345 CVEs tracked today. 24 Critical, 211 High, 105 Medium, 5 Low.
-
CVE-2025-27590
CRITICAL
CVSS 9.0
In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Path Traversal
Oxidized Web
-
CVE-2025-27583
CRITICAL
CVSS 9.1
Incorrect access control in the component /rest/staffResource/findAllUsersAcrossOrg of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Academia Student Information System
-
CVE-2025-27419
CRITICAL
CVSS 9.2
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Denial Of Service
Wegia
-
CVE-2025-27270
CRITICAL
CVSS 9.8
Missing Authorization vulnerability in NotFound Residential Address Detection allows Privilege Escalation.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Privilege Escalation
-
CVE-2025-27268
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes - Worldwide Express Edition allows SQL Injection.2.18. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-26988
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications - WooCommerce allows SQL Injection.7.8. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
SQLi
-
CVE-2025-26970
CRITICAL
CVSS 10.0
Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Ark Theme Core ark-core allows Code Injection.71.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Code Injection
-
CVE-2025-26535
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Bitcoin / AltCoin Payment Gateway for WooCommerce allows Blind SQL Injection.7.6. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
SQLi
-
CVE-2025-26206
CRITICAL
CVSS 9.0
Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CSRF
Storefront
-
CVE-2025-25948
CRITICAL
CVSS 9.1
Incorrect access control in the component /rest/staffResource/create of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify user accounts. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Student Information System
-
CVE-2025-25150
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing allows Blind SQL Injection.1.6. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-20646
CRITICAL
CVSS 9.8
In wlan AP FW, there is a possible out of bounds write due to improper input validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Privilege Escalation
Buffer Overflow
Memory Corruption
Software Development Kit
-
CVE-2025-1875
CRITICAL
CVSS 9.3
SQL injection vulnerability has been found in 101news affecting version 1.0 through the "searchtitle" parameter in search.php. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Best Online News Portal
-
CVE-2025-1874
CRITICAL
CVSS 9.3
SQL injection vulnerability has been found in 101news affecting version 1.0 through the "description" parameter in admin/add-category.php. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Best Online News Portal
-
CVE-2025-1873
CRITICAL
CVSS 9.3
SQL injection vulnerability has been found in 101news affecting version 1.0 through the "pagetitle" and "pagedescription" parameters in admin/contactus.php. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Best Online News Portal
-
CVE-2025-1872
CRITICAL
CVSS 9.3
SQL injection vulnerability has been found in 101news affecting version 1.0 through the "sadminusername" parameter in admin/add-subadmins.php. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Best Online News Portal
-
CVE-2025-1871
CRITICAL
CVSS 9.3
SQL injection vulnerability has been found in 101news affecting version 1.0 through the "category" and "subcategory" parameters in admin/add-subcategory.php. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Best Online News Portal
-
CVE-2025-1870
CRITICAL
CVSS 9.3
SQL injection vulnerability has been found in 101news affecting version 1.0 through the "pagedescription" parameter in admin/aboutus.php. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Best Online News Portal
-
CVE-2025-1869
CRITICAL
CVSS 9.3
SQL injection vulnerability has been found in 101news affecting version 1.0 through the "username" parameter in admin/check_avalability.php. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Best Online News Portal
-
CVE-2025-1867
CRITICAL
CVSS 10.0
A critical HTTP Request/Response Smuggling vulnerability (CWE-444) in ithewei libhv library versions up to 1.3.3 allows attackers to manipulate HTTP request interpretation between frontend and backend servers. With a CVSS 4.0 score of 10.0, this vulnerability requires no authentication or user interaction and can be exploited remotely with low complexity. HTTP smuggling attacks can bypass security controls, poison web caches, hijack user sessions, and enable cross-site scripting, making this particularly dangerous in environments using libhv as a reverse proxy or HTTP server component.
Information Disclosure
Request Smuggling
-
CVE-2025-1866
CRITICAL
CVSS 10.0
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows Pointer Manipulation, potentially leading to out-of-bounds memory access.3.4 and. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Red Hat
Suse
-
CVE-2025-1864
CRITICAL
CVSS 10.0
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in radareorg radare2 allows Overflow Buffers.9.9. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Suse
Radare2
-
CVE-2024-55532
CRITICAL
CVSS 9.8
Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache
Information Disclosure
Ranger
-
CVE-2024-8262
CRITICAL
CVSS 9.8
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Proliz Software OBS allows Path Traversal.0927. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Path Traversal
Student Affairs Information System
-
CVE-2025-27501
HIGH
CVSS 8.6
OpenZiti is a free and open source project focused on bringing zero trust to any application. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SSRF
Openziti
-
CVE-2025-27500
HIGH
CVSS 8.2
OpenZiti is a free and open source project focused on bringing zero trust to any application. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Openziti
-
CVE-2025-27423
HIGH
CVSS 7.1
Vim is an open source, command line text editor. Rated high severity (CVSS 7.1), this vulnerability requires no authentication and has low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Command Injection
Red Hat
Vim
Suse
Hci Compute Node
-
CVE-2025-27422
HIGH
CVSS 7.5
FACTION is a PenTesting Report Generation and Collaboration Framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-27421
HIGH
CVSS 7.5
Abacus is a highly scalable and stateless counting API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
Suse
-
CVE-2025-27279
HIGH
CVSS 7.1
Reflected cross-site scripting in Flashfader WordPress plugin through version 1.1.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is low (0.09%, 26th percentile) with no confirmed active exploitation (not in CISA KEV). Patchstack vulnerability database lists this as a reflected XSS requiring social engineering or phishing to trick users into clicking malicious links. The changed scope (S:C) in CVSS indicates potential for cross-context attacks including session hijacking or privilege escalation within WordPress admin environments.
XSS
-
CVE-2025-27278
HIGH
CVSS 7.1
Reflected cross-site scripting in AcuGIS Leaflet Maps WordPress plugin (versions through 5.1.1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication, enabling potential session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, and no public exploit code has been identified at time of analysis.
XSS
-
CVE-2025-27275
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in WOO Codice Fiscale WordPress plugin versions up to 1.6.3 enables remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (clicking a crafted URL) but no authentication, allowing attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low likelihood of mass exploitation. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
XSS
-
CVE-2025-27271
HIGH
CVSS 7.1
Reflected XSS in DB Tables Import/Export WordPress plugin through version 1.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted links requiring user interaction. The vulnerability stems from inadequate input sanitization during web page generation, enabling scope change attacks with potential for session hijacking, credential theft, and administrative action execution. EPSS score of 0.09% (26th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
XSS
-
CVE-2025-27269
HIGH
CVSS 7.1
Reflected cross-site scripting in .htaccess Login block WordPress plugin versions up to 0.9a allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and malicious actions in the context of authenticated WordPress administrators. EPSS score of 0.09% (26th percentile) indicates low probability of widespread exploitation, and no active exploitation or public POC has been identified at time of analysis.
XSS
-
CVE-2025-27264
HIGH
CVSS 7.5
Local File Inclusion (LFI) in Doctor Appointment Booking WordPress plugin version 1.0.0 and earlier allows authenticated attackers with low privileges to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive application data. Despite the network attack vector, exploitation requires high complexity conditions and low-level authentication. EPSS score of 0.24% (47th percentile) suggests low probability of widespread exploitation, with no CISA KEV listing or confirmed active exploitation at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-27263
HIGH
CVSS 8.5
SQL injection in Doctor Appointment Booking WordPress plugin versions up to 1.0.0 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause availability disruption. The vulnerability enables scope change, meaning attackers can access resources beyond their authorized privilege level to read high-sensitivity data. With EPSS probability at 0.12% (31st percentile) and no evidence of active exploitation or public exploit code, this represents a moderate real-world risk primarily for sites where low-privileged user accounts (subscriber/contributor roles) exist.
SQLi
-
CVE-2025-26999
HIGH
CVSS 8.8
PHP object injection in ProfileGrid WordPress plugin versions up to 5.9.4.3 allows authenticated attackers to execute arbitrary code through unsafe deserialization of user-controlled data. With CVSS 8.8 severity and only low-privilege authentication required, this CWE-502 vulnerability enables full site compromise. EPSS exploitation probability is low (0.23%, 45th percentile) and no active exploitation or public POC is confirmed, though Patchstack has documented the vulnerability in their WordPress plugin security database.
Deserialization
-
CVE-2025-26994
HIGH
CVSS 7.1
Stored cross-site scripting in Zigaform WordPress plugin versions up to 7.4.2 allows unauthenticated attackers to inject malicious scripts that execute when administrators or users view affected form submissions. The vulnerability achieves changed scope (S:C in CVSS vector), enabling attackers to compromise admin sessions and potentially take over WordPress sites. EPSS probability is low at 0.08% (25th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the issue but fix version is not independently verified from available data.
XSS
-
CVE-2025-26989
HIGH
CVSS 7.1
Stored cross-site scripting (XSS) in Zigaform Form Builder Lite WordPress plugin through version 7.4.2 allows unauthenticated remote attackers to inject malicious scripts that execute in victims' browsers. The vulnerability requires user interaction (viewing the stored malicious content) and enables changed scope impact, potentially compromising administrator sessions and site integrity. EPSS score of 0.08% (25th percentile) indicates low observed exploitation probability despite the network-accessible attack vector. Patchstack database confirms the vulnerability but patch status is not documented in available references.
XSS
-
CVE-2025-26984
HIGH
CVSS 7.1
Reflected Cross-Site Scripting (XSS) in the SMS Alert Order Notifications WordPress plugin through version 3.7.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability carries a CVSS score of 7.1 due to changed scope (cross-domain consequences), though exploitation requires user interaction. EPSS probability is low (0.08%, 25th percentile), indicating limited observed exploitation activity. No CISA KEV listing confirms active widespread exploitation, though Patchstack's vulnerability database disclosure suggests the flaw may be targeted in WordPress-specific attack campaigns.
WordPress
XSS
-
CVE-2025-26967
HIGH
CVSS 8.8
PHP object injection in Events Calendar for GeoDirectory plugin versions through 2.3.14 enables authenticated attackers with low-privilege access to execute arbitrary PHP code by injecting malicious serialized objects. The CVSS 8.8 score reflects network-based exploitation requiring only low-level authentication, with no user interaction needed. EPSS score of 0.23% (45th percentile) indicates low observed exploitation probability, and no CISA KEV listing confirms this is not yet actively exploited in the wild. Patchstack database reports this as a confirmed deserialization vulnerability (CWE-502) in the WordPress plugin ecosystem.
Deserialization
-
CVE-2025-26918
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the Small Package Quotes - Unishippers Edition WordPress plugin through version 2.4.9 allows remote attackers to inject malicious scripts that execute in victims' browsers when users click crafted links. The CVSS vector indicates network-based exploitation requiring user interaction but no authentication, with changed scope enabling attacks beyond the vulnerable component's security context. EPSS score of 0.08% (25th percentile) suggests low observed exploitation activity, though no public exploit code or CISA KEV listing exists at time of analysis.
XSS
-
CVE-2025-26917
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WP Templata allows Reflected XSS.0.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-26914
HIGH
CVSS 7.1
Reflected cross-site scripting in Variable Inspector WordPress plugin versions up to 2.6.2 enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. The vulnerability stems from improper neutralization of input during page generation (CWE-79). With CVSS 7.1 and scope change capability, successful exploitation allows limited data theft, session hijacking, and malicious actions under victim context. EPSS score of 0.09% (26th percentile) suggests low probability of mass exploitation. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation campaigns.
XSS
-
CVE-2025-26885
HIGH
CVSS 7.2
Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection.5.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-26879
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cristián Lávaque s2Member Pro allows Reflected XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-26589
HIGH
CVSS 7.1
Reflected cross-site scripting in IE CSS3 Support WordPress plugin through version 2.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication and can impact other site origins due to changed scope (S:C in CVSS). EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation or CISA KEV listing, indicating limited real-world targeting despite moderate CVSS 7.1 scoring.
XSS
-
CVE-2025-26588
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the WordPress TTT Crop plugin versions up to 1.0 enables remote attackers to inject malicious JavaScript into victim browsers via crafted URLs. With a CVSS score of 7.1 and changed scope, successful exploitation allows attackers to steal session tokens, perform actions as the victim, or deliver phishing content within the WordPress admin context. EPSS exploitation probability is low at 0.09% (26th percentile), and no public exploit code or active exploitation has been identified at time of analysis.
XSS
-
CVE-2025-26587
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in sidebarTabs WordPress plugin versions ≤3.1 enables remote attackers to inject malicious scripts via crafted URLs that execute in victim browsers when user interaction occurs. Reported by Patchstack security research (audit@patchstack.com), this vulnerability exploits improper input neutralization during page generation. EPSS score of 0.09% (26th percentile) suggests low widespread exploitation probability, with no CISA KEV listing or public POC identified at time of analysis, indicating limited active exploitation despite moderate CVSS severity.
XSS
-
CVE-2025-26586
HIGH
CVSS 7.1
Reflected XSS in Events Planner WordPress plugin versions up to 1.3.10 allows remote attackers to inject malicious scripts via crafted URLs that execute in victims' browsers when clicked. Reported by Patchstack security researchers, the vulnerability requires user interaction (opening a malicious link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public proof-of-concept identified at time of analysis.
XSS
-
CVE-2025-26585
HIGH
CVSS 7.1
Reflected cross-site scripting in DL Leadback WordPress plugin versions up to 1.2.1 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability permits theft of session cookies, credential harvesting, or defacement of WordPress admin interfaces. EPSS score of 0.09% (26th percentile) suggests low observed exploitation activity, and no active exploitation is confirmed via CISA KEV. Patchstack documented this XSS flaw affecting all installations through version 1.2.1.
XSS
-
CVE-2025-26563
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the Rocket Mobile WordPress plugin through version 1.3.3 allows remote attackers to inject malicious scripts via crafted URLs. Successful exploitation requires victim interaction (clicking a malicious link). The vulnerability enables scope change (S:C), allowing attackers to execute JavaScript in the context of another user's session, potentially leading to session hijacking, credential theft, or site defacement. EPSS score of 0.09% (26th percentile) suggests low observed exploitation in the wild, and no public exploit code or CISA KEV listing identified at time of analysis.
XSS
-
CVE-2025-26557
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in ViperBar WordPress plugin versions up to 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack security researchers, this network-exploitable vulnerability has a low EPSS score (0.09%, 26th percentile) indicating minimal observed exploitation activity. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component, enabling session hijacking or privilege escalation within WordPress installations.
XSS
-
CVE-2025-26540
HIGH
CVSS 7.7
Arbitrary file deletion in Helloprint WordPress plugin (versions up to 2.0.7) allows authenticated attackers with low privileges to delete critical system files via path traversal, potentially causing complete site unavailability. The CVSS 7.7 score reflects the Changed scope and High availability impact - an attacker can traverse directories to target files outside the plugin's intended boundary, triggering denial of service. EPSS score of 0.18% (40th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified at time of analysis.
Path Traversal
-
CVE-2025-26534
HIGH
CVSS 8.6
Arbitrary file deletion in Helloprint WordPress plugin versions up to 2.0.7 allows remote unauthenticated attackers to delete critical files via path traversal, causing denial of service. CVSS 8.6 with Changed scope indicates impact beyond the vulnerable component. EPSS score of 0.19% (41st percentile) suggests low current exploitation probability. Reported by Patchstack audit team with technical details available in their vulnerability database.
Path Traversal
-
CVE-2025-25967
HIGH
CVSS 8.8
Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
Acora Cms
-
CVE-2025-25951
HIGH
CVSS 7.5
An information disclosure vulnerability in the component /rest/cb/executeBasicSearch of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Academia Student Information System
-
CVE-2025-25950
HIGH
CVSS 8.1
Incorrect access control in the component /rest/staffResource/update of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify user accounts. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Academia Student Information System
-
CVE-2025-25302
HIGH
CVSS 8.7
Rembg is a tool to remove image backgrounds. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Rembg
-
CVE-2025-25185
HIGH
CVSS 7.5
GPT Academic provides interactive interfaces for large language models. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Information Disclosure
Gpt Academic
-
CVE-2025-25170
HIGH
CVSS 7.1
Reflected cross-site scripting in the Migrate Posts WordPress plugin (versions ≤1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted requests. Attack requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling social engineering vectors such as malicious links in phishing emails. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no public exploit identified at time of analysis. Patchstack vulnerability database confirms the flaw but patch status requires verification with plugin maintainers.
XSS
-
CVE-2025-25169
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Authors Autocomplete Meta Box WordPress plugin versions up to 1.2 allows remote attackers to execute arbitrary JavaScript in victim browsers. Exploitation requires user interaction - a logged-in administrator or editor must click a malicious link. While CVSS rates this 7.1 (High) due to changed scope, the EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No active exploitation confirmed; no CISA KEV listing.
XSS
-
CVE-2025-25165
HIGH
CVSS 7.1
Stored Cross-Site Scripting (XSS) in WordPress Staff Directory Plugin (Company Directory) versions up to 4.3 allows remote unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers. The CVSS 7.1 score reflects Changed scope (S:C), indicating the injected script can operate outside the vulnerable component's security context. EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation. Patchstack database identifies this as a stored XSS variant, meaning the malicious payload persists in the WordPress database and triggers whenever affected pages are viewed.
XSS
-
CVE-2025-25164
HIGH
CVSS 7.1
Reflected XSS in the Meta Accelerator WordPress plugin through version 1.0.4 enables remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exploits improper input sanitization in web page generation, requiring victim interaction (user must click a malicious link) but no authentication. Changed scope (S:C) indicates potential session hijacking or actions outside the vulnerable component's context. EPSS score of 0.09% (26th percentile) suggests low observed exploitation probability. No CISA KEV listing or public exploit code identified at time of analysis.
XSS
-
CVE-2025-25162
HIGH
CVSS 7.5
Absolute path traversal in Sports Rankings and Lists WordPress plugin versions up to 1.0.2 allows unauthenticated remote attackers to read arbitrary files from the server filesystem. The vulnerability enables unauthorized access to sensitive configuration files, credentials, and source code without requiring authentication or user interaction. EPSS score of 0.25% suggests low probability of mass exploitation, and no public exploit code or active exploitation has been identified at time of analysis.
Path Traversal
-
CVE-2025-25161
HIGH
CVSS 7.1
Reflected cross-site scripting in WP Find Your Nearest WordPress plugin versions up to 0.3.1 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability enables attackers to steal session cookies, perform actions as the victim, or deliver malware, provided the victim clicks a malicious link. EPSS score of 0.09% suggests low current exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
XSS
-
CVE-2025-25158
HIGH
CVSS 7.1
Reflected cross-site scripting in the Uncomplicated SEO WordPress plugin through version 1.2 allows remote attackers to execute arbitrary JavaScript in victim browsers. The vulnerability requires user interaction (CVSS UI:R) and features a changed scope (S:C), indicating potential access to resources beyond the vulnerable component. With EPSS exploitation probability at 0.09% (26th percentile) and no CISA KEV listing, this represents a moderate real-world threat primarily relevant to targeted phishing campaigns against WordPress site administrators.
XSS
-
CVE-2025-25157
HIGH
CVSS 7.1
Reflected cross-site scripting in WP Church Center plugin (versions ≤1.3.3) enables network-based attackers to execute arbitrary JavaScript in victim browsers without authentication, requiring only that a user click a malicious link. The scope-change vector indicates potential compromise beyond the vulnerable plugin itself. EPSS exploitation probability is low (0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept at time of analysis, suggesting this remains a theoretical risk requiring social engineering to weaponize.
XSS
-
CVE-2025-25142
HIGH
CVSS 7.1
Stored cross-site scripting in WP Less Compiler WordPress plugin versions through 1.3.0 enables remote unauthenticated attackers to inject malicious scripts that execute in victim browsers when triggered by user interaction. The vulnerability affects a WordPress LESS CSS preprocessor plugin, with scope change (S:C) indicating potential attack escalation beyond the plugin's security context. EPSS score of 0.09% (26th percentile) suggests low probability of widespread exploitation attempts. No active exploitation confirmed by CISA KEV at time of analysis.
XSS
-
CVE-2025-25133
HIGH
CVSS 7.1
Cross-site scripting (XSS) in WP Frontend Submit 1.1.0 and earlier allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted input. The vulnerability has a network-based attack vector with low complexity but requires user interaction; its changed scope (S:C) means attackers could modify page content and steal session tokens beyond the vulnerable component's security context. EPSS score of 0.09% (26th percentile) indicates very low automated exploitation probability, and no active exploitation or public POC has been identified at time of analysis.
XSS
-
CVE-2025-25132
HIGH
CVSS 7.1
Stored cross-site scripting (XSS) in the Visitor Details WordPress plugin through version 1.0.1 allows remote unauthenticated attackers to inject malicious scripts that execute when authenticated users view visitor logs. The vulnerability leverages improper input sanitization in user-controllable fields (likely visitor metadata like User-Agent, referrer, or custom parameters). Exploitation requires victim interaction (UI:R) with the modified scope (S:C) enabling attacks beyond the vulnerable plugin's context. EPSS exploitation probability is low at 0.09% (26th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a moderate-priority remediation for sites using this plugin in administrative contexts.
XSS
-
CVE-2025-25130
HIGH
CVSS 7.5
Path traversal in Delete Comments By Status (WordPress plugin) versions up to 2.1.1 enables remote attackers to include arbitrary PHP files from the local filesystem, potentially achieving remote code execution. The attack has high complexity (AC:H) and requires user interaction (UI:R), limiting exploitation to social engineering scenarios. EPSS score of 0.18% (39th percentile) indicates low widespread exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public POC identified at time of analysis.
PHP
Path Traversal
-
CVE-2025-25129
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the Callback Request WordPress plugin through version 1.4 allows remote attackers to inject malicious JavaScript by manipulating user-supplied input reflected in web page output without proper sanitization. Exploitation requires victim interaction (UI:R) with a crafted link but needs no authentication (PR:N), enabling attacks via phishing or malicious websites. The changed scope (S:C) indicates potential impact beyond the vulnerable plugin itself. EPSS score of 0.09% (26th percentile) suggests low immediate exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
XSS
-
CVE-2025-25127
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the WordPress plugin 'Contact Us By Lord Linus' (versions up to 2.6) allows remote attackers to execute arbitrary JavaScript in victim browsers by crafting malicious URLs. Exploitation requires user interaction (clicking a link or visiting a crafted page), but no authentication is needed. CVSS 7.1 reflects scope change indicating potential session hijacking across security contexts. EPSS score of 0.15% (36th percentile) suggests low mass-exploitation probability, though XSS vulnerabilities in WordPress plugins remain attractive targets for phishing and account takeover campaigns.
XSS
-
CVE-2025-25124
HIGH
CVSS 7.1
Reflected cross-site scripting in Status Updater WordPress plugin (versions ≤1.9.2) allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers with changed security context (CVSS scope change). Attack vector is network-based with low complexity but requires user interaction (typically clicking a crafted link). EPSS score of 0.15% (36th percentile) indicates low automated exploitation probability. No CISA KEV listing or public POC identified at time of analysis. Patchstack database entry suggests this may be part of a broader WordPress plugin vulnerability pattern, though reference URLs contain inconsistent metadata (titles reference different plugin 'WP Spell Check' despite CVE being for Status Updater).
XSS
-
CVE-2025-25122
HIGH
CVSS 8.1
Path traversal in WizShop plugin versions through 3.0.2 enables remote attackers to include arbitrary PHP files from the local filesystem, potentially achieving remote code execution. Despite the high CVSS score (8.1), this vulnerability shows low real-world exploitation probability with EPSS at 0.22% (45th percentile). The attack complexity is rated HIGH (AC:H), requiring specific conditions to successfully exploit. No active exploitation confirmed; not listed in CISA KEV, and no public proof-of-concept identified at time of analysis.
PHP
Path Traversal
-
CVE-2025-25121
HIGH
CVSS 7.1
Stored cross-site scripting in Theme Options Z WordPress plugin through version 1.4 allows remote attackers to inject malicious scripts that execute in victim browsers when authenticated users view affected pages. Despite the CVSS 7.1 rating suggesting network-accessible exploitation without authentication (PR:N), stored XSS vulnerabilities in WordPress plugins typically require at least contributor-level access to inject payloads, creating a discrepancy between the CVSS vector and realistic exploitation requirements. EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV or other threat intelligence sources.
XSS
-
CVE-2025-25119
HIGH
CVSS 7.1
Reflected cross-site scripting in Woocommerce osCommerce Sync WordPress plugin versions through 2.0.20 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability requires user interaction (clicking a crafted link) but no authentication, making it exploitable through phishing or social engineering campaigns. With EPSS at 0.09% (26th percentile), exploitation probability remains low, and no active exploitation or public POC has been identified at time of analysis.
WordPress
XSS
-
CVE-2025-25118
HIGH
CVSS 7.1
Reflected cross-site scripting in WPOptin (WordPress plugin 'Top Bar - PopUps - by WPOptin') versions up to 2.0.8 allows remote attackers to inject malicious JavaScript through unsanitized input parameters. With CVSS 7.1 (AV:N/AC:L/PR:N/UI:R/S:C), successful exploitation requires user interaction but no authentication, enabling session hijacking, credential theft, or malicious actions in victim context. EPSS score of 0.09% (26th percentile) indicates low observed exploitation activity. Patchstack vulnerability database confirms this issue with no current evidence of active exploitation or public POC.
XSS
-
CVE-2025-25114
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the User Role WordPress plugin versions up to 1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URL parameters. The vulnerability requires user interaction (victim must click a malicious link) but needs no authentication, enabling attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. The absence of a CISA KEV listing indicates it is not yet known to be actively exploited in the wild, though Patchstack has documented the flaw in its WordPress vulnerability database.
XSS
-
CVE-2025-25113
HIGH
CVSS 7.1
Reflected cross-site scripting in Implied Cookie Consent WordPress plugin through version 1.3 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs requiring user interaction. Reported by Patchstack's security audit team, this network-accessible vulnerability scores CVSS 7.1 due to scope change enabling attacks across security contexts. EPSS exploitation probability is low at 0.15% (36th percentile), and no active exploitation has been confirmed in CISA KEV, though Patchstack tracks the flaw in its WordPress plugin vulnerability database.
XSS
-
CVE-2025-25112
HIGH
CVSS 7.6
Blind SQL injection in the NotFound Social Links WordPress plugin (versions ≤1.2) allows authenticated administrators with high privileges to extract sensitive database contents remotely. The CVSS scope change indicates potential compromise beyond the vulnerable plugin's database context. EPSS score of 0.12% suggests low automated exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis. However, the privileged access requirement significantly limits real-world risk to scenarios involving compromised admin accounts or malicious insiders.
SQLi
-
CVE-2025-25109
HIGH
CVSS 8.1
Local file inclusion in WP Vehicle Manager 3.1 and earlier allows remote unauthenticated attackers to read arbitrary files on the server or potentially execute code via PHP file inclusion. Classified as CWE-98 (PHP Remote File Inclusion), although the issue involves local file paths. EPSS score of 0.30% (53rd percentile) indicates below-average exploitation probability, with no CISA KEV listing or confirmed active exploitation. Patchstack vulnerability database confirms the issue affects arbitrary shortcode execution paths, suggesting exploitation requires specific WordPress shortcode processing contexts.
PHP
Information Disclosure
LFI
-
CVE-2025-25108
HIGH
CVSS 7.1
Reflected cross-site scripting in SW Plus WordPress plugin through version 2.1 allows remote attackers to inject malicious scripts into web pages viewed by other users. The attack requires user interaction (victim must click a malicious link) but needs no authentication. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, consistent with typical reflected XSS patterns requiring social engineering. Patchstack database lists this as a confirmed vulnerability with a dedicated entry, though no public exploit code or CISA KEV listing exists at time of analysis.
XSS
-
CVE-2025-25102
HIGH
CVSS 7.1
Reflected cross-site scripting in the Yahoo BOSS WordPress plugin (versions up to 0.7) allows remote attackers to execute arbitrary JavaScript in victims' browsers through crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication, enabling session hijacking, credential theft, and phishing attacks against WordPress site users. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, and no active exploitation is documented in CISA KEV. Patchstack database confirms the vulnerability with technical details available.
XSS
-
CVE-2025-25099
HIGH
CVSS 7.1
Reflected cross-site scripting in Appointment Buddy Widget (WordPress plugin) versions up to 1.2 allows remote attackers to execute malicious scripts in victim browsers via crafted URLs. The scope change in the CVSS vector indicates potential session hijacking or data exfiltration across origin boundaries. EPSS score of 0.15% (36th percentile) suggests low likelihood of mass exploitation, but XSS remains a viable social engineering attack vector. Reported by the Patchstack audit team and publicly disclosed via its vulnerability database.
XSS
-
CVE-2025-25092
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in All push notification for WP plugin versions through 1.5.3 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. While CVSS rates this 7.1 (High) with changed scope indicating potential token theft or session hijacking beyond the plugin context, EPSS exploitation probability remains low at 0.15% (36th percentile), and no public exploit code or active exploitation (non-KEV) has been identified. Patchstack identified and reported this vulnerability, indicating security research focus on WordPress plugins.
XSS
-
CVE-2025-25090
HIGH
CVSS 7.1
Reflected cross-site scripting in the Dreamstime Stock Photos WordPress plugin (versions up to 4.1) allows remote attackers to inject malicious JavaScript into user browsers via crafted URLs. The vulnerability requires victim interaction (UI:R) but no authentication (PR:N), enabling session hijacking, credential theft, or malicious redirects when users click attacker-controlled links. EPSS exploitation probability is low at 0.09% (26th percentile), with no confirmed active exploitation or public proof-of-concept at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable plugin context, affecting the WordPress installation or user session integrity.
XSS
-
CVE-2025-25089
HIGH
CVSS 7.1
Reflected cross-site scripting in Image Rotator WordPress plugin allows remote attackers to inject malicious JavaScript via crafted URLs that execute in victim browsers when users click attacker-controlled links. Affects all versions through 2.0 with no public exploit identified at time of analysis. EPSS score of 0.15% (36th percentile) indicates low predicted exploitation probability, consistent with typical WordPress plugin XSS requiring user interaction.
XSS
-
CVE-2025-25087
HIGH
CVSS 7.1
Reflected XSS in seekXL Snapr WordPress plugin (versions through 2.0.6) allows remote attackers to inject malicious scripts via unsanitized input parameters, executing arbitrary JavaScript in victim browsers when users click crafted links. The CVSS 7.1 score reflects changed scope (S:C) indicating potential impact beyond the vulnerable component, though the low EPSS score (0.09%, 26th percentile) suggests minimal active exploitation. Patchstack published the vulnerability details, but no vendor patch version beyond 2.0.6 is confirmed in available data.
XSS
-
CVE-2025-25083
HIGH
CVSS 7.1
Stored cross-site scripting in EP4 More Embeds WordPress plugin (all versions up to 1.0.0) allows remote attackers to inject malicious JavaScript into website content that executes in victims' browsers. Despite CVSS 7.1, exploitation probability is very low (EPSS 0.09%, 26th percentile) and requires user interaction. No active exploitation confirmed, no vendor patch identified, and limited deployment scope of this niche WordPress plugin significantly reduces real-world risk.
XSS
-
CVE-2025-25070
HIGH
CVSS 7.1
Stored cross-site scripting (XSS) in Album Reviewer WordPress plugin versions up to 2.0.2 allows remote unauthenticated attackers to inject malicious JavaScript into album review content that executes when other users view the compromised pages. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of victim users, with the changed CVSS scope (S:C) allowing attacks beyond the vulnerable component's security boundary. EPSS score of 0.15% (36th percentile) indicates relatively low automated exploitation probability, and no active exploitation is documented in CISA KEV at time of analysis.
XSS
-
CVE-2025-24846
HIGH
CVSS 7.5
Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-24758
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations allows Reflected XSS.0.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-24694
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Email Registration Blacklist and Whitelist allows Reflected XSS.5.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-24654
HIGH
CVSS 7.1
Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO.4.05. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-23956
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Easy Post Mailer allows Reflected XSS.64. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23945
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Popliup allows PHP Local File Inclusion.1.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-23904
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Rebrand Fluent Forms allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23903
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Local Shipping Labels for WooCommerce allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-23883
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Stray Random Quotes allows Reflected XSS.9.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23881
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound LJ Custom Menu Links allows Reflected XSS.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23879
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PillarDev Easy Automatic Newsletter Lite allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23852
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound First Comment Redirect allows Reflected XSS.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23850
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mojo Under Construction allows Reflected XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23847
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Site Launcher allows Reflected XSS.9.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23843
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphrmanager WP-HR Manager: The Human Resources Plugin for WordPress allows Reflected XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-23814
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CRUDLab Like Box allows Reflected XSS.0.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23813
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Guten Free Options allows Reflected XSS.9.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23762
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DsgnWrks Twitter Importer allows Reflected XSS.1.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23753
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DN Sitemap Control allows Reflected XSS.0.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23741
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Notifications Center allows Reflected XSS.5.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23740
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy School Registration allows Reflected XSS.9.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23739
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Ultimate Reviews FREE allows Reflected XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23738
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ps Ads Pro allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23736
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To JSON allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23731
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in infosoftplugin Tax Report for WooCommerce allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-23726
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ComparePress allows Reflected XSS.0.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23721
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mobigate allows Reflected XSS.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23718
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mancx AskMe Widget allows Reflected XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23716
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Login Watchdog allows Stored XSS.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23688
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Cobwebo URL Plugin allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23670
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 4 author cheer up donate allows Reflected XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23668
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ChatGPT Open AI Images & Content for WooCommerce allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-23663
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Vaquez Contexto allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23637
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 新淘客WordPress插件 allows Reflected XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23635
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mobde3net ePermissions allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23619
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Catch Duplicate Switcher allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23616
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Canalplan allows Reflected XSS.31. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23600
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pinal.shah Send to a Friend Addon allows Reflected XSS.4.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23595
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Page Health-O-Meter allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23587
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound all-in-one-box-login allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23586
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Post Category Notifications allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23585
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo Goo.gl Url Shorter allows Reflected XSS. This issue affects Goo.gl Url Shorter: from n/a through 1.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23584
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Pin Locations on Map allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23576
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Intro.JS allows Reflected XSS. This issue affects WP Intro.JS: from n/a through 1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23575
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DX Sales CRM allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23570
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Social Links allows Reflected XSS.3.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23565
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Wibstats allows Reflected XSS.5.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23564
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mohsenshahbazi WP FixTag allows Reflected XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23563
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Explore pages allows Reflected XSS.01. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23556
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Push Envoy Notifications allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23555
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ui Slider Filter By Price allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23553
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Cramer Userbase Access Control allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23552
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Texteller allows Reflected XSS.3.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23549
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Maniac SEO allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23539
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Awesome Hooks allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23538
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Contest allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23536
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Track Page Scroll allows Reflected XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23526
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Swift Calendar Online Appointment Scheduling allows Reflected XSS.3.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23524
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ClickBank Storefront allows Reflected XSS.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23521
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Goodlayers Blocks allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23520
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal allows Reflected XSS.3.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23519
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound G Web Pro Store Locator allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23518
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound GoogleMapper allows Reflected XSS.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23517
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Google Map on Post/Page allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Google
-
CVE-2025-23516
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Sale with Razorpay allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23505
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Pit Login Welcome allows Reflected XSS.1.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23502
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in NotFound Curated Search allows Stored XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
CSRF
-
CVE-2025-23496
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP FPO allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23494
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Quizzin allows Reflected XSS.01.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23493
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Google Transliteration allows Reflected XSS.7.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Google
-
CVE-2025-23490
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Browser-Update-Notify allows Reflected XSS.2.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23488
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound rng-refresh allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23487
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Gallery allows Reflected XSS.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23485
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richestsoft RS Survey allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23484
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Predict When allows Reflected XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23482
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound azurecurve Floating Featured Image allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23481
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ni WooCommerce Sales Report Email allows Reflected XSS.1.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-23479
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound melascrivi allows Reflected XSS.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23478
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Photo Video Store allows Reflected XSS.07. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23473
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Killer Theme Options allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23472
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Flexo Slider allows Reflected XSS.0013. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23468
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Essay Wizard (wpCRES) allows Reflected XSS.0.6.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23465
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Vampire Character Manager allows Reflected XSS.13. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23464
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Twitter News Feed allows Reflected XSS.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23451
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Awesome Twitter Feeds allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23450
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agenwebsite AW WooCommerce Kode Pembayaran allows Reflected XSS.1.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
XSS
-
CVE-2025-23447
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Smooth Dynamic Slider allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23446
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in NotFound WP SpaceContent allows Stored XSS.4.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
CSRF
-
CVE-2025-23441
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Attach Gallery Posts allows Reflected XSS.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23439
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willshouse TinyMCE Extended Config allows Reflected XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23437
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ntp-header-images allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23433
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jnwry vcOS allows Reflected XSS.4.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23425
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marekki Marekkis Watermark allows Reflected XSS.9.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-21424
HIGH
CVSS 7.8
Memory corruption while calling the NPU driver APIs concurrently. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Buffer Overflow
Use After Free
Memory Corruption
315 5g Iot Modem Firmware
Aqt1000 Firmware
-
CVE-2025-20645
HIGH
CVSS 7.8
In KeyInstall, there is a possible out of bounds write due to a missing bounds check. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Privilege Escalation
Buffer Overflow
Google
Memory Corruption
Android
-
CVE-2025-1877
HIGH
CVSS 7.1
A vulnerability, which was classified as critical, was found in D-Link DAP-1562 1.10. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
D-Link
Dap 1562 Firmware
-
CVE-2025-1853
HIGH
CVSS 8.7
A vulnerability was found in Tenda AC8 16.03.34.06 and classified as critical. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Tenda
Ac8 Firmware
-
CVE-2025-1852
HIGH
CVSS 8.7
A vulnerability has been found in Totolink EX1800T 9.1.0cu.2112_B20220316 and classified as critical. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Buffer Overflow
Ex1800T Firmware
TOTOLINK
-
CVE-2025-1851
HIGH
CVSS 8.7
A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Buffer Overflow
Tenda
Ac7 Firmware
-
CVE-2025-1801
HIGH
CVSS 8.1
A flaw was found in the Ansible aap-gateway. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Race Condition
Red Hat
-
CVE-2025-1723
HIGH
CVSS 8.1
Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to session mishandling. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Manageengine Adselfservice Plus
-
CVE-2025-1125
HIGH
CVSS 7.8
When reading data from an HFS filesystem, grub's HFS filesystem module uses user-controlled parameters from the filesystem metadata to calculate the internal buffer size, however it misses to. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
RCE
Buffer Overflow
Memory Corruption
Red Hat
Grub2
-
CVE-2025-0689
HIGH
CVSS 7.8
When reading data from disk, grub's UDF filesystem module uses the user-controlled data length metadata to allocate its internal buffers. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
RCE
Buffer Overflow
Red Hat
Grub2
Suse
-
CVE-2025-0678
HIGH
CVSS 7.8
A flaw was found in grub2. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
RCE
Buffer Overflow
Integer Overflow
Red Hat
Enterprise Linux
-
CVE-2025-0555
HIGH
CVSS 7.7
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.
XSS
Gitlab
-
CVE-2025-0475
HIGH
CVSS 8.7
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Gitlab
-
CVE-2025-0289
HIGH
CVSS 7.8
Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Information Disclosure
Paragon Backup Recovery
Paragon Disk Wiper
Paragon Drive Copy
Paragon Hard Disk Manager
-
CVE-2025-0288
HIGH
CVSS 7.8
Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Privilege Escalation
Paragon Backup Recovery
Paragon Disk Wiper
Paragon Drive Copy
Paragon Hard Disk Manager
-
CVE-2025-0286
HIGH
CVSS 8.4
Various Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which. Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
RCE
Paragon Backup Recovery
Paragon Disk Wiper
Paragon Drive Copy
Paragon Hard Disk Manager
-
CVE-2025-0285
HIGH
CVSS 7.8
Various Paragon Software products contain an arbitrary kernel memory mapping vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Privilege Escalation
Paragon Backup Recovery
Paragon Disk Wiper
Paragon Drive Copy
Paragon Hard Disk Manager
-
CVE-2024-53388
HIGH
CVSS 8.8
A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
RCE
Mavo
-
CVE-2024-53387
HIGH
CVSS 8.8
A DOM Clobbering vulnerability in umeditor v1.2.3 allows attackers to execute arbitrary code via supplying a crafted HTML element. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
RCE
Umeditor
-
CVE-2024-53034
HIGH
CVSS 7.8
Memory corruption occurs during an Escape call if an invalid Kernel Mode CPU event and sync object handle are passed with the DriverKnownEscape flag reset. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
Sc8380xp Firmware
Wcd9380 Firmware
-
CVE-2024-53033
HIGH
CVSS 7.8
Memory corruption while doing Escape call when user provides valid kernel address in the place of valid user buffer address. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
Sc8380xp Firmware
Wcd9380 Firmware
-
CVE-2024-53032
HIGH
CVSS 7.8
Memory corruption may occur in keyboard virtual device due to guest VM interaction. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
Qam8650p Firmware
-
CVE-2024-53031
HIGH
CVSS 7.8
Memory corruption while reading a type value from a buffer controlled by the Guest Virtual Machine. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
Qam8650p Firmware
-
CVE-2024-53030
HIGH
CVSS 7.8
Memory corruption while processing input message passed from FE driver. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Msm8996au Firmware
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
-
CVE-2024-53029
HIGH
CVSS 7.8
Memory corruption while reading a value from a buffer controlled by the Guest Virtual Machine. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
Qam8650p Firmware
-
CVE-2024-53028
HIGH
CVSS 7.8
Memory corruption may occur while processing message from frontend during allocation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
Qam8650p Firmware
-
CVE-2024-53027
HIGH
CVSS 7.5
Transient DOS may occur while processing the country IE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
Sd865 5g Firmware
Snapdragon 8 Gen 1 Firmware
Video Collaboration Vc5 Platform Firmware
Sdx61 Firmware
Sg8275p Firmware
-
CVE-2024-53024
HIGH
CVSS 7.8
Memory corruption in display driver while detaching a device. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
Buffer Overflow
Denial Of Service
Null Pointer Dereference
Ar8035 Firmware
Csra6620 Firmware
-
CVE-2024-53023
HIGH
CVSS 7.8
Memory corruption may occur while accessing a variable during extended back to back tests. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Buffer Overflow
Use After Free
Memory Corruption
Ar8035 Firmware
Fastconnect 6900 Firmware
-
CVE-2024-53022
HIGH
CVSS 7.8
Memory corruption may occur during communication between primary and guest VM. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
Qam8650p Firmware
-
CVE-2024-53014
HIGH
CVSS 7.8
Memory corruption may occur while validating ports and channels in Audio driver. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Wcn3615 Firmware
Sd865 5g Firmware
Snapdragon 8 Gen 1 Firmware
Video Collaboration Vc5 Platform Firmware
Sdx61 Firmware
-
CVE-2024-53012
HIGH
CVSS 7.8
Memory corruption may occur due to improper input validation in clock device. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Qam8255p Firmware
Qam8295p Firmware
Qam8620p Firmware
Qam8650p Firmware
-
CVE-2024-53011
HIGH
CVSS 7.9
Information disclosure may occur due to improper permission and access controls to Video Analytics engine. Rated high severity (CVSS 7.9), this vulnerability is low attack complexity. No vendor patch available.
Privilege Escalation
Information Disclosure
Fastconnect 6700 Firmware
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2024-51962
HIGH
CVSS 8.7
A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Arcgis Server
-
CVE-2024-51961
HIGH
CVSS 7.5
There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Arcgis Server
-
CVE-2024-51954
HIGH
CVSS 8.5
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low-privileged authenticated attacker. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Windows
Authentication Bypass
Microsoft
Arcgis Server
-
CVE-2024-49836
HIGH
CVSS 7.8
Memory corruption may occur during the synchronization of the camera's frame processing pipeline. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Buffer Overflow
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
Qmp1000 Firmware
Sdm429w Firmware
-
CVE-2024-47092
HIGH
CVSS 7.7
Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Deserialization
Microsoft
Check Mk Python Api
-
CVE-2024-45782
HIGH
CVSS 7.8
A flaw was found in the HFS filesystem. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Memory Corruption
Red Hat
Enterprise Linux
-
CVE-2024-45580
HIGH
CVSS 7.8
Memory corruption while handling multiple IOCTL calls from userspace for remote invocation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Buffer Overflow
Use After Free
Memory Corruption
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2024-43169
HIGH
CVSS 8.8
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a user to download a malicious file without verifying the integrity of the code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
IBM
Engineering Requirements Management Doors Next
-
CVE-2024-43062
HIGH
CVSS 7.8
Memory corruption caused by missing locks and checks on the DMA fence and improper synchronization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Buffer Overflow
Use After Free
Memory Corruption
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2024-43061
HIGH
CVSS 7.8
Memory corruption during voice activation, when sound model parameters are loaded from HLOS, and the received sound model list is empty in HLOS drive. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Buffer Overflow
Use After Free
Memory Corruption
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2024-43060
HIGH
CVSS 7.8
Memory corruption during voice activation, when sound model parameters are loaded from HLOS to ADSP. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Buffer Overflow
Memory Corruption
Ar8035 Firmware
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2024-43059
HIGH
CVSS 7.8
Memory corruption while invoking IOCTL calls from user-space for the HGSL memory node. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Buffer Overflow
Use After Free
Memory Corruption
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
-
CVE-2024-43057
HIGH
CVSS 7.8
Memory corruption while processing a command in Glink Linux. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Buffer Overflow
Use After Free
Memory Corruption
Ar8035 Firmware
C V2x 9150 Firmware
-
CVE-2024-43055
HIGH
CVSS 7.8
Memory corruption while processing camera use case IOCTL call. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Fastconnect 6900 Firmware
Fastconnect 7800 Firmware
Sdm429w Firmware
Snapdragon 8 Gen 1 Firmware
-
CVE-2024-41771
HIGH
CVSS 7.5
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
IBM
Engineering Requirements Management Doors Next
-
CVE-2024-41770
HIGH
CVSS 7.5
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
IBM
Engineering Requirements Management Doors Next
-
CVE-2024-8261
HIGH
CVSS 7.5
Authorization Bypass Through User-Controlled Key vulnerability in Proliz Software OBS allows Exploiting Incorrectly Configured Access Control Security Levels.0927. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Student Affairs Information System
-
CVE-2025-27585
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Academia Student Information System
-
CVE-2025-27584
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Academia Student Information System
-
CVE-2025-27579
MEDIUM
CVSS 5.4
In Bitaxe ESP-Miner before 2.5.0 with AxeOS, one can use an /api/system CSRF attack to update the payout address (aka stratumUser) for a Bitaxe Bitcoin miner, or change the frequency and voltage. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
CSRF
-
CVE-2025-27499
MEDIUM
CVSS 6.4
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
PHP
XSS
Wegia
-
CVE-2025-27498
MEDIUM
CVSS 5.6
aes-gcm is a pure Rust implementation of AES-GCM. Rated medium severity (CVSS 5.6), this vulnerability requires no authentication. No vendor patch available.
Information Disclosure
Jwt Attack
-
CVE-2025-27420
MEDIUM
CVSS 6.4
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
PHP
XSS
Wegia
-
CVE-2025-27418
MEDIUM
CVSS 6.4
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
PHP
XSS
Wegia
-
CVE-2025-27417
MEDIUM
CVSS 6.4
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
PHP
XSS
Wegia
-
CVE-2025-27371
MEDIUM
CVSS 6.9
In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent to. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Information Disclosure
-
CVE-2025-27370
MEDIUM
CVSS 6.9
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Code Injection
-
CVE-2025-27274
MEDIUM
CVSS 4.9
Path Traversal vulnerability in NotFound GPX Viewer allows Path Traversal.2.11. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
-
CVE-2025-27273
MEDIUM
CVSS 5.8
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winking Affiliate Links Manager allows Reflected XSS.0. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
XSS
-
CVE-2025-27099
MEDIUM
CVSS 4.8
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
XSS
Tuleap
-
CVE-2025-27094
MEDIUM
CVSS 5.4
Tuleap is an open-source suite designed to improve software development management and collaboration. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.
Denial Of Service
Tuleap
-
CVE-2025-25953
MEDIUM
CVSS 6.5
Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 was discovered to contain an Azure JWT access token exposure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Microsoft
Academia Student Information System
-
CVE-2025-25952
MEDIUM
CVSS 6.5
An Insecure Direct Object References (IDOR) in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Academia Student Information System
-
CVE-2025-25949
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Student Information System
-
CVE-2025-25939
MEDIUM
CVSS 6.1
Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Reprise License Manager
-
CVE-2025-25303
MEDIUM
CVSS 6.9
The MouseTooltipTranslator Chrome extension allows mouseover translation of any language at once. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Chrome
Google
SSRF
Microsoft
-
CVE-2025-25301
MEDIUM
CVSS 6.9
Rembg is a tool for removing image backgrounds. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
SSRF
Rembg
-
CVE-2025-25280
MEDIUM
CVSS 5.3
A buffer overflow vulnerability exists in the FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine) provided by Century Systems Co., Ltd. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
-
CVE-2025-25137
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Social Links allows Stored XSS.0.11. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-25131
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RJ Quickcharts allows Stored XSS.6.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-25115
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Like dislike plus counter allows Stored XSS.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-25084
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound UniTimetable allows Stored XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23829
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Woo Update Variations In Cart allows Stored XSS.0.9. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23763
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-23615
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in NotFound Interactive Page Hierarchy allows Exploiting Incorrectly Configured Access Control Security Levels.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-23613
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in NotFound WP Journal allows Exploiting Incorrectly Configured Access Control Security Levels.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-23579
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DZS Ajaxer Lite allows Stored XSS.04. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23515
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in tsecher ts-tree allows Exploiting Incorrectly Configured Access Control Security Levels.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-23480
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RSVP ME allows Stored XSS.9.9. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-23440
MEDIUM
CVSS 6.3
Missing Authorization vulnerability in radicaldesigns radSLIDE allows Exploiting Incorrectly Configured Access Control Security Levels.1. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-20653
MEDIUM
CVSS 6.5
In da, there is a possible out of bounds read due to an integer overflow. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Google
Integer Overflow
Android
-
CVE-2025-20652
MEDIUM
CVSS 4.6
In V5 DA, there is a possible out of bounds read due to a missing bounds check. Rated medium severity (CVSS 4.6), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Google
Android
-
CVE-2025-20651
MEDIUM
CVSS 4.1
In da, there is a possible out of bounds read due to a missing bounds check. Rated medium severity (CVSS 4.1), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Google
Android
Openwrt
-
CVE-2025-20650
MEDIUM
CVSS 6.8
In da, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
Buffer Overflow
Google
Memory Corruption
Android
-
CVE-2025-20649
MEDIUM
CVSS 6.5
In Bluetooth Stack SW, there is a possible information disclosure due to a missing permission check. Rated medium severity (CVSS 6.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
Openwrt
Software Development Kit
-
CVE-2025-20648
MEDIUM
CVSS 5.5
In apu, there is a possible out of bounds read due to a missing bounds check. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Google
Android
-
CVE-2025-20647
MEDIUM
CVSS 6.5
In Modem, there is a possible system crash due to a missing bounds check. Rated medium severity (CVSS 6.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Denial Of Service
Null Pointer Dereference
Nr15
Nr16
Nr12A
-
CVE-2025-20644
MEDIUM
CVSS 6.5
In Modem, there is a possible memory corruption due to incorrect error handling. Rated medium severity (CVSS 6.5), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
Denial Of Service
Nr15
Nr16
-
CVE-2025-1889
MEDIUM
CVSS 5.3
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Picklescan
-
CVE-2025-1881
MEDIUM
CVSS 5.3
A vulnerability was found in i-Drive i11 and i12 up to 20250227. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
I12 Firmware
I11 Firmware
-
CVE-2025-1876
MEDIUM
CVSS 6.9
A vulnerability, which was classified as critical, has been found in D-Link DAP-1562 1.10. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
D-Link
Dap 1562 Firmware
-
CVE-2025-1868
MEDIUM
CVSS 6.9
Vulnerability of unauthorized exposure of confidential information affecting Advanced IP Scanner and Advanced Port Scanner. Rated medium severity (CVSS 6.9), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-1859
MEDIUM
CVSS 6.9
A vulnerability, which was classified as critical, has been found in PHPGurukul News Portal 4.1.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
News Portal
-
CVE-2025-1858
MEDIUM
CVSS 6.9
A vulnerability classified as critical was found in Codezips Online Shopping Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Shopping Website
-
CVE-2025-1857
MEDIUM
CVSS 6.9
A vulnerability classified as critical has been found in PHPGurukul Nipah Virus Testing Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Nipah Virus Testing Management System
-
CVE-2025-1856
MEDIUM
CVSS 6.9
A vulnerability was found in Codezips Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Gym Management System
-
CVE-2025-1855
MEDIUM
CVSS 5.3
A vulnerability was found in PHPGurukul Online Shopping Portal 2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Shopping Portal
-
CVE-2025-1854
MEDIUM
CVSS 5.3
A vulnerability was found in Codezips Gym Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Gym Management System
-
CVE-2025-1850
MEDIUM
CVSS 6.9
A vulnerability, which was classified as critical, has been found in Codezips College Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
College Management System
-
CVE-2025-1849
MEDIUM
CVSS 5.3
A vulnerability classified as critical was found in zj1983 zz up to 2024-8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SSRF
Zz
-
CVE-2025-1848
MEDIUM
CVSS 5.3
A vulnerability classified as critical has been found in zj1983 zz up to 2024-8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SSRF
Zz
-
CVE-2025-1847
MEDIUM
CVSS 5.3
A vulnerability was found in zj1983 zz up to 2024-8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Zz
-
CVE-2025-1846
MEDIUM
CVSS 5.3
A vulnerability was found in zj1983 zz up to 2024-8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Java
Zz
-
CVE-2025-1845
MEDIUM
CVSS 5.3
A vulnerability has been found in ESAFENET DSM 3.1.2 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command Injection
Dsm
-
CVE-2025-1844
MEDIUM
CVSS 5.3
A vulnerability, which was classified as critical, was found in ESAFENET CDG 5.6.3.154.205_20250114. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Cdg
-
CVE-2025-1843
MEDIUM
CVSS 5.3
A vulnerability, which was classified as critical, has been found in Mini-Tmall up to 20250211.java. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
Tmall Demo
-
CVE-2025-1842
MEDIUM
CVSS 5.3
A vulnerability classified as problematic was found in FITSTATS Technologies AthleteMonitoring up to 20250302. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
XSS
-
CVE-2025-1841
MEDIUM
CVSS 6.9
A vulnerability classified as critical has been found in ESAFENET CDG 5.6.3.154.205. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQLi
Cdg
-
CVE-2025-1840
MEDIUM
CVSS 6.9
A vulnerability was found in ESAFENET CDG 5.6.3.154.205. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQLi
Cdg
-
CVE-2025-0686
MEDIUM
CVSS 6.4
A flaw was found in grub2. Rated medium severity (CVSS 6.4). No vendor patch available.
RCE
Buffer Overflow
Memory Corruption
Red Hat
Grub2
-
CVE-2025-0685
MEDIUM
CVSS 6.4
A flaw was found in grub2. Rated medium severity (CVSS 6.4). No vendor patch available.
RCE
Buffer Overflow
Memory Corruption
Red Hat
Grub2
-
CVE-2025-0684
MEDIUM
CVSS 6.4
A flaw was found in grub2. Rated medium severity (CVSS 6.4). No vendor patch available.
RCE
Buffer Overflow
Memory Corruption
Red Hat
Grub2
-
CVE-2025-0287
MEDIUM
CVSS 5.1
Various Paragon Software products contain a null pointer dereference vulnerability within biontdrv.sys that is caused by a lack of a valid MasterLrp structure in the input buffer, allowing an. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
RCE
Denial Of Service
Null Pointer Dereference
Paragon Backup Recovery
-
CVE-2024-57240
MEDIUM
CVSS 5.4
A Cross-Site Scripting (XSS) vulnerability in the Rendering Engine component in Apryse WebViewer v11.1 and earlier allows attackers to execute arbitrary code via a crafted PDF file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
RCE
Webviewer
-
CVE-2024-55570
MEDIUM
CVSS 5.4
/api/user/users in the web GUI for the Cubro EXA48200 network packet broker (build 20231025055018) fixed in V5.0R14.5P4-V3.3R1 allows remote authenticated users of the application to increase their. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2024-55064
MEDIUM
CVSS 5.4
Multiple cross-site scripting (XSS) vulnerabilities in EasyVirt DC NetScope <= 8.6.4 allow remote attackers to inject arbitrary JavaScript or HTML code via the (1) smtp_server, (2) smtp_account, (3). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Dc Netscope
-
CVE-2024-54179
MEDIUM
CVSS 5.4
IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus 24.0.0, 24.0.1 and earlier unsupported versions are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
IBM
Business Automation Workflow
-
CVE-2024-53386
MEDIUM
CVSS 4.9
Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
XSS
RCE
Code Injection
Stage Js
-
CVE-2024-53384
MEDIUM
CVSS 5.1
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.
XSS
RCE
Tsup
-
CVE-2024-53382
MEDIUM
CVSS 4.9
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
XSS
RCE
Code Injection
Red Hat
Prism
-
CVE-2024-53025
MEDIUM
CVSS 5.5
Transient DOS can occur while processing UCI command. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Information Disclosure
Integer Overflow
Fastconnect 7800 Firmware
Sm8750 Firmware
Sm8750p Firmware
-
CVE-2024-51966
MEDIUM
CVSS 4.9
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
Arcgis Server
-
CVE-2024-51963
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51960
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51959
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51958
MEDIUM
CVSS 4.9
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
Arcgis Server
-
CVE-2024-51957
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51956
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51953
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51952
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51951
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51950
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51949
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51948
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51947
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51946
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51945
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51944
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51942
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-51091
MEDIUM
CVSS 5.4
Cross Site Scripting vulnerability in seajs v.2.2.3 allows a remote attacker to execute arbitrary code via the seajs package. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. Public exploit code available and no vendor patch available.
XSS
RCE
Seajs
-
CVE-2024-45780
MEDIUM
CVSS 6.7
A flaw was found in grub2. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
Memory Corruption
Red Hat
Grub2
Suse
-
CVE-2024-45779
MEDIUM
CVSS 6.0
An integer overflow flaw was found in the BFS file system driver in grub2. Rated medium severity (CVSS 6.0), this vulnerability has low attack complexity. No vendor patch available.
Information Disclosure
Integer Overflow
Red Hat
Grub2
Suse
-
CVE-2024-45778
MEDIUM
CVSS 4.1
A stack overflow flaw was found when reading a BFS file system. Rated medium severity (CVSS 4.1). No vendor patch available.
Denial Of Service
Integer Overflow
Red Hat
Enterprise Linux
Grub2
-
CVE-2024-43056
MEDIUM
CVSS 5.5
Transient DOS during hypervisor virtual I/O operation in a virtual machine. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
Aqt1000 Firmware
Ar8035 Firmware
Fastconnect 6200 Firmware
Fastconnect 6700 Firmware
-
CVE-2024-43051
MEDIUM
CVSS 5.5
Information disclosure while deriving keys for a session for any Widevine use case. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity. No vendor patch available.
Authentication Bypass
Information Disclosure
Aqt1000 Firmware
Ar8031 Firmware
Ar8035 Firmware
-
CVE-2024-38426
MEDIUM
CVSS 5.4
While processing the authentication message in UE, improper authentication may lead to information disclosure. Rated medium severity (CVSS 5.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
Information Disclosure
315 5g Iot Firmware
Ar8035 Firmware
Csra6620 Firmware
-
CVE-2024-30154
MEDIUM
CVSS 5.3
HCL SX is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.
CSRF
Hcl Sx
-
CVE-2024-24778
MEDIUM
CVSS 6.5
Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was known.95.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
Privilege Escalation
Apache
Streampipes
-
CVE-2024-10925
MEDIUM
CVSS 5.3
A vulnerability in GitLab-EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Authentication Bypass
Gitlab
-
CVE-2024-10904
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2024-8186
MEDIUM
CVSS 5.4
An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
XSS
Gitlab
-
CVE-2024-5888
MEDIUM
CVSS 4.8
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
XSS
Arcgis Server
-
CVE-2025-24023
LOW
CVSS 3.7
Flask-AppBuilder is an application development framework. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable and requires no authentication. No vendor patch available.
Python
Information Disclosure
Flask Appbuilder
-
CVE-2025-1882
LOW
CVSS 2.3
A vulnerability was found in i-Drive i11 and i12 up to 20250227. Rated low severity (CVSS 2.3), this vulnerability requires no authentication. No vendor patch available.
Authentication Bypass
I12 Firmware
I11 Firmware
-
CVE-2025-1880
LOW
CVSS 1.0
A vulnerability was found in i-Drive i11 and i12 up to 20250227. Rated low severity (CVSS 1.0), this vulnerability requires no authentication. No vendor patch available.
Authentication Bypass
I12 Firmware
I11 Firmware
-
CVE-2025-1879
LOW
CVSS 2.4
A vulnerability was found in i-Drive i11 and i12 up to 20250227 and classified as problematic. Rated low severity (CVSS 2.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
I12 Firmware
I11 Firmware
-
CVE-2025-1878
LOW
CVSS 2.3
A vulnerability has been found in i-Drive i11 and i12 up to 20250227 and classified as problematic. Rated low severity (CVSS 2.3), this vulnerability requires no authentication. No vendor patch available.
Information Disclosure
I12 Firmware
I11 Firmware