Skip to main content
CVE-2025-23095 MEDIUM This Month

An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.

Privilege Escalation Samsung Exynos 1480 Firmware Exynos 2400 Firmware Exynos 1280 Firmware +2
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-46011 MEDIUM PATCH This Month

Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges.

SQLi Listmonk
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-5539 MEDIUM PATCH This Month

The Simple Contact Form Plugin for WordPress - WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Wp Easy Contact PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5532 MEDIUM This Month

The Campus Directory - Faculty, Staff & Student Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5531 MEDIUM This Month

The Employee Directory - Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5584 LOW POC Monitor

A vulnerability was found in PHPGurukul Hospital Management System 4.0. It has been classified as problematic. Affected is an unknown function of the file /doctor/edit-patient.php?editid=2 of the component POST Parameter Handler. The manipulation of the argument patname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.1%
CVE-2025-20981 MEDIUM This Month

Improper access control in AudioService prior to SMR Jun-2025 Release 1 allows local attackers to access sensitive information.

Information Disclosure Android
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-20273 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unified Intelligent Contact Management Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

XSS Cisco Unified Intelligent Contact Management Enterprise
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-20278 MEDIUM This Month

A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. This vulnerability is due to improper validation of user-supplied command arguments. An attacker could exploit this vulnerability by executing crafted commands on the CLI of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. To exploit this vulnerability, the attacker must have valid administrative credentials.

Command Injection Cisco Socialminer Unified Communications Manager Im And Presence Service Finesse +5
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-22245 MEDIUM This Month

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation.

XSS VMware Vmware Nsx Cloud Foundation Telco Cloud Platform +1
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-48960 MEDIUM PATCH This Month

CVE-2025-48960 is a security vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

Microsoft Apple Information Disclosure Windows macOS
NVD
CVSS 3.0
5.9
EPSS
0.0%
CVE-2025-20985 MEDIUM This Month

A security vulnerability in ThemeManager (CVSS 5.5) that allows local privileged attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Android
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20988 MEDIUM This Month

Out-of-bounds read in fingerprint trustlet prior to SMR May-2025 Release 1 allows local privileged attackers to read out-of-bounds memory.

Buffer Overflow Information Disclosure Android
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20986 MEDIUM This Month

A security vulnerability in ScreenCapture for Galaxy Watch (CVSS 5.5) that allows local attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Wear Os
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20275 MEDIUM This Month

A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device.  This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by persuading an authenticated, local user to open a crafted .aef file. A successful exploit could allow the attacker to execute arbitrary code on the host that is running the editor application with the privileges of the user who launched it.

Deserialization Java RCE Cisco Unified Contact Center Express
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2025-49007 MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

Denial Of Service Ubuntu Debian Rack Red Hat +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-20259 MEDIUM This Month

Multiple vulnerabilities in the update process of Cisco ThousandEyes Endpoint Agent for Windows could allow an authenticated, local attacker to delete arbitrary files on an affected device. These vulnerabilities are due to improper access controls on files that are in the local file system. An attacker could exploit these vulnerabilities by using a symbolic link to perform an agent upgrade that redirects the delete operation of any protected file. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device.

Microsoft Path Traversal Cisco Thousandeyes Endpoint Agent Windows
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-20989 MEDIUM This Month

A security vulnerability in fingerprint trustlet (CVSS 5.2) that allows local privileged attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Android
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2025-20987 MEDIUM This Month

A security vulnerability in fingerprint trustlet (CVSS 5.2) that allows local privileged attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Android
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2025-20996 MEDIUM This Month

A security vulnerability in Smart Switch installed on non-Samsung Device (CVSS 5.0) that allows local attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Samsung Smart Switch
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-20130 MEDIUM This Month

A vulnerability in the API of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to upload files to an affected device. This vulnerability is due to improper validation of the file copy function. An attacker could exploit this vulnerability by sending a crafted file upload request to a specific API endpoint. A successful exploit could allow the attacker to upload arbitrary files to an affected system.

File Upload Authentication Bypass Cisco Identity Services Engine Identity Services Engine Passive Identity Connector
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-20995 MEDIUM This Month

A arbitrary file access vulnerability in ClientProvider in Samsung Internet installed on non-Samsung Device (CVSS 4.9) that allows local attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Samsung Internet
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-2336 MEDIUM PATCH This Month

A remote code execution vulnerability (CVSS 4.8) that allows attackers. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Ubuntu Debian
NVD HeroDevs GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-27444 MEDIUM This Month

A reflected XSS vulnerability in RSform!Pro component 3.0.0 - 3.3.13 for Joomla was discovered. The issue arises from the improper handling of the filter[dateFrom] GET parameter, which is reflected unescaped in the administrative backend interface. This allows an authenticated attacker with admin or editor privileges to inject arbitrary JavaScript code by crafting a malicious URL.

XSS Joomla
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-20279 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to conduct a stored XSS attack on an affected system. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper sanitization of user input to the web-based management interface. An attacker could exploit this vulnerability by submitting a malicious script through the interface. A successful exploit could allow the attacker to conduct a stored XSS attack on the affected system.

XSS Cisco Unified Contact Center Express
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-20994 MEDIUM This Month

A arbitrary file access vulnerability in SyncClientProvider in Samsung Internet installed on non-Samsung Device (CVSS 4.5) that allows local attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Samsung Internet
NVD
CVSS 3.1
4.5
EPSS
0.0%
CVE-2025-48962 MEDIUM PATCH This Month

Sensitive information disclosure due to SSRF. The following products are affected: Acronis Cyber Protect 16 (Windows, Linux) before build 39938.

Microsoft Information Disclosure SSRF Windows
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2025-20129 MEDIUM This Month

A vulnerability in the web-based chat interface of Cisco Customer Collaboration Platform (CCP), formerly Cisco SocialMiner, could allow an unauthenticated, remote attacker to persuade users to disclose sensitive data. This vulnerability is due to improper sanitization of HTTP requests that are sent to the web-based chat interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the chat interface of a targeted user on a vulnerable server. A successful exploit could allow the attacker to redirect chat traffic to a server that is under their control, resulting in sensitive information being redirected to the attacker.

Information Disclosure Cisco Unified Contact Center Express Socialminer
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-48710 MEDIUM PATCH This Month

kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.

RCE Suse
NVD GitHub
CVSS 3.1
4.1
EPSS
0.3%
CVE-2025-20993 MEDIUM This Month

Out-of-bounds write in libsecimaging.camera.samsung.so prior to SMR Jun-2025 Release 1 allows local attackers to write out-of-bounds memory.

Buffer Overflow Samsung Memory Corruption Android
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-20991 MEDIUM This Month

A security vulnerability in Bluetooth (CVSS 4.0) that allows local attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Android Samsung
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-20992 MEDIUM This Month

Out-of-bound read in libsecimaging.camera.samsung.so prior to SMR Feb-2025 Release 1 allows local attackers to read out-of-bounds memory.

Buffer Overflow Information Disclosure Samsung Android
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-20276 LOW Monitor

A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.  This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by sending a crafted Java object to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. A successful exploit could also allow the attacker to undertake further actions to elevate their privileges to root.

Deserialization Java RCE Cisco
NVD
CVSS 3.1
3.8
EPSS
0.9%
CVE-2025-20277 LOW Monitor

A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper limitation of a pathname to a restricted directory (path traversal). An attacker could exploit this vulnerability by sending a crafted web request to an affected device, followed by a specific command through an SSH session. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of an affected device as a low-privilege user. A successful exploit could also allow the attacker to undertake further actions to elevate their privileges to root.

RCE Path Traversal Cisco
NVD
CVSS 3.1
3.4
EPSS
0.0%
CVE-2025-49210 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49209 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49208 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49207 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49206 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49205 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49204 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49203 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
CVE-2025-49202 Awaiting Data

Rejected reason: Not used. No vendor patch available.

Information Disclosure
NVD
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy