Skip to main content
CVE-2025-20902 MEDIUM This Month

Improper access control in Media Controller prior to version 1.0.24.5282 allows local attacker to launch activities in MediaController's privilege. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
5.1
EPSS
0.1%
CVE-2024-45657 MEDIUM This Month

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment. Rated medium severity (CVSS 5.0). No vendor patch available.

IBM Authentication Bypass Security Verify Access Security Verify Access Docker
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2024-11623 MEDIUM PATCH This Month

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Authentik
NVD GitHub
CVSS 4.0
4.8
EPSS
0.4%
CVE-2025-25039 MEDIUM This Month

A vulnerability in the web-based management interface of HPE Aruba Networking ClearPass Policy Manager (CPPM) allows remote authenticated users to run arbitrary commands on the underlying host. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Aruba Clearpass Policy Manager
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-20894 MEDIUM This Month

Improper access control in Samsung Email prior to version 6.1.97.1 allows physical attackers to access data across multiple user profiles. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Samsung Email
NVD
CVSS 3.1
4.6
EPSS
0.2%
CVE-2025-20884 MEDIUM This Month

Improper access control in Samsung Message prior to SMR Jan-2025 Release 1 allows physical attackers to access data across multiple user profiles. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Samsung Android
NVD
CVSS 3.1
4.6
EPSS
0.2%
CVE-2025-20898 MEDIUM This Month

Improper input validation in Samsung Members prior to version 5.2.00.12 allows physical attackers to access data across multiple user profiles. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Samsung Members
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-20883 MEDIUM This Month

Improper access control in SoundPicker prior to SMR Jan-2025 Release 1 allows physical attackers to access data across multiple user profiles. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Android
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-20901 MEDIUM This Month

Out-of-bounds read in Blockchain Keystore prior to version 1.3.16.5 allows local privileged attackers to read out-of-bounds memory. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow Blockchain Keystore
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-1019 MEDIUM PATCH This Month

The z-order of the browser windows could be manipulated to hide the fullscreen notification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft XSS Mozilla
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-53994 MEDIUM This Month

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-53266 MEDIUM This Month

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-53851 MEDIUM PATCH This Month

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-24982 MEDIUM This Month

Cross-site request forgery vulnerability exists in Activity Log WinterLock versions prior to 1.2.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2025-22643 MEDIUM This Month

Missing Authorization vulnerability in FameThemes OnePress allows Exploiting Incorrectly Configured Access Control Security Levels.3.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-12046 MEDIUM This Month

The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-13514 MEDIUM This Month

The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.5 via the 'bsb-slider' shortcode due to insufficient. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-13607 MEDIUM This Month

The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-20886 MEDIUM This Month

Inclusion of sensitive information in test code in softsim trustlet prior to SMR Jan-2025 Release 1 allows local privileged attackers to get test key. Rated medium severity (CVSS 4.1). No vendor patch available.

Information Disclosure Android
NVD
CVSS 3.1
4.1
EPSS
0.1%
CVE-2025-20896 MEDIUM This Month

Use of implicit intent for sensitive communication in EasySetup prior to version 11.1.18 allows local attackers to access sensitive information. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Easysetup
NVD
CVSS 3.1
4.0
EPSS
0.1%
CVE-2025-20899 MEDIUM This Month

Improper access control in PushNotification prior to version 13.0.00.15 in Android 12, 14.0.00.7 in Android 13, and 15.1.00.5 in Android 14 allows local attackers to access sensitive information. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Android Samsung
NVD
CVSS 3.1
4.0
EPSS
0.1%
CVE-2025-22475 LOW Monitor

Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Dell Information Disclosure Data Domain Operating System
NVD
CVSS 3.1
3.7
EPSS
0.2%
CVE-2025-22601 LOW Monitor

Discourse is an open source platform for community discussion. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Path Traversal Discourse
NVD GitHub
CVSS 3.1
3.1
EPSS
0.3%
CVE-2024-45658 LOW Monitor

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Information Disclosure Security Verify Access
NVD
CVSS 3.1
2.7
EPSS
0.1%
CVE-2024-56197 LOW Monitor

Discourse is an open source platform for community discussion. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
2.2
EPSS
0.1%
CVE-2024-11467 HIGH This Month

Omnissa Horizon Client for macOS contains a Local privilege escalation (LPE) Vulnerability due to a logic flaw. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Privilege Escalation macOS
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-24968 HIGH POC This Week

reNgine is an automated reconnaissance framework for web applications. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Rengine
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-24967 HIGH POC This Month

reNgine is an automated reconnaissance framework for web applications. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Rengine
NVD GitHub
CVSS 4.0
7.4
EPSS
0.6%
CVE-2025-24966 MEDIUM POC This Month

reNgine is an automated reconnaissance framework for web applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Rengine
NVD GitHub
CVSS 4.0
5.3
EPSS
0.5%
CVE-2025-0509 HIGH PATCH This Month

A security issue was found in Sparkle before version 2.6.4. Rated high severity (CVSS 7.3).

Information Disclosure Path Traversal Sparkle Hci Compute Node Oncommand Workflow Automation +1
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-23060 MEDIUM This Month

A vulnerability in HPE Aruba Networking ClearPass Policy Manager may, under certain circumstances, expose sensitive unencrypted information. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Aruba Authentication Bypass Clearpass Policy Manager
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-22206 MEDIUM POC Monitor

A SQL injection vulnerability in the JS Jobs plugin versions 1.1.5-1.4.2 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands via the 'fieldfor' parameter in. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Js Jobs Joomla
NVD
CVSS 3.1
4.7
EPSS
0.8%
CVE-2025-0825 MEDIUM POC PATCH This Week

cpp-httplib version v0.17.3 through v0.18.3 fails to filter CRLF characters ("\r\n") when those are prefixed with a null byte. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Cpp Httplib Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-9644 CRITICAL POC This Week

The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass F3X36 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2024-40890 HIGH KEV THREAT Act Now

Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication OS command injection in the CGI program, allowing authenticated attackers to execute OS commands via crafted HTTP POST requests. No patch available (EOL device).

Command Injection Zyxel Vmg1312 B10A Firmware Vmg1312 B10B Firmware Vmg1312 B10E Firmware +11
NVD
CVSS 3.1
8.8
EPSS
45.9%
CVE-2025-20907 MEDIUM This Month

Improper privilege management in Samsung Find prior to SMR Feb-2025 Release 1 allows local privileged attackers to disable Samsung Find. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Samsung Android
NVD
CVSS 3.1
6.0
EPSS
0.1%
CVE-2025-20904 MEDIUM This Month

Out-of-bounds write in mPOS TUI trustlet prior to SMR Feb-2025 Release 1 allows local privileged attackers to cause memory corruption. Rated medium severity (CVSS 6.3), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Android
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-20895 LOW Monitor

Authentication Bypass Using an Alternate Path in Galaxy Store prior to version 4.5.87.6 allows physical attackers to install arbitrary applications to bypass restrictions of Setupwizard. Rated low severity (CVSS 3.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Galaxy Store
NVD
CVSS 3.1
3.2
EPSS
0.0%
CVE-2025-20892 MEDIUM This Month

Protection Mechanism Failure in bootloader prior to SMR Jan-2025 Release 1 allows physical attackers to allow to execute fastboot command. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Android
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-0466 MEDIUM POC This Month

The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Sensei Lms PHP
NVD WPScan
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-13332 MEDIUM POC This Month

The TransFinanz WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Transfinanz
NVD WPScan
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-13329 HIGH POC This Month

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Solidres
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-13115 MEDIUM POC This Month

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF XSS Wp Projects Portfolio With Client Testimonials
NVD WPScan
CVSS 3.1
6.1
EPSS
0.1%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy