendors)

Linux · 235 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-40345 | | | | 2025-12-12 | In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin - Automated Vulnerability Discovery Engine.
CVE-2025-40344 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work se…
CVE-2025-40343 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid scheduling association deletion twice When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_po…
CVE-2025-40342 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nvme-fc: use lock accessing port_state and rport state nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active a…
CVE-2025-40341 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to…
CVE-2025-40340 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.
CVE-2025-40339 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix nullptr err of vm_handle_moved If an amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL.
CVE-2025-40338 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Do not share the name pointer between components By sharing 'name' directly, tearing down components may lead to use-after-free errors.
CVE-2025-40337 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Correctly handle Rx checksum offload errors The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload…
CVE-2025-40336 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/gpusvm: fix hmm_pfn_to_map_order() usage Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing someth…
CVE-2025-40335 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq input args This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.
CVE-2025-40334 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq buffer virtual address and size It needs to validate the userq object virtual address to determine whether it is resident in a valid vm mapp…
CVE-2025-40333 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix infinite loop in __insert_extent_tree() When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_…
CVE-2025-40332 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix mmap write lock not release If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls…
CVE-2025-40331 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: sctp: Prevent TOCTOU out-of-bounds write For the following path not holding the sock lock, sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() make sure n…
CVE-2025-40330 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Shutdown FW DMA in bnxt_shutdown() The netif_close() call in bnxt_shutdown() only stops packet DMA.
CVE-2025-40329 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb The Mesa issue referenced below pointed out a possible deadlock: [ 1231.611031] Possible interrupt unsafe lock…
CVE-2025-40328 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but…
CVE-2025-40327 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix system hang caused by cpu-clock usage cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commi…
CVE-2023-53866 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-compress: Reposition and add pcm_mutex If panic_on_warn is set and compress stream(DPCM) is started, then kernel panic occurred because card->pcm_mutex isn't h…
CVE-2023-53865 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix warning when putting transaction with qgroups enabled after abort If we have a transaction abort with qgroups enabled we get a warning triggered when doing th…
CVE-2023-53864 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() When disabling overlay plane in mxsfb_plane_overlay_atomic_update(), overlay plane's framebuffer…
CVE-2023-53863 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: netlink: do not hard code device address length in fdb dumps syzbot reports that some netdev devices do not have a six bytes address [1] Replace ETH_ALEN by dev->addr_le…
CVE-2023-53862 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: hfs: fix missing hfs_bnode_get() in __hfs_bnode_create Syzbot found a kernel BUG in hfs_bnode_put(): kernel BUG at fs/hfs/bnode.c:466!
CVE-2023-53861 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: correct grp validation in ext4_mb_good_group Group corruption check will access memory of grp and will trigger kernel crash if grp is NULL.
CVE-2023-53860 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: dm: don't attempt to queue IO under RCU protection dm looks up the table for IO based on the request type, with an assumption that if the request is marked REQ_NOWAIT, i…
CVE-2023-53859 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: s390/idle: mark arch_cpu_idle() noinstr linux-next commit ("cpuidle: tracing: Warn about !rcu_is_watching()") adds a new warning which hits on s390's arch_cpu_idle() fun…
CVE-2023-53858 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error If clk_get_rate() fails, the clk that has just been allocated needs to be freed.
CVE-2023-53857 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_sk_storage: Fix invalid wait context lockdep report './test_progs -t test_local_storage' reported a splat: [ 27.137569] ============================= [ 27…
CVE-2023-53856 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: of: overlay: Call of_changeset_init() early When of_overlay_fdt_apply() fails, the changeset may be partially applied, and the caller is still expected to call of_overla…
CVE-2023-53855 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver…
CVE-2023-53854 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8186: Fix use-after-free in driver remove path When devm runs function in the "remove" path for a device it runs them in the reverse order.
CVE-2023-53853 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: netlink: annotate accesses to nlk->cb_running Both netlink_recvmsg() and netlink_native_seq_show() read nlk->cb_running locklessly.
CVE-2023-53852 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_secret_store Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return fix following kmemleak:- unreferenced object 0…
CVE-2023-53851 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Drop aux devices together with DP controller Using devres to depopulate the aux bus made sure that upon a probe deferral the EDP panel device would be destro…
CVE-2023-53850 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: iavf: use internal state to free traffic IRQs If the system tries to close the netdev while iavf_reset_task() is running, __LINK_STATE_START will be cleared and netif_ru…
CVE-2023-53849 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix workqueue leak on bind errors Make sure to destroy the workqueue also in case of early errors during bind (e.g.
CVE-2023-53848 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: md/raid5-cache: fix a deadlock in r5l_exit_log() Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing work") introduced a new problem: // caller hold re…
CVE-2023-53847 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Fix uninit-value in alauda_check_media() Syzbot got KMSAN to complain about access to an uninitialized value in the alauda subdriver of usb-storage…
CVE-2023-53846 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on direct node in truncate_dnode() syzbot reports below bug: BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14…
CVE-2023-53845 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix infinite loop in nilfs_mdt_get_block() If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata…
CVE-2023-53844 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don't leak a resource on swapout move error If moving the bo to system for swapout failed, we were leaking a resource.
CVE-2023-53843 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: reject negative ifindex Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned if…
CVE-2023-53842 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove The MBHC resources must be released on component probe failure and removal so can not be tied to the li…
CVE-2023-53841 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: devlink: report devlink_port_type_warn source device devlink_port_type_warn is scheduled for port devlink and warning when the port type is not set.
CVE-2023-53840 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: usb: early: xhci-dbc: Fix a potential out-of-bound memory access If xdbc_bulk_write() fails, the values in 'buf' can be anything.
CVE-2023-53839 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: dccp: fix data-race around dp->dccps_mss_cache dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
CVE-2023-53838 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: synchronize atomic write aborts To fix a race condition between atomic write aborts, I use the inode lock and make COW inode to be re-usable throughout the whole …
CVE-2023-53837 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on snapshot tear down In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be…
CVE-2023-53836 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix skb refcnt race after locking changes There is a race where skb's from the sk_psock_backlog can be referenced after userspace side has already skb_cons…
CVE-2023-53834 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: iio: adc: ina2xx: avoid NULL pointer dereference on OF device match The affected lines were resulting in a NULL pointer dereference on our platform because the device tr…
CVE-2023-53833 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL ptr deref by checking new_crtc_state intel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn't obtained previously with intel_atomic_g…
CVE-2023-53832 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref in raid10_sync_request init_resync() inits mempool and sets conf->have_replacement at the beginning of sync, close_sync() frees the mempool…
CVE-2023-53831 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: read sk->sk_family once in sk_mc_loop() syzbot is playing with IPV6_ADDRFORM quite a lot these days, and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() We have…
CVE-2023-53830 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix memory leak when showing current settings When retrieving an item string with tlmi_setting(), the result has to be freed using kfree().
CVE-2023-53829 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: f2fs: flush inode if atomic file is aborted Let's flush the inode being aborted atomic operation to avoid stale dirty inode during eviction in this call stack: f2fs_m…
CVE-2023-53828 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() KSAN reports use-after-free in hci_add_adv_monitor().
CVE-2023-53827 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"), just…
CVE-2023-53826 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() Wear-leveling entry could be freed in error path, which may be accessed again in eraseblk_count_seq_show()…
CVE-2023-53825 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
CVE-2023-53824 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: netlink: annotate lockless accesses to nlk->max_recvmsg_len syzbot reported a data-race in netlink_recvmsg() [1] Indeed, netlink_recvmsg() can be run concu…
CVE-2023-53823 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: block/rq_qos: protect rq_qos apis with a new lock commit 50e34d78815e ("block: disable the elevator int del_gendisk") move rq_qos_exit() from disk_release() to del_gendi…
CVE-2023-53822 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Ignore frags from uninitialized peer in dp.
CVE-2023-53821 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix slab-use-after-free in decode_session6 When ipv6_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueui…
CVE-2023-53820 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: loop: loop_set_status_from_info() check before assignment In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should be checked before reassignment, becau…
CVE-2022-50679 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: i40e: Fix DMA mappings leak During reallocation of RX buffers, new DMA mappings are created for those buffers.
CVE-2022-50678 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting random MAC address and causes invalid address access when…
CVE-2022-50677 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ipmi: fix use after free in _ipmi_destroy_user() The intf_free() function frees the "intf" pointer so we cannot dereference it again on the next line.
CVE-2022-50676 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for commit ac361…
CVE-2022-50675 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_t…
CVE-2022-50674 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: riscv: vdso: fix NULL dereference in vdso_join_timens() when vfork Testing tools/testing/selftests/timens/vfork_exec.c got below kernel log: [ 6.838454] Unable to hand…
CVE-2022-50673 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught an issue as follows: ================================================================== BUG: KASAN: use-after-fr…
CVE-2022-50672 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynq-ipi: fix error handling while device_register() fails If device_register() fails, it has two issues: 1.
CVE-2022-50671 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix "kernel NULL pointer dereference" error When rxe_queue_init in the function rxe_qp_init_req fails, both qp->req.task.func and qp->req.task.arg are not init…
CVE-2022-50670 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: mmc: omap_hsmmc: fix return value check of mmc_add_host() mmc_add_host() may return error; if we ignore its return value, it will lead to two issues: 1.
CVE-2022-50669 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible name leak in ocxl_file_register_afu() If device_register() returns error in ocxl_file_register_afu(), the name allocated by dev_set_name() need…
CVE-2022-50668 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock due to mbcache entry corruption When manipulating xattr blocks, we can deadlock infinitely looping inside ext4_xattr_block_set() where we constantly k…
CVE-2022-50667 | | | | 2025-12-09 | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl() If the copy of the description string from userspace fails, then the page for the instance descriptor doesn't get…
CVE-2022-506662025-12-09In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix QP destroy to wait for all references dropped.
CVE-2022-506652025-12-09In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected It has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(), as below, it will…
CVE-2022-506642025-12-09In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: fix leak of memory fw
CVE-2022-506632025-12-09In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix possible memory leak in stmmac_dvr_probe() The bitmap_free() should be called to free priv->af_xdp_zc_qps when create_singlethread_workqueue() fails, ot…
CVE-2022-506622025-12-09In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: fix memory leak in hns_roce_alloc_mr() When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not released.
CVE-2022-506612025-12-09In the Linux kernel, the following vulnerability has been resolved: seccomp: Move copy_seccomp() to no failure path.
CVE-2022-506602025-12-09In the Linux kernel, the following vulnerability has been resolved: wifi: ipw2200: fix memory leak in ipw_wdev_init() In the error path of ipw_wdev_init(), exception value is returned, and the memory applied for in the function is not re…
CVE-2022-506592025-12-09In the Linux kernel, the following vulnerability has been resolved: hwrng: geode - Fix PCI device refcount leak for_each_pci_dev() is implemented by pci_get_device().
CVE-2022-506582025-12-09In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix memory leak in error path If for some reason the speedbin length is incorrect, then there is a memory leak in the error path because we never free the…
CVE-2022-506572025-12-09In the Linux kernel, the following vulnerability has been resolved: riscv: mm: add missing memcpy in kasan_init Hi Atish, It seems that the panic is due to the missing memcpy during kasan_init.
CVE-2023-538192025-12-09In the Linux kernel, the following vulnerability has been resolved: amdgpu: validate offset_in_bo of drm_amdgpu_gem_va This is motivated by OOB access in amdgpu_vm_update_range when offset_in_bo+map_size overflows.
CVE-2023-538182025-12-09In the Linux kernel, the following vulnerability has been resolved: ARM: zynq: Fix refcount leak in zynq_early_slcr_init of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on error pat…
CVE-2023-538172025-12-09In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie Hellman…
CVE-2023-538162025-12-09In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: fix potential kgd_mem UAFs kgd_mem pointers returned by kfd_process_device_translate_handle are only guaranteed to be valid while p->mutex is held.
CVE-2023-538152025-12-09In the Linux kernel, the following vulnerability has been resolved: posix-timers: Prevent RT livelock in itimer_delete() itimer_delete() has a retry loop when the timer is concurrently expired.
CVE-2023-538142025-12-09In the Linux kernel, the following vulnerability has been resolved: PCI: Fix dropping valid root bus resources with .end = zero On r8a7791/koelsch: kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/k…
CVE-2023-538132025-12-09In the Linux kernel, the following vulnerability has been resolved: ext4: fix rbtree traversal bug in ext4_mb_use_preallocated During allocations, while looking for preallocations(PA) in the per inode rbtree, we can't do a direct travers…
CVE-2023-538122025-12-09In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix decoder disable pm crash Can't call pm_runtime_disable when the architecture support sub device for 'dev->pm.dev' is NUll, or will get below…
CVE-2023-538112025-12-09In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Cap MSIX used to online CPUs + 1 The irdma driver can use a maximum number of msix vectors equal to num_online_cpus() + 1 and the kernel warning stack below…
CVE-2023-538102025-12-09In the Linux kernel, the following vulnerability has been resolved: blk-mq: release crypto keyslot before reporting I/O complete Once all I/O using a blk_crypto_key has completed, filesystems can call blk_crypto_evict_key().
CVE-2023-538092025-12-09In the Linux kernel, the following vulnerability has been resolved: l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register() When a file descriptor of pppol2tp socket is passed as file descriptor of UDP socket, a recursive deadl…
CVE-2023-538082025-12-09In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() Always free the zeroed page on return from 'mwifiex_histogram_read()'.
CVE-2023-538072025-12-09In the Linux kernel, the following vulnerability has been resolved: clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider() Smatch detected this potential error pointer dereference clk_wzrd_register_divider().
CVE-2023-538062025-12-09In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: populate subvp cmd info only for the top pipe [Why] System restart observed while changing the display resolution to 8k with extended mode.
CVE-2023-538042025-12-09In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer…
CVE-2023-538032025-12-09In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() A fix for: BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses] Read of size…
CVE-2023-538022025-12-09In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function It is stated that ath9k_htc_rx_msg() either frees the provided skb or passes its ma…
CVE-2023-538012025-12-09In the Linux kernel, the following vulnerability has been resolved: iommu/sprd: Release dma buffer to avoid memory leak When attaching to a domain, the driver would alloc a DMA buffer which is used to store address mapping table, and it…
CVE-2023-538002025-12-09In the Linux kernel, the following vulnerability has been resolved: ubi: Fix use-after-free when volume resizing failed There is an use-after-free problem reported by KASAN: =============================================================…
CVE-2023-537992025-12-09In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in crypto_destroy_instance The function crypto_drop_spawn expects to be called in process context.
CVE-2023-537982025-12-09In the Linux kernel, the following vulnerability has been resolved: ethtool: Fix uninitialized number of lanes It is not possible to set the number of lanes when setting link modes using the legacy IOCTL ethtool interface.
CVE-2023-537972025-12-09In the Linux kernel, the following vulnerability has been resolved: HID: wacom: Use ktime_t rather than int when dealing with timestamps Code which interacts with timestamps needs to use the ktime_t type returned by functions like ktime_…
CVE-2023-537962025-12-09In the Linux kernel, the following vulnerability has been resolved: f2fs: fix information leak in f2fs_move_inline_dirents() When converting an inline directory to a regular one, f2fs is leaking uninitialized memory to disk because it do…
CVE-2023-537952025-12-09In the Linux kernel, the following vulnerability has been resolved: iommufd: IOMMUFD_DESTROY should not increase the refcount syzkaller found a race where IOMMUFD_DESTROY increments the refcount: obj = iommufd_get_object(ucmd->ic…
CVE-2023-537942025-12-09In the Linux kernel, the following vulnerability has been resolved: cifs: fix session state check in reconnect to avoid use-after-free issue Don't collect exiting session in smb2_reconnect_server(), because it will be released soon.
CVE-2023-537932025-12-09In the Linux kernel, the following vulnerability has been resolved: perf tool x86: Fix perf_env memory leak Found by leak sanitizer: ``` ==1632594==ERROR: LeakSanitizer: detected memory leaks Direct leak of 21 byte(s) in 1 object(s) all…
CVE-2023-537922025-12-09In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_ctrl_secret Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we return when nvme_auth_generate_key() returns error.
CVE-2023-537912025-12-09In the Linux kernel, the following vulnerability has been resolved: md: fix warning for holder mismatch from export_rdev() Commit a1d767191096 ("md: use mddev->external to select holder in export_rdev()") fix the problem that 'claim_rdev…
CVE-2023-537902025-12-09In the Linux kernel, the following vulnerability has been resolved: bpf: Zeroing allocated object from slab in bpf memory allocator Currently the freed element in bpf memory allocator may be immediately reused, for htab map the reuse wil…
CVE-2023-537892025-12-09In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Improve page fault error reporting If IOMMU domain for device group is not setup properly then we may hit IOMMU page fault.
CVE-2023-537882025-12-09In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() tuning_ctl_set() might have buffer overrun at (X) if it didn't break from loop by matching (A).
CVE-2023-537872025-12-09In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: fix null pointer deref with partial DT config When some of the da9063 regulators do not have corresponding DT nodes a null pointer dereference occurs…
CVE-2023-537862025-12-09In the Linux kernel, the following vulnerability has been resolved: dm flakey: fix a crash with invalid table line This command will crash with NULL pointer dereference: dmsetup create flakey --table \ "0 `blockdev --getsize /dev/ram0…
CVE-2023-537852025-12-09In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: don't assume adequate headroom for SDIO headers mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and mt7921_skb_add_usb_sdio_hdr(), both…
CVE-2023-537842025-12-09In the Linux kernel, the following vulnerability has been resolved: drm: bridge: dw_hdmi: fix connector access for scdc Commit 5d844091f237 ("drm/scdc-helper: Pimp SCDC debugs") changed the scdc interface to pick up an i2c adapter from a…
CVE-2023-537832025-12-09In the Linux kernel, the following vulnerability has been resolved: blk-iocost: fix divide by 0 error in calc_lcoefs() echo max of u64 to cost.model can cause divide by 0 error.
CVE-2023-537822025-12-09In the Linux kernel, the following vulnerability has been resolved: dccp: Fix out of bounds access in DCCP error handler There was a previous attempt to fix an out-of-bounds access in the DCCP error handlers, but that fix assumed that th…
CVE-2023-537812025-12-09In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler().
CVE-2023-537802025-12-09In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix FCLK pstate change underflow [Why] Currently we set FCLK p-state change watermark calculated based on dummy p-state latency when UCLK p-state is not…
CVE-2023-537782025-12-09In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Clean up integer overflow checking in map_user_pages() The encode_dma() function has some validation on in_trans->size but it would be more clear to move tho…
CVE-2023-537772025-12-09In the Linux kernel, the following vulnerability has been resolved: erofs: kill hooked chains to avoid loops on deduplicated compressed images After heavily stressing EROFS with several images which include a hand-crafted image of repeat…
CVE-2022-506562025-12-09In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Clear nfc_target before being used Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, whic…
CVE-2022-506552025-12-09In the Linux kernel, the following vulnerability has been resolved: ppp: associate skb with a device at tx Syzkaller triggered flow dissector warning with the following: r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x…
CVE-2022-506542025-12-09In the Linux kernel, the following vulnerability has been resolved: bpf: Fix panic due to wrong pageattr of im->image In the scenario where livepatch and kretfunc coexist, the pageattr of im->image is rox after arch_prepare_bpf_trampolin…
CVE-2022-506532025-12-09In the Linux kernel, the following vulnerability has been resolved: mmc: atmel-mci: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1.
CVE-2022-506522025-12-09In the Linux kernel, the following vulnerability has been resolved: uio: uio_dmem_genirq: Fix missing unlock in irq configuration Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") started call…
CVE-2022-506512025-12-09In the Linux kernel, the following vulnerability has been resolved: ethtool: eeprom: fix null-deref on genl_info in dump The similar fix as commit 46cdedf2a0fa ("ethtool: pse-pd: fix null-deref on genl_info in dump") is also needed for e…
CVE-2022-506502025-12-09In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference state management for synchronous callbacks Currently, verifier verifies callback functions (sync and async) as if they will be executed once, (i.e.
CVE-2022-506492025-12-09In the Linux kernel, the following vulnerability has been resolved: power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length of 8, but adp5061_chg_…
CVE-2022-506482025-12-09In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller Naveen reported recursive locking of direct_mutex with sample ftrace-direct-modify.ko: [ 74…
CVE-2022-506472025-12-09In the Linux kernel, the following vulnerability has been resolved: RISC-V: Make port I/O string accessors actually work Fix port I/O string accessors such as `insb', `outsb', etc.
CVE-2022-506462025-12-09In the Linux kernel, the following vulnerability has been resolved: scsi: hpsa: Fix possible memory leak in hpsa_init_one() The hpda_alloc_ctlr_info() allocates h and its field reply_map.
CVE-2022-506452025-12-09In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented, so it doe…
CVE-2022-506442025-12-09In the Linux kernel, the following vulnerability has been resolved: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe pm_runtime_get_sync() will increment pm usage counter.
CVE-2022-506432025-12-09In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_copy_file_range() If the file is used by swap, before return -EOPNOTSUPP, should free the xid, otherwise, the xid will be leaked.
CVE-2022-506422025-12-09In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: zero out stale pointers `cros_typec_get_switch_handles` allocates four pointers when obtaining type-c switch handles.
CVE-2022-506412025-12-09In the Linux kernel, the following vulnerability has been resolved: HSI: omap_ssi: Fix refcount leak in ssi_probe When returning or breaking early from a for_each_available_child_of_node() loop, we need to explicitly call of_node_put() o…
CVE-2022-506402025-12-09In the Linux kernel, the following vulnerability has been resolved: mmc: core: Fix kernel panic when remove non-standard SDIO card SDIO tuple is only allocated for standard SDIO card, especially it causes memory corruption issues when th…
CVE-2022-506392025-12-09In the Linux kernel, the following vulnerability has been resolved: io-wq: Fix memory leak in worker creation If the CPU mask allocation for a node fails, then the memory allocated for the 'io_wqe' struct of the current node doesn't get…
CVE-2022-506382025-12-09In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad boot loader inode We got a issue as fllows: ================================================================== kernel…
CVE-2022-506372025-12-09In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() If "cpu_dev" fails to get opp table in qcom_cpufreq_hw_read_lut(), the program will return, resulting in…
CVE-2022-506362025-12-09In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_device_is_present() for VFs by checking PF pci_device_is_present() previously didn't work for VFs because it reads the Vendor and Device ID, which are 0xfff…
CVE-2022-506352025-12-09In the Linux kernel, the following vulnerability has been resolved: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() I found a null pointer reference in arch_prepare_kprobe(): # echo 'p cmdline_proc_show' > kprobe_…
CVE-2022-506342025-12-09In the Linux kernel, the following vulnerability has been resolved: power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe() cw_bat_probe() calls create_singlethread_workqueue() and not checked the ret value, which may retur…
CVE-2022-506332025-12-09In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init of_icc_get() alloc resources for path handle, we should release it when not need anymore.
CVE-2022-506322025-12-09In the Linux kernel, the following vulnerability has been resolved: drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init() tad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_drive…
CVE-2022-506312025-12-09In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec: Fix memory leak of fdt buffer This is reported by kmemleak detector: unreferenced object 0xff60000082864000 (size 9588): comm "kexec", pid 146, jiffies…
CVE-2023-537692025-12-08In the Linux kernel, the following vulnerability has been resolved: virt/coco/sev-guest: Double-buffer messages The encryption algorithms read and write directly to shared unencrypted memory, which may leak information as well as permit…
CVE-2023-537682025-12-08In the Linux kernel, the following vulnerability has been resolved: regmap-irq: Fix out-of-bounds access when allocating config buffers When allocating the 2D array for handling IRQ type registers in regmap_add_irq_chip_fwnode(), the int…
CVE-2023-537672025-12-08In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_qmi_driver_event_work() Currently the buffer pointed by event is not freed in case ATH12K_FLAG_UNREGISTERING bit is set, this cau…
CVE-2023-537662025-12-08In the Linux kernel, the following vulnerability has been resolved: FS: JFS: Check for read-only mounted filesystem in txBegin This patch adds a check for read-only mounted filesystem in txBegin before starting a transaction potentiall…
CVE-2023-537652025-12-08In the Linux kernel, the following vulnerability has been resolved: dm cache: free background tracker's queued work in btracker_destroy Otherwise the kernel can BUG with: [ 2245.426978] ==================================================…
CVE-2023-537642025-12-08In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Handle lock during peer_id find ath12k_peer_find_by_id() requires that the caller hold the ab->base_lock.
CVE-2023-537632025-12-08In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: fix to do sanity check on extent cache correctly" syzbot reports a f2fs bug as below: UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:19 index 140…
CVE-2023-537622025-12-08In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a cont…
CVE-2023-537612025-12-08In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Fix direction for 0-length ioctl control messages The syzbot fuzzer found a problem in the usbtmc driver: When a user submits an ioctl for a 0-length contro…
CVE-2023-537602025-12-08In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: mcq: Fix &hwq->cq_lock deadlock issue When ufshcd_err_handler() is executed, CQ event interrupt can enter waiting for the same lock.
CVE-2023-537592025-12-08In the Linux kernel, the following vulnerability has been resolved: HID: hidraw: fix data race on device refcount The hidraw_open() function increments the hidraw device reference counter.
CVE-2023-537582025-12-08In the Linux kernel, the following vulnerability has been resolved: spi: atmel-quadspi: Free resources even if runtime resume failed in .remove() An early error exit in atmel_qspi_remove() doesn't prevent the device unbind.
CVE-2023-537572025-12-08In the Linux kernel, the following vulnerability has been resolved: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe of_irq_find_parent() returns a node pointer with refcount incremented, We should use of_node_put() on it wh…
CVE-2023-537562025-12-08In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Fix crash due to uninitialized current_vmcs KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as a nested hypervisor on top of Hyper-V.
CVE-2023-537552025-12-08In the Linux kernel, the following vulnerability has been resolved: dmaengine: ptdma: check for null desc before calling pt_cmd_callback Resolves a panic that can occur on AMD systems, typically during host shutdown, after the PTDMA driv…
CVE-2023-537542025-12-08In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup() When if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4) returns false, drbl_regs_memmap_p is no…
CVE-2023-537532025-12-08In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix mapping to non-allocated address [Why] There is an issue mapping non-allocated location of memory.
CVE-2023-537522025-12-08In the Linux kernel, the following vulnerability has been resolved: net: deal with integer overflows in kmalloc_reserve() Blamed commit changed: ptr = kmalloc(size); if (ptr) size = ksize(ptr); size = kmalloc_size_roun…
CVE-2023-537512025-12-08In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname TCP_Server_Info::hostname may be updated once or many times during reconnect, so protect its access…
CVE-2023-537502025-12-08In the Linux kernel, the following vulnerability has been resolved: pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 The config passed in by pad wakeup is 1, when num_configs is 1, Configuration [1] should not be fetc…
CVE-2023-537482025-12-08In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup variable *nplanes is provided by user via system call argument.
CVE-2023-537472025-12-08In the Linux kernel, the following vulnerability has been resolved: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF After a call to console_unlock() in vcs_write() the vc_data struct can be freed by vc_port_d…
CVE-2023-537462025-12-08In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: fix memory leak in vfio_ap device driver The device release callback function invoked to release the matrix device uses the dev_get_drvdata(device *dev) fu…
CVE-2023-537452025-12-08In the Linux kernel, the following vulnerability has been resolved: um: vector: Fix memory leak in vector_config If the return value of the uml_parse_vector_ifspec function is NULL, we should call kfree(params) to prevent memory leak.
CVE-2023-537442025-12-08In the Linux kernel, the following vulnerability has been resolved: soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe wkup_m3_ipc_get() takes refcount, which should be freed by wkup_m3_ipc_put().
CVE-2023-537432025-12-08In the Linux kernel, the following vulnerability has been resolved: PCI: Free released resource after coalescing release_resource() doesn't actually free the resource or resource list entry so free the resource list entry to avoid a leak.
CVE-2023-537422025-12-08In the Linux kernel, the following vulnerability has been resolved: kcsan: Avoid READ_ONCE() in read_instrumented_memory() Haibo Li reported: | Unable to handle kernel paging request at virtual address | ffffff802a0d8d7171 | Mem ab…
CVE-2022-506302025-12-08In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: fix UAF in hugetlb_handle_userfault The vma_lock and hugetlb_fault_mutex are dropped before handling userfault and reacquire them again after handle_userfau…
CVE-2022-506292025-12-08In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory leak in rsi_coex_attach() The coex_cb needs to be freed when rsi_create_kthread() failed in rsi_coex_attach().
CVE-2022-506282025-12-08In the Linux kernel, the following vulnerability has been resolved: drm/gud: Fix UBSAN warning UBSAN complains about invalid value for bool: [ 101.165172] [drm] Initialized gud 1.0.0 20200422 for 2-3.2:1.0 on minor 1 [ 101.213360] gud…
CVE-2022-506272025-12-08In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix monitor mode bringup crash When the interface is brought up in monitor mode, it leads to NULL pointer dereference crash.
CVE-2022-506262025-12-08In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Syzbot reports a memory leak in "dvb_usb_adapter_init()".
CVE-2022-506252025-12-08In the Linux kernel, the following vulnerability has been resolved: serial: amba-pl011: avoid SBSA UART accessing DMACR register Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART…
CVE-2022-506242025-12-08In the Linux kernel, the following vulnerability has been resolved: net: netsec: fix error handling in netsec_register_mdio() If phy_device_register() fails, phy_device_free() need be called to put refcount, so memory of phy device and d…
CVE-2022-506232025-12-08In the Linux kernel, the following vulnerability has been resolved: fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit systems leading to memory corruption.
CVE-2022-50622 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential memory leak in ext4_fc_record_modified_inode() As krealloc may return NULL, in this case 'state->fc_modified_inodes' may not be freed by krealloc, bu…
CVE-2022-50621 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: dm: verity-loadpin: Only trust verity targets with enforcement Verity targets can be configured to ignore corrupted data blocks.
CVE-2022-50620 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to invalidate dcc->f2fs_issue_discard in error path Syzbot reports a NULL pointer dereference issue as below: __refcount_add include/linux/refcount.h:193 [in…
CVE-2022-50619 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr() If the number of pages from the userptr BO differs from the SG BO then the allocated memory for the SG table does…
CVE-2022-50618 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: mmc: meson-gx: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1.
CVE-2022-50617 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/powerplay/psm: Fix memory leak in power state init Commit 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power state init") made the power state…
CVE-2022-50616 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: regulator: core: Use different devices for resource allocation and DT lookup Following the discussion below, there is a potential UAF issue between regulator and mfd.
CVE-2022-50615 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() pci_get_device() will increase the reference count for the returned pci_dev, so snr_uncore_get_m…
CVE-2022-50614 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic The dma_map_single() doesn't permit zero length mapping.
CVE-2022-50583 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: md/raid0, raid10: Don't set discard sectors for request queue It should use disk_stack_limits to get a proper max_discard_sectors rather than setting a value by stack dr…
CVE-2025-40326 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: NFSD: Define actions for the new time_deleg FATTR4 attributes NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to…
CVE-2025-40324 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.
CVE-2025-40323 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mo…
CVE-2025-40322 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may…
CVE-2025-40321 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always u…
CVE-2025-40320 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first att…
CVE-2025-40319 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work execut…
CVE-2025-40318 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does a lookup and then cancels the entry under two separate lock sections.
CVE-2025-40317 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the proble…
CVE-2025-40316 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed t…
CVE-2025-40315 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
CVE-2025-40314 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget struc…
CVE-2025-40313 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG…
CVE-2025-40312 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from a corrupted disk can be invalid.
CVE-2025-40311 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc…
CVE-2025-40310 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is a race between amdgpu_amdkfd_device_fini_sw and interrupt handling.
CVE-2025-40309 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put inc…
CVE-2025-40308 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered.
CVE-2025-40307 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap.
CVE-2025-40306 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow...
CVE-2025-40305 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).
CVE-2025-40304 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen ed…
CVE-2025-40303 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task co…
CVE-2025-40302 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: forbid remove_bufs when legacy fileio is active The vb2_ioctl_remove_bufs() call manipulates the queue's internal buffer list, potentially overwriting some point…
CVE-2025-40301 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte…
CVE-2025-40299 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: gve: Implement gettimex64 with -EOPNOTSUPP gve implemented a ptp_clock for the sole use of do_aux_work at this time.
CVE-2025-40298 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: gve: Implement settime64 with -EOPNOTSUPP ptp_clock_settime() assumes every ptp_clock has implemented settime64().
CVE-2025-40297 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb.
CVE-2025-40296 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Fix double free of GPIO device during unregister regulator_unregister() already frees the associated GPIO device.
CVE-2025-40295 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8…
CVE-2025-40294 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HC…
CVE-2025-40293 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers a divide by 0.
CVE-2025-40292 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the…
CVE-2025-40291 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix regbuf vector size truncation There is a report of io_estimate_bvec_size() truncating the calculated number of segments, which leads to corruption issues.
CVE-2025-40290 | 2025-12-08 | In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor production"), the descriptor number is stored in skb contr…

Adobe · 127 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-64539 | Critical | 9.3 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution.
CVE-2025-64538 | Critical | 9.3 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution.
CVE-2025-64537 | Critical | 9.3 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution.
CVE-2025-61811 | Critical | 9.1 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61809 | Critical | 9.1 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass.
CVE-2025-61808 | Critical | 9.1 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high privileged attacker.
CVE-2025-61812 | High | 8.4 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution.
CVE-2025-61810 | High | 8.4 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2025-61813 | High | 8.2 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read.
CVE-2025-61821 | Medium | 6.8 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read.
CVE-2025-61823 | Medium | 6.2 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read.
CVE-2025-61822 | Medium | 6.2 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write.
CVE-2025-64897 | Medium | 5.6 | | 2025-12-10 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability.
CVE-2025-64896 | Medium | 5.5 | | 2025-12-09 | Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service.
CVE-2025-64888 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64887 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64881 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64875 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64873 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64869 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64863 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64861 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64858 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64857 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64853 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64852 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64850 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64847 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64845 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64841 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64840 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64839 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64833 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64829 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64827 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64826 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64825 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64823 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64822 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64821 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64820 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64817 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64814 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64808 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64804 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64803 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64802 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64801 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64800 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64799 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64797 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64796 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64794 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64793 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64792 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64791 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64790 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64789 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64627 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64626 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64623 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64622 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64620 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64619 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64616 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64615 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64614 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64613 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64612 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64611 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64609 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64607 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64606 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64605 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64604 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64603 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64602 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64601 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64600 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64599 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64598 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64597 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64596 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64594 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64593 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64592 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64591 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64590 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64586 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64585 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64583 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64582 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64581 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64580 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64579 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64578 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64577 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64576 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64575 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64574 | Medium | 5.4 | | 2025-12-10 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64572Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64569Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64566Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64565Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64564Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64563Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64562Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64560Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64559Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64558Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64557Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64556Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64555Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64554Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64553Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64551Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64550Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64549Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64548Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64547Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64546Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64545Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64544Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64543Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's brow…
CVE-2025-64541Medium5.42025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields.
CVE-2025-64898Medium5.32025-12-10ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access.
CVE-2025-64872Medium4.82025-12-10Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields.

Google · 81 CVEs

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-36937 · Critical · 9.8 · 2025-12-11 · In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check.
CVE-2025-48626 · Critical · 9.8 · 2025-12-08 · In multiple locations, there is a possible way to launch an application from the background due to a precondition check failure.
CVE-2025-36924 · High · 8.0 · 2025-12-11 · In ss_DecodeLcsAssistDataReqMsg(void) of ss_LcsManagement.c, there is a possible out of bounds write due to an incorrect bounds check.
CVE-2025-36923 · High · 8.0 · 2025-12-11 · In NrmmDecoder::DecodeSORTransparentContext of cn_NrmmDecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow.
CVE-2025-36936 · High · 7.8 · 2025-12-11 · In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to an integer overflow.
CVE-2025-36935 · High · 7.8 · 2025-12-11 · In trusty_ffa_mem_reclaim of shared-mem-smcall.c, there is a possible memory corruption due to uninitialized data.
CVE-2025-36932 · High · 7.8 · 2025-12-11 · In tracepoint_msg_handler of cpm/google/lib/tracepoint/tracepoint_ipc.c, there is a possible memory overwrite due to improper input validation.
CVE-2025-36931 · High · 7.8 · 2025-12-11 · In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check.
CVE-2025-36930 · High · 7.8 · 2025-12-11 · In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check.
CVE-2025-36928 · High · 7.8 · 2025-12-11 · In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to an incorrect bounds check.
CVE-2025-36927 · High · 7.8 · 2025-12-11 · In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to a missing bounds check.
CVE-2025-36925 · High · 7.8 · 2025-12-11 · In WAVES_send_data_to_dsp of libaoc_waves.c, there is a possible out of bounds write due to a missing bounds check.
CVE-2025-36919 · High · 7.8 · 2025-12-11 · In aocc_read of aoc_channel_dev.c, there is a possible double free due to improper locking.
CVE-2025-36918 · High · 7.8 · 2025-12-11 · In aoc_service_read_message of aoc_ipc_core.c, there is a possible out of bounds read due to improper input validation.
CVE-2025-48606 · High · 7.8 · 2025-12-08 · In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to a logic error in the code.
CVE-2025-48638 · High · 7.8 · 2025-12-08 · In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation.
CVE-2025-48637 · High · 7.8 · 2025-12-08 · In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow.
CVE-2025-48632 · High · 7.8 · 2025-12-08 · In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation.
CVE-2025-48629 · High · 7.8 · 2025-12-08 · In findAvailRecognizer of VoiceInteractionManagerService.java, there is a possible way to become the default speech recognizer app due to an insecure default value.
CVE-2025-48628 · High · 7.8 · 2025-12-08 · In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy.
CVE-2025-48627 · High · 7.8 · 2025-12-08 · In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to launch an activity from the background due to a logic error in the code.
CVE-2025-48624 · High · 7.8 · 2025-12-08 · In multiple functions of arm-smmu-v3.c, there is a possible out-of-bounds write due to improper input validation.
CVE-2025-48623 · High · 7.8 · 2025-12-08 · In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation.
CVE-2025-48620 · High · 7.8 · 2025-12-08 · In onSomePackagesChanged of VoiceInteractionManagerService.java, there is a possible way for a third party application's component name to persist even after uninstalling due to a logic error in the code.
CVE-2025-48615 · High · 7.8 · 2025-12-08 · In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due to resource exhaustion.
CVE-2025-48612 · High · 7.8 · 2025-12-08 · In setDefaultKey of DefaultPaymentSettings.java, there is a possible way for an application to set the main user's default NFC payment setting due to improper input validation.
CVE-2025-48599 · High · 7.8 · 2025-12-08 · In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check.
CVE-2025-48597 · High · 7.8 · 2025-12-08 · In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack.
CVE-2025-48596 · High · 7.8 · 2025-12-08 · In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check.
CVE-2025-48589 · High · 7.8 · 2025-12-08 · In multiple functions of HeaderPrivacyIconsController.kt, there is a possible way to grant permissions across users due to a logic error in the code.
CVE-2025-48588 · High · 7.8 · 2025-12-08 · In startAlwaysOnVpn of Vpn.java, there is a possible way to disable always-on VPN due to a logic error in the code.
CVE-2025-48586 · High · 7.8 · 2025-12-08 · In onActivityResult of EditFdnContactScreen.java, there is a possible way to leak contacts from the work profile due to a confused deputy.
CVE-2025-48583 · High · 7.8 · 2025-12-08 · In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a logic error in the code.
CVE-2025-48580 · High · 7.8 · 2025-12-08 · In connectInternal of MediaBrowser.java, there is a possible way to access while in use permission while the app is in background due to a logic error in the code.
CVE-2025-48575 · High · 7.8 · 2025-12-08 · In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass.
CVE-2025-48573 · High · 7.8 · 2025-12-08 · In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse.
CVE-2025-48572 · High · 7.8 · KEV · 2025-12-08 · In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass.
CVE-2025-48566 · High · 7.8 · 2025-12-08 · In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation.
CVE-2025-48565 · High · 7.8 · 2025-12-08 · In multiple locations, there is a possible way to bypass the cross profile intent filter due to a logic error in the code.
CVE-2025-48555 · High · 7.8 · 2025-12-08 · In multiple functions of NotificationStation.java, there is a possible cross-profile information disclosure due to a confused deputy.
CVE-2025-48536 · High · 7.8 · 2025-12-08 · In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for a third party app to modify secure settings due to a confused deputy.
CVE-2025-48525 · High · 7.8 · 2025-12-08 · In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation.
CVE-2025-32329 · High · 7.8 · 2025-12-08 · In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code.
CVE-2025-32328 · High · 7.8 · 2025-12-08 · In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code.
CVE-2025-22420 · High · 7.8 · 2025-12-08 · In multiple locations, there is a possible way to leak audio files across user profiles due to a confused deputy.
CVE-2025-48592 · High · 7.5 · 2025-12-08 · In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow.
CVE-2025-36934 · High · 7.4 · 2025-12-11 · In bigo_worker_thread of private/google-modules/video/gchips/bigo.c, there is a possible use after free due to a race condition.
CVE-2025-48639 · High · 7.3 · 2025-12-08 · In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack.
CVE-2025-48621 · High · 7.3 · 2025-12-08 · In DefaultTransitionHandler.java, there is a possible way to enable a tapjacking attack due to an insecure default.
CVE-2025-48594 · High · 7.3 · 2025-12-08 · In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation.
CVE-2025-13428 · High · 7.2 · 2025-12-09 · A vulnerability exists in the SecOps SOAR server.
CVE-2025-36916 · High · 7.0 · 2025-12-11 · In PrepareWorkloadBuffers of gxp_main_actor.cc, there is a possible double fetch due to a race condition.
CVE-2025-48625 · High · 7.0 · 2025-12-08 · In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition.
CVE-2025-48564 · High · 7.0 · 2025-12-08 · In multiple locations, there is a possible intent filter bypass due to a race condition.
CVE-2025-36938 · Medium · 6.8 · 2025-12-11 · In U-Boot of append_uint32_le(), there is a possible fault injection due to a logic error in the code.
CVE-2025-48618 · Medium · 6.8 · 2025-12-08 · In processLaunchBrowser of CommandParamsFactory.java, there is a possible browser interaction from the lockscreen due to improper locking.
CVE-2025-36922 · Medium · 6.7 · 2025-12-11 · In bigo_map of bigo_iommu.c, there is a possible information disclosure due to a use after free.
CVE-2025-32319 · Medium · 6.7 · 2025-12-08 · In ensureBound of RemotePrintService.java, there is a possible way for a background app to keep foreground permissions due to a permissions bypass.
CVE-2025-22432 · Medium · 6.7 · 2025-12-08 · In notifyTimeout of CallRedirectionProcessor.java, there is a possible persistent connection due to improper input validation.
CVE-2025-48598 · Medium · 6.6 · 2025-12-08 · In multiple locations, there is a possible way to alter the primary user's face unlock settings due to a confused deputy.
CVE-2025-36917 · Medium · 6.5 · 2025-12-11 · In SwDcpItg of up_L2commonPdcpSecurity.cpp, there is a possible denial of service due to an incorrect bounds check.
CVE-2025-36912 · Medium · 6.5 · 2025-12-11 · In cellular modem, there is a possible denial of service due to a logic error in the code.
CVE-2025-48631 · Medium · 6.5 · 2025-12-08 · In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion.
CVE-2025-36929 · Medium · 5.5 · 2025-12-11 · In AreFencesRegistered of gxp_fence_manager.cc, there is a possible information leak due to improper input validation.
CVE-2025-36921 · Medium · 5.5 · 2025-12-11 · In ProtocolPsUnthrottleApn() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check.
CVE-2025-36889 · Medium · 5.5 · 2025-12-11 · In onCreateTasks of CameraActivity.java, there is a possible permission bypass due to a confused deputy.
CVE-2025-48608 · Medium · 5.5 · 2025-12-08 · In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check.
CVE-2025-48569 · Medium · 5.5 · 2025-12-08 · In multiple locations, there is a possible permanent denial of service due to resource exhaustion.
CVE-2025-48633 · Medium · 5.5 · KEV · 2025-12-08 · In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code.
CVE-2025-48622 · Medium · 5.5 · 2025-12-08 · In ProcessArea of dng_misc_opcodes.cpp, there is a possible out of bounds read due to a buffer overflow.
CVE-2025-48610 · Medium · 5.5 · 2025-12-08 · In __pkvm_guest_relinquish_to_host of mem_protect.c, there is a possible configuration data leak due to a logic error in the code.
CVE-2025-48607 · Medium · 5.5 · 2025-12-08 · In multiple locations, there is a possible way to create a large amount of app ops due to a logic error in the code.
CVE-2025-48604 · Medium · 5.5 · 2025-12-08 · In multiple locations, there is a possible way to read files from another user due to a missing permission check.
CVE-2025-48603 · Medium · 5.5 · 2025-12-08 · In InputMethodInfo of InputMethodInfo.java, there is a possible permanent denial of service due to resource exhaustion.
CVE-2025-48601 · Medium · 5.5 · 2025-12-08 · In multiple locations, there is a possible permanent denial of service due to improper input validation.
CVE-2025-48600 · Medium · 5.5 · 2025-12-08 · In multiple files, there is a possible way to reveal information across users due to a missing permission check.
CVE-2025-48591 · Medium · 5.5 · 2025-12-08 · In multiple locations, there is a possible way to read files from another user due to a missing permission check.
CVE-2025-48590 · Medium · 5.5 · 2025-12-08 · In verifyAndGetBypass of AppOpsService.java, there is a possible method for a malicious app to prevent dialing emergency services under limited circumstances due to resource exhaustion.
CVE-2025-48584 · Medium · 5.5 · 2025-12-08 · In multiple functions of NotificationManagerService.java, there is a possible way to bypass the per-package channel limits causing resource exhaustion.
CVE-2025-48576 · Medium · 5.5 · 2025-12-08 · In updateNotificationChannelGroupFromPrivilegedListener of NotificationManagerService.java, there is a possible permanent denial of service due to resource exhaustion.
CVE-2025-48614 · Medium · 4.6 · 2025-12-08 · In rebootWipeUserData of RecoverySystem.java, there is a possible way to factory reset the device while in DSU mode due to a missing permission check.

N/a · 78 CVEs

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-65741 · Critical · 9.8 · 2025-12-09 · Sublime Text 3 Build 3208 or prior for MacOS is vulnerable to Dylib Injection.
CVE-2025-65882 · Critical · 9.8 · 2025-12-09 · An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary comma…
CVE-2025-63742 · Critical · 9.8 · 2025-12-09 · SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information, including administrator accounts, password hashes, database struct…
CVE-2025-64081 · Critical · 9.8 · 2025-12-08 · SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.
CVE-2025-66430 · Critical · 9.1 · 2025-12-12 · Plesk 18.0 has Incorrect Access Control.
CVE-2025-65849 · Critical · 9.1 · 2025-12-08 · A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via mathematical deduction.
CVE-2025-56130 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua.
CVE-2025-56129 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis.lua.
CVE-2025-56127 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the get_wanobj in file /usr/lib/lua/luci/controller/admin/common.lua.
CVE-2025-56123 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect…
CVE-2025-56122 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
CVE-2025-56120 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
CVE-2025-56118 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
CVE-2025-56117 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
CVE-2025-56114 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
CVE-2025-56113 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua.
CVE-2025-56111 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the network_set_wan_conf in file /usr/lib/lua/luci/controller/admin/netport.lua.
CVE-2025-56110 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua.
CVE-2025-56109 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_wireless in file /usr/lib/lua/luci/control/admin/wireless.lua.
CVE-2025-56108 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua.
CVE-2025-56107 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the submit_wifi in file /usr/lib/lua/luci/controller/admin/common_quick_config.lua.
CVE-2025-56106 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
CVE-2025-56102 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
CVE-2025-56101 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
CVE-2025-56099 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-YST AP_3.0(1)B11P280YST250F allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua.
CVE-2025-56098 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
CVE-2025-56097 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
CVE-2025-56096 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua.
CVE-2025-56095 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
CVE-2025-56094 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/host_access_delay.lua.
CVE-2025-56093 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless.lua.
CVE-2025-56092 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X30 PRO V1 X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
CVE-2025-56091 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
CVE-2025-56090 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retai…
CVE-2025-56089 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
CVE-2025-56088 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_service in file /usr/lib/lua/luci/controller/admin/service.lua.
CVE-2025-56087 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua.
CVE-2025-56086 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConn…
CVE-2025-56085 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_r…
CVE-2025-56084 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
CVE-2025-56083 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_networkId_merge.lua.
CVE-2025-56082 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common.lua.
CVE-2025-56079 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
CVE-2025-56077 · High · 8.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
CVE-2025-8083 · High · 8.6 · 2025-12-12 · The Preset configuration https://v2.vuetifyjs.com/en/features/presets feature of Vuetify is vulnerable to Prototype Pollution https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html due to the int…
CVE-2025-65594 · High · 8.1 · 2025-12-09 · OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.
CVE-2025-56124 · High · 7.8 · 2025-12-11 · OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
CVE-2025-65512High7.52025-12-10A Server-Side Request Forgery (SSRF) vulnerability was discovered in the webpage-to-markdown conversion feature of markdownify-mcp v0.0.2 and before.
CVE-2025-63094High7.52025-12-10XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache.
CVE-2025-65513High7.52025-12-09fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validation and access internal network resources.
CVE-2025-64086High7.52025-12-09A NULL pointer dereference vulnerability in the util.readFileIntoStream component of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-64085High7.52025-12-09A NULL pointer dereference vulnerability in the importDataObject() function of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2025-61258High7.52025-12-09Outsystems Platform Server 11.18.1.37828 allows attackers to cause a denial of service via a crafted content-length value mismatching the body length.
CVE-2025-65795High7.52025-12-08Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
CVE-2025-67818High7.22025-12-12An issue was discovered in Weaviate OSS before 1.33.4.
CVE-2025-65363High7.22025-12-08Authenticated append-style command-injection Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root, enabling file disclosure, device disruption, and potential network pivoting via the co…
CVE-2025-65815Medium6.52025-12-10A lack of security checks in the file import process of AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 allows attackers to execute a directory traversal.
CVE-2025-52493Medium6.52025-12-10PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page.
CVE-2025-65804Medium6.52025-12-08Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE).
CVE-2025-65797Medium6.52025-12-08Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Servi…
CVE-2025-8082Medium6.32025-12-12Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss  attack.
CVE-2025-14518Medium6.32025-12-11A vulnerability was identified in PowerJob up to 5.1.2.
CVE-2025-61078Medium6.12025-12-09Cross-site scripting (XSS) vulnerability in Request IP form in phpIPAM v1.7.3 allows remote attackers to inject arbitrary web script or HTML via the instructions parameter for the /app/admin/instructions/edit-result.php endpoint.
CVE-2025-63737Medium6.12025-12-09Cross-site scripting (XSS) vulnerability in function urltestAction in file cliAction.php in Xinhu Rainrock RockOA 2.7.0 allows remote attackers to inject arbitrary web script or HTML via the m parameter to the task.php endpoint.
CVE-2025-14284Medium6.12025-12-09Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links.
CVE-2025-65798Medium5.42025-12-08Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.
CVE-2025-67819Medium4.92025-12-12An issue was discovered in Weaviate OSS before 1.33.4.
CVE-2025-67342Medium4.62025-12-12RuoYi versions 4.8.1 and earlier is affected by a stored XSS vulnerability in the /system/menu/edit endpoint.
CVE-2025-64011Medium4.32025-12-12Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint.
CVE-2025-63740Medium4.32025-12-09SQL Injection vulnerability in function getselectdataAjax in file inputAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers gain sensitive information, including administrator accounts, password hashes, database structure, and othe…
CVE-2025-63739Medium4.32025-12-09An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to authenticated users to modify PHP configuration files via the a parameter to the index…
CVE-2025-63738Medium4.32025-12-09An issue was discovered in file index.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information via phpinfo via the a parameter to the index.php.
CVE-2025-65799Medium4.32025-12-08A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal.
CVE-2025-65796Medium4.32025-12-08Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.
CVE-2025-14580Low3.52025-12-12A security vulnerability has been detected in Qualitor up to 8.24.73.
CVE-2025-65228Low3.52025-12-08A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R.
CVE-2025-60912Low3.32025-12-08phpIPAM v1.7.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the database export functionality.
CVE-2025-14244Low2.42025-12-08A flaw has been found in GreenCMS 2.3.0603.
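
Two entries in the table above (fetch-mcp, CVE-2025-65513, and markdownify-mcp, CVE-2025-65512) are SSRF bugs in URL fetchers, and the fetch-mcp summary says the private-IP validation could be bypassed. The entries do not describe the bypass, and the block below does not try to reproduce it. It is an added example, not code from either project, showing the check a fetcher has to get right: classify the address the socket will actually connect to, after resolution, and reject everything that is not globally routable. The DNS table is constructed so the example runs offline; a real fetcher would call socket.getaddrinfo() and check every returned address.

```python
"""Resolve-then-check SSRF guard for user-supplied URLs (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed name -> address table so the example runs offline. A real
# fetcher resolves with socket.getaddrinfo(), applies the check to EVERY
# answer, and then connects to the address it checked rather than re-resolving.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],  # mixed answers
}


def resolve(host: str) -> list[str]:
    """Addresses for a host: IP literals pass through, names use the table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress canonicalises the literal, so an IPv4-mapped IPv6 address
    (::ffff:a.b.c.d) is unwrapped and judged as the IPv4 address it encodes.
    is_global is False for RFC 1918 space, loopback, link-local (169.254/16,
    which covers cloud metadata endpoints), shared address space 100.64/10,
    ULA fc00::/7, unspecified and reserved ranges; multicast is excluded
    separately because older Python versions report it as global.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url: str) -> tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched.

    Returns (allowed, reason_or_checked_addresses).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    addrs = resolve(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for a in addrs:
        if not is_public_address(a):
            return False, f"{host} resolves to non-public address {a}"
    return True, ",".join(addrs)
```

Two caveats a reviewer would raise against any check of this shape: a name that resolves to a mix of public and private answers must be rejected outright (the example does), and a check-then-connect sequence still leaves a DNS-rebinding window unless the fetcher connects to the address it validated and pins the Host header itself.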

Apple · 48 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-43539 | High | 8.8 |  | 2025-12-12 | The issue was addressed with improved bounds checks.
CVE-2025-46285 | High | 7.8 |  | 2025-12-12 | An integer overflow was addressed by adopting 64-bit timestamps.
CVE-2025-43527 | High | 7.8 |  | 2025-12-12 | A permissions issue was addressed with additional restrictions.
CVE-2025-43512 | High | 7.8 |  | 2025-12-12 | A logic issue was addressed with improved checks.
CVE-2025-43510 | High | 7.8 | KEV | 2025-12-12 | A memory corruption issue was addressed with improved lock state checking.
CVE-2025-43467 | High | 7.8 |  | 2025-12-12 | This issue was addressed with improved checks.
CVE-2025-43402 | High | 7.8 |  | 2025-12-12 | The issue was addressed with improved memory handling.
CVE-2025-43320 | High | 7.8 |  | 2025-12-12 | The issue was addressed by adding additional logic.
CVE-2025-43542 | High | 7.5 |  | 2025-12-12 | This issue was addressed with improved state management.
CVE-2025-43506 | High | 7.5 |  | 2025-12-12 | A logic error was addressed with improved error handling.
CVE-2025-43494 | High | 7.5 |  | 2025-12-12 | A mail header parsing issue was addressed with improved checks.
CVE-2025-46287 | Medium | 6.5 |  | 2025-12-12 | An inconsistent user interface issue was addressed with improved state management.
CVE-2025-43511 | Medium | 6.5 |  | 2025-12-12 | A use-after-free issue was addressed with improved memory management.
CVE-2025-43464 | Medium | 6.5 |  | 2025-12-12 | A denial-of-service issue was addressed with improved input validation.
CVE-2025-46289 | Medium | 5.5 |  | 2025-12-12 | A logic issue was addressed with improved file handling.
CVE-2025-46276 | Medium | 5.5 |  | 2025-12-12 | An information disclosure issue was addressed with improved privacy controls.
CVE-2025-43538 | Medium | 5.5 |  | 2025-12-12 | A logging issue was addressed with improved data redaction.
CVE-2025-43530 | Medium | 5.5 |  | 2025-12-12 | This issue was addressed with improved checks.
CVE-2025-43523 | Medium | 5.5 |  | 2025-12-12 | A permissions issue was addressed with additional restrictions.
CVE-2025-43521 | Medium | 5.5 |  | 2025-12-12 | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
CVE-2025-43520 | Medium | 5.5 | KEV | 2025-12-12 | A memory corruption issue was addressed with improved memory handling.
CVE-2025-43519 | Medium | 5.5 |  | 2025-12-12 | A permissions issue was addressed with additional restrictions.
CVE-2025-43513 | Medium | 5.5 |  | 2025-12-12 | A permissions issue was addressed by removing the vulnerable code.
CVE-2025-43509 | Medium | 5.5 |  | 2025-12-12 | This issue was addressed with improved data protection.
CVE-2025-43482 | Medium | 5.5 |  | 2025-12-12 | The issue was addressed with improved input validation.
CVE-2025-43473 | Medium | 5.5 |  | 2025-12-12 | This issue was addressed with improved state management.
CVE-2025-43471 | Medium | 5.5 |  | 2025-12-12 | The issue was addressed with improved checks.
CVE-2025-43470 | Medium | 5.5 |  | 2025-12-12 | A permissions issue was addressed with additional restrictions.
CVE-2025-43466 | Medium | 5.5 |  | 2025-12-12 | An injection issue was addressed with improved validation.
CVE-2025-43465 | Medium | 5.5 |  | 2025-12-12 | A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2025-43463 | Medium | 5.5 |  | 2025-12-12 | A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2025-43461 | Medium | 5.5 |  | 2025-12-12 | This issue was addressed with improved validation of symlinks.
CVE-2025-43416 | Medium | 5.5 |  | 2025-12-12 | A logic issue was addressed with improved restrictions.
CVE-2025-43406 | Medium | 5.5 |  | 2025-12-12 | A logic issue was addressed with improved restrictions.
CVE-2025-43388 | Medium | 5.5 |  | 2025-12-12 | An injection issue was addressed with improved validation.
CVE-2025-43381 | Medium | 5.5 |  | 2025-12-12 | This issue was addressed with improved handling of symlinks.
CVE-2025-43351 | Medium | 5.5 |  | 2025-12-12 | A permissions issue was addressed with additional restrictions.
CVE-2025-12843 | Medium | 5.5 |  | 2025-12-12 | Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass.
CVE-2025-43497 | Medium | 5.2 |  | 2025-12-12 | An access issue was addressed with additional sandbox restrictions.
CVE-2025-43393 | Medium | 5.2 |  | 2025-12-12 | A permissions issue was addressed with additional sandbox restrictions.
CVE-2025-43522 | Low | 3.3 |  | 2025-12-12 | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
CVE-2025-43518 | Low | 3.3 |  | 2025-12-12 | A logic issue was addressed with improved checks.
CVE-2025-43517 | Low | 3.3 |  | 2025-12-12 | A privacy issue was addressed with improved private data redaction for log entries.
CVE-2025-43516 | Low | 3.3 |  | 2025-12-12 | A session management issue was addressed with improved checks.
CVE-2025-43437 | Low | 3.3 |  | 2025-12-12 | An information disclosure issue was addressed with improved privacy controls.
CVE-2025-43404 | Low | 3.3 |  | 2025-12-12 | A permissions issue was addressed with additional sandbox restrictions.
CVE-2025-43532 | Low | 2.8 |  | 2025-12-12 | A memory corruption issue was addressed with improved bounds checking.
CVE-2025-43410 | Low | 2.4 |  | 2025-12-12 | The issue was addressed with improved handling of caches.
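
Several entries above are the same bug class: the memos attachment service (CVE-2025-65799, "a lack of file name validation ... allows attackers to execute a path traversal") and the Apple fixes described as "improved path validation" for directory paths (CVE-2025-43465, CVE-2025-43463) and "improved validation of symlinks" (CVE-2025-43461, CVE-2025-43381). The block below is an added example, not code from memos or Apple and not a description of their fixes. It contrasts the weak pattern (a string filter for "..") with a containment check on the resolved path, and probes both with constructed inputs, including a symlink planted inside the store that points outside it. Function names, the temporary directory layout and the file names are all constructed for the example.

```python
"""Containment check for user-controlled file names (added example)."""
import os
import tempfile


def naive_join(base: str, name: str) -> str:
    """Weak pattern: rejects only names that literally contain '..'."""
    if ".." in name:
        raise ValueError("traversal")
    return os.path.join(base, name)  # an absolute name replaces base entirely


def safe_join(base: str, name: str) -> str:
    """Return an absolute path under base, or raise ValueError.

    realpath() collapses '..' segments and follows symlinks, so the comparison
    is made on the path the kernel would actually open, against the resolved
    base directory.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"{name!r} resolves outside {base_real}")
    return target


def escapes(base: str, path: str) -> bool:
    """True if path, once resolved, lies outside the resolved base."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


def demo() -> dict[str, str]:
    """Probe both joins against constructed inputs in a temp directory.

    Returns "<function>:<case>" -> "ok" (contained), "escaped" (the join
    returned a path outside the store) or "rejected" (ValueError raised).
    """
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "attachments")   # constructed upload dir
        os.mkdir(store)
        secret = os.path.join(root, "secret.txt")   # constructed file outside it
        with open(secret, "w") as f:
            f.write("constructed secret\n")
        os.symlink(secret, os.path.join(store, "link"))  # planted inside store

        cases = {
            "plain": "report.pdf",
            "dotdot": "../secret.txt",
            "absolute": secret,
            "symlink": "link",
        }
        for label, name in cases.items():
            for fn in (naive_join, safe_join):
                try:
                    path = fn(store, name)
                except ValueError:
                    outcome = "rejected"
                else:
                    outcome = "escaped" if escapes(store, path) else "ok"
                results[f"{fn.__name__}:{label}"] = outcome
    return results
```

The naive join lets both the absolute name and the planted symlink through without either containing "..". The resolved-path check is still check-then-open: a link swapped in between the check and the open wins, so code that opens the file afterwards should also refuse to follow links at open time (O_NOFOLLOW, or openat2() with RESOLVE_BENEATH on Linux).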

MailEnable · 25 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-34428 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover.
CVE-2025-34427 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover.
CVE-2025-34424 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34423 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34422 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34421 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34420 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34419 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34418 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34417 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34416 | High | 7.8 |  | 2025-12-10 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34396 | High | 7.3 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution.
CVE-2025-34425 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx.
CVE-2025-34409 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx.
CVE-2025-34408 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Added parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx.
CVE-2025-34407 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the theme parameter of /Mondo/lang/sys/Forms/Statistics.aspx.
CVE-2025-34406 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Id parameter of /Mobile/ContactDetails.aspx.
CVE-2025-34404 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx.
CVE-2025-34403 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx.
CVE-2025-34402 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx.
CVE-2025-34401 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx.
CVE-2025-34400 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx.
CVE-2025-34399 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx.
CVE-2025-34398 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx.
CVE-2025-34397 | Medium | 6.1 |  | 2025-12-09 | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Message parameter of /Mobile/Compose.aspx.

Siemens · 22 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-56835 | High | 8.8 |  | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM…
CVE-2025-40937 | High | 8.3 |  | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1).
CVE-2025-40938 | High | 8.1 |  | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1).
CVE-2025-40801 | High | 8.1 |  | 2025-12-09 | A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as…
CVE-2025-40829 | High | 7.8 |  | 2025-12-12 | A vulnerability has been identified in Simcenter Femap (All versions < V2512).
CVE-2025-40820 | High | 7.5 |  | 2025-12-09 | Affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range.
CVE-2024-56836 | High | 7.5 |  | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM…
CVE-2025-40800 | High | 7.4 |  | 2025-12-09 | A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcen…
CVE-2024-56840 | High | 7.2 |  | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM…
CVE-2024-56839 | High | 7.2 |  | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM…
CVE-2024-56838 | High | 7.2 |  | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM…
CVE-2024-56837 | High | 7.2 |  | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM…
CVE-2025-40830 | Medium | 6.7 |  | 2025-12-09 | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0).
CVE-2025-40831 | Medium | 6.5 |  | 2025-12-09 | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0).
CVE-2025-40807 | Medium | 6.3 |  | 2025-12-09 | A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1).
CVE-2025-40806 | Medium | 5.3 |  | 2025-12-09 | A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1).
CVE-2025-40940 | Medium | 4.9 |  | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1).
CVE-2025-40939 | Medium | 4.6 |  | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1).
CVE-2025-40941 | Medium | 4.3 |  | 2025-12-09 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1).
CVE-2025-40935 | Medium | 4.3 |  | 2025-12-09 | A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.1), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.1), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.1), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.1)…
CVE-2025-40819 | Medium | 4.3 |  | 2025-12-09 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4).
CVE-2025-40818 | Low | 3.3 |  | 2025-12-09 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4).
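
The CVE-2025-40820 entry above says the affected products "accept values within a broad range" instead of enforcing TCP sequence number validation. The entry does not say what range or which products' code is involved, and the block below makes no claim about that. It is an added example, not Siemens code, showing the acceptance test a receiver is meant to apply (RFC 793: a segment is acceptable when RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, computed modulo 2^32) beside a hypothetical loose check that accepts the "future" half of the sequence space, and working out how many segments a blind off-path attacker has to send before one of them is accepted under each rule. The half-space loose check is an illustration of the class, chosen for the example.

```python
"""TCP sequence-number acceptance and blind-injection cost (added example)."""
MOD = 1 << 32  # size of the TCP sequence space


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Strict RFC 793 test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND.

    Modular subtraction handles wraparound, so the test is correct when the
    window straddles 2**32 -> 0.
    """
    return (seq - rcv_nxt) % MOD < rcv_wnd


def accepts_broad_range(seq: int, rcv_nxt: int) -> bool:
    """Hypothetical loose check, NOT the affected products' logic: accept any
    sequence number in the half of the space 'ahead of' RCV.NXT."""
    return (seq - rcv_nxt) % MOD < (1 << 31)


def segments_to_cover_space(accept_range: int) -> int:
    """Segments a blind attacker must send to guarantee that one carries an
    accepted sequence number, stepping guesses accept_range apart:
    ceil(2**32 / accept_range)."""
    if accept_range <= 0:
        raise ValueError("accept_range must be positive")
    return -(-MOD // accept_range)


def blind_injection_cost(rcv_wnd: int, port_candidates: int = 1) -> dict[str, int]:
    """Guess budget under the strict window versus the broad check.

    port_candidates models an attacker who must also brute-force the client's
    ephemeral source port; it multiplies both budgets equally.
    """
    return {
        "strict_window": segments_to_cover_space(rcv_wnd) * port_candidates,
        "broad_range": segments_to_cover_space(1 << 31) * port_candidates,
    }
```

With a 64 KiB receive window the strict rule costs an attacker 65,536 spoofed segments per port guess; accepting half the space costs two. RFC 5961 tightens the RST case further (a RST is honoured only when SEG.SEQ equals RCV.NXT; anything else in-window gets a challenge ACK), which is the behaviour to look for when verifying a fix of this kind.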

Fortinet · 18 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59719 | Critical | 9.8 |  | 2025-12-09 | An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authenticatio…
CVE-2025-59718 | Critical | 9.8 | KEV | 2025-12-09 | An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7…
CVE-2025-60024 | High | 8.8 |  | 2025-12-09 | Multiple Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerabilities [CWE-22] in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 may allow a privileged authenticated…
CVE-2025-64447 | High | 8.1 |  | 2025-12-09 | A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0…
CVE-2025-64156 | High | 7.2 |  | 2025-12-09 | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may…
CVE-2025-64153 | High | 7.2 |  | 2025-12-09 | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions m…
CVE-2025-53949 | High | 7.2 |  | 2025-12-09 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all version…
CVE-2025-53679 | High | 7.2 |  | 2025-12-09 | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all version…
CVE-2025-59808 | Medium | 6.8 |  | 2025-12-09 | An unverified password change vulnerability [CWE-620] in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise…
CVE-2025-54838 | Medium | 6.8 |  | 2025-12-09 | An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests.
CVE-2024-47570 | Medium | 6.6 |  | 2025-12-09 | An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all ver…
CVE-2025-59810 | Medium | 6.5 |  | 2025-12-09 | An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiS…
CVE-2024-40593 | Medium | 6.0 |  | 2025-12-11 | A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 th…
CVE-2025-62631 | Medium | 5.6 |  | 2025-12-09 | An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to maintain access to network resources via an…
CVE-2025-54353 | Medium | 5.4 |  | 2025-12-09 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, For…
CVE-2025-64471 | Medium | 4.9 |  | 2025-12-09 | A use of password hash instead of password for authentication vulnerability [CWE-836] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, Forti…
CVE-2025-59923 | Low | 2.7 |  | 2025-12-09 | An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker…
CVE-2025-57823 | Low | 2.7 |  | 2025-12-09 | A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated…

Huawei · 16 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66328 | High | 8.4 |  | 2025-12-08 | Multi-thread race condition vulnerability in the network management module.
CVE-2025-66324 | High | 8.4 |  | 2025-12-08 | Input verification vulnerability in the compression and decompression module. Impact: Successful exploitation of this vulnerability may affect app data integrity.
CVE-2025-66327 | High | 7.1 |  | 2025-12-08 | Race condition vulnerability in the network module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-66326 | Medium | 6.7 |  | 2025-12-08 | Race condition vulnerability in the audio module.
CVE-2025-66325 | Medium | 6.2 |  | 2025-12-08 | Permission control vulnerability in the package management module.
CVE-2025-66323 | Medium | 5.3 |  | 2025-12-08 | Vulnerability of improper criterion security check in the card module.
CVE-2025-66322 | Medium | 5.1 |  | 2025-12-08 | Multi-thread race condition vulnerability in the camera framework module.
CVE-2025-66321 | Medium | 5.1 |  | 2025-12-08 | Multi-thread race condition vulnerability in the camera framework module.
CVE-2025-66320 | Medium | 5.1 |  | 2025-12-08 | Multi-thread race condition vulnerability in the camera framework module.
CVE-2025-66330 | Medium | 4.9 |  | 2025-12-08 | App lock verification bypass vulnerability in the file management app.
CVE-2025-58279 | Medium | 4.4 |  | 2025-12-08 | Permission control vulnerability in the media library module.
CVE-2025-66329 | Medium | 4.0 |  | 2025-12-08 | Permission control vulnerability in the window management module.
CVE-2025-66334 | Low | 3.3 |  | 2025-12-08 | Denial of service (DoS) vulnerability in the office service.
CVE-2025-66333 | Low | 3.3 |  | 2025-12-08 | Denial of service (DoS) vulnerability in the office service.
CVE-2025-66332 | Low | 3.3 |  | 2025-12-08 | Denial of service (DoS) vulnerability in the office service.
CVE-2025-66331 | Low | 3.3 |  | 2025-12-08 | Denial of service (DoS) vulnerability in the office service.

Code-projects · 14 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14537 | High | 7.3 |  | 2025-12-11 | A weakness has been identified in code-projects Class and Exam Timetable Management 1.0.
CVE-2025-14536 | High | 7.3 |  | 2025-12-11 | A security flaw has been discovered in code-projects Class and Exam Timetable Management 1.0.
CVE-2025-14285 | High | 7.3 |  | 2025-12-09 | A vulnerability was found in code-projects Employee Profile Management System 1.0.
CVE-2025-14251 | High | 7.3 |  | 2025-12-08 | A security vulnerability has been detected in code-projects Online Ordering System 1.0.
CVE-2025-14250 | High | 7.3 |  | 2025-12-08 | A weakness has been identified in code-projects Online Ordering System 1.0.
CVE-2025-14249 | High | 7.3 |  | 2025-12-08 | A security flaw has been discovered in code-projects Online Ordering System 1.0.
CVE-2025-14248 | High | 7.3 |  | 2025-12-08 | A vulnerability was identified in code-projects Simple Shopping Cart 1.0.
CVE-2025-14218 | High | 7.3 |  | 2025-12-08 | A security flaw has been discovered in code-projects Currency Exchange System 1.0.
CVE-2025-14217 | High | 7.3 |  | 2025-12-08 | A vulnerability was identified in code-projects Currency Exchange System 1.0.
CVE-2025-14216 | High | 7.3 |  | 2025-12-08 | A vulnerability was determined in code-projects Currency Exchange System 1.0.
CVE-2025-14215 | High | 7.3 |  | 2025-12-08 | A vulnerability was found in code-projects Currency Exchange System 1.0.
CVE-2025-14247 | Medium | 6.3 |  | 2025-12-08 | A vulnerability was determined in code-projects Simple Shopping Cart 1.0.
CVE-2025-14246 | Medium | 6.3 |  | 2025-12-08 | A vulnerability was found in code-projects Simple Shopping Cart 1.0.
CVE-2025-14205 | Low | 2.4 |  | 2025-12-08 | A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0.

IBM · 14 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13481 | High | 8.8 |  | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input.
CVE-2025-13148 | High | 8.1 |  | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to change the password of another user without prior knowledge of that password.
CVE-2025-13214 | High | 7.6 |  | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection.
CVE-2025-36140 | Medium | 6.5 |  | 2025-12-08 | IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.
CVE-2025-64650 | Medium | 6.5 |  | 2025-12-08 | IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files.
CVE-2025-36017 | Medium | 6.5 |  | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user.
CVE-2025-36015 | Medium | 6.5 |  | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.
CVE-2025-12635 | Medium | 5.4 |  | 2025-12-08 | IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input.
CVE-2025-13211 | Medium | 5.3 |  | 2025-12-11 | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
CVE-2025-12832 | Medium | 4.6 |  | 2025-12-08 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF).
CVE-2025-36437 | Medium | 4.3 |  | 2025-12-09 | IBM Planning Analytics Local 2.1.0 - 2.1.15 could disclose sensitive information about server architecture that could aid in further attacks against the system.
CVE-2025-33111 | Medium | 4.3 |  | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race con…
CVE-2024-56464 | Low | 2.7 |  | 2025-12-09 | IBM QRadar SIEM 7.5 - 7.5.0 UP14 IF01 is affected by an information disclosure vulnerability involving exposure of directory information.
CVE-2025-36102 | Low | 2.7 |  | 2025-12-08 | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-…

Phoenix Contact · 14 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41752 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM).
CVE-2025-41751 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM).
CVE-2025-41750 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM).
CVE-2025-41749 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM).
CVE-2025-41748 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM).
CVE-2025-41747 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management…
CVE-2025-41746 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (…
CVE-2025-41745 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (W…
CVE-2025-41695 | High | 7.1 | | 2025-12-09 | An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM).
CVE-2025-41697 | Medium | 6.8 | | 2025-12-09 | An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g.
CVE-2025-41692 | Medium | 6.8 | | 2025-12-09 | A high privileged remote attacker with admin privileges for the webUI can brute-force the "root" and "user" passwords of the underlying OS due to a weak password generation algorithm.
CVE-2025-41694 | Medium | 6.5 | | 2025-12-09 | A low privileged remote attacker can run the webshell with an empty command containing whitespace.
CVE-2025-41696 | Medium | 4.6 | | 2025-12-09 | An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device.
CVE-2025-41693 | Medium | 4.3 | | 2025-12-09 | A low privileged remote attacker can use the ssh feature to execute commands directly after login.

Meatmeet · 13 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65826 | Critical | 9.8 | | 2025-12-10 | The mobile application was found to contain stored credentials for the network it was developed on.
CVE-2025-65823 | Critical | 9.8 | | 2025-12-10 | The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on.
CVE-2025-65820 | Critical | 9.8 | | 2025-12-10 | An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0.
CVE-2025-65830 | Critical | 9.1 | | 2025-12-10 | Due to a lack of certificate validation, all traffic from the mobile application can be intercepted.
CVE-2025-65827 | Critical | 9.1 | | 2025-12-10 | The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP.
CVE-2025-65824 | High | 8.8 | | 2025-12-10 | An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware on the device being overwritten with the attack…
CVE-2025-65831 | High | 7.5 | | 2025-12-10 | The application uses an insecure hashing algorithm (MD5) to hash passwords.
CVE-2025-65821 | High | 7.5 | | 2025-12-10 | As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive information such as details about the current and previous Wi-Fi network from the N…
CVE-2025-65829 | Medium | 6.8 | | 2025-12-10 | The ESP32 system on a chip (SoC) that powers the Meatmeet basestation device was found to lack Secure Boot.
CVE-2025-65822 | Medium | 6.8 | | 2025-12-10 | The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled.
CVE-2025-65828 | Medium | 6.5 | | 2025-12-10 | An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetooth Low Energy (BLE) to these devices which would result in a Denial of Service.
CVE-2025-65832 | Medium | 4.6 | | 2025-12-10 | The mobile application insecurely handles information stored within memory.
CVE-2025-65825 | Medium | 4.6 | | 2025-12-10 | The firmware on the basestation of the Meatmeet is not encrypted.

Mozilla · 13 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14330 | Critical | 9.8 | | 2025-12-09 | JIT miscompilation in the JavaScript Engine: JIT component.
CVE-2025-14326 | Critical | 9.8 | | 2025-12-09 | Use-after-free in the Audio/Video: GMP component.
CVE-2025-14324 | Critical | 9.8 | | 2025-12-09 | JIT miscompilation in the JavaScript Engine: JIT component.
CVE-2025-14321 | Critical | 9.8 | | 2025-12-09 | Use-after-free in the WebRTC: Signaling component.
CVE-2025-14329 | High | 8.8 | | 2025-12-09 | Privilege escalation in the Netmonitor component.
CVE-2025-14328 | High | 8.8 | | 2025-12-09 | Privilege escalation in the Netmonitor component.
CVE-2025-14323 | High | 8.8 | | 2025-12-09 | Privilege escalation in the DOM: Notifications component.
CVE-2025-14333 | High | 8.1 | | 2025-12-09 | Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145.
CVE-2025-14322 | High | 8.0 | | 2025-12-09 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
CVE-2025-14327 | High | 7.5 | | 2025-12-09 | Spoofing issue in the Downloads Panel component.
CVE-2025-14332 | High | 7.3 | | 2025-12-09 | Memory safety bugs present in Firefox 145 and Thunderbird 145.
CVE-2025-14325 | High | 7.3 | | 2025-12-09 | JIT miscompilation in the JavaScript Engine: JIT component.
CVE-2025-14331 | Medium | 6.5 | | 2025-12-09 | Same-origin policy bypass in the Request Handling component.

Angeljudesuarez · 12 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14585 | High | 7.3 | | 2025-12-12 | A vulnerability was found in itsourcecode COVID Tracking System 1.0.
CVE-2025-14584 | High | 7.3 | | 2025-12-12 | A vulnerability has been found in itsourcecode COVID Tracking System 1.0.
CVE-2025-14578 | High | 7.3 | | 2025-12-12 | A weakness has been identified in itsourcecode Student Management System 1.0.
CVE-2025-14337 | High | 7.3 | | 2025-12-09 | A vulnerability was determined in itsourcecode Student Management System 1.0.
CVE-2025-14336 | High | 7.3 | | 2025-12-09 | A vulnerability was found in itsourcecode Student Management System 1.0.
CVE-2025-14335 | High | 7.3 | | 2025-12-09 | A vulnerability has been found in itsourcecode Student Management System 1.0.
CVE-2025-14334 | High | 7.3 | | 2025-12-09 | A flaw has been found in itsourcecode Student Management System 1.0.
CVE-2025-14258 | High | 7.3 | | 2025-12-08 | A vulnerability has been found in itsourcecode Student Management System 1.0.
CVE-2025-14257 | High | 7.3 | | 2025-12-08 | A flaw has been found in itsourcecode Student Management System 1.0.
CVE-2025-14256 | High | 7.3 | | 2025-12-08 | A vulnerability was detected in itsourcecode Student Management System 1.0.
CVE-2025-14226 | High | 7.3 | | 2025-12-08 | A vulnerability was identified in itsourcecode Student Management System 1.0.
CVE-2025-14214 | Medium | 6.3 | | 2025-12-08 | A vulnerability has been found in itsourcecode Student Information System 1.0.

Sap_se · 12 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-42880 | Critical | 9.9 | | 2025-12-09 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module.
CVE-2025-42928 | Critical | 9.1 | | 2025-12-09 | Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution.
CVE-2025-42878 | High | 8.2 | | 2025-12-09 | SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production.
CVE-2025-42874 | High | 7.9 | | 2025-12-09 | SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls.
CVE-2025-42877 | High | 7.5 | | 2025-12-09 | SAP Web Dispatcher, Internet Communication Manager (ICM), and SAP Content Server allow an unauthenticated user to exploit logical errors that lead to a memory corruption vulnerability.
CVE-2025-42876 | High | 7.1 | | 2025-12-09 | Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify docume…
CVE-2025-42875 | Medium | 6.6 | | 2025-12-09 | The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact…
CVE-2025-42904 | Medium | 6.5 | | 2025-12-09 | Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists.
CVE-2025-42872 | Medium | 6.1 | | 2025-12-09 | Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users' browsers, allowing the attacker to steal session c…
CVE-2025-42873 | Medium | 5.9 | | 2025-12-09 | SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities.
CVE-2025-42891 | Medium | 5.5 | | 2025-12-09 | Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report.
CVE-2025-42896 | Medium | 5.4 | | 2025-12-09 | SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message.

Gitlab · 10 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12716 | High | 8.7 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actio…
CVE-2025-12029 | High | 8.0 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorize…
CVE-2025-8405 | High | 7.7 | | 2025-12-11 | GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of ot…
CVE-2025-12562 | High | 7.5 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending c…
CVE-2025-11984 | Medium | 6.8 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipul…
CVE-2025-4097 | Medium | 6.5 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading sp…
CVE-2025-14157 | Medium | 6.5 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafte…
CVE-2025-11247 | Medium | 4.3 | | 2025-12-11 | GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by…
CVE-2025-13978 | Medium | 4.3 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not h…
CVE-2025-12734 | Low | 3.5 | | 2025-12-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs…

Groupsession · 10 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65120 | Medium | 6.1 | | 2025-12-12 | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1.
CVE-2025-57883 | Medium | 6.1 | | 2025-12-12 | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2.
CVE-2025-54407 | Medium | 6.1 | | 2025-12-12 | Stored cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2.
CVE-2025-66284 | Medium | 5.4 | | 2025-12-12 | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1.
CVE-2025-62192 | Medium | 5.4 | | 2025-12-12 | SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2.
CVE-2025-53523 | Medium | 5.4 | | 2025-12-12 | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2.
CVE-2025-61987 | Medium | 5.3 | | 2025-12-12 | GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2.
CVE-2025-64781 | Medium | 4.7 | | 2025-12-12 | In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration.
CVE-2025-61950 | Medium | 4.3 | | 2025-12-12 | In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented.
CVE-2025-58576 | Medium | 4.3 | | 2025-12-12 | Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2.

Teamviewer · 10 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64989 | High | 7.2 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction prior V21.1.
CVE-2025-64988 | High | 7.2 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-GetCmContentLocations instruction prior V19.2.
CVE-2025-64987 | High | 7.2 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-CheckSimpleIoC instruction.
CVE-2025-64986 | High | 7.2 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-DevicesListeningOnAPort instruction prior V21.
CVE-2025-64993 | Medium | 6.8 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-ConfigMgrConsoleExtensions instructions.
CVE-2025-64992 | Medium | 6.8 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior V25.
CVE-2025-64991 | Medium | 6.8 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-PatchInsights-Deploy instruction prior V15.
CVE-2025-64990 | Medium | 6.8 | | 2025-12-11 | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-LogoffUser instruction prior V21.1.
CVE-2025-64995 | Medium | 6.5 | | 2025-12-11 | A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4.
CVE-2025-64994 | Medium | 6.5 | | 2025-12-11 | A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1.

Jenkins · 9 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67635 | High | 7.5 | | 2025-12-10 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.
CVE-2025-67641 | Medium | 5.4 | | 2025-12-10 | Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Confi…
CVE-2025-67640 | Medium | 5.0 | | 2025-12-10 | Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace dire…
CVE-2025-67643 | Medium | 4.3 | | 2025-12-10 | Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permissio…
CVE-2025-67642 | Medium | 4.3 | | 2025-12-10 | Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they ar…
CVE-2025-67638 | Medium | 4.3 | | 2025-12-10 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2025-67637 | Medium | 4.3 | | 2025-12-10 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkin…
CVE-2025-67636 | Medium | 4.3 | | 2025-12-10 | A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.
CVE-2025-67639 | Low | 3.5 | | 2025-12-10 | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account.

Unknown · 9 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-14010 | Critical | 9.8 | | 2025-12-12 | Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands.
CVE-2025-12835 | High | 7.3 | | 2025-12-12 | The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscribers, to delete arbitrary files on the server.
CVE-2025-13073 | High | 7.1 | | 2025-12-10 | The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such…
CVE-2025-13072 | High | 7.1 | | 2025-12-10 | The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such…
CVE-2025-13071 | High | 7.1 | | 2025-12-09 | The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-13070 | Medium | 6.6 | | 2025-12-09 | The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks.
CVE-2025-13031 | Medium | 5.9 | | 2025-12-09 | The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.
CVE-2025-12841 | Medium | 5.3 | | 2025-12-12 | The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugin's Stripe payment options.
CVE-2025-10684 | Medium | 4.3 | | 2025-12-12 | The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF checks when activating via an AJAX action, allowing any authenticated users, such as subscribers, to activate arbitrary .

Apache · 8 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-54947 | Critical | 9.8 | | 2025-12-12 | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists.
CVE-2025-58130 | Critical | 9.1 | | 2025-12-12 | Insufficiently Protected Credentials vulnerability in Apache Fineract.
CVE-2025-26866 | High | 8.8 | | 2025-12-12 | A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store.
CVE-2025-66675 | High | 8.2 | | 2025-12-10 | Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion.
CVE-2025-58137 | High | 8.1 | | 2025-12-12 | Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.
CVE-2025-54981 | High | 7.5 | | 2025-12-12 | Weak Encryption Algorithm in StreamPark. The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affect…
CVE-2025-23408 | Medium | 6.5 | | 2025-12-12 | Weak Password Requirements vulnerability in Apache Fineract.
CVE-2025-53960 | Medium | 5.9 | | 2025-12-12 | When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm).

Aqara · 8 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65294 | Critical | 9.8 | | 2025-12-10 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution.
CVE-2025-65295 | High | 8.1 | | 2025-12-10 | Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification.
CVE-2025-65297 | High | 7.5 | | 2025-12-10 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 automatically collect and upload unencrypted sensitive information.
CVE-2025-65291 | High | 7.4 | | 2025-12-10 | Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks o…
CVE-2025-65290 | High | 7.4 | | 2025-12-10 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic…
CVE-2025-65292 | High | 7.3 | | 2025-12-10 | Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 allows attackers to execute arbitrary commands with root privileges through malicious domain names.
CVE-2025-65293 | Medium | 6.6 | | 2025-12-10 | Command injection vulnerabilities in Aqara Camera Hub G3 4.1.9_0027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset.
CVE-2025-65296 | Medium | 6.5 | | 2025-12-10 | NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs.

Campcodes · 7 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14583 | High | 7.3 | | 2025-12-12 | A flaw has been found in campcodes Online Student Enrollment System 1.0.
CVE-2025-14529 | High | 7.3 | | 2025-12-11 | A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0.
CVE-2025-14515 | High | 7.3 | | 2025-12-11 | A vulnerability has been found in Campcodes Supplier Management System 1.0.
CVE-2025-14514 | High | 7.3 | | 2025-12-11 | A flaw has been found in Campcodes Supplier Management System 1.0.
CVE-2025-14209 | High | 7.3 | | 2025-12-08 | A weakness has been identified in Campcodes School File Management System 1.0.
CVE-2025-14582 | Medium | 4.7 | | 2025-12-12 | A vulnerability was detected in campcodes Online Student Enrollment System 1.0.
CVE-2025-14219 | Medium | 4.7 | | 2025-12-08 | A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0.

Commax Co., Ltd. · 7 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47719 | | | | 2025-12-09 | COMMAX WebViewer ActiveX Control 2.1.4.5 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions.
CVE-2021-47710 | | | | 2025-12-09 | COMMAX Smart Home System allows an unauthenticated attacker to disclose RTSP credentials in plain text by exploiting the /overview.asp endpoint.
CVE-2021-47709 | | | | 2025-12-09 | COMMAX Smart Home System allows an unauthenticated attacker to change configuration and cause denial-of-service through the setconf endpoint.
CVE-2021-47708 | | | | 2025-12-09 | COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'.
CVE-2021-47707 | | | | 2025-12-09 | COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose the RTSP stream.
CVE-2021-47706 | | | | 2025-12-09 | COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting…
CVE-2021-47705 | | | | 2025-12-09 | COMMAX UMS Client ActiveX Control 1.7.0.2 contains a heap-based buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions.

Thimpress · 7 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67526 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion. This issue affects Sailing: from n/a through < 4.4.6.
CVE-2025-67536 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress learnpress allows Stored XSS. This issue affects LearnPress: from n/a through <= 4.2.9.4.
CVE-2025-63011 | Medium | 5.9 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS. This issue affects WP Hotel Booking: from n/a through <= 2.2.8.
CVE-2025-67573 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sailing: from n/a through < 4.4.6.
CVE-2025-67594 | Medium | 4.3 | | 2025-12-09 | Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Elementor Kit: from n/a throu…
CVE-2025-63013 | Medium | 4.3 | | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data. This issue affects WP Hotel Booking: from n/a through <= 2.2.7.
CVE-2025-63012 | Medium | 4.3 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through <= 2.2.8.

Libbiosig_project · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66048 | Critical | 9.8 | | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1.
CVE-2025-66047 | Critical | 9.8 | | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1.
CVE-2025-66046 | Critical | 9.8 | | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1.
CVE-2025-66045 | Critical | 9.8 | | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1.
CVE-2025-66044 | Critical | 9.8 | | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1.
CVE-2025-66043 | Critical | 9.8 | | 2025-12-11 | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1.

Projectworlds · 6 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14571 | High | 7.3 | | 2025-12-12 | A vulnerability has been found in projectworlds Advanced Library Management System 1.0.
CVE-2025-14570 | High | 7.3 | | 2025-12-12 | A flaw has been found in projectworlds Advanced Library Management System 1.0.
CVE-2025-14527 | High | 7.3 | | 2025-12-11 | A weakness has been identified in projectworlds Advanced Library Management System 1.0.
CVE-2025-14212 | High | 7.3 | | 2025-12-08 | A flaw has been found in projectworlds Advanced Library Management System 1.0.
CVE-2025-14211 | High | 7.3 | | 2025-12-08 | A vulnerability was detected in projectworlds Advanced Library Management System 1.0.
CVE-2025-14210 | High | 7.3 | | 2025-12-08 | A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0.

Azeotech · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66589 | Critical | 9.1 | | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Read vulnerability can be exploited by an attacker to cause the program to read data past the end of an allocated buffer.
CVE-2025-66590 | High | 7.8 | | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an out-of-bounds write vulnerability can be exploited by an attacker to cause the program to write data past the end of an allocated memory buffer.
CVE-2025-66588 | High | 7.8 | | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an access of uninitialized pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution.
CVE-2025-66586 | High | 7.8 | | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), an access of resource using incompatible type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files.
CVE-2025-66585 | High | 7.8 | | 2025-12-11 | In AzeoTech DAQFactory release 20.7 (Build 2555), a use after free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files.

Enalean · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64497 | Medium | 6.5 | | 2025-12-08 | Tuleap is an Open Source Suite for management of software development and collaboration.
CVE-2025-65962 | Medium | 4.6 | | 2025-12-09 | Tuleap is a free and open source suite for management of software development and collaboration.
CVE-2025-64760 | Medium | 4.6 | | 2025-12-08 | Tuleap is a free and open source suite for management of software development and collaboration.
CVE-2025-64499 | Medium | 4.6 | | 2025-12-08 | Tuleap is a free and open source suite for management of software development and collaboration.
CVE-2025-64498 | Medium | 4.6 | | 2025-12-08 | Tuleap is an Open Source Suite for management of software development and collaboration.

Infinera · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-27020 | Critical | 9.8 | | 2025-12-08 | Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system.
CVE-2025-27019 | Critical | 9.8 | | 2025-12-08 | Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0.
CVE-2025-26487 | High | 8.6 | | 2025-12-08 | Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge.
CVE-2025-26488 | High | 7.5 | | 2025-12-08 | Improper Input Validation vulnerability in Infinera MTC-9 allows remote unauthenticated users to crash the service and cause a reboot of the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from…
CVE-2025-26489 | Medium | 6.5 | | 2025-12-08 | Improper input validation in the Netconf service in Infinera MTC-9 allows remote authenticated users to crash the service and reboot the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from R22…

Minidvblinux · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-53774 | Critical | 9.8 | | 2025-12-09 | MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems.
CVE-2023-53771 | Critical | 9.8 | | 2025-12-09 | MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication.
CVE-2023-53772 | High | 7.5 | | 2025-12-09 | MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the 'file' GET parameter.
CVE-2023-53770 | High | 7.5 | | 2025-12-09 | MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference.
CVE-2023-53773 | Medium | 5.3 | | 2025-12-09 | MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol.

Open Bmcs · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47701 | High | 8.8 | | 2025-12-09 | OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the update_user_permissions.php script.
CVE-2021-47718 | High | 7.5 | | 2025-12-09 | OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality.
CVE-2021-47703 | High | 7.2 | | 2025-12-09 | OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sess…
CVE-2021-47704 | Medium | 6.5 | | 2025-12-09 | OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code.
CVE-2021-47702 | Medium | 4.3 | | 2025-12-09 | OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint.

Selea · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47731 | Critical | 9.8 | | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page.
CVE-2021-47728 | Critical | 9.8 | | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands.
CVE-2021-47730 | High | 8.8 | | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication.
CVE-2021-47729 | Medium | 5.4 | | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains a stored cross-site scripting vulnerability in the 'files_list' parameter that allows attackers to inject malicious HTML and script code.
CVE-2021-47727 | Medium | 5.3 | | 2025-12-09 | Selea Targa IP OCR-ANPR Camera contains an unauthenticated vulnerability that allows remote attackers to access live video streams without authentication.

Wbce · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67504 | Critical | 9.1 | | 2025-12-09 | WBCE CMS is a content management system.
CVE-2025-34506 | High | 8.8 | | 2025-12-11 | WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules.
CVE-2024-58283 | High | 8.8 | | 2025-12-10 | WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager.
CVE-2025-65950 | High | 8.8 | | 2025-12-10 | WBCE CMS is a content management system.
CVE-2025-66204 | High | 8.1 | | 2025-12-09 | WBCE CMS is a content management system.

1panel-dev · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66446 | High | 8.8 | | 2025-12-11 | MaxKB is an open-source AI assistant for enterprise.
CVE-2025-66419 | High | 8.8 | | 2025-12-11 | MaxKB is an open-source AI assistant for enterprise.
CVE-2025-66507 | High | 7.5 | | 2025-12-09 | 1Panel is an open-source, web-based control panel for Linux server management.
CVE-2025-66508 | Medium | 6.5 | | 2025-12-09 | 1Panel is an open-source, web-based control panel for Linux server management.

Baowzh · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14522 | Medium | 6.3 | | 2025-12-11 | A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c.
CVE-2025-14520 | Medium | 5.4 | | 2025-12-11 | A weakness has been identified in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c.
CVE-2025-14521 | Medium | 4.3 | | 2025-12-11 | A security vulnerability has been detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c.
CVE-2025-14519 | Low | 3.5 | | 2025-12-11 | A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c.

Barracuda · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-34394 | Critical | 9.8 | | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types.
CVE-2025-34393 | Critical | 9.8 | | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not correctly verify the name of an attacker-controlled WSDL service, leading to insecure reflection.
CVE-2025-34392 | Critical | 9.8 | | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application.
CVE-2025-34395 | High | 7.5 | | 2025-12-10 | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service in which an unauthenticated attacker can invoke a method vulnerable to path traversal to read arbitrary files.

Cridiostudio · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63048 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <=…
CVE-2025-63046 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro-plugin allows DOM-Based XSS. This issue affects ListingPro: from n/a through <= 2.9.9.
CVE-2025-63049 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ListingPro Lead Form: from n/a through <= 1.0.7.
CVE-2025-63047 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.9.

D-Link · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13607 | Critical | 9.4 | | 2025-12-10 | A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.
CVE-2025-14225 | Medium | 6.3 | | 2025-12-08 | A vulnerability was determined in D-Link DCS-930L 1.15.04.
CVE-2025-14208 | Medium | 6.3 | | 2025-12-08 | A security flaw has been discovered in D-Link DIR-823X up to 20250416.
CVE-2025-14528 | Medium | 5.3 | | 2025-12-11 | A vulnerability was detected in D-Link DIR-803 up to 1.04.

Dbbroadcast · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-53740 | Critical | 9.8 | | 2025-12-10 | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials.
CVE-2023-53776 | High | 8.8 | | 2025-12-10 | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers.
CVE-2023-53741 | High | 8.1 | | 2025-12-10 | Screen SFT DAB 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP address-bound session identifiers.
CVE-2023-53775 | Medium | 6.5 | | 2025-12-10 | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change user passwords by exploiting weak session management controls.

Easyimages2.0_project · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65474 | Critical | 9.8 | | 2025-12-11 | An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to a SVG format.
CVE-2025-65473 | Critical | 9.1 | | 2025-12-11 | An arbitrary file rename vulnerability in the /admin/filer.php component of EasyImages 2.0 v2.8.6 and below allows attackers with Administrator privileges to execute arbitrary code via injecting a crafted payload into an uploaded file name.
CVE-2025-65472 | High | 8.8 | | 2025-12-11 | A Cross-Site Request Forgery (CSRF) in the /admin/admin.inc.php component of EasyImages 2.0 v2.8.6 and below allows attackers to escalate privileges to Administrator via user interaction with a malicious web page.
CVE-2025-65471 | High | 8.8 | | 2025-12-11 | An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file.

Eibiz · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-36892 | Critical | 9.8 | | 2025-12-10 | Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles.
CVE-2020-36895 | High | 7.5 | | 2025-12-10 | EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference.
CVE-2020-36894 | High | 7.5 | | 2025-12-10 | Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation.
CVE-2020-36893 | High | 7.5 | | 2025-12-10 | Eibiz i-Media Server Digital Signage 3.8.0 contains a directory traversal vulnerability that allows unauthenticated remote attackers to access files outside the server's root directory.

Howfor · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-36897 | Critical | 9.8 | | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts.
CVE-2020-36898 | Critical | 9.1 | | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication.
CVE-2020-36899 | High | 7.5 | | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' parameters.
CVE-2020-36896 | High | 7.5 | | 2025-12-10 | QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file.

Ivanti · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10573 | Critical | 9.6 | | 2025-12-09 | Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session.
CVE-2025-13659 | High | 8.8 | | 2025-12-09 | Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution.
CVE-2025-13662 | High | 7.8 | | 2025-12-09 | Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code.
CVE-2025-13661 | High | 7.1 | | 2025-12-09 | Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory.

Jetbrains · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67741 | Medium | 4.6 | | 2025-12-11 | In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute
CVE-2025-67742 | Low | 3.8 | | 2025-12-11 | In JetBrains TeamCity before 2025.11 path traversal was possible via file upload
CVE-2025-67739 | Low | 3.1 | | 2025-12-11 | In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure
CVE-2025-67740 | Low | 2.7 | | 2025-12-11 | In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata

Solaredge · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-36745 | High | 7.8 | | 2025-12-12 | SolarEdge SE3680H ships with an outdated Linux kernel containing unpatched vulnerabilities in core subsystems.
CVE-2025-36743 | Medium | 6.8 | | 2025-12-12 | SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands.
CVE-2025-36746 | Medium | 5.4 | | 2025-12-12 | SolarEdge monitoring platform contains a Cross-Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim's browser during a deletion attempt.
CVE-2025-36744 | Low | 2.4 | | 2025-12-12 | SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop.

Talent Software · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12504 | Critical | 9.8 | | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software UNIS allows SQL Injection.
CVE-2025-6924 | Medium | 5.4 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Reflected XSS.
CVE-2025-6923 | Medium | 5.4 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software UNIS allows Reflected XSS.
CVE-2025-10876 | Medium | 5.3 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Cross-Site Scripting (XSS).

Carmelo · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14223 | High | 7.3 | | 2025-12-08 | A vulnerability has been found in code-projects Simple Leave Manager 1.0.
CVE-2025-14230 | Medium | 6.3 | | 2025-12-08 | A vulnerability was detected in code-projects Daily Time Recording System 4.5.0.
CVE-2025-14531 | Medium | 4.3 | | 2025-12-11 | A vulnerability was found in code-projects Rental Management System 2.0.

Circl · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-42620 | | | | 2025-12-08 | In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS).
CVE-2025-42616 | | | | 2025-12-08 | Some endpoints in vulnerability-lookup that modified application state (e.g.
CVE-2025-42615 | | | | 2025-12-08 | In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification.
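
The last CIRCL entry is a missing control rather than a parsing bug: without a counter on failed OTP checks, a six-digit code can be brute-forced against an account whose password is already known. The block below is an added example of that control, written for this page; it is not code from vulnerability-lookup or from any project listed here. The account names, the expected code, the thresholds and the injectable clock are all constructed for the demo.

```python
"""Tracking and limiting failed OTP attempts during 2FA verification.

Added example (not vulnerability-lookup code): an in-memory limiter that
counts consecutive failed one-time-password checks per account and locks
verification after a threshold. MAX_FAILURES, LOCKOUT_SECONDS, the account
names and the expected code are constructed for the demo.
"""
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILURES = 5        # lock after this many consecutive wrong codes
LOCKOUT_SECONDS = 300   # how long verification stays locked


@dataclass
class OtpVerifier:
    expected_code: str                                   # what the TOTP/HOTP step yields server-side
    clock: Callable[[], float] = field(default_factory=lambda: time.monotonic)  # injectable for tests
    failures: dict = field(default_factory=dict)         # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)     # account -> unlock timestamp

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # lock expired: clear state so the user starts with a fresh budget
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def verify(self, account: str, submitted: str) -> str:
        """Return 'ok', 'bad_code' or 'locked'.

        A correct code is still rejected while locked; otherwise an attacker
        who keeps guessing through the lockout loses nothing by doing so."""
        if self.is_locked(account):
            return "locked"
        # constant-time comparison so the check itself does not leak digits
        if hmac.compare_digest(submitted, self.expected_code):
            self.failures.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "bad_code"


def demo() -> list[str]:
    """Five wrong guesses, the right code while locked, then the right code
    after the lock expires (constructed attempt sequence)."""
    now = [1000.0]
    v = OtpVerifier(expected_code="492817", clock=lambda: now[0])
    out = [v.verify("alice", c) for c in ("000000", "111111", "222222", "333333", "444444")]
    out.append(v.verify("alice", "492817"))  # correct, but the account is locked
    now[0] += LOCKOUT_SECONDS                # wait out the lock
    out.append(v.verify("alice", "492817"))
    return out


if __name__ == "__main__":
    print(demo())
```

The state here lives in a dict, so it resets with the process; a real deployment keeps the counter in the same store as the session so that restarts, multiple workers and a retried request all see one budget, and it usually records the lockout event for the SOC as well.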

Danny-avila · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66451 | Medium | 6.5 | | 2025-12-11 | LibreChat is a ChatGPT clone with additional features.
CVE-2025-66452 | Medium | 6.1 | | 2025-12-11 | LibreChat is a ChatGPT clone with additional features.
CVE-2025-66450 | Medium | 5.4 | | 2025-12-11 | LibreChat is a ChatGPT clone with additional features.

Dream-theme · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63076 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 Elements dt-the7-core allows PHP Local File Inclusion. This issue affects The7 Elements: from n/a thro…
CVE-2025-63074 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 dt-the7 allows PHP Local File Inclusion. This issue affects The7: from n/a through < 12.8.1.1.
CVE-2025-63073 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS. This issue affects The7: from n/a through < 12.9.0.

Facebook · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67779 | High | 7.5 | | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case.
CVE-2025-55184 | High | 7.5 | | 2025-12-11 | A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack…
CVE-2025-55183 | Medium | 5.3 | | 2025-12-11 | An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-t…

Fearlessgeekmedia · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-56431 | High | 7.5 | | 2025-12-10 | Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the file_get_contents() function.
CVE-2025-56430 | High | 7.5 | | 2025-12-10 | Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the deleteDirectory function.
CVE-2025-56429 | Medium | 6.1 | | 2025-12-10 | Cross Site Scripting vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to obtain sensitive information via the login.php component.

Fit2cloud · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-34429 | High | 7.1 | | 2025-12-10 | 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality.
CVE-2025-34410 | High | 7.1 | | 2025-12-10 | 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel).
CVE-2025-34430 | Medium | 4.3 | | 2025-12-10 | 1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality.

Frappe · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-10655 | High | 8.8 | | 2025-12-09 | SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0.
CVE-2025-67734 | Medium | 5.4 | | 2025-12-12 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content.
CVE-2025-67730 | Medium | 5.4 | | 2025-12-12 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content.
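
The HelpDesk entry names the root cause precisely: user-controlled parameters concatenated into dynamic SQL. The block below is an added example written for this page, not Frappe code and not the actual HelpDesk query; it uses a throwaway sqlite3 table with constructed rows to show how a crafted filter value widens a query, what the parameterised form does with the same input, and the allow-list needed for the one input a bind parameter cannot cover, a caller-chosen sort column. The injection string is constructed for the demo and not taken from the advisory.

```python
"""Dynamic SQL by string concatenation versus a parameterised query.

Added example (not Frappe HelpDesk code). Table, rows and the payload are
constructed for the demo.
"""
import sqlite3

SAMPLE_TICKETS = [  # constructed sample rows: id, owner, subject
    (1, "alice", "printer jammed"),
    (2, "alice", "vpn drops"),
    (3, "bob", "payroll export failing"),
    (4, "carol", "admin password reset"),
]

INJECTION = "alice' OR '1'='1"    # constructed payload
ALLOWED_SORT = {"id", "subject"}  # identifiers a caller may choose from


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER, owner TEXT, subject TEXT)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?, ?)", SAMPLE_TICKETS)
    return conn


def tickets_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    # VULNERABLE: the caller's value becomes part of the statement text
    sql = "SELECT id, owner, subject FROM ticket WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def tickets_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Bound parameter: sent separately from the statement, cannot change its shape
    sql = "SELECT id, owner, subject FROM ticket WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def tickets_sorted_safe(conn: sqlite3.Connection, owner: str, sort_by: str) -> list:
    # Column names cannot be bound, so validate them against an allow-list
    # before interpolating; the filter value stays a bound parameter
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT id, owner, subject FROM ticket WHERE owner = ? ORDER BY {sort_by}"
    return conn.execute(sql, (owner,)).fetchall()


def demo() -> dict:
    """Row counts for a normal filter and for the injected one, both ways."""
    conn = make_db()
    return {
        "unsafe_normal": len(tickets_unsafe(conn, "alice")),
        "unsafe_injected": len(tickets_unsafe(conn, INJECTION)),
        "safe_normal": len(tickets_safe(conn, "alice")),
        "safe_injected": len(tickets_safe(conn, INJECTION)),
    }


if __name__ == "__main__":
    print(demo())
```

The injected value turns the WHERE clause into `owner = 'alice' OR '1'='1'` and returns every ticket; the bound version looks for an owner literally named `alice' OR '1'='1` and returns nothing. Dashboard endpoints are where the identifier case bites, since field and sort names arrive from the client and cannot be bound, so they need an allow-list rather than quoting.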

Freepbx · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66039 | Critical | 9.8 | | 2025-12-09 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems.
CVE-2024-58294 | High | 8.8 | | 2025-12-11 | FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands.
CVE-2025-67513 | | | | 2025-12-10 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems.

Galaxy Software Services · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14255 | Medium | 6.5 | | 2025-12-08 | Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVE-2025-14254 | Medium | 6.5 | | 2025-12-08 | Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVE-2025-14253 | Medium | 4.9 | | 2025-12-08 | Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files.

Lenovo · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13155 | High | 7.8 | | 2025-12-10 | An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges.
CVE-2025-13152 | High | 7.8 | | 2025-12-10 | A potential DLL hijacking vulnerability was reported in Lenovo One Client during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges.
CVE-2025-12046 | High | 7.8 | | 2025-12-10 | A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions.

Netgear · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12946 | High | 7.5 | | 2025-12-09 | A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle techniques (MiTM) to manipulate DNS responses a…
CVE-2025-12945 | High | 7.2 | | 2025-12-09 | A vulnerability in NETGEAR Nighthawk R7000P routers lets an authenticated admin perform OS command injection due to improper input validation.
CVE-2025-12941 | Medium | 5.7 | | 2025-12-09 | Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users to reboot the router.

Pci-sig · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9614 | Medium | 6.5 | | 2025-12-09 | An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous se…
CVE-2025-9613 | Medium | 6.5 | | 2025-12-09 | A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the…
CVE-2025-9612 | Medium | 5.1 | | 2025-12-09 | An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or re…

Robocode · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14308 | Critical | 9.8 | | 2025-12-09 | An integer overflow vulnerability exists in the write method of the Buffer class in Robocode version 1.9.3.6.
CVE-2025-14306 | Critical | 9.1 | | 2025-12-09 | A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6.
CVE-2025-14307 | High | 8.1 | | 2025-12-09 | An insecure temporary file creation vulnerability exists in the AutoExtract component of Robocode version 1.9.3.6.

Saad Iqbal · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63030 | High | 7.1 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery. This issue affects New User Approve: from n/a through <= 3.2.3.
CVE-2025-67563 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through <= 3.6.1.
CVE-2025-67471 | Medium | 4.3 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form quick-contact-form allows Cross Site Request Forgery. This issue affects Quick Contact Form: from n/a through <= 8.2.5.

Spenetix Ag · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-36886 | High | 8.8 | | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation.
CVE-2020-36883 | High | 8.1 | | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters.
CVE-2020-36888 | Medium | 5.3 | | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts.

Thembay · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67532 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17.
CVE-2025-67530 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through <= 2.3.15.
CVE-2025-67528 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12.

Tornadoweb · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67726 | High | 7.5 | | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library.
CVE-2025-67725 | High | 7.5 | | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library.
CVE-2025-67724 | Medium | 5.4 | | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library.

Tripples · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67531 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Turitor turitor allows PHP Local File Inclusion. This issue affects Turitor: from n/a through < 1.5.3.
CVE-2025-67527 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion. This issue affects Digiqole: from n/a through < 2.2.7.
CVE-2025-67523 | High | 7.5 | | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion. This issue affects Exhibz: from n/a through <= 3.0.9.

Utt · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14535 | Critical | 9.8 | | 2025-12-11 | A vulnerability was identified in UTT 进取 512W up to 3.1.7.7-171114.
CVE-2025-14534 | Critical | 9.8 | | 2025-12-11 | A vulnerability was determined in UTT 进取 512W up to 3.1.7.7-171114.
CVE-2025-14572 | High | 8.8 | | 2025-12-12 | A vulnerability was found in UTT 进取 512W up to 1.7.7-171114.

Xbtitfm · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58309 | Critical | 9.8 | | 2025-12-11 | xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter.
CVE-2024-58312 | High | 7.5 | | 2025-12-11 | xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters.
CVE-2024-58313 | High | 7.2 | | 2025-12-11 | xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature.

Xwiki · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66474 | High | 8.8 | | 2025-12-10 | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc).
CVE-2025-66473 | High | 7.5 | | 2025-12-10 | XWiki is an open-source wiki software platform.
CVE-2025-66472 | Medium | 6.1 | | 2025-12-10 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

Yandex · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-5471 | High | 7.8 | | 2025-12-09 | Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.19.1.
CVE-2025-5470 | | | | 2025-12-09 | Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking. This issue affects Disk: before 3.2.45.3275.
CVE-2025-5469 | | | | 2025-12-09 | Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.245

Zauberzeug · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66645 | High | 7.5 | | 2025-12-09 | NiceGUI is a Python-based UI framework.
CVE-2025-66470 | Medium | 6.1 | | 2025-12-09 | NiceGUI is a Python-based UI framework.
CVE-2025-66469 | Medium | 6.1 | | 2025-12-09 | NiceGUI is a Python-based UI framework.

Zitadel · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67494 | Critical | 9.3 | | 2025-12-09 | ZITADEL is an open-source identity infrastructure tool.
CVE-2025-67495 | High | 8.0 | | 2025-12-09 | ZITADEL is an open-source identity infrastructure tool.
CVE-2025-67717 | Medium | 4.3 | | 2025-12-11 | ZITADEL is an open-source identity infrastructure tool.

Adata · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-61075 | High | 8.1 | - | 2025-12-09 | Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized…
CVE-2025-61074 | Medium | 4.6 | - | 2025-12-09 | A stored Cross Site Scripting (XSS) vulnerability in the bulletin board (SchwarzeBrett) in adata Software GmbH Mitarbeiter Portal 2.15.2.0 allows remote authenticated users to execute arbitrary JavaScript code in the web browser of other u…

Allskyteam · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65573 | High | 8.8 | - | 2025-12-09 | Cross Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to cause a denial of service via function handle_interface_POST_and_status.
CVE-2025-65572 | Medium | 6.1 | - | 2025-12-09 | Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php.

Asustor · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13052 | Medium | 5.9 | - | 2025-12-12 | When the user sets the Notification's sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in…
CVE-2025-13053 | Low | 3.7 | - | 2025-12-12 | When a user configures the NAS to retrieve UPS status or control the UPS, non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server to perform a man-in-the-middle (MI…

Auth0 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67716 | Medium | 5.7 | - | 2025-12-11 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.
CVE-2025-67490 | Medium | 5.4 | - | 2025-12-10 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.

Averta · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63045 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS. This issue affects Master Slider Pro: from n/a through <= 3.7.12.
CVE-2025-63071 | Medium | 5.3 | - | 2025-12-09 | Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data. This issue affects Shortcodes and extra features for Phlox theme…

Ays Pro · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67595 | Medium | 4.3 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery. This issue affects Quiz Maker: from n/a through <= 6.7.0.82.
CVE-2025-66529 | Medium | 4.3 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify chart-builder allows Cross Site Request Forgery. This issue affects Chartify: from n/a through <= 3.6.3.

Ays-pro · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14442 | Medium | 5.3 | - | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions…
CVE-2025-14159 | Medium | 4.3 | - | 2025-12-12 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2.

Barix · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65231 | Medium | 6.1 | - | 2025-12-08 | Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page.
CVE-2025-65230 | Medium | 5.4 | - | 2025-12-08 | Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input.

Crm Perks · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67587 | Medium | 4.7 | - | 2025-12-09 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Phishing. This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.
CVE-2025-67468 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms cf7-salesforce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue a…

Darendev · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14392 | Medium | 4.3 | - | 2025-12-12 | The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_theme_admin, display_method_admin, and set_change_theme_button_name actions in all versi…
CVE-2025-14391 | Medium | 4.3 | - | 2025-12-12 | The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.

Dell · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-46637 | High | 7.3 | - | 2025-12-09 | Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability.
CVE-2025-46636 | Medium | 6.6 | - | 2025-12-09 | Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability.

Dfdevelopment · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63036 | High | 7.5 | - | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion. This issue affects Ronneby Theme Core: f…
CVE-2025-63037 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows DOM-Based XSS. This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.

Elysiajs · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66456 | Critical | 9.8 | - | 2025-12-09 | Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication.
CVE-2025-66457 | High | 8.8 | - | 2025-12-09 | Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication.

Essential Plugin · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2022-46845 | Medium | 5.3 | - | 2025-12-09 | Missing Authorization vulnerability in Essential Plugin Slider a SlidersPack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slider a SlidersPack: from n/a before 2.3.
CVE-2025-67470 | Medium | 4.3 | - | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Essential Plugin Portfolio and Projects portfolio-and-projects allows Retrieve Embedded Sensitive Data. This issue affects Portfolio and Projects: f…

Ezcast · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13955 | - | - | - | 2025-12-10 | Predictable default Wi-Fi Password in Access Point functionality in EZCast Pro II before version 1.17478.177 allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifier…
CVE-2025-13954 | - | - | - | 2025-12-10 | Hard-coded cryptographic keys in Admin UI of EZCast Pro II before version 1.17478.177 allows attackers to bypass authorization checks and gain full access to the admin UI.

Flarum · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58303 | - | - | - | 2025-12-11 | FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates.
CVE-2024-58302 | - | - | - | 2025-12-11 | FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates.

Gnome · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14512 | Medium | 6.5 | - | 2025-12-11 | A flaw was found in glib.
CVE-2025-14087 | Medium | 5.6 | - | 2025-12-10 | A flaw was found in GLib (Gnome Lib).

Google Cloud · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12952 | - | - | - | 2025-12-10 | A privilege escalation vulnerability exists in Google Cloud's Dialogflow CX.
CVE-2025-9571 | - | - | - | 2025-12-10 | A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion.

Haxxorsid · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14568 | Medium | 6.3 | - | 2025-12-12 | A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0.
CVE-2025-14567 | Medium | 5.3 | - | 2025-12-12 | A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0.

Hippooo · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13339 | High | 7.5 | - | 2025-12-10 | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function.
CVE-2025-12655 | Medium | 5.3 | - | 2025-12-12 | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1.

Hogash · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63061 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hogash KALLYAS kallyas allows DOM-Based XSS. This issue affects KALLYAS: from n/a through < 4.25.0.
CVE-2025-63060 | Medium | 4.3 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in hogash KALLYAS kallyas allows Cross Site Request Forgery. This issue affects KALLYAS: from n/a through < 4.25.0.

Jacques Malgrange · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67534 | High | 7.1 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7.
CVE-2025-67558 | Medium | 5.9 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7.

Jbl · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-2104 | High | 8.8 | - | 2025-12-10 | Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service which could render the device unusable.
CVE-2024-2105 | Medium | 6.5 | - | 2025-12-10 | An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.

Jegtheme · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67538 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS. This issue affects JNews Gallery: from n/a through < 12.0.1.
CVE-2025-67591 | Medium | 4.3 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1.

Jishenghua · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67344 | Medium | 4.6 | - | 2025-12-12 | jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.
CVE-2025-67341 | Medium | 4.6 | - | 2025-12-12 | jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability.

Joe Dolson · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67592 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Calendar: from n/a through <= 3.6.16.
CVE-2025-64257 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in Joe Dolson My Tickets my-tickets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Tickets: from n/a through <= 2.1.0.

Kidaze · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14566 | High | 7.3 | - | 2025-12-12 | A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464.
CVE-2025-14565 | High | 7.3 | - | 2025-12-12 | A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464.

Labredescefetrj · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67501 | High | 8.8 | - | 2025-12-10 | WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users.
CVE-2025-67496 | Medium | 4.3 | - | 2025-12-09 | WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users.

Lambertgroup · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67518 | High | 8.5 | - | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection. This issue affects Accordion Slider PRO: from n/a throu…
CVE-2025-62093 | High | 8.5 | - | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection. This issue affects Image&Video FullSc…

Medivision · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-36902 | Critical | 9.8 | - | 2025-12-10 | UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter.
CVE-2020-36901 | High | 8.8 | - | 2025-12-10 | UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation.

Mercurycom · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65288 | Medium | 6.5 | - | 2025-12-09 | A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation.
CVE-2025-65289 | Medium | 6.1 | - | 2025-12-09 | A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hos…

Metagauss · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63007 | Medium | 4.3 | - | 2025-12-09 | Insertion of Sensitive Information Into Sent Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data. This issue affects EventPrime: from n/a through <= 4.2.4.1.
CVE-2025-63006 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.4.1.

Mikado-themes · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67515 | High | 8.8 | - | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.5.
CVE-2025-66532 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Powerlift: from n/a through < 3.2.1.

Netweblogic · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12408 | Medium | 5.3 | - | 2025-12-12 | The Events Manager – Calendar, Bookings, Tickets, and more!
CVE-2025-12407 | Medium | 4.3 | - | 2025-12-12 | The Events Manager – Calendar, Bookings, Tickets, and more!

Neuron-ai · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67510 | Critical | 9.4 | - | 2025-12-10 | Neuron is a PHP framework for creating and orchestrating AI Agents.
CVE-2025-67509 | High | 8.2 | - | 2025-12-10 | Neuron is a PHP framework for creating and orchestrating AI Agents.

Nootheme · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67524 | High | 7.5 | - | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion. This issue affects Jobmonster Ele…
CVE-2025-67522 | High | 7.5 | - | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster noo-jobmonster allows PHP Local File Inclusion. This issue affects Jobmonster: from n/a through <=…

Nvidia · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-33214 | High | 8.8 | - | 2025-12-09 | NVIDIA NVTabular for Linux contains a vulnerability in the Workflow component, where a user could cause a deserialization issue.
CVE-2025-33213 | High | 8.8 | - | 2025-12-09 | NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue.

Okta · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67505 | High | 8.4 | - | 2025-12-10 | Okta Java Management SDK facilitates interactions with the Okta management API.
CVE-2025-66033 | Medium | 5.3 | - | 2025-12-10 | Okta Java Management SDK facilitates interactions with the Okta management API.

Onelogin · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66568 | Critical | 9.1 | - | 2025-12-09 | The ruby-saml library implements the client side of a SAML authorization.
CVE-2025-66567 | Critical | 9.1 | - | 2025-12-09 | The ruby-saml library is for implementing the client side of a SAML authorization.

Opal_wp · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67529 | High | 7.5 | - | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP Fashion fashion2 allows PHP Local File Inclusion. This issue affects Fashion: from n/a through < 5.3.0.
CVE-2025-67525 | High | 7.5 | - | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion. This issue affects ekommart: from n/a through < 4.3.1.

Opicron · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62737 | Medium | 5.3 | - | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in opicron Image Cleanup image-cleanup allows Retrieve Embedded Sensitive Data. This issue affects Image Cleanup: from n/a through <= 1.9.2.
CVE-2025-62736 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in opicron Image Cleanup image-cleanup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Cleanup: from n/a through <= 1.9.2.

P-themes · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63066 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Stored XSS. This issue affects Porto Theme - Functionality: from n/a throu…
CVE-2025-63067 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a through < 3.7…

Powerdns · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-59030 | High | 7.5 | - | 2025-12-09 | An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
CVE-2025-59029 | Medium | 5.3 | - | 2025-12-09 | An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.

Premmerce · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13440 | Medium | 5.3 | - | 2025-12-12 | The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10.
CVE-2025-12783 | Medium | 4.3 | - | 2025-12-12 | The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13.

Quantumcloud · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67576 | Medium | 5.3 | - | 2025-12-09 | Missing Authorization vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through <= 8.8.3.
CVE-2025-67465 | Medium | 4.3 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Cross Site Request Forgery. This issue affects Simple Link Directory: from n/a through <= 8.8.3.

Red Hat · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14523 | High | 8.2 | - | 2025-12-11 | A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing.
CVE-2025-14082 | Low | 2.7 | - | 2025-12-10 | A flaw was found in Keycloak Admin REST (Representational State Transfer) API.

Rhys Wynne · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67557 | Medium | 5.9 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS. This issue affects WP eBay Product Feeds: from n/a through <=…
CVE-2025-67578 | Medium | 5.3 | - | 2025-12-09 | Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Email Capture: from n/a through <= 3.12.4.

Rockwell Automation · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9368 | - | - | - | 2025-12-09 | A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service.
CVE-2025-12807 | - | - | - | 2025-12-09 | A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints.

Ronald Huereca · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67586 | Medium | 4.7 | - | 2025-12-09 | Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Highlight and Share: from n/a through <= 5.2.0.
CVE-2025-64254 | Low | 2.7 | - | 2025-12-09 | Missing Authorization vulnerability in Ronald Huereca Photo Block photo-block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Block: from n/a through <= 1.5.1.

Select-themes · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67521 | High | 7.5 | - | 2025-12-09 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion. This issue affects Select Core: from n/a through…
CVE-2025-67539 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Select Core select-core allows DOM-Based XSS. This issue affects Select Core: from n/a through < 2.6.

Shahjahan Jewel · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67519 | High | 7.6 | - | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.3.
CVE-2025-67597 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in Shahjahan Jewel Fluent Booking fluent-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Booking: from n/a through <= 1.9.11.

Sizam · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63050 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam REHub Framework rehub-framework allows Stored XSS. This issue affects REHub Framework: from n/a through < 19.9.9.7.
CVE-2025-67565 | Medium | 5.3 | - | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam Rehub rehub-theme allows Retrieve Embedded Sensitive Data. This issue affects Rehub: from n/a through <= 19.9.9.1.

Stellarwp · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67467 | Medium | 5.4 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1.
CVE-2025-66533 | Medium | 5.3 | - | 2025-12-09 | Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1.

Stvs · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47723 | High | 8.8 | - | 2025-12-09 | STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests.
CVE-2021-47724 | Medium | 6.5 | - | 2025-12-09 | STVS ProVision 5.9.10 contains a path traversal vulnerability that allows authenticated attackers to access arbitrary files by manipulating the files parameter in the archive download functionality.

Tenda · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14526 | High | 8.8 | - | 2025-12-11 | A security flaw has been discovered in Tenda CH22 1.0.0.1.
CVE-2025-14286 | Medium | 5.3 | - | 2025-12-09 | A vulnerability was determined in Tenda AC9 15.03.05.14_multi.

Themehigh · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67553 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows DOM-Based XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5…
CVE-2025-67556 | Medium | 5.9 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows Stored XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2.

Tianocore · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-2296 | - | - | - | 2025-12-09 | EDK2 contains a vulnerability in BIOS where an attacker may cause "Improper Input Validation" by local access.
CVE-2024-38798 | - | - | - | 2025-12-09 | EDK2 contains a vulnerability in BIOS where an attacker may cause "Exposure of Sensitive Information to an Unauthorized Actor" by local access.

Traefik · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66490 | Medium | 6.5 | - | 2025-12-09 | Traefik is an HTTP reverse proxy and load balancer.
CVE-2025-66491 | Medium | 5.9 | - | 2025-12-09 | Traefik is an HTTP reverse proxy and load balancer.

Vcita · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67559 | Medium | 5.4 | - | 2025-12-09 | Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Online Booking &…
CVE-2025-67472 | Medium | 4.3 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery. This issue affects Online Booking & Scheduling Calendar for W…

Wago · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-41732 | Critical | 9.8 | - | 2025-12-10 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.
CVE-2025-41730 | Critical | 9.8 | - | 2025-12-10 | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.

Wpjobportal · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14293 | Medium | 6.5 | - | 2025-12-11 | The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function.
CVE-2025-14467 | Medium | 4.4 | - | 2025-12-12 | The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4.

Yalantis · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14516 | Medium | 6.3 | - | 2025-12-11 | A vulnerability was found in Yalantis uCrop 2.2.11.
CVE-2025-14517 | Medium | 5.3 | - | 2025-12-11 | A vulnerability was determined in Yalantis uCrop 2.2.11.

Zoom · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67460 | High | 7.8 | - | 2025-12-10 | Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access.
CVE-2025-67461 | Medium | 5.0 | - | 2025-12-10 | External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access.

3ds · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12956 | High | 8.7 | - | 2025-12-08 | A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's brows…

A1apps · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65814 | Medium | 6.5 | - | 2025-12-10 | A lack of security checks in the file import process of RHOPHI Analytics LLP Office App-Edit Word v6.4.1 allows attackers to execute a directory traversal.

Aarondoran · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67731 | High | 7.5 | - | 2025-12-12 | Servify Express is a Node.js package to start an Express server and log the port it's running on.

Addonsorg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14074 | Medium | 4.3 | - | 2025-12-12 | The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6…

Agile Logix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67516 | High | 8.5 | - | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection. This issue affects Store Locator WordPress: from n/a t…

Airlift · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67721 | High | 7.5 | - | 2025-12-12 | Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java.

Akaunting · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58293 | - | - | - | 2025-12-11 | Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields.

Akazanstev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62086 | Medium | 5.4 | - | 2025-12-09 | Missing Authorization vulnerability in akazanstev Яндекс Доставка (Boxberry) boxberry allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Яндекс Доставка (Boxberry): from n/a through <= 2.34.

Aksis Computer Services And Consulting Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13003 | High | 7.6 | - | 2025-12-11 | Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc.

Alekv · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67564 | Medium | 5.3 | - | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in alekv Pixel Manager for WooCommerce woocommerce-google-adwords-conversion-tracking-tag allows Retrieve Embedded Sensitive Data. This issue affects P…

Alex Furr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-49341 | High | 7.1 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Alex Furr PDF Creator Lite pdf-creator-lite allows Stored XSS. This issue affects PDF Creator Lite: from n/a through <= 1.2.

Alex Prokopenko / Justcoded · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62871Medium4.32025-12-09Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery.This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1.

Alexdtn · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14137Medium6.12025-12-12The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping.

Algernon_project · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65754Medium6.12025-12-10Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename.

Algosec · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-12381High7.82025-12-09Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection.

Aliasrobotics · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67511Critical9.62025-12-11Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation.

All-dynamics · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2020-36900High8.82025-12-10All-Dynamics Digital Signage System 2.0.2 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation.

Amans2k · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14169High7.52025-12-12The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user s…

Ami · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-58770High8.82025-12-12APTIOV contains a vulnerability in BIOS where a user may cause “Improper Handling of Insufficient Permissions or Privileges” by local access.

Andondesign · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63062High7.52025-12-09Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion.This issue affects UDesign Core: from n/a throu…

Andrew Lima · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67575Medium5.32025-12-09Missing Authorization vulnerability in Andrew Lima Sitewide Notice WP sitewide-notice-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sitewide Notice WP: from n/a through <= 2.4.1.

Andru1 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14125Medium6.12025-12-12The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping.

Anydesk · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-344992025-12-11AnyDesk 7.0.15 and 9.0.1 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges.

Apasionados · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62102Medium4.32025-12-09Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case dofollow-case-by-case allows Cross Site Request Forgery.This issue affects DoFollow Case by Case: from n/a through <= 3.5.1.

Apc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-583102025-12-11APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters.

Apprain · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58279High8.82025-12-10appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint.

Apprhyme · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14045Medium4.32025-12-12The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1.

Apustheme · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13764Critical9.82025-12-11The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16.

Argoproj · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66626High8.12025-12-09Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes.

Arscode · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63059Medium6.52025-12-09Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arscode Ninja Popups arscode-ninja-popups allows Stored XSS.This issue affects Ninja Popups: from n/a through <= 4.7.8.

Artplacer · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67517High8.52025-12-09Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2.

Ashanjay · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63064Medium6.52025-12-09Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Stored XSS.This issue affects EventON: from n/a through <= 4.9.12.

Astro · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66202Medium6.52025-12-09Astro is a web framework.

Atcom Technology Co., Ltd. · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58314High8.82025-12-12Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands.

Awanhrp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14393Medium6.42025-12-12The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping.

Ayothemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14143Medium6.42025-12-12The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping.

Azuracast · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67737Low3.12025-12-12AzuraCast is a self-hosted, all-in-one web radio management suite.

Azuriom · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65271High8.82025-12-08Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session.

B3log · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67488High7.82025-12-09SiYuan is self-hosted, open source personal knowledge management software.

Badi Jones · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-59132Medium4.32025-12-09Cross-Site Request Forgery (CSRF) vulnerability in Badi Jones Duplicate Content Cure duplicate-content-cure allows Cross Site Request Forgery.This issue affects Duplicate Content Cure: from n/a through <= 1.0.

Bannersky · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-4970Medium5.52025-12-12The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping.

Beaverbuilder · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-12558Medium4.32025-12-09The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function.

Bertha Ai – Andrew Palmer · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62085Medium5.32025-12-09Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.

Bestwebsoft · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63056Medium4.32025-12-09Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by BestWebSoft: from n/a through <=…

Bitdefender · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-7073High7.82025-12-10A local privilege escalation vulnerability in Bitdefender Total Security versions prior to 27.0.47.241 allows low-privileged attackers to elevate privileges.

Blair Williams · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67537Medium6.52025-12-09Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Stored XSS.This issue affects ThirstyAffiliates: from n/a through <= 3.11.8.

Blazethemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13334High8.12025-12-12The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13.

Bmc Software · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-582982025-12-11Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form.

Bobbingwide · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67549Medium6.52025-12-09Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS.This issue affects oik: from n/a through <= 4.15.3.

Bobvanoorschot · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13840Medium6.42025-12-12The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu_search' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization an…

Boldthemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14032Medium6.42025-12-12The Bold Timeline Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'bold_timeline_group' shortcode in all versions up to, and including, 1.2.7 due to insufficient input sanitization an…

Bowo · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64255Low2.72025-12-09Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin and Site Enhancements (ASE): from n/a th…

Brainstorm Force · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2023-23729Medium5.42025-12-09Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0.

Brightsign, Llc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2020-368842025-12-10BrightSign Digital Signage Diagnostic Web Server 8.2.26 and less contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service.

Brother Industries, Ltd. · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64696Low3.32025-12-09Android App "Brother iPrint&Scan" versions 6.13.7 and earlier improperly uses an external cache directory.

Buntegiraffe · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13884Medium6.42025-12-12The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitizati…

C-ares · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62408Medium5.92025-12-08c-ares is an asynchronous resolver library.

Campay · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-12883Medium5.32025-12-12The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2.

Canonical · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-5467Low3.32025-12-10It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.

Carmelogarcia · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14222Medium6.32025-12-08A flaw has been found in code-projects Employee Profile Management System 1.0.

Cashu · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65548Critical9.12025-12-08NUT-14 allows cashu tokens to be created with a preimage hash.

Catch Themes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67543Medium6.52025-12-09Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS.This issue affects Essential Widgets: from n/a through <= 2.2.2.

Cdpenergy · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65287Medium4.32025-12-09An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files.

Chancms · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65602Critical9.82025-12-10A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.

Chmln · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65807High8.42025-12-10An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command.

Chyrp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58285Medium5.42025-12-10Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles.

Cisa · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67634Medium4.42025-12-12The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields.

Cleantalk · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13604High7.22025-12-09The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output esc…

Cleverdisplay B.v. · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-367552025-12-12The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions.

Cloudlinux · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65530High8.82025-12-12An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file.

Cmsimple · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58280High8.82025-12-10CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files.

Code Amp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62996Medium4.32025-12-09Missing Authorization vulnerability in Code Amp Custom Layouts – Post + Product grids made easy custom-layouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Layouts – Post + Product grids…

Codeworkweb · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67473Medium4.32025-12-09Cross-Site Request Forgery (CSRF) vulnerability in codeworkweb CWW Companion cww-companion allows Cross Site Request Forgery.This issue affects CWW Companion: from n/a through <= 1.3.2.

Codnloc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13987Medium4.32025-12-12The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2.

Connectwise · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14265Critical9.12025-12-11In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users.

Constant Contact · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67580Medium5.32025-12-09Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Constant Contact + WooCommerce…

Containernetworking · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67499Medium6.62025-12-10The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container.

Conveythis · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62152Medium5.32025-12-09Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.2.

Coohom · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65300Medium5.42025-12-09A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rende…

Cpanel · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66429High8.82025-12-11An issue was discovered in cPanel 110 through 132.

Cronosweb I2a · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-413582025-12-10Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive.

Cslanet · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66631Critical9.82025-12-09CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications.

Cszcms · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58307High8.82025-12-11CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries.

Cvedovini · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13886High7.52025-12-12The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization.

Cytechltd · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14064Medium5.42025-12-12The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0.

Datagear · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-65792Critical9.12025-12-10DataGear v5.5.0 is vulnerable to Arbitrary File Deletion.

David Lingren · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63065Medium5.32025-12-09Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media LIbrary Assist…

Davidkeen · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13960Medium6.42025-12-12The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gpxpress' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attr…

Denx · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-24857High7.62025-12-10Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbit…

Developerke · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14165Medium4.32025-12-12The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.

Digitaldruid · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-55816Medium6.12025-12-11HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file.

Digitalpa S.r.l. · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-344132025-12-09Legality WHISTLEBLOWING by DigitalPA contains a protection mechanism failure in which critical HTTP security headers are not emitted by default.

Dimitri Grassi · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66531Medium4.32025-12-09Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery.This issue affects Salon booking system: from n/a through <= 10.30.3.

Docker · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13743High7.52025-12-09Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization.

Dormakaba · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58311Critical9.82025-12-12Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier.

Dotclear · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58281High8.82025-12-10Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality.

Doubledome · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14354Medium4.32025-12-12The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.

Dr.buho · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13733High7.82025-12-12BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoNTFS: 1.3.2.

E4jvikwp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14049Medium6.12025-12-12The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output…

Easy Payment · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63023Medium5.32025-12-09Missing Authorization vulnerability in Easy Payment Payment Gateway for PayPal on WooCommerce woo-paypal-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Gateway for PayPal on WooCo…

Efm · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14485Medium5.02025-12-11A weakness has been identified in EFM ipTIME A3004T 14.19.0.

Elastic Email · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66525Medium4.32025-12-09Missing Authorization vulnerability in Elastic Email Elastic Email Sender elastic-email-sender allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elastic Email Sender: from n/a through <= 1.2.20.

Elated Themes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13613Critical9.82025-12-10The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2.

Elated-themes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66534Medium4.32025-12-09Missing Authorization vulnerability in Elated-Themes The Aisle theaisle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Aisle: from n/a through <= 2.9.

Elecom Co.,ltd. · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66271Medium6.72025-12-09Clone for Windows provided by ELECOM CO.,LTD.

Elementor · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67588Medium4.32025-12-09Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.33.0.

Elements · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-582902025-12-11Xhibiter NFT Marketplace 1.10.2 contains a SQL injection vulnerability in the collections endpoint that allows attackers to manipulate database queries through the 'id' parameter.

Elkarte · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-582952025-12-11ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process.

Emby · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-64113Critical9.82025-12-09Emby Server is a user-installable home media server.

Emlog · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-61318Critical9.12025-12-08Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability.

Emrevona · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-10583Low3.52025-12-12The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action.

Entrust Corporation · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-344142025-12-09Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled…

Ergonet · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62867Medium4.32025-12-09Missing Authorization vulnerability in ergonet Ergonet Cache ergonet-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ergonet Cache: from n/a through <= 1.0.13.

Essekia · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-66526Medium4.32025-12-09Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tablesome: from n/a through <= 1.1.34.

Eupago · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62870Medium5.32025-12-09Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eupago Gateway For Woocommerce: from n/a…

Eurisko · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13969Medium6.42025-12-12The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output…

Evan Herman · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62865Medium5.32025-12-09Missing Authorization vulnerability in Evan Herman Post Cloner post-cloner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Cloner: from n/a through <= 1.0.0.

Expresstech Systems · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-63054Medium5.32025-12-09Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3…

Falselight · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13963Medium6.42025-12-12The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxcc_convert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on…

Fernandobt · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-10163Medium6.52025-12-11The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplie…

Filamentphp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67507High8.12025-12-10Filament is a collection of full-stack components for accelerated Laravel development.

Fireplugins · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67545Medium6.52025-12-09Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirePlugins FireBox firebox allows Stored XSS.This issue affects FireBox: from n/a through <= 3.1.0-free.

Flashyapp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62873Medium4.32025-12-09Cross-Site Request Forgery (CSRF) vulnerability in Flashyapp WP Flashy Marketing Automation wp-flashy-marketing-automation allows Cross Site Request Forgery.This issue affects WP Flashy Marketing Automation: from n/a through <= 2.0.8.

Flatboard · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-582912025-12-11Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields.

Flexmls · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67585Medium4.72025-12-09URL Redirection to Untrusted Site ('Open Redirect') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Phishing.This issue affects Flexmls® IDX: from n/a through <= 3.15.7.

Flipper Code - Wordpress Development Company · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67535Medium6.62025-12-09Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection.This issue affects WP Maps: from n/a through <= 4.8.6.

Flow-scanner · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67750High8.42025-12-12Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows.

Formio · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-677182025-12-11Form.io is a combined Form and API platform for Serverless applications.

Foxtheme · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13408Medium4.32025-12-12The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2.

Foysal Imran · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67583Medium5.32025-12-09Missing Authorization vulnerability in Foysal Imran IDonate idonate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IDonate: from n/a through <= 2.1.15.

Frapesce · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13366Medium4.32025-12-12The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.

Freeimage_project · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-65803 · Medium · 6.5 · - · 2025-12-10 · An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file.

Fuelthemes · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63003 · High · 7.5 · - · 2025-12-09 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North - Required Plugin north-plugin allows PHP Local File Inclusion. This issue affects North - Required Pl…

Gallerycreator · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63052 · Medium · 6.5 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.3.2.1.

Gardener · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67508 · High · 8.4 · - · 2025-12-12 · gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools.

Genexus · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-58288 · - · - · - · 2025-12-11 · Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration.
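The Genexus entry above is an instance of the unquoted service path bug class. As an added example (not Genexus code; the ImagePath values and service names below are constructed for the demo and do not claim to reproduce the real protsrvservice configuration), the following check lists the executables the Windows service control manager would try before the intended binary, which is exactly what a triage script or a hardening audit needs to know:

```python
"""Unquoted service path triage (added example, not vendor code).

For an unquoted ImagePath that contains spaces, CreateProcess treats each
space as a possible end of the program name and tries `<prefix>.exe` for
every prefix in turn until one exists. A local user who can write any of
those files runs as the service account at the next service start.
"""
from typing import Dict, List

# Heuristic exclusion: default ACLs under C:\Windows block unprivileged
# writes, so hits there are usually noise. Confirm with `icacls` on the host.
SYSTEM_PREFIX = "c:\\windows\\"


def exploitable_candidates(image_path: str) -> List[str]:
    """Return the hijack candidates that Windows would try before the
    intended executable. Empty list means the path is not ambiguous."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                      # quoted: the program name is unambiguous
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break                      # reached the real binary; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def triage(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> hijack candidates outside C:\\Windows."""
    findings = {}
    for name, image_path in services.items():
        cands = [c for c in exploitable_candidates(image_path)
                 if not c.lower().startswith(SYSTEM_PREFIX)]
        if cands:
            findings[name] = cands
    return findings


def sample_services() -> Dict[str, str]:
    """Constructed ImagePath values for the demo (hypothetical, not real
    registry data)."""
    return {
        # unquoted, two spaces before the binary: two hijack candidates
        "protsrvservice_demo": r"C:\Program Files\Genexus\Protection Server\protsrv.exe",
        # quoted: safe even though the path contains spaces
        "quoted_demo": r'"C:\Program Files\Vendor\Agent Service\agent.exe" --service',
        # unquoted but no space before the binary: arguments do not matter
        "args_only_demo": r"C:\Tools\svc.exe -k netsvcs",
        # system path: listed by the raw check, filtered by triage()
        "system_demo": r"C:\Windows\Shared Tools\helper.exe",
    }


if __name__ == "__main__":
    for name, cands in triage(sample_services()).items():
        print(name)
        for c in cands:
            print("   would try first:", c)
```

On a live host the same logic is fed from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath`; the fix is to quote the path (`sc config <name> binPath= "\"C:\path with spaces\svc.exe\""`) or to install under a directory without spaces.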

Get Bowtied · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67544 · Medium · 6.5 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Get Bowtied Shopkeeper Extender shopkeeper-extender allows Stored XSS. This issue affects Shopkeeper Extender: from n/a through < 7.0.

Ggml-org · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14569 · Medium · 5.3 · - · 2025-12-12 · A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2.

Github · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14046 · Medium · 6.1 · - · 2025-12-11 · An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands.

Gladinet · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14611 · Critical · 9.8 · KEV · 2025-12-12 · Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme.

Gofiber · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-66565 · Critical · 9.8 · - · 2025-12-09 · Fiber Utils is a collection of common functions created for Fiber.

Gogs · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-8110 · High · 8.8 · KEV · 2025-12-10 · Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

Graham · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62153 · Medium · 5.3 · - · 2025-12-09 · Missing Authorization vulnerability in Graham Quick Interest Slider quick-interest-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Interest Slider: from n/a through <= 3.1.7.

Grassroots · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-11266 · Medium · 6.6 · - · 2025-12-12 · An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM).

Gravitec.net - Web Push Notifications · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62869 · Medium · 4.3 · - · 2025-12-09 · Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affec…

Gs Yuasa International Ltd. · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-66461 · Medium · 6.7 · - · 2025-12-08 · FULLBACK Manager Pro provided by GS Yuasa International Ltd.

Gtt · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13953 · - · - · - · 2025-12-10 · Bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method.

Happymonster · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63077 · Medium · 4.3 · - · 2025-12-09 · Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Happy Addons for Elementor: from n/a through <…

Hashenudara · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-66918 · High · 8.8 · - · 2025-12-11 · edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting (XSS) in admin/add-session.php via the "title" parameter.

Hassantafreshi · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67577 · Medium · 5.3 · - · 2025-12-09 · Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.8.20.

Hcl Software · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-42197 · Medium · 5.5 · - · 2025-12-11 · HCL Workload Scheduler stores user credentials in plain text which can be read by a local user.

Hiroaki Miyashita · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63058 · Medium · 4.3 · - · 2025-12-09 · Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Hiroaki Miyashita Custom Field Template custom-field-template allows Retrieve Embedded Sensitive Data. This issue affects Custom Field Template: fro…

Hp · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-11531 · High · 8.8 · - · 2025-12-09 · HP System Event Utility and Omen Gaming Hub might allow execution of certain files outside of their restricted paths.

Humanityco · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67554 · Medium · 5.9 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS. This issue affects Cookie Notice & Compliance for G…

Hummerrisk · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63721 · High · 8.8 · - · 2025-12-08 · HummerRisk through v1.5.0 uses a vulnerable SnakeYAML component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.

Hype · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-49348 · Medium · 5.3 · - · 2025-12-09 · Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hype: from n/a through <= 1.0.5.

Hypr · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-8273 · High · 8.8 · - · 2025-12-11 · Authentication Bypass by Spoofing vulnerability in HYPR Server allows Identity Spoofing. This issue affects Server: before 10.1.

Ibexa · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67719 · - · - · - · 2025-12-11 · Ibexa is a composable end-to-end DXP (Digital Experience Platform).

Ice00 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13747 · Medium · 6.4 · - · 2025-12-12 · The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user…

Icegram · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-12348 · Medium · 5.3 · - · 2025-12-12 · The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10.

Ideacms · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14245 · High · 7.3 · - · 2025-12-08 · A vulnerability has been found in IdeaCMS up to 1.8.

Ilevia · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14276 · Medium · 5.6 · - · 2025-12-08 · A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden.

Im Park Information Technology, Electronics, Press, Publishing And Advertising, Education Ltd. Co. · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13125 · Medium · 4.3 · - · 2025-12-10 · Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd.

Imagemagick · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-66628 · High · 7.5 · - · 2025-12-10 · ImageMagick is a software suite to create, edit, compose, or convert bitmap images.

Imaqpress · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13363 · Medium · 4.3 · - · 2025-12-12 · The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1.

Imran3229 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13885 · Medium · 6.4 · - · 2025-12-12 · The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and o…

Infility · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-12968 · High · 8.8 · - · 2025-12-12 · The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42.

Infinitum Form · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62109 · Medium · 5.3 · - · 2025-12-09 · Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data. This issue affects Geo Controller: from n/a through <= 8.9.4.

Insyde Software · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-10451 · High · 8.2 · - · 2025-12-12 · An unchecked output buffer may allow arbitrary code execution in SMM and potentially result in SMM memory corruption.

Intellichoice · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2021-47717 · - · - · - · 2025-12-09 · IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter.

Iworks · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-12960 · Medium · 6.5 · - · 2025-12-12 · The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode.

Izuchy · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13975 · Medium · 4.4 · - · 2025-12-12 · The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output esca…

Jbrinley · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-11876 · Medium · 6.4 · - · 2025-12-12 · The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and outpu…

Jegstudio · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62090 · Medium · 6.5 · - · 2025-12-09 · Missing Authorization vulnerability in Jegstudio Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons gutenverse-news allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Ne…

Jenyay · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13839 · Medium · 6.4 · - · 2025-12-12 · The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user…

Jeremybmerrill · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14035 · Medium · 4.4 · - · 2025-12-12 · The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping.

Jihai · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14259 · Medium · 6.3 · - · 2025-12-08 · A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0.

Jk · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62872 · Medium · 4.3 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in JK Social Photo Fetcher facebook-photo-fetcher allows Cross Site Request Forgery. This issue affects Social Photo Fetcher: from n/a through <= 3.0.4.

Jmri · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14311 · - · - · - · 2025-12-09 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JMRI. This issue affects JMRI: before 5.13.3.

Joel · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62735 · Medium · 5.3 · - · 2025-12-09 · Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Joel User Spam Remover user-spam-remover allows Retrieve Embedded Sensitive Data. This issue affects User Spam Remover: from n/a through <= 1.1.

Joinmastodon · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67500 · Low · 3.7 · - · 2025-12-10 · Mastodon is a free, open-source social network server based on ActivityPub.

Jonahsc · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14048 · Medium · 4.4 · - · 2025-12-12 · The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping.

Jupitercow · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-49347 · High · 7.1 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS. This issue affects WP sIFR: from n/a through <= 0.6.8.1.

Justdave · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14160 · Medium · 4.3 · - · 2025-12-12 · The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4.

Jxlindia · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63895 · High · 7.5 · - · 2025-12-10 · An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) packet.

Klemmkeil · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13962 · Medium · 6.4 · - · 2025-12-12 · The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supp…

Knime · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14262 · Medium · 4.3 · - · 2025-12-08 · A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if they had been saved by the job owner.

Kodcloud · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-34504 · Medium · 6.1 · - · 2025-12-11 · KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter.

Kubiq · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67469 · Medium · 4.3 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator pdf-thumbnail-generator allows Cross Site Request Forgery. This issue affects PDF Thumbnail Generator: from n/a through <= 1.4.

Ladislavsoukupgmailcom · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13850 · Medium · 6.4 · - · 2025-12-12 · The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping.

Langchain · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67644 · High · 7.3 · - · 2025-12-11 · LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite).

Lazycoders · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-12963 · Critical · 9.8 · - · 2025-12-12 · The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29.

Lepton-cms · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-56704 · High · 8.8 · - · 2025-12-09 · LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files.

Lesion · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13904 · Medium · 6.4 · - · 2025-12-12 · The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gancio-event' shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user supplied…

Lester Chan · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67541 · Medium · 6.5 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-ShowHide wp-showhide allows Stored XSS. This issue affects WP-ShowHide: from n/a through <= 1.05.

Levelfourdevelopment · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62997 · Medium · 5.3 · - · 2025-12-09 · Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data. This issue affects WP EasyCart: from n/a through <= 5.8.11.

Libcoap · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-59391 · Medium · 6.5 · - · 2025-12-08 · A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches.

Libimobiledevice · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-66004 · Medium · 5.7 · - · 2025-12-10 · A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user. This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba.

Litmuschaos · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14261 · High · 7.1 · - · 2025-12-08 · The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack.

Liton Arefin · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63055 · Medium · 6.5 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through…

Looks_awesome · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13866 · Medium · 6.4 · - · 2025-12-12 · The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5.

Ludwigyou · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14166 · Medium · 5.3 · - · 2025-12-12 · The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0.

Lyrion · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-65229 · Medium · 4.6 · - · 2025-12-08 · A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3.

M.code · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62734 · Medium · 4.3 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in M.Code Media Library Downloader media-library-downloader allows Cross Site Request Forgery. This issue affects Media Library Downloader: from n/a through <= 1.4.0.

Maartenbelmans · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13924 · Medium · 4.3 · - · 2025-12-09 · The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17.

Machphy · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67485 · Medium · 5.3 · - · 2025-12-10 · mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies.

Magblogapi · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14162 · Medium · 4.3 · - · 2025-12-12 · The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4.

Mailerlite · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13993 · Medium · 5.5 · - · 2025-12-12 · The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanit…

Malwarebytes · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2023-29144 · Low · 3.3 · - · 2025-12-12 · Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios.

Marcoingraiti · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-49350 · Medium · 4.3 · - · 2025-12-09 · Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Actionwear products sync: from n/a through <=…

Mario Peshev · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62740 · Medium · 5.3 · - · 2025-12-09 · Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.6.

Markutos987 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13314 · Medium · 5.3 · - · 2025-12-12 · The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on t…

Masacms · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-66492 · High · 8.2 · - · 2025-12-12 · Masa CMS is an open source Enterprise Content Management platform.

Matrix · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-66622 · High · 7.5 · - · 2025-12-09 · matrix-sdk-base is the base component to build a Matrix client library.

Mayuri-chan · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67720 · Medium · 6.5 · - · 2025-12-11 · Pyrofork is a modern, asynchronous MTProto API framework.

Microweber · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-58289 · Medium · 5.4 · - · 2025-12-11 · Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields.

Minalic · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-58306 · - · - · - · 2025-12-11 · minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests.

Mineadmin · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-65854 · Critical · 9.8 · - · 2025-12-12 · Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allow attackers to execute arbitrary commands and achieve a full account takeover.

Miniflux · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67713 · Medium · 6.1 · - · 2025-12-11 · Miniflux 2 is an open source feed reader.

Miyagawa · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2013-10031 · High · 7.5 · - · 2025-12-09 · Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks.
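Two entries in this section concern the same primitive, HMAC-SHA256 over a session token: CVE-2013-10031 (Plack-Middleware-Session, a MAC comparison that is not constant-time) and CVE-2025-14261 above (Litmus, a JWT signing secret of only 6 bytes). The block below is an added example, not code from Plack, Litmus or any project on this page: it signs an HS256 JWT, shows the naive comparison beside the constant-time one, and brute-forces a deliberately short secret offline from a single captured token. The secret, claims and alphabet are constructed for the demo; nothing here describes how either product actually derives its key.

```python
"""HMAC/JWT example (added; not vendor code).

Illustrates the two failure modes named in the entries above:
  1. comparing a MAC with plain equality (timing side channel), versus
     hmac.compare_digest;
  2. a secret small enough that the HS256 signature on one valid token is
     enough to recover it offline and then mint arbitrary tokens.
"""
import base64
import hashlib
import hmac
import itertools
import json
import string
from typing import Optional

LOWERCASE = string.ascii_lowercase


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(claims: dict, secret: bytes) -> str:
    """Build a compact JWT: header.payload.signature with alg=HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def _expected_sig(token: str, secret: bytes) -> tuple:
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return expected, b64url_decode(sig)


def verify_naive(token: str, secret: bytes) -> bool:
    """The CVE-2013-10031 pattern: a plain equality test, which is not
    specified to take the same time regardless of where the bytes differ,
    so an attacker can probe the MAC byte by byte from response timing."""
    expected, presented = _expected_sig(token, secret)
    return expected == presented


def verify_safe(token: str, secret: bytes) -> bool:
    """Fixed form: compare_digest runs in time independent of the input."""
    expected, presented = _expected_sig(token, secret)
    return hmac.compare_digest(expected, presented)


def crack_hs256(token: str, alphabet: str, max_len: int) -> Optional[bytes]:
    """Offline brute force of the HS256 secret from one valid token.
    No requests are made to the issuing server."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    target = b64url_decode(sig)
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet.encode(), repeat=n):
            secret = bytes(cand)
            mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(mac, target):
                return secret
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a fixed-length secret; 26**6 lowercase secrets are
    a few hundred million HMACs, minutes on one core."""
    return alphabet_size ** length


def demo() -> dict:
    secret = b"xyz"                                   # constructed weak secret
    token = hs256_sign({"sub": "user", "role": "viewer"}, secret)
    cracked = crack_hs256(token, LOWERCASE, 3)
    forged = hs256_sign({"sub": "user", "role": "admin"}, cracked) if cracked else None
    return {
        "valid": verify_safe(token, secret),
        "wrong_key_rejected": not verify_safe(token, b"xyy"),
        "cracked": cracked,
        "forged_accepted": forged is not None and verify_safe(forged, secret),
        "lowercase_6": keyspace(26, 6),
        "full_6": keyspace(256, 6),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The demo secret is three lowercase bytes so the search finishes instantly; the keyspace figures show why six bytes is still far too few. The remedy on both sides is the same as for any HMAC deployment: a secret of at least 32 random bytes, and a constant-time comparison on verification.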

Mmattax · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62738 · Medium · 5.3 · - · 2025-12-09 · Missing Authorization vulnerability in mmattax Formstack Online Forms formstack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Formstack Online Forms: from n/a through <= 2.0.2.

Mongodb · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14345 · Medium · 4.2 · - · 2025-12-09 · A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short…

Moxa · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-9315 · - · - · - · 2025-12-10 · An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series.

Muffingroup · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63075 · Medium · 6.5 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in muffingroup Betheme betheme allows DOM-Based XSS. This issue affects Betheme: from n/a through <= 28.2.

Multiparcels · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62995 · Medium · 4.3 · - · 2025-12-09 · Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MultiParcels Shippin…

N8n · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-65964 · High · 8.8 · - · 2025-12-09 · n8n is an open source workflow automation platform.

Nalam-1 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-12965 · Medium · 6.4 · - · 2025-12-12 · The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input san…

Nasir Uddin · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62082 · Medium · 6.5 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nasir Uddin Generic Elements generic-elements-for-elementor allows Stored XSS. This issue affects Generic Elements: from n/a through <= 1…

Nazsabuz · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13989 · Medium · 6.4 · - · 2025-12-12 · The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1.

Nebim Neyir Computer Industry And Services Inc. · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13506 · High · 8.8 · - · 2025-12-12 · Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc.

Netiket Information Technologies Ltd. Co. · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13124 · High · 7.6 · - · 2025-12-11 · Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd.

Nomysoft Information Technology Training And Consulting Inc. · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-1161 · High · 7.1 · - · 2025-12-10 · Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc.

Octagonsimon · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14158 · Medium · 4.3 · - · 2025-12-12 · The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0.

Oleksandr Lysyi · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67561 · Medium · 5.4 · - · 2025-12-09 · Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Log Viewer: from n/a through <= 2.0.3.

Opensolution · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-58308 · Critical · 9.8 · - · 2025-12-11 · Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form.

Oretnom23 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14221 · Low · 3.5 · - · 2025-12-08 · A vulnerability was detected in SourceCodester Online Banking System 1.0.

Orico · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14220 · Medium · 4.3 · - · 2025-12-08 · A security vulnerability has been detected in ORICO CD3510 1.9.12.

Pandikamal03 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14132 · Medium · 6.1 · - · 2025-12-12 · The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping.

Parse-community · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67727 · Critical · 9.8 · - · 2025-12-12 · Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js.

Paysera · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-63015 · Medium · 4.3 · - · 2025-12-09 · Missing Authorization vulnerability in paysera WooCommerce Payment Gateway - Paysera woo-payment-gateway-paysera allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Payment Gateway - Payse…

Pcman · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-58299 · Critical · 9.8 · - · 2025-12-12 · PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code.

Pcsx2 · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67749 · - · - · - · 2025-12-12 · PCSX2 is a free and open-source PlayStation 2 (PS2) emulator.

Pegasystems · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62181 · Medium · 5.3 · - · 2025-12-10 · Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a user enumeration vulnerability.

Pencidesign · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67572 · Medium · 5.3 · - · 2025-12-09 · Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PenNews: from n/a through < 6.7.4.

Personal Project · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-11022 · Critical · 9.6 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. The CSRF results in command injection.

Pgadmin · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13780 · Critical · 9.1 · - · 2025-12-11 · pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files.

Philipinho · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-14227 · Medium · 6.3 · - · 2025-12-08 · A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958.

Phoenixcart · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-58296 · - · - · - · 2025-12-11 · CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts.

Photoboxone · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62762 · Medium · 4.3 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.51.

Pipeshub · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67506 · Critical · 9.8 · - · 2025-12-10 · PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation.

Popojicms · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2024-58284 · High · 7.2 · - · 2025-12-10 · PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint.

Portabilis · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-9638 · Medium · 4.8 · - · 2025-12-09 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint.

Presstigers · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-64256 · Medium · 4.3 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Folio simple-folio allows Cross Site Request Forgery. This issue affects Simple Folio: from n/a through <= 1.1.0.

Properfraction · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-13642 · Medium · 5.4 · - · 2025-12-09 · The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due…

Proteusthemes · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-62733 · Medium · 4.3 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in ProteusThemes Custom Sidebars by ProteusThemes custom-sidebars-by-proteusthemes allows Cross Site Request Forgery. This issue affects Custom Sidebars by ProteusThemes: from n/a through <= 1…

Psm Plugins · 1 CVE

CVE · Severity · CVSS · KEV · Published · Summary
CVE-2025-67598 · Medium · 4.3 · - · 2025-12-09 · Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery. This issue affects SupportCandy: from n/a through <= 3.4.1.

Puneethreddyhc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58316High7.52025-12-12Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter.

Purei · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-583012025-12-11Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters.

Pyrocms · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58297Medium5.42025-12-11PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts.

Qdonow · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-14068High7.52025-12-12The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara…

Qrevo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13846 | Medium | 6.4 | | 2025-12-12 | The Easy Map Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping.

Qualitysoft Corporation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64701 | High | 7.8 | | 2025-12-11 | QND Premium/Advance/Standard Ver.11.0.9i and prior contains a privilege escalation vulnerability, which may allow a user who can log in to a Windows system with the affected product to gain administrator privileges.

Quic-go · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64702 | Medium | 5.3 | | 2025-12-11 | quic-go is an implementation of the QUIC protocol in Go.

Radykal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12570 | High | 7.2 | | 2025-12-12 | The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.p…

Rainafarai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62993 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in rainafarai Notification for Telegram notification-for-telegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notification for Telegram: from n/a through <=…

Ravynsoft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14309 | High | 7.5 | | 2025-12-09 | NULL Pointer Dereference vulnerability in ravynsoft ravynos. This issue affects ravynos: through 0.5.2.

Rcatheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13660 | Medium | 5.3 | | 2025-12-12 | The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3.

Remram44 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67502 | Medium | 5.4 | | 2025-12-10 | Taguette is an open source qualitative research tool.

Remyandrade · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14530 | Medium | 4.7 | | 2025-12-11 | A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0.

Rengine · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58287 | High | 8.8 | | 2025-12-11 | reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands.

Repute Infosystems · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2022-47425 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ARMember: from n/a through 3.4.10.

Rethinkdb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14310 | | | | 2025-12-09 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in rethinkdb. This issue affects rethinkdb: before 2.4.4.

Rhewlif · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67550 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhewlif Donation Thermometer donation-thermometer allows Stored XSS. This issue affects Donation Thermometer: from n/a through <= 2.2.6.

Riyadh Ahmed · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63033 | Medium | 5.9 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS. This issue affects M…

Robrichards · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66578 | Medium | 6.0 | | 2025-12-09 | xmlseclibs is a library written in PHP for working with XML Encryption and Signatures.

Rodgerholl · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14044 | High | 8.1 | | 2025-12-12 | The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie.

Rodolforizzo76 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14065 | Medium | 4.3 | | 2025-12-12 | The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6.

Roxnor · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63057 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS. This issue affects Wp Ultimate Review: from n/a through <= 2.3.7.

Rtcamp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67584 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in rtCamp GoDAM godam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GoDAM: from n/a through <= 1.4.6.

Rustaurius · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67590 | Medium | 4.3 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Ultimate FAQ ultimate-faqs allows Cross Site Request Forgery. This issue affects Ultimate FAQ: from n/a through <= 2.4.3.

S9y · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58282 | High | 7.2 | | 2025-12-10 | Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality.

Saifumak · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62739 | Medium | 6.5 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Cross Site Request Forgery. This issue affects Add Custom Codes: from n/a through <= 4.80.

Sandboxie-plus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-64721 | Critical | 10.0 | | 2025-12-11 | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems.

Scriptsbundle · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67569 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in scriptsbundle AdForest adforest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdForest: from n/a through <= 6.0.11.

Senior-walter · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14206 | Medium | 6.5 | | 2025-12-08 | A vulnerability was determined in SourceCodester Online Student Clearance System 1.0.

Sergiotrinity · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67466 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in sergiotrinity Trinity Audio trinity-audio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trinity Audio: from n/a through <= 5.23.3.

Sevenspark · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63068 | Medium | 5.3 | | 2025-12-09 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 – Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection. This issue affects Contact Form 7…

Sgcoskey · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12650 | Medium | 6.4 | | 2025-12-12 | The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2.

Sh1zen · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14344 | Critical | 9.8 | | 2025-12-12 | The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7.

Shahjada · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63070 | Medium | 4.3 | | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32.

Shaneisrael · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67728 | Critical | 9.8 | | 2025-12-12 | Fireshare facilitates self-hosted media and link sharing.

Shinetheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63028 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6.

Shopware · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67648 | High | 7.1 | | 2025-12-11 | Shopware is an open commerce platform.

Siklu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58300 | | | | 2025-12-11 | Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request.

Silkypress · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67542 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SilkyPress Multi-Step Checkout for WooCommerce wp-multi-step-checkout allows DOM-Based XSS. This issue affects Multi-Step Checkout for Woo…

Sonlamtn200 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13966 | Medium | 6.4 | | 2025-12-12 | The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttom_image' parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input saniti…

Sony · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-36885 | Critical | 9.8 | | 2025-12-10 | Sony IPELA Network Camera 1.82.01 contains a stack buffer overflow vulnerability in the ftpclient.cgi endpoint that allows remote attackers to execute arbitrary code.

Soportecibeles · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14030 | Medium | 6.4 | | 2025-12-12 | The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping.

Sourcecodester · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14229 | Medium | 4.7 | | 2025-12-08 | A security vulnerability has been detected in SourceCodester Inventory Management System 1.0.

Spa-cart · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58304 | High | 7.5 | | 2025-12-11 | SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts.

Spacex · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67780 | Medium | 4.2 | | 2025-12-11 | SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2.

Specialk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13677 | Medium | 4.9 | | 2025-12-10 | The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2.

Spinetix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-36887 | High | 7.5 | | 2025-12-10 | SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory.

Static-web-server · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67487 | High | 8.6 | | 2025-12-09 | Static Web Server (SWS) is a production-ready web server suitable for static web files or assets.

Steve Truman · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63034 | Medium | 5.4 | | 2025-12-09 | Missing Authorization vulnerability in Steve Truman Page View Count page-views-count allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Page View Count: from n/a through <= 2.9.0.

Stiand · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14170 | Medium | 4.3 | | 2025-12-12 | The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2.

Stiofan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67593 | Medium | 4.3 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.48.

Strategy11 Team · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67596 | Medium | 4.3 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19.

Subhransu-sekhar · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13961 | Medium | 6.4 | | 2025-12-12 | The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user suppl…

Susantabeura · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13843 | Medium | 6.4 | | 2025-12-12 | The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization…

Tac Information Services Internal And External Trade Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13127 | Low | 3.5 | | 2025-12-10 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TAC Information Services Internal and External Trade Inc.

Taylor Hawkes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-22675 | Medium | 4.3 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Taylor Hawkes WP Fast Cache allows Cross Site Request Forgery. This issue affects WP Fast Cache: from n/a through 1.5.

Tecno · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9056 | Medium | 5.3 | | 2025-12-10 | Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation.

Tekafran · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14062 | Medium | 4.3 | | 2025-12-12 | The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0.

Telepedia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67646 | Low | 3.5 | | 2025-12-11 | TableProgressTracking is a MediaWiki extension to track progress against specific criterion.

Tharkun69 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12824 | High | 8.8 | | 2025-12-12 | The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode.

Themebon · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14119 | Medium | 6.4 | | 2025-12-12 | The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficie…

Themeco · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63072 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THEMECO Cornerstone cornerstone allows Stored XSS. This issue affects Cornerstone: from n/a through <= 7.7.3.

Themefic · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14356 | Medium | 4.3 | | 2025-12-12 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33.

Themeisle · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11467 | Medium | 5.8 | | 2025-12-11 | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load f…

Themerain · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62100 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in themerain ThemeRain Core themerain-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeRain Core: from n/a through <= 1.1.9.

Themesinflow · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63010 | Medium | 4.9 | | 2025-12-09 | Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4.

Themetechmount · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67581 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.0.

Themeum · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63042 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons allows Stored XSS. This issue affects Tutor LMS Elementor Addons: from n/a t…

Themezaa · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62999 | Medium | 5.4 | | 2025-12-09 | Missing Authorization vulnerability in themezaa Litho Addons litho-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Litho Addons: from n/a through <= 3.5.

Themifyme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67533 | High | 7.1 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Portfolio Post themify-portfolio-post allows Stored XSS. This issue affects Themify Portfolio Post: from n/a through <=…

Thewellnessway · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13971 | Medium | 4.4 | | 2025-12-12 | The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header' setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping.

Thinkinai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66481 | Critical | 9.6 | | 2025-12-09 | DeepChat is an open-source AI chat platform that supports cloud models and LLMs.

Thobian · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13988 | Medium | 6.1 | | 2025-12-12 | The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2.

Tiny Solutions · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67520 | High | 7.6 | | 2025-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection. This issue affects Media Library Tools: from n/a through <= 1…

Tinycontrol · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-53739 | | | | 2025-12-09 | Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials.

Tmus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13889 | Medium | 6.4 | | 2025-12-12 | The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping.

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13184 | Critical | 9.8 | | 2025-12-10 | Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution).

Truefy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14161 | Medium | 4.3 | | 2025-12-12 | The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0.

Trustindex · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9436 | Medium | 6.4 | | 2025-12-11 | The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escapin…

Tushar-2223 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14207 | High | 7.3 | | 2025-12-08 | A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15.

Tychesoftwares · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63024 | Medium | 5.4 | | 2025-12-09 | Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date fo…

Uixthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67567 | Medium | 5.3 | | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in uixthemes Sober sober allows Retrieve Embedded Sensitive Data. This issue affects Sober: from n/a through <= 3.5.11.

Ultimate Member · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67474 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ForumWP: from n/a through <= 2.1.4.

Umbraco · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66625 | Medium | 4.9 | | 2025-12-09 | Umbraco is an ASP.NET CMS.

Usestrict · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67555 | Medium | 5.9 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict UseStrict's Calendly Embedder cal-embedder-lite allows Stored XSS. This issue affects UseStrict's Calendly Embedder: from n/a th…

Valentin Agachi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-49351 | High | 7.1 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Valentin Agachi Create Posts & Terms create-posts-terms allows Stored XSS. This issue affects Create Posts & Terms: from n/a through <= 1.3.1.

Valerio Monti · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62866 | Medium | 4.3 | | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in Valerio Monti Auto Alt Text auto-alt-text allows Cross Site Request Forgery. This issue affects Auto Alt Text: from n/a through <= 2.5.2.

Vankarwai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66527 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6.

Vanquish · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67579 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Extra Fields: from n/a through <= 16.8.

Vexorian · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58286 | | | | 2025-12-11 | dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings.

Vibethemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63035 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS. This issue affects WPLMS: from n/a through <= 1.9.9.5.4.

Videomerchant · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14390 | High | 8.8 | | 2025-12-10 | The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4.

Villatheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66528 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer…

Vinod Dalvi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63069 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in Vinod Dalvi Ivory Search add-search-to-menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ivory Search: from n/a through <= 5.5.12.

Virtuaria · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62151 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virtuaria PagBank / PagSeguro pa…

Vitejs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67489 | Critical | 9.8 | | 2025-12-09 | @vitejs/plugin-rs provides React Server Components (RSC) support for Vite.

Walkerwp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67552 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WalkerWP Walker Core walker-core allows DOM-Based XSS. This issue affects Walker Core: from n/a through <= 1.3.17.

Wappointment Team · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67551 | Medium | 6.5 | | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wappointment team Wappointment wappointment allows Stored XSS. This issue affects Wappointment: from n/a through <= 2.6.9.

Wasiul99 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14129 | Medium | 6.1 | | 2025-12-12 | The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping.

Wasmi-labs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66627 | High | 8.4 | | 2025-12-09 | Wasmi is a WebAssembly interpreter focused on constrained and embedded systems.

Watchtowerhq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13972 | Medium | 4.9 | | 2025-12-12 | The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0.

Wbcomdesigns · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67582 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in wbcomdesigns Wbcom Designs lock-my-bp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wbcom Designs: from n/a through <= 2.1.1.

Wealcoder · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67540 | Medium | 6.5 | | 2025-12-09 | Missing Authorization vulnerability in Wealcoder Animation Addons for Elementor animation-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animation Addons for Elementor: from…

Wearefrank · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66214 | High | 7.0 | | 2025-12-09 | Ladybug adds message-based debugging, unit, system, and regression testing to Java applications.

Webba Appointment Booking · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-66530 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Webba Booking: from n/a through <= 6.2.1.

Webcodingplace · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67562 | Medium | 5.4 | | 2025-12-09 | Missing Authorization vulnerability in WebCodingPlace Image Caption Hover Pro image-caption-hover-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Caption Hover Pro: from n/a through < 20…

Webilia Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67560 | Medium | 5.4 | | 2025-12-09 | Missing Authorization vulnerability in Webilia Inc.

Webmin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67738 | High | 8.5 | | 2025-12-11 | squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments.

Webtoffee · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67599 | Medium | 4.3 | | 2025-12-09 | Missing Authorization vulnerability in WebToffee WebToffee eCommerce Marketing Automation decorator-woocommerce-email-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebToffee eCommerce…

Wedevs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63008 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through <= 1.16.7.

Westerndeal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67570 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPForms Google Sheet Connector: from n/a t…

Widgetpack · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12705 | High | 7.2 | | 2025-12-09 | The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the 'trim_text' function in all versions up to, and including, 2.5 due to insufficient input sanitization and…

Windscribe · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65199 | High | 7.8 | | 2025-12-10 | A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName' parameter of the 'changeMTU' function.

Wofficeio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67566 | Medium | 5.3 | | 2025-12-09 | Missing Authorization vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice Core: from n/a through <= 5.4.30.

Wolfssl · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13912 | | | | 2025-12-11 | Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosu…

Wondercms · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2024-58305High8.82025-12-12WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint.

Wp Delicious · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-67548Medium6.52025-12-09Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.1.

Wp Messiah · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-62994Medium4.32025-12-09Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data.This issue affects WP AI CoPilot: from n/a through <= 1.2.7.

Wp Overnight · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67589 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF…

Wpchill · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13891 | Medium | 6.5 | - | 2025-12-12 | The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3.

Wpdevart · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67574 | Medium | 5.3 | - | 2025-12-09 | Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking…

Wpdive · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12830 | Medium | 6.4 | - | 2025-12-12 | The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied att…

Wpfunnels · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67571 | Medium | 5.3 | - | 2025-12-09 | Missing Authorization vulnerability in WPFunnels WPFunnels wpfunnels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPFunnels: from n/a through <= 3.6.2.

Wpletsgo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14138 | Medium | 6.1 | - | 2025-12-12 | The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping.

Wpmediadownload · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-62103 | Medium | 4.3 | - | 2025-12-09 | Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download media-download allows Cross Site Request Forgery. This issue affects Media Library File Download: from n/a through <= 1.4.

Wpusermanager · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13320 | Medium | 6.8 | - | 2025-12-12 | The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12.

Xagio Seo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63025 | Medium | 4.3 | - | 2025-12-09 | Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.37.

Xmbforum2 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58292 | - | - | - | 2025-12-11 | XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings.

Xpro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63044 | Medium | 6.5 | - | 2025-12-09 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows DOM-Based XSS. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.1…

Xtemos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-67568 | Medium | 5.3 | - | 2025-12-09 | Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Basel: from n/a through <= 5.9.1.

Yandex Metrika · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63063 | Medium | 5.3 | - | 2025-12-09 | Missing Authorization vulnerability in Yandex Metrika Yandex.Metrica wp-yandex-metrika allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yandex.Metrica: from n/a through <= 1.2.2.

Yangshare · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14538 | Low | 3.5 | - | 2025-12-11 | A security vulnerability has been detected in yangshare warehouseManager 仓库管理系统 1.1.0.

Yealink · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14228 | Low | 3.5 | - | 2025-12-08 | A weakness has been identified in Yealink SIP-T21P E2 52.84.0.15.

Yottamaster · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14224 | Medium | 4.3 | - | 2025-12-08 | A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12.

Ysh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-13906 | Medium | 6.4 | - | 2025-12-12 | The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linechart' shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user supplied at…

Yuvalo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63009 | Medium | 5.3 | - | 2025-12-09 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in yuvalo WP Google Analytics Events wp-google-analytics-events allows Retrieve Embedded Sensitive Data. This issue affects WP Google Analytics Events…

Zealopensource · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12834 | Medium | 6.1 | - | 2025-12-12 | The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and outpu…