Skip to main content
CVE-2025-24054 MEDIUM POC KEV THREAT This Month

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. [CVSS 6.5 MEDIUM] [CISA KEV - actively exploited]

Windows Microsoft
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
11.9%
Threat
4.7
CVE-2025-24071 MEDIUM POC THREAT This Month

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. [CVSS 6.5 MEDIUM]

Windows Microsoft
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
57.7%
Threat
4.5
CVE-2025-24991 MEDIUM KEV THREAT This Month

Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally. [CVSS 5.5 MEDIUM] [CISA KEV - actively exploited]

Windows
NVD
CVSS 3.1
5.5
EPSS
0.7%
CVE-2025-24984 MEDIUM KEV PATCH THREAT Act Now

Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack. [CVSS 4.6 MEDIUM] [CISA KEV - actively exploited]

Windows Microsoft
NVD
CVSS 3.1
4.6
EPSS
5.0%
CVE-2025-25927 MEDIUM POC This Month

A Cross-Site Request Forgery (CSRF) in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request. [CVSS 6.8 MEDIUM]

CSRF RCE
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-27591 MEDIUM POC PATCH This Month

A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow. [CVSS 6.8 MEDIUM]

Privilege Escalation Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-13853 MEDIUM POC This Month

The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 6.1 MEDIUM]

WordPress XSS
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2025-28906 MEDIUM POC This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thiago S.F. Skitter Slideshow allows Stored XSS. [CVSS 5.9 MEDIUM]

XSS
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2025-2193 MEDIUM POC This Month

A vulnerability has been found in MRCMS 3.1.2 and classified as critical. This vulnerability affects the function delete of the file /admin/file/delete.do of the component org.marker.mushroom.controller.FileController. [CVSS 5.4 MEDIUM]

Path Traversal
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-51322 MEDIUM POC This Month

Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom, /jsp/gsmd_container.jsp components [CVSS 5.4 MEDIUM]

RCE
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-51320 MEDIUM POC This Month

Cross Site Scripting vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution via the /servlet/gsdm_fsave_htmltmp, /servlet/gsdm_btlk_openfile components [CVSS 5.4 MEDIUM]

RCE
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-25747 MEDIUM POC This Month

Cross Site Scripting vulnerability in DigitalDruid HotelDruid v.3.0.7 allows an attacker to execute arbitrary code and obtain sensitive information via the ripristina_backup parameter in the crea_backup.php endpoint [CVSS 5.4 MEDIUM]

PHP
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-25929 MEDIUM POC This Month

OpenMRS version 2.4.3 contains a reflected XSS vulnerability in its legacy UI quick report feature that allows attackers to inject malicious JavaScript code through the reportType parameter. Users accessing crafted malicious links to the vulnerable /legacyui/quickReportServlet endpoint are affected. An attacker could execute arbitrary JavaScript in a victim's browser to steal session cookies, capture credentials, or perform actions on behalf of the user within the OpenMRS system.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-0629 MEDIUM POC This Month

The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). [CVSS 4.8 MEDIUM]

WordPress XSS PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-25925 MEDIUM POC This Month

A stored cross-scripting (XSS) vulnerability in Openmrs v2.4.3 Build 0ff0ed allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the personName.middleName parameter at /openmrs/admin/patients/shortPatientForm.form. [CVSS 4.8 MEDIUM]

XSS Openmrs
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2024-13580 MEDIUM POC This Month

XV Random Quotes WordPre versions up to 1.40 is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-26658 MEDIUM This Month

The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. [CVSS 6.8 MEDIUM]

Authentication Bypass SAP
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-25266 MEDIUM This Month

A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict access to the file deletion functionality. [CVSS 6.8 MEDIUM]

Path Traversal Information Disclosure
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-21199 MEDIUM This Month

Improper privilege management in Azure Agent Installer allows an authorized attacker to elevate privileges locally. [CVSS 6.7 MEDIUM]

Privilege Escalation Microsoft
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2024-32123 MEDIUM This Month

Multiple improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2 7.2.0 through 7.2.5 and 7.0.0 through 7.0.12 and 6.4.0 through 6.4.14 and 6.2.0 through 6.2.12 and 6.0.0 through 6.0.12 and 5.6.0 through 5.6.11 and 5.4.0 through 5.4.7 and 5.2.0 through 5.2.10 and 5.0.0 through 5.0.12 and 4.3.4 through 4.3.8 allows attacker to execute unauthorized code or commands via crafted CLI requests. [CVSS 6.7 MEDIUM]

Fortinet
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2024-46663 MEDIUM This Month

in Fortinet FortiMail CLI version 7.6.0 versions up to 7.6.1 is affected by stack-based buffer overflow (CVSS 6.7).

Fortinet Buffer Overflow
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-24988 MEDIUM This Month

Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to elevate privileges with a physical attack. [CVSS 6.6 MEDIUM]

Windows Microsoft
NVD
CVSS 3.1
6.6
EPSS
0.3%
CVE-2025-24987 MEDIUM This Month

Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to elevate privileges with a physical attack. [CVSS 6.6 MEDIUM]

Windows Microsoft
NVD
CVSS 3.1
6.6
EPSS
0.3%
CVE-2025-24996 MEDIUM This Month

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. [CVSS 6.5 MEDIUM]

Windows Microsoft
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-24986 MEDIUM PATCH This Month

Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network. [CVSS 6.5 MEDIUM]

Authentication Bypass Microsoft
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2025-27911 MEDIUM This Month

An issue was discovered in Datalust Seq versions up to 2024.3.13545. is affected by allocation of resources without limits or throttling (CVSS 6.5).

RCE
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-23243 MEDIUM This Month

NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to data tampering or denial of service. [CVSS 6.5 MEDIUM]

Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-28874 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-49823 MEDIUM This Month

IBM Common Cryptographic Architecture 7.0.0 versions up to 7.5.51 is affected by out-of-bounds write (CVSS 6.5).

Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-28930 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rodolphe MOULIN List Mixcloud allows Stored XSS. This issue affects List Mixcloud: from n/a through 1.4. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-28929 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vivek Marakana Tabbed Login Widget allows Stored XSS. This issue affects Tabbed Login Widget: from n/a through 1.1.2. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-28919 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display allows Stored XSS. This issue affects Easy Image Display: from n/a through 1.2.5. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-28918 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones Featured Image Thumbnail Grid allows Stored XSS. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-22340 MEDIUM This Month

IBM's Common Cryptographic Architecture (versions 7.0.0-7.5.51) contains a timing vulnerability in ECDSA signature generation that leaks sensitive information through how long the operation takes to complete. Attackers can exploit this timing difference to deduce the private signing key through repeated observations of signature creation times. Any organization using affected IBM CCA versions for cryptographic operations is at risk of having their ECDSA private keys compromised.

IBM Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-28879 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aumsrini Bee Layer Slider allows Stored XSS. This issue affects Bee Layer Slider: from n/a through 1.1. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-28870 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in amocrm amoCRM WebForm allows DOM-Based XSS. This issue affects amoCRM WebForm: from n/a through 1.1. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2021-37787 MEDIUM This Month

The unprivileged administrative interface in ABO.CMS version 5.8 through v.5.9.3 is affected by a SQL Injection vulnerability via a HTTP POST request to the TinyMCE module [CVSS 6.5 MEDIUM]

SQLi
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-0149 MEDIUM This Month

Insufficient verification of data authenticity in some Zoom Workplace Apps may allow an unprivileged user to conduct a denial of service via network access. [CVSS 6.5 MEDIUM]

Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-26704 MEDIUM This Month

Improper Privilege Management vulnerability in ZTE GoldenDB allows Privilege Escalation.This issue affects GoldenDB: from 6.1.03 through 6.1.03.05. [CVSS 6.4 MEDIUM]

Privilege Escalation
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-23384 MEDIUM This Month

A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2.1), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2.1), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8.2.1), SCALANCE M812-1 ADSL-Router family (All versions < V8.2.1), SCALANCE M816-1 ADSL-Router family (All versions < V8.2.1), SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2) (All versions < V8.2.1), SCALANCE M874-2 (6GK5874-2AA00-2AA2) (All versions < V8.2.1), SCALANCE M874-3 (6GK5874-3AA00-2AA2) (All versions < V8.2.1), SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2) (All versions < V8.2.1), SCALANCE M876-3 (6GK5876-3AA02-2BA2) (All versions < V8.2.1), SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2) (All versions < V8.2.1), SCALANCE M876-4 (6GK5876-4AA10-2BA2) (All versions < V8.2.1), SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2) (All versions < V8.2.1), SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2) (All versions < V8.2.1), SCALANCE MUB852-1 (A1) (6GK5852-1EA10-1AA1) (All versions < V8.2.1), SCALANCE MUB852-1 (B1) (6GK5852-1EA10-1BA1) (All versions < V8.2.1), SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1) (All versions < V8.2.1), SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1) (All versions < V8.2.1), SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1) (All versions < V8.2.1), SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1) (All versions < V8.2.1), SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1) (All versions < V8.2.1), SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1) (All versions < V8.2.1), SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1) (All versions < V8.2.1), SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1) (All versions < V8.2.1), SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2) (All versions < V8.2.1), SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2) (All versions < V8.2.1), SCALANCE SC-600 family (All versions). [CVSS 3.7 LOW]

Information Disclosure Siemens
NVD
CVSS 4.0
6.3
EPSS
0.1%
CVE-2024-13413 MEDIUM This Month

The ProductDyno plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘res’ parameter in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2025-27789 MEDIUM PATCH This Month

Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all t...

Denial Of Service
NVD GitHub
CVSS 3.1
6.2
EPSS
0.1%
CVE-2025-25267 MEDIUM This Month

A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict the scope of files accessible to the simulation model. [CVSS 6.2 MEDIUM]

Path Traversal Information Disclosure
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-1434 MEDIUM This Month

The Spreadsheet view is vulnerable to a XSS attack, where a remote unauthorised attacker can read a limited amount of values or DoS the affected spreadsheet. Disclosure of secrets or other system settings is not affected as well as other spreadsheets still work as expected. [CVSS 6.1 MEDIUM]

XSS Denial Of Service
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-26659 MEDIUM This Month

SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-25242 MEDIUM This Month

SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-13436 MEDIUM This Month

The Appsero Helper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'appsero_helper' page. [CVSS 6.1 MEDIUM]

WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-28943 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mylo2h2s DP ALTerminator - Missing ALT manager allows Stored XSS. This issue affects DP ALTerminator - Missing ALT manager: from n/a through 1.0.2. [CVSS 5.9 MEDIUM]

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-28937 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search allows Stored XSS. This issue affects Lava Ajax Search: from n/a through 1.1.9. [CVSS 5.9 MEDIUM]

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-28936 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar allows Stored XSS. This issue affects Lunar: from n/a through 1.3.0. [CVSS 5.9 MEDIUM]

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy