Skip to main content
CVE-2025-27410 MEDIUM POC PATCH THREAT This Month

PwnDoc is a penetration test reporting application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 21.6%.

RCE Path Traversal Pwndoc
NVD GitHub
CVSS 3.1
6.5
EPSS
21.6%
CVE-2025-26466 MEDIUM PATCH This Month

A flaw was found in the OpenSSH package. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 42.5% and no vendor patch available.

Microsoft SSH Denial Of Service Openssh Ubuntu Linux +1
NVD
CVSS 3.1
5.9
EPSS
42.5%
CVE-2025-27413 MEDIUM POC PATCH This Month

PwnDoc is a penetration test reporting application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal Pwndoc
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-25478 MEDIUM POC This Month

The account file upload functionality in Syspass 3.2.x fails to properly handle special characters in filenames. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Syspass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-25461 MEDIUM POC This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in SeedDMS 6.0.29. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Seeddms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-25476 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows a malicious user with elevated privileges to execute arbitrary Javascript code by specifying a malicious XSS payload as a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Syspass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-25916 MEDIUM POC This Month

wuzhicms v4.1.0 has a Cross Site Scripting (XSS) vulnerability in del function in \coreframe\app\member\admin\group.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wuzhicms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-26263 MEDIUM POC This Month

GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less (fixed in 6.2.0), is vulnerable to credentials disclosure due to improper memory handling in the ASManagerService.exe. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Windows
NVD GitHub Exploit-DB
CVSS 3.1
5.1
EPSS
0.4%
CVE-2025-26047 MEDIUM POC This Month

Loggrove v1.0 is vulnerable to SQL Injection in the read.py file. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Loggrove
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-25429 MEDIUM POC This Month

Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the r_name variable inside the have_same_name function on the /addschedule.htm page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XSS Tew 929Dru Firmware
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-25431 MEDIUM POC This Month

Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the The ssid key of wifi_data parameter on the /captive_portal.htm page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XSS Tew 929Dru Firmware
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-25430 MEDIUM POC This Month

Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the configname parameter on the /cbi_addcert.htm page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XSS Tew 929Dru Firmware
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-22271 MEDIUM This Month

The application or its infrastructure allows for IP address spoofing by providing its own value in the "X-Forwarded-For" header. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-23405 MEDIUM This Month

Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-24316 MEDIUM This Month

The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe functionality. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-56340 MEDIUM PATCH This Month

IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

IBM Path Traversal Cognos Analytics
NVD GitHub
CVSS 3.1
6.5
EPSS
1.8%
CVE-2024-44754 MEDIUM This Month

Cryptographic key extraction from internal flash in Minut M2 with firmware version #15142 allows physically proximate attackers to inject modified firmware into any other Minut M2 product via USB. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-22491 MEDIUM This Month

The user input was not sanitized on Reporting Hierarchy Management page of Foreseer Reporting Software (FRS) application which could lead into execution of arbitrary JavaScript in a browser context. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-1572 MEDIUM PATCH This Month

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

WordPress SQLi Kivicare PHP
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-0764 MEDIUM PATCH This Month

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class in all versions up to, and including,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

WordPress Information Disclosure Wpforo Forum PHP
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-23225 MEDIUM This Month

IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD could allow an authenticated user to cause a denial of service due to the improper handling of invalid headers sent to the queue. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service Mq Appliance
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-0823 MEDIUM PATCH This Month

IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 and 12.0.0 through 12.0.4 could allow a remote attacker to traverse directories on the system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

IBM Path Traversal Cognos Analytics
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-25728 MEDIUM This Month

Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API in plaintext, allowing attackers to access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-1662 MEDIUM This Month

The URL Media Uploader plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.0 via the 'url_media_uploader_url_upload' action. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1560 MEDIUM This Month

The WOW Entrance Effects (WEE!) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wee' shortcode in all versions up to, and including, 0.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Wow Entrance Effects Wee PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1571 MEDIUM PATCH This Month

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Image Comparison Widgets in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Exclusive Addons For Elementor PHP Elementor
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1405 MEDIUM PATCH This Month

The Product Catalog Simple plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's show_products shortcode in all versions up to, and including, 1.7.11 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Product Catalog Simple PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1757 MEDIUM This Month

The WordPress Portfolio Builder - Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pfhub_portfolio' and 'pfhub_portfolio_portfolio' shortcodes in. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Portfoliohub PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-9019 MEDIUM This Month

The SecuPress Free - WordPress Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's secupress_check_ban_ips_form shortcode in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-13469 MEDIUM This Month

The Pricing Table by PickPlugins plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button Link in all versions up to, and including, 1.12.10 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Pricing Table
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-12820 MEDIUM PATCH This Month

The MK Google Directions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MKGD' shortcode in all versions up to, and including, 3.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Google WordPress XSS Mk Google Directions
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-0769 MEDIUM This Month

PixelYourSite - Your smart PIXEL (TAG) and API Manager 10.1.1.1 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP Deserialization
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2025-22492 MEDIUM This Month

The connection string visible to users with access to FRSCore database on Foreseer Reporting Software (FRS) VM, this string can be used for gaining administrative access to the 4crXref database. Rated medium severity (CVSS 6.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-1511 MEDIUM PATCH This Month

The User Registration & Membership - Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS User Registration PHP
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2025-25727 MEDIUM This Month

Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to store passwords in cleartext. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-1505 MEDIUM PATCH This Month

The Advanced AJAX Product Filters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.6.8.1 due to insufficient. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Advanced Ajax Product Filters PHP
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2025-1776 MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability in Soteshop, versions prior to 8.3.4, which could allow remote attackers to execute arbitrary code via the ‘query’ parameter in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google RCE XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-1300 MEDIUM PATCH This Month

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Codechecker
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-1746 MEDIUM POC This Month

Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Opencart
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-13638 MEDIUM This Month

The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Information Disclosure Order Attachments For Woocommerce
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-24318 MEDIUM This Month

Cookie policy is observable via built-in browser tools. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS
NVD
CVSS 4.0
5.9
EPSS
0.1%
CVE-2024-13851 MEDIUM This Month

The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Modal Portfolio
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-0985 MEDIUM This Month

IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD stores potentially sensitive information in environment variables that could be obtained by a local user. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure IBM Mq
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-54175 MEDIUM This Month

IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD could allow a local user to cause a denial of service due to an improper check for unusual or exceptional conditions. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

IBM Denial Of Service Mq
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-1681 MEDIUM This Month

The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-13796 MEDIUM PATCH This Month

The Post Grid and Gutenberg Blocks - ComboBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.6 via the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Post Grid
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-24843 MEDIUM This Month

Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-27408 MEDIUM PATCH This Month

Manifest offers users a one-file micro back end. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-1749 MEDIUM This Month

HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Opencart
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-1748 MEDIUM This Month

HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Opencart
NVD
CVSS 3.1
4.7
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy