Skip to main content
CVE-2025-23103 HIGH This Week

CVE-2025-23103 is an out-of-bounds write vulnerability in Samsung's Exynos 1480 and 2400 mobile processors caused by insufficient length validation, allowing remote unauthenticated attackers to achieve high confidentiality impact with medium integrity and availability impact. The vulnerability has a CVSS score of 8.6 with low attack complexity and no privilege requirements, making it a significant risk to Samsung Galaxy devices using these processors; exploitation status and active use in the wild have not been confirmed at this time.

Buffer Overflow Samsung Exynos 2400 Firmware Exynos 1480 Firmware
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-46154 HIGH This Week

Foxcms v1.25 contains a SQL time-based injection vulnerability in the installdb.php installation script, specifically in the $_POST['dbname'] parameter, allowing unauthenticated local attackers to execute arbitrary SQL commands and fully compromise database confidentiality, integrity, and availability. With a CVSS score of 8.4 and local attack vector, this vulnerability poses a significant risk during initial application deployment; exploitation status and POC availability should be confirmed against current threat intelligence feeds, though the high CVSS and local-only requirement suggests moderate real-world impact depending on deployment model.

PHP SQLi Foxcms
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-5544 MEDIUM POC This Month

A vulnerability was found in aaluoxiang oa_system up to 5b445a6227b51cee287bd0c7c33ed94b801a82a5. It has been rated as problematic. Affected by this issue is the function image of the file src/main/java/cn/gson/oasys/controller/user/UserpanelController.java. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Java Path Traversal Oa System
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-53026 HIGH This Week

CVE-2024-53026 is an information disclosure vulnerability in IMS (IP Multimedia Subsystem) implementations affecting VoLTE and VoWiFi call processing. When a malicious or malformed RTCP (Real-time Transport Control Protocol) packet is received during an active call, the vulnerable system leaks sensitive information to a network-adjacent attacker without requiring authentication or user interaction. The CVSS 8.2 rating reflects high confidentiality impact with partial availability degradation; exploitation likelihood and real-world activity status require cross-referencing with EPSS and KEV data.

Information Disclosure Wcd9335 Firmware Sm7325p Firmware Qcn9274 Firmware Sa6155 Firmware +207
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2024-53021 HIGH This Week

CVE-2024-53021 is an information disclosure vulnerability in RTCP (Real-time Transport Control Protocol) packet processing that allows unauthenticated remote attackers to leak sensitive data through malicious goodbye (BYE) RTCP packets. The vulnerability affects multiple VoIP and real-time communication products processing RTCP traffic; attackers can extract confidential information across the network without authentication or user interaction, and may also cause limited availability impact. The high CVSS score of 8.2 reflects the severe confidentiality impact and network-based attack vector, though exploitation complexity is low.

Information Disclosure Qcn9011 Firmware Wcn7860 Firmware Wcd9340 Firmware Wcn6450 Firmware +198
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2024-53020 HIGH This Week

CVE-2024-53020 is an information disclosure vulnerability in RTP (Real-time Transport Protocol) packet processing that occurs when decoding packets with malformed header extensions. An attacker on the network can send specially crafted RTP packets to trigger memory disclosure, potentially exposing sensitive information while also causing minor availability impact. The vulnerability affects multiple implementations of RTP protocol handling across various media processing frameworks and VoIP applications; while there is no confirmed active KEV status or public exploit code documented, the high CVSS score (8.2) combined with network accessibility (CVSS:3.1/AV:N) indicates significant real-world risk to exposed services.

Information Disclosure Sa8650p Firmware Apq8017 Firmware Qamsrv1h Firmware Wcn3610 Firmware +207
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2024-53019 HIGH This Week

Network-based information disclosure vulnerability in RTP (Real-time Transport Protocol) packet decoding that occurs when the CSRC (Contributing Source) count header field is improperly validated, allowing an attacker to read sensitive memory contents. The vulnerability affects any system processing RTP streams with malformed headers and has a high CVSS score of 8.2 due to the combination of high confidentiality impact and network accessibility without authentication; no patch availability, KEV status, EPSS score, or active exploitation details are currently documented.

Information Disclosure Wsa8840 Firmware Fastconnect 7800 Firmware Sm7675p Firmware Sm8635p Firmware +73
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-36564 HIGH PATCH This Week

Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability (CWE-61) that allows a local user with limited privileges to escalate their permissions to higher levels without user interaction. The vulnerability has a CVSS score of 7.8 (High) with local attack vector and low attack complexity, indicating straightforward exploitation by unprivileged local users. No active exploitation in the wild has been confirmed at this time, but the local privilege escalation nature and availability of detailed CVE information presents a meaningful post-patch exploitation risk.

Privilege Escalation Dell Encryption
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23098 HIGH This Week

Use-After-Free (UAF) vulnerability in Samsung's Exynos mobile processors (980, 990, 1080, 2100, 1280, 2200, 1380) that enables local privilege escalation. An authenticated attacker with local access can exploit this memory safety flaw to gain elevated privileges on affected devices. The vulnerability has a CVSS 3.1 score of 7.8 (High), reflecting high impact on confidentiality, integrity, and availability, though exploitation requires local access and existing user-level privileges.

Use After Free Privilege Escalation Samsung Exynos 1380 Firmware Exynos 2100 Firmware +5
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-27031 HIGH This Week

Use-after-free memory corruption vulnerability in IOCTL command processing that occurs when buffers in write loopback mode are accessed after being freed. This local privilege escalation affects authenticated users (PR:L) on affected systems and can enable attackers to achieve confidentiality, integrity, and availability compromise (C:H/I:H/A:H). The vulnerability requires local access and low complexity exploitation, making it a significant risk for multi-user systems or systems where local code execution is possible.

Use After Free Memory Corruption Denial Of Service Wcd9375 Firmware Wsa8840 Firmware +16
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-21486 HIGH This Week

Memory corruption vulnerability in dynamic process creation functionality that occurs when a client passes only the address and length of a shell binary without proper validation or bounds checking. This vulnerability affects local attackers with limited user privileges who can exploit the memory corruption to achieve arbitrary code execution with full system impact (confidentiality, integrity, and availability compromise). The vulnerability requires local access and low complexity exploitation, making it a significant risk for multi-user systems; KEV and active exploitation status are not confirmed in available data, but the high CVSS score (7.8) and memory corruption nature suggest this warrants urgent patching.

Buffer Overflow Memory Corruption Denial Of Service Wcn7860 Firmware Sm8750 Firmware +28
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53010 HIGH This Week

Memory corruption vulnerability in Qualcomm's Virtual Machine (VM) attachment mechanism that occurs when the Host Linux OS (HLOS) retains access to a VM during attachment operations. This local privilege escalation vulnerability affects Qualcomm System-on-Chip (SoC) implementations and allows a local attacker with user-level privileges to achieve code execution with full system compromise (confidentiality, integrity, and availability impact). The vulnerability has not been reported as actively exploited in the KEV catalog, but the high CVSS score (7.8) and local attack vector indicate significant real-world risk for deployed Qualcomm-based devices.

VMware Memory Corruption Denial Of Service Qca8081 Firmware Qcn9011 Firmware +165
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-21485 HIGH This Week

Memory corruption vulnerability in Qualcomm's FastRPC implementation that affects local privilege escalation through malformed INIT and multimode invoke IOCTL calls. An attacker with local access and basic user privileges can trigger memory corruption to achieve code execution with elevated privileges, potentially compromising system integrity and confidentiality. The vulnerability carries a CVSS 7.8 score indicating high severity, though exploitation requires local access and authenticated session context.

Buffer Overflow Memory Corruption Denial Of Service Wsa8835 Firmware Qmp1000 Firmware +26
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-4330 HIGH PATCH This Week

Path traversal vulnerability in Python's tarfile module extraction filters that allows attackers to bypass the 'data' and 'tar' filter protections, enabling symlink targets to point outside the extraction directory and permitting modification of file metadata. This affects any application using TarFile.extractall() or TarFile.extract() with filter='data' or filter='tar' on untrusted tar archives, as well as Python 3.14+ users relying on the new 'data' default filter. The vulnerability has a CVSS score of 7.5 (High) with high integrity impact, though exploitation requires an attacker to control the tar archive contents.

Python Path Traversal Information Disclosure RCE Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-4435 HIGH PATCH This Week

Logic flaw in Python's TarFile module where the documented behavior of errorlevel=0 (skip filtered members) contradicts the actual implementation (extract filtered members anyway). This affects any application using Python's tarfile library with extraction filters, allowing attackers to extract files that should be blocked, potentially leading to path traversal or extraction of malicious content. The vulnerability has a high CVSS score (7.5) with network-accessible attack vector and no authentication required, though exploitation requires the application to implement extraction filters expecting them to be respected.

Python Path Traversal Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-23100 HIGH This Week

NULL pointer dereference vulnerability in Samsung's Exynos mobile processors (models 1280, 2200, 1380, 1480, 2400) that allows unauthenticated remote attackers to trigger a denial of service condition without user interaction. The vulnerability has a CVSS 3.1 score of 7.5 (High) with network-based attack vector and high availability impact, though no integrity or confidentiality compromise occurs. Exploitation likelihood and active weaponization status cannot be confirmed without KEV catalog verification and public exploit availability data.

Null Pointer Dereference Denial Of Service Samsung Exynos 1480 Firmware Exynos 2400 Firmware +3
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-27029 HIGH This Week

Network-accessible denial-of-service vulnerability in tone measurement response buffer processing that occurs when buffer contents fall outside expected range parameters, resulting in application/service crashes. The vulnerability affects systems implementing tone measurement protocols with improper input validation on buffer boundaries. An unauthenticated remote attacker can trigger this vulnerability with minimal complexity, causing service unavailability; however, without CVE details indicating active KEV status or public PoC availability, real-world exploitation likelihood remains moderate despite the high CVSS 7.5 score.

Buffer Overflow Denial Of Service Immersive Home 326 Platform Firmware Qca8112 Firmware Qca8085 Firmware +64
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-21463 HIGH This Week

Transient denial-of-service vulnerability in wireless beacon frame processing that occurs when a device receives a malformed EHT (Extremely High Throughput) operation information element. An unauthenticated remote attacker can trigger a temporary service disruption by sending a specially crafted beacon frame, affecting WiFi 6E and later devices. With a CVSS score of 7.5 and high availability impact, this vulnerability requires no user interaction and is network-accessible, making it a notable threat to wireless infrastructure and client devices, though there is currently no evidence of active exploitation in the wild.

Information Disclosure Qcn6024 Firmware Qca6696 Firmware Snapdragon X65 5g Modem Rf System Firmware Sa7775p Firmware +205
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-4138 HIGH PATCH This Week

CVE-2025-4138 is a security vulnerability (CVSS 7.5) that allows the extraction filter. High severity vulnerability requiring prompt remediation.

Python Path Traversal Information Disclosure RCE Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-5513 LOW POC Monitor

A vulnerability has been found in quequnlong shiyi-blog up to 1.2.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /dev-api/api/comment/add. The manipulation of the argument content leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-5523 LOW POC Monitor

A vulnerability classified as problematic has been found in enilu web-flash 1.0. This affects the function fileService.upload of the file src/main/java/cn/enilu/flash/api/controller/FileController/upload of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

File Upload Java XSS
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-35036 HIGH PATCH This Week

A information disclosure vulnerability (CVSS 7.3) that allows an attacker. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Java Hibernate Validator Red Hat
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.5%
CVE-2025-5522 HIGH This Week

Critical improper authorization vulnerability in the bskms 蓝天幼儿园管理系统 (Lantian Kindergarten Management System) affecting the /sa/addUser endpoint of the User Creation Handler component. The vulnerability allows unauthenticated remote attackers to bypass authorization controls and manipulate user creation functionality, potentially leading to unauthorized account creation, privilege escalation, or data compromise. The exploit has been publicly disclosed with proof-of-concept code available, and the affected product uses continuous delivery with rolling releases, making precise version tracking difficult.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-30167 HIGH PATCH This Week

A security vulnerability in Jupyter Core (CVSS 7.3) that allows users. High severity vulnerability requiring prompt remediation.

Microsoft Authentication Bypass Jupyter Core Windows Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-46355 HIGH This Week

PC Time Tracer versions prior to 5.2 contain an incorrect default permissions vulnerability (CWE-276) that allows local authenticated attackers to execute arbitrary code with SYSTEM privileges on Windows systems. The vulnerability requires local access and user interaction but provides complete system compromise capability. No KEV/CISA known exploited vulnerability status or public POC availability is confirmed from the provided data, though the CVSS 7.3 score and EPSS analysis should be monitored for exploitation likelihood.

RCE Privilege Escalation Windows
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2025-4392 HIGH This Week

A cross-site scripting vulnerability in Secure File Sharing (CVSS 7.2). High severity vulnerability requiring prompt remediation.

WordPress XSS PHP
NVD GitHub
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-25021 HIGH This Week

CVE-2025-25021 is a security vulnerability (CVSS 7.2) that allows a privileged execute code. High severity vulnerability requiring prompt remediation.

RCE IBM Privilege Escalation Qradar Suite Cloud Pak For Security
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-4224 HIGH This Week

A cross-site scripting vulnerability in wpForo Advanced Attachments (CVSS 7.2). High severity vulnerability requiring prompt remediation.

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-49163 MEDIUM This Month

CVE-2025-49163 is a security vulnerability (CVSS 6.7) that allows booting an arbitrary image. Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2024-53017 MEDIUM This Month

Memory corruption while handling test pattern generator IOCTL command.

Buffer Overflow Memory Corruption Wcn3620 Firmware Wcn3660b Firmware Snapdragon 429 Mobile Platform Firmware +1
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2024-53015 MEDIUM This Month

Memory corruption while processing IOCTL command to handle buffers associated with a session.

Use After Free Buffer Overflow Memory Corruption Wcd9340 Firmware Snapdragon 480 5g Mobile Platform Firmware +78
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2024-53013 MEDIUM This Month

Memory corruption may occur while processing voice call registration with user.

Buffer Overflow Qca9367 Firmware Wcn3620 Firmware Wsa8810 Firmware Wsa8815 Firmware +54
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2024-53018 MEDIUM This Month

CVE-2024-53018 is a security vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Buffer Overflow Wsa8835 Firmware Wcd9385 Firmware Wsa8830 Firmware Sw5100 Firmware +14
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2024-53016 MEDIUM This Month

CVE-2024-53016 is a security vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Buffer Overflow Wcn3660b Firmware Wcn3980 Firmware Wsa8810 Firmware Wcd9385 Firmware +27
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-25020 MEDIUM This Month

IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an authenticated user to cause a denial of service due to improperly validating API data input.

Denial Of Service IBM Qradar Suite Cloud Pak For Security
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-43923 MEDIUM This Month

An issue was discovered in ReportController in Unicom Focal Point 7.6.1. A user who has administrative privilege in Focal Point can perform SQL injection via the image parameter during a delete report image operation.

SQLi Focal Point
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-5508 LOW POC Monitor

A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been rated as problematic. Affected by this issue is some unknown functionality of the component IP Port Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.2%
CVE-2025-5505 LOW POC Monitor

A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011 and classified as problematic. This issue affects some unknown processing of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.2%
CVE-2025-5543 LOW POC Monitor

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Parent Controls Page. The manipulation of the argument Device Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

XSS TOTOLINK
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.1%
CVE-2025-4671 MEDIUM This Month

The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5116 MEDIUM This Month

The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerid’ parameter in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue is due to an incomplete patch for CVE-2025-31835.

WordPress XSS PHP
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5542 LOW POC Monitor

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been classified as problematic. Affected is an unknown function of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

XSS TOTOLINK
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.1%
CVE-2025-5516 LOW POC Monitor

A vulnerability, which was classified as problematic, was found in TOTOLINK X2000R 1.0.0-B20230726.1108. This affects an unknown part of the file /boafrm/formFilter of the component URL Filtering Page. The manipulation of the argument URL Address leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.1%
CVE-2025-5340 MEDIUM This Month

The Music Player for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘album_buy_url’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-4205 MEDIUM This Month

The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popupID' parameter in all versions up to, and including, 1.20.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-4420 MEDIUM This Month

The Vayu Blocks - Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerWidth’ parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5507 LOW POC Monitor

A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component MAC Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.1%
CVE-2025-5506 LOW POC Monitor

A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been classified as problematic. Affected is an unknown function of the component NAT Mapping Page. The manipulation of the argument Comment leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.1%
CVE-2025-1725 MEDIUM This Month

The Bit File Manager - 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

WordPress File Upload XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-49162 MEDIUM This Month

CVE-2025-49162 is a security vulnerability (CVSS 6.4) that allows file overwrite. Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
6.4
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy