Skip to main content
CVE-2025-25296 MEDIUM POC PATCH THREAT This Month

Label Studio is an open source data labeling tool. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.0%.

Information Disclosure XSS Label Studio
NVD GitHub
CVSS 3.1
6.1
EPSS
20.0%
CVE-2025-25990 MEDIUM POC This Month

Cross Site Scripting vulnerability in hooskcms v.1.7.1 allows a remote attacker to obtain sensitive information via the /install/index.php component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hoosk
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-26157 MEDIUM POC This Month

A SQL Injection vulnerability was found in /bpms/index.php in Source Code and Project Beauty Parlour Management System V1.1, which allows remote attackers to execute arbitrary code via the name POST. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Beauty Parlour Management System
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2025-26158 MEDIUM POC This Month

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the manage-employee.php page of Kashipara Online Attendance Management System V1.0. Rated medium severity (CVSS 5.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Attendance Management System Tenda
NVD GitHub
CVSS 3.1
5.6
EPSS
0.5%
CVE-2025-25740 MEDIUM POC This Month

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the PSK parameter in the SetQuickVPNSettings module. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Buffer Overflow Stack Overflow Dir 853 Firmware
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2024-57725 MEDIUM This Month

An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 14.8% and no vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
14.8%
CVE-2025-25992 MEDIUM POC This Month

SQL Injection vulnerability in FeMiner wms 1.0 allows a remote attacker to obtain sensitive information via the inquire_inout_item.php component. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Feminer Wms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.2%
CVE-2025-25993 MEDIUM POC This Month

SQL Injection vulnerability in FeMiner wms wms 1.0 allows a remote attacker to obtain sensitive information via the parameter "itemid.". Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Feminer Wms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-25991 MEDIUM POC This Month

SQL Injection vulnerability in hooskcms v.1.7.1 allows a remote attacker to obtain sensitive information via the /install/index.php component. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hoosk
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-25988 MEDIUM POC This Month

Cross Site Scripting vulnerability in hooskcms v.1.8 allows a remote attacker to cause a denial of service via the custom Link title parameter and the Title parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Denial Of Service Hoosk
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-7052 MEDIUM POC This Month

The Forminator Forms WordPress plugin before 1.38.3 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Forminator Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2024-13493 MEDIUM POC This Month

The Sensly Online Presence WordPress plugin through 0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Sensly Online Presence
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-26791 MEDIUM POC PATCH This Month

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS). Rated medium severity (CVSS 4.5), this vulnerability is no authentication required. Public exploit code available.

XSS Dompurify Red Hat Suse
NVD GitHub
CVSS 3.1
4.5
EPSS
0.2%
CVE-2025-26507 MEDIUM This Month

Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Stack Overflow HP Futuresmart 3 +2
NVD
CVSS 4.0
6.3
EPSS
6.1%
CVE-2025-25304 MEDIUM PATCH This Month

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-26789 MEDIUM This Month

An issue was discovered in Logpoint AgentX before 1.5.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ssti
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-56477 MEDIUM This Month

IBM Power Hardware Management Console V10.3.1050.0 could allow an authenticated user to traverse directories on the system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Path Traversal Power Hardware Management Console
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-9601 MEDIUM PATCH This Month

The Qubely - Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-0821 MEDIUM PATCH This Month

Bit Assist plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

WordPress SQLi Bit Assist PHP
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-24567 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data.8.16.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-23534 MEDIUM This Month

Missing Authorization vulnerability in Mark Winiarski WPLingo allows Exploiting Incorrectly Configured Access Control Security Levels.1.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-23771 MEDIUM This Month

Missing Authorization vulnerability in Murali Push Notification for Post and BuddyPress allows Exploiting Incorrectly Configured Access Control Security Levels.11. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-23766 MEDIUM This Month

Missing Authorization vulnerability in ashamil OPSI Israel Domestic Shipments allows Exploiting Incorrectly Configured Access Control Security Levels.6.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-52895 MEDIUM This Month

IBM i 7.4 and 7.5 is vulnerable to a database access denial of service caused by a bypass of a database capabilities restriction check. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-13735 MEDIUM PATCH This Month

The HurryTimer - An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.11.2 due. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Hurrytimer
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-25204 MEDIUM PATCH This Month

`gh` is GitHub’s official command line tool. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Suse
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-22702 MEDIUM This Month

Missing Authorization vulnerability in EPC Photography.5.2. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-22698 MEDIUM This Month

Missing Authorization vulnerability in Ability, Inc Accessibility Suite by Online ADA allows Exploiting Incorrectly Configured Access Control Security Levels.16. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2024-13641 MEDIUM PATCH This Month

The Return Refund and Exchange For WooCommerce - Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Sensitive Information Exposure in all. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Microsoft WordPress Information Disclosure Return Refund And Exchange For Woocommerce
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2025-24607 MEDIUM This Month

Missing Authorization vulnerability in Northern Beaches Websites IdeaPush allows Exploiting Incorrectly Configured Access Control Security Levels.71. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.8
EPSS
0.2%
CVE-2024-10404 MEDIUM This Month

CalInvocationHandler in Brocade SANnav before 2.3.1b logs sensitive information in clear text. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Brocade Sannav
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-13692 MEDIUM PATCH This Month

The Return Refund and Exchange For WooCommerce - Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Microsoft WordPress Authentication Bypass Return Refund And Exchange For Woocommerce
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-57790 MEDIUM This Month

IXON B.V. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-25290 MEDIUM PATCH This Month

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-25285 MEDIUM PATCH This Month

@octokit/endpoint turns REST API endpoints into generic request options. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-25289 MEDIUM PATCH This Month

@octokit/request-error is an error class for Octokit request errors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-25288 MEDIUM PATCH This Month

@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-23406 MEDIUM This Month

Out-of-bounds read vulnerability caused by improper checking of TCP MSS option values exists in Cente middleware TCP/IP Network Series, which may lead to processing a specially crafted packet to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow
NVD
CVSS 3.0
5.3
EPSS
0.1%
CVE-2025-26524 MEDIUM This Month

This vulnerability exists in RupeeWeb trading platform due to missing rate limiting on OTP requests in certain API endpoints. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
5.1
EPSS
0.8%
CVE-2025-0178 MEDIUM This Month

Improper Input Validation vulnerability in WatchGuard Fireware OS allows an attacker to manipulate the value of the HTTP Host header in requests sent to the Web UI. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Fireware
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2024-13791 MEDIUM PATCH This Month

Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the downloadResponseFile() function. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

WordPress Path Traversal Bit Assist
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-1239 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the Blocked Sites list. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 4.0
4.8
EPSS
0.3%
CVE-2025-1071 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the spamBlocker module. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Fireware
NVD
CVSS 4.0
4.8
EPSS
0.2%
CVE-2024-56463 MEDIUM PATCH This Month

IBM QRadar SIEM 7.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

IBM XSS Qradar Security Information And Event Manager
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2022-28693 MEDIUM PATCH This Month

Unprotected alternative channel of return branch target prediction in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. Rated medium severity (CVSS 4.7).

Intel Information Disclosure Red Hat Suse
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2024-57969 MEDIUM PATCH This Month

app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

PHP Authentication Bypass Misp
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy