High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 0x4m4–HexStrike AI | By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025). | 2025-11-30 | 9.1 | CVE-2025-35028 | https://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 |
| AMD–AMD Prof | Improper return value within AMD uProf can allow a local attacker to bypass KASLR, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 7.1 | CVE-2025-48510 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD–Xilinx Run Time (XRT) | Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 8 | CVE-2025-52538 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD–Xilinx Run Time (XRT) | Inadequate lock protection within Xilinx Run time may allow a local attacker to trigger a Use-After-Free condition potentially resulting in loss of confidentiality or availability | 2025-11-24 | 7.3 | CVE-2025-0003 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD–Xilinx Run Time (XRT) | Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service. | 2025-11-24 | 7.3 | CVE-2025-0005 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD–Xilinx Run Time (XRT) | A buffer overflow with Xilinx Run Time Environment may allow a local attacker to read or corrupt data from the advanced extensible interface (AXI), potentially resulting in loss of confidentiality, integrity, and/or availability. | 2025-11-24 | 7.3 | CVE-2025-52539 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| ASR–Lapwing_Linux | Out-of-bounds Read vulnerability in ASR1903ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C. This issue affects Lapwing_Linux: before 2025/11/26. | 2025-11-26 | 7.4 | CVE-2025-13735 | https://www.asrmicro.com/en/goods/psirt?cid=41 |
| blubrry–PowerPress Podcasting plugin by Blubrry | The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the ‘powerpress_edit_post’ function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-11-27 | 8.8 | CVE-2025-13536 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d420ee49-e7b3-43d8-a263-8a93abd1133c?source=cve https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3068 https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3012 https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L2368 https://plugins.trac.wordpress.org/changeset/3402635/ |
| Chanjet–CRM | A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13788 | VDB-333792 \| Chanjet CRM upgradeattribute.php sql injection VDB-333792 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690084 \| Chanjet CRM V1.0 SQL Injection https://github.com/Bellingham-max/CVE/issues/1 |
| code-projects–COVID Tracking System | A vulnerability was detected in code-projects COVID Tracking System 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument code results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2025-11-24 | 7.3 | CVE-2025-13585 | VDB-333349 \| code-projects COVID Tracking System login.php sql injection VDB-333349 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699840 \| code-projects COVID Tracking System V1.0 SQL Injection https://github.com/beamyou/CVE/issues/4 https://code-projects.org/ |
| code-projects–Jonnys Liquor | A security flaw has been discovered in code-projects Jonnys Liquor 1.0. Affected by this issue is some unknown functionality of the file /detail.php of the component GET Parameter Handler. Performing manipulation of the argument Product results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-11-24 | 7.3 | CVE-2025-13582 | VDB-333346 \| code-projects Jonnys Liquor GET Parameter detail.php sql injection VDB-333346 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699554 \| code-projects Jonnys Liquor 1.0 /detail.php SQL injection https://github.com/rassec2/dbcve/issues/5 https://code-projects.org/ |
| code-projects–Library System | A vulnerability has been found in code-projects Library System 1.0. This affects an unknown function of the file /index.php of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-11-24 | 7.3 | CVE-2025-13578 | VDB-333342 \| code-projects Library System Login index.php sql injection VDB-333342 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699536 \| code-projects Library System 1.0 index.php SQL Injection https://github.com/rassec2/dbcve/issues/4 https://code-projects.org/ |
| code-projects–Question Paper Generator | A weakness has been identified in code-projects Question Paper Generator 1.0. This affects an unknown part of the file /signupscript.php of the component POST Parameter Handler. Executing manipulation of the argument Fname can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-24 | 7.3 | CVE-2025-13583 | VDB-333347 \| code-projects Question Paper Generator POST Parameter signupscript.php sql injection VDB-333347 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699591 \| code-projects question paper 1.0 /signupscript.php SQL Injection https://github.com/rassec2/dbcve/issues/6 https://code-projects.org/ |
| cursor–cursor | Improper neutralization of special elements used in an OS command (‘command injection’) in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution. | 2025-11-26 | 9.8 | CVE-2025-62354 | https://hiddenlayer.com/sai_security_advisor/2025-11-cursor/ |
| Dassault Systèmes–DELMIA Service Process Engineer | A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in DELMIA Service Process Engineer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user’s browser session. | 2025-11-24 | 8.7 | CVE-2025-10555 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10555 |
| Dassault Systèmes–ENOVIA Product Manager | A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in ENOVIA Product Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user’s browser session. | 2025-11-24 | 8.7 | CVE-2025-10554 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10554 |
| DirectoryThemes–Tiger | The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the ‘paypal-submit.php’ file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. | 2025-11-27 | 9.8 | CVE-2025-13675 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995 |
| DirectoryThemes–Tiger | The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user->set_role() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | 2025-11-27 | 8.8 | CVE-2025-13680 | https://www.wordfence.com/threat-intel/vulnerabilities/id/645f60ad-c8e5-47ec-94f1-960de4ef7838?source=cve https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995 |
| Eaton–Eaton Galileo Software | Improper input sanitization in the file archives upload functionality of Eaton Galileo software allows path traversal, which could allow an attacker with local access to execute unauthorized code or commands. This security issue has been fixed in the latest version of Galileo which is available on the Eaton download center. | 2025-11-27 | 7.3 | CVE-2025-59890 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1024.pdf |
| Elated Themes–FindAll Listing | The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the ‘findall_listing_user_registration_additional_params’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin. | 2025-11-27 | 9.8 | CVE-2025-13538 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve https://themeforest.net/item/findall-business-directory-theme/24415962 |
| Elated Themes–FindAll Membership | The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the ‘findall_membership_check_facebook_user’ and the ‘findall_membership_check_google_user’ functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user’s email. | 2025-11-27 | 9.8 | CVE-2025-13539 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a856a96a-68d2-462d-b523-840668980807?source=cve https://themeforest.net/item/findall-business-directory-theme/24415962 |
| factionsecurity–faction | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1. | 2025-11-26 | 9.7 | CVE-2025-66022 | https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3 |
| fugue-project–fugue | Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim’s machine. This issue has been patched via commit 6f25326. | 2025-11-25 | 8.8 | CVE-2025-62703 | https://github.com/fugue-project/fugue/security/advisories/GHSA-xv5p-fjw5-vrj6 https://github.com/fugue-project/fugue/commit/6f25326779fd1f528198098d6287c5a863176fc0 |
| geoserver–geoserver | GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0. | 2025-11-25 | 8.2 | CVE-2025-58360 | https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 https://osgeo-org.atlassian.net/browse/GEOS-11682 |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads. | 2025-11-26 | 7.5 | CVE-2025-12571 | GitLab Issue #579168 HackerOne Bug Bounty Report #3362239 |
| GL-Inet–GL-AXT1800 | A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | 2025-11-24 | 8.3 | CVE-2025-44018 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2230 |
| HCL Software–iNotes | HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim’s Web browser within the security context of the hosting Web site and/or steal the victim’s cookie-based authentication credentials. | 2025-11-25 | 8.1 | CVE-2025-0248 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127032 |
| Huawei–HarmonyOS | Permission control vulnerability in the memory management module. Impact: Successful exploitation of this vulnerability may affect confidentiality. | 2025-11-28 | 9.3 | CVE-2025-64314 | https://consumer.huawei.com/cn/support/bulletinlaptops/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 8.4 | CVE-2025-58302 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 8.4 | CVE-2025-58303 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the distributed component. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 8 | CVE-2025-58310 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Vulnerability of improper criterion security check in the call module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. | 2025-11-28 | 7.3 | CVE-2025-58308 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | DoS vulnerability in the video-related system service module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 7.3 | CVE-2025-58316 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Janitza–UMG 96-PA | An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service. | 2025-11-24 | 7.5 | CVE-2025-41729 | https://certvde.com/de/advisories/VDE-2025-094 |
| kiteworks–security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could cause under certain circumstances that a user’s active session would not properly time out due to inactivity. This issue has been patched in version 9.1.0. | 2025-11-29 | 7.1 | CVE-2025-53896 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-23h2-3jj8-58hm |
| kiteworks–security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0. | 2025-11-29 | 7.2 | CVE-2025-53899 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5 |
| Logpoint–SIEM | An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability. | 2025-11-27 | 8.5 | CVE-2025-66359 | https://servicedesk.logpoint.com/hc/en-us/articles/29158899698333-XSS-Vulnerability-due-to-insufficient-input-validation |
| Mattermost–Mattermost | Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. | 2025-11-27 | 9.9 | CVE-2025-12419 | https://mattermost.com/security-updates |
| Mattermost–Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). | 2025-11-27 | 9.9 | CVE-2025-12421 | https://mattermost.com/security-updates |
| mescuwa–entropy-derby | Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f. | 2025-11-25 | 8.7 | CVE-2025-65951 | https://github.com/mescuwa/entropy-derby/security/advisories/GHSA-pm54-f847-w4mh https://github.com/mescuwa/entropy-derby/commit/2d38d2f16bbb3b4240698148f80d8c5202725c77 |
| Microsoft–Azure App Gateway | Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network. | 2025-11-26 | 9.4 | CVE-2025-64656 | Azure Application Gateway Elevation of Privilege Vulnerability |
| Microsoft–Azure App Gateway | Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network. | 2025-11-26 | 9.8 | CVE-2025-64657 | Azure Application Gateway Elevation of Privilege Vulnerability |
| milmor–Telegram Bot & Channel | The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-25 | 7.2 | CVE-2025-13068 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe4774ee-16f2-478f-92e3-8a7da7b30336?source=cve https://plugins.trac.wordpress.org/browser/telegram-bot/tags/4.1/columns.php#L45 |
| MISP–MISP | app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. | 2025-11-28 | 8.2 | CVE-2025-66384 | https://github.com/misp/misp/commit/6867f0d3157a1959154bdad9ddac009dec6a19f5 https://github.com/MISP/MISP/compare/v2.5.23...v2.5.24 |
| n/a–Qualitor | A security flaw has been discovered in Qualitor 8.20/8.24. Affected by this vulnerability is the function eval of the file /html/st/stdeslocamento/request/getResumo.php. Performing manipulation of the argument passageiros results in code injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13792 | VDB-333796 \| Qualitor getResumo.php eval code injection VDB-333796 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691251 \| Qualitor Qualitor Web 8.20/8.24 Code Injection https://www.youtube.com/watch?v=hU8YbFc6KpI |
| n/a–validator | Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (uFE0F, uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service. | 2025-11-27 | 7.5 | CVE-2025-12758 | https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476 https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e https://github.com/validatorjs/validator.js/pull/2616 |
| Nozomi Networks–Guardian | A Stored Cross-Site Scripting vulnerability was discovered in the Dashboards functionality due to improper validation of an input parameter. An authenticated low-privilege user can craft a malicious dashboard containing a JavaScript payload and share it with victim users, or a victim can be socially engineered to import a malicious dashboard template. When the victim views or imports the dashboard, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | 2025-11-25 | 7.9 | CVE-2025-40890 | https://security.nozominetworks.com/NN-2025:11-01 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. A successful exploit of this vulnerability might lead to code execution, information disclosure, data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 9.3 | CVE-2025-33187 | https://nvd.nist.gov/vuln/detail/CVE-2025-33187 https://www.cve.org/CVERecord?id=CVE-2025-33187 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. A successful exploit of this vulnerability might lead to information disclosure, data tampering, or denial of service. | 2025-11-25 | 8 | CVE-2025-33188 | https://nvd.nist.gov/vuln/detail/CVE-2025-33188 https://www.cve.org/CVERecord?id=CVE-2025-33188 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, information disclosure, or escalation of privileges. | 2025-11-25 | 7.8 | CVE-2025-33189 | https://nvd.nist.gov/vuln/detail/CVE-2025-33189 https://www.cve.org/CVERecord?id=CVE-2025-33189 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–NeMo Agent ToolKit | NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. A successful exploit of this vulnerability may lead to information disclosure and denial of service. | 2025-11-25 | 7.6 | CVE-2025-33203 | https://nvd.nist.gov/vuln/detail/CVE-2025-33203 https://www.cve.org/CVERecord?id=CVE-2025-33203 https://nvidia.custhelp.com/app/answers/detail/a_id/5726 |
| NVIDIA–NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP and LLM components, where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-25 | 7.8 | CVE-2025-33204 | https://nvd.nist.gov/vuln/detail/CVE-2025-33204 https://www.cve.org/CVERecord?id=CVE-2025-33204 https://nvidia.custhelp.com/app/answers/detail/a_id/5729 |
| NVIDIA–NeMo Framework | NVIDIA NeMo framework contains a vulnerability in a predefined variable, where an attacker could cause inclusion of functionality from an untrusted control sphere by use of a predefined variable. A successful exploit of this vulnerability may lead to code execution. | 2025-11-25 | 7.3 | CVE-2025-33205 | https://nvd.nist.gov/vuln/detail/CVE-2025-33205 https://www.cve.org/CVERecord?id=CVE-2025-33205 https://nvidia.custhelp.com/app/answers/detail/a_id/5729 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size should be increased (packet-alert-max in suricata.yaml) if verdict logging is enabled. | 2025-11-26 | 7.5 | CVE-2025-64330 | https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437 https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow can occur on large HTTP file transfers if the user has increased the HTTP response body limit and enabled the logging of printable http bodies. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves using default HTTP response body limits and/or disabling http-body-printable logging; body logging is disabled by default. | 2025-11-26 | 7.5 | CVE-2025-64331 | https://github.com/OISF/suricata/security/advisories/GHSA-v32w-j79x-pfj2 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow that causes Suricata to crash can occur if SWF decompression is enabled. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling SWF decompression (swf-decompression in suricata.yaml), it is disabled by default; set decompress-depth to lower than half your stack size if swf-decompression must be enabled. | 2025-11-26 | 7.5 | CVE-2025-64332 | https://github.com/OISF/suricata/security/advisories/GHSA-p32q-7wcp-gv92 https://github.com/OISF/suricata/commit/ad446c9006a77490af51c468aae0ce934f4d2117 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a large HTTP content type, when logged, can cause a stack overflow crashing Suricata. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves limiting stream.reassembly.depth to less than half the stack size. Increasing the process stack size makes it less likely the bug will trigger. | 2025-11-26 | 7.5 | CVE-2025-64333 | https://github.com/OISF/suricata/security/advisories/GHSA-537h-xxmx-v87m |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, compressed HTTP data can lead to unbounded memory growth during decompression. This issue has been patched in version 8.0.2. A workaround involves disabling LZMA decompression or limiting response-body-limit size. | 2025-11-26 | 7.5 | CVE-2025-64334 | https://github.com/OISF/suricata/security/advisories/GHSA-r5jf-v2gx-gx8w https://github.com/OISF/suricata/commit/00f04daa3a44928dfdd0003cb9735469272c94a1 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data. | 2025-11-26 | 7.5 | CVE-2025-64335 | https://github.com/OISF/suricata/security/advisories/GHSA-v299-h7p3-q4f2 https://github.com/OISF/suricata/commit/c935f08cd988600fd0a4f828a585b181dd5de012 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.reassembly.depth and HTTP response body limits (response-body-limit), are set to less than half the stack size. | 2025-11-26 | 7.5 | CVE-2025-64344 | https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx https://github.com/OISF/suricata/commit/e13fe6a90dba210a478148c4084f6f5db17c5b5a |
| open-circle–valibot | Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0. | 2025-11-26 | 7.5 | CVE-2025-66020 | https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9 https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc |
| Opto 22–groov View Server | The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators. | 2025-11-26 | 7.6 | CVE-2025-13084 | https://www.opto22.com/support/resources-tools/knowledgebase/kb91325 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-04.json |
| ov3rkll–ProjectList | The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2025-11-25 | 7.2 | CVE-2025-13376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/781c3b84-df80-470e-8bcb-3305a8bbb64a?source=cve https://plugins.trac.wordpress.org/browser/projectlist/trunk/pages/pl-add.php#L27 https://plugins.trac.wordpress.org/browser/projectlist/tags/0.3.0/pages/pl-add.php#L27 |
| phpface–StreamTube Core | The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the ‘registration password fields’ are enabled in theme options. | 2025-11-30 | 9.8 | CVE-2025-13615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786 |
| pnggroup–libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51. | 2025-11-24 | 7.1 | CVE-2025-64720 | https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww https://github.com/pnggroup/libpng/issues/686 https://github.com/pnggroup/libpng/pull/751 https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 |
| pnggroup–libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51. | 2025-11-24 | 7.1 | CVE-2025-65018 | https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g https://github.com/pnggroup/libpng/issues/755 https://github.com/pnggroup/libpng/pull/757 https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea |
| Qode Interactive–Tiare Membership | The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the ‘tiare_membership_init_rest_api_register’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. | 2025-11-27 | 9.8 | CVE-2025-13540 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve https://themeforest.net/item/tiare-wedding-vendor-directory-theme/26589165?s_rank=1 |
| QuantumNous–new-api | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet. This issue has been patched in version 0.9.6. | 2025-11-24 | 8.5 | CVE-2025-62155 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4 |
| Red Hat–Red Hat Enterprise Linux 10 | A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent’s unique identifier (UUID). This action overwrites the legitimate agent’s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls. | 2025-11-24 | 8.2 | CVE-2025-13609 | https://access.redhat.com/security/cve/CVE-2025-13609 RHBZ#2416761 |
| Red Hat–Red Hat Enterprise Linux 6 | A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server. | 2025-11-25 | 7.5 | CVE-2025-13502 | https://access.redhat.com/security/cve/CVE-2025-13502 RHBZ#2416300 |
| Redhat–Redhat | A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string. | 2025-11-26 | 7.7 | CVE-2025-13601 | https://access.redhat.com/security/cve/CVE-2025-13601 RHBZ#2416741 https://gitlab.gnome.org/GNOME/glib/-/issues/3827 https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914 |
| ricardoboss–PubNet | PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3. | 2025-11-29 | 9.4 | CVE-2025-65112 | https://github.com/ricardoboss/PubNet/security/advisories/GHSA-pg82-fqrg-q6j5 |
| scripteo–Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-24 | 7.5 | CVE-2025-7402 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5548b97d-14f0-4f50-b213-a19c02c240be?source=cve https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 |
| Sneeit–Sneeit Framework | The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts. | 2025-11-25 | 9.8 | CVE-2025-6389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes |
| sonalsinha21–SKT PayPal for WooCommerce | The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them. | 2025-11-27 | 7.5 | CVE-2025-7820 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a67b1b3-eb39-4e9a-ba44-ea637fc3bba1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403118%40skt-paypal-for-woocommerce&new=3403118%40skt-paypal-for-woocommerce&sfp_email=&sfph_mail= |
| soportecibeles–AI Feeds | The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the ‘actualizador_git.php’ file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site’s server which may make remote code execution possible. | 2025-11-25 | 9.8 | CVE-2025-13597 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5007dd0-a62c-4ad8-8f8b-eb3f4387c370?source=cve https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/actualizador_git.php#L1 https://plugins.trac.wordpress.org/changeset/3402321/ai-feeds https://github.com/d0n601/CVE-2025-13597 https://ryankozak.com/posts/cve-2025-13597 |
| soportecibeles–CIBELES AI | The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the ‘actualizador_git.php’ file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site’s server which may make remote code execution possible. | 2025-11-25 | 9.8 | CVE-2025-13595 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e89a1c-7606-4391-a389-fa18d0967046?source=cve https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L1 https://plugins.trac.wordpress.org/changeset/3402311/cibeles-ai https://github.com/d0n601/CVE-2025-13595 https://ryankozak.com/posts/cve-2025-13595/ |
| taosir–WTCMS | A vulnerability was identified in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Affected by this issue is the function delete of the file application/Admin/Controller/SlideController.class.php of the component SlideController. The manipulation of the argument ids leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13782 | VDB-333786 \| taosir WTCMS SlideController SlideController.class.php delete sql injection VDB-333786 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688837 \| wtcms cms 1.0 SQL Injection https://www.yuque.com/shangu-vvuup/ydpg69/amhlbdhkw0pgt44g?singleDoc |
| taosir–WTCMS | A vulnerability was detected in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Impacted is the function fetch of the file /index.php. Performing manipulation of the argument content results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13786 | VDB-333790 \| taosir WTCMS index.php fetch code injection VDB-333790 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689523 \| wtcms cms 1.0 RCE https://github.com/TiKi-r/CVE-Report/blob/main/WtcmsRCE.md https://github.com/TiKi-r/CVE-Report/blob/main/WtcmsRCE.md#3-proof-of-concept-poc |
| Tryton–trytond | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 7.1 | CVE-2025-66423 | https://discuss.tryton.org/t/security-release-for-issue-14364/8952 https://foss.heptapod.net/tryton/tryton/-/issues/14364 |
| Uniong–WebITR | WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability. | 2025-11-28 | 7.5 | CVE-2025-13768 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| unitecms–Unlimited Elements for Elementor (Premium) | The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled. | 2025-11-27 | 7.2 | CVE-2025-13692 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c?source=cve https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L598 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1952 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1960 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_filters_process.class.php#L3279 https://plugins.trac.wordpress.org/changeset/3403331/ https://unlimited-elements.com/change-log/ |
| venusweb–EduKart Pro | The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the ‘edukart_pro_register_user_front_end’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. | 2025-11-25 | 9.8 | CVE-2025-13559 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve https://themeforest.net/item/edit-edukart-online-courses-education-lms-theme/52094805 |
| Zenitel–TCIV-3+ | An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands. | 2025-11-26 | 10 | CVE-2025-64126 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel–TCIV-3+ | An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely. | 2025-11-26 | 10 | CVE-2025-64127 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel–TCIV-3+ | An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands. | 2025-11-26 | 10 | CVE-2025-64128 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel–TCIV-3+ | Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim’s browser. | 2025-11-26 | 9.8 | CVE-2025-64130 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel–TCIV-3+ | Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device. | 2025-11-26 | 7.6 | CVE-2025-64129 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| zephyrproject-rtos–Zephyr | An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service. | 2025-11-26 | 7.6 | CVE-2025-9557 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r3j3-c5v7-2ppf |
| zephyrproject-rtos–Zephyr | There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size. | 2025-11-26 | 7.6 | CVE-2025-9558 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8wvr-688x-68vr |
| ZTE–ElasticNet UME R32 | Improper Privilege Management vulnerability in ZTE ElasticNet UME R32 on Linux allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ElasticNet UME R32: ElasticNet_UME_R32_V16.23.20.04. | 2025-11-27 | 7.5 | CVE-2025-66314 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2180460616364429350 |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ABB–Terra AC wallbox | Stack-based Buffer Overflow vulnerability in ABB Terra AC wallbox. This issue affects Terra AC wallbox: through 1.8.33. | 2025-11-28 | 6.1 | CVE-2025-12143 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A8107&LanguageCode=en&DocumentPartId=&Action=Launch |
| AMD–AMD Prof | Improper input validation within AMD uProf can allow a local attacker to write out of bounds, potentially resulting in a crash or denial of service. | 2025-11-24 | 5.5 | CVE-2025-29933 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD–AMD Prof | Improper input validation within AMD uProf can allow a local attacker to write to an arbitrary physical address, potentially resulting in crash or denial of service. | 2025-11-24 | 5.5 | CVE-2025-48511 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD–Xilinx Run Time (XRT) | Insufficient validation within Xilinx Run Time framework could allow a local attacker to escalate privileges from user space to kernel space, potentially compromising confidentiality, integrity, and/or availability. | 2025-11-24 | 5.7 | CVE-2025-0007 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| Anjaliavv51–Retro | Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting (XSS) in the input handling component. This issue has been patched in version 2.4.7. | 2025-11-29 | 6.1 | CVE-2025-66036 | https://github.com/Anjaliavv51/Retro/security/advisories/GHSA-gvv6-p6h6-2vj2 |
| appglut–Locker Content | The Locker Content plugin for WordPress is vulnerable to Sensitive Information Exposure in version 1.0.0 via the ‘lockerco_submit_post’ AJAX endpoint. This makes it possible for unauthenticated attackers to extract content from posts that have been protected by the plugin. | 2025-11-25 | 5.3 | CVE-2025-12525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/927f94b0-2a5d-4d17-a05b-7940d7976158?source=cve https://wordpress.org/plugins/locker-content/ |
| assafp–Poll, Survey & Quiz Maker Plugin by Opinion Stage | The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-27 | 4.3 | CVE-2025-13143 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c16048a-6b05-48ef-92c3-6e3a42909adb?source=cve https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L195 https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L196 |
| autochat–Autochat Automatic Conversation | The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wp_ajax_nopriv_auycht_saveCid’ AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID. | 2025-11-25 | 5.3 | CVE-2025-12043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve https://wordpress.org/plugins/auyautochat-for-wp/ |
| ays-pro–AI ChatBot with ChatGPT and Content Generator by AYS | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-11-27 | 6.5 | CVE-2025-13378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/293ad145-dc93-4d7a-83ba-78f8c730ed6d?source=cve https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3483 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/admin/class-chatgpt-assistant-admin.php#L3483 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/includes/class-chatgpt-assistant.php#L222 https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650&old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php |
| ays-pro–AI ChatBot with ChatGPT and Content Generator by AYS | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ‘ays_chatgpt_save_wp_media’ function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files. | 2025-11-27 | 5.3 | CVE-2025-13381 | https://www.wordfence.com/threat-intel/vulnerabilities/id/be3411ec-0e34-4b0b-a04c-98ac94396989?source=cve https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3585 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/includes/class-chatgpt-assistant.php#L222 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3268 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3597 https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650&old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php |
| bestweblayout–Job Board by BestWebSoft | The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results. | 2025-11-25 | 6.1 | CVE-2025-13383 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1eb1622f-19fb-472e-871b-9a456f80f390?source=cve https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2354 https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2355 https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L1680 |
| buywptemplates–Ace Post Type Builder | The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies. | 2025-11-25 | 5.3 | CVE-2025-13405 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400 https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400 |
| bylancer–Bookme Free Online Appointment Booking and Scheduling Plugin | The Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the `filter[status]` parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-25 | 4.9 | CVE-2025-13385 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c17222-5de5-4ecd-a7c6-beabe7624c5b?source=cve https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/tags/4.2/app/admin/Bookings.php#L123 https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/trunk/app/admin/Bookings.php#L123 |
| bytecodealliance–wasm-micro-runtime | WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, an out-of-bounds array access issue exists in WAMR’s fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode that triggers preserve_local_for_block, the function traverses arrays using stack_cell_num as the upper bound, causing out-of-bounds access to frame_offset_bottom since it wasn’t expanded to match the increased stack_cell_num. This issue has been patched in version 2.4.4. | 2025-11-25 | 5.1 | CVE-2025-64713 | https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-gvx3-gg3x-rjcx https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4 |
| bytecodealliance–wasm-micro-runtime | WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, WAMR is susceptible to a segmentation fault in v128.store instruction. This issue has been patched in version 2.4.4. | 2025-11-25 | 4.7 | CVE-2025-64704 | https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-2f2p-wf5w-82qr https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4 |
| caido–caido | Caido is a web security auditing toolkit. Prior to version 0.53.0, the Markdown renderer used in Caido’s Findings page improperly handled user-supplied Markdown, allowing attacker-controlled links to be rendered without confirmation. When a user opened a finding generated through the scanner, or other plugins, clicking these injected links could redirect the Caido application to an attacker-controlled domain, enabling phishing style attacks. This issue has been patched in version 0.53.0. | 2025-11-26 | 4.3 | CVE-2025-66025 | https://github.com/caido/caido/security/advisories/GHSA-cf52-h5mw-gmc2 |
| cilium–cilium | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue. | 2025-11-29 | 4 | CVE-2025-64715 | https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm https://github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97 https://github.com/cilium/cilium/releases/tag/v1.16.17 https://github.com/cilium/cilium/releases/tag/v1.17.10 https://github.com/cilium/cilium/releases/tag/v1.18.4 |
| code-projects–Blog Site | A security vulnerability has been detected in code-projects Blog Site 1.0. Impacted is the function category_exists of the file /resources/functions/blog.php of the component Category Handler. Such manipulation of the argument name/field leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected. | 2025-11-24 | 6.3 | CVE-2025-13575 | VDB-333339; code-projects Blog Site Category blog.php category_exists sql injection VDB-333339; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698769; https://code-projects.org/ blog site in php with source code 1.0 SQL Injection Submit #698771; https://code-projects.org/ blog site in php with source code 1.0 SQL Injection (Duplicate) https://github.com/Yohane-Mashiro/cve/blob/main/SQL%20injection1.md https://github.com/Yohane-Mashiro/cve/blob/main/SQL%20injection2.md https://code-projects.org/ |
| code-projects–Blog Site | A vulnerability was detected in code-projects Blog Site 1.0. The affected element is an unknown function of the file /admin.php. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. Multiple endpoints are affected. | 2025-11-24 | 6.3 | CVE-2025-13576 | VDB-333340; code-projects Blog Site admin.php improper authorization VDB-333340; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698772; https://code-projects.org/ Blog Site In PHP With Source Code 1.0 Unauthorized https://github.com/Yohane-Mashiro/cve/blob/main/Unauthorized.md https://code-projects.org/ |
| code-projects–Library System | A vulnerability was found in code-projects Library System 1.0. This impacts an unknown function of the file /return.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-11-24 | 6.3 | CVE-2025-13579 | VDB-333343; code-projects Library System return.php sql injection VDB-333343; CTI Indicators (IOB, IOC, TTP, IOA) Submit #699515; code-projects Library System 1.0 SQL Injection https://github.com/rassec2/dbcve/issues/2 https://code-projects.org/ |
| code-projects–Library System | A vulnerability was determined in code-projects Library System 1.0. Affected is an unknown function of the file /mail.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-24 | 6.3 | CVE-2025-13580 | VDB-333344; code-projects Library System mail.php sql injection VDB-333344; CTI Indicators (IOB, IOC, TTP, IOA) Submit #699534; code-projects Library System 1.0 mail.php SQL Injection https://github.com/rassec2/dbcve/issues/3 https://code-projects.org/ |
| code-projects–Online Bidding System | A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-11-24 | 4.7 | CVE-2025-13574 | VDB-333338; code-projects Online Bidding System addcategory.php categoryadd unrestricted upload VDB-333338; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698717; https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload Submit #698718; https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload (Duplicate) https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md https://code-projects.org/ |
| contao–contao | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the ContaoTemplate::once() method. | 2025-11-25 | 6.6 | CVE-2025-65960 | https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r https://contao.org/en/security-advisories/remote-code-execution-in-template-closures |
| deco-cx–apps | A security vulnerability has been detected in deco-cx apps up to 0.120.1. Affected by this vulnerability is the function AnalyticsScript of the file website/loaders/analyticsScript.ts of the component Parameter Handler. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.120.2 addresses this issue. It is suggested to upgrade the affected component. | 2025-11-30 | 6.3 | CVE-2025-13796 | VDB-333807; deco-cx apps Parameter analyticsScript.ts AnalyticsScript server-side request forgery VDB-333807; CTI Indicators (IOB, IOC, IOA) Submit #691837; Deco deco-apps 0.114.12 – 0.120.1 Server-Side Request Forgery https://github.com/deco-cx/apps/pull/1360 https://github.com/deco-cx/apps/releases/tag/0.120.2 |
| docjojo–atec Duplicate Page & Post | The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure. | 2025-11-25 | 5.3 | CVE-2025-13404 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a793b24f-979e-4209-93f7-cff8d3867a7d?source=cve https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.20/includes/atec-wpdpp-hooks.php#L27 https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.21/includes/atec-wpdpp-hooks.php#L27 |
| emrevona–WP Fastest Cache | The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate several database fix actions. This only affects sites with premium activated. | 2025-11-27 | 4.3 | CVE-2025-10476 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c24cf4de-1392-43a8-85a5-8c66c00c44d7?source=cve https://research.cleantalk.org/cve-2025-10476 https://plugins.trac.wordpress.org/changeset?old_path=/wp-fastest-cache/tags/1.4.0&new_path=/wp-fastest-cache/tags/1.4.1&sfp_email=&sfph_mail= |
| era404–StaffList | The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-27 | 4.4 | CVE-2025-12185 | https://www.wordfence.com/threat-intel/vulnerabilities/id/45b9f761-1634-4f70-8c25-956d369cb6d8?source=cve https://wordpress.org/plugins/stafflist/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402164%40stafflist&new=3402164%40stafflist&sfp_email=&sfph_mail= |
| evolurise–Conditionnal Maintenance Mode for WordPress | The Conditional Maintenance Mode for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation when toggling the maintenance mode status. This makes it possible for unauthenticated attackers to enable or disable the site’s maintenance mode via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-25 | 4.3 | CVE-2025-12586 | https://www.wordfence.com/threat-intel/vulnerabilities/id/535f1d8a-8266-4f90-82fa-9c32181bf277?source=cve https://plugins.trac.wordpress.org/browser/maintenance-mode-based-on-user-roles/tags/1.0.0/Maintenance_mode.php#L178 |
| favethemes–Houzez | The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-11-26 | 6.1 | CVE-2025-9163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e177f3-fb24-4dd5-80d5-19b113d5f527?source=cve https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog |
| favethemes–Houzez | The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-11-26 | 6.3 | CVE-2025-9191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b1c450d9-42d8-40f5-84fc-1bc0c8cfcf9b?source=cve https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog |
| fonttools–fonttools | fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2. | 2025-11-29 | 6.3 | CVE-2025-66034 | https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32 |
| galdub–Folders Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the ‘wcp_change_post_folder’ function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to move arbitrary folder contents to arbitrary folders. | 2025-11-27 | 4.3 | CVE-2025-12971 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3845071-8419-4bb2-b22d-f9ae22fb7d6a?source=cve https://research.cleantalk.org/cve-2025-12971/ https://plugins.trac.wordpress.org/browser/folders/trunk/includes/folders.class.php#L3291 https://plugins.trac.wordpress.org/changeset/3402986/ |
| geoserver–geoserver | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim’s browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0. | 2025-11-25 | 6.1 | CVE-2025-21621 | https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72 https://github.com/geoserver/geoserver/pull/7406 https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d https://osgeo-org.atlassian.net/browse/GEOS-11297 |
| getformwork–formwork | Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker-controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. | 2025-11-25 | 6.5 | CVE-2025-65956 | https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj https://github.com/getformwork/formwork/pull/791 https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2 |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests. | 2025-11-26 | 6.5 | CVE-2025-12653 | GitLab Issue #579372 HackerOne Bug Bounty Report #3370245 |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing. | 2025-11-26 | 6.5 | CVE-2025-7449 | GitLab Issue #554938 HackerOne Bug Bounty Report #3215054 |
| GitLab–GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. | 2025-11-26 | 4.3 | CVE-2025-6195 | GitLab Issue #549937 HackerOne Bug Bounty Report #3155693 |
| gungorbudak–Shouty | The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12712 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28252c89-a2db-441a-93e6-f051f3649fea?source=cve https://plugins.trac.wordpress.org/browser/shouty/tags/0.2.1/shouty.php#L138 https://plugins.trac.wordpress.org/browser/shouty/tags/0.2.1/shouty.php#L139 |
| gwendydd–Chamber Dashboard Business Directory | The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details. | 2025-11-25 | 5.3 | CVE-2025-13414 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1896885a-a104-464a-bb57-2c3c73ff9415?source=cve https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/trunk/options.php#L850 https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/tags/3.3.11/options.php#L850 |
| Huawei–HarmonyOS | Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 6.2 | CVE-2025-58294 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Identity authentication bypass vulnerability in the Gallery app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 6.2 | CVE-2025-58305 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 6.4 | CVE-2025-58307 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the startup recovery module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 6.8 | CVE-2025-58309 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Vulnerability of accessing invalid memory in the component driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 6.6 | CVE-2025-58314 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | UAF vulnerability in the USB driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 5.8 | CVE-2025-58311 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the App Lock module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 5.1 | CVE-2025-58312 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the Wi-Fi module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 5.5 | CVE-2025-58315 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 5.1 | CVE-2025-64311 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 5.3 | CVE-2025-64313 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 4.9 | CVE-2025-58304 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 4.9 | CVE-2025-64312 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei–HarmonyOS | Configuration defect vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect app data confidentiality and integrity. | 2025-11-28 | 4.4 | CVE-2025-64315 | https://consumer.huawei.com/cn/support/bulletinlaptops/2025/11/ |
| humhub–cfiles | Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2. | 2025-11-25 | 5.4 | CVE-2025-65963 | https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4 https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09 |
| IBM–Concert | IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2025-11-24 | 5.9 | CVE-2025-36150 | https://www.ibm.com/support/pages/node/7252019 |
| IBM–Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user. | 2025-11-24 | 5.3 | CVE-2025-36112 | https://www.ibm.com/support/pages/node/7252197 |
| Iteras–Peppol-py | Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. | 2025-11-28 | 5 | CVE-2025-66371 | https://github.com/iterasdev/peppol-py/pull/16 https://github.com/iterasdev/peppol-py/releases/tag/1.1.1 |
| itsourcecode–Student Information System | A vulnerability was identified in itsourcecode Student Information System 1.0. Affected by this vulnerability is an unknown functionality of the file /schedule_edit1.php. Such manipulation of the argument schedule_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-11-24 | 6.3 | CVE-2025-13581 | VDB-333345; itsourcecode Student Information System schedule_edit1.php sql injection VDB-333345; CTI Indicators (IOB, IOC, TTP, IOA) Submit #699516; itsourcecode Student Information System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/14 https://itsourcecode.com/ |
| karthiksg–Inline frame Iframe | The Inline frame – Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘embedsite’ shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-25 | 6.4 | CVE-2025-12645 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76 |
| KDE–Krita | In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative. | 2025-11-26 | 6.7 | CVE-2025-59820 | https://invent.kde.org/graphics/krita/ https://kde.org/info/security/advisory-20250929-1.txt https://invent.kde.org/graphics/krita/-/commit/6d3651ac4df88efb68e013d21061de9846e83fe8 |
| kiteworks–security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, this vulnerability could allow an external attacker to gain access to log information from the system by tricking an administrator into browsing a specifically crafted fake page of Kiteworks MFT. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.8 | CVE-2025-53897 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cxwc-7899-3h4m |
| kiteworks–security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions in Kiteworks MFT on managing Connections could lead to unexpected escalation of privileges for authorized users. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.5 | CVE-2025-53900 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-gjq3-8v6p-2h6h |
| kiteworks–security-advisories | Kiteworks is a private data network (PDN). Prior to version 9.1.0, improper input validation when managing roles of a shared folder could unexpectedly elevate another user’s permissions on the share. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.3 | CVE-2025-53939 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-hpf5-6376-2565 |
| kivitendo–kivitendo | Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server’s filesystem. | 2025-11-28 | 5 | CVE-2025-66370 | https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9 https://blog.kivitendo.de/?p=1415 |
| liquidthemes–AI Engine for WordPress: ChatGPT, GPT Content Generator | The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the ‘lqdai_update_post’ AJAX endpoint and the use of file_get_contents() with user-controlled URLs without protocol restrictions in the insert_image() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-11-25 | 6.5 | CVE-2025-13380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae0abace-9bf6-4ef9-a9b8-7efffbf25628?source=cve https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L83 https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L315 https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L423 https://github.com/d0n601/CVE-2025-13380 https://ryankozak.com/posts/cve-2025-13380/ |
| listingthemes–WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘order_by’ parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-27 | 6.1 | CVE-2025-13525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/01cd3631-93fb-4016-baa4-8ea11b21acec?source=cve https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L38 https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L39 https://wordpress.org/plugins/wpdirectorykit/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401078%40wpdirectorykit&new=3401078%40wpdirectorykit&sfp_email=&sfph_mail= |
| lKinderBueno–Streamity Xtream IPTV Player | A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component. | 2025-11-24 | 6.3 | CVE-2025-13588 | VDB-333352; lKinderBueno Streamity Xtream IPTV Player proxy.php server-side request forgery VDB-333352; CTI Indicators (IOB, IOC, IOA) Submit #687573; lKinderBueno Streamity Xtream IPTV Web player 2.8 Server-Side Request Forgery https://github.com/lakshayyverma/CVE-Discovery/blob/main/Streamity.md https://github.com/lKinderBueno/Streamity-Xtream-IPTV-Web-player/commit/c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92 https://github.com/lKinderBueno/Streamity-Xtream-IPTV-Web-player/releases/tag/v2.8.1 |
| lyrathemes–Social Images Widget | The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘options_update’ function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-25 | 5.3 | CVE-2025-13386 | https://www.wordfence.com/threat-intel/vulnerabilities/id/95ab7473-e368-47ad-a8a0-0efbdafce562?source=cve https://plugins.trac.wordpress.org/browser/social-images-widget/tags/2.1/class-social-images-widget-settings.php#L44 https://plugins.trac.wordpress.org/browser/social-images-widget/trunk/class-social-images-widget-settings.php#L44 |
| MacWarrior–clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 – #164, an authorization bypass vulnerability in the AJAX flagging system allows any unauthenticated user to flag any content (users, videos, photos, collections) on the platform. This can lead to mass flagging attacks, content disruption, and moderation system abuse. This issue has been patched in version 5.5.2 – #164. | 2025-11-29 | 6.5 | CVE-2025-65113 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-9f8v-vph8-pq6q https://github.com/MacWarrior/clipbucket-v5/commit/a83b807e592f85d98f1f156bd3cbb1ffcc230233 |
| mahabubs–YouTube Subscribe | The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-25 | 4.4 | CVE-2025-12025 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9996cdc7-4d97-4b27-b697-09bbdbcd865d?source=cve https://wordpress.org/plugins/easy-youtube-subscribe/ https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L242 https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L246 |
| Mattermost–Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to restrict team email addresses to being visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint. | 2025-11-27 | 4.3 | CVE-2025-12559 | https://mattermost.com/security-updates |
| MISP–MISP | app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. | 2025-11-28 | 4.1 | CVE-2025-66386 | https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce https://github.com/MISP/MISP/compare/v2.5.26…v2.5.27 |
| Mitsubishi Electric Corporation–GX Works2 | Cleartext Storage of Sensitive Information Vulnerability in GX Works2 all versions allows an attacker to disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information. | 2025-11-27 | 5.5 | CVE-2025-3784 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-016_en.pdf https://jvn.jp/vu/JVNVU95288056/ |
| MongoDB Inc.–MongoDB Server | Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1. | 2025-11-25 | 6.5 | CVE-2025-13507 | https://jira.mongodb.org/browse/SERVER-108565 |
| MongoDB Inc.–MongoDB Server | MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2. | 2025-11-25 | 6.5 | CVE-2025-13644 | https://jira.mongodb.org/browse/SERVER-101180 |
| MongoDB Inc.–MongoDB Server | Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple, as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple, as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2. | 2025-11-25 | 4.2 | CVE-2025-12893 | https://jira.mongodb.org/browse/SERVER-105783 |
| n/a–Scada-LTS | A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Such manipulation leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 6.3 | CVE-2025-13791 | VDB-333795; Scada-LTS Project Import ZIPProjectManager.java Common.getHomeDir path traversal VDB-333795; CTI Indicators (IOB, IOC, TTP, IOA) Submit #690873; SCADA-LTS Project Scada-LTS <= commit 1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d Path traversal / Zip Slip leading to arbitrary file write https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md#proof-of-concept |
| n/a–Scada-LTS | A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13790 | VDB-333794; Scada-LTS cross-site request forgery VDB-333794; CTI Indicators (IOB, IOC) Submit #690871; SCADA-LTS Project Scada-LTS <=1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d Cross-Site Request Forgery (CSRF) https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-CSRF-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-CSRF-1/report.md#proof-of-concept |
| n/a–ZenTao | A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 21.7.6 mitigates this issue. It is suggested to upgrade the affected component. | 2025-11-30 | 6.3 | CVE-2025-13789 | VDB-333793; ZenTao model.php makeRequest server-side request forgery VDB-333793; CTI Indicators (IOB, IOC, IOA) Submit #690728; Zentao PMS <=21.7.6-85642 SSRF https://github.com/ez-lbz/ez-lbz.github.io/issues/2 https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issuecomment-3540247346 https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issue-3598317459 https://www.zentao.net/extension-viewext-6.html |
| n/a–ZenTao | A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component. | 2025-11-30 | 5.4 | CVE-2025-13787 | VDB-333791; ZenTao File control.php delete privileges management VDB-333791; CTI Indicators (IOB, IOC, TTP, IOA) Submit #689892; Zentao PMS <=21.7.6-85642 Privilege Escalation https://github.com/ez-lbz/ez-lbz.github.io/issues/1 https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868 https://www.zentao.net/extension-buyext-1601-download.html |
| nextendweb–Nextend Social Login and Register | The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the ‘unlinkUser’ function. This makes it possible for unauthenticated attackers to unlink the user’s social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-28 | 4.3 | CVE-2025-13737 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6b747e-d267-4fd3-a4fd-022aa657c796?source=cve https://plugins.trac.wordpress.org/browser/nextend-facebook-connect/tags/3.1.21/includes/provider.php#L772 https://plugins.trac.wordpress.org/changeset/3404174/nextend-facebook-connect/trunk/includes/provider.php |
| nmedia–Admin and Customer Messages After Order for WooCommerce: OrderConvo | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID. | 2025-11-25 | 5.3 | CVE-2025-13389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142 |
| nmedia–Admin and Customer Messages After Order for WooCommerce: OrderConvo | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters. | 2025-11-25 | 4.3 | CVE-2025-13452 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1dd87c-cc28-43b3-8378-4583dc6de195?source=cve https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L56 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L56 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L113 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L113 |
| nmedia–Frontend File Manager Plugin | The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the ‘/wpfm/v1/file-rename’ REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the ‘fileid’ parameter. | 2025-11-25 | 4.3 | CVE-2025-13382 | https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d5feb-2ae9-44b8-90b5-9fc67226855a?source=cve https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L20 https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L52 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 6.7 | CVE-2025-33190 | https://nvd.nist.gov/vuln/detail/CVE-2025-33190 https://www.cve.org/CVERecord?id=CVE-2025-33190 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in OSROOT firmware, where an attacker could cause an invalid memory read. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 5.7 | CVE-2025-33191 | https://nvd.nist.gov/vuln/detail/CVE-2025-33191 https://www.cve.org/CVERecord?id=CVE-2025-33191 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an arbitrary memory read. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 5.7 | CVE-2025-33192 | https://nvd.nist.gov/vuln/detail/CVE-2025-33192 https://www.cve.org/CVERecord?id=CVE-2025-33192 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper validation of integrity. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 5.7 | CVE-2025-33193 | https://nvd.nist.gov/vuln/detail/CVE-2025-33193 https://www.cve.org/CVERecord?id=CVE-2025-33193 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of input data. A successful exploit of this vulnerability might lead to information disclosure or denial of service. | 2025-11-25 | 5.7 | CVE-2025-33194 | https://nvd.nist.gov/vuln/detail/CVE-2025-33194 https://www.cve.org/CVERecord?id=CVE-2025-33194 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause unexpected memory buffer operations. A successful exploit of this vulnerability might lead to data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 4.4 | CVE-2025-33195 | https://nvd.nist.gov/vuln/detail/CVE-2025-33195 https://www.cve.org/CVERecord?id=CVE-2025-33195 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 4.4 | CVE-2025-33196 | https://nvd.nist.gov/vuln/detail/CVE-2025-33196 https://www.cve.org/CVERecord?id=CVE-2025-33196 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a NULL pointer dereference. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 4.3 | CVE-2025-33197 | https://nvd.nist.gov/vuln/detail/CVE-2025-33197 https://www.cve.org/CVERecord?id=CVE-2025-33197 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| Open-Xchange GmbH–OX App Suite | Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known. | 2025-11-27 | 6.1 | CVE-2025-59025 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH–OX App Suite | Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-30186 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH–OX App Suite | Malicious content in office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-30190 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH–OX App Suite | Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-59026 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| OpenPrinting–cups | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config and cause an out-of-bound write. This issue has been patched in version 2.4.15. | 2025-11-29 | 6 | CVE-2025-61915 | https://github.com/OpenPrinting/cups/security/advisories/GHSA-hxm8-vfpq-jrfc https://github.com/OpenPrinting/cups/commit/db8d560262c22a21ee1e55dfd62fa98d9359bcb0 https://github.com/OpenPrinting/cups/releases/tag/v2.4.15 |
| OpenPrinting–cups | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue has been patched in version 2.4.15. | 2025-11-29 | 5.1 | CVE-2025-58436 | https://github.com/OpenPrinting/cups/security/advisories/GHSA-8wpw-vfgm-qrrr https://github.com/OpenPrinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4 https://github.com/OpenPrinting/cups/releases/tag/v2.4.15 |
| oscaruh–Google Drive upload and download link | The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter of the ‘atachfilegoogle’ shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12666 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14ee4247-4cfe-440b-add2-d5d840b1f114?source=cve https://plugins.trac.wordpress.org/browser/google-drive-upload-and-download-link/tags/1.0/pickergoogledirve.php#L27 https://wordpress.org/plugins/google-drive-upload-and-download-link/ |
| ov3rkll–ProjectList | The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-25 | 4.9 | CVE-2025-13370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e424d27b-f719-4fbf-b4eb-83b42130666c?source=cve https://it.wordpress.org/plugins/projectlist/ https://plugins.trac.wordpress.org/browser/projectlist/trunk/pages/pl-add.php#L61 https://plugins.trac.wordpress.org/browser/projectlist/tags/0.3.0/pages/pl-add.php#L61 |
| Oxide–Omicron | In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date. | 2025-11-30 | 5 | CVE-2025-66432 | https://docs.oxide.computer/security/advisories/20251117-1 https://oxide.computer/ https://github.com/oxidecomputer/omicron/compare/01bb875…ec069f0 |
| pnggroup–libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng’s png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51. | 2025-11-24 | 6.1 | CVE-2025-64505 | https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42 https://github.com/pnggroup/libpng/pull/748 https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37 |
| pnggroup–libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng’s png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51. | 2025-11-24 | 6.1 | CVE-2025-64506 | https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6 https://github.com/pnggroup/libpng/pull/749 https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821 |
| pr-gateway–Blog2Social: Social Media Auto Post & Scheduler | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘deleteUserCcDraftPost’ function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash. | 2025-11-25 | 5.4 | CVE-2025-13558 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61b590f5-7854-42f7-b5e2-e6feaaf03a73?source=cve https://plugins.trac.wordpress.org/browser/blog2social/tags/8.7.0/includes/Ajax/Post.php#L1858 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php?rev=3401934#L1867 |
| presstigers–Simple Folio | The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘portfolio_name’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12151 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c7b9827-59a7-4a8f-88d5-0b27c3ea2925?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401878%40simple-folio&new=3401878%40simple-folio&sfp_email=&sfph_mail= |
| qodeinteractive–QODE Wishlist for WooCommerce | The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the ‘qode_wishlist_for_woocommerce_wishlist_table_item_callback’ function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists. | 2025-11-27 | 5.3 | CVE-2025-13157 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b15d1992-ecf9-4253-b832-056b34f42b48?source=cve https://plugins.trac.wordpress.org/browser/qode-wishlist-for-woocommerce/trunk/inc/wishlist/shortcodes/wishlist-table/helper-ajax.php#L95 https://plugins.trac.wordpress.org/changeset/3402469/ |
| quadlayers–Perfect Brands for WooCommerce | The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-24 | 6.5 | CVE-2025-10144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4618bfd-77d9-4396-b041-d7ba0f6ec75a?source=cve https://plugins.trac.wordpress.org/browser/perfect-woocommerce-brands/tags/3.6.0/lib/class-woocommerce.php#L112 |
| quadlayers–Search Exclude | The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the Base::get_rest_permission() method in all versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings, such as adding arbitrary posts to the search exclusion list. | 2025-11-25 | 4.3 | CVE-2025-10646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f62d05-84fb-4cd6-9e5f-0dcfa305ce68?source=cve https://plugins.trac.wordpress.org/changeset/3379004/search-exclude |
| realin–wp-twitpic | The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the ‘twitpic’ shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12670 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb36fd27-bcea-481c-a7aa-815dc684ed8b?source=cve https://wordpress.org/plugins/wp-twitpic/ https://plugins.trac.wordpress.org/browser/wp-twitpic/tags/1.0/wp-twitpic.php#L42 |
| Red Hat–Red Hat build of Keycloak 26.2 | A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. | 2025-11-25 | 5.5 | CVE-2025-13467 | RHSA-2025:22088 RHSA-2025:22089 RHSA-2025:22090 RHSA-2025:22091 https://access.redhat.com/security/cve/CVE-2025-13467 RHBZ#2416038 |
| Red Hat–Red Hat OpenStack Platform 13 (Queens) | The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the ‘Create Workbook’ feature that may result in disclosure of arbitrary local files content. | 2025-11-26 | 6.5 | CVE-2021-4472 | https://access.redhat.com/security/cve/CVE-2021-4472 https://bugs.launchpad.net/horizon/+bug/1931558 RHBZ#2417321 https://review.opendev.org/c/openstack/mistral-dashboard/+/800952 https://review.opendev.org/c/openstack/python-mistralclient/+/800950 |
| redaxo–redaxo | REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. | 2025-11-26 | 6.1 | CVE-2025-66026 | https://github.com/redaxo/redaxo/security/advisories/GHSA-x6vr-q3vf-vqgq https://github.com/redaxo/redaxo/commit/58929062312cf03e344ab04067a365e6b6ee66aa |
| rnags–Reuters Direct | The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘logoff’ action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin’s settings. | 2025-11-27 | 5.3 | CVE-2025-12579 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4360f293-201c-40c1-9603-931d72cc79bc?source=cve https://wordpress.org/plugins/reuters-direct/ |
| rnags–Reuters Direct | The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the ‘class-reuters-direct-settings.php’ page. This makes it possible for unauthenticated attackers to reset the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-27 | 4.3 | CVE-2025-12578 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e98a899-1578-45bf-ba1d-92703e38abd9?source=cve https://wordpress.org/plugins/reuters-direct/ |
| shapedplugin–Quick View for WooCommerce | The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the ‘wqv_popup_content’ AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to. | 2025-11-27 | 5.3 | CVE-2025-12584 | https://www.wordfence.com/threat-intel/vulnerabilities/id/809472d5-1698-42da-b414-1dda40983a6e?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402213%40woo-quickview&new=3402213%40woo-quickview&sfp_email=&sfph_mail= |
| sigalitam–Just Highlight | The Just Highlight plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Highlight Color’ setting in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin’s settings page. | 2025-11-25 | 4.4 | CVE-2025-13311 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d21187bc-5bd0-49b9-9ef2-6654263cd93c?source=cve https://plugins.trac.wordpress.org/browser/just-highlight/trunk/just-highlight.php#L169 https://plugins.trac.wordpress.org/browser/just-highlight/tags/1.0.3/just-highlight.php#L169 |
| SourceCodester–Online Student Clearance System | A flaw has been found in SourceCodester Online Student Clearance System 1.0. Impacted is an unknown function of the file /Admin/changepassword.php. This manipulation of the argument txtconfirm_password causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-11-24 | 4.7 | CVE-2025-13586 | VDB-333350; SourceCodester Online Student Clearance System changepassword.php sql injection VDB-333350; CTI Indicators (IOB, IOC, TTP, IOA) Submit #700130; SourceCodester Online Student Clearance System 1.0 SQL Injection https://github.com/CaseyW33/CVE/issues/2 https://www.sourcecodester.com/ |
| sscovil–SortTable Post | The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction. | 2025-11-27 | 6.4 | CVE-2025-12649 | https://www.wordfence.com/threat-intel/vulnerabilities/id/80c700fa-619f-4ffe-a09a-bcdae2f71a7d?source=cve https://plugins.trac.wordpress.org/browser/sorttable-post/tags/4.2/sorttablepost.php#L100 |
| sunarc–Refund Request for WooCommerce | The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘update_refund_status’ function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected. | 2025-11-25 | 4.3 | CVE-2025-12634 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve https://wordpress.org/plugins/refund-request-for-woocommerce/ |
| taosir–WTCMS | A security flaw has been discovered in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. This affects the function check/uncheck/delete of the file application/Comment/Controller/CommentadminController.class.php of the component CommentadminController. The manipulation of the argument ids results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 6.3 | CVE-2025-13783 | VDB-333787; taosir WTCMS CommentadminController CommentadminController.class.php delete sql injection VDB-333787; CTI Indicators (IOB, IOC, TTP, IOA) Submit #688838; wtcms cms 1.0 SQL Injection Submit #688839; wtcms cms 1.0 SQL Injection (Duplicate) https://www.yuque.com/shangu-vvuup/ydpg69/dd5zpygt7w5w4d19?singleDoc |
| themehunk–Wishlist for WooCommerce | The Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.9 via several functions in class-th-wishlist-frontend.php due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to modify other users’ wishlists. | 2025-11-25 | 6.5 | CVE-2025-12040 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d7c8f79-4dfd-4d6f-b533-dc7a5998dfc1?source=cve https://wordpress.org/plugins/th-wishlist/ |
| themesupport–Hide Category by User Role for WooCommerce | The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache_flush(). This makes it possible for unauthenticated attackers to flush the site’s object cache via forged requests, potentially degrading site performance. | 2025-11-27 | 5.3 | CVE-2025-13441 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b05b0f6d-ffa4-40f4-b969-1153192c52d6?source=cve https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/trunk/admin/admin-ui-setup.php#L165 https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/tags/2.3.1/admin/admin-ui-setup.php#L165 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402760%40hide-category-by-user-role-for-woocommerce&new=3402760%40hide-category-by-user-role-for-woocommerce&sfp_email=&sfph_mail= |
| trustindex–Customer Reviews Collector for WooCommerce | The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ’email-text’ parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-27 | 6.1 | CVE-2025-12123 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6091e396-8cd8-4c56-89cb-7699adb3d798?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389840%40customer-reviews-collector-for-woocommerce&new=3389840%40customer-reviews-collector-for-woocommerce&sfp_email=&sfph_mail= |
| Tryton–sao | Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67. | 2025-11-30 | 5.4 | CVE-2025-66420 | https://discuss.tryton.org/t/security-release-for-issue-14290/8895 https://foss.heptapod.net/tryton/tryton/-/issues/14290 |
| Tryton–sao | Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | 2025-11-30 | 5.4 | CVE-2025-66421 | https://discuss.tryton.org/t/security-release-for-issue-14363/8951 https://foss.heptapod.net/tryton/tryton/-/issues/14363 |
| Tryton–trytond | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 6.5 | CVE-2025-66424 | https://discuss.tryton.org/t/security-release-for-issue-14366/8953 https://foss.heptapod.net/tryton/tryton/-/issues/14366 |
| Tryton–trytond | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 4.3 | CVE-2025-66422 | https://discuss.tryton.org/t/security-release-for-issue-14354/8950 https://foss.heptapod.net/tryton/tryton/-/issues/14354 |
| Uniong–WebITR | WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-28 | 6.5 | CVE-2025-13769 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| Uniong–WebITR | WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-28 | 6.5 | CVE-2025-13770 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| Uniong–WebITR | WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-11-28 | 6.5 | CVE-2025-13771 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| vithanhlam–Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile | The Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vithanhlam_zsocial_save_messager’, ‘vithanhlam_zsocial_save_zalo’, ‘vithanhlam_zsocial_save_hotline’, and ‘vithanhlam_zsocial_save_contact’ parameters in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-25 | 4.4 | CVE-2025-12032 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26d12c52-d08f-4a6c-ba59-0e26dfb33ae5?source=cve https://wordpress.org/plugins/zweb-social-mobile/ |
| webgarh–Peer Publish | The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-25 | 4.3 | CVE-2025-12587 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fffa6c31-8da0-48d7-b603-64f50950787b?source=cve https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/newwebsite.php#L17 https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/websites.php#L20 |
| winston-dsouza–Ecommerce-Website | A weakness has been identified in winston-dsouza Ecommerce-Website up to 87734c043269baac0b4cfe9664784462138b1b2e. Affected by this issue is some unknown functionality of the file /includes/header_menu.php of the component GET Parameter Handler. Executing manipulation of the argument Error can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13793 | VDB-333797; winston-dsouza Ecommerce-Website GET Parameter header_menu.php cross site scripting VDB-333797; CTI Indicators (IOB, IOC, TTP, IOA) Submit #691622; ecommerce-website-master web 1 XSS vulnerability https://github.com/dream357/report/blob/main/ecommerce-website.docx |
| Wireshark Foundation–Wireshark | BPv7 dissector crash in Wireshark 4.6.0 allows denial of service. | 2025-11-26 | 5.5 | CVE-2025-13674 | https://www.wireshark.org/security/wnpa-sec-2025-05.html GitLab Issue #20770 |
| wisc–HTCondor | HTCondor Access Point before 25.3.1 allows an authenticated user to impersonate other users on the local machine by submitting a batch job. This is fixed in 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3. | 2025-11-30 | 4.2 | CVE-2025-66433 | https://htcondor.org/security/vulnerabilities/HTCONDOR-2025-0002.html |
| wpoets–Soundslides | The Soundslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the soundslides shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12713 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd7e9d1-a580-4b32-9365-7ce17cdc37cd?source=cve https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L101 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L102 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L117 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L143 |
| yungifez–Skuul School Management System | A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13785 | VDB-333789; yungifez Skuul School Management System Image profile information disclosure VDB-333789; CTI Indicators (IOB, IOC, TTP, IOA) Submit #689026; yungifez Skuul v2.6.5 Exposure of Sensitive Information Through Metadata https://gist.github.com/thezeekhan/02f5255506080849fc732eea07008634 |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| codingWithElias–School Management System | A weakness has been identified in codingWithElias School Management System up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. Affected is an unknown function of the file /student-view.php of the component Edit Student Info Page. This manipulation of the argument First Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 2.4 | CVE-2025-13795 | VDB-333806; codingWithElias School Management System Edit Student Info student-view.php cross site scripting VDB-333806; CTI Indicators (IOB, IOC, TTP, IOA) Submit #691836; school-management-system-php web 1 XSS vulnerability https://github.com/Al1ce258/MY-CVE-REPORTS/blob/main/school-management-system.md |
| contao–contao | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patching them manually. | 2025-11-25 | 3.3 | CVE-2025-65961 | https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc https://contao.org/en/security-advisories/cross-site-scripting-in-templates |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions. | 2025-11-26 | 2 | CVE-2025-13611 | GitLab Issue #545947 |
| IBM–Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. | 2025-11-25 | 3.7 | CVE-2025-36134 | https://www.ibm.com/support/pages/node/7252210 |
| KDE–Skanpage | In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use of QIODevice::ReadWrite instead of QIODevice::WriteOnly. | 2025-11-26 | 3.2 | CVE-2025-55174 | https://github.com/KDE/skanpage/tags https://invent.kde.org/utilities/skanpage/-/commit/de3ad2941054a26920e022dc7c4a3dc16c065b5a https://kde.org/info/security/advisory-20250811-1.txt |
| libexpat project–libexpat | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | 2025-11-28 | 2.9 | CVE-2025-66382 | https://github.com/libexpat/libexpat/issues/1076 |
| MongoDB Inc.–MongoDB Server | A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14. | 2025-11-25 | 3.1 | CVE-2025-13643 | https://jira.mongodb.org/browse/SERVER-103582 |
| motogadget–mo.lock Ignition Lock | A vulnerability was determined in motogadget mo.lock Ignition Lock up to 20251125. Affected by this vulnerability is an unknown functionality of the component NFC Handler. Executing manipulation can lead to use of hard-coded cryptographic key. The physical device can be targeted for the attack. A high complexity level is associated with this attack. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-29 | 2 | CVE-2025-6666 | VDB-333785; motogadget mo.lock Ignition Lock NFC hard-coded key VDB-333785; CTI Indicators (IOB, IOC, TTP) Submit #701162; motogadget mo.lock NFC CWE-290, CWE-327, CWE-1394 https://office.dngr.us/s/iZHrwtf2xRPoeJj/download |
| mustangproject–Mustang | Mustang before 2.16.3 allows exfiltrating files via XXE attacks. | 2025-11-28 | 2.8 | CVE-2025-66372 | https://github.com/ZUGFeRD/mustangproject/issues/685 https://github.com/ZUGFeRD/mustangproject/pull/725 https://github.com/ZUGFeRD/mustangproject/releases/tag/core-2.16.3 |
| n/a–Eigenfocus | A security vulnerability has been detected in Eigenfocus up to 1.4.0. This vulnerability affects unknown code of the component Description Handler. The manipulation of the argument entry.description/time_entry.description leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.4.1 is able to resolve this issue. The identifier of the patch is 7dec94c9d1f3e513e0ee38ba68caaba628e08582. Upgrading the affected component is advised. | 2025-11-24 | 3.5 | CVE-2025-13584 | VDB-333348; Eigenfocus Description cross site scripting VDB-333348; CTI Indicators (IOB, IOC, TTP, IOA) Submit #699689; Eigenfocus Eigenfocus Free Edition 1.4.0 Cross Site Scripting https://github.com/Stolichnayer/eigenfocus-stored-xss https://github.com/Eigenfocus/eigenfocus/pull/358 https://github.com/Eigenfocus/eigenfocus/commit/7dec94c9d1f3e513e0ee38ba68caaba628e08582 https://github.com/Eigenfocus/eigenfocus/releases/tag/v1.4.1-free |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 3.3 | CVE-2025-33198 | https://nvd.nist.gov/vuln/detail/CVE-2025-33198 https://www.cve.org/CVERecord?id=CVE-2025-33198 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause incorrect control flow behavior. A successful exploit of this vulnerability might lead to data tampering. | 2025-11-25 | 3.2 | CVE-2025-33199 | https://nvd.nist.gov/vuln/detail/CVE-2025-33199 https://www.cve.org/CVERecord?id=CVE-2025-33199 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA–DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 2.3 | CVE-2025-33200 | https://nvd.nist.gov/vuln/detail/CVE-2025-33200 https://www.cve.org/CVERecord?id=CVE-2025-33200 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| PHPGurukul–Hostel Management System | A flaw has been found in PHPGurukul Hostel Management System 2.1. The impacted element is an unknown function of the file /register-complaint.php. Executing manipulation of the argument cdetails can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-11-24 | 3.5 | CVE-2025-13577 | VDB-333341; PHPGurukul Hostel Management System register-complaint.php cross site scripting VDB-333341; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698995; PHPGurukul Hostel Management System 2.1 Stored Cross Site Scripting https://phpgurukul.com/ |
| Splunk–Splunk Add-on for Palo Alto Networks | In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts”. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information. | 2025-11-26 | 2.7 | CVE-2025-20373 | https://advisory.splunk.com/advisories/SVD-2025-1105 |
| spotipy-dev–spotipy | Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user’s browser during OAuth authentication. This issue has been patched in version 2.25.2. | 2025-11-26 | 3.6 | CVE-2025-66040 | https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767 |
| VictoriaMetrics–VictoriaMetrics | VictoriaMetrics is a scalable solution for monitoring and managing time series data. In versions from 1.0.0 to before 1.110.23, from 1.111.0 to before 1.122.8, and from 1.123.0 to before 1.129.1, affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. This issue has been patched in versions 1.110.23, 1.122.8, and 1.129.1. | 2025-11-25 | 2.7 | CVE-2025-65942 | https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5 https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1 |
| yungifez–Skuul School Management System | A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 2.4 | CVE-2025-13784 | VDB-333788; yungifez Skuul School Management System SVG File edit cross site scripting VDB-333788; CTI Indicators (IOB, IOC, TTP, IOA) Submit #689012; yungifez Skuul v2.6.5 Open Redirect https://gist.github.com/thezeekhan/7fc54fd44bc5f318be0350b367b2d8ff |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ACE SECURITY–WIP-90113 HD Camera | ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36874 | https://packetstorm.news/files/id/156497/ https://cxsecurity.com/issue/WLB-2020020137 https://acesecurity.jp/support/top/wip_series/wip-90113 https://www.vulncheck.com/advisories/ace-security-wip90113-unauthenticated-config-disclosure |
| anchore–grype | Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the `--file` or `--output json=<file>` option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the `--file` or `--output` options. | 2025-11-25 | not yet calculated | CVE-2025-65965 | https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646 https://github.com/anchore/grype/pull/3068 https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1 |
| angular–angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular’s HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with a protocol-relative prefix (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs. | 2025-11-26 | not yet calculated | CVE-2025-66035 | https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37 https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e https://github.com/angular/angular/releases/tag/19.2.16 https://github.com/angular/angular/releases/tag/20.3.14 https://github.com/angular/angular/releases/tag/21.0.1 |
| Apache Software Foundation–Apache CloudStack | In Apache CloudStack, an improper control of generation of code (‘Code Injection’) vulnerability is found in the following APIs, which are accessible only to admins: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost and updateStorage. This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk. | 2025-11-27 | not yet calculated | CVE-2025-59302 | https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788 |
| Apache Software Foundation–Apache CloudStack | In Apache CloudStack, a gap in access control checks affected the APIs createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory and listVolumesUsageHistory. While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue. | 2025-11-27 | not yet calculated | CVE-2025-59454 | https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc |
| Apache Software Foundation–Apache Druid | Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`. This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue by making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set. | 2025-11-26 | not yet calculated | CVE-2025-59390 | https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8 |
| Apache Software Foundation–Apache Hive | SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call the Thrift APIs directly. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2), thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when the metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set the metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to the general public. | 2025-11-26 | not yet calculated | CVE-2025-62728 | https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g |
| Apache Software Foundation–Apache Kvrocks | Improper Privilege Management vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. | 2025-11-28 | not yet calculated | CVE-2025-59790 | https://lists.apache.org/thread/dlbz5hmm4ts3npzqnvhofxmqg9w9zt0o |
| Apache Software Foundation–Apache Kvrocks | Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. | 2025-11-28 | not yet calculated | CVE-2025-59792 | https://lists.apache.org/thread/h2pcvr5p9otc7dnj2dt2nr4b3omghddw |
| Apache Software Foundation–Apache SkyWalking | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking. This issue affects Apache SkyWalking: <= 10.2.0. Users are recommended to upgrade to version 10.3.0, which fixes the issue. | 2025-11-27 | not yet calculated | CVE-2025-54057 | https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr |
| Apache Software Foundation–Apache Syncope | Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values. This is not affecting encrypted plain attributes, whose values are also stored using AES encryption. Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue. | 2025-11-24 | not yet calculated | CVE-2025-65998 | https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts |
| Ashlar-Vellum–Cobalt | An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. | 2025-11-25 | not yet calculated | CVE-2025-65084 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 |
| Ashlar-Vellum–Cobalt | A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. | 2025-11-25 | not yet calculated | CVE-2025-65085 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 |
| Astak–CM-818T3 2.4GHz Wireless Security Surveillance Camera | Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36873 | https://packetstorm.news/files/id/156532/ https://www.vulncheck.com/advisories/astak-cm818t3-unauthenticated-config-disclosure |
| ASUS–MyASUS | A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more information, please refer to section Security Update for MyASUS in the ASUS Security Advisory. | 2025-11-25 | not yet calculated | CVE-2025-59373 | https://www.asus.com/content/security-advisory/ |
| ASUS–Router | A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the ‘Security Update for ASUS Router Firmware’ section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-12003 | https://www.asus.com/security-advisory/ |
| ASUS–Router | A stack buffer overflow vulnerability has been identified in certain router models. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the ‘Security Update for ASUS Router Firmware’ section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59365 | https://www.asus.com/security-advisory/ |
| ASUS–Router | An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59366 | https://www.asus.com/content/security-advisory/ |
| ASUS–Router | An integer underflow vulnerability has been identified in Aicloud. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the ‘ Security Update for ASUS Router Firmware’ section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59368 | https://www.asus.com/security-advisory/ |
| ASUS–Router | A SQL injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary SQL queries, leading to unauthorized data access. Refer to the ‘Security Update for ASUS Router Firmware’ section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59369 | https://www.asus.com/security-advisory/ |
| ASUS–Router | A command injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary commands, leading to the device executing unintended instructions. Refer to the ‘Security Update for ASUS Router Firmware’ section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59370 | https://www.asus.com/security-advisory/ |
| ASUS–Router | An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models. Refer to the ‘Security Update for ASUS Router Firmware’ section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59371 | https://www.asus.com/security-advisory/ |
| ASUS–Router | A path traversal vulnerability has been identified in certain router models. A remote, authenticated attacker could exploit this vulnerability to write files outside the intended directory, potentially affecting device integrity. Refer to the ‘Security Update for ASUS Router Firmware’ section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59372 | https://www.asus.com/security-advisory/ |
| async_mqtt–Redboltz | Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 allows local users to cause a denial of service via triggering SSL initialization failure that results in incorrect destruction order between io_context and endpoint objects. | 2025-11-24 | not yet calculated | CVE-2025-65503 | https://github.com/redboltz/async_mqtt/issues/436 https://github.com/redboltz/async_mqtt/pull/437 |
| ATISoluciones–CIGES | A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise. | 2025-11-24 | not yet calculated | CVE-2025-13596 | https://www.atisoluciones.com/incidentes-cve |
| Automated Logic–WebCTRL | The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server. | 2025-11-27 | not yet calculated | CVE-2024-5539 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic–WebCTRL | The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels, allowing a malicious actor to compromise the client browser. | 2025-11-27 | not yet calculated | CVE-2024-5540 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic–WebCtrl | A weakness in the Automated Logic and Carrier i-Vu Gen5 router on driver version drv_gen5_106-01-2380 allows malformed packets sent through the BACnet MS/TP network to cause the devices to enter a fault state. This fault state requires a manual power cycle to return the device to network visibility. | 2025-11-27 | not yet calculated | CVE-2025-0657 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic–Zone Controllers | A vulnerability in Automated Logic and Carrier’s Zone Controller via the BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed. | 2025-11-27 | not yet calculated | CVE-2025-0658 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| BACnet Interoperability Test Services, Inc.–BACnet Test Server | BACnet Test Server versions up to and including 1.01 contain a remote denial of service vulnerability in their BACnet/IP BVLC packet handling. The server fails to properly validate the BVLC Length field in incoming UDP BVLC frames on the default BACnet port (47808/udp). A remote unauthenticated attacker can send a malformed BVLC Length value to trigger an access violation and crash the application, resulting in a denial of service. | 2025-11-26 | not yet calculated | CVE-2020-36872 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php https://www.exploit-db.com/exploits/48860 https://packetstormsecurity.com/files/159504 https://cxsecurity.com/issue/WLB-2020100045 https://www.bac-test.com/ https://www.vulncheck.com/advisories/bacnet-test-server-malformed-bvlc-length-dos |
| Beijing Star-Net Ruijie Network Technology Co., Ltd.–NBR Series Routers | Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC. | 2025-11-24 | not yet calculated | CVE-2023-7330 | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml https://cn-sec.com/archives/1995366.html https://www.cnblogs.com/Domren/articles/19093295 https://rfk0z.github.io/posts/Ruijie-NBR-router-fileupload-php-arbitrary-file-upload-vulnerability/ https://www.vulncheck.com/advisories/ruijie-networks-nbr-routers-unauthenticated-arbitrary-file-upload-via-fileuploadphp |
| Bjango–iStats | iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection. This issue affects iStats: 7.10.4. | 2025-11-24 | not yet calculated | CVE-2025-11921 | https://fluidattacks.com/advisories/muse https://bjango.com/mac/istatmenus/ https://cdn.istatmenus.app/files/istatmenus7/versions/iStatMenus7.10.6.zip |
| body-parser–body-parser | body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1. | 2025-11-24 | not yet calculated | CVE-2025-13466 | https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 |
| cerebrate-project–Cerebrate | UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request. | 2025-11-28 | not yet calculated | CVE-2025-66385 | https://github.com/cerebrate-project/cerebrate/compare/v1.29...v1.30 https://github.com/cerebrate-project/cerebrate/commit/c9bfa90abc85d4a20a9cc2f282959b72bef829bb https://vulnerability.circl.lu/api/vulnerability/gcve-1-2025-0017 |
| classroomio–classroomio | An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. | 2025-11-26 | not yet calculated | CVE-2025-65669 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65669 |
| classroomio–classroomio | An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access. | 2025-11-26 | not yet calculated | CVE-2025-65670 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65670 |
| classroomio–classroomio | Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings. | 2025-11-26 | not yet calculated | CVE-2025-65672 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65672 |
| classroomio–classroomio | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures. | 2025-11-26 | not yet calculated | CVE-2025-65675 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65675 |
| classroomio–classroomio | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. | 2025-11-26 | not yet calculated | CVE-2025-65676 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65676 |
| CyberArk–CyberArk Secure Web Sessions Extension | Improper Input Validation vulnerability in CyberArk Secure Web Sessions Extension on Chrome and Edge allows Denial of Service when trying to start new SWS sessions. This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305. | 2025-11-27 | not yet calculated | CVE-2025-13762 | https://chromewebstore.google.com/detail/cyberark-secure-web-sessi/ohfinlfcbaehgokpmkjcmkgdcbgamgln?hl=en https://microsoftedge.microsoft.com/addons/detail/cyberark-secure-web-sessi/gmfjibhpaliafbemoifjjdkmgaknhohb?hl=en-US |
| danny-avila–LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its “Actions” feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible to the LibreChat server (such as cloud metadata services, through which impersonation of the server might be possible). This issue has been patched in version 0.8.1-rc2. | 2025-11-29 | not yet calculated | CVE-2025-66201 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-7m2q-fjwr-5x8v |
| Davantis–DFUSION | Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/<MEDIA>”, where the “MEDIA” parameter can take the value of “snapshot” or “video.mp4”. These media files contain images recorded by security cameras in response to triggered alerts. | 2025-11-24 | not yet calculated | CVE-2025-41016 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dfusion-davantis |
| Davantis–DFUSION | Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”. | 2025-11-24 | not yet calculated | CVE-2025-41017 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dfusion-davantis |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to upload arbitrary files via /var/tdf/status_contents.php. | 2025-11-26 | not yet calculated | CVE-2025-66250 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete arbitrary .tgz files through path traversal in the deletehidden parameter. | 2025-11-26 | not yet calculated | CVE-2025-66251 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to cause a denial of service through an infinite loop that occurs when unlink() fails in status_contents.php. Because the unlink operation runs inside a while loop, specifying an immutable file, or any other file the process lacks permission to delete, causes the script to retry the deletion indefinitely. | 2025-11-26 | not yet calculated | CVE-2025-66252 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows remote code execution because user input is passed directly to exec() in start_upgrade.php. The `/var/tdf/start_upgrade.php` endpoint passes the user-controlled `$_GET["filename"]` value directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root). | 2025-11-26 | not yet calculated | CVE-2025-66253 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows unauthenticated deletion of arbitrary files via the deleteupgrade parameter. The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files. | 2025-11-26 | not yet calculated | CVE-2025-66254 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows uploading malicious firmware packages because signature validation is missing. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers or cryptographic signatures and without enforcing the .tgz format requirement, allowing malicious firmware injection. The same endpoint also provides a path to arbitrary file upload and subsequent remote code execution. | 2025-11-26 | not yet calculated | CVE-2025-66255 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows uploading malicious files through an unrestricted file upload in patch_contents.php. The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files. | 2025-11-26 | not yet calculated | CVE-2025-66256 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows unauthenticated deletion of arbitrary files via the deletepatch parameter. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in the `/var/www/patch/` directory without sanitization or access control checks. | 2025-11-26 | not yet calculated | CVE-2025-66257 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are concatenated directly into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file. | 2025-11-26 | not yet calculated | CVE-2025-66258 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an authenticated attacker to execute commands as root: in main_ok.php, user-supplied data/hour/time values are passed directly into the date shell command. | 2025-11-26 | not yet calculated | CVE-2025-66259 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows SQL injection via the sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating the user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance. | 2025-11-26 | not yet calculated | CVE-2025-66260 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows remote code execution because the URL-decoded name parameter is passed to exec(). The `/var/tdf/restore_settings.php` endpoint passes the user-controlled `$_GET["name"]` parameter through `urldecode()` and directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user. | 2025-11-26 | not yet calculated | CVE-2025-66261 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows arbitrary file overwrite via a crafted archive because tar extraction is performed with `-C /`. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with the `-C /` flag, depositing their contents at the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise. | 2025-11-26 | not yet calculated | CVE-2025-66262 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.–Mozart FM Transmitter | Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows reading arbitrary files through null byte injection in download_setting.php. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating the user-controlled `$_GET['filename']` value with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user. | 2025-11-26 | not yet calculated | CVE-2025-66263 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| Desktop Alert–desktopalert.net | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 through 6.1.1.2, which allows an attacker to disclose user hashes. | 2025-11-24 | not yet calculated | CVE-2025-54338 | https://desktopalert.net/cve-2025-54338/ |
| Desktop Alert–desktopalert.net | A vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 through 6.1.1.2: the server contains hard-coded configuration values. | 2025-11-24 | not yet calculated | CVE-2025-54341 | https://desktopalert.net/cve-2025-54341/ |
| Desktop Alert–desktopalert.net | A Directory Traversal vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 through 6.1.1.2, which allows an attacker to write arbitrary files under certain conditions. | 2025-11-24 | not yet calculated | CVE-2025-54347 | https://desktopalert.net/cve-2025-54347/ |
| Desktop Alert–desktopalert.net | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 through 6.1.1.2, leading to remote information disclosure. | 2025-11-24 | not yet calculated | CVE-2025-54563 | https://desktopalert.net/cve-2025-54563/ |
| Devolutions–Server | Exposure of credentials in unintended requests in Devolutions Server and Remote Desktop Manager on Windows. This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0. | 2025-11-28 | not yet calculated | CVE-2025-13683 | https://devolutions.net/security/advisories/DEVO-2025-0017/ |
| Devolutions–Server | SQL Injection vulnerability in last usage logs in Devolutions Server. This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8. | 2025-11-27 | not yet calculated | CVE-2025-13757 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Devolutions–Server | Exposure of credentials in unintended requests in Devolutions Server. This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8. | 2025-11-27 | not yet calculated | CVE-2025-13758 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Devolutions–Server | Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9. | 2025-11-27 | not yet calculated | CVE-2025-13765 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Digital Bazaar–node-forge | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions. | 2025-11-25 | not yet calculated | CVE-2025-12816 | https://www.npmjs.com/package/node-forge https://github.com/digitalbazaar/forge/pull/1124 https://github.com/digitalbazaar/forge CERT/CC Vulnerability Notice Github Security Advisory |
| digitalbazaar–forge | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2. | 2025-11-26 | not yet calculated | CVE-2025-66030 | https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb |
| digitalbazaar–forge | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2. | 2025-11-26 | not yet calculated | CVE-2025-66031 | https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27 https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451 |
| Dongyoung Media Tech Co., Ltd.–DM-AP240T/W Wireless Access Point | Dongyoung Media DM-AP240T/W wireless access points contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/sys_system_config management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network. | 2025-11-26 | not yet calculated | CVE-2019-25226 | https://packetstorm.news/files/id/154719/ https://cxsecurity.com/issue/WLB-2019100012 http://dongyoung.com/ https://www.vulncheck.com/advisories/dongyoung-media-dm-ap240tw-unauthenticated-config-disclosure |
| Drupal–Drupal | Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., “<img src=1 onerror=alert(document.domain)>”) to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim’s browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. Users are advised to apply the provided patch or update to a fixed version of the module. | 2025-11-26 | not yet calculated | CVE-2025-12848 | https://www.drupal.org/node/3105204 |
| ESCAM–QD-900 WIFI HD Camera | ESCAM QD-900 WIFI HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint allows remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup can include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that may facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36871 | https://packetstorm.news/files/id/156492/ https://www.exploit-db.com/exploits/48107 https://www.vulncheck.com/advisories/escam-qd900-unauthenticated-config-disclosure |
| FAST FAC1200R–sezangel | FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter password. | 2025-11-26 | not yet calculated | CVE-2025-50399 | https://github.com/sezangel/IOT-vul/tree/main/FAST/FAC1200R/1 |
| FAST FAC1200R–sezangel | FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter string fac_password. | 2025-11-26 | not yet calculated | CVE-2025-50402 | https://github.com/sezangel/IOT-vul/tree/main/FAST/FAC1200R/2 |
| FluentBit–Fluent Bit | Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs. | 2025-11-24 | not yet calculated | CVE-2025-12969 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit–Fluent Bit | The extract_name function in the Fluent Bit in_docker input plugin copies container names into a fixed-size stack buffer without validating length. An attacker who can create containers or control container names can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution. | 2025-11-24 | not yet calculated | CVE-2025-12970 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit–Fluent Bit | Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory. | 2025-11-24 | not yet calculated | CVE-2025-12972 | https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ |
| FluentBit–Fluent Bit | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing. | 2025-11-24 | not yet calculated | CVE-2025-12977 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit–Fluent Bit | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation. | 2025-11-24 | not yet calculated | CVE-2025-12978 | https://fluentbit.io/announcements/v4.1.0/ |
| Frappe–Frappe CRM | Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1. | 2025-11-26 | not yet calculated | CVE-2025-11461 | https://fluidattacks.com/advisories/oz https://github.com/frappe/crm https://github.com/frappe/crm/pull/1339 |
| Free5gc v4.0.0–OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Npcf_BDTPolicyControl API. | 2025-11-24 | not yet calculated | CVE-2025-60632 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/705 |
| Free5gc v4.0.0–OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. | 2025-11-24 | not yet calculated | CVE-2025-60633 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/702 https://github.com/free5gc/free5gc/issues/700 https://github.com/free5gc/free5gc/issues/701 https://github.com/free5gc/free5gc/issues/703 |
| Free5gc v4.0.0–OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Nnssf_NSSAIAvailability API. | 2025-11-24 | not yet calculated | CVE-2025-60638 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/704 |
| Fuji Television Network, Inc.–“FOD” App for Android | “FOD” App uses hard-coded cryptographic keys, which may allow a local unauthenticated attacker to retrieve the cryptographic keys. | 2025-11-25 | not yet calculated | CVE-2025-64304 | https://help.fod.fujitv.co.jp/hc/ja/articles/48337068747033 https://jvn.jp/en/jp/JVN63368617/ |
| getsentry–sentry-javascript | Sentry-Javascript is the official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate users or escalate their privileges within the application. This issue has been patched in version 10.27.0. | 2025-11-25 | not yet calculated | CVE-2025-65944 | https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp https://github.com/getsentry/sentry-javascript/pull/17475 https://github.com/getsentry/sentry-javascript/commit/a820fa2891fdcf985b834a5b557edf351ec54539 https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0 |
| Google Cloud–Looker | An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.18.201+ * 25.0.79+ * 25.6.66+ * 25.12.7+ * 25.16.0+ * 25.18.0+ * 25.20.0+ | 2025-11-24 | not yet calculated | CVE-2025-12739 | https://cloud.google.com/support/bulletins#gcp-2025-068 |
| Google Cloud–Looker | A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver’s parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 25.0.93+ * 25.6.84+ * 25.12.42+ * 25.14.50+ * 25.16.44+ | 2025-11-24 | not yet calculated | CVE-2025-12740 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| Google Cloud–Looker | A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | 2025-11-24 | not yet calculated | CVE-2025-12741 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| Google Cloud–Looker | A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | 2025-11-25 | not yet calculated | CVE-2025-12742 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| GroceryMart–GroceryMart | An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords. | 2025-11-26 | not yet calculated | CVE-2025-65278 | https://gist.github.com/whoisrushi/7e8d15c85221e3f708b7b480e04ab6ca |
| HCL Technologies–Unica | Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51733 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies–Unica | Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51734 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies–Unica | CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51735 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies–Unica | File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51736 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| iiDk-the-actual–Console | Console is a network used to control Gorilla Tag mods’ users and other users on the network. Prior to version 2.8.0, a path traversal vulnerability exists where complicated combinations of backslashes and periods can be used to escape the Gorilla Tag path and write to unwanted directories. This issue has been patched in version 2.8.0. | 2025-11-25 | not yet calculated | CVE-2025-65952 | https://github.com/iiDk-the-actual/Console/security/advisories/GHSA-c3f7-xh45-2xc7 https://github.com/iiDk-the-actual/Console/commit/4bcb1cf23ef78f8e6899dd6fe3afa3b24902e458 https://github.com/iiDk-the-actual/Console/commit/e1005b8754594ad463ae58f8a99decda548b1826 |
| ilevia EVE X1–iSee857 | Cross-Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 – 2025_07_21, allows a remote attacker to execute arbitrary code via the /bh_web_backend component. | 2025-11-25 | not yet calculated | CVE-2025-60739 | https://github.com/iSee857/ilevia-EVE-X1-Server-CSRF |
| imonnit.com–Monnit | An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via a crafted password reset to take over arbitrary user accounts. | 2025-11-26 | not yet calculated | CVE-2025-50433 | http://imonnitcom.com http://monnit.com https://youtu.be/-BqcdwHgMMA https://github.com/0xMandor/imonnit-ato-advisory/blob/main/CVE-2025-50433.md |
| Intercom, Inc.–Security Point (Windows) of MaLion | Incorrect default permissions issue exists in Security Point (Windows) of MaLion prior to Ver.5.3.4. If this vulnerability is exploited, an arbitrary file could be placed in the specific folder by a user who can log in to the system where the product’s Windows client is installed. If the file is a specially crafted DLL file, arbitrary code could be executed with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-59485 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercom, Inc.–Security Point (Windows) of MaLion | Security Point (Windows) of MaLion and MaLionCloud contains a stack-based buffer overflow vulnerability in processing HTTP headers. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-62691 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercom, Inc.–Security Point (Windows) of MaLion | Security Point (Windows) of MaLion and MaLionCloud contains a heap-based buffer overflow vulnerability in processing Content-Length. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-64693 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercore-Productions–Core-Bot | Core Bot is an open-source Discord bot made for Maple Hospital servers. Prior to commit dffe050, the API keys (SUPABASE_API_KEY, TOKEN) are loaded from environment variables, but there are cases in the code (error handling, summaries, webhooks) where configuration summaries may inadvertently leak sensitive data (e.g., by failing to redact data in summary embeds or logs). This issue has been patched via commit dffe050. | 2025-11-25 | not yet calculated | CVE-2025-65957 | https://github.com/Intercore-Productions/Core-Bot/security/advisories/GHSA-42j6-x28v-38r8 https://github.com/Intercore-Productions/Core-Bot/commit/dffe050d565a580edfcd0242efa45da88ab31260 |
| JAVA-Oracle | Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. | 2025-11-28 | not yet calculated | CVE-2025-12183 | https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183 https://github.com/yawkat/lz4-java/releases/tag/v1.8.1 |
| jishenghua JSH_ERP 2.3.1–Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads. | 2025-11-25 | not yet calculated | CVE-2025-51742 | https://gitee.com/jishenghua/JSH_ERP https://blog.hackpax.top/jsh-erp/ https://gitee.com/jishenghua https://gist.github.com/Paxsizy/a40334ffa7f05c42bf0348833f830108 |
| jishenghua JSH_ERP 2.3.1–Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51743 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp2/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1–Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51744 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp3/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1–Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51745 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp4/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1–Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51746 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp5/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jvde-github–AIS-catcher | AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, a heap buffer overflow vulnerability has been identified in the AIS::Message class of AIS-catcher. This vulnerability allows an attacker to write approximately 1KB of arbitrary data into a 128-byte buffer. This issue has been patched in version 0.64. | 2025-11-29 | not yet calculated | CVE-2025-66216 | https://github.com/jvde-github/AIS-catcher/security/advisories/GHSA-v53x-f5hh-g2g6 https://github.com/jvde-github/AIS-catcher/commit/3de0ef785fc3c96265a71b37df7b0a82cb279312 |
| jvde-github–AIS-catcher | AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, an integer underflow vulnerability exists in the MQTT parsing logic of AIS-catcher. This vulnerability allows an attacker to trigger a massive Heap Buffer Overflow by sending a malformed MQTT packet with a manipulated Topic Length field. This leads to an immediate Denial of Service (DoS) and, when used as a library, severe Memory Corruption that can be leveraged for Remote Code Execution (RCE). This issue has been patched in version 0.64. | 2025-11-29 | not yet calculated | CVE-2025-66217 | https://github.com/jvde-github/AIS-catcher/security/advisories/GHSA-93mj-c8q3-69rg https://github.com/jvde-github/AIS-catcher/commit/e0f7242eee659909adc11a4c561c3f7011bdefe7 |
| keras-team–keras-team/keras | Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory. This can lead to arbitrary file writes outside the cache directory, enabling potential system compromise or malicious code execution. The vulnerability affects Keras installations that process tar archives with get_file() and does not affect versions where this extraction method is secured with the appropriate filter parameter. | 2025-11-28 | not yet calculated | CVE-2025-12638 | https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4 |
| kotaemon 0.11.0–Cinnamon | An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the libs/ktem/ktem/index/file/ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction, successfully uploading a ZIP bomb could still cause the server to consume excessive resources during decompression. Moreover, if no further files are uploaded afterward, the extracted data could occupy disk space and potentially render the system unavailable. Anyone with permission to upload files can carry out this attack. | 2025-11-24 | not yet calculated | CVE-2025-63914 | https://github.com/Cinnamon/kotaemon https://github.com/WxDou/CVE-2025-63914 |
| krpano–krpano | Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim’s browser via a crafted URL to the passQueryParameters function with the xml parameter enabled. | 2025-11-29 | not yet calculated | CVE-2025-65892 | https://krpano.com/docu/releasenotes/?version=1.23.3 https://krpano.com/forum/wbb/index.php?thread/20554-krpano-1-23-3d-gaussian-splatting-support/&postID=96997#post96997 |
| LFDT-Lockness–cggmp21 | CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. Prior to version 0.6.3, a missing check in a ZK proof enables an attack in which a single malicious signer can reconstruct the full private key. This issue has been patched in version 0.6.3; for full mitigation it is recommended to upgrade to cggmp24 version 0.7.0-alpha.2, as it contains more security checks. | 2025-11-25 | not yet calculated | CVE-2025-66016 | https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-m95p-425x-x889 https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained |
| LFDT-Lockness–cggmp21 | CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. In versions 0.6.3 and prior of cggmp21 and version 0.7.0-alpha.1 of cggmp24, presignatures can be used in a way that significantly reduces security. The cggmp24 version 0.7.0-alpha.2 release contains API changes that make it impossible to use presignatures in contexts in which doing so reduces security. | 2025-11-25 | not yet calculated | CVE-2025-66017 | https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-8frv-q972-9rq5 https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained |
| libcoap–OISM | NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65493 | https://github.com/obgm/libcoap/issues/1743 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65494 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter. | 2025-11-24 | not yet calculated | CVE-2025-65495 | https://github.com/obgm/libcoap/issues/1744 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65496 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65497 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65498 | https://github.com/obgm/libcoap/issues/1746 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1. | 2025-11-24 | not yet calculated | CVE-2025-65499 | https://github.com/obgm/libcoap/issues/1747 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65500 | https://github.com/obgm/libcoap/issues/1746 https://github.com/obgm/libcoap/pull/1750 |
| libcoap–OISM | NULL pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL. | 2025-11-24 | not yet calculated | CVE-2025-65501 | https://github.com/obgm/libcoap/issues/1748 https://github.com/obgm/libcoap/pull/1750 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a “pseudo root filesystem” which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem. If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in “struct svc_fh” even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service. Normal NFS usage will not provide a pseudo-root filehandle to a v3 client. This bug can only be triggered by the client synthesising an incorrect filehandle. To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected. | 2025-11-24 | not yet calculated | CVE-2025-40212 | https://git.kernel.org/stable/c/b6bc86ce3944b10b9fc181fc00c1a520a20ed965 https://git.kernel.org/stable/c/c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2 https://git.kernel.org/stable/c/8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don’t memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error. | 2025-11-24 | not yet calculated | CVE-2025-40213 | https://git.kernel.org/stable/c/5c19daa93d9af29f1f46251b47e1ea66bcc8d679 https://git.kernel.org/stable/c/1c9aca1787e8395a2c59fef20e914467958969c5 https://git.kernel.org/stable/c/e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 |
| Logpoint–SIEM | An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service (Redis) information to li-admin users. This can lead to privilege escalation. | 2025-11-27 | not yet calculated | CVE-2025-66360 | https://servicedesk.logpoint.com/hc/en-us/articles/29160917867549-Redis-communication-exposed-for-internal-communication |
| Logpoint–SIEM | An issue was discovered in Logpoint before 7.7.0. Sensitive information is exposed in System Processes for an extended period during high CPU load. | 2025-11-27 | not yet calculated | CVE-2025-66361 | https://servicedesk.logpoint.com/hc/en-us/articles/29160993806749-Process-Data-Exposure-Under-High-Load |
| lukevella–rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6. | 2025-11-29 | not yet calculated | CVE-2025-66027 | https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg https://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963 https://github.com/lukevella/rallly/releases/tag/v4.5.6 |
| Lumi Security Camera–Blurams | An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. | 2025-11-24 | not yet calculated | CVE-2025-63674 | http://blurams.com http://a31c.com https://vindivlabs.com/research/lumi_part_2/ |
| lunary-ai–lunary-ai/lunary | lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35. | 2025-11-25 | not yet calculated | CVE-2025-9803 | https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6 https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91 |
| Magewell Pro Convert–Magewell | A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | 2025-11-24 | not yet calculated | CVE-2025-63952 | https://www.magewell.com https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-63952 |
| Magewell Pro Convert–Magewell | A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | 2025-11-24 | not yet calculated | CVE-2025-63953 | https://www.magewell.com https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-63953 |
| MegaTec Taiwan–ClientMate | The CMService.exe service runs with SYSTEM privileges and contains an unquoted service path. This allows a local attacker with write privileges to the filesystem to insert a malicious executable in the path, leading to privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-66264 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan–ClientMate | CMService.exe creates the C:\usr directory and subdirectories with insecure permissions, granting write access to all authenticated users. This allows attackers to replace configuration files (such as snmp.conf) or hijack DLLs to escalate privileges. | 2025-11-26 | not yet calculated | CVE-2025-66265 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan–UPSilon2000V6.0 | The RupsMon.exe service executable in UPSilon 2000 has insecure permissions, granting the 'Everyone' group Full Control. A local attacker can replace the executable with a malicious binary to execute code with SYSTEM privileges, or simply change the service's configured path to a command; stopping and starting the service then immediately achieves code execution and privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-66266 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan–UPSilon2000V6.0 | The RupsMon and USBMate services in UPSilon 2000 run with SYSTEM privileges and contain unquoted service paths. This allows a local attacker to perform path interception and escalate privileges if they have write permissions to a directory that precedes, in the unquoted path, the one in which the real service executables live. | 2025-11-26 | not yet calculated | CVE-2025-66269 | https://www.megatec.com.tw/software-download/ |
| Millensys Vision Tools Workspace–MILLENSYS | MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | 2025-11-24 | not yet calculated | CVE-2025-63958 | https://www.millensys.com/ https://ozex.gitlab.io/tricks_hacks/2025-11-19-cve-2025-63958/index.html |
| Mongoose–Cesanta | Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL. | 2025-11-24 | not yet calculated | CVE-2025-65502 | https://github.com/cesanta/mongoose/issues/3306 https://github.com/cesanta/mongoose/pull/3307 |
| nanomq–nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.22.5, a Heap-Use-After-Free (UAF) vulnerability exists in the TCP transport component of NanoMQ, which relies on the underlying NanoNNG library (specifically in src/sp/transport/mqtt/broker_tcp.c). The vulnerability is due to improper resource management and premature cleanup of message and pipe structures under specific malformed MQTTV5 retain message traffic conditions. This issue has been patched in version 0.22.5. | 2025-11-25 | not yet calculated | CVE-2025-65953 | https://github.com/nanomq/nanomq/security/advisories/GHSA-r95p-wjm8-2qxr |
| NCP Secure Enterprise–NCP | NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability. | 2025-11-26 | not yet calculated | CVE-2025-26155 | https://pentest.axians.de/viewer.html?file=cve-2025-26155/CVE-axians-eng.pdf https://www.ncp-e.com/ |
| Netskope–Netskope Client | Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. If this gap is successfully exploited, a local, authenticated user with Administrator privileges can improperly load the driver as a generic kernel service. This triggers the flaw, causing a system crash (Blue-Screen-of-Death) and resulting in a Denial of Service (DoS) for the affected machine. | 2025-11-28 | not yet calculated | CVE-2025-11156 | https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-005 |
| OneUptime–oneuptime | OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0. | 2025-11-26 | not yet calculated | CVE-2025-65966 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-m449-vh5f-574g |
| OneUptime–oneuptime | OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567. | 2025-11-26 | not yet calculated | CVE-2025-66028 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-675q-66gf-gqg8 https://github.com/OneUptime/oneuptime/commit/3e72b2a9a4f50f98cf1f6cf13fa3e405715bb370 |
| Online Shopping Portal–PHPGurukul | Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure via the oid parameter. | 2025-11-25 | not yet calculated | CVE-2025-65647 | https://phpgurukul.com/ https://github.com/SachuuZ/CVE/tree/main/CVE-2025-65647 |
| Open-Source HashTech–HashTech Project | An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-65276 | https://gist.github.com/whoisrushi/c3bfcd1adf96d80952edbd03d0310836 |
| OpenAtlas v.8.12.0–Austrian Academy of Sciences | An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages. | 2025-11-24 | not yet calculated | CVE-2025-56423 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-user-enumeration/ |
| OpenAtlas–Austrian Archaeological Institute | Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /display_logo endpoint. | 2025-11-24 | not yet calculated | CVE-2025-60914 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-unautorisierter-zugriff-display_logo/ |
| OpenAtlas–Austrian Archaeological Institute | An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute a path traversal via a crafted request. | 2025-11-24 | not yet calculated | CVE-2025-60915 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-lfi-konfigurationsdatei-exfiltration/ |
| OpenAtlas–Austrian Archaeological Institute | A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user’s browser via injecting a crafted payload into the charge parameter. | 2025-11-24 | not yet calculated | CVE-2025-60916 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-reflected-dom-based-xss-charge/ |
| OpenAtlas–Austrian Archaeological Institute | A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user’s browser via injecting a crafted payload into the color parameter. | 2025-11-24 | not yet calculated | CVE-2025-60917 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-xss-in-farb-feldern-ort/ |
| openbao–openbao | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to an identity group, escalating their or another user’s permissions in the system. Specifically this is an issue when: an operator in the root namespace has access to identity/groups endpoints and an operator does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4. | 2025-11-25 | not yet calculated | CVE-2025-64761 | https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436 https://github.com/openbao/openbao/pull/2143 https://github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5 |
| openobserve–openobserve | OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued links remain valid simultaneously. This results in broken access control where a removed or demoted user can regain access or escalate privileges. This issue has been patched in version 0.16.0. | 2025-11-29 | not yet calculated | CVE-2025-66223 | https://github.com/openobserve/openobserve/security/advisories/GHSA-c856-2xpx-gw75 |
| OpenSearch–OpenSearch | A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions below 3.2.0. | 2025-11-25 | not yet calculated | CVE-2025-9624 | https://fluidattacks.com/advisories/chick https://opensearch.org/blog/explore-opensearch-3-3/ |
| orangehrm–orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possible for the application to write files on the server as part of the mail-handling routine, and in deployments where those files end up in web-accessible locations, the behavior can be leveraged to achieve execution of attacker-controlled content. The issue stems entirely from constructing OS-level command strings using unsanitized input within the mail-sending logic. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66224 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-2w7w-h5wv-xr55 |
| orangehrm–orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66225 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263 |
| orangehrm–orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66289 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-99qp-xh4q-pr9x |
| orangehrm–orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no permission to view the Recruitment module, can directly access candidate attachment URLs. When an authenticated request is made to the attachment endpoint, the system validates the session but does not confirm that the requesting user has the necessary recruitment permissions. As a result, any authenticated user can download CVs and other uploaded documents for arbitrary candidates by issuing direct requests to the attachment endpoint, leading to unauthorized exposure of sensitive applicant data. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66290 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-qf8r-c54j-jw88 |
| orangehrm–orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has permission to access the associated interview record. Because the server does not perform any recruitment-level authorization checks, an ESS-level user with no access to recruitment workflows can directly request interview attachment URLs and receive the corresponding files. This exposes confidential interview documents, including candidate CVs, evaluations, and supporting files, to unauthorized users. The issue arises from relying on predictable object identifiers and session presence rather than validating the user’s association with the relevant recruitment process. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66291 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-v32g-r8xx-4g6g https://github.com/orangehrm/orangehrm/commit/647133d0fdda989a4836845a6531277078a84607 |
| Otsuka Information Technology–FMS | FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user’s browser through phishing attacks. | 2025-11-24 | not yet calculated | CVE-2025-13589 | https://www.twcert.org.tw/tw/cp-132-10520-03f29-1.html https://www.twcert.org.tw/en/cp-139-10521-abdc1-2.html |
| Overhang.io–Overhang.io | An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. | 2025-11-26 | not yet calculated | CVE-2025-65681 | https://github.com/overhangio/tutor https://docs.tutor.edly.io https://github.com/Rivek619/CVE-2025-65681 |
| OWASP–java-html-sanitizer | OWASP Java HTML Sanitizer is a configurable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which are not mentioned in the HTML policy. At time of publication no known patch is available. | 2025-11-26 | not yet calculated | CVE-2025-66021 | https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2 |
| pallets–werkzeug | Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug’s safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4. | 2025-11-29 | not yet calculated | CVE-2025-66221 | https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2 https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13 https://github.com/pallets/werkzeug/releases/tag/3.1.4 |
| pretix–pretix | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer’s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing. | 2025-11-27 | not yet calculated | CVE-2025-13742 | https://pretix.eu/about/en/blog/20251126-release-2025-9-1/ |
| Primakon Pi Portal–Primakon | Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes. | 2025-11-25 | not yet calculated | CVE-2025-64061 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64061.md |
| Primakon Pi Portal–Primakon | The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., otheruser@user.com), an attacker can assume the session and gain full access to the target user’s data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level. | 2025-11-25 | not yet calculated | CVE-2025-64062 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64062.md |
| Primakon Pi Portal–Primakon | Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: Unauthorized Account Modification, modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint; Confidential Data Access, accessing and downloading sensitive organizational documents via a direct request to the document retrieval API; and Privilege Escalation, since this vulnerability can lead to complete compromise of data integrity and confidentiality, and to privilege escalation by manipulating core system functions. | 2025-11-25 | not yet calculated | CVE-2025-64063 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64063.md |
| Primakon Pi Portal–Primakon | Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls, any low-level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside the body of the request and escalate privileges. | 2025-11-25 | not yet calculated | CVE-2025-64064 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64064.md |
| Primakon Pi Portal–Primakon | The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to an access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitrary user, including application Administrators. This is due to a Broken Function Level Authorization failure (the function doesn’t check the caller’s privilege) compounded by an Insecure Design that permits a session switch without requiring the target user’s password or an administrative token and only needs the email of the user. | 2025-11-25 | not yet calculated | CVE-2025-64065 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64065.md |
| Primakon Pi Portal–Primakon | Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application’s local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of the application. This specific request can also be used to enumerate already registered user accounts, aiding in social engineering or further targeted attacks. | 2025-11-25 | not yet calculated | CVE-2025-64066 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64066.md |
| Primakon Pi Portal–Primakon | Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID Manipulation and IDOR, where by changing an ID parameter (e.g., user_id, project_id) in the request an attacker can access the object and data belonging to another user; and Filter Omission, where by omitting the filtering parameter entirely an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information. | 2025-11-25 | not yet calculated | CVE-2025-64067 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md |
| py-pdf–pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This issue has been patched in version 6.4.0. | 2025-11-25 | not yet calculated | CVE-2025-66019 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-m449-cwjh-6pw7 https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b2 https://github.com/py-pdf/pypdf/releases/tag/6.4.0 |
| RapidCMS–OpenRapid | OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. | 2025-11-24 | not yet calculated | CVE-2025-64047 | http://rapidcms.com https://gist.github.com/b1uel0n3/b105ad05dbcd3fe148a26e8180dddda7 |
| ray-project–ray | Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the User-Agent header starting with the string “Mozilla” as a defense mechanism. This defense is insufficient as the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0. | 2025-11-26 | not yet calculated | CVE-2025-62593 | https://github.com/ray-project/ray/security/advisories/GHSA-q279-jhrf-cc6v https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09 |
| REDAXO CMS–REDAXO | A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding a slice that uses the compromised module. | 2025-11-25 | not yet calculated | CVE-2025-64049 | https://github.com/redaxo/redaxo https://drive.google.com/drive/folders/1SpwL548ZBRYU_uL8W7Riv7VHshr2UN0R?usp=sharing https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-64049.md |
| REDAXO CMS–REDAXO | A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template. | 2025-11-25 | not yet calculated | CVE-2025-64050 | https://github.com/redaxo/redaxo https://drive.google.com/drive/folders/1Via4r4wn5zCcBllWmHpxYweCPgcbN0bz?usp=sharing https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-64050.md |
| RSA–RSA | In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable. | 2025-11-24 | not yet calculated | CVE-2024-47856 | https://community.rsa.com/s/product-download/a9G4u000000mCOYEAU/rsa-authentication-agent-747-for-microsoft-windows https://community.rsa.com/s/article/RSA-2024-13-RSA-Authentication-Agent-for-Microsoft-Windows-Security-Update |
| Ruckus Unleashed–Ruckus Networks | A reflected cross-site scripting (XSS) vulnerability exists in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp. | 2025-11-25 | not yet calculated | CVE-2025-63735 | https://www.ruckusnetworks.com/products/network-control-and-management/controller-less/ https://github.com/huthx/CVE-2025-63735-Ruckus-Unleashed-Reflected-XSS |
| Ruoyi–Ruoyi | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd method of SysUserController.java. | 2025-11-26 | not yet calculated | CVE-2025-46174 | https://gitee.com/y_project/RuoYi/issues/IC1JZR https://gitee.com/y_project/RuoYi/commit/ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef https://gist.github.com/Han-tj/29543ce0dae8cbb3bcbedca3390844a9 |
| Ruoyi–Ruoyi | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java. | 2025-11-26 | not yet calculated | CVE-2025-46175 | https://gitee.com/y_project/RuoYi/issues/IC1FS0 https://gitee.com/y_project/RuoYi/commit/f935b2782f4237cdbcc13bdce76703e82c42f4fe https://gist.github.com/Han-tj/74d2ed84ede1909da55090fed410d288 |
| Ruoyi–Ruoyi | An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user. | 2025-11-26 | not yet calculated | CVE-2025-56396 | https://gitee.com/y_project/RuoYi/issues/ICJ865 https://gist.github.com/Han-tj/22cfd18fa9f116bb886e8e56782f6865 |
| SDMC–NE6037 | Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router’s administrative portal, which by default is reachable only via LAN ports. | 2025-11-27 | not yet calculated | CVE-2025-8890 | https://cert.pl/en/posts/2025/11/CVE-2025-8890 |
| shama–willitmerge | willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public. | 2025-11-29 | not yet calculated | CVE-2025-66219 | https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197 |
| Shenzhen TVT Digital Technology Co., Ltd.–NVMS-9000 | Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC. | 2025-11-24 | not yet calculated | CVE-2018-25126 | https://web.archive.org/web/20180614014914/http://en.tvt.net.cn:80/news/227.html https://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt https://qkl.seebug.org/vuldb/ssvid-97217 https://blogs.juniper.net/en-us/threat-research/iot-botnet-exploiting-tvt-shenzhen-dvrs-still-lingers https://www.vulncheck.com/advisories/tvt-nvms9000-hardcoded-api-credentials-and-command-injection |
| Shenzhen TVT Digital Technology Co., Ltd.–NVMS-9000 | Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated remote attacker can invoke privileged administrative query commands without valid credentials. Successful exploitation discloses sensitive information including administrator usernames and passwords in cleartext, network and service configuration, and other device details via commands such as queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg. | 2025-11-24 | not yet calculated | CVE-2024-14007 | https://ssd-disclosure.com/ssd-advisory-nvms9000-information-disclosure/ https://www.greynoise.io/blog/surge-exploitation-attempts-tvt-dvrs https://undercodetesting.com/eleven11-botnet-mirai-variant-targeting-nvms-9000-devices/ https://www.vulncheck.com/advisories/tvt-nvms9000-unauthenticated-admin-queries-and-information-disclosure |
| SIGB PBP–SIGB | SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters. | 2025-11-25 | not yet calculated | CVE-2025-61167 | http://pmb.com http://sigb.com https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 https://gist.github.com/ZanyMonk/ed12e265f777152c33aeb806a644850e |
| SIGB PBP–SIGB | An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. | 2025-11-25 | not yet calculated | CVE-2025-61168 | http://pmb.com http://sigb.com https://gist.github.com/ZanyMonk/446f6875a2ceb3decef5ff1176428f9e https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 |
| Simple SA–Wirtualna Uczelnia | The application contains an insecure ‘redirectToUrl’ mechanism that incorrectly processes the value of the ‘redirectUrlParameter’ parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated attacker to perform arbitrary code execution. This issue was fixed in version wu#2016.1.5513#0#20251014_113353. | 2025-11-27 | not yet calculated | CVE-2025-12140 | https://cert.pl/posts/2025/11/CVE-2025-12140/ |
| SiRcom–SMART Alert (SiSA) | SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application. | 2025-11-25 | not yet calculated | CVE-2025-13483 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06 |
| SOGo–alinto | alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the “userName” parameter. | 2025-11-24 | not yet calculated | CVE-2025-63498 | https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c https://github.com/xryptoh/CVE-2025-63498 https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.4 |
| Sony Corporation–SNC-CX600W | Cross-site request forgery vulnerability exists in SNC-CX600W versions prior to Ver.2.8.0. If a user accesses a specially crafted webpage while logged in, unintended operations may be performed. | 2025-11-25 | not yet calculated | CVE-2025-62497 | https://www.sony.com/electronics/support/ip-cameras-fixed/snc-cx600w https://jvn.jp/en/jp/JVN75140384/ |
| Sony Corporation–SNC-CX600W | Cross-site scripting vulnerability exists in SNC-CX600W all versions. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the product. | 2025-11-25 | not yet calculated | CVE-2025-64730 | https://www.sony.com/electronics/support/ip-cameras-fixed/snc-cx600w https://jvn.jp/en/jp/JVN75140384/ |
| SwitchBot–Smart Video Doorbell | Smart Video Doorbell firmware versions prior to 2.01.078 contain an active debug code vulnerability that allows an attacker to connect via Telnet and gain access to the device. | 2025-11-26 | not yet calculated | CVE-2025-64983 | https://www.switch-bot.com/products/switchbot-video-doorbell?srsltid=AfmBOooGEZArqUag9p59qB8ti2fDP0vCOzxX33NGlpJ8yDlZnzC3vJ_f https://jvn.jp/en/jp/JVN67185535 |
| SY-GPON-1110-WDONT–Syrotech | An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to extract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates, stored in .pem format in the firmware's etc folder. | 2025-11-25 | not yet calculated | CVE-2025-63729 | https://github.com/Yashodhanvivek/CVE-2025-63729-Syrotech-SY-GPON-1110-/blob/main/Syrotech_SY-GPON-1110-WDONT_Security_Assessment.pdf |
| Synergetic Data Systems, Inc.–UnForm Server | UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s ‘arc’ endpoint. The Doc Flow module uses the ‘arc’ handler to retrieve and render pages or resources specified by the user-supplied ‘pp’ parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement. | 2025-11-25 | not yet calculated | CVE-2025-34350 | https://unform.com/download/uf101_readme.txt https://www.vulncheck.com/advisories/unform-server-doc-flow-unauthenticated-file-read |
| System USSD Gateway–OpenCode | OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function. | 2025-11-26 | not yet calculated | CVE-2025-65235 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65235-ussd-gw-sql-injection-subusers |
| System USSD Gateway–OpenCode | OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint. | 2025-11-26 | not yet calculated | CVE-2025-65236 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65236-ussd-gateway-sql-injection-sessions |
| System USSD Gateway–OpenCode | A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user’s browser via injecting a crafted payload. | 2025-11-26 | not yet calculated | CVE-2025-65237 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65237-ussd-gateway-reflected-cross-site-scripting |
| System USSD Gateway–OpenCode | Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information. | 2025-11-26 | not yet calculated | CVE-2025-65238 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65238-ussd-gateway-broken-access-control-sessions |
| System USSD Gateway–OpenCode | Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs. | 2025-11-26 | not yet calculated | CVE-2025-65239 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65239-ussd-gateway-broken-access-control-logs |
| Taclia–Taclia’s web application | Stored Cross-Site Scripting (XSS) vulnerability in the Taclia web application, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as profile images, which are then stored on the server and executed in the context of any user who accesses the compromised resource. | 2025-11-24 | not yet calculated | CVE-2025-41087 | https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-stored-taclias-web-application |
| Tellion, Inc.–HN-2204AP Router | Tellion HN-2204AP routers contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/system_config_file management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials, wireless keys, and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network. | 2025-11-26 | not yet calculated | CVE-2019-25227 | https://packetstorm.news/files/id/154752/ https://web.archive.org/web/20190525010559/https://www.tellion.com/ https://www.vulncheck.com/advisories/tellion-hn2204ap-unauthenticated-config-disclosure |
| TEW-657BRM–TRENDnet | TRENDnet TEW-657BRM 1.00.1 has an authenticated remote OS command injection vulnerability in the setup.cgi binary, exploitable via the HTTP parameters “command”, “todo”, and “next_file”, which allows an attacker to execute arbitrary commands with root privileges. | 2025-11-26 | not yet calculated | CVE-2025-65202 | https://github.com/WhereisRain/TEW-657BRM |
| The Ray Team–Anyscale Ray | Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access. | 2025-11-27 | not yet calculated | CVE-2025-34351 | https://docs.ray.io/en/latest/ray-security/token-auth.html https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-w8vc-465m-jjw6 https://www.vulncheck.com/advisories/anyscale-ray-token-authentication-disabled-by-default-insecure-configuration |
| thingsboard–thingsboard | ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the “Image Gallery”, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user’s browser. This vulnerability can lead to the execution of malicious code in the context of other users’ sessions, potentially compromising their accounts and allowing unauthorized actions. | 2025-11-27 | not yet calculated | CVE-2025-3261 | https://advisory.checkmarx.net/advisory/CVE-2025-3261/ https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03 |
| TIMLEGGE–XML::Sig | XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures. | 2025-11-26 | not yet calculated | CVE-2025-40934 | https://github.com/perl-net-saml2/perl-XML-Sig/issues/63 https://github.com/perl-net-saml2/perl-XML-Sig/pull/64 |
| Tinyproxy–Tinyproxy | Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. | 2025-11-26 | not yet calculated | CVE-2025-63938 | https://github.com/tinyproxy/tinyproxy/issues/586 https://github.com/tinyproxy/tinyproxy/commit/3c0fde94981b025271ffa1788ae425257841bf5a https://github.com/rayinaw/my-hub/blob/main/CVE-2025-63938/DISCLOSURE.md |
| Tuya Smart–Tuya | Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim’s Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim’s behalf, resulting in unauthorized Alexa access to the victim’s Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | 2025-11-24 | not yet calculated | CVE-2025-56400 | http://tuya.com https://src.tuya.com/announcement/30 |
| Ubuntu–edk2 | The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733. | 2025-11-26 | not yet calculated | CVE-2025-2486 | https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797 |
| Unknown–Backup Migration | The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication. | 2025-11-24 | not yet calculated | CVE-2025-12394 | https://wpscan.com/vulnerability/e61293d0-2e1b-4dac-96c5-97fa17e38b16/ |
| Unknown–Broken Link Manager | The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-11-24 | not yet calculated | CVE-2025-12629 | https://wpscan.com/vulnerability/528e9775-3a2d-4e52-92f7-f123ad787e7d/ |
| Unknown–Guest posting / Frontend Posting / Front Editor | The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue. | 2025-11-24 | not yet calculated | CVE-2025-12569 | https://wpscan.com/vulnerability/37586572-33f9-4365-bfce-7db277a8df72/ |
| Unknown–TAX SERVICE Electronic HDM | The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not perform authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements. | 2025-11-26 | not yet calculated | CVE-2025-12061 | https://wpscan.com/vulnerability/1015dd69-faa5-4008-8884-f497ff980ed3/ |
| Unknown–WordPress eCommerce Plugin | The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-11-24 | not yet calculated | CVE-2024-14015 | https://wpscan.com/vulnerability/1a70927a-e345-4e2f-98da-1235f4482cc0/ |
| Unknown–WP 2FA | The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them. | 2025-11-24 | not yet calculated | CVE-2025-12628 | https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/ |
| Veal98 echo–ECHO | An issue was discovered in Veal98 Echo Open-Source Community System 2.2 through 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint, potentially causing a denial of service to the server or the downstream users. | 2025-11-25 | not yet calculated | CVE-2025-51741 | http://echo.com https://github.com/Veal98/Echo https://gist.github.com/Paxsizy/9d92e8746778cf0926705d89b4f3618c |
| xmall–xmall | Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts. | 2025-11-29 | not yet calculated | CVE-2025-65540 | https://github.com/Exrick/xmall/issues/101 |
| Xtool AnyScan–Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution. | 2025-11-24 | not yet calculated | CVE-2025-63432 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63432 |
| Xtool AnyScan–Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application’s code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. | 2025-11-24 | not yet calculated | CVE-2025-63433 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63433 |
| Xtool AnyScan–Xtooltech | The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution. | 2025-11-24 | not yet calculated | CVE-2025-63434 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63434 |
| Xtool AnyScan–Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages. | 2025-11-24 | not yet calculated | CVE-2025-63435 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63435 |
| YCCMS 3.4–YCCMS | YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. The vulnerability exists in the add() and getPost() functions within the ArticleAction.class.php file due to improper neutralization of user input in the article title field. | 2025-11-24 | not yet calculated | CVE-2025-64048 | http://yccms.com https://gist.github.com/b1uel0n3/8354650e683ffb0812bfe72b702b482d |
| youlai-boot v2.21–youlai | Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | 2025-11-26 | not yet calculated | CVE-2025-55469 | https://gitee.com/youlaiorg/youlai-boot/issues/ICFCOK https://gitee.com/youlaiorg/youlai-boot https://gist.github.com/old6ma/d6e19c9efbe28431f4c27c063cc9cbb8 |
| youlai-boot v2.21–youlai | Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | 2025-11-26 | not yet calculated | CVE-2025-55471 | https://gitee.com/youlaiorg/youlai-boot https://gitee.com/youlaiorg/youlai-boot/issues/ICFBW8 https://gist.github.com/old6ma/08d83e5aa7d47e7ff18b23337ccd1f1d |
| ZIRA Group WBRM 7.0–Zira Group | ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName. | 2025-11-24 | not yet calculated | CVE-2025-56401 | http://wbrm.com https://mstreet97.github.io/security/cve/sqli/2025/07/25/Zira-WBRM-SQL-Injection-CVE-2025-56401.html |
