Skip to main content
CVE-2025-5492 MEDIUM This Month

A vulnerability has been found in D-Link DI-500WF-WT up to 20250511 and classified as critical. Affected by this vulnerability is the function sub_456DE8 of the file /msp_info.htm?flag=cmd of the component /usr/sbin/jhttpd. The manipulation of the argument cmd leads to command injection. The attack can be launched remotely.

Command Injection Di 500wf Wt Firmware D-Link
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-5497 LOW POC Monitor

A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component.

Deserialization PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-43924 MEDIUM This Month

Cross Site Scripting vulnerability was discovered in Unicom Focal Point 7.6.1. The val parameter in SettingController (for /fp/admin/settings/loginpage) and the rootserviceurl parameter in FriendsController (for /fp/admin/settings/friends), entered by an admin, allow stored XSS.

XSS Focal Point
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-31710 MEDIUM This Month

In engineermode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed.

Privilege Escalation Command Injection Android Google
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-2939 MEDIUM This Month

The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.

Deserialization WordPress PHP Ninja Tables
NVD
CVSS 3.1
5.6
EPSS
0.2%
CVE-2025-48953 MEDIUM PATCH This Month

Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available.

File Upload Umbraco Cms
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-45655 MEDIUM This Month

IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.

Authentication Bypass IBM Application Gateway
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-45855 MEDIUM This Month

An arbitrary file upload vulnerability in the component /upload/GoodsCategory/image of erupt v1.12.19 allows attackers to execute arbitrary code via uploading a crafted file.

File Upload RCE Erupt
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-12718 MEDIUM PATCH This Month

Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Python RCE Path Traversal Ubuntu Debian +2
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-41428 MEDIUM This Month

Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in TimeWorks 10.0 to 10.3. If exploited, arbitrary JSON files on the server may be viewed by a remote unauthenticated attacker.

Path Traversal
NVD
CVSS 3.0
5.3
EPSS
0.1%
CVE-2025-31712 MEDIUM This Month

In cplog service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed.

Buffer Overflow Denial Of Service Android Google
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-31711 MEDIUM This Month

In cplog service, there is a possible system crash due to null pointer dereference. This could lead to local denial of service with no additional execution privileges needed.

Null Pointer Dereference Denial Of Service Android Google
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-5103 MEDIUM PATCH This Month

The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'default_price' and 'product_id' parameters in all versions up to, and including, 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi Ultimate Gift Cards For Woocommerce PHP
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-25019 MEDIUM This Month

IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 does not invalidate session after a logout which could allow a user to impersonate another user on the system.

Information Disclosure IBM Cloud Pak For Security Qradar Suite
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-43925 MEDIUM This Month

An issue was discovered in Unicom Focal Point 7.6.1. The database is encrypted with a hardcoded key, making it easier to recover the cleartext data.

Information Disclosure Focal Point
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-4047 MEDIUM This Month

A security vulnerability in Broken Link Checker (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49164 MEDIUM This Month

CVE-2025-49164 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-1334 MEDIUM This Month

CVE-2025-1334 is a security vulnerability (CVSS 4.0) that allows web pages. Remediation should follow standard vulnerability management procedures.

Information Disclosure IBM Cloud Pak For Security Qradar Suite
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-49000 LOW PATCH Monitor

InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.

Python Denial Of Service
NVD GitHub
CVSS 3.1
3.5
EPSS
0.1%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy